Detection rules › YARA-L
Hacktool - IronSharpPack Execution
Detects the execution of known attacker tools, including but not limited to those in the IronSharpPack toolset. These tools are commonly used for offensive security operations and may indicate malicious activity if observed in unauthorized environments.
MITRE ATT&CK coverage
| Tactic | Techniques |
|---|---|
| Execution | T1059 Command and Scripting Interpreter |
References
Event coverage
| Provider | Event | Title |
|---|---|---|
| Sysmon | Event ID 1 | Process creation |
| Security-Auditing | Event ID 4688 | A new process has been created. |
Rule body yaral
/*
* Copyright 2025 Google LLC
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* https://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
rule hacktool_ironsharp_pack_execution {
meta:
author = "Georg Lauenstein - suresecure GmbH"
description = "Detects the execution of known attacker tools, including but not limited to those in the IronSharpPack toolset. These tools are commonly used for offensive security operations and may indicate malicious activity if observed in unauthorized environments."
rule_id = "mr_34f2ecef-cd3e-4dee-9c83-b7a9ec34becc"
rule_name = "Hacktool - IronSharpPack Execution"
tactic = "TA0002"
technique = "T1059"
references = "https://github.com/BC-SECURITY/IronSharpPack"
type = "alert"
platform = "Linux, Windows, EDR"
data_source = "Sysmon for Linux, Microsoft Sysmon, Windows Event Logs"
severity = "Medium" // Adjust based on your risk assessment
priority = "Medium" // Adjust based on your incident response process
events:
$ironsharp_execution.metadata.event_type = "PROCESS_LAUNCH"
$ironsharp_execution.target.process.file.full_path = /cmd\.exe|python.*\.exe|ipy\.exe|powershell\.exe|pwsh\.exe|wsl\.exe/ nocase and
$ironsharp_execution.target.process.command_line = /IronADCSPwn\.py|IronADFSDump\.py|IronBetterSafetyKatz\.py|IronCertify\.py|IronDeployPrinterNightmare\.py|IronEmbed\.py|IronEDD\.py|IronGrouper2\.py|IronInveigh\.py|IronLockLess\.py|IronPassTheCert\.py|IronRubeus\.py|IronSafetyKatz\.py|IronSearchOutlook\.py|IronSeatbelt\.py|IronSharPersist\.py|IronSharp-SMBExec\.py|IronSharpAllowedToAct\.py|IronSharpBypassUAC\.py|IronSharpCOM\.py|IronSharpChisel\.py|IronSharpChrome\.py|IronSharpChromium\.py|IronSharpCloud\.py|IronSharpCookieMonster\.py|IronSharpCrashEventLog\.py|IronSharpDPAPI\.py|IronSharpDir\.py|IronSharpDoor\.py|IronSharpDump\.py|IronSharpEDRChecker\.py|IronSharpExec\.py|IronSharpGPOAbuse\.py|IronSharpHandler\.py|IronSharpKatz\.py|IronSharpLAPS\.py|IronSharpMapExec\.py|IronSharpMiniDump\.py|IronSharpMove\.py|IronSharpNamedPipePTH\.py|IronSharpReg\.py|IronSharpSQLPwn\.py|IronSharpSearch\.py|IronSharpSecDump\.py|IronSharpSniper\.py|IronSharpSpray\.py|IronSharpStay\.py|IronSharpTask\.py|IronSharpUp\.py|IronSharpWMI\.py|IronSharpWebServer\.py|IronSharpWifiGrabber\.py|IronSharpZeroLogon\.py|IronShhmon\.py|IronSqlClient\.py|IronStandIn\.py|IronStickyNotesExtract\.py|IronThunderFox\.py|IronTokenStomp\.py|IronWMIReg\.py|IronWatson\.py|Iron_RunasCs\.py|Ironscout\.py|Ironsharpfiles\.py|Ironsharpshares\.py/ nocase
// Capture the hostname where the event occurred
$ironsharp_execution.principal.hostname = $hostname
match:
$hostname over 15m
outcome:
$risk_score = max(65)
$event_count = count_distinct($ironsharp_execution.metadata.id)
$principal_process_pid = array_distinct($ironsharp_execution.principal.process.pid)
$principal_process_command_line = array_distinct($ironsharp_execution.principal.process.command_line)
$principal_process_file_sha256 = array_distinct($ironsharp_execution.principal.process.file.sha256)
$principal_process_file_full_path = array_distinct($ironsharp_execution.principal.process.file.full_path)
$principal_process_product_specific_process_id = array_distinct($ironsharp_execution.principal.process.product_specific_process_id)
$principal_process_parent_process_product_specific_process_id = array_distinct($ironsharp_execution.principal.process.parent_process.product_specific_process_id)
$target_process_pid = array_distinct($ironsharp_execution.target.process.pid)
$target_process_command_line = array_distinct($ironsharp_execution.target.process.command_line)
$target_process_file_sha256 = array_distinct($ironsharp_execution.target.process.file.sha256)
$target_process_file_full_path = array_distinct($ironsharp_execution.target.process.file.full_path)
$target_process_product_specific_process_id = array_distinct($ironsharp_execution.target.process.product_specific_process_id)
$principal_user_userid = array_distinct($ironsharp_execution.principal.user.userid)
condition:
$ironsharp_execution
}
Stages and Predicates
Stage 0: match + condition
match:
$hostname over 15m
condition:
$ironsharp_execution
Fires when at least one $ironsharp_execution event in the 15m window.
Stage 1: events: $ironsharp_execution · PROCESS_LAUNCH
$ironsharp_execution.metadata.event_type = "PROCESS_LAUNCH"
$ironsharp_execution.target.process.file.full_path = /cmd\.exe|python.*\.exe|ipy\.exe|powershell\.exe|pwsh\.exe|wsl\.exe/ nocase and
$ironsharp_execution.target.process.command_line = /IronADCSPwn\.py|IronADFSDump\.py|IronBetterSafetyKatz\.py|IronCertify\.py|IronDeployPrinterNightmare\.py|IronEmbed\.py|IronEDD\.py|IronGrouper2\.py|IronInveigh\.py|IronLockLess\.py|IronPassTheCert\.py|IronRubeus\.py|IronSafetyKatz\.py|IronSearchOutlook\.py|IronSeatbelt\.py|IronSharPersist\.py|IronSharp-SMBExec\.py|IronSharpAllowedToAct\.py|IronSharpBypassUAC\.py|IronSharpCOM\.py|IronSharpChisel\.py|IronSharpChrome\.py|IronSharpChromium\.py|IronSharpCloud\.py|IronSharpCookieMonster\.py|IronSharpCrashEventLog\.py|IronSharpDPAPI\.py|IronSharpDir\.py|IronSharpDoor\.py|IronSharpDump\.py|IronSharpEDRChecker\.py|IronSharpExec\.py|IronSharpGPOAbuse\.py|IronSharpHandler\.py|IronSharpKatz\.py|IronSharpLAPS\.py|IronSharpMapExec\.py|IronSharpMiniDump\.py|IronSharpMove\.py|IronSharpNamedPipePTH\.py|IronSharpReg\.py|IronSharpSQLPwn\.py|IronSharpSearch\.py|IronSharpSecDump\.py|IronSharpSniper\.py|IronSharpSpray\.py|IronSharpStay\.py|IronSharpTask\.py|IronSharpUp\.py|IronSharpWMI\.py|IronSharpWebServer\.py|IronSharpWifiGrabber\.py|IronSharpZeroLogon\.py|IronShhmon\.py|IronSqlClient\.py|IronStandIn\.py|IronStickyNotesExtract\.py|IronThunderFox\.py|IronTokenStomp\.py|IronWMIReg\.py|IronWatson\.py|Iron_RunasCs\.py|Ironscout\.py|Ironsharpfiles\.py|Ironsharpshares\.py/ nocase
// Capture the hostname where the event occurred
$ironsharp_execution.principal.hostname = $hostname
Indicators
Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.
| Field | Kind | Values |
|---|---|---|
target.process.command_line | regex_match |
|
target.process.file.full_path | regex_match |
|
Output fields
Fields the rule emits when it matches. Chronicle authors list these in the outcome block; they appear on the detection and $risk_score drives alerting. Sentinel / Defender XDR rules build them up through project / summarize / extend stages. Sentinel maps these into alert fields via entityMappings and customDetails; Defender XDR custom detections surface them as alert fields directly.
| Field | Source |
|---|---|
risk_score | max(65) |
event_count | count_distinct($ironsharp_execution.metadata.id) |
principal_process_pid | array_distinct($ironsharp_execution.principal.process.pid) |
principal_process_command_line | array_distinct($ironsharp_execution.principal.process.command_line) |
principal_process_file_sha256 | array_distinct($ironsharp_execution.principal.process.file.sha256) |
principal_process_file_full_path | array_distinct($ironsharp_execution.principal.process.file.full_path) |
principal_process_product_specific_process_id | array_distinct($ironsharp_execution.principal.process.product_specific_process_id) |
principal_process_parent_process_product_specific_process_id | array_distinct($ironsharp_execution.principal.process.parent_process.product_specific_process_id) |
target_process_pid | array_distinct($ironsharp_execution.target.process.pid) |
target_process_command_line | array_distinct($ironsharp_execution.target.process.command_line) |
target_process_file_sha256 | array_distinct($ironsharp_execution.target.process.file.sha256) |
target_process_file_full_path | array_distinct($ironsharp_execution.target.process.file.full_path) |
target_process_product_specific_process_id | array_distinct($ironsharp_execution.target.process.product_specific_process_id) |
principal_user_userid | array_distinct($ironsharp_execution.principal.user.userid) |