HackTool - SharpDPAPI Execution

About the rule

Rule Type

Standard

Rule Description

Detects the execution of the SharpDPAPI tool based on CommandLine flags and PE metadata. SharpDPAPI is a C# port of some DPAPI functionality from the Mimikatz project.

Severity

Trouble

Rule journey

Attack chain scenario

Initial access → Privilege escalation → Credential dumping → SharpDPAPI deployment → DPAPI Master key extraction → Decryption and lateral movement

Impact

• Credential exposure
• Data decryption
• Lateral movement
• Privilege escalation

Rule Requirement

Prerequisites

• Using Windows event viewer:

To enable detailed process auditing, log in to the domain controller with domain admin credentials and access the Group Policy Management Console (GPMC). Create or edit a GPO linked to the target OU and enable Audit Process Creation and Audit Process Termination under Detailed Tracking. For enhanced visibility, enable the policy to Include command line in process creation events. Additionally, ensure the registry key for "Microsoft-Windows-Security-Auditing/Operational" exists to support event logging.

• Using Sysmon:

Download and install Sysmon from Microsoft Sysinternals, and configure it with a file that includes process creation monitoring. Use the command sysmon.exe -i [configfile.xml] to install Sysmon with the configuration. Ensure the necessary registry key under "Microsoft-Windows-Sysmon/Operational" exists to enable proper event logging.

Criteria

Detection

Execution Mode

realtime

Log Sources

Windows

MITRE ATT&CK

• Defense Evasion: Access Token Manipulation - Make and Impersonate Token (T1134.003)
• Privilege Escalation: Access Token Manipulation - Make and Impersonate Token (T1134.003)
• Defense Evasion: Access Token Manipulation - Token Impersonation/Theft (T1134.001)
• Privilege Escalation: Access Token Manipulation - Token Impersonation/Theft (T1134.001)

Security Standards

Enabling this rule will help you meet the security standard's requirement listed below:

• NIST SP 800-53 – SI-4: System Monitoring
  Monitors systems to detect and respond to unauthorized activity.
  Triggering this rule supports continuous system monitoring by detecting abnormal use of credential dumping tools like SharpDPAPI.
• NIST SP 800-53 – AC-2: Account Management
  Manages user accounts and access rights to protect against misuse.
  Triggering this rule aids in identifying attempts to harvest credentials from DPAPI, indicating misuse of legitimate accounts.
• NIST SP 800-53 – AU-6: Audit Review, Analysis, and Reporting
  Requires organizations to review and act on audit logs regularly.
  Triggering this rule generates actionable log data about SharpDPAPI usage, enhancing audit analysis and reporting of suspicious activity.
• NIST SP 800-171 – 3.1.7: Prevent Non-Privileged Users from Executing Privileged Functions
  Prevents unauthorized elevation or misuse of privileges.
  Triggering this rule identifies when an adversary tries to access protected DPAPI data, possibly by abusing elevated privileges.
• NIST CSF – DE.CM-7: Monitoring for Unauthorized Personnel, Connections, Devices, and Software
  Detects unauthorized software and user activity.
  Triggering this rule helps detect unauthorized use of penetration testing tools or credential access utilities like SharpDPAPI.

Author

Nasreddine Bencherchali (Nextron Systems)

Future actions

Known False Positives

This rule will be triggered if SharpDPAPI is executed by security teams during authorized red team assessments or internal testing. It may also alert when forensic analysts use the tool for credential recovery in a controlled environment.

Next Steps

When this rule is triggered, the following measures can be implemented:

1. Identification: Identify if the flagged event is a new incident or part of an existing incident.
2. Analysis: Analyze the impact and extent of the incident to comprehend the severity of the attack using the Incident Workbench.
3. Response: Respond promptly by initiating an automated workflow to interrupt the network connections and cease the malicious process.
4. Validation: Verify if the activity is part of authorized red team testing or internal security operations to rule out false positives.
5. Containment: Isolate the affected host to prevent further compromise and preserve forensic evidence for investigation.

Mitigation