← Back to Explore
sigmahighHunting
HackTool - SharPersist Execution
Detects the execution of the hacktool SharPersist - used to deploy various different kinds of persistence mechanisms
Detection Query
selection_img:
- Image|endswith: \SharPersist.exe
- Product: SharPersist
selection_cli_1:
CommandLine|contains:
- " -t schtask -c "
- " -t startupfolder -c "
selection_cli_2:
CommandLine|contains|all:
- " -t reg -c "
- " -m add"
selection_cli_3:
CommandLine|contains|all:
- " -t service -c "
- " -m add"
selection_cli_4:
CommandLine|contains|all:
- " -t schtask -c "
- " -m add"
condition: 1 of selection_*
Author
Florian Roth (Nextron Systems)
Created
2022-09-15
Data Sources
windowsProcess Creation Events
Platforms
windows
References
Tags
attack.privilege-escalationattack.executionattack.persistenceattack.t1053
Raw Content
title: HackTool - SharPersist Execution
id: 26488ad0-f9fd-4536-876f-52fea846a2e4
status: test
description: Detects the execution of the hacktool SharPersist - used to deploy various different kinds of persistence mechanisms
references:
- https://www.mandiant.com/resources/blog/sharpersist-windows-persistence-toolkit
- https://github.com/mandiant/SharPersist
author: Florian Roth (Nextron Systems)
date: 2022-09-15
modified: 2023-02-04
tags:
- attack.privilege-escalation
- attack.execution
- attack.persistence
- attack.t1053
logsource:
category: process_creation
product: windows
detection:
selection_img:
- Image|endswith: '\SharPersist.exe'
- Product: 'SharPersist'
selection_cli_1:
CommandLine|contains:
- ' -t schtask -c '
- ' -t startupfolder -c '
selection_cli_2:
CommandLine|contains|all:
- ' -t reg -c '
- ' -m add'
selection_cli_3:
CommandLine|contains|all:
- ' -t service -c '
- ' -m add'
selection_cli_4:
CommandLine|contains|all:
- ' -t schtask -c '
- ' -m add'
condition: 1 of selection_*
falsepositives:
- Unknown
level: high