title: HackTool - SharpView Execution id: b2317cfa-4a47-4ead-b3ff-297438c0bc2d related: - id: dcd74b95-3f36-4ed9-9598-0490951643aa type: similar status: test description: Adversaries may look for details about the network configuration and settings of systems they access or through information discovery of remote systems references: - https://github.com/tevora-threat/SharpView/ - https://github.com/PowerShellMafia/PowerSploit/blob/d943001a7defb5e0d1657085a77a0e78609be58f/Recon/PowerView.ps1 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1049/T1049.md#atomic-test-4---system-discovery-using-sharpview author: frack113 date: 2021-12-10 modified: 2023-02-14 tags: - attack.discovery - attack.t1049 - attack.t1069.002 - attack.t1482 - attack.t1135 - attack.t1033 logsource: category: process_creation product: windows detection: selection: - OriginalFileName: 'SharpView.exe' - Image|endswith: '\SharpView.exe' - CommandLine|contains: # - 'Add-DomainGroupMember' # - 'Add-DomainObjectAcl' # - 'Add-ObjectAcl' - 'Add-RemoteConnection' - 'Convert-ADName' - 'ConvertFrom-SID' - 'ConvertFrom-UACValue' - 'Convert-SidToName' # - 'ConvertTo-SID' - 'Export-PowerViewCSV' # - 'Find-DomainLocalGroupMember' - 'Find-DomainObjectPropertyOutlier' - 'Find-DomainProcess' - 'Find-DomainShare' - 'Find-DomainUserEvent' - 'Find-DomainUserLocation' - 'Find-ForeignGroup' - 'Find-ForeignUser' - 'Find-GPOComputerAdmin' - 'Find-GPOLocation' - 'Find-Interesting' # 'Find-InterestingDomainAcl', 'Find-InterestingDomainShareFile', 'Find-InterestingFile' - 'Find-LocalAdminAccess' - 'Find-ManagedSecurityGroups' # - 'Get-ADObject' - 'Get-CachedRDPConnection' - 'Get-DFSshare' # - 'Get-DNSRecord' # - 'Get-DNSZone' # - 'Get-Domain' - 'Get-DomainComputer' - 'Get-DomainController' - 'Get-DomainDFSShare' - 'Get-DomainDNSRecord' # - 'Get-DomainDNSZone' - 'Get-DomainFileServer' - 'Get-DomainForeign' # 'Get-DomainForeignGroupMember', 'Get-DomainForeignUser' - 'Get-DomainGPO' # 'Get-DomainGPOComputerLocalGroupMapping', 'Get-DomainGPOLocalGroup', 'Get-DomainGPOUserLocalGroupMapping' - 'Get-DomainGroup' # 'Get-DomainGroupMember' - 'Get-DomainGUIDMap' - 'Get-DomainManagedSecurityGroup' - 'Get-DomainObject' # 'Get-DomainObjectAcl' - 'Get-DomainOU' - 'Get-DomainPolicy' # 'Get-DomainPolicyData' - 'Get-DomainSID' - 'Get-DomainSite' - 'Get-DomainSPNTicket' - 'Get-DomainSubnet' - 'Get-DomainTrust' # 'Get-DomainTrustMapping' # - 'Get-DomainUser' - 'Get-DomainUserEvent' # - 'Get-Forest' - 'Get-ForestDomain' - 'Get-ForestGlobalCatalog' - 'Get-ForestTrust' - 'Get-GptTmpl' - 'Get-GroupsXML' # - 'Get-GUIDMap' # - 'Get-IniContent' # - 'Get-IPAddress' - 'Get-LastLoggedOn' - 'Get-LoggedOnLocal' - 'Get-NetComputer' # 'Get-NetComputerSiteName' - 'Get-NetDomain' # 'Get-NetDomainController', 'Get-NetDomainTrust' - 'Get-NetFileServer' - 'Get-NetForest' # 'Get-NetForestCatalog', 'Get-NetForestDomain', 'Get-NetForestTrust' - 'Get-NetGPO' # 'Get-NetGPOGroup' # - 'Get-NetGroup' - 'Get-NetGroupMember' - 'Get-NetLocalGroup' # 'Get-NetLocalGroupMember' - 'Get-NetLoggedon' - 'Get-NetOU' - 'Get-NetProcess' - 'Get-NetRDPSession' - 'Get-NetSession' - 'Get-NetShare' - 'Get-NetSite' - 'Get-NetSubnet' - 'Get-NetUser' # - 'Get-ObjectAcl' - 'Get-PathAcl' - 'Get-PrincipalContext' # - 'Get-Proxy' - 'Get-RegistryMountedDrive' - 'Get-RegLoggedOn' # - 'Get-SiteName' # - 'Get-UserEvent' # - 'Get-WMIProcess' - 'Get-WMIRegCachedRDPConnection' - 'Get-WMIRegLastLoggedOn' - 'Get-WMIRegMountedDrive' - 'Get-WMIRegProxy' - 'Invoke-ACLScanner' - 'Invoke-CheckLocalAdminAccess' - 'Invoke-Kerberoast' - 'Invoke-MapDomainTrust' - 'Invoke-RevertToSelf' - 'Invoke-Sharefinder' - 'Invoke-UserImpersonation' # - 'New-DomainGroup' # - 'New-DomainUser' - 'Remove-DomainObjectAcl' - 'Remove-RemoteConnection' - 'Request-SPNTicket' # - 'Resolve-IPAddress' # - 'Set-ADObject' - 'Set-DomainObject' # - 'Set-DomainUserPassword' - 'Test-AdminAccess' condition: selection falsepositives: - Unknown level: high