← Back to Explore
sigmahighHunting
HackTool - SharpMove Tool Execution
Detects the execution of SharpMove, a .NET utility performing multiple tasks such as "Task Creation", "SCM" query, VBScript execution using WMI via its PE metadata and command line options.
Detection Query
selection_img:
- Image|endswith: \SharpMove.exe
- OriginalFileName: SharpMove.exe
selection_cli_computer:
CommandLine|contains: computername=
selection_cli_actions:
CommandLine|contains:
- action=create
- action=dcom
- action=executevbs
- action=hijackdcom
- action=modschtask
- action=modsvc
- action=query
- action=scm
- action=startservice
- action=taskscheduler
condition: selection_img or all of selection_cli_*
Author
Luca Di Bartolomeo (CrimpSec)
Created
2024-01-29
Data Sources
windowsProcess Creation Events
Platforms
windows
Tags
attack.lateral-movementattack.t1021.002
Raw Content
title: HackTool - SharpMove Tool Execution
id: 055fb54c-a8f4-4aee-bd44-f74cf30a0d9d
status: test
description: |
Detects the execution of SharpMove, a .NET utility performing multiple tasks such as "Task Creation", "SCM" query, VBScript execution using WMI via its PE metadata and command line options.
references:
- https://github.com/0xthirteen/SharpMove/
- https://pentestlab.blog/tag/sharpmove/
author: Luca Di Bartolomeo (CrimpSec)
date: 2024-01-29
tags:
- attack.lateral-movement
- attack.t1021.002
logsource:
category: process_creation
product: windows
detection:
selection_img:
- Image|endswith: '\SharpMove.exe'
- OriginalFileName: SharpMove.exe
selection_cli_computer:
# In its current implementation the "computername" flag is required in all actions
CommandLine|contains: 'computername='
selection_cli_actions:
CommandLine|contains:
- 'action=create'
- 'action=dcom'
- 'action=executevbs'
- 'action=hijackdcom'
- 'action=modschtask'
- 'action=modsvc'
- 'action=query'
- 'action=scm'
- 'action=startservice'
- 'action=taskscheduler'
condition: selection_img or all of selection_cli_*
falsepositives:
- Unknown
level: high