
HackTool - SharpUp PrivEsc Tool Execution

Format: Sigma · Level: CRITICAL · Source: SigmaHQ
ATT&CK techniques: T1615, T1569.002, T1574.005
Sentinel table: imProcessCreate
This rule was pulled from an open-source repository and enriched with AI. Validate in a test environment before deploying to production.
Retrieved: 2026-05-09T23:00:01Z · Confidence: medium

Hunt Hypothesis

Detects the use of SharpUp, a tool for local privilege escalation

Detection Rule

Sigma (Original)

title: HackTool - SharpUp PrivEsc Tool Execution
id: c484e533-ee16-4a93-b6ac-f0ea4868b2f1
status: test
description: Detects the use of SharpUp, a tool for local privilege escalation
references:
    - https://github.com/GhostPack/SharpUp
author: Florian Roth (Nextron Systems)
date: 2022-08-20
modified: 2023-02-13
tags:
    - attack.persistence
    - attack.privilege-escalation
    - attack.discovery
    - attack.execution
    - attack.stealth
    - attack.t1615
    - attack.t1569.002
    - attack.t1574.005
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        - Image|endswith: '\SharpUp.exe'
        - Description: 'SharpUp'
        - CommandLine|contains:
              - 'HijackablePaths'
              - 'UnquotedServicePath'
              - 'ProcessDLLHijack'
              - 'ModifiableServiceBinaries'
              - 'ModifiableScheduledTask'
              - 'DomainGPPPassword'
              - 'CachedGPPPassword'
    condition: selection
falsepositives:
    - Unknown
level: critical

KQL (Azure Sentinel)

imProcessCreate
| where TargetProcessName endswith "\\SharpUp.exe" or TargetProcessFileDescription =~ "SharpUp" or (TargetProcessCommandLine contains "HijackablePaths" or TargetProcessCommandLine contains "UnquotedServicePath" or TargetProcessCommandLine contains "ProcessDLLHijack" or TargetProcessCommandLine contains "ModifiableServiceBinaries" or TargetProcessCommandLine contains "ModifiableScheduledTask" or TargetProcessCommandLine contains "DomainGPPPassword" or TargetProcessCommandLine contains "CachedGPPPassword")
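The Sigma selection above and its KQL translation express the same three OR'ed checks (image name suffix, PE file description, command-line keywords). The following is an added example, not code from the SigmaHQ rule or from this feed, that evaluates that selection in Python against constructed process-creation events so you can see which clause produces each hit before deploying the rule. It assumes Sigma's default case-insensitive string matching, which the KQL operators endswith, =~ and contains preserve; the event dictionaries are constructed samples, not captured telemetry.

```python
"""Evaluate the SharpUp Sigma selection against constructed process-creation events.

Added example, not part of the SigmaHQ rule. It mirrors the rule's three
alternatives (Image suffix, file Description, CommandLine substrings) using
Sigma's default case-insensitive matching, so a SOC engineer can see which
field carries each hit. All events below are constructed samples.
"""

# Values copied from the rule's selection block.
IMAGE_SUFFIX = "\\SharpUp.exe"
DESCRIPTION = "SharpUp"
COMMANDLINE_MARKERS = [
    "HijackablePaths",
    "UnquotedServicePath",
    "ProcessDLLHijack",
    "ModifiableServiceBinaries",
    "ModifiableScheduledTask",
    "DomainGPPPassword",
    "CachedGPPPassword",
]


def matched_clauses(event: dict) -> list[str]:
    """Return the selection alternatives that fire for one event.

    Sigma compares strings case-insensitively by default, and the KQL
    translation (endswith / =~ / contains) keeps that behaviour, so every
    comparison lowercases both sides. A missing field never matches.
    """
    hits = []
    image = (event.get("Image") or "").lower()
    if image.endswith(IMAGE_SUFFIX.lower()):
        hits.append("Image|endswith")
    description = (event.get("Description") or "").lower()
    if description == DESCRIPTION.lower():
        hits.append("Description")
    cmdline = (event.get("CommandLine") or "").lower()
    markers = [m for m in COMMANDLINE_MARKERS if m.lower() in cmdline]
    if markers:
        hits.append("CommandLine|contains:" + ",".join(markers))
    return hits


def rule_fires(event: dict) -> bool:
    """condition: selection -> any single alternative matching is enough."""
    return bool(matched_clauses(event))


# Constructed sample events (not captured telemetry).
SAMPLE_EVENTS = [
    {   # canonical binary name: only the Image clause matches
        "Image": "C:\\Users\\alice\\Downloads\\SharpUp.exe",
        "Description": "",
        "CommandLine": "SharpUp.exe audit",
    },
    {   # renamed binary, PE description still present: Description clause
        "Image": "C:\\temp\\svc.exe",
        "Description": "SharpUp",
        "CommandLine": "svc.exe audit",
    },
    {   # renamed and description stripped: check names on the command line
        "Image": "C:\\temp\\svc.exe",
        "Description": "",
        "CommandLine": "svc.exe audit UnquotedServicePath ModifiableServiceBinaries",
    },
    {   # ordinary system process: nothing matches
        "Image": "C:\\Windows\\System32\\svchost.exe",
        "Description": "Host Process for Windows Services",
        "CommandLine": "svchost.exe -k netsvcs",
    },
    {   # upper-case path still matches because comparison is case-insensitive
        "Image": "c:\\tools\\SHARPUP.EXE",
        "Description": "",
        "CommandLine": "SHARPUP.EXE",
    },
]


def evaluate_all(events: list) -> list:
    """Return (index, clauses) for every event that trips the rule."""
    return [(i, matched_clauses(e)) for i, e in enumerate(events) if rule_fires(e)]


if __name__ == "__main__":
    for idx, clauses in evaluate_all(SAMPLE_EVENTS):
        print(f"event {idx}: {clauses}")
```

Each firing event reports the clause that caught it, which is the triage detail the raw alert lacks: an Image hit means the unrenamed tool ran, a Description-only hit means the binary was renamed but its PE metadata kept, and a CommandLine-only hit depends on the operator naming checks explicitly and is the clause most likely to need tuning against the "Unknown" false-positive rate.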

Required Data Sources

Sentinel table: imProcessCreate
Notes: Ensure this data connector is enabled

False Positive Guidance

MITRE ATT&CK Context

References

Original source: https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_hktl_sharpup.yml