HackTool - SharpMove Tool Execution

Rule Info

Name: HackTool - SharpMove Tool Execution
Author: Luca Di Bartolomeo (CrimpSec)
Description: Detects the execution of SharpMove, a .NET utility that performs multiple tasks such as "Task Creation", "SCM" query, and VBScript execution using WMI. Detection is based on its PE metadata and command-line options.
Date: 2024-01-29 00:00:00
Modified: None
Id: 055fb54c-a8f4-4aee-bd44-f74cf30a0d9d
Tags: attack.lateral-movement attack.t1021.002 DEMO
Type: Community Rule

Rule History

Author | Title | Date | Commit
Nasreddine Bencherchali | Merge PR #4950 from @nasbench - Comply With v2 Spec Changes | 2024-08-12 |
Luca | Merge PR #4686 from @CrimpSec - Add new rule for SharpMove based on PE metadata and CLI options | 2024-01-29 |