This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
Log in to ask a question
Announcements
New SecOps Webinar May 14th! Learn about Gemini's generative AI within Google SecOps
Log in to ask a question

Hacking Tools - SharpH0und, Cred Dumping, etc.

Posted on 03-18-2024 04:37 PM
ravivittal
Bronze 5
Bronze 5
Reply posted on --/--/---- --:-- AM

Hello Experts, Can someone please provide some sample rules to detect SharpH0und, Cred Dumping?

Is this one of the detection premises for this detection rule? 

Look for processes with names matching SharpHound (e.g., "SharpHound.exe", "SharpHound.x64.exe") or other credential dumping tools (e.g., "Mimikatz", "LaZagne"). *Suspicious Interpreters: Monitor processes launched with interpreters commonly used for hacking tools (e.g., PowerShell (.exe), cmd.exe, cscript.exe). Analyze the command-line arguments passed to these processes to identify potential hacking tool usage.

0 5 585
Topic Labels
0 Likes
5 REPLIES 5

Posted on --/--/---- --:-- AM
tameri
Staff
Reply posted on --/--/---- --:-- AM

Hello @ravivittal ,

Yes, the premises you've outlined for detecting SharpHound and credential dumping activities are generally correct and represent a common approaches in identifying these tools.

here, you can find some examples that you can use as guideline

https://github.com/chronicle/detection-rules/blob/main/soc_prime_rules/threat_hunting/sysmon/mimikat...

https://github.com/chronicle/detection-rules/blob/main/community/microsoft/windows/rw_mimikatz_T1003...
https://github.com/chronicle/detection-rules/blob/main/soc_prime_rules/threat_hunting/sysmon/mimikat...
https://github.com/chronicle/detection-rules/blob/main/soc_prime_rules/threat_hunting/sysmon/detect_...




Posted on --/--/---- --:-- AM
ravivittal
Bronze 5
Bronze 5
In response to tameri
Reply posted on --/--/---- --:-- AM

Thanks for the quick feedback!

Posted on --/--/---- --:-- AM
ravivittal
Bronze 5
Bronze 5
In response to tameri
Reply posted on --/--/---- --:-- AM

@tameri All the detection rules are for Mimikatz. Can I use the same regex for Sharphound as well? 

0 Likes

Posted on --/--/---- --:-- AM
tameri
Staff
Reply posted on --/--/---- --:-- AM

@ravivittal , sure you can use the same for Sharphound or any other tools

These URLs are sample to guide and inspire you when write rules specific for your use cases.

Regards

 

 

0 Likes

Posted on --/--/---- --:-- AM
ratatatado
Bronze 1
Bronze 1
Reply posted on --/--/---- --:-- AM

Iโ€™ve also been diving into some of these hacking tools, like SharpH0und and the whole cred dumping scene. How much power you can get with the right tools is pretty wild. SharpH0und is a real gem for mapping Active Directory environments; itโ€™s almost like having a treasure map to all the juicy data points!

0 Likes
Top Solution Authors
View all