HackTool - SharpUp PrivEsc Tool Execution
| Rule name | Rule type | Log sources | MITRE ATT&CK tags | Severity |
| --- | --- | --- | --- | --- |
| HackTool - SharpUp PrivEsc Tool Execution | Standard | Windows | Discovery: Group Policy Discovery (T1615); Execution: System Services - Service Execution (T1569.002); Defense Evasion: Hijack Execution Flow - Executable Installer File Permissions Weakness (T1574.005); Persistence: Hijack Execution Flow - Executable Installer File Permissions Weakness (T1574.005); Privilege Escalation: Hijack Execution Flow - Executable Installer File Permissions Weakness (T1574.005) | Critical |
About the rule
Rule Type
Standard
Rule Description
Detects the use of SharpUp, a tool for local privilege escalation
Severity
Critical
Rule journey
Attack chain scenario
Initial access → Local enumeration → SharpUp deployment → Privilege discovery → Exploit execution → Privilege escalation
Impact
- Privilege escalation
- System compromise
- Access expansion
- Lateral movement
Rule Requirement
Prerequisites
- Using Windows event viewer:
To enable detailed process tracking, log in to the domain controller with domain admin credentials and open the Group Policy Management Console (GPMC). Create or edit a GPO linked to the appropriate OU and navigate to the Audit Policies section under Detailed Tracking. Enable audit settings for process creation and termination, and also enable the option to include command-line data in event logs. Finally, ensure the registry key for "Microsoft-Windows-Security-Auditing/Operational" is created under the EventLog directory to support detailed auditing.
- Using Sysmon:
Download and install Sysmon from Microsoft Sysinternals, and run it using a configuration file that includes process creation monitoring. Use administrator privileges to execute sysmon.exe -i [configfile.xml], and ensure your config captures all process creation events. Also, verify the "Microsoft-Windows-Sysmon/Operational" registry key exists under the EventLog directory to support proper event logging.
Criteria
Action1: actionname = "Process started" AND (PROCESSNAME endswith "\SharpUp.exe" OR MESSAGE = "SharpUp" OR COMMANDLINE contains "HijackablePaths" OR COMMANDLINE contains "UnquotedServicePath" OR COMMANDLINE contains "ProcessDLLHijack" OR COMMANDLINE contains "ModifiableServiceBinaries" OR COMMANDLINE contains "ModifiableScheduledTask" OR COMMANDLINE contains "DomainGPPPassword" OR COMMANDLINE contains "CachedGPPPassword") select Action1.HOSTNAME,Action1.MESSAGE,Action1.COMMANDLINE,Action1.FILE_NAME,Action1.PROCESSNAME,Action1.USERNAME,Action1.PARENTPROCESSNAME
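The following is an added example, not part of this rule page or of the SharpUp project: it evaluates the criteria above over a handful of constructed process-creation records (hostnames, users and paths are made up), and contrasts the grouped form, where every indicator is tied to a "Process started" action, with an ungrouped form in which AND binds tighter than OR, so the MESSAGE and COMMANDLINE branches fire on any action type. The field names follow the rule's own select clause; the `Event` class and `SHARPUP_CHECKS` tuple are assumptions made for the example.

```python
"""Added example: evaluate the SharpUp rule criteria over constructed events."""
from dataclasses import dataclass
from typing import Optional

# SharpUp check names listed in the rule's COMMANDLINE criterion.
SHARPUP_CHECKS = (
    "HijackablePaths",
    "UnquotedServicePath",
    "ProcessDLLHijack",
    "ModifiableServiceBinaries",
    "ModifiableScheduledTask",
    "DomainGPPPassword",
    "CachedGPPPassword",
)

SELECTED_FIELDS = ("HOSTNAME", "MESSAGE", "COMMANDLINE", "FILE_NAME",
                   "PROCESSNAME", "USERNAME", "PARENTPROCESSNAME")


@dataclass
class Event:
    """One normalized log record using the field names from the rule (assumed shape)."""
    actionname: str
    HOSTNAME: str
    USERNAME: str
    PROCESSNAME: str = ""
    COMMANDLINE: str = ""
    MESSAGE: str = ""
    PARENTPROCESSNAME: str = ""
    FILE_NAME: str = ""


def sharpup_indicator(ev: Event) -> Optional[str]:
    """Return which indicator matched, or None. Path and switch checks are
    case-insensitive because Windows paths and SharpUp arguments are."""
    if ev.PROCESSNAME.lower().endswith("\\sharpup.exe"):
        return "image"
    if ev.MESSAGE == "SharpUp":
        return "description"
    for check in SHARPUP_CHECKS:
        if check.lower() in ev.COMMANDLINE.lower():
            return f"commandline:{check}"
    return None


def matches_grouped(ev: Event) -> bool:
    """Criteria with the OR-branches grouped under the process-start condition."""
    return ev.actionname == "Process started" and sharpup_indicator(ev) is not None


def matches_ungrouped(ev: Event) -> bool:
    """Criteria read with AND binding tighter than OR: only the image check is
    tied to "Process started"; the other two branches match any action."""
    return (
        (ev.actionname == "Process started"
         and ev.PROCESSNAME.lower().endswith("\\sharpup.exe"))
        or ev.MESSAGE == "SharpUp"
        or any(c.lower() in ev.COMMANDLINE.lower() for c in SHARPUP_CHECKS)
    )


def select_fields(ev: Event) -> dict:
    """Projection corresponding to the rule's select clause."""
    return {name: getattr(ev, name) for name in SELECTED_FIELDS}


def run_rule(events, grouped: bool = True) -> list:
    """Return the selected fields of every event the criteria match."""
    predicate = matches_grouped if grouped else matches_ungrouped
    return [select_fields(e) for e in events if predicate(e)]


# Constructed sample records; not real telemetry.
SAMPLE_EVENTS = [
    # Plain SharpUp run from a user-writable directory: image name matches.
    Event("Process started", "WS-017", "CORP\\jdoe",
          PROCESSNAME="C:\\Users\\jdoe\\Downloads\\SharpUp.exe",
          COMMANDLINE="SharpUp.exe audit",
          PARENTPROCESSNAME="C:\\Windows\\System32\\cmd.exe"),
    # Renamed binary: only the check name on the command line gives it away.
    Event("Process started", "WS-017", "CORP\\jdoe",
          PROCESSNAME="C:\\Temp\\svc.exe",
          COMMANDLINE="svc.exe audit UnquotedServicePath", MESSAGE="svc"),
    # Benign developer activity: no indicator.
    Event("Process started", "WS-022", "CORP\\svc_build",
          PROCESSNAME="C:\\Program Files\\dotnet\\dotnet.exe",
          COMMANDLINE="dotnet build app.csproj"),
    # Not a process start; a document name happens to contain a check name.
    # Only the ungrouped reading of the criteria flags this one.
    Event("File modified", "WS-022", "CORP\\svc_build",
          FILE_NAME="C:\\src\\UnquotedServicePath.md",
          COMMANDLINE="notepad.exe C:\\src\\UnquotedServicePath.md"),
]

if __name__ == "__main__":
    print("grouped  :", [h["PROCESSNAME"] or h["FILE_NAME"] for h in run_rule(SAMPLE_EVENTS)])
    print("ungrouped:", [h["PROCESSNAME"] or h["FILE_NAME"] for h in run_rule(SAMPLE_EVENTS, grouped=False)])
```

The second sample shows why the command-line branch matters: SharpUp is a .NET assembly that is trivially renamed, so the image-name check alone misses it, while the check names it must be given on the command line survive a rename. The fourth sample is the cost of leaving the OR-branches ungrouped: any record whose command line mentions one of those words is flagged regardless of action type, which is the kind of noise that drives analysts to tune a Critical rule down.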
Detection
Execution Mode
realtime
Log Sources
Windows
MITRE ATT&CK
- Discovery: Group Policy Discovery (T1615)
- Execution: System Services - Service Execution (T1569.002)
- Defense Evasion: Hijack Execution Flow - Executable Installer File Permissions Weakness (T1574.005)
- Persistence: Hijack Execution Flow - Executable Installer File Permissions Weakness (T1574.005)
- Privilege Escalation: Hijack Execution Flow - Executable Installer File Permissions Weakness (T1574.005)
Security Standards
Enabling this rule will help you meet the security standards' requirements listed below:
1. NIST SP 800-53 (Security and Privacy Controls for Information Systems and Organizations)
Provides a catalog of security and privacy controls for all U.S. federal information systems except those related to national security.
Triggering this rule supports AC-6 (Least Privilege) and SI-4 (System Monitoring) by detecting attempts to escalate privileges and enforcing restrictions on user capabilities.
2. NIST SP 800-171 (Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations)
Defines security requirements for protecting Controlled Unclassified Information (CUI).
Triggering this rule aligns with 3.1.6 (Use of least privilege) and 3.3.1 (Audit and accountability) by identifying suspicious privilege escalation tools used in non-authorized access attempts.
3. NIST CSF (Cybersecurity Framework)
Helps organizations manage and reduce cybersecurity risk through five core functions: Identify, Protect, Detect, Respond, and Recover.
Triggering this rule supports the "Detect" and "Respond" functions by identifying potential unauthorized privilege escalation activities and allowing for timely response.
4. NIST SP 800-137 (Information Security Continuous Monitoring - ISCM)
Establishes a process for maintaining ongoing awareness of information security to support risk management decisions.
Triggering this rule enables real-time monitoring of endpoint behavior, helping detect privilege abuse tools like SharpUp as part of continuous risk assessments.
Author
Florian Roth (Nextron Systems)
Future actions
Known False Positives
This rule will be triggered if a security analyst or administrator executes SharpUp during internal red team assessments or tool evaluations. It may also be activated by automated security testing scripts in lab environments.
Next Steps
When this rule is triggered, the following measures can be implemented:
- Identification: Identify if the flagged event is a new incident or part of an existing incident.
- Analysis: Analyze the impact and extent of the incident to comprehend the severity of the attack using the Incident Workbench.
- Response: Respond promptly by initiating an automated workflow to interrupt the network connections and cease the malicious process.
- Containment: Isolate the affected endpoint from the network to prevent further privilege abuse or lateral movement.
- Eradication: Remove any identified persistence mechanisms or malicious files deployed using the elevated privileges.
Mitigation
| Mitigation IDs | Mitigation Name | Description |
| --- | --- | --- |
| M1047 | Audit | Utilize auditing tools that can identify file system permission vulnerabilities across enterprise systems and remediate them promptly. Frameworks such as PowerSploit offer PowerUp modules designed to uncover weak service file system permissions. |
| M1052 | User Account Control | To disable UAC privilege elevation for standard users, set "ConsentPromptBehaviorUser"=dword:00000000 under [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System]. To enable installer detection for all users, use "EnableInstallerDetection"=dword:00000001, which prompts for a password and logs installation attempts. Setting "EnableInstallerDetection"=dword:00000000 will disable detection and logging, potentially allowing silent privilege escalation during installations. |
| M1018 | User Account Management | Restrict user and group privileges to ensure only authorized administrators can modify services or their binary paths. Where possible, block execution from user-accessible directories like Downloads and Temp folders. |
| M1040 | Behavior Prevention on Endpoint | On Windows 10, enable Attack Surface Reduction (ASR) rules to block processes created by PsExec from running. (Citation: win10_asr) |
| M1026 | Privileged Account Management | Ensure that service permissions prevent users with lower privilege levels from creating or interacting with services that run with elevated permissions. This helps block potential privilege escalation vectors. |
| M1022 | Restrict File and Directory Permissions | Ensure that service binaries running with elevated permissions are protected from being modified or replaced by users with lower privilege levels. This prevents unauthorized privilege escalation through service tampering. |