HackTool - SharpMove Tool Execution

Rule Info

Name: HackTool - SharpMove Tool Execution
Author: Luca Di Bartolomeo (CrimpSec)
Description: Detects the execution of SharpMove, a .NET utility that performs multiple tasks such as "Task Creation", "SCM" query, and VBScript execution using WMI. Detection is based on its PE metadata and command line options.
Date: 2024-01-29 00:00:00
Modified: None
Id: 055fb54c-a8f4-4aee-bd44-f74cf30a0d9d
Tags: attack.lateral_movement attack.t1021.002 DEMO
Type: Community Rule

Rule History

Author: Luca
Title: Merge PR #4686 from @CrimpSec - Add new rule for SharpMove based on PE metadata and CLI options
Date: 2024-01-29
Commit: