HackTool - SharpImpersonation Execution

Rule name: HackTool - SharpImpersonation Execution

Rule type: Standard

Log sources: Windows

MITRE ATT&CK tags:
  • Defense Evasion: Access Token Manipulation - Make and Impersonate Token (T1134.003)
  • Privilege Escalation: Access Token Manipulation - Make and Impersonate Token (T1134.003)
  • Defense Evasion: Access Token Manipulation - Token Impersonation/Theft (T1134.001)
  • Privilege Escalation: Access Token Manipulation - Token Impersonation/Theft (T1134.001)

Severity: Critical

About the rule

Rule Type

Standard

Rule Description

Detects execution of the SharpImpersonation tool, which can be used to manipulate access tokens on a Windows computer, either remotely (PsExec/WmiExec) or interactively.

Severity

Trouble

Rule journey

Attack chain scenario

Initial access → Privilege escalation → Tool deployment → Token impersonation → Remote execution → Lateral movement

Impact

  • Privilege abuse
  • Credential theft
  • Access expansion
  • Stealth persistence

Rule Requirement

Prerequisites

  • Using Windows event viewer:

To enable detailed process auditing, log in to a domain controller with domain admin credentials and open the Group Policy Management Console (GPMC). Create or modify a GPO linked to the relevant OU and navigate to Computer Configuration > Policies > Windows Settings > Security Settings > Advanced Audit Policy Configuration > Audit Policies > Detailed Tracking. Enable Audit Process Creation (and, if you also want end-of-process records, Audit Process Termination) by selecting "Success" in their respective properties. Process creation is then recorded as Event ID 4688 in the Security log; no additional event channel or registry key has to be created for it. By default 4688 does not include the process command line, which the second half of this rule's criteria depends on, so also enable Computer Configuration > Policies > Administrative Templates > System > Audit Process Creation > "Include command line in process creation events". Without that setting a renamed SharpImpersonation binary produces a 4688 event with nothing for the rule to match on.

  • Using Sysmon:

To enable detailed process monitoring, download Sysmon from Microsoft Sysinternals and, from an elevated prompt, install it with a configuration file that contains ProcessCreate rules: sysmon.exe -accepteula -i configfile.xml. The installer registers the Microsoft-Windows-Sysmon/Operational event channel, into which process creations are written as Event ID 1. That event carries Image, OriginalFileName, CommandLine and ParentImage, the fields the rule's criteria use. OriginalFileName comes from the executable's version resource, so it survives a simple rename of the file on disk, which is why the rule checks it alongside the process path.

Criteria

Action1: actionname = "Process started" AND ((PROCESSNAME endswith "\SharpImpersonation.exe" OR ORIGINALFILENAME = "SharpImpersonation.exe") OR (COMMANDLINE contains " user:" AND COMMANDLINE contains " binary:") OR (COMMANDLINE contains " user:" AND COMMANDLINE contains " shellcode:") OR COMMANDLINE contains " technique:CreateProcessAsUserW" OR COMMANDLINE contains " technique:ImpersonateLoggedOnuser") select Action1.HOSTNAME,Action1.MESSAGE,Action1.COMMANDLINE,Action1.FILE_NAME,Action1.PROCESSNAME,Action1.USERNAME,Action1.PARENTPROCESSNAME

Note that the two technique: values are separate alternatives (no real command line contains both literals joined by a comma), and that every process-name and command-line condition is grouped under actionname = "Process started". The command-line conditions deliberately do not require the SharpImpersonation file name, so a renamed binary is still caught by its arguments, provided command-line auditing is enabled.
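The prerequisites above describe the two log sources that feed this rule and the criteria give the matching conditions. The following Python example is added here and is not code from the rule page or from the SharpImpersonation project: it parses constructed Security 4688 and Sysmon Event ID 1 records in their exported XML form, maps their fields onto the column names the criteria use, and applies the criteria. The field names NewProcessName, CommandLine, ParentProcessName (4688) and Image, OriginalFileName, CommandLine, ParentImage (Sysmon) are the real event fields; the events themselves, including the paths, the account CORP\svc-backup and the command lines, are constructed. It also shows why the command-line audit setting matters: the 4688 record without a command line is undetectable once the binary is renamed.

```python
"""Added example, not code from the rule page or the SharpImpersonation project:
applies the rule's criteria to constructed Windows event records.

Inputs are Security 4688 (NewProcessName, CommandLine, ParentProcessName) and
Sysmon event 1 (Image, OriginalFileName, CommandLine, ParentImage) in the XML
form Get-WinEvent exports. Every sample below is constructed."""
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}


def event_xml(event_id, **data):
    """Build a minimal exported-event document (constructed test input only)."""
    body = "".join(f'<Data Name="{k}">{v}</Data>' for k, v in data.items())
    return (f'<Event xmlns="{NS["e"]}"><System><EventID>{event_id}</EventID></System>'
            f'<EventData>{body}</EventData></Event>')


def parse_event(xml_text):
    """Flatten one event into {"EventID": ..., <Data Name>: <text>}."""
    root = ET.fromstring(xml_text)
    rec = {"EventID": root.findtext("e:System/e:EventID", namespaces=NS)}
    for d in root.findall("e:EventData/e:Data", NS):
        rec[d.get("Name")] = d.text or ""
    return rec


def normalize(rec):
    """Map both schemas onto the column names the rule's criteria use."""
    if rec["EventID"] == "4688":
        return {"PROCESSNAME": rec.get("NewProcessName", ""),
                "ORIGINALFILENAME": "",   # 4688 carries no PE version information
                "COMMANDLINE": rec.get("CommandLine", ""),
                "PARENTPROCESSNAME": rec.get("ParentProcessName", "")}
    if rec["EventID"] == "1":
        return {"PROCESSNAME": rec.get("Image", ""),
                "ORIGINALFILENAME": rec.get("OriginalFileName", ""),
                "COMMANDLINE": rec.get("CommandLine", ""),
                "PARENTPROCESSNAME": rec.get("ParentImage", "")}
    return None   # not a process-creation event; the rule never looks at it


def matches_sharpimpersonation(ev):
    """The rule's two branches with their grouping explicit: file-name branch
    OR argument branch. Matching is case-insensitive, as in the Sigma rule
    this page is derived from."""
    image = ev["PROCESSNAME"].lower()
    orig = ev["ORIGINALFILENAME"].lower()
    cli = ev["COMMANDLINE"].lower()
    by_name = image.endswith("\\sharpimpersonation.exe") or orig == "sharpimpersonation.exe"
    by_args = ((" user:" in cli and " binary:" in cli)
               or (" user:" in cli and " shellcode:" in cli)
               or " technique:createprocessasuserw" in cli
               or " technique:impersonateloggedonuser" in cli)
    return by_name or by_args


CMD = r"C:\Windows\System32\cmd.exe"
SAMPLES = {
    # Sysmon 1: tool run under its own name; the file-name branch fires.
    "sysmon_named": event_xml(1, Image=r"C:\Users\dev\Downloads\SharpImpersonation.exe",
                              OriginalFileName="SharpImpersonation.exe",
                              CommandLine="SharpImpersonation.exe list", ParentImage=CMD),
    # Sysmon 1: binary renamed and version resource rewritten; only the arguments remain.
    "sysmon_renamed_technique": event_xml(1, Image=r"C:\Temp\si.exe", OriginalFileName="si.exe",
                                          CommandLine=r"si.exe user:CORP\svc-backup technique:ImpersonateLoggedOnuser",
                                          ParentImage=CMD),
    # 4688 with command-line auditing on: renamed binary, user:/binary: arguments; argument branch fires.
    "s4688_renamed_with_cli": event_xml(4688, NewProcessName=r"C:\Temp\svc.exe",
                                        CommandLine=r"svc.exe user:CORP\svc-backup binary:C:\Temp\payload.exe",
                                        ParentProcessName=CMD),
    # 4688 without command-line auditing: same process, nothing left to match on.
    "s4688_renamed_no_cli": event_xml(4688, NewProcessName=r"C:\Temp\svc.exe", CommandLine="",
                                      ParentProcessName=CMD),
    # Ordinary service host: must not fire.
    "benign": event_xml(4688, NewProcessName=r"C:\Windows\System32\svchost.exe",
                        CommandLine=r"C:\Windows\System32\svchost.exe -k netsvcs -p",
                        ParentProcessName=r"C:\Windows\System32\services.exe"),
}


def alerts(samples=SAMPLES):
    """Names of the samples that satisfy the rule, in input order."""
    hits = []
    for name, xml_text in samples.items():
        ev = normalize(parse_event(xml_text))
        if ev is not None and matches_sharpimpersonation(ev):
            hits.append(name)
    return hits


if __name__ == "__main__":
    print(alerts())
```

To run it against real events, feed the string returned by an EventLogRecord's ToXml() method (Get-WinEvent) to parse_event. String matching here is case-insensitive, following Sigma semantics; confirm how your SIEM's contains and endswith operators treat case before treating the two as equivalent.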

Detection

Execution Mode

realtime

Log Sources

Windows

Security Standards

Enabling this rule will help you meet the requirements of the security standards (NIST SP 800-53 controls) listed below:

  • AC-2: Account Management
    Controls the creation, use, and monitoring of user accounts.
    Triggering this rule helps detect unauthorized impersonation attempts using valid accounts, enforcing oversight on account usage.
  • AC-6: Least Privilege
    Ensures users operate with the minimum necessary access.
    Triggering this rule identifies privilege escalation or token manipulation attempts, enforcing least privilege policies.
  • AU-6: Audit Review, Analysis, and Reporting
    Requires organizations to analyze and respond to audit logs.
    Triggering this rule provides visibility into suspicious impersonation activity, supporting timely audit log analysis.
  • SI-4: System Monitoring
    Calls for continuous monitoring to detect and respond to incidents.
    Triggering this rule supports real-time detection of impersonation techniques, enhancing threat monitoring capabilities.
  • IR-5: Incident Monitoring
    Requires tracking and monitoring of incident-related data.
    Triggering this rule captures indicators of potential incidents, aiding in early detection and incident tracking.
  • SC-7: Boundary Protection
    Focuses on monitoring and controlling communications at system boundaries.
    Triggering this rule flags lateral movement through remote token manipulation, strengthening internal boundary defense.

Author

Sai Prashanth Pulisetti @pulisettis, Nasreddine Bencherchali (Nextron Systems)

Future actions

Known False Positives

This rule will be triggered when legitimate red team activities or internal penetration tests involve SharpImpersonation for simulation purposes. It may also alert during authorized security tool evaluations that replicate token manipulation behavior.

Next Steps

When this rule is triggered, the following measures can be implemented:

  1. Identification: Identify if the flagged event is a new incident or part of an existing incident.
  2. Analysis: Analyze the impact and extent of the incident to comprehend the severity of the attack using the Incident Workbench.
  3. Response: Respond promptly by initiating an automated workflow that cuts the host's network connections and terminates the malicious process.
  4. Containment: Isolate the affected system to prevent lateral movement or privilege escalation across the network.
  5. Eradication: Remove the malicious tool and any associated artifacts, and revoke any compromised tokens or credentials.

Mitigation

M1026: Privileged Account Management

Limit permissions so that users and user groups cannot create tokens. This setting should be defined for the local system account only. GPO: Computer Configuration > [Policies] > Windows Settings > Security Settings > Local Policies > User Rights Assignment: Create a token object. Also define who can create a process level token, restricting it to the local and network service accounts, through GPO: Computer Configuration > [Policies] > Windows Settings > Security Settings > Local Policies > User Rights Assignment: Replace a process level token. Administrators should log in as a standard user but run their tools with administrator privileges using the built-in access token manipulation command runas.

M1018: User Account Management

An adversary must already have administrator level access on the local system to make full use of this technique; make sure to restrict users and accounts to the least privileges they require.
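The Privileged Account Management mitigation names the two user rights to restrict ("Create a token object", i.e. SeCreateTokenPrivilege, and "Replace a process level token", i.e. SeAssignPrimaryTokenPrivilege) but not how to verify a host actually complies. The following Python example is added here and is not from the rule page, the ATT&CK mitigation text or any product: it reads a local security policy export and reports every account holding either right beyond the set the mitigation allows. It assumes the export was produced with secedit /export /cfg <file>, which writes a [Privilege Rights] section with one line per right and SIDs prefixed by "*"; SAMPLE_EXPORT is constructed, and S-1-5-21-111-222-333-1104 is a fake domain SID.

```python
"""Added example (not from the rule page, the ATT&CK mitigation text or any
product): checks a secedit export for accounts holding the two token-related
user rights that M1026 says to restrict.

Assumptions: the export comes from `secedit /export /cfg <file>`, which writes
a [Privilege Rights] section with one line per right and SIDs prefixed by "*";
SAMPLE_EXPORT below is constructed (S-1-5-21-111-222-333-1104 is a fake SID)."""

# Right constant -> holders the mitigation text treats as acceptable.
EXPECTED_HOLDERS = {
    "SeCreateTokenPrivilege": {"S-1-5-18"},                      # "Create a token object": SYSTEM only
    "SeAssignPrimaryTokenPrivilege": {"S-1-5-19", "S-1-5-20"},   # "Replace a process level token"
}

WELL_KNOWN_SIDS = {
    "S-1-5-18": r"NT AUTHORITY\SYSTEM",
    "S-1-5-19": r"NT AUTHORITY\LOCAL SERVICE",
    "S-1-5-20": r"NT AUTHORITY\NETWORK SERVICE",
    "S-1-5-32-544": r"BUILTIN\Administrators",
}


def parse_privilege_rights(export_text):
    """Return {right: set(holders)} from the [Privilege Rights] section.
    Holders are SIDs with the leading "*" stripped; names secedit could not
    resolve to a SID are written without "*" and are kept as-is."""
    rights, section = {}, None
    for raw in export_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
            continue
        if section != "Privilege Rights" or "=" not in line:
            continue
        name, _, value = line.partition("=")
        rights[name.strip()] = {h.strip().lstrip("*") for h in value.split(",") if h.strip()}
    return rights


def token_right_deviations(export_text, expected=EXPECTED_HOLDERS):
    """Return {right: [holders beyond the expected set]} for the two rights.
    An empty dict means the host matches the mitigation."""
    rights = parse_privilege_rights(export_text)
    deviations = {}
    for right, allowed in expected.items():
        extra = rights.get(right, set()) - allowed
        if extra:
            deviations[right] = sorted(WELL_KNOWN_SIDS.get(sid, sid) for sid in extra)
    return deviations


# Constructed export: a domain account was granted "Create a token object" and
# local Administrators were added to "Replace a process level token".
SAMPLE_EXPORT = """[Unicode]
Unicode=yes
[Privilege Rights]
SeCreateTokenPrivilege = *S-1-5-18,*S-1-5-21-111-222-333-1104
SeAssignPrimaryTokenPrivilege = *S-1-5-19,*S-1-5-20,*S-1-5-32-544
SeDebugPrivilege = *S-1-5-32-544
[Version]
signature="$CHICAGO$"
Revision=1
"""

if __name__ == "__main__":
    for right, extra in token_right_deviations(SAMPLE_EXPORT).items():
        print(f"{right}: unexpected holders {', '.join(extra)}")
```

Real secedit exports are UTF-16 encoded, so open them with encoding="utf-16" before passing the text in. A right that is absent from the section has no holders at all, which the check treats as compliant; if your baseline expects SYSTEM to hold "Create a token object" explicitly, compare against the full expected set rather than only flagging extras.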