From 2fe25f3c80a1ddb23a53800313176406a3bb32be Mon Sep 17 00:00:00 2001
From: Florian Roth
Date: Thu, 15 Sep 2022 16:50:34 +0200
Subject: [PATCH] rule: sharpersist usage
---
 .../proc_creation_win_hack_sharpersist.yml | 42 +++++++++++++++++++
 1 file changed, 42 insertions(+)
 create mode 100644 rules/windows/process_creation/proc_creation_win_hack_sharpersist.yml
diff --git a/rules/windows/process_creation/proc_creation_win_hack_sharpersist.yml b/rules/windows/process_creation/proc_creation_win_hack_sharpersist.yml
new file mode 100644
index 000000000..02c36329a
--- /dev/null
+++ b/rules/windows/process_creation/proc_creation_win_hack_sharpersist.yml
@@ -0,0 +1,42 @@
+title: SharPersist Usage
+id: 26488ad0-f9fd-4536-876f-52fea846a2e4
+status: experimental
+description: Detects the execution of the hacktool SharPersist - used to deploy various different kinds of persistence mechanisms
+author: Florian Roth
+references:
+ - https://www.mandiant.com/resources/blog/sharpersist-windows-persistence-toolkit
+ - https://github.com/mandiant/SharPersist
+date: 2022/09/15
+logsource:
+ category: process_creation
+ product: windows
+tags:
+ - attack.persistence
+ - attack.t1053
+ - attack.t1060
+ - attack.t1050
+detection:
+ selection1:
+ Image|endswith: '\SharPersist.exe'
+ selection2:
+ Product: 'SharPersist'
+ selection3:
+ CommandLine|contains:
+ - ' -t schtask -c '
+ - ' -t startupfolder -c '
+ selection4:
+ CommandLine|contains|all:
+ - ' -t reg -c '
+ - ' -m add'
+ selection5:
+ CommandLine|contains|all:
+ - ' -t service -c '
+ - ' -m add'
+ selection6:
+ CommandLine|contains|all:
+ - ' -t schtask -c '
+ - ' -m add'
+ condition: selection
+falsepositives:
+ - Unknown
+level: high
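Review bot: The `condition: selection` line near the end of the hunk references an identifier the rule never defines; the detection block only declares selection1 through selection6, so the condition cannot resolve and the rule will either be rejected by the Sigma tooling or never fire. Change it to `condition: 1 of selection*` so that any one of the six selections is enough to trigger. selection6 (`' -t schtask -c '` together with `' -m add'`) is already matched by selection3's plain `' -t schtask -c '` substring and adds nothing, so it can be dropped to keep the rule smaller. The tags attack.t1060 and attack.t1050 point at technique IDs MITRE has since deprecated (their current equivalents are attack.t1547.001 and attack.t1543.003), so tag-based mapping in downstream tooling may silently miss this rule until they are updated.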