
Detecting the presence of SharpView tool

Rule added on 20th February, 2024

Prerequisite:

The rule requires Sysmon to be enabled for proper functioning.

Rule type:

Correlation rule

Rule description:

This correlation rule aims to identify use of SharpView.exe, a powerful tool primarily used for domain enumeration within AD environments.

Data source:

Windows: process, script, user account, file

Relevant MITRE ATT&CK techniques and tactics:

Tactics: TA0007 - Discovery

Techniques: T1087 - Account Discovery, T1069 - Permission Groups Discovery, T1016 - System Network Configuration Discovery

Sub-techniques: T1087.001 - Local Account, T1087.002 - Domain Account, T1069.001 - Local Groups, T1069.002 - Domain Groups

Criteria:

Original file name ends with "SharpView.exe": This criterion checks the event log for entries where the original file name of the executable involved in the event ends with "SharpView.exe".

Process name ends with "SharpView.exe": This criterion focuses on the process name itself. It looks for events where the name of the process involved ends with "SharpView.exe".
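The two criteria above, applied to Sysmon process-creation (Event ID 1) records, as an added example that is not the vendor's rule logic. It assumes Sysmon's standard XML event layout with the Image and OriginalFileName fields; the hosts and paths in the sample events are constructed.

```python
# Added example (not the vendor's rule logic): apply the page's two criteria to
# Sysmon Event ID 1 records rendered as XML. The sample events are constructed.
import xml.etree.ElementTree as ET

EVT_NS = "{http://schemas.microsoft.com/win/2004/08/events/event}"
SUFFIX = "sharpview.exe"  # compared case-insensitively, as Windows file names are

SAMPLE_EVENTS = [
    # 1) Renamed on disk; only the PE version resource still says SharpView.exe
    r"""<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System>
    <EventID>1</EventID><Computer>ws01.corp.example</Computer></System><EventData>
    <Data Name="Image">C:\Users\jdoe\AppData\Local\Temp\svc.exe</Data>
    <Data Name="OriginalFileName">SharpView.exe</Data></EventData></Event>""",
    # 2) Unmodified binary: both criteria match
    r"""<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System>
    <EventID>1</EventID><Computer>ws02.corp.example</Computer></System><EventData>
    <Data Name="Image">C:\Tools\SharpView.exe</Data>
    <Data Name="OriginalFileName">SharpView.exe</Data></EventData></Event>""",
    # 3) Benign process creation: no match
    r"""<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System>
    <EventID>1</EventID><Computer>ws03.corp.example</Computer></System><EventData>
    <Data Name="Image">C:\Windows\System32\notepad.exe</Data>
    <Data Name="OriginalFileName">NOTEPAD.EXE</Data></EventData></Event>""",
]

def event_data(xml_text: str) -> dict:
    """Flatten the <Data Name=...> elements plus EventID and Computer into a dict."""
    root = ET.fromstring(xml_text)
    fields = {d.get("Name"): (d.text or "") for d in root.iter(f"{EVT_NS}Data")}
    fields["EventID"] = root.findtext(f"{EVT_NS}System/{EVT_NS}EventID", "")
    fields["Computer"] = root.findtext(f"{EVT_NS}System/{EVT_NS}Computer", "")
    return fields

def matched_criteria(fields: dict) -> list:
    """Return the names of the rule's criteria that fire for one event."""
    if fields.get("EventID") != "1":  # only Sysmon process-creation events
        return []
    checks = {"OriginalFileName": fields.get("OriginalFileName", ""),  # survives a rename
              "Image": fields.get("Image", "")}
    return [name for name, val in checks.items() if val.lower().endswith(SUFFIX)]

def scan(events: list) -> list:
    """One alert per event in which at least one criterion matched."""
    alerts = []
    for xml_text in events:
        f = event_data(xml_text)
        if hits := matched_criteria(f):
            alerts.append({"host": f["Computer"], "image": f["Image"], "criteria": hits})
    return alerts
```

The first sample shows why the rule carries both criteria: renaming the file defeats the process-name check, while OriginalFileName is read from the PE version resource and still matches.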

When to implement:

Enable this rule to detect reconnaissance activities targeting the network infrastructure, as SharpView is often used by attackers to gather intelligence for planning further attacks.

This rule can be helpful in identifying potential lateral movement attempts within the network. Attackers often use SharpView to enumerate user accounts and computer systems to find new targets.

Compliance mapping:

Enabling this rule will help you meet the requirements below of regulatory standards and compliance mandates pertaining to the detection of malicious software installations.

NIST Cybersecurity Framework (CSF):

  • Anomalies in System Process Execution (DE.AE-1): Detection of suspicious process executions associated with SharpView, such as attempts to enumerate domain information.
  • Unusual Network Traffic Patterns (DE.AE-1): Monitoring for unexpected network activity indicative of SharpView's reconnaissance activities.
  • Security Log Anomalies (DE.CM-7): Alerting on activities related to unauthorized access attempts or manipulation of domain resources.

CIS:

  • Control 8: Malware Defense: Implement mechanisms to detect and prevent the execution of SharpView and similar tools used for domain reconnaissance.
  • Control 6: Maintenance, Monitoring, and Analysis of Audit Logs: Continuously monitor audit logs for anomalies indicating SharpView usage or suspicious activities targeting domain resources.

Next steps:

Upon triggering this alert, the following actions can be taken:

  • Identification: Mark this alert as part of an existing incident or initiate a new incident, and assign the incident to an analyst for in-depth examination.
  • Analysis: Conduct an impact investigation and thoroughly analyze the degree of compromise utilizing the Incident Workbench to gain insights into the threat's severity.
  • Response: Initiate automated workflow execution to swiftly terminate the identified malicious process, leveraging Workflows for prompt mitigation.