frack113
41 lines
1.1 KiB
YAML
41 lines
1.1 KiB
YAML
title: SharPersist Usage
|
|
id: 26488ad0-f9fd-4536-876f-52fea846a2e4
|
|
status: experimental
|
|
description: Detects the execution of the hacktool SharPersist - used to deploy various different kinds of persistence mechanisms
|
|
references:
|
|
- https://www.mandiant.com/resources/blog/sharpersist-windows-persistence-toolkit
|
|
- https://github.com/mandiant/SharPersist
|
|
author: Florian Roth
|
|
date: 2022/09/15
|
|
tags:
|
|
- attack.persistence
|
|
- attack.t1053
|
|
logsource:
|
|
category: process_creation
|
|
product: windows
|
|
detection:
|
|
selection1:
|
|
Image|endswith: '\SharPersist.exe'
|
|
selection2:
|
|
Product: 'SharPersist'
|
|
selection3:
|
|
CommandLine|contains:
|
|
- ' -t schtask -c '
|
|
- ' -t startupfolder -c '
|
|
selection4:
|
|
CommandLine|contains|all:
|
|
- ' -t reg -c '
|
|
- ' -m add'
|
|
selection5:
|
|
CommandLine|contains|all:
|
|
- ' -t service -c '
|
|
- ' -m add'
|
|
selection6:
|
|
CommandLine|contains|all:
|
|
- ' -t schtask -c '
|
|
- ' -m add'
|
|
condition: 1 of selection*
|
|
falsepositives:
|
|
- Unknown
|
|
level: high
|