Detection rules › Sigma

HackTool - SharpView Execution

Severity: high
Author: frack113
Source: upstream

Adversaries may look for details about the network configuration and settings of systems they access, or gather that information about remote systems through discovery.

MITRE ATT&CK coverage

Tactic       Techniques
Discovery    T1033 System Owner/User Discovery; T1049 System Network Connections Discovery; T1069.002 Permission Groups Discovery: Domain Groups; T1135 Network Share Discovery; T1482 Domain Trust Discovery

Event coverage

Provider    Event ID    Title
Sysmon      1           Process creation

Stages and Predicates

Stage 1: selection

or:
CommandLine|contains: Add-RemoteConnection
CommandLine|contains: Convert-ADName
CommandLine|contains: Convert-SidToName
CommandLine|contains: ConvertFrom-SID
CommandLine|contains: ConvertFrom-UACValue
CommandLine|contains: Export-PowerViewCSV
CommandLine|contains: Find-DomainObjectPropertyOutlier
CommandLine|contains: Find-DomainProcess
CommandLine|contains: Find-DomainShare
CommandLine|contains: Find-DomainUserEvent
CommandLine|contains: Find-DomainUserLocation
CommandLine|contains: Find-ForeignGroup
CommandLine|contains: Find-ForeignUser
CommandLine|contains: Find-GPOComputerAdmin
CommandLine|contains: Find-GPOLocation
CommandLine|contains: Find-Interesting
CommandLine|contains: Find-LocalAdminAccess
CommandLine|contains: Find-ManagedSecurityGroups
CommandLine|contains: Get-CachedRDPConnection
CommandLine|contains: Get-DFSshare
CommandLine|contains: Get-DomainComputer
CommandLine|contains: Get-DomainController
CommandLine|contains: Get-DomainDFSShare
CommandLine|contains: Get-DomainDNSRecord
CommandLine|contains: Get-DomainFileServer
CommandLine|contains: Get-DomainForeign
CommandLine|contains: Get-DomainGPO
CommandLine|contains: Get-DomainGUIDMap
CommandLine|contains: Get-DomainGroup
CommandLine|contains: Get-DomainManagedSecurityGroup
CommandLine|contains: Get-DomainOU
CommandLine|contains: Get-DomainObject
CommandLine|contains: Get-DomainPolicy
CommandLine|contains: Get-DomainSID
CommandLine|contains: Get-DomainSPNTicket
CommandLine|contains: Get-DomainSite
CommandLine|contains: Get-DomainSubnet
CommandLine|contains: Get-DomainTrust
CommandLine|contains: Get-DomainUserEvent
CommandLine|contains: Get-ForestDomain
CommandLine|contains: Get-ForestGlobalCatalog
CommandLine|contains: Get-ForestTrust
CommandLine|contains: Get-GptTmpl
CommandLine|contains: Get-GroupsXML
CommandLine|contains: Get-LastLoggedOn
CommandLine|contains: Get-LoggedOnLocal
CommandLine|contains: Get-NetComputer
CommandLine|contains: Get-NetDomain
CommandLine|contains: Get-NetFileServer
CommandLine|contains: Get-NetForest
CommandLine|contains: Get-NetGPO
CommandLine|contains: Get-NetGroupMember
CommandLine|contains: Get-NetLocalGroup
CommandLine|contains: Get-NetLoggedon
CommandLine|contains: Get-NetOU
CommandLine|contains: Get-NetProcess
CommandLine|contains: Get-NetRDPSession
CommandLine|contains: Get-NetSession
CommandLine|contains: Get-NetShare
CommandLine|contains: Get-NetSite
CommandLine|contains: Get-NetSubnet
CommandLine|contains: Get-NetUser
CommandLine|contains: Get-PathAcl
CommandLine|contains: Get-PrincipalContext
CommandLine|contains: Get-RegLoggedOn
CommandLine|contains: Get-RegistryMountedDrive
CommandLine|contains: Get-WMIRegCachedRDPConnection
CommandLine|contains: Get-WMIRegLastLoggedOn
CommandLine|contains: Get-WMIRegMountedDrive
CommandLine|contains: Get-WMIRegProxy
CommandLine|contains: Invoke-ACLScanner
CommandLine|contains: Invoke-CheckLocalAdminAccess
CommandLine|contains: Invoke-Kerberoast
CommandLine|contains: Invoke-MapDomainTrust
CommandLine|contains: Invoke-RevertToSelf
CommandLine|contains: Invoke-Sharefinder
CommandLine|contains: Invoke-UserImpersonation
CommandLine|contains: Remove-DomainObjectAcl
CommandLine|contains: Remove-RemoteConnection
CommandLine|contains: Request-SPNTicket
CommandLine|contains: Set-DomainObject
CommandLine|contains: Test-AdminAccess
Image|endswith: '\SharpView.exe'
OriginalFileName: SharpView.exe

Indicators

Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely used, community-vetted indicators, while a blank or 1 means the indicator is specific to this rule.

Field              Kind        Values
CommandLine        match
  • Add-RemoteConnection
  • Convert-ADName
  • Convert-SidToName
  • ConvertFrom-SID
  • ConvertFrom-UACValue
  • Export-PowerViewCSV
  • Find-DomainObjectPropertyOutlier
  • Find-DomainProcess
  • Find-DomainShare
  • Find-DomainUserEvent
  • Find-DomainUserLocation
  • Find-ForeignGroup
  • Find-ForeignUser
  • Find-GPOComputerAdmin
  • Find-GPOLocation corpus 2 (sigma 2)
  • Find-Interesting
  • Find-LocalAdminAccess
  • Find-ManagedSecurityGroups
  • Get-CachedRDPConnection
  • Get-DFSshare
  • Get-DomainComputer
  • Get-DomainController
  • Get-DomainDFSShare
  • Get-DomainDNSRecord
  • Get-DomainFileServer
  • Get-DomainForeign
  • Get-DomainGPO
  • Get-DomainGUIDMap
  • Get-DomainGroup
  • Get-DomainManagedSecurityGroup
  • Get-DomainOU
  • Get-DomainObject
  • Get-DomainPolicy
  • Get-DomainSID
  • Get-DomainSPNTicket
  • Get-DomainSite
  • Get-DomainSubnet
  • Get-DomainTrust
  • Get-DomainUserEvent
  • Get-ForestDomain
  • Get-ForestGlobalCatalog
  • Get-ForestTrust
  • Get-GptTmpl
  • Get-GroupsXML
  • Get-LastLoggedOn
  • Get-LoggedOnLocal
  • Get-NetComputer
  • Get-NetDomain
  • Get-NetFileServer
  • Get-NetForest
  • Get-NetGPO
  • Get-NetGroupMember
  • Get-NetLocalGroup
  • Get-NetLoggedon
  • Get-NetOU
  • Get-NetProcess
  • Get-NetRDPSession
  • Get-NetSession
  • Get-NetShare
  • Get-NetSite
  • Get-NetSubnet
  • Get-NetUser
  • Get-PathAcl
  • Get-PrincipalContext
  • Get-RegLoggedOn
  • Get-RegistryMountedDrive
  • Get-WMIRegCachedRDPConnection
  • Get-WMIRegLastLoggedOn
  • Get-WMIRegMountedDrive
  • Get-WMIRegProxy
  • Invoke-ACLScanner corpus 2 (sigma 2)
  • Invoke-CheckLocalAdminAccess
  • Invoke-Kerberoast corpus 2 (sigma 2)
  • Invoke-MapDomainTrust
  • Invoke-RevertToSelf
  • Invoke-Sharefinder
  • Invoke-UserImpersonation
  • Remove-DomainObjectAcl
  • Remove-RemoteConnection
  • Request-SPNTicket
  • Set-DomainObject
  • Test-AdminAccess
Image              ends_with
  • \SharpView.exe corpus 2 (sigma 2)
OriginalFileName   eq
  • SharpView.exe