← Back to Explore
sigmahighHunting
HackTool - SharpImpersonation Execution
Detects execution of the SharpImpersonation tool. Which can be used to manipulate tokens on a Windows computers remotely (PsExec/WmiExec) or interactively
Detection Query
selection_img:
- Image|endswith: \SharpImpersonation.exe
- OriginalFileName: SharpImpersonation.exe
selection_cli:
- CommandLine|contains|all:
- " user:"
- " binary:"
- CommandLine|contains|all:
- " user:"
- " shellcode:"
- CommandLine|contains:
- " technique:CreateProcessAsUserW"
- " technique:ImpersonateLoggedOnuser"
condition: 1 of selection_*
Author
Sai Prashanth Pulisetti @pulisettis, Nasreddine Bencherchali (Nextron Systems)
Created
2022-12-27
Data Sources
windowsProcess Creation Events
Platforms
windows
References
Tags
attack.privilege-escalationattack.defense-evasionattack.t1134.001attack.t1134.003
Raw Content
title: HackTool - SharpImpersonation Execution
id: f89b08d0-77ad-4728-817b-9b16c5a69c7a
related:
- id: cf0c254b-22f1-4b2b-8221-e137b3c0af94
type: similar
status: test
description: Detects execution of the SharpImpersonation tool. Which can be used to manipulate tokens on a Windows computers remotely (PsExec/WmiExec) or interactively
references:
- https://s3cur3th1ssh1t.github.io/SharpImpersonation-Introduction/
- https://github.com/S3cur3Th1sSh1t/SharpImpersonation
author: Sai Prashanth Pulisetti @pulisettis, Nasreddine Bencherchali (Nextron Systems)
date: 2022-12-27
modified: 2023-02-13
tags:
- attack.privilege-escalation
- attack.defense-evasion
- attack.t1134.001
- attack.t1134.003
logsource:
product: windows
category: process_creation
detection:
selection_img:
- Image|endswith: '\SharpImpersonation.exe'
- OriginalFileName: 'SharpImpersonation.exe'
selection_cli:
- CommandLine|contains|all:
- ' user:'
- ' binary:'
- CommandLine|contains|all:
- ' user:'
- ' shellcode:'
- CommandLine|contains:
- ' technique:CreateProcessAsUserW'
- ' technique:ImpersonateLoggedOnuser'
condition: 1 of selection_*
falsepositives:
- Unknown
level: high