URL: https://www.secureworks.com/blog/sniffing-out-sharphound-on-its-hunt-for-domain-admin
Research & Intelligence



SNIFFING OUT SHARPHOUND ON ITS HUNT FOR DOMAIN ADMIN

The Secureworks Taegis XDR Tactic Graphs countermeasure searches for telemetry
that can identify the presence of malicious tools used to gain domain
administrator access.

Tuesday, August 1, 2023
By: Counter Threat Unit Research Team

Secureworks® Counter Threat Unit™ (CTU) periodically conducts purple team
exercises called “research sprints” to understand and emulate modern attack
techniques, evaluate Secureworks Taegis™ protections, and identify additional
detection opportunities. Our work is informed by threat intelligence research as
well as our insights from penetration tests conducted by the Secureworks
Adversary Group (SwAG) and from engagements by the Secureworks Incident Response
team.

Compromising highly privileged accounts can make it easier for threat actors to
gain unimpeded access to systems and data and therefore achieve their
objectives. With that in mind, one CTU™ research sprint focused on how attackers
obtain domain administrator privileges. We surveyed hundreds of SwAG penetration
test reports and identified domain administrator privilege escalation tools that
were the most successful against customer environments. We then emulated this
activity in our controlled environment and identified new methods to detect the
use of these tools.

The first tools we explored are the well-known BloodHound toolset and the
SharpHound data collector. Historically, Secureworks countermeasures for
SharpHound focused on detecting execution of the tool on a system that uses an
endpoint agent such as Red Cloak™. However, this detection method is ineffective
when a threat actor executes the tool on a system that is not monitored by an
endpoint agent. One goal of this research sprint was to better understand the
holistic SharpHound telemetry so we could improve detections without relying on
the system where it was executed.


BLOODHOUND

The BloodHound tool discovers relationships between Active Directory (AD)
objects within a target environment. BloodHound uses a collector to gather
information about the target AD environment, ingests that data into a graph
database, and applies graph theory to present it visually (see Figure 1). This
visualization allows BloodHound users to quickly identify paths to compromise
privileged accounts, or trust relationships that can be abused, which the
administrators of the target AD environment may not be aware of. As a result,
threat actors can plan privilege escalation attacks, identify users vulnerable
to Kerberoasting, or perform other malicious activity.


Figure 1. Using BloodHound to find accounts with domain administrator
privileges. (Source: Secureworks)

There are a few collectors (also known as ingestors) that BloodHound can use to
gather information from the target AD environment. One popular collector is
SharpHound, whose name is based on the developers’ use of C# (C sharp) for its
codebase. Another Python-based collector (BloodHound.py) uses the Impacket
framework for certain tasks but primarily gathers the same information as
SharpHound.


SHARPHOUND

During the research sprint, we executed SharpHound on a Windows workstation via
the default collection method (-c Default) while pointing it to the target
domain (-d purplelabs.local) (see Figure 2). The collector was executed via a
compromised administrator account (pgustavo) on the Windows host.


Figure 2. Running the default SharpHound collection method. (Source:
Secureworks)

Table 1 lists telemetry generated by this collector when executed on the Windows
workstation.

TIMESTAMP (UTC)       SUMMARY                                                   TYPE  TX_BYTE_COUNT (NET)
2023-04-18T18:28:23   Netflow from 10.0.2.12:51317 to 10.0.2.11:445 TCP         NET   11613
2023-04-18T18:28:23   Netflow from 10.0.2.12:51316 to 10.0.2.12:445 TCP         NET
2023-04-18T18:28:23   Netflow from 10.0.2.12:51316 to 10.0.2.12:445 TCP         NET
2023-04-18T18:28:23   Netflow from 10.0.2.12:51315 to 10.0.2.11:445 TCP         NET
2023-04-18T18:28:21   Netflow from 10.0.2.12 to 10.0.1.11:53 UDP                NET   5412
2023-04-18T18:28:18   Netflow from 10.0.2.12:51314 to 10.0.1.11:445 TCP         NET   12924
2023-04-18T18:28:18   Netflow from 10.0.2.12:51313 to 10.0.1.11:445 TCP         NET
2023-04-18T18:28:18   Netflow from 10.0.2.12:51312 to 10.0.1.11:389 TCP         NET   5230
2023-04-18T18:28:18   Netflow from 10.0.2.12:51311 to 10.0.1.11:389 TCP         NET   115995
2023-04-18T18:28:18   Netflow from 10.0.2.12:51310 to 10.0.1.11:389 TCP         NET   2329
2023-04-18T18:28:18   Netflow from 10.0.2.12:51309 to 10.0.1.11:389 TCP         NET   2347
2023-04-18T18:28:18   Netflow from 10.0.2.12:51308 to 10.0.1.11:389 TCP         NET   2321
2023-04-18T18:28:18   Netflow from 127.0.0.1 to 127.0.0.1:64700 UDP             NET   11
2023-04-18T18:28:18   Netflow from 10.0.2.12:51307 to 10.0.1.11:389 TCP         NET   2320
2023-04-18T18:28:16   Netflow from 10.0.2.12:51306 to 10.0.1.11:389 TCP         NET   22134
2023-04-18T18:28:16   Netflow from 10.0.2.12:51305 to 10.0.1.11:389 TCP         NET   395216
2023-04-18T18:28:16   Netflow from 10.0.2.12 to 10.0.1.11:389 UDP               NET   447
2023-04-18T18:28:15   "D:\SharpHound.exe" -c Default -d purplelabs.local        PROC

Table 1. Telemetry collected from a Windows workstation (WORKSTATION02 /
10.0.2.12) after executing SharpHound locally.

Table 2 lists telemetry from a domain controller. Due to the hundreds of netflow
events generated as a result of DNS lookups performed by the SharpHound
collector, the table only includes a subset of the activity.

TIMESTAMP (UTC)       SUMMARY                                                     TYPE  TX_BYTE_COUNT (NET)
2023-04-18T18:28:21   [truncated: netflow events for hundreds of DNS lookups]     NET
2023-04-18T18:28:21   Netflow from 10.0.2.12:50397 to 10.0.1.11:53 UDP            NET   118
2023-04-18T18:28:21   Netflow from 10.0.2.12:57013 to 10.0.1.11:53 UDP            NET   117
2023-04-18T18:28:18   4624: LOGON to PURPLELABS.LOCAL by pgustavo                 AUTH
2023-04-18T18:28:18   4672: Special privileges assigned to new logon by pgustavo  AUTH
2023-04-18T18:28:18   Netflow from 10.0.2.12:51314 to 10.0.1.11:445 TCP           NET   9997
2023-04-18T18:28:18   Netflow from 10.0.2.12:51313 to 10.0.1.11:445 TCP           NET
2023-04-18T18:28:18   Netflow from 10.0.1.11:56099 to 168.63.129.16:80 TCP        NET   156
2023-04-18T18:28:18   4624: LOGON to PURPLELABS.LOCAL by pgustavo                 AUTH
2023-04-18T18:28:18   4672: Special privileges assigned to new logon by pgustavo  AUTH
2023-04-18T18:28:18   Netflow from 10.0.2.12:51312 to 10.0.1.11:389 TCP           NET   2729
2023-04-18T18:28:18   4624: LOGON to PURPLELABS.LOCAL by pgustavo                 AUTH
2023-04-18T18:28:18   4672: Special privileges assigned to new logon by pgustavo  AUTH
2023-04-18T18:28:18   Netflow from 10.0.2.12:51311 to 10.0.1.11:389 TCP           NET   932649
2023-04-18T18:28:18   4624: LOGON to PURPLELABS.LOCAL by pgustavo                 AUTH
2023-04-18T18:28:18   4672: Special privileges assigned to new logon by pgustavo  AUTH
2023-04-18T18:28:18   Netflow from 10.0.2.12:51310 to 10.0.1.11:389 TCP           NET   299
2023-04-18T18:28:18   4624: LOGON to PURPLELABS.LOCAL by pgustavo                 AUTH
2023-04-18T18:28:18   4672: Special privileges assigned to new logon by pgustavo  AUTH
2023-04-18T18:28:18   Netflow from 10.0.2.12:51309 to 10.0.1.11:389 TCP           NET   299
2023-04-18T18:28:18   4624: LOGON to PURPLELABS.LOCAL by pgustavo                 AUTH
2023-04-18T18:28:18   4672: Special privileges assigned to new logon by pgustavo  AUTH
2023-04-18T18:28:18   Netflow from 10.0.2.12:51308 to 10.0.1.11:389 TCP           NET   299
2023-04-18T18:28:18   4624: LOGON to PURPLELABS.LOCAL by pgustavo                 AUTH
2023-04-18T18:28:18   4672: Special privileges assigned to new logon by pgustavo  AUTH
2023-04-18T18:28:18   Netflow from 10.0.2.12:51307 to 10.0.1.11:389 TCP           NET   299
2023-04-18T18:28:16   4624: LOGON to PURPLELABS.LOCAL by pgustavo                 AUTH
2023-04-18T18:28:16   4672: Special privileges assigned to new logon by pgustavo  AUTH
2023-04-18T18:28:16   Netflow from 10.0.2.12:51306 to 10.0.1.11:389 TCP           NET   14911165
2023-04-18T18:28:16   4624: LOGON to PURPLELABS.LOCAL by pgustavo                 AUTH
2023-04-18T18:28:16   4672: Special privileges assigned to new logon by pgustavo  AUTH
2023-04-18T18:28:16   Netflow from 10.0.2.12:51305 to 10.0.1.11:389 TCP           NET   10442776
2023-04-18T18:28:16   Netflow from 10.0.2.12:64701 to 10.0.1.11:389 UDP           NET   176
2023-04-18T18:28:16   Netflow from 10.0.2.12:64699 to 10.0.1.11:389 UDP           NET   176

Table 2. Telemetry collected from a domain controller (DC01 / 10.0.1.11) after
executing SharpHound. Note that 168.63.129.16 is the fixed virtual IP of the
Azure platform, so the flow from DC01 to that address on TCP/80 is background
traffic from the lab virtual machine, not SharpHound activity.

SharpHound issues a series of LDAP queries against the domain controller to
enumerate AD objects such as computer accounts, groups, and user accounts. The
queries may travel over an encrypted session (LDAPS, or LDAP with Kerberos
sign-and-seal), so inspecting the search filters on the network is not always
feasible. However, tools that issue LDAP queries through the Windows LDAP
client library (wldap32.dll, which .NET's System.DirectoryServices.Protocols
wraps and which SharpHound uses) can be observed on the host with Event Tracing
for Windows (ETW): the Microsoft-Windows-LDAP-Client provider records the
search filter of each query regardless of transport encryption. A collector
that brings its own LDAP implementation, such as the Python-based BloodHound.py
run from a non-Windows host, does not pass through this provider, so ETW
coverage is limited to Windows hosts where a trace is running. Table 3 lists
SharpHound LDAP queries captured by an ETW trace session created during the
execution of the SharpHound tool.

LDAP query (description follows each filter)

(|(samaccounttype=268435456)(samaccounttype=268435457)(samaccounttype=536870912)(samaccounttype=536870913)(primarygroupid=*))
    Discover group membership: security-enabled and non-security global groups,
    domain local (alias) groups, and any object that has a primaryGroupID

(&(sAMAccountType=805306369)(!(UserAccountControl:1.2.840.113556.1.4.803:=2)))
    Discover computer accounts that are enabled (userAccountControl bit 2,
    ACCOUNTDISABLE, is not set)

(|(samAccountType=805306368)(samAccountType=805306369)(samAccountType=268435456)(samAccountType=268435457)(samAccountType=536870912)(samAccountType=536870913)(objectClass=domain)(&(objectcategory=groupPolicyContainer)(flags=*))(objectcategory=organizationalUnit))
    Discover access control lists (ACLs) containing security information for
    the objects enumerated

(|(samaccounttype=268435456)(samaccounttype=268435457)(samaccounttype=536870912)(samaccounttype=536870913)(samaccounttype=805306368)(samaccounttype=805306369)(objectclass=domain)(objectclass=organizationalUnit)(&(objectcategory=groupPolicyContainer)(flags=*)))
    Discover AD groups, user accounts, computer accounts, and group policies,
    and pull the attributes useful for analysis

(|(&(&(objectcategory=groupPolicyContainer)(flags=*))(name=*)(gpcfilesyspath=*))(objectcategory=organizationalUnit)(objectClass=domain))
    Discover AD containers and linked Group Policy Objects (GPOs)

(&(samaccounttype=805306368)(serviceprincipalname=*))
    Discover all service principal names (SPNs) registered on user accounts
    (the Kerberoasting candidates)

(|(samAccountType=805306368)(samAccountType=805306369)(objectclass=organizationalUnit))
    For the objects returned, discover all child user, computer, and
    organizational unit (OU) objects

(objectclass=container)
    For the objects returned, discover all child container objects

(|(samAccountType=805306368)(samAccountType=805306369))
    Discover all user and computer objects

(objectclass=trusteddomain)
    Discover all trusted domains

Table 3. LDAP queries issued by SharpHound.
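The filters in Table 3 are mostly built from numeric sAMAccountType constants and a userAccountControl bit test, which is why they are hard to read in a raw ETW trace. The following is an added example, not Secureworks or BloodHound code, that decodes those constants and maps each filter to the collection step it resembles; the category labels, the regular expressions and the `min_categories` threshold are assumptions made for illustration, while the filter strings are copied from Table 3.

```python
"""Decode the numeric constants in LDAP search filters and map each filter to
the collection step it implies, using the filters from Table 3 as input.
Added example, not Secureworks or BloodHound code; the category names and the
min_categories threshold are assumptions for illustration."""
import re
from typing import Dict, List

# sAMAccountType values (decimal) as Microsoft defines them for SAM object classes
SAM_ACCOUNT_TYPE = {
    268435456: "SAM_GROUP_OBJECT",               # security-enabled global/universal group
    268435457: "SAM_NON_SECURITY_GROUP_OBJECT",  # distribution group
    536870912: "SAM_ALIAS_OBJECT",               # security-enabled domain local group
    536870913: "SAM_NON_SECURITY_ALIAS_OBJECT",  # non-security domain local group
    805306368: "SAM_NORMAL_USER_ACCOUNT",
    805306369: "SAM_MACHINE_ACCOUNT",
}
GROUP_TYPES = {268435456, 268435457, 536870912, 536870913}
USER, COMPUTER = 805306368, 805306369

# userAccountControl bits tested through the LDAP_MATCHING_RULE_BIT_AND OID
UAC_FLAGS = {2: "ACCOUNTDISABLE", 0x10000: "DONT_EXPIRE_PASSWORD", 0x400000: "DONT_REQ_PREAUTH"}

SAT_RE = re.compile(r"\(samaccounttype=(\d+)\)", re.I)
UAC_RE = re.compile(r"(\(!)?\(useraccountcontrol:1\.2\.840\.113556\.1\.4\.803:=(\d+)\)", re.I)
CLASS_RE = re.compile(r"\((?:objectclass|objectcategory)=([^)*]+)\)", re.I)
PRESENT_RE = re.compile(r"\(([a-z]+)=\*\)", re.I)          # attribute presence tests


def decode_filter(ldap_filter: str) -> Dict[str, object]:
    """Pull the sAMAccountType set, UAC bit tests, object classes and
    presence-tested attributes out of one filter string."""
    sam = {int(v) for v in SAT_RE.findall(ldap_filter)}
    uac = [("NOT " if neg else "") + UAC_FLAGS.get(int(bits), hex(int(bits)))
           for neg, bits in UAC_RE.findall(ldap_filter)]
    return {
        "sam_values": sam,
        "sam_types": sorted(SAM_ACCOUNT_TYPE.get(v, str(v)) for v in sam),
        "uac": uac,
        "classes": {c.lower() for c in CLASS_RE.findall(ldap_filter)},
        "present": {a.lower() for a in PRESENT_RE.findall(ldap_filter)},
    }


def classify(ldap_filter: str) -> str:
    """Map a filter to the SharpHound collection step it resembles (assumed labels)."""
    d = decode_filter(ldap_filter)
    sam, cls, present = d["sam_values"], d["classes"], d["present"]
    if "trusteddomain" in cls:
        return "trusts"
    if sam == {USER} and "serviceprincipalname" in present:
        return "kerberoastable-spns"
    if sam == {COMPUTER} and "NOT ACCOUNTDISABLE" in d["uac"]:
        return "enabled-computers"
    if GROUP_TYPES <= sam and "primarygroupid" in present:
        return "group-membership"
    if GROUP_TYPES | {USER, COMPUTER} <= sam and {"domain", "grouppolicycontainer"} <= cls:
        return "objects-properties-and-acls"
    if "grouppolicycontainer" in cls and "gpcfilesyspath" in present:
        return "containers-and-gpo-links"
    if sam == {USER, COMPUTER}:
        return "users-and-computers"
    if cls == {"container"}:
        return "child-containers"
    return "other"


def looks_like_sharphound(filters: List[str], min_categories: int = 4) -> bool:
    """Assumption: one client issuing filters from >= min_categories distinct
    collection steps in a short window is flagged. Ordinary directory clients
    rarely touch more than one or two of these filter shapes."""
    return len({classify(f) for f in filters} - {"other"}) >= min_categories


# Filter strings from Table 3 (whitespace-free, as the ETW trace records them)
TABLE3_FILTERS = [
    "(|(samaccounttype=268435456)(samaccounttype=268435457)(samaccounttype=536870912)"
    "(samaccounttype=536870913)(primarygroupid=*))",
    "(&(sAMAccountType=805306369)(!(UserAccountControl:1.2.840.113556.1.4.803:=2)))",
    "(|(samAccountType=805306368)(samAccountType=805306369)(samAccountType=268435456)"
    "(samAccountType=268435457)(samAccountType=536870912)(samAccountType=536870913)"
    "(objectClass=domain)(&(objectcategory=groupPolicyContainer)(flags=*))"
    "(objectcategory=organizationalUnit))",
    "(|(&(&(objectcategory=groupPolicyContainer)(flags=*))(name=*)(gpcfilesyspath=*))"
    "(objectcategory=organizationalUnit)(objectClass=domain))",
    "(&(samaccounttype=805306368)(serviceprincipalname=*))",
    "(|(samAccountType=805306368)(samAccountType=805306369)(objectclass=organizationalUnit))",
    "(objectclass=container)",
    "(objectclass=trusteddomain)",
]

if __name__ == "__main__":
    for f in TABLE3_FILTERS:
        d = decode_filter(f)
        print(f"{classify(f):28} sam={d['sam_types']} uac={d['uac']} classes={sorted(d['classes'])}")
    print("SharpHound-like:", looks_like_sharphound(TABLE3_FILTERS))
```

The per-filter classification is deliberately shape-based rather than a string match on the exact Table 3 text, so that reordered OR terms or a different attribute case (both vary between SharpHound versions) still land in the same category; the aggregate check then keys on breadth, since a single one of these filters is unremarkable on its own but a client that walks trusts, SPNs, enabled computers, group membership and ACLs in one session is behaving like a collector.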

Each LDAP bind produced a successful network logon on the domain controller
(event ID 4624, logon type 3), paired with a 4672 event because the account
holds special privileges; Table 2 shows one such pair per LDAP session. The
results of the LDAP queries then drive further activity: SharpHound resolves
each computer account it discovered via DNS, attempts a TCP/445 test connection
to each host, and, where that connection succeeds, enumerates logged-on
sessions over SMB-transported remote procedure call (RPC, the NetSessionEnum
call). Note that on current Windows versions enumerating session information
requires local administrator rights on the target host. The net effect is
hundreds of DNS lookups against the domain controller and hundreds of TCP/445
connections across many hosts within a short timeframe, all originating from
a single source host.
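The profile just described (a burst of LDAP sessions to a domain controller, one network logon per bind, a DNS burst for the returned computer names, then TCP/445 fan-out) can be correlated from exactly the two event types in Tables 1 and 2 without any telemetry from the executing host. The following is an added example of that correlation, not the Taegis Tactic Graphs countermeasure; the window, the thresholds, the domain controller list and the `Flow`/`Logon` record shapes are assumptions, and the sample records are constructed to resemble Tables 1 and 2 rather than copied from real telemetry.

```python
"""Correlate netflow and authentication events into the SharpHound telemetry
profile described above. Added example, not the Taegis Tactic Graphs detector;
the thresholds, the window, the DC list and the sample records are assumptions
(the samples are modelled on Tables 1 and 2, not copied from real telemetry)."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

LDAP_PORTS = {389, 636, 3268, 3269}
DC_IPS = {"10.0.1.11"}                          # assumed: taken from an asset inventory
WINDOW = timedelta(seconds=60)                  # assumed correlation window
MIN_LDAP, MIN_LOGONS, MIN_DNS, MIN_SMB_HOSTS = 5, 5, 20, 3   # assumed thresholds


@dataclass
class Flow:                 # one netflow record, fields as in Tables 1 and 2
    ts: datetime
    src: str
    dst: str
    dport: int
    proto: str
    tx_bytes: int = 0


@dataclass
class Logon:                # one Windows 4624 as logged on the DC (IpAddress, LogonType)
    ts: datetime
    user: str
    src_ip: str
    logon_type: int
    event_id: int = 4624


def detect_sharphound(flows: List[Flow], logons: List[Logon]) -> Dict[str, dict]:
    """One finding per source host that, within WINDOW of an LDAP session to a
    DC, shows all four legs: LDAP burst, matching network logons, DNS burst,
    TCP/445 fan-out. Everything is keyed on the source IP, not the host agent."""
    by_src: Dict[str, List[Flow]] = defaultdict(list)
    for f in flows:
        by_src[f.src].append(f)
    net_logons: Dict[str, List[Logon]] = defaultdict(list)
    for l in logons:
        if l.event_id == 4624 and l.logon_type == 3:   # network logon, as an LDAP bind produces
            net_logons[l.src_ip].append(l)

    findings: Dict[str, dict] = {}
    for src, fl in by_src.items():
        fl.sort(key=lambda f: f.ts)
        for anchor in fl:
            if not (anchor.proto == "TCP" and anchor.dport in LDAP_PORTS and anchor.dst in DC_IPS):
                continue
            lo, hi = anchor.ts, anchor.ts + WINDOW
            win = [f for f in fl if lo <= f.ts <= hi]
            ldap = [f for f in win if f.proto == "TCP" and f.dport in LDAP_PORTS and f.dst in DC_IPS]
            dns = [f for f in win if f.proto == "UDP" and f.dport == 53 and f.dst in DC_IPS]
            smb_hosts = {f.dst for f in win if f.proto == "TCP" and f.dport == 445}
            per_user: Dict[str, int] = defaultdict(int)
            for l in net_logons[src]:
                if lo <= l.ts <= hi:
                    per_user[l.user] += 1
            if (len(ldap) >= MIN_LDAP and len(dns) >= MIN_DNS
                    and len(smb_hosts) >= MIN_SMB_HOSTS
                    and per_user and max(per_user.values()) >= MIN_LOGONS):
                user = max(per_user, key=per_user.get)
                findings[src] = {
                    "user": user,
                    "window_start": lo.isoformat(),
                    "ldap_sessions": len(ldap),
                    "ldap_bytes": sum(f.tx_bytes for f in ldap),
                    "network_logons": per_user[user],
                    "dns_lookups": len(dns),
                    "smb_targets": sorted(smb_hosts),
                }
                break                            # one finding per source host is enough
    return findings


def sample_telemetry() -> Tuple[List[Flow], List[Logon]]:
    """Constructed records: WORKSTATION02 (10.0.2.12) running SharpHound against
    DC01 (10.0.1.11), plus a quiet host (10.0.2.20) doing a single LDAP lookup."""
    t0 = datetime.fromisoformat("2023-04-18T18:28:16")
    ws, dc = "10.0.2.12", "10.0.1.11"
    flows: List[Flow] = []
    logons: List[Logon] = []
    ldap_bytes = [395216, 22134, 2320, 2321, 2347, 2329, 115995, 5230]
    for i, nbytes in enumerate(ldap_bytes):      # one LDAP session and one 4624 per query
        t = t0 + timedelta(seconds=i // 4)
        flows.append(Flow(t, ws, dc, 389, "TCP", nbytes))
        logons.append(Logon(t, "pgustavo", ws, 3))
    for _ in range(40):                          # DNS burst for the returned computer names
        flows.append(Flow(t0 + timedelta(seconds=5), ws, dc, 53, "UDP", 118))
    for host in (dc, "10.0.2.11", ws):           # TCP/445 test connections, including self
        flows.append(Flow(t0 + timedelta(seconds=7), ws, host, 445, "TCP", 11613))
    flows.append(Flow(t0, "10.0.2.20", dc, 389, "TCP", 2100))     # benign: one lookup
    logons.append(Logon(t0, "asmith", "10.0.2.20", 3))
    flows.append(Flow(t0, "10.0.2.20", dc, 53, "UDP", 90))
    return flows, logons


if __name__ == "__main__":
    for host, finding in detect_sharphound(*sample_telemetry()).items():
        print(host, finding)
```

Requiring all four legs is what keeps the detection from firing on an admin console or a monitoring agent that also talks LDAP to the DC: those produce LDAP sessions and network logons but not the DNS burst or the 445 fan-out, and a vulnerability scanner produces the fan-out without the per-query LDAP logons from one account. The thresholds are placeholders; in a real deployment they need to be tuned against a baseline of the environment's normal LDAP and SMB traffic.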


TAEGIS TACTIC GRAPHS DETECTOR FOR SHARPHOUND

With an understanding of the telemetry generated across the environment, and as
an outcome of this research sprint, the CTU research team developed a Taegis XDR
Tactic Graphs™ countermeasure to identify SharpHound. Rather than depending on
process telemetry from the host where the collector runs, this countermeasure
uses authentication and netflow events, which remain available when that host
has no endpoint agent, to detect instances of the telemetry profile described
above. Taegis therefore detects not only individual malicious events such as
the execution of SharpHound but also the sequence of events around them, which
provides more context for the attack. Taegis XDR is continually updated with
threat intelligence gained through CTU research and helps organizations
differentiate noise, legitimate use, and actionable alerts.

Preview Taegis XDR to explore more coverage for threat actors’ tools and
techniques.

