Detecting presence of SharpDump

Prerequisite:

The rule requires Sysmon to be enabled for proper functioning.

Rule type:

Correlation rule

Rule description:

The SharpDump detection rule identifies and alerts on the execution of the SharpDump PowerShell script. SharpDump is commonly used for memory dumping on Windows systems, allowing attackers to extract sensitive information from running processes. This rule aims to enhance cybersecurity by providing early detection and response capabilities when SharpDump activity is detected within a network or system.

By employing SharpDump, adversaries can execute attacks such as:

• Credential theft
• Privilege escalation
• Data exfiltration

Data source:

Windows: process, user account, script

Relevant MITRE ATT&CK techniques and tactics:

Tactics: TA0004 - Privilege Escalation, TA0006 - Credential Access

Techniques: T1548 - Abuse Elevation Control Mechanism, T1003 - OS Credential Dumping

Sub-techniques: T1003.001 - OS Credential Dumping : LSASS Memory, T1003.002 - OS Credential Dumping : Security Account Manager, T1003.003 - OS Credential Dumping : NTDS

Criteria:

Original file name ends with "sharpdump.exe": This condition checks if the event log contains information about a file being executed where the filename ends with "sharpdump.exe". This indicates the execution of the SharpDump tool.

Process name ends with "sharpdump.exe": This condition looks for events mentioning a process where the process name itself ends with "sharpdump.exe". This further strengthens the possibility of the SharpDump tool being involved.

When to implement:

This rule should be implemented when you want to detect malicious attempts to steal credentials or other sensitive information from memory on your Windows systems.

Compliance mapping:

Enabling this rule will help you comply with the below security standards' requirements

NIST Cybersecurity Framework (CSF):

Anomalies in System Process Execution (DE.AE-1): Detection of suspicious process executions associated with SharpDump, such as attempts to extract credential information.

Irregular Access to Credential Stores (DE.CM-1): Identification of unauthorized access attempts or modifications related to credential stores or memory dumps.

Security Log Anomalies (DE.CM-7): Alerting on activities indicating attempts to exploit credential vulnerabilities or elevate privileges.

CIS:

Control 8: Malware Defense: Implement mechanisms to detect and prevent the execution of SharpDump and similar tools targeting credential extraction.

Control 6: Maintenance, Monitoring, and Analysis of Audit Logs: Continuously monitor audit logs for anomalies indicating SharpDump usage or suspicious activities targeting credentials.

Next steps:

Upon triggering this alert, the following actions can be taken:

• Identification: Mark this alert as a part of an existing incident or initiate a new incident. Assigning the incident to an analyst for in-depth examination.
• Analysis: Conduct an impact investigation and thoroughly analyze the degree of compromise utilizing the Incident Workbench to gain insights into the threat's severity.
• Response: Initiate automated workflow execution to swiftly terminate the identified malicious process, leveraging Workflows for prompt mitigation.