Detection rules › YARA-L
Hacktool - IronSharpPack Execution
Detects the execution of known attacker tools, including but not limited to those in the IronSharpPack toolset. These tools are commonly used for offensive security operations and may indicate malicious activity if observed in unauthorized environments.
MITRE ATT&CK coverage
| Tactic | Techniques |
|---|---|
| Execution | T1059 Command and Scripting Interpreter |
References
Event coverage
| Provider | Event | Title |
|---|---|---|
| Sysmon | Event ID 1 | Process creation |
| Security-Auditing | Event ID 4688 | A new process has been created. |
Rule body yaral
/*
* Copyright 2025 Google LLC
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* https://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
rule hacktool_ironsharp_pack_execution {
meta:
author = "Georg Lauenstein - suresecure GmbH"
description = "Detects the execution of known attacker tools, including but not limited to those in the IronSharpPack toolset. These tools are commonly used for offensive security operations and may indicate malicious activity if observed in unauthorized environments."
rule_id = "mr_34f2ecef-cd3e-4dee-9c83-b7a9ec34becc"
rule_name = "Hacktool - IronSharpPack Execution"
tactic = "TA0002"
technique = "T1059"
references = "https://github.com/BC-SECURITY/IronSharpPack"
type = "alert"
platform = "Linux, Windows, EDR"
data_source = "Sysmon for Linux, Microsoft Sysmon, Windows Event Logs"
severity = "Medium" // Adjust based on your risk assessment
priority = "Medium" // Adjust based on your incident response process
events:
$ironsharp_execution.metadata.event_type = "PROCESS_LAUNCH"
$ironsharp_execution.target.process.file.full_path = /cmd\.exe|python.*\.exe|ipy\.exe|powershell\.exe|pwsh\.exe|wsl\.exe/ nocase and
$ironsharp_execution.target.process.command_line = /IronADCSPwn\.py|IronADFSDump\.py|IronBetterSafetyKatz\.py|IronCertify\.py|IronDeployPrinterNightmare\.py|IronEmbed\.py|IronEDD\.py|IronGrouper2\.py|IronInveigh\.py|IronLockLess\.py|IronPassTheCert\.py|IronRubeus\.py|IronSafetyKatz\.py|IronSearchOutlook\.py|IronSeatbelt\.py|IronSharPersist\.py|IronSharp-SMBExec\.py|IronSharpAllowedToAct\.py|IronSharpBypassUAC\.py|IronSharpCOM\.py|IronSharpChisel\.py|IronSharpChrome\.py|IronSharpChromium\.py|IronSharpCloud\.py|IronSharpCookieMonster\.py|IronSharpCrashEventLog\.py|IronSharpDPAPI\.py|IronSharpDir\.py|IronSharpDoor\.py|IronSharpDump\.py|IronSharpEDRChecker\.py|IronSharpExec\.py|IronSharpGPOAbuse\.py|IronSharpHandler\.py|IronSharpKatz\.py|IronSharpLAPS\.py|IronSharpMapExec\.py|IronSharpMiniDump\.py|IronSharpMove\.py|IronSharpNamedPipePTH\.py|IronSharpReg\.py|IronSharpSQLPwn\.py|IronSharpSearch\.py|IronSharpSecDump\.py|IronSharpSniper\.py|IronSharpSpray\.py|IronSharpStay\.py|IronSharpTask\.py|IronSharpUp\.py|IronSharpWMI\.py|IronSharpWebServer\.py|IronSharpWifiGrabber\.py|IronSharpZeroLogon\.py|IronShhmon\.py|IronSqlClient\.py|IronStandIn\.py|IronStickyNotesExtract\.py|IronThunderFox\.py|IronTokenStomp\.py|IronWMIReg\.py|IronWatson\.py|Iron_RunasCs\.py|Ironscout\.py|Ironsharpfiles\.py|Ironsharpshares\.py/ nocase
// Capture the hostname where the event occurred
$ironsharp_execution.principal.hostname = $hostname
match:
$hostname over 15m
outcome:
$risk_score = max(65)
$event_count = count_distinct($ironsharp_execution.metadata.id)
$principal_process_pid = array_distinct($ironsharp_execution.principal.process.pid)
$principal_process_command_line = array_distinct($ironsharp_execution.principal.process.command_line)
$principal_process_file_sha256 = array_distinct($ironsharp_execution.principal.process.file.sha256)
$principal_process_file_full_path = array_distinct($ironsharp_execution.principal.process.file.full_path)
$principal_process_product_specific_process_id = array_distinct($ironsharp_execution.principal.process.product_specific_process_id)
$principal_process_parent_process_product_specific_process_id = array_distinct($ironsharp_execution.principal.process.parent_process.product_specific_process_id)
$target_process_pid = array_distinct($ironsharp_execution.target.process.pid)
$target_process_command_line = array_distinct($ironsharp_execution.target.process.command_line)
$target_process_file_sha256 = array_distinct($ironsharp_execution.target.process.file.sha256)
$target_process_file_full_path = array_distinct($ironsharp_execution.target.process.file.full_path)
$target_process_product_specific_process_id = array_distinct($ironsharp_execution.target.process.product_specific_process_id)
$principal_user_userid = array_distinct($ironsharp_execution.principal.user.userid)
condition:
$ironsharp_execution
}
Detection logic
Fires when at least one $ironsharp_execution event in the 15m window.
Events
$ironsharp_execution
target.process.file.full_path matches "cmd\.exe|python.*\.exe|ipy\.exe|powershell\.exe|pwsh\.exe|wsl\.exe"target.process.command_line matches "IronADCSPwn\.py|IronADFSDump\.py|IronBetterSafetyKatz\.py|IronCertify\.py|IronDeployPrinterNightmare\.py|IronEmbed\.py|IronEDD\.py|IronGrouper2\.py|IronInveigh\.py|IronLockLess\.py|IronPassTheCert\.py|IronRubeus\.py|IronSafetyKatz\.py|IronSearchOutlook\.py|IronSeatbelt\.py|IronSharPersist\.py|IronSharp-SMBExec\.py|IronSharpAllowedToAct\.py|IronSharpBypassUAC\.py|IronSharpCOM\.py|IronSharpChisel\.py|IronSharpChrome\.py|IronSharpChromium\.py|IronSharpCloud\.py|IronSharpCookieMonster\.py|IronSharpCrashEventLog\.py|IronSharpDPAPI\.py|IronSharpDir\.py|IronSharpDoor\.py|IronSharpDump\.py|IronSharpEDRChecker\.py|IronSharpExec\.py|IronSharpGPOAbuse\.py|IronSharpHandler\.py|IronSharpKatz\.py|IronSharpLAPS\.py|IronSharpMapExec\.py|IronSharpMiniDump\.py|IronSharpMove\.py|IronSharpNamedPipePTH\.py|IronSharpReg\.py|IronSharpSQLPwn\.py|IronSharpSearch\.py|IronSharpSecDump\.py|IronSharpSniper\.py|IronSharpSpray\.py|IronSharpStay\.py|IronSharpTask\.py|IronSharpUp\.py|IronSharpWMI\.py|IronSharpWebServer\.py|IronSharpWifiGrabber\.py|IronSharpZeroLogon\.py|IronShhmon\.py|IronSqlClient\.py|IronStandIn\.py|IronStickyNotesExtract\.py|IronThunderFox\.py|IronTokenStomp\.py|IronWMIReg\.py|IronWatson\.py|Iron_RunasCs\.py|Ironscout\.py|Ironsharpfiles\.py|Ironsharpshares\.py"
Correlation
Outcome
Fields the detection emits on a match. $risk_score drives alerting; Chronicle surfaces the rest on the detection.
| Field | Expression |
|---|---|
risk_score | max(65) |
event_count | count_distinct($ironsharp_execution.metadata.id) |
principal_process_pid | array_distinct($ironsharp_execution.principal.process.pid) |
principal_process_command_line | array_distinct($ironsharp_execution.principal.process.command_line) |
principal_process_file_sha256 | array_distinct($ironsharp_execution.principal.process.file.sha256) |
principal_process_file_full_path | array_distinct($ironsharp_execution.principal.process.file.full_path) |
principal_process_product_specific_process_id | array_distinct($ironsharp_execution.principal.process.product_specific_process_id) |
principal_process_parent_process_product_specific_process_id | array_distinct($ironsharp_execution.principal.process.parent_process.product_specific_process_id) |
target_process_pid | array_distinct($ironsharp_execution.target.process.pid) |
target_process_command_line | array_distinct($ironsharp_execution.target.process.command_line) |
target_process_file_sha256 | array_distinct($ironsharp_execution.target.process.file.sha256) |
target_process_file_full_path | array_distinct($ironsharp_execution.target.process.file.full_path) |
target_process_product_specific_process_id | array_distinct($ironsharp_execution.target.process.product_specific_process_id) |
principal_user_userid | array_distinct($ironsharp_execution.principal.user.userid) |