EXPLORE
Sign In
← Back to Explore
sigmahighHunting

HackTool - SharpChisel Execution

Detects usage of the Sharp Chisel via the commandline arguments

MITRE ATT&CK

T1090.001
command-and-control

Detection Query

selection:
  - Image|endswith: \SharpChisel.exe
  - Product: SharpChisel
condition: selection

Author

Nasreddine Bencherchali (Nextron Systems)

Created

2022-09-05

Data Sources

windowsProcess Creation Events

Platforms

windows

References

Tags

attack.command-and-controlattack.t1090.001
Raw Content
title: HackTool - SharpChisel Execution
id: cf93e05e-d798-4d9e-b522-b0248dc61eaf
related:
    - id: 8b0e12da-d3c3-49db-bb4f-256703f380e5
      type: similar
status: test
description: Detects usage of the Sharp Chisel via the commandline arguments
references:
    - https://github.com/shantanu561993/SharpChisel
    - https://www.sentinelone.com/labs/wading-through-muddy-waters-recent-activity-of-an-iranian-state-sponsored-threat-actor/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-09-05
modified: 2023-02-13
tags:
    - attack.command-and-control
    - attack.t1090.001
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        - Image|endswith: '\SharpChisel.exe'
        - Product: 'SharpChisel'
    # See rule 8b0e12da-d3c3-49db-bb4f-256703f380e5 for Chisel.exe coverage
    condition: selection
falsepositives:
    - Unlikely
level: high