rules/windows/process_creation/proc_creation_win_hktl_sharpview.yml

title: HackTool - SharpView Execution
id: b2317cfa-4a47-4ead-b3ff-297438c0bc2d
related:
    - id: dcd74b95-3f36-4ed9-9598-0490951643aa
      type: similar
status: experimental
description: Adversaries may look for details about the network configuration and settings of systems they access or through information discovery of remote systems
references:
    - https://github.com/tevora-threat/SharpView/
    - https://github.com/PowerShellMafia/PowerSploit/blob/dev/Recon/PowerView.ps1
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1049/T1049.md#atomic-test-4---system-discovery-using-sharpview
author: frack113
date: 2021/12/10
modified: 2023/02/14
tags:
    - attack.discovery
    - attack.t1049
    - attack.t1069.002
    - attack.t1482
    - attack.t1135
    - attack.t1033
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        - OriginalFileName: 'SharpView.exe'
        - Image|endswith: '\SharpView.exe'
        - CommandLine|contains:
            #- 'Add-DomainGroupMember'
            #- 'Add-DomainObjectAcl'
            #- 'Add-ObjectAcl'
            - 'Add-RemoteConnection'
            - 'Convert-ADName'
            - 'ConvertFrom-SID'
            - 'ConvertFrom-UACValue'
            - 'Convert-SidToName'
            #- 'ConvertTo-SID'
            - 'Export-PowerViewCSV'
            #- 'Find-DomainLocalGroupMember'
            - 'Find-DomainObjectPropertyOutlier'
            - 'Find-DomainProcess'
            - 'Find-DomainShare'
            - 'Find-DomainUserEvent'
            - 'Find-DomainUserLocation'
            - 'Find-ForeignGroup'
            - 'Find-ForeignUser'
            - 'Find-GPOComputerAdmin'
            - 'Find-GPOLocation'
            - 'Find-Interesting' # 'Find-InterestingDomainAcl', 'Find-InterestingDomainShareFile', 'Find-InterestingFile'
            - 'Find-LocalAdminAccess'
            - 'Find-ManagedSecurityGroups'
            #- 'Get-ADObject'
            - 'Get-CachedRDPConnection'
            - 'Get-DFSshare'
            #- 'Get-DNSRecord'
            #- 'Get-DNSZone'
            #- 'Get-Domain'
            - 'Get-DomainComputer'
            - 'Get-DomainController'
            - 'Get-DomainDFSShare'
            - 'Get-DomainDNSRecord'
            #- 'Get-DomainDNSZone'
            - 'Get-DomainFileServer'
            - 'Get-DomainForeign' # 'Get-DomainForeignGroupMember', 'Get-DomainForeignUser'
            - 'Get-DomainGPO' # 'Get-DomainGPOComputerLocalGroupMapping', 'Get-DomainGPOLocalGroup', 'Get-DomainGPOUserLocalGroupMapping'
            - 'Get-DomainGroup' # 'Get-DomainGroupMember'
            - 'Get-DomainGUIDMap'
            - 'Get-DomainManagedSecurityGroup'
            - 'Get-DomainObject' # 'Get-DomainObjectAcl'
            - 'Get-DomainOU'
            - 'Get-DomainPolicy' # 'Get-DomainPolicyData'
            - 'Get-DomainSID'
            - 'Get-DomainSite'
            - 'Get-DomainSPNTicket'
            - 'Get-DomainSubnet'
            - 'Get-DomainTrust' # 'Get-DomainTrustMapping'
            #- 'Get-DomainUser'
            - 'Get-DomainUserEvent'
            #- 'Get-Forest'
            - 'Get-ForestDomain'
            - 'Get-ForestGlobalCatalog'
            - 'Get-ForestTrust'
            - 'Get-GptTmpl'
            - 'Get-GroupsXML'
            #- 'Get-GUIDMap'
            #- 'Get-IniContent'
            #- 'Get-IPAddress'
            - 'Get-LastLoggedOn'
            - 'Get-LoggedOnLocal'
            - 'Get-NetComputer' # 'Get-NetComputerSiteName'
            - 'Get-NetDomain' # 'Get-NetDomainController', 'Get-NetDomainTrust'
            - 'Get-NetFileServer'
            - 'Get-NetForest' # 'Get-NetForestCatalog', 'Get-NetForestDomain', 'Get-NetForestTrust'
            - 'Get-NetGPO' # 'Get-NetGPOGroup'
            #- 'Get-NetGroup'
            - 'Get-NetGroupMember'
            - 'Get-NetLocalGroup' # 'Get-NetLocalGroupMember'
            - 'Get-NetLoggedon'
            - 'Get-NetOU'
            - 'Get-NetProcess'
            - 'Get-NetRDPSession'
            - 'Get-NetSession'
            - 'Get-NetShare'
            - 'Get-NetSite'
            - 'Get-NetSubnet'
            - 'Get-NetUser'
            #- 'Get-ObjectAcl'
            - 'Get-PathAcl'
            - 'Get-PrincipalContext'
            #- 'Get-Proxy'
            - 'Get-RegistryMountedDrive'
            - 'Get-RegLoggedOn'
            #- 'Get-SiteName'
            #- 'Get-UserEvent'
            #- 'Get-WMIProcess'
            - 'Get-WMIRegCachedRDPConnection'
            - 'Get-WMIRegLastLoggedOn'
            - 'Get-WMIRegMountedDrive'
            - 'Get-WMIRegProxy'
            - 'Invoke-ACLScanner'
            - 'Invoke-CheckLocalAdminAccess'
            - 'Invoke-Kerberoast'
            - 'Invoke-MapDomainTrust'
            - 'Invoke-RevertToSelf'
            - 'Invoke-Sharefinder'
            - 'Invoke-UserImpersonation'
            #- 'New-DomainGroup'
            #- 'New-DomainUser'
            - 'Remove-DomainObjectAcl'
            - 'Remove-RemoteConnection'
            - 'Request-SPNTicket'
            #- 'Resolve-IPAddress'
            #- 'Set-ADObject'
            - 'Set-DomainObject'
            #- 'Set-DomainUserPassword'
            - 'Test-AdminAccess'
    condition: selection
falsepositives:
    - Unknown
level: high
feat: updates and enhancements 2023-02-14 00:51:20 +01:00			`title: HackTool - SharpView Execution`
$frack113$ Windows T1049 RedCannary 2021-12-11 09:38:20 +01:00			`id: b2317cfa-4a47-4ead-b3ff-297438c0bc2d`
feat: multiple updates and enhancements 2023-01-30 20:02:45 +01:00			`related:`
			`- id: dcd74b95-3f36-4ed9-9598-0490951643aa`
			`type: similar`
$frack113$ Windows T1049 RedCannary 2021-12-11 09:38:20 +01:00			`status: experimental`
			`description: Adversaries may look for details about the network configuration and settings of systems they access or through information discovery of remote systems`
			`references:`
			`- https://github.com/tevora-threat/SharpView/`
			`- https://github.com/PowerShellMafia/PowerSploit/blob/dev/Recon/PowerView.ps1`
Update Ref+Selection 2 2022-07-11 17:48:40 +01:00			`- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1049/T1049.md#atomic-test-4---system-discovery-using-sharpview`
$frack113$ order yaml 2022-10-28 15:06:36 +02:00			`author: frack113`
$frack113$ Windows T1049 RedCannary 2021-12-11 09:38:20 +01:00			`date: 2021/12/10`
feat: updates and enhancements 2023-02-14 00:51:20 +01:00			`modified: 2023/02/14`
$frack113$ order yaml 2022-10-28 15:06:36 +02:00			`tags:`
			`- attack.discovery`
			`- attack.t1049`
			`- attack.t1069.002`
			`- attack.t1482`
			`- attack.t1135`
			`- attack.t1033`
$frack113$ Windows T1049 RedCannary 2021-12-11 09:38:20 +01:00			`logsource:`
			`category: process_creation`
			`product: windows`
			`detection:`
Add %tmp% env variable 2022-09-13 10:49:14 +02:00			`selection:`
feat: multiple updates and enhancements 2023-01-30 20:02:45 +01:00			`- OriginalFileName: 'SharpView.exe'`
Add %tmp% env variable 2022-09-13 10:49:14 +02:00			`- Image\|endswith: '\SharpView.exe'`
Merge branch 'master' into rule-devel 2022-09-27 10:29:03 +02:00			`- CommandLine\|contains:`
feat: multiple updates and enhancements 2023-01-30 20:02:45 +01:00			`#- 'Add-DomainGroupMember'`
			`#- 'Add-DomainObjectAcl'`
			`#- 'Add-ObjectAcl'`
			`- 'Add-RemoteConnection'`
			`- 'Convert-ADName'`
			`- 'ConvertFrom-SID'`
			`- 'ConvertFrom-UACValue'`
			`- 'Convert-SidToName'`
			`#- 'ConvertTo-SID'`
			`- 'Export-PowerViewCSV'`
			`#- 'Find-DomainLocalGroupMember'`
			`- 'Find-DomainObjectPropertyOutlier'`
			`- 'Find-DomainProcess'`
			`- 'Find-DomainShare'`
			`- 'Find-DomainUserEvent'`
			`- 'Find-DomainUserLocation'`
			`- 'Find-ForeignGroup'`
			`- 'Find-ForeignUser'`
			`- 'Find-GPOComputerAdmin'`
			`- 'Find-GPOLocation'`
			`- 'Find-Interesting' # 'Find-InterestingDomainAcl', 'Find-InterestingDomainShareFile', 'Find-InterestingFile'`
			`- 'Find-LocalAdminAccess'`
			`- 'Find-ManagedSecurityGroups'`
			`#- 'Get-ADObject'`
			`- 'Get-CachedRDPConnection'`
			`- 'Get-DFSshare'`
			`#- 'Get-DNSRecord'`
			`#- 'Get-DNSZone'`
			`#- 'Get-Domain'`
			`- 'Get-DomainComputer'`
			`- 'Get-DomainController'`
			`- 'Get-DomainDFSShare'`
			`- 'Get-DomainDNSRecord'`
			`#- 'Get-DomainDNSZone'`
			`- 'Get-DomainFileServer'`
			`- 'Get-DomainForeign' # 'Get-DomainForeignGroupMember', 'Get-DomainForeignUser'`
			`- 'Get-DomainGPO' # 'Get-DomainGPOComputerLocalGroupMapping', 'Get-DomainGPOLocalGroup', 'Get-DomainGPOUserLocalGroupMapping'`
			`- 'Get-DomainGroup' # 'Get-DomainGroupMember'`
			`- 'Get-DomainGUIDMap'`
			`- 'Get-DomainManagedSecurityGroup'`
			`- 'Get-DomainObject' # 'Get-DomainObjectAcl'`
			`- 'Get-DomainOU'`
			`- 'Get-DomainPolicy' # 'Get-DomainPolicyData'`
			`- 'Get-DomainSID'`
			`- 'Get-DomainSite'`
			`- 'Get-DomainSPNTicket'`
			`- 'Get-DomainSubnet'`
			`- 'Get-DomainTrust' # 'Get-DomainTrustMapping'`
			`#- 'Get-DomainUser'`
			`- 'Get-DomainUserEvent'`
			`#- 'Get-Forest'`
			`- 'Get-ForestDomain'`
			`- 'Get-ForestGlobalCatalog'`
			`- 'Get-ForestTrust'`
			`- 'Get-GptTmpl'`
			`- 'Get-GroupsXML'`
			`#- 'Get-GUIDMap'`
			`#- 'Get-IniContent'`
			`#- 'Get-IPAddress'`
			`- 'Get-LastLoggedOn'`
			`- 'Get-LoggedOnLocal'`
			`- 'Get-NetComputer' # 'Get-NetComputerSiteName'`
			`- 'Get-NetDomain' # 'Get-NetDomainController', 'Get-NetDomainTrust'`
			`- 'Get-NetFileServer'`
			`- 'Get-NetForest' # 'Get-NetForestCatalog', 'Get-NetForestDomain', 'Get-NetForestTrust'`
			`- 'Get-NetGPO' # 'Get-NetGPOGroup'`
			`#- 'Get-NetGroup'`
			`- 'Get-NetGroupMember'`
			`- 'Get-NetLocalGroup' # 'Get-NetLocalGroupMember'`
			`- 'Get-NetLoggedon'`
			`- 'Get-NetOU'`
			`- 'Get-NetProcess'`
			`- 'Get-NetRDPSession'`
			`- 'Get-NetSession'`
			`- 'Get-NetShare'`
			`- 'Get-NetSite'`
			`- 'Get-NetSubnet'`
			`- 'Get-NetUser'`
			`#- 'Get-ObjectAcl'`
			`- 'Get-PathAcl'`
			`- 'Get-PrincipalContext'`
			`#- 'Get-Proxy'`
			`- 'Get-RegistryMountedDrive'`
			`- 'Get-RegLoggedOn'`
			`#- 'Get-SiteName'`
			`#- 'Get-UserEvent'`
			`#- 'Get-WMIProcess'`
			`- 'Get-WMIRegCachedRDPConnection'`
			`- 'Get-WMIRegLastLoggedOn'`
			`- 'Get-WMIRegMountedDrive'`
			`- 'Get-WMIRegProxy'`
			`- 'Invoke-ACLScanner'`
			`- 'Invoke-CheckLocalAdminAccess'`
			`- 'Invoke-Kerberoast'`
			`- 'Invoke-MapDomainTrust'`
			`- 'Invoke-RevertToSelf'`
			`- 'Invoke-Sharefinder'`
			`- 'Invoke-UserImpersonation'`
			`#- 'New-DomainGroup'`
			`#- 'New-DomainUser'`
			`- 'Remove-DomainObjectAcl'`
			`- 'Remove-RemoteConnection'`
			`- 'Request-SPNTicket'`
			`#- 'Resolve-IPAddress'`
			`#- 'Set-ADObject'`
			`- 'Set-DomainObject'`
			`#- 'Set-DomainUserPassword'`
			`- 'Test-AdminAccess'`
Add %tmp% env variable 2022-09-13 10:49:14 +02:00			`condition: selection`
$frack113$ Windows T1049 RedCannary 2021-12-11 09:38:20 +01:00			`falsepositives:`
fix: remove penetration test as valid false positive reason 2022-03-16 14:23:48 +01:00			`- Unknown`
$frack113$ Windows T1049 RedCannary 2021-12-11 09:38:20 +01:00			`level: high`