HackTool - SharpView Execution
Rule name | Rule type | Log sources | MITRE ATT&CK tags | Severity |
--- | --- | --- | --- | --- |
HackTool - SharpView Execution | Standard | Windows | Discovery: Permission Groups Discovery - Domain Groups (T1069.002); Discovery: Network Share Discovery (T1135); Discovery: Domain Trust Discovery (T1482); Discovery: System Network Connections Discovery (T1049); Discovery: System Owner/User Discovery (T1033) | Critical |
About the rule
Rule Type
Standard
Rule Description
Adversaries may look for details about the network configuration and settings of systems they access or through information discovery of remote systems
Severity
Trouble
Rule journey
Attack chain scenario
Initial access → Tool deployment → Domain enumeration → User discovery → ACL enumeration → Privilege escalation
Impact
- Domain exposure
- User enumeration
- Access mapping
- Privilege targeting
Rule Requirement
Prerequisites
- Using Windows event viewer:
To enable detailed process auditing, log in to a domain controller with domain admin credentials and open the Group Policy Management Console (GPMC). Create or modify a GPO linked to the relevant OU, then navigate to Advanced Audit Policy Configuration > Detailed Tracking and enable success auditing for Process Creation and Process Termination. For enhanced visibility, enable the “Include command line in process creation events” setting under Audit Process Creation in Administrative Templates. Additionally, ensure the registry key Microsoft-Windows-Security-Auditing/Operational exists under the EventLog directory to support operational logging.
- Using Sysmon:
To monitor process creation events, download and install Sysmon from Microsoft Sysinternals and run it with administrator privileges using a configuration file that includes process creation monitoring. Ensure your config file includes a <ProcessCreate> event filter to capture relevant activity. Finally, create the registry key Microsoft-Windows-Sysmon/Operational under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\ if it doesn’t already exist to enable event logging.
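The two prerequisite procedures above, carried out from an elevated PowerShell prompt on a single host, as an added example that is not part of the original page. The Sysmon binary location and the config file path are assumptions; in a domain the same audit settings are normally pushed by the GPO described above rather than set locally.

```powershell
# Added example (not from the page): enable the process-creation audit sources
# this rule depends on, then verify them. Run as Administrator.

# 1. Advanced audit policy: success auditing for Process Creation / Termination
#    (Advanced Audit Policy Configuration > Detailed Tracking in the GPO).
auditpol /set /subcategory:"Process Creation" /success:enable
auditpol /set /subcategory:"Process Termination" /success:enable

# 2. "Include command line in process creation events": the GPO setting under
#    Administrative Templates > System > Audit Process Creation writes this value.
$auditKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit'
New-Item -Path $auditKey -Force | Out-Null
Set-ItemProperty -Path $auditKey -Name 'ProcessCreationIncludeCmdLine_Enabled' -Value 1 -Type DWord

# 3. Sysmon with a minimal ProcessCreate filter. Both paths are assumed;
#    Sysmon64.exe comes from the Sysinternals download.
$sysmonConfig = 'C:\ProgramData\sysmon-config.xml'
@'
<Sysmon schemaversion="4.50">
  <EventFiltering>
    <!-- Exclude nothing: every process creation becomes Event ID 1. -->
    <ProcessCreate onmatch="exclude" />
  </EventFiltering>
</Sysmon>
'@ | Set-Content -Path $sysmonConfig -Encoding ASCII
& 'C:\Tools\Sysmon64.exe' -accepteula -i $sysmonConfig

# 4. Verify: audit subcategory state, command-line flag, and both channels present.
auditpol /get /subcategory:"Process Creation"
Get-ItemProperty -Path $auditKey -Name 'ProcessCreationIncludeCmdLine_Enabled'
Get-WinEvent -ListLog 'Security', 'Microsoft-Windows-Sysmon/Operational' |
    Select-Object LogName, IsEnabled, RecordCount
```

A process started after step 2 should appear in Security event 4688 with its Process Command Line populated, and in Sysmon/Operational as Event ID 1 with OriginalFileName, Image and CommandLine; those are the three fields the criteria below read.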
Criteria
Action1: actionname = "Process started" AND (
    ORIGINALFILENAME = "SharpView.exe"
    OR PROCESSNAME endswith "\SharpView.exe"
    OR (COMMANDLINE contains "Add-RemoteConnection,Convert-ADName,ConvertFrom-SID,ConvertFrom-UACValue,Convert-SidToName,Export-PowerViewCSV,Find-DomainObjectPropertyOutlier,Find-DomainProcess,Find-DomainShare,Find-DomainUserEvent,Find-DomainUserLocation,Find-ForeignGroup,Find-ForeignUser,Find-GPOComputerAdmin,Find-GPOLocation,Find-Interesting,Find-LocalAdminAccess,Find-ManagedSecurityGroups,Get-CachedRDPConnection,Get-DFSshare,Get-DomainComputer"
        OR COMMANDLINE contains "Get-DomainController,Get-DomainDFSShare,Get-DomainDNSRecord,Get-DomainFileServer,Get-DomainForeign,Get-DomainGPO,Get-DomainGroup,Get-DomainGUIDMap,Get-DomainManagedSecurityGroup,Get-DomainObject,Get-DomainOU,Get-DomainPolicy,Get-DomainSID,Get-DomainSite,Get-DomainSPNTicket,Get-DomainSubnet,Get-DomainTrust,Get-DomainUserEvent,Get-ForestDomain,Get-ForestGlobalCatalog,Get-ForestTrust"
        OR COMMANDLINE contains "Get-GptTmpl,Get-GroupsXML,Get-LastLoggedOn,Get-LoggedOnLocal,Get-NetComputer,Get-NetDomain,Get-NetFileServer,Get-NetForest,Get-NetGPO,Get-NetGroupMember,Get-NetLocalGroup,Get-NetLoggedon,Get-NetOU,Get-NetProcess,Get-NetRDPSession,Get-NetSession,Get-NetShare,Get-NetSite,Get-NetSubnet,Get-NetUser,Get-PathAcl"
        OR COMMANDLINE contains "Get-PrincipalContext,Get-RegistryMountedDrive,Get-RegLoggedOn,Get-WMIRegCachedRDPConnection,Get-WMIRegLastLoggedOn,Get-WMIRegMountedDrive,Get-WMIRegProxy,Invoke-ACLScanner,Invoke-CheckLocalAdminAccess,Invoke-Kerberoast,Invoke-MapDomainTrust,Invoke-RevertToSelf,Invoke-Sharefinder,Invoke-UserImpersonation,Remove-DomainObjectAcl,Remove-RemoteConnection,Request-SPNTicket,Set-DomainObject,Test-AdminAccess")
)
select Action1.HOSTNAME, Action1.MESSAGE, Action1.COMMANDLINE, Action1.FILE_NAME, Action1.PROCESSNAME, Action1.USERNAME, Action1.PARENTPROCESSNAME
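The same criteria re-expressed as an added PowerShell check (not the product's own query) and run over constructed Sysmon Event ID 1 / Security 4688 records, so the three selections (OriginalFileName, Image path, command-line function names) and the process-start scoping can be exercised offline. Field names follow Sysmon, and the function list is a subset of the one in the rule.

```powershell
# Added example, not the product's own query: applies the criteria above to
# process-creation records (Sysmon Event ID 1 or Security 4688).
$SharpViewFunctions = @(
    'Add-RemoteConnection', 'ConvertFrom-SID', 'Find-LocalAdminAccess',
    'Get-DomainComputer', 'Get-DomainGroup', 'Get-DomainTrust',
    'Get-NetSession', 'Get-NetShare', 'Get-NetUser',
    'Invoke-ACLScanner', 'Invoke-Kerberoast', 'Invoke-Sharefinder'
)

function Test-SharpViewExecution {
    param([Parameter(Mandatory)] [hashtable] $Record)

    # The "Process started" condition scopes every alternative, so it is
    # checked first; terminations and other event types never match.
    if ($Record.EventId -notin @(1, 4688)) { return $false }

    # -eq, -like and -match are case-insensitive for strings in PowerShell,
    # so a renamed or re-cased binary is still caught by OriginalFileName.
    $byOriginalName = $Record.OriginalFileName -eq 'SharpView.exe'
    $byImagePath    = $Record.Image -like '*\SharpView.exe'
    $byCommandLine  = $false
    foreach ($fn in $SharpViewFunctions) {
        if ($Record.CommandLine -match [regex]::Escape($fn)) {
            $byCommandLine = $true
            break
        }
    }
    return ($byOriginalName -or $byImagePath -or $byCommandLine)
}

# Constructed sample records (not real telemetry), one per selection plus
# a benign process and an out-of-scope termination event.
$SampleRecords = @(
    @{ EventId = 1;    Image = 'C:\Users\a\Downloads\sv.exe';    OriginalFileName = 'SharpView.exe'; CommandLine = 'sv.exe Get-DomainTrust' },
    @{ EventId = 4688; Image = 'C:\Tools\SharpView.exe';         OriginalFileName = $null;           CommandLine = 'SharpView.exe Get-NetUser' },
    @{ EventId = 1;    Image = 'C:\Temp\recon.exe';              OriginalFileName = 'recon.exe';     CommandLine = 'recon.exe Invoke-Kerberoast' },
    @{ EventId = 1;    Image = 'C:\Windows\System32\whoami.exe'; OriginalFileName = 'whoami.exe';    CommandLine = 'whoami /groups' },
    @{ EventId = 5;    Image = 'C:\Tools\SharpView.exe';         OriginalFileName = 'SharpView.exe'; CommandLine = $null }
)

# Expected: the first three records match, the last two do not.
$SampleRecords | ForEach-Object {
    [pscustomobject]@{ EventId = $_.EventId; Image = $_.Image; Matches = Test-SharpViewExecution $_ }
} | Format-Table -AutoSize
```

The first record shows why OriginalFileName matters: the binary was renamed, so neither the image path nor (had the argument been something else) the command line would identify it.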
Detection
Execution Mode
realtime
Log Sources
Active Directory
MITRE ATT&CK
- Discovery: Permission Groups Discovery - Domain Groups (T1069.002)
- Discovery: Network Share Discovery (T1135)
- Discovery: Domain Trust Discovery (T1482)
- Discovery: System Network Connections Discovery (T1049)
- Discovery: System Owner/User Discovery (T1033)
Security Standards
Enabling this rule will help you meet the security standards' requirements listed below:
- NIST SP 800-53: AU-6 – Audit Review, Analysis, and Reporting
  Requires regular review and analysis of audit records for indications of inappropriate or unusual activity.
  Triggering this rule helps detect and alert on SharpView-based reconnaissance attempts, allowing timely audit review and incident triage.
- NIST SP 800-53: SI-4 – System Monitoring
  Mandates monitoring of system events to detect unauthorized activity.
  Triggering this rule aids in identifying malicious discovery behavior consistent with attacker reconnaissance within the network.
- NIST SP 800-53: AC-2 – Account Management
  Focuses on managing information system accounts, including monitoring for unusual access patterns.
  Triggering this rule supports visibility into account or group enumeration attempts, which may indicate abuse or misuse of account privileges.
- NIST SP 800-171: 3.14.6 – Monitor organizational systems
  Organizations must actively monitor systems for unauthorized access or abnormal activity.
  Triggering this rule alerts defenders to attacker use of SharpView to gather domain or user-level intelligence, indicating a potential compromise.
- NIST CSF: DE.CM-7 – Monitoring for unauthorized personnel, devices, and software
  Requires detection of unauthorized actors and tools in the environment.
  Triggering this rule highlights use of unauthorized recon tools like SharpView, allowing swift detection of internal enumeration tactics.
Author
frack113
Future actions
Known False Positives
This rule will be triggered when security analysts or administrators use SharpView for legitimate auditing, troubleshooting, or Active Directory enumeration tasks. It may also fire during approved red team exercises or internal security assessments.
Next Steps
When this rule is triggered, the following measures can be implemented:
- Identification: Identify if the flagged event is a new incident or part of an existing incident.
- Analysis: Analyze the impact and extent of the incident to comprehend the severity of the attack using the Incident Workbench.
- Response: Respond promptly by initiating an automated workflow to interrupt the network connections and terminate the malicious process.
- Containment: Isolate the affected host from the network to prevent further lateral movement or data collection attempts.
- Eradication: Remove the SharpView tool and any associated malicious scripts or payloads from the compromised system.
Mitigation
Mitigation IDs | Mitigation Name | Description |
--- | --- | --- |
M1047 | Audit | Limit and document trust relationships within and across domains/forests, ensuring only essential trusts are maintained. |
M1030 | Network Segmentation | Employ network segmentation for sensitive domains. (Citation: Harmj0y Domain Trusts) |
M1028 | Operating System Configuration | Enable the Windows Group Policy security setting “Do Not Allow Anonymous Enumeration of SAM Accounts and Shares” to limit which users can enumerate network shares. (Citation: Windows Anonymous Enumeration of SAM Accounts) |