← Back to Explore
sigmacriticalHunting
HackTool - SharpUp PrivEsc Tool Execution
Detects the use of SharpUp, a tool for local privilege escalation
Detection Query
selection:
- Image|endswith: \SharpUp.exe
- Description: SharpUp
- CommandLine|contains:
- HijackablePaths
- UnquotedServicePath
- ProcessDLLHijack
- ModifiableServiceBinaries
- ModifiableScheduledTask
- DomainGPPPassword
- CachedGPPPassword
condition: selection
Author
Florian Roth (Nextron Systems)
Created
2022-08-20
Data Sources
windowsProcess Creation Events
Platforms
windows
References
Tags
attack.persistenceattack.defense-evasionattack.privilege-escalationattack.discoveryattack.executionattack.t1615attack.t1569.002attack.t1574.005
Raw Content
title: HackTool - SharpUp PrivEsc Tool Execution
id: c484e533-ee16-4a93-b6ac-f0ea4868b2f1
status: test
description: Detects the use of SharpUp, a tool for local privilege escalation
references:
- https://github.com/GhostPack/SharpUp
author: Florian Roth (Nextron Systems)
date: 2022-08-20
modified: 2023-02-13
tags:
- attack.persistence
- attack.defense-evasion
- attack.privilege-escalation
- attack.discovery
- attack.execution
- attack.t1615
- attack.t1569.002
- attack.t1574.005
logsource:
category: process_creation
product: windows
detection:
selection:
- Image|endswith: '\SharpUp.exe'
- Description: 'SharpUp'
- CommandLine|contains:
- 'HijackablePaths'
- 'UnquotedServicePath'
- 'ProcessDLLHijack'
- 'ModifiableServiceBinaries'
- 'ModifiableScheduledTask'
- 'DomainGPPPassword'
- 'CachedGPPPassword'
condition: selection
falsepositives:
- Unknown
level: critical