HackTool - SharpMove Tool Execution

Last updated on:

Rule name: HackTool - SharpMove Tool Execution

Rule type: Standard

Log sources: Windows

MITRE ATT&CK tags: Lateral Movement: Remote Services - SMB/Windows Admin Shares (T1021.002)

Severity: Critical

About the rule

Rule Type

Standard

Rule Description

Detects the execution of SharpMove, a .NET utility that performs several lateral-movement tasks, such as scheduled task creation, SCM queries and VBScript execution through WMI, by matching its PE metadata (original file name) and its command-line options.

Severity

Trouble

Rule journey

Attack chain scenario

Initial access → Privilege escalation → SharpMove deployment → Task creation → WMI execution → Service manipulation

Impact

  • Remote execution
  • Service abuse
  • Privilege escalation
  • Evasion tactics

Rule Requirement

Prerequisites

  • Using Windows event viewer:

To enable detailed process tracking, log in to a domain controller using domain admin credentials and open the Group Policy Management Console (GPMC) by running gpmc.msc. Create a new GPO or modify an existing one linked to the relevant OU, then navigate to Advanced Audit Policy Configuration under Computer Configuration. Enable both Audit Process Creation and Audit Process Termination by selecting the Success option. For enhanced visibility, enable the Include command line in process creation events policy, and ensure the registry key Microsoft-Windows-Security-Auditing/Operational exists at HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\.

  • Using Sysmon:

Download and install Sysmon from Microsoft Sysinternals, then open a Command Prompt with administrator privileges. Use a configuration file that includes process creation monitoring and install it using sysmon.exe -i [configfile.xml]. Ensure your config captures all process creation events, and create the Microsoft-Windows-Sysmon/Operational registry key under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\ if it doesn't already exist.

Criteria

Action1: actionname = "Process started" AND ((PROCESSNAME endswith "\SharpMove.exe" OR ORIGINALFILENAME = "SharpMove.exe") OR (COMMANDLINE contains "computername=" AND (COMMANDLINE contains "action=create" OR COMMANDLINE contains "action=dcom" OR COMMANDLINE contains "action=executevbs" OR COMMANDLINE contains "action=hijackdcom" OR COMMANDLINE contains "action=modschtask" OR COMMANDLINE contains "action=modsvc" OR COMMANDLINE contains "action=query" OR COMMANDLINE contains "action=scm" OR COMMANDLINE contains "action=startservice" OR COMMANDLINE contains "action=taskscheduler"))) select Action1.HOSTNAME,Action1.MESSAGE,Action1.COMMANDLINE,Action1.FILE_NAME,Action1.PROCESSNAME,Action1.USERNAME,Action1.PARENTPROCESSNAME
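The following Python script is an added example, not code from the rule page or its vendor, that applies the criteria above to Sysmon Event ID 1 (process creation) records. It treats the list of action values as alternatives (any single "action=" value together with "computername=" matches), maps the Sysmon fields Image, OriginalFileName, CommandLine, ParentImage and User onto the rule's field names, and compares case-insensitively; that field mapping and the case handling are assumptions, and all six events are constructed samples rather than real log data.

```python
"""Added example: apply the SharpMove process-creation criteria to Sysmon
Event ID 1 records.  Every event below is a constructed sample."""
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

# Command-line markers from the rule's Criteria; any one of them counts.
SHARPMOVE_ACTIONS = (
    "action=create", "action=dcom", "action=executevbs", "action=hijackdcom",
    "action=modschtask", "action=modsvc", "action=query", "action=scm",
    "action=startservice", "action=taskscheduler",
)
NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}


def parse_sysmon_event(xml_text):
    """Map a Sysmon event onto the field names the rule uses (assumed mapping)."""
    root = ET.fromstring(xml_text)
    event_id = int(root.findtext("e:System/e:EventID", namespaces=NS))
    data = {d.get("Name"): (d.text or "")
            for d in root.findall("e:EventData/e:Data", NS)}
    return {
        # Sysmon Event ID 1 is process creation, the rule's "Process started".
        "actionname": "Process started" if event_id == 1 else "other",
        "HOSTNAME": root.findtext("e:System/e:Computer", namespaces=NS),
        "PROCESSNAME": data.get("Image", ""),
        "ORIGINALFILENAME": data.get("OriginalFileName", ""),
        "COMMANDLINE": data.get("CommandLine", ""),
        "USERNAME": data.get("User", ""),
        "PARENTPROCESSNAME": data.get("ParentImage", ""),
    }


def matches_sharpmove_rule(ev):
    """Criteria: process start AND (image/PE-metadata match OR command-line match).
    Comparisons are case-insensitive (assumption; the page does not say)."""
    if ev["actionname"] != "Process started":
        return False
    cmd = ev["COMMANDLINE"].lower()
    by_image = (ev["PROCESSNAME"].lower().endswith("\\sharpmove.exe")
                or ev["ORIGINALFILENAME"].lower() == "sharpmove.exe")
    by_cli = ("computername=" in cmd
              and any(action in cmd for action in SHARPMOVE_ACTIONS))
    return by_image or by_cli


def run_rule(events):
    """Return the selected fields for every matching event (the rule's select clause)."""
    keep = ("HOSTNAME", "COMMANDLINE", "PROCESSNAME", "USERNAME", "PARENTPROCESSNAME")
    return [{k: ev[k] for k in keep} for ev in events if matches_sharpmove_rule(ev)]


def sysmon_xml(event_id, computer, image, original, cmdline, parent, user):
    """Build a minimal Sysmon-style record (constructed sample, not a real log)."""
    fields = {"Image": image, "OriginalFileName": original,
              "CommandLine": cmdline, "ParentImage": parent, "User": user}
    data = "".join(f'<Data Name="{k}">{escape(v)}</Data>' for k, v in fields.items())
    return (f'<Event xmlns="{NS["e"]}"><System><EventID>{event_id}</EventID>'
            f'<Computer>{escape(computer)}</Computer></System>'
            f'<EventData>{data}</EventData></Event>')


SAMPLE_EVENTS = [
    # 1. Unrenamed binary: caught by the PROCESSNAME suffix.
    sysmon_xml(1, "WS01.corp.local", r"C:\Users\alice\Downloads\SharpMove.exe",
               "SharpMove.exe", "SharpMove.exe action=query computername=FS01",
               r"C:\Windows\System32\cmd.exe", r"CORP\alice"),
    # 2. Renamed on disk but PE metadata untouched: caught by ORIGINALFILENAME.
    sysmon_xml(1, "WS01.corp.local", r"C:\Temp\update.exe", "SharpMove.exe",
               "update.exe", r"C:\Windows\explorer.exe", r"CORP\alice"),
    # 3. Renamed and metadata stripped: caught by the command-line pattern.
    sysmon_xml(1, "WS02.corp.local", r"C:\Temp\u.exe", "u.exe",
               "u.exe computername=FS01 action=modsvc command=calc.exe",
               r"C:\Windows\System32\cmd.exe", r"CORP\bob"),
    # 4. Benign process: no match.
    sysmon_xml(1, "WS03.corp.local", r"C:\Windows\System32\notepad.exe",
               "NOTEPAD.EXE", "notepad.exe report.txt",
               r"C:\Windows\explorer.exe", r"CORP\carol"),
    # 5. "computername=" without any SharpMove action value: no match.
    sysmon_xml(1, "WS03.corp.local", r"C:\Tools\inventory.exe", "inventory.exe",
               "inventory.exe computername=FS01 action=listdisks",
               r"C:\Windows\System32\cmd.exe", r"CORP\carol"),
    # 6. Same binary as #1 but a network-connect event (ID 3): actionname guard.
    sysmon_xml(3, "WS01.corp.local", r"C:\Users\alice\Downloads\SharpMove.exe",
               "SharpMove.exe", "", "", r"CORP\alice"),
]


def evaluate_sample_events():
    """Run the rule over the constructed samples; events 1, 2 and 3 should hit."""
    return run_rule(parse_sysmon_event(x) for x in SAMPLE_EVENTS)


if __name__ == "__main__":
    for hit in evaluate_sample_events():
        print(hit)
```

Samples 2 and 3 are the ones worth noting when tuning: the ORIGINALFILENAME clause survives a rename of the binary on disk, and the command-line clause survives a stripped PE header as long as the operator keeps SharpMove's argument syntax. For Security log 4688 events the same function applies once NewProcessName, CommandLine and ParentProcessName are mapped onto the rule's fields.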

Detection

Execution Mode

realtime

Log Sources

Windows

MITRE ATT&CK

Lateral Movement: Remote Services - SMB/Windows Admin Shares (T1021.002)

Security Standards

Enabling this rule will help you meet the requirements of the security standards listed below:

1. NIST SP 800-53 – SI-4: System Monitoring

Requires continuous monitoring to detect unauthorized access or malicious activity.
Triggering this rule helps detect malicious use of SharpMove for remote task creation, service manipulation, or script execution, enhancing real-time system monitoring.

2. NIST SP 800-53 – AU-6: Audit Review, Analysis, and Reporting

Calls for the analysis of audit logs to detect suspicious activity.
Triggering this rule produces actionable audit data for SharpMove usage, supporting effective log analysis and early threat identification.

3. NIST SP 800-53 – AC-6: Least Privilege

Requires restricting access to the minimum level necessary to perform duties.
Triggering this rule flags attempts to abuse administrative functions like scm, modsvc, or taskscheduler, helping enforce least privilege principles.

4. NIST SP 800-53 – IR-5: Incident Monitoring

Involves tracking indicators of compromise and unusual behavior for ongoing incidents.
Triggering this rule surfaces attacker techniques used during post-exploitation, aiding in continuous incident tracking and containment.

5. NIST SP 800-171 – 3.3.1: Generate Audit Records

Requires generating and retaining logs for security-relevant activities.
Triggering this rule ensures SharpMove activity is captured and logged, maintaining audit record completeness and integrity.

6. NIST CSF – DE.CM-1: Detect Anomalies and Events

Calls for detection of deviations from normal operations to identify security events.
Triggering this rule identifies anomalous command-line actions linked to SharpMove, supporting behavioral threat detection.

Author

Luca Di Bartolomeo (CrimpSec)

Future actions

Known False Positives

This rule will be triggered if SharpMove is executed during authorized red team exercises or internal security testing. It may also result in false positives if administrators run similarly named tools or scripts that mimic SharpMove’s command-line patterns for automation or diagnostics.

Next Steps

When this rule is triggered, the following measures can be implemented:

  1. Identification: Identify if the flagged event is a new incident or part of an existing incident.
  2. Analysis: Analyze the impact and extent of the incident to comprehend the severity of the attack using the Incident Workbench.
  3. Response: Respond promptly by initiating an automated workflow to interrupt the network connections and terminate the malicious process.
  4. Containment: Isolate the affected host to prevent further remote task execution or service manipulation.
  5. Remediation: Remove the SharpMove binary, review executed commands, and reset any compromised accounts or modified services.

Mitigation

Mitigation ID, name and description:

  • M1037, Filter Network Traffic: Consider configuring the host firewall to limit file-sharing protocols like SMB. (Citation: Microsoft Preventing SMB)
  • M1035, Limit Access to Resource Over Network: Consider disabling Windows administrative shares.
  • M1027, Password Policies: Avoid using the same local administrator account passwords across multiple systems. Ensure each password is strong, unique, and difficult to crack or guess.
  • M1026, Privileged Account Management: Prevent the remote use of local administrator credentials for system logins. Avoid adding domain user accounts to the local Administrators group on multiple systems.