- SharPersist Detection
Detecting presence of SharPersist tool
Rule added on 20th February, 2024
Prerequisite:
The rule requires Sysmon to be enabled for proper functioning.
Rule type:
Correlation rule
Rule description:
This rule is designed to spot and respond to activities linked to SharPersist, a threat known for using persistence mechanisms. These mechanisms help attackers maintain unauthorized access to compromised systems, making the rule crucial for cybersecurity monitoring and defense.
Data source:
Windows: File, script, process
Relevant MITRE ATT&CK techniques and tactics:
Tactics: TA0002 - Execution, TA0003 - Persistence, TA0004 - Privilege Escalation, TA0005 - Defense Evasion
Techniques: T1053 - Scheduled Task/Job, T1547 - Boot or Logon Autostart Execution, T1574 - Hijack Execution Flow
Sub-techniques: T1547.001 - Registry Run Keys / Startup Folder, T1547.009 - Boot or Logon Autostart Execution
Criteria:
- Original file name ends with "SharPersist.exe": the rule checks whether the original file name recorded in the event log ends with "SharPersist.exe".
- Process name ends with "SharPersist.exe": if EventLog Analyzer detects a running process whose name ends with "SharPersist.exe", it triggers an alert when the alert profile is enabled.
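The two criteria above, applied to Sysmon process creation records, as an added example written for this page (it is not EventLog Analyzer's rule engine or its configuration). It assumes the events arrive in Sysmon's XML form and that only Event ID 1 (process creation) is evaluated; the sample events are constructed. The second sample shows why both criteria matter: a renamed binary no longer matches on process name, but the OriginalFileName field that Sysmon takes from the PE version information still does.

```python
"""Added example: evaluate the SharPersist criteria against Sysmon Event ID 1 records.
Not the page's or EventLog Analyzer's own code; sample events are constructed."""
import xml.etree.ElementTree as ET

SYSMON_NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
SUFFIX = "sharpersist.exe"  # both criteria are suffix checks, compared case-insensitively


def parse_sysmon_event(xml_text: str) -> dict:
    """Flatten one Sysmon event (XML view) into its ID, record ID and EventData fields."""
    root = ET.fromstring(xml_text)
    event_id = int(root.findtext("e:System/e:EventID", namespaces=SYSMON_NS))
    record_id = root.findtext("e:System/e:EventRecordID", namespaces=SYSMON_NS)
    data = {d.get("Name"): (d.text or "")
            for d in root.findall("e:EventData/e:Data", SYSMON_NS)}
    return {"event_id": event_id, "record_id": record_id, "data": data}


def evaluate(event: dict) -> list:
    """Return the names of the criteria that match; empty list means no alert."""
    if event["event_id"] != 1:          # assumption: only process creation is evaluated here
        return []
    hits = []
    # Criterion 1: original file name (PE version info) ends with SharPersist.exe
    if event["data"].get("OriginalFileName", "").lower().endswith(SUFFIX):
        hits.append("original_file_name")
    # Criterion 2: process image path ends with SharPersist.exe
    if event["data"].get("Image", "").lower().endswith(SUFFIX):
        hits.append("process_name")
    return hits


def run_rule(xml_events) -> list:
    """Apply the rule to a batch of events and return (record_id, criteria) per alert."""
    alerts = []
    for xml_text in xml_events:
        ev = parse_sysmon_event(xml_text)
        hits = evaluate(ev)
        if hits:
            alerts.append((ev["record_id"], tuple(hits)))
    return alerts


def _event(record_id: str, event_id: int, **fields) -> str:
    """Build a constructed Sysmon event in the XML layout the parser expects."""
    data = "".join(f'<Data Name="{k}">{v}</Data>' for k, v in fields.items())
    return (f'<Event xmlns="{SYSMON_NS["e"]}"><System><EventID>{event_id}</EventID>'
            f'<EventRecordID>{record_id}</EventRecordID></System>'
            f'<EventData>{data}</EventData></Event>')


# Constructed sample events (paths and record IDs are illustrative, not real telemetry)
SAMPLE_EVENTS = [
    # tool run under its own name: both criteria fire
    _event("1001", 1, Image=r"C:\Users\alice\AppData\Local\Temp\SharPersist.exe",
           OriginalFileName="SharPersist.exe"),
    # same binary renamed on disk: only the original file name criterion fires
    _event("1002", 1, Image=r"C:\ProgramData\update.exe",
           OriginalFileName="SharPersist.exe"),
    # benign process: no alert
    _event("1003", 1, Image=r"C:\Windows\System32\notepad.exe",
           OriginalFileName="NOTEPAD.EXE"),
    # file creation event (ID 11) is outside this example's scope and is skipped
    _event("1004", 11, Image=r"C:\Windows\explorer.exe",
           TargetFilename=r"C:\Users\alice\Downloads\SharPersist.exe"),
]

if __name__ == "__main__":
    for record_id, criteria in run_rule(SAMPLE_EVENTS):
        print(f"alert: record {record_id} matched {', '.join(criteria)}")
```

Running the block prints alerts for records 1001 and 1002 only. The Event ID 11 record is deliberately left unmatched here; in the product, the "File" data source listed above covers that path, so a real deployment should not rely on this narrower approximation.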
When to enable this rule:
This rule should be implemented when you need to detect attempts to establish persistence on a system using techniques associated with the SharPersist tool.
Compliance mapping (NIST, CIS):
Enabling this rule will help you meet the following requirements of regulatory standards and compliance mandates pertaining to the detection of malicious software installations.
NIST Cybersecurity Framework (CSF):
- Anomalies in System Process Execution (DE.AE-1): Detection of suspicious process executions associated with SharPersist, such as attempts to establish persistence mechanisms.
- Irregular Access to Credential Stores (DE.CM-1): Identification of unauthorized access attempts or modifications related to credential stores.
- Security Log Anomalies (DE.CM-7): Alerting on activities indicating attempts to maintain unauthorized access or elevate privileges.
CIS:
- Control 8: Malware Defense: Implement mechanisms to detect and prevent the execution of SharPersist and similar tools used for persistence.
- Control 6: Maintenance, Monitoring, and Analysis of Audit Logs: Continuously monitor audit logs for anomalies indicating SharPersist usage or suspicious modifications to system configurations.
Next steps:
Upon triggering this alert, the following actions can be taken:
- Identification: Mark this alert as part of an existing incident or initiate a new incident, and assign the incident to an analyst for in-depth examination.
- Analysis: Conduct an impact investigation and thoroughly analyze the degree of compromise utilizing the Incident Workbench to gain insights into the threat's severity.
- Response: Initiate automated workflow execution to swiftly terminate the identified malicious process, leveraging Workflows for prompt mitigation.