blue-team-tools/rules/windows/process_creation/proc_creation_win_susp_sharpview.yml

title: Suspicious Execution of SharpView Aka PowerView
id: b2317cfa-4a47-4ead-b3ff-297438c0bc2d
status: experimental
description: Adversaries may look for details about the network configuration and settings of systems they access or through information discovery of remote systems
references:
    - https://github.com/tevora-threat/SharpView/
    - https://github.com/PowerShellMafia/PowerSploit/blob/dev/Recon/PowerView.ps1
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1049/T1049.md#atomic-test-4---system-discovery-using-sharpview
author: frack113
date: 2021/12/10
modified: 2022/09/27
tags:
    - attack.discovery
    - attack.t1049
    - attack.t1069.002
    - attack.t1482
    - attack.t1135
    - attack.t1033
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        - OriginalFileName: SharpView.exe
        - Image|endswith: '\SharpView.exe'
        - CommandLine|contains:
            - Get-DomainGPOUserLocalGroupMapping
            - Find-GPOLocation
            - Get-DomainGPOComputerLocalGroupMapping
            - Find-GPOComputerAdmin
            - Get-DomainObjectAcl
            #- Get-ObjectAcl
            - Add-DomainObjectAcl
            - Add-ObjectAcl
            - Remove-DomainObjectAcl
            - Get-RegLoggedOn
            - Get-LoggedOnLocal
            - Get-NetRDPSession
            - Test-AdminAccess
            - Invoke-CheckLocalAdminAccess
            - Get-WMIProcess
            - Get-NetProcess
            - Get-WMIRegProxy
            #- Get-Proxy
            - Get-WMIRegLastLoggedOn
            - Get-LastLoggedOn
            - Get-WMIRegCachedRDPConnection
            - Get-CachedRDPConnection
            - Get-WMIRegMountedDrive
            - Get-RegistryMountedDrive
            - Find-InterestingDomainAcl
            - Invoke-ACLScanner
            - Get-NetShare
            - Get-NetLoggedon
            - Get-NetLocalGroup
            - Get-NetLocalGroupMember
            - Get-NetSession
            - Get-PathAcl
            - ConvertFrom-UACValue
            - Get-PrincipalContext
            - New-DomainGroup
            - New-DomainUser
            - Add-DomainGroupMember
            - Set-DomainUserPassword
            - Invoke-Kerberoast
            - Export-PowerViewCSV
            - Find-LocalAdminAccess
            - Find-DomainLocalGroupMember
            - Find-DomainShare
            - Find-DomainUserEvent
            - Find-DomainProcess
            - Find-DomainUserLocation
            - Find-InterestingFile
            - Find-InterestingDomainShareFile
            - Find-DomainObjectPropertyOutlier
            #- TestMethod
            #- Get-Domain
            - Get-NetDomain
            - Get-DomainComputer
            - Get-NetComputer
            - Get-DomainController
            - Get-NetDomainController
            - Get-DomainFileServer
            - Get-NetFileServer
            - Convert-ADName
            - Get-DomainObject
            - Get-ADObject
            - Get-DomainUser
            - Get-NetUser
            - Get-DomainGroup
            #- Get-NetGroup
            - Get-DomainDFSShare
            - Get-DFSshare
            - Get-DomainDNSRecord
            #- Get-DNSRecord
            #- Get-DomainDNSZone
            #- Get-DNSZone
            - Get-DomainForeignGroupMember
            - Find-ForeignGroup
            - Get-DomainForeignUser
            - Find-ForeignUser
            - ConvertFrom-SID
            - Convert-SidToName
            - Get-DomainGroupMember
            - Get-NetGroupMember
            - Get-DomainManagedSecurityGroup
            - Find-ManagedSecurityGroups
            - Get-DomainOU
            - Get-NetOU
            - Get-DomainSID
            #- Get-Forest
            - Get-NetForest
            - Get-ForestTrust
            - Get-NetForestTrust
            - Get-DomainTrust
            - Get-NetDomainTrust
            - Get-ForestDomain
            - Get-NetForestDomain
            - Get-DomainSite
            - Get-NetSite
            - Get-DomainSubnet
            - Get-NetSubnet
            - Get-DomainTrustMapping
            - Invoke-MapDomainTrust
            - Get-ForestGlobalCatalog
            - Get-NetForestCatalog
            - Get-DomainUserEvent
            #- Get-UserEvent
            - Get-DomainGUIDMap
            #- Get-GUIDMap
            - Resolve-IPAddress
            #- Get-IPAddress
            - ConvertTo-SID
            - Invoke-UserImpersonation
            #- Invoke-RevertToSelf
            - Get-DomainSPNTicket
            - Request-SPNTicket
            - Get-NetComputerSiteName
            #- Get-SiteName
            - Get-DomainGPO
            - Get-NetGPO
            - Set-DomainObject
            #- Set-ADObject
            - Add-RemoteConnection
            - Remove-RemoteConnection
            #- Get-IniContent
            - Get-GptTmpl
            - Get-GroupsXML
            - Get-DomainPolicyData
            - Get-DomainPolicy
            - Get-DomainGPOLocalGroup
            - Get-NetGPOGroup
            - Invoke-Sharefinder
    condition: selection
falsepositives:
    - Unknown
level: high