HackTool - SharpMove Tool Execution
Luca Di Bartolomeo (CrimpSec)
Detects the execution of SharpMove via its PE metadata and command-line options. SharpMove is a .NET utility that performs multiple tasks such as "Task Creation", "SCM" query, and VBScript execution using WMI.
attack.lateral_movement attack.t1021.002
Merge PR #4686 from @CrimpSec - Add new rule for SharpMove based on PE metadata and CLI options