Merge PR SigmaHQ#4686 from @CrimpSec - Add new rule for SharpMove bas…

…ed on PE metadata and CLI options new: HackTool - SharpMove Tool Execution --------- Co-authored-by: nasbench <[email protected]> Co-authored-by: phantinuss <[email protected]>
frack113 · Jan 29, 2024 · 7f582c3 · 7f582c3
1 parent 2fc5330
commit 7f582c3
Showing 1 changed file with 39 additions and 0 deletions.
diff --git a/rules/windows/process_creation/proc_creation_win_hktl_sharpmove.yml b/rules/windows/process_creation/proc_creation_win_hktl_sharpmove.yml
@@ -0,0 +1,39 @@
+title: HackTool - SharpMove Tool Execution
+id: 055fb54c-a8f4-4aee-bd44-f74cf30a0d9d
+status: experimental
+description: |
+    Detects the execution of SharpMove, a .NET utility performing multiple tasks such as "Task Creation", "SCM" query, VBScript execution using WMI via its PE metadata and command line options.
+references:
+    - https://github.com/0xthirteen/SharpMove/
+    - https://pentestlab.blog/tag/sharpmove/
+author: Luca Di Bartolomeo (CrimpSec)
+date: 2024/01/29
+tags:
+    - attack.lateral_movement
+    - attack.t1021.002
+logsource:
+    category: process_creation
+    product: windows
+detection:
+    selection_img:
+        - Image|endswith: '\SharpMove.exe'
+        - OriginalFileName: SharpMove.exe
+    selection_cli_computer:
+        # In its current implementation the "computername" flag is required in all actions
+        CommandLine|contains: 'computername='
+    selection_cli_actions:
+        CommandLine|contains:
+            - 'action=create'
+            - 'action=dcom'
+            - 'action=executevbs'
+            - 'action=hijackdcom'
+            - 'action=modschtask'
+            - 'action=modsvc'
+            - 'action=query'
+            - 'action=scm'
+            - 'action=startservice'
+            - 'action=taskscheduler'
+    condition: selection_img or all of selection_cli_*
+falsepositives:
+    - Unknown
+level: high