```yaml
title: Suspicious Execution of SharpView Aka PowerView
id: b2317cfa-4a47-4ead-b3ff-297438c0bc2d
status: experimental
description: Detects execution of SharpView, a .NET port of PowerView, by file name, or PowerView/SharpView function names on the command line. Adversaries may use these tools to discover the network configuration and settings of the systems they access, or to discover remote systems, users, groups, shares and domain trusts.
references:
    - https://github.com/tevora-threat/SharpView/
    - https://github.com/PowerShellMafia/PowerSploit/blob/dev/Recon/PowerView.ps1
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1049/T1049.md#atomic-test-4---system-discovery-using-sharpview
author: frack113
date: 2021/12/10
modified: 2022/09/27
tags:
    - attack.discovery
    - attack.t1049
    - attack.t1069.002
    - attack.t1482
    - attack.t1135
    - attack.t1033
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        - OriginalFileName: SharpView.exe
        - Image|endswith: '\SharpView.exe'
        - CommandLine|contains:
            - Get-DomainGPOUserLocalGroupMapping
            - Find-GPOLocation
            - Get-DomainGPOComputerLocalGroupMapping
            - Find-GPOComputerAdmin
            - Get-DomainObjectAcl
            #- Get-ObjectAcl
            - Add-DomainObjectAcl
            - Add-ObjectAcl
            - Remove-DomainObjectAcl
            - Get-RegLoggedOn
            - Get-LoggedOnLocal
            - Get-NetRDPSession
            - Test-AdminAccess
            - Invoke-CheckLocalAdminAccess
            - Get-WMIProcess
            - Get-NetProcess
            - Get-WMIRegProxy
            #- Get-Proxy
            - Get-WMIRegLastLoggedOn
            - Get-LastLoggedOn
            - Get-WMIRegCachedRDPConnection
            - Get-CachedRDPConnection
            - Get-WMIRegMountedDrive
            - Get-RegistryMountedDrive
            - Find-InterestingDomainAcl
            - Invoke-ACLScanner
            - Get-NetShare
            - Get-NetLoggedon
            - Get-NetLocalGroup
            - Get-NetLocalGroupMember
            - Get-NetSession
            - Get-PathAcl
            - ConvertFrom-UACValue
            - Get-PrincipalContext
            - New-DomainGroup
            - New-DomainUser
            - Add-DomainGroupMember
            - Set-DomainUserPassword
            - Invoke-Kerberoast
            - Export-PowerViewCSV
            - Find-LocalAdminAccess
            - Find-DomainLocalGroupMember
            - Find-DomainShare
            - Find-DomainUserEvent
            - Find-DomainProcess
            - Find-DomainUserLocation
            - Find-InterestingFile
            - Find-InterestingDomainShareFile
            - Find-DomainObjectPropertyOutlier
            #- TestMethod
            #- Get-Domain
            - Get-NetDomain
            - Get-DomainComputer
            - Get-NetComputer
            - Get-DomainController
            - Get-NetDomainController
            - Get-DomainFileServer
            - Get-NetFileServer
            - Convert-ADName
            - Get-DomainObject
            - Get-ADObject
            - Get-DomainUser
            - Get-NetUser
            - Get-DomainGroup
            #- Get-NetGroup
            - Get-DomainDFSShare
            - Get-DFSshare
            - Get-DomainDNSRecord
            #- Get-DNSRecord
            #- Get-DomainDNSZone
            #- Get-DNSZone
            - Get-DomainForeignGroupMember
            - Find-ForeignGroup
            - Get-DomainForeignUser
            - Find-ForeignUser
            - ConvertFrom-SID
            - Convert-SidToName
            - Get-DomainGroupMember
            - Get-NetGroupMember
            - Get-DomainManagedSecurityGroup
            - Find-ManagedSecurityGroups
            - Get-DomainOU
            - Get-NetOU
            - Get-DomainSID
            #- Get-Forest
            - Get-NetForest
            - Get-ForestTrust
            - Get-NetForestTrust
            - Get-DomainTrust
            - Get-NetDomainTrust
            - Get-ForestDomain
            - Get-NetForestDomain
            - Get-DomainSite
            - Get-NetSite
            - Get-DomainSubnet
            - Get-NetSubnet
            - Get-DomainTrustMapping
            - Invoke-MapDomainTrust
            - Get-ForestGlobalCatalog
            - Get-NetForestCatalog
            - Get-DomainUserEvent
            #- Get-UserEvent
            - Get-DomainGUIDMap
            #- Get-GUIDMap
            - Resolve-IPAddress
            #- Get-IPAddress
            - ConvertTo-SID
            - Invoke-UserImpersonation
            #- Invoke-RevertToSelf
            - Get-DomainSPNTicket
            - Request-SPNTicket
            - Get-NetComputerSiteName
            #- Get-SiteName
            - Get-DomainGPO
            - Get-NetGPO
            - Set-DomainObject
            #- Set-ADObject
            - Add-RemoteConnection
            - Remove-RemoteConnection
            #- Get-IniContent
            - Get-GptTmpl
            - Get-GroupsXML
            - Get-DomainPolicyData
            - Get-DomainPolicy
            - Get-DomainGPOLocalGroup
            - Get-NetGPOGroup
            - Invoke-Sharefinder
    condition: selection
falsepositives:
    - Administrative use of the Microsoft ActiveDirectory module's Get-ADObject cmdlet, whose name is also in the command-line list
    - Unknown
level: high
```
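The rule's selection logic, run over constructed process_creation events. This is an added example and is not part of the Sigma rule or of the SharpView or PowerView projects: it hand-codes the three OR-ed selection items, reproduces only a subset of the rule's `CommandLine|contains` list, and every sample event, path and user name is constructed. The `decode` option goes beyond the rule as written and also scans the script hidden behind PowerShell's `-EncodedCommand`, to show which events the plain command-line match misses.

```python
import base64
import re

# Subset of the rule's CommandLine|contains values (the full list is in the rule).
POWERVIEW_NAMES = (
    "Get-DomainGPOUserLocalGroupMapping",
    "Get-DomainObjectAcl",
    "Find-LocalAdminAccess",
    "Invoke-Kerberoast",
    "Get-NetDomain",
    "Get-DomainTrust",
    "Get-ADObject",  # also the name of a Microsoft ActiveDirectory-module cmdlet
    "Invoke-Sharefinder",
)

# PowerShell accepts -e / -ec / -enc / -EncodedCommand followed by base64 (UTF-16LE script).
_ENC_RE = re.compile(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.I)


def decode_encoded_command(cmdline: str) -> str:
    """Return the script hidden behind -EncodedCommand, or '' if there is none."""
    m = _ENC_RE.search(cmdline)
    if not m:
        return ""
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return ""


def matches_selection(event: dict, decode: bool = False) -> list[str]:
    """Names of the OR-ed selection items that matched; an empty list means no alert.

    A Sigma selection written as a YAML list of maps is OR-ed, and Sigma string
    modifiers (endswith, contains) are case-insensitive, so values are lower-cased.
    decode=True is an extension beyond the rule: the decoded -EncodedCommand is scanned too.
    """
    hits = []
    original = event.get("OriginalFileName", "").lower()
    image = event.get("Image", "").lower()
    cmdline = event.get("CommandLine", "")
    if decode:
        cmdline += " " + decode_encoded_command(cmdline)
    cmdline = cmdline.lower()

    if original == "sharpview.exe":
        hits.append("OriginalFileName")
    if image.endswith("\\sharpview.exe"):
        hits.append("Image|endswith")
    names = [n for n in POWERVIEW_NAMES if n.lower() in cmdline]
    if names:
        hits.append("CommandLine|contains: " + ", ".join(names))
    return hits


PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
# Constructed sample events (not real telemetry); field names follow Sigma's process_creation model.
SAMPLE_EVENTS = [
    {   # 0: SharpView run under its own name: all three selection items fire
        "Image": r"C:\Tools\SharpView.exe", "OriginalFileName": "SharpView.exe",
        "CommandLine": r"SharpView.exe Get-NetDomain"},
    {   # 1: SharpView renamed on disk: the PE-header OriginalFileName still gives it away
        "Image": r"C:\Users\jdoe\AppData\Local\Temp\svchost.exe", "OriginalFileName": "SharpView.exe",
        "CommandLine": r"C:\Users\jdoe\AppData\Local\Temp\svchost.exe Get-DomainTrust"},
    {   # 2: PowerView loaded in memory, cmdlet typed inline: only the command-line item fires
        "Image": PS, "OriginalFileName": "PowerShell.EXE",
        "CommandLine": r'powershell.exe -nop -c "IEX (gc .\PowerView.ps1 -Raw); Invoke-Kerberoast -OutputFormat Hashcat"'},
    {   # 3: blind spot: the cmdlet name lives inside the script file, not on the command line
        "Image": PS, "OriginalFileName": "PowerShell.EXE",
        "CommandLine": r"powershell.exe -ExecutionPolicy Bypass -File C:\Users\jdoe\recon.ps1"},
    {   # 4: blind spot: -EncodedCommand hides the cmdlet name from a plain substring match
        "Image": PS, "OriginalFileName": "PowerShell.EXE",
        "CommandLine": "powershell.exe -nop -w hidden -enc "
        + base64.b64encode("Invoke-Kerberoast -OutputFormat Hashcat".encode("utf-16-le")).decode()},
    {   # 5: false positive: the ActiveDirectory module's Get-ADObject shares a name with the list
        "Image": PS, "OriginalFileName": "PowerShell.EXE",
        "CommandLine": "powershell.exe -c \"Get-ADObject -Filter * -SearchBase 'OU=Servers,DC=corp,DC=local'\""},
]


def evaluate(events=SAMPLE_EVENTS, decode: bool = False) -> dict[int, list[str]]:
    """Map event index -> matched selection items, for the events that would alert."""
    return {i: h for i, e in enumerate(events) if (h := matches_selection(e, decode))}


if __name__ == "__main__":
    for label, decode in (("rule as written", False), ("with -EncodedCommand decoding", True)):
        print(label)
        for i, hits in evaluate(decode=decode).items():
            print(f"  event {i}: ALERT via {hits}")
```

Events 3 and 4 show why a `CommandLine|contains` rule is a partial control for script-based tooling: a cmdlet name inside a `.ps1` or behind `-EncodedCommand` never reaches the process-creation command line, and PowerShell script block logging (Event ID 4104) is the log source that sees it. Event 5 shows the cost of keeping `Get-ADObject` in the list, since that string also matches routine administration with the ActiveDirectory module.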