Detecting the presence of SharpUp tool

Rule added on 20th February, 2024

Prerequisite:

The rule requires Sysmon to be enabled for proper functioning.

Rule type:

Correlation rule

Rule description:

This correlation rule aims to identify the presence of SharpUp, a C# port of the PowerUp privilege escalation tool.

Data source:

Windows: process

Relevant MITRE ATT&CK techniques and tactics:

Tactics: TA0007 - Discovery, TA0005 - Defense Evasion

Techniques: T1069 - Permission Groups Discovery, T1222 - File and Directory Permissions Modification, T1057 - Process Discovery

Criteria:

Original file name ends with "SharpUp": The rule scans log entries for events where the original filename of a file ends with the string "SharpUp". This could indicate attempts to download, transfer, or execute the SharpUp tool.

Process name ends with "SharpUp.exe": This condition checks if the event log entry indicates a process name ending with "SharpUp.exe". This identifies events where SharpUp.exe is involved.

AND Command line does not end with "SharpUpgrade.exe": This condition further refines the identification by excluding events where the command line ends with "SharpUpgrade.exe". SharpUpgrade.exe is a legitimate tool used for Windows upgrades. By excluding it, the rule focuses on SharpUp.exe being used potentially for malicious purposes.
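The three criteria above, evaluated over constructed Sysmon Event ID 1 (process creation) records, as an added illustration that is not the vendor's rule engine. The Sysmon field names (Image, OriginalFileName, CommandLine), the case-insensitive comparison, and tolerating a trailing ".exe" on OriginalFileName are assumptions made here.

```python
"""Toy evaluator for the SharpUp correlation rule described above."""
from typing import Dict, List

Event = Dict[str, str]


def matches_sharpup_rule(event: Event) -> bool:
    """Return True when an event satisfies the page's criteria:
    (OriginalFileName ends with "SharpUp" OR Image ends with "SharpUp.exe")
    AND CommandLine does not end with "SharpUpgrade.exe".
    Matching is case-insensitive: Windows paths and PE version metadata are
    not case-normalised in the log (assumption, not stated by the page)."""
    original = event.get("OriginalFileName", "").lower()
    image = event.get("Image", "").lower()
    cmdline = event.get("CommandLine", "").strip().rstrip('"').lower()

    # Sysmon records OriginalFileName with its extension (e.g. "SharpUp.exe"),
    # so drop a trailing ".exe" before applying the page's "ends with SharpUp".
    if original.endswith(".exe"):
        original = original[: -len(".exe")]

    name_hit = original.endswith("sharpup") or image.endswith("sharpup.exe")
    excluded = cmdline.endswith("sharpupgrade.exe")
    return name_hit and not excluded


def sharpup_hits(events: List[Event]) -> List[Event]:
    """Filter a batch of process-creation events down to rule matches."""
    return [e for e in events if matches_sharpup_rule(e)]


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS: List[Event] = [
    # 1. Tool run under its own name: matches on both name criteria.
    {"Image": r"C:\Users\bob\Downloads\SharpUp.exe",
     "OriginalFileName": "SharpUp.exe",
     "CommandLine": r"C:\Users\bob\Downloads\SharpUp.exe audit"},
    # 2. Binary renamed on disk: Image no longer matches, but the PE
    #    OriginalFileName still does, which is why that criterion exists.
    {"Image": r"C:\Temp\svchost.exe",
     "OriginalFileName": "SharpUp.exe",
     "CommandLine": r"C:\Temp\svchost.exe audit"},
    # 3. Legitimate upgrade tool excluded by the command-line clause.
    {"Image": r"C:\Tools\SharpUpgrade.exe",
     "OriginalFileName": "SharpUpgrade.exe",
     "CommandLine": r"C:\Tools\SharpUpgrade.exe"},
    # 4. Unrelated process: no match.
    {"Image": r"C:\Windows\System32\notepad.exe",
     "OriginalFileName": "NOTEPAD.EXE",
     "CommandLine": r"notepad.exe report.txt"},
]
```

Running `sharpup_hits(SAMPLE_EVENTS)` returns the first two records only; the renamed copy is caught by OriginalFileName, which comes from the PE version resource rather than the on-disk name.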

When to enable this rule:

This correlation rule should be implemented when the user wants to detect potential privilege escalation attempts using the SharpUp tool.

Compliance mapping (NIST, CIS):

Enabling this rule will help you meet the following requirements of regulatory standards and compliance mandates pertaining to detection of malicious software installations.

NIST Cybersecurity Framework (CSF):

  • Anomalies in System Process Execution (DE.AE-1): Detection of suspicious process executions associated with SharpUp, such as attempts to escalate privileges.
  • Irregular Access to Credential Stores (DE.CM-1): Identification of unauthorized access attempts or modifications related to credential stores or system services.
  • Security Log Anomalies (DE.CM-7): Alerting on activities indicating attempts to exploit privilege escalation vulnerabilities.

CIS:

  • Control 8: Malware Defense: Implement mechanisms to detect and prevent the execution of SharpUp and similar tools targeting privilege escalation.
  • Control 6: Maintenance, Monitoring, and Analysis of Audit Logs: Continuously monitor audit logs for anomalies indicating SharpUp usage or suspicious activities targeting privilege escalation.

Next steps:

Upon triggering this alert, the following actions can be taken:

  • Identification: Mark this alert as a part of an existing incident or initiate a new incident. Assign the incident to an analyst for in-depth examination.
  • Analysis: Conduct an impact investigation and thoroughly analyze the degree of compromise utilizing the Incident Workbench to gain insights into the threat's severity.
  • Response: Initiate automated workflow execution to swiftly terminate the identified malicious process, leveraging Workflows for prompt mitigation.