title: Suspicious Execution of SharpView Aka PowerView
id: b2317cfa-4a47-4ead-b3ff-297438c0bc2d
status: experimental
description: Adversaries may look for details about the network configuration and settings of systems they access or through information discovery of remote systems
author: frack113
references:
    - https://github.com/tevora-threat/SharpView/
    - https://github.com/PowerShellMafia/PowerSploit/blob/dev/Recon/PowerView.ps1
    - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1049/T1049.md#atomic-test-4---system-discovery-using-sharpview
date: 2021/12/10
logsource:
    category: process_creation
    product: windows
detection:
    sharpview:
        OriginalFileName: SharpView.exe
    sharpview_methods:
        # Field name is case-sensitive in Sigma: the process_creation field is CommandLine
        CommandLine|contains:
            - Get-DomainGPOUserLocalGroupMapping
            - Find-GPOLocation
            - Get-DomainGPOComputerLocalGroupMapping
            - Find-GPOComputerAdmin
            - Get-DomainObjectAcl
            - Get-ObjectAcl
            - Add-DomainObjectAcl
            - Add-ObjectAcl
            - Remove-DomainObjectAcl
            - Get-RegLoggedOn
            - Get-LoggedOnLocal
            - Get-NetRDPSession
            - Test-AdminAccess
            - Invoke-CheckLocalAdminAccess
            - Get-WMIProcess
            - Get-NetProcess
            - Get-WMIRegProxy
            - Get-Proxy
            - Get-WMIRegLastLoggedOn
            - Get-LastLoggedOn
            - Get-WMIRegCachedRDPConnection
            - Get-CachedRDPConnection
            - Get-WMIRegMountedDrive
            - Get-RegistryMountedDrive
            - Find-InterestingDomainAcl
            - Invoke-ACLScanner
            - Get-NetShare
            - Get-NetLoggedon
            - Get-NetLocalGroup
            - Get-NetLocalGroupMember
            - Get-NetSession
            - Get-PathAcl
            - ConvertFrom-UACValue
            - Get-PrincipalContext
            - New-DomainGroup
            - New-DomainUser
            - Add-DomainGroupMember
            - Set-DomainUserPassword
            - Invoke-Kerberoast
            - Export-PowerViewCSV
            - Find-LocalAdminAccess
            - Find-DomainLocalGroupMember
            - Find-DomainShare
            - Find-DomainUserEvent
            - Find-DomainProcess
            - Find-DomainUserLocation
            - Find-InterestingFile
            - Find-InterestingDomainShareFile
            - Find-DomainObjectPropertyOutlier
            - TestMethod
            - Get-Domain
            - Get-NetDomain
            - Get-DomainComputer
            - Get-NetComputer
            - Get-DomainController
            - Get-NetDomainController
            - Get-DomainFileServer
            - Get-NetFileServer
            - Convert-ADName
            - Get-DomainObject
            - Get-ADObject
            - Get-DomainUser
            - Get-NetUser
            - Get-DomainGroup
            - Get-NetGroup
            - Get-DomainDFSShare
            - Get-DFSshare
            - Get-DomainDNSRecord
            - Get-DNSRecord
            - Get-DomainDNSZone
            - Get-DNSZone
            - Get-DomainForeignGroupMember
            - Find-ForeignGroup
            - Get-DomainForeignUser
            - Find-ForeignUser
            - ConvertFrom-SID
            - Convert-SidToName
            - Get-DomainGroupMember
            - Get-NetGroupMember
            - Get-DomainManagedSecurityGroup
            - Find-ManagedSecurityGroups
            - Get-DomainOU
            - Get-NetOU
            - Get-DomainSID
            - Get-Forest
            - Get-NetForest
            - Get-ForestTrust
            - Get-NetForestTrust
            - Get-DomainTrust
            - Get-NetDomainTrust
            - Get-ForestDomain
            - Get-NetForestDomain
            - Get-DomainSite
            - Get-NetSite
            - Get-DomainSubnet
            - Get-NetSubnet
            - Get-DomainTrustMapping
            - Invoke-MapDomainTrust
            - Get-ForestGlobalCatalog
            - Get-NetForestCatalog
            - Get-DomainUserEvent
            - Get-UserEvent
            - Get-DomainGUIDMap
            - Get-GUIDMap
            - Resolve-IPAddress
            - Get-IPAddress
            - ConvertTo-SID
            - Invoke-UserImpersonation
            - Invoke-RevertToSelf
            - Get-DomainSPNTicket
            - Request-SPNTicket
            - Get-NetComputerSiteName
            - Get-SiteName
            - Get-DomainGPO
            - Get-NetGPO
            - Set-DomainObject
            - Set-ADObject
            - Add-RemoteConnection
            - Remove-RemoteConnection
            - Get-IniContent
            - Get-GptTmpl
            - Get-GroupsXML
            - Get-DomainPolicyData
            - Get-DomainPolicy
            - Get-DomainGPOLocalGroup
            - Get-NetGPOGroup
    condition: sharpview or sharpview_methods
falsepositives:
    - Unknown
level: high
tags:
    - attack.discovery
    - attack.t1049
    - attack.t1069.002
    - attack.t1482
    - attack.t1135
    - attack.t1033
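The following Python script is an added example, not part of the Sigma rule above nor of the SharpView or PowerView projects. It re-implements the rule's two selections (OriginalFileName equal to SharpView.exe, or the command line containing any of the listed method names, combined with OR) and runs them over a handful of constructed process_creation events. It assumes Sigma's default string semantics (case-insensitive comparison, `contains` as plain substring match) and uses only a subset of the rule's method list to keep the block short; the sample events, image paths and command lines are constructed for illustration.

```python
"""
Added example: evaluate the SharpView/PowerView Sigma rule's detection logic
against constructed Windows process_creation events.

Assumed Sigma semantics: field values are compared case-insensitively, and a
`field|contains` selection with a list matches when ANY listed value is a
substring of the field. The two selections are combined with OR, as in the
rule's condition `sharpview or sharpview_methods`.
"""
from typing import Dict, List

# Subset of the rule's sharpview_methods list (the full rule carries ~150 names).
SHARPVIEW_METHODS = [
    "Get-DomainUser", "Get-NetUser", "Get-NetSession", "Get-NetShare",
    "Get-NetDomain", "Find-LocalAdminAccess", "Invoke-Kerberoast",
    "Get-DomainTrust", "Get-DomainGPO", "Get-ObjectAcl", "Get-NetProcess",
]


def matched_methods(command_line: str) -> List[str]:
    """Return every listed method name that appears (case-insensitively) in the command line."""
    cl = command_line.lower()
    return [m for m in SHARPVIEW_METHODS if m.lower() in cl]


def evaluate(event: Dict[str, str]) -> List[str]:
    """Return the names of the rule's selections that the event satisfies.

    An empty list means the rule does not fire for this event.
    """
    hits: List[str] = []
    # Selection `sharpview`: PE version-info original name survives a renamed binary.
    if event.get("OriginalFileName", "").lower() == "sharpview.exe":
        hits.append("sharpview")
    # Selection `sharpview_methods`: any PowerView/SharpView method name on the command line.
    if matched_methods(event.get("CommandLine", "")):
        hits.append("sharpview_methods")
    return hits


# Constructed sample events (not real telemetry). Field names follow the
# Sigma process_creation taxonomy used by the rule.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {   # renamed SharpView binary: caught by OriginalFileName and by the method name
        "Image": r"C:\Users\bob\Downloads\sv.exe",
        "OriginalFileName": "SharpView.exe",
        "CommandLine": "sv.exe Get-NetDomain",
    },
    {   # PowerView loaded into PowerShell: only the method-name selection fires
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "OriginalFileName": "PowerShell.EXE",
        "CommandLine": 'powershell.exe -nop -c "Get-NetSession -ComputerName DC01"',
    },
    {   # benign PowerShell: Get-Process is not a substring of Get-NetProcess
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "OriginalFileName": "PowerShell.EXE",
        "CommandLine": 'powershell.exe -c "Get-Process | Sort-Object CPU"',
    },
    {   # unrelated system process
        "Image": r"C:\Windows\System32\svchost.exe",
        "OriginalFileName": "svchost.exe",
        "CommandLine": "svchost.exe -k netsvcs",
    },
]


def alerts(events: List[Dict[str, str]]) -> List[Dict[str, object]]:
    """Run the rule over a list of events and return one alert record per firing event."""
    out = []
    for e in events:
        selections = evaluate(e)
        if selections:
            out.append({
                "image": e["Image"],
                "selections": selections,
                "methods": matched_methods(e.get("CommandLine", "")),
            })
    return out


if __name__ == "__main__":
    for a in alerts(SAMPLE_EVENTS):
        print(f"ALERT {a['image']}: {a['selections']} methods={a['methods']}")
```

Two properties of the rule stand out when it is run this way: the `OriginalFileName` selection still fires when the binary on disk has been renamed, because it reads the PE version resource rather than the file name; and because `contains` is substring matching, short entries such as `Get-Domain` also cover every longer method name that starts with them, which broadens coverage but is one reason the rule's false-positive rate is listed as unknown.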