LetsDefend Monitoring Alert

Sharpersist Windows Persistence Toolkit Executed

Apr, 15, 2024, 07:04 AM

Event ID: 248

Event Time: Apr, 15, 2024, 07:04 AM

Rule Name: SOC273 - Sharpersist Windows Persistence Toolkit Executed

Alert Type: Persistence

MITRE Technique:
T1053.005 - Persistence - Scheduled Task,
T1059.001 - Execution - Command and Scripting Interpreter: PowerShell,
T1078 - Initial Access - Valid Accounts,
T1110 - Credential Access - Brute Force,
T1133 - Initial Access - External Remote Services,
T1057 - Discovery - Process Discovery,
T1543 - Persistence - Create or Modify System Process,
T1016 - Discovery - System Network Configuration Discovery,
T1059.003 - Execution - Command and Scripting Interpreter: Windows Command Shell,
T1562.004 - Defense Evasion - Impair Defenses: Disable or Modify System Firewall,
T1562.002 - Defense Evasion - Impair Defenses: Disable Windows Event Logging

Severity: Medium

Incident Responder
