security-tools/blue-team-tools
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
e91fc4486e57fc40e30d12253694de4c80a9e4ea
blue-team-tools/rules/windows/process_creation/proc_creation_win_susp_sharpview.yml
T

155 lines
5.0 KiB
YAML
Raw Blame History

title: Suspicious Execution of SharpView Aka PowerView
id: b2317cfa-4a47-4ead-b3ff-297438c0bc2d
status: experimental
description: Adversaries may look for details about the network configuration and settings of systems they access or through information discovery of remote systems
author: frack113
references:
- https://github.com/tevora-threat/SharpView/
- https://github.com/PowerShellMafia/PowerSploit/blob/dev/Recon/PowerView.ps1
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1049/T1049.md#atomic-test-4---system-discovery-using-sharpview
date: 2021/12/10
logsource:
category: process_creation
product: windows
detection:
sharpview:
OriginalFileName: SharpView.exe
sharpview_methods:
Commandline|contains:
- Get-DomainGPOUserLocalGroupMapping
- Find-GPOLocation
- Get-DomainGPOComputerLocalGroupMapping
- Find-GPOComputerAdmin
- Get-DomainObjectAcl
- Get-ObjectAcl
- Add-DomainObjectAcl
- Add-ObjectAcl
- Remove-DomainObjectAcl
- Get-RegLoggedOn
- Get-LoggedOnLocal
- Get-NetRDPSession
- Test-AdminAccess
- Invoke-CheckLocalAdminAccess
- Get-WMIProcess
- Get-NetProcess
- Get-WMIRegProxy
- Get-Proxy
- Get-WMIRegLastLoggedOn
- Get-LastLoggedOn
- Get-WMIRegCachedRDPConnection
- Get-CachedRDPConnection
- Get-WMIRegMountedDrive
- Get-RegistryMountedDrive
- Find-InterestingDomainAcl
- Invoke-ACLScanner
- Get-NetShare
- Get-NetLoggedon
- Get-NetLocalGroup
- Get-NetLocalGroupMember
- Get-NetSession
- Get-PathAcl
- ConvertFrom-UACValue
- Get-PrincipalContext
- New-DomainGroup
- New-DomainUser
- Add-DomainGroupMember
- Set-DomainUserPassword
- Invoke-Kerberoast
- Export-PowerViewCSV
- Find-LocalAdminAccess
- Find-DomainLocalGroupMember
- Find-DomainShare
- Find-DomainUserEvent
- Find-DomainProcess
- Find-DomainUserLocation
- Find-InterestingFile
- Find-InterestingDomainShareFile
- Find-DomainObjectPropertyOutlier
- TestMethod
- Get-Domain
- Get-NetDomain
- Get-DomainComputer
- Get-NetComputer
- Get-DomainController
- Get-NetDomainController
- Get-DomainFileServer
- Get-NetFileServer
- Convert-ADName
- Get-DomainObject
- Get-ADObject
- Get-DomainUser
- Get-NetUser
- Get-DomainGroup
- Get-NetGroup
- Get-DomainDFSShare
- Get-DFSshare
- Get-DomainDNSRecord
- Get-DNSRecord
- Get-DomainDNSZone
- Get-DNSZone
- Get-DomainForeignGroupMember
- Find-ForeignGroup
- Get-DomainForeignUser
- Find-ForeignUser
- ConvertFrom-SID
- Convert-SidToName
- Get-DomainGroupMember
- Get-NetGroupMember
- Get-DomainManagedSecurityGroup
- Find-ManagedSecurityGroups
- Get-DomainOU
- Get-NetOU
- Get-DomainSID
- Get-Forest
- Get-NetForest
- Get-ForestTrust
- Get-NetForestTrust
- Get-DomainTrust
- Get-NetDomainTrust
- Get-ForestDomain
- Get-NetForestDomain
- Get-DomainSite
- Get-NetSite
- Get-DomainSubnet
- Get-NetSubnet
- Get-DomainTrustMapping
- Invoke-MapDomainTrust
- Get-ForestGlobalCatalog
- Get-NetForestCatalog
- Get-DomainUserEvent
- Get-UserEvent
- Get-DomainGUIDMap
- Get-GUIDMap
- Resolve-IPAddress
- Get-IPAddress
- ConvertTo-SID
- Invoke-UserImpersonation
- Invoke-RevertToSelf
- Get-DomainSPNTicket
- Request-SPNTicket
- Get-NetComputerSiteName
- Get-SiteName
- Get-DomainGPO
- Get-NetGPO
- Set-DomainObject
- Set-ADObject
- Add-RemoteConnection
- Remove-RemoteConnection
- Get-IniContent
- Get-GptTmpl
- Get-GroupsXML
- Get-DomainPolicyData
- Get-DomainPolicy
- Get-DomainGPOLocalGroup
- Get-NetGPOGroup
condition: sharpview or sharpview_methods
falsepositives:
- Unknown
level: high
tags:
- attack.discovery
- attack.t1049
- attack.t1069.002
- attack.t1482
- attack.t1135
- attack.t1033
Reference in New Issue View Git Blame Copy Permalink