
Detecting the presence of SharpShares tool

Rule added on 20th February, 2024

Prerequisite:

The rule requires Sysmon/auditing to be enabled for proper functioning.

Rule type:

Correlation rule

Rule description:

This correlation rule aims to detect the misuse of SharpShares, a collection of PowerShell scripts primarily designed for penetration testing and administrative tasks within AD environments.

Data source:

Windows: Network traffic, firewall

Relevant MITRE ATT&CK techniques and tactics:

Tactics: TA0007 - Discovery, TA0008 - Lateral Movement, TA0009 - Collection

Techniques: T1087 - Account Discovery, T1135 - Network Share Discovery, T1021 - Remote Services, T1074 - Data Staged

Sub-techniques: T1087.002 - Domain Account, T1021.002 - SMB/Windows File Sharing

Criteria:

Original file name contains sharpshares: This condition checks if the name of a file involved in an event log entry contains the text "sharpshares".

Original file name contains sharp shares: This is similar to the first condition, but allows for a space between "sharp" and "shares".

Process name ends with sharpshares.exe: This condition checks if the name of a process involved in an event log entry ends with "sharpshares.exe".
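The three criteria above applied to constructed Sysmon Event ID 1 (process creation) records, as an added example that is not part of the original rule or the vendor's product. The Image and OriginalFileName field names are Sysmon's; the sample paths and events are made up.

```python
# Constructed Sysmon Event ID 1 records, reduced to the two fields the rule
# evaluates. OriginalFileName comes from the PE version resource, so it can
# differ from the on-disk file name.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\cmd.exe", "OriginalFileName": "Cmd.Exe"},
    {"Image": r"C:\Users\alice\tools\SharpShares.exe", "OriginalFileName": "SharpShares.exe"},
    # On-disk name differs, but the PE header still carries the original name.
    {"Image": r"C:\Users\bob\update.exe", "OriginalFileName": "Sharp Shares.exe"},
    # No version info at all: outside this rule's criteria, needs other telemetry.
    {"Image": r"C:\Temp\svchost.exe", "OriginalFileName": ""},
    # Only the path matches; case differs, so comparisons must be case-insensitive.
    {"Image": r"C:\ProgramData\SHARPSHARES.EXE", "OriginalFileName": "notepad.exe"},
]


def matched_criteria(event):
    """Return the names of the rule criteria this event satisfies.

    An empty list means the rule does not fire for the event. Both fields are
    lower-cased first because Windows file names are case-insensitive.
    """
    original = event.get("OriginalFileName", "").lower()
    image = event.get("Image", "").lower()
    hits = []
    if "sharpshares" in original:
        hits.append("original_file_name_contains_sharpshares")
    if "sharp shares" in original:
        hits.append("original_file_name_contains_sharp_shares")
    if image.endswith("sharpshares.exe"):
        hits.append("process_name_ends_with_sharpshares.exe")
    return hits


def scan(events):
    """Evaluate every event; return (Image, criteria) pairs for those that alert."""
    alerts = []
    for event in events:
        hits = matched_criteria(event)
        if hits:
            alerts.append((event["Image"], hits))
    return alerts


if __name__ == "__main__":
    for image, hits in scan(SAMPLE_EVENTS):
        print(f"ALERT {image}: {', '.join(hits)}")
```

The second and fifth sample events show why the rule keys on both fields: either one alone would miss a binary whose on-disk name or version resource has been changed.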

When to enable this rule:

Enable this rule when the user wants to detect suspicious PowerShell activity that might indicate lateral movement or privilege escalation attempts within the Active Directory (AD) environment.

Compliance mapping (NIST, CIS):

Enabling this rule will help you comply with the requirements of the following security standards:

NIST Cybersecurity Framework (CSF):

  • Anomalies in System Process Execution (DE.AE-1): Detection of suspicious process executions related to SharpShares, such as enumeration of network shares.
  • Unusual Network Traffic Patterns (DE.AE-1): Monitoring for unexpected network activity, potentially indicating information gathering or lateral movement via shares.
  • Security Log Anomalies (DE.CM-7): Alerting on activities associated with unauthorized access attempts or manipulation of shared resources.

CIS:

  • Control 8: Malware Defense: Implement mechanisms to detect and prevent the execution of tools like SharpShares, commonly used for reconnaissance and lateral movement.
  • Control 6: Maintenance, Monitoring, and Analysis of Audit Logs: Analyze audit logs for anomalies indicating SharpShares usage or suspicious access to network shares.

Next steps:

Upon triggering this alert, the following actions can be taken:

  • Identification: Mark this alert as part of an existing incident or initiate a new incident, and assign the incident to an analyst for in-depth examination.
  • Analysis: Conduct an impact investigation and thoroughly analyze the degree of compromise utilizing the Incident Workbench to gain insights into the threat's severity.
  • Response: Initiate automated workflow execution to swiftly terminate the identified malicious process, leveraging Workflows for prompt mitigation.