https://www.secureworks.com/blog/sniffing-out-sharphound-on-its-hunt-for-domain-admin
Sniffing Out SharpHound on its Hunt for Domain Admin
Research & Intelligence

The Secureworks Taegis XDR Tactic Graphs searches for telemetry that can identify the presence of malicious tools used to gain domain administrator access.

Tuesday, August 1, 2023
By: Counter Threat Unit Research Team

Secureworks® Counter Threat Unit™ (CTU) periodically conducts purple team exercises called “research sprints” to understand and emulate modern attack techniques, evaluate Secureworks Taegis™ protections, and identify additional detection opportunities. Our work is informed by threat intelligence research as well as by insights from penetration tests conducted by the Secureworks Adversary Group (SwAG) and from engagements by the Secureworks Incident Response team.

Compromising highly privileged accounts makes it easier for threat actors to gain unimpeded access to systems and data and therefore achieve their objectives. With that in mind, one CTU™ research sprint focused on how attackers obtain domain administrator privileges. We surveyed hundreds of SwAG penetration test reports and identified the domain administrator privilege escalation tools that were most successful against customer environments. We then emulated this activity in our controlled environment and identified new methods to detect the use of these tools. The first tools we explored are the well-known BloodHound toolset and its SharpHound data collector.
Historically, Secureworks countermeasures for SharpHound focused on detecting execution of the tool on a system that runs an endpoint agent such as Red Cloak™. That approach fails when a threat actor executes the tool on a system that is not monitored by an endpoint agent. One goal of this research sprint was to understand the full set of SharpHound telemetry across the environment so that detections no longer depend on the system where the tool was executed.

BLOODHOUND

The BloodHound tool discovers relationships between Active Directory (AD) objects within a target environment. Leveraging graph theory, BloodHound uses a collector to gather information about the target AD environment and then ingests that data to present it visually (see Figure 1). This visualization lets BloodHound users quickly identify paths to compromise privileged accounts, or abuse trust relationships, that administrators of the target AD environment may not have realized exist. As a result, threat actors could conduct privilege escalation attacks, identify users vulnerable to Kerberoasting, or perform other malicious activity.

Figure 1. Using BloodHound to find accounts with domain administrator privileges. (Source: Secureworks)

There are a few collectors (also known as ingestors) that BloodHound can use to gather information from the target AD environment. One popular collector is SharpHound, whose name reflects the developers’ use of C# (C sharp) for its codebase. Another, Python-based collector (BloodHound.py) uses the Impacket framework for certain tasks but gathers largely the same information as SharpHound.

SHARPHOUND

During the research sprint, we executed SharpHound on a Windows workstation using the default collection method (-c Default) and pointing it at the target domain (-d purplelabs.local) (see Figure 2). The collector was run under a compromised administrator account (pgustavo) on the Windows host.

Figure 2. Running the default SharpHound collection method. (Source: Secureworks)

Table 1 lists the telemetry generated by the collector on the Windows workstation.

TIMESTAMP (UTC) | SUMMARY | TYPE | TX_BYTE_COUNT (NET)
2023-04-18T18:28:23 | Netflow from 10.0.2.12:51317 to 10.0.2.11:445 TCP | NET | 11613
2023-04-18T18:28:23 | Netflow from 10.0.2.12:51316 to 10.0.2.12:445 TCP | NET |
2023-04-18T18:28:23 | Netflow from 10.0.2.12:51316 to 10.0.2.12:445 TCP | NET |
2023-04-18T18:28:23 | Netflow from 10.0.2.12:51315 to 10.0.2.11:445 TCP | NET |
2023-04-18T18:28:21 | Netflow from 10.0.2.12 to 10.0.1.11:53 UDP | NET | 5412
2023-04-18T18:28:18 | Netflow from 10.0.2.12:51314 to 10.0.1.11:445 TCP | NET | 12924
2023-04-18T18:28:18 | Netflow from 10.0.2.12:51313 to 10.0.1.11:445 TCP | NET |
2023-04-18T18:28:18 | Netflow from 10.0.2.12:51312 to 10.0.1.11:389 TCP | NET | 5230
2023-04-18T18:28:18 | Netflow from 10.0.2.12:51311 to 10.0.1.11:389 TCP | NET | 115995
2023-04-18T18:28:18 | Netflow from 10.0.2.12:51310 to 10.0.1.11:389 TCP | NET | 2329
2023-04-18T18:28:18 | Netflow from 10.0.2.12:51309 to 10.0.1.11:389 TCP | NET | 2347
2023-04-18T18:28:18 | Netflow from 10.0.2.12:51308 to 10.0.1.11:389 TCP | NET | 2321
2023-04-18T18:28:18 | Netflow from 127.0.0.1 to 127.0.0.1:64700 UDP | NET | 11
2023-04-18T18:28:18 | Netflow from 10.0.2.12:51307 to 10.0.1.11:389 TCP | NET | 2320
2023-04-18T18:28:16 | Netflow from 10.0.2.12:51306 to 10.0.1.11:389 TCP | NET | 22134
2023-04-18T18:28:16 | Netflow from 10.0.2.12:51305 to 10.0.1.11:389 TCP | NET | 395216
2023-04-18T18:28:16 | Netflow from 10.0.2.12 to 10.0.1.11:389 UDP | NET | 447
2023-04-18T18:28:15 | "D:\SharpHound.exe" -c Default -d purplelabs.local | PROC |

Table 1. Telemetry collected from a Windows workstation (WORKSTATION02 / 10.0.2.12) after executing SharpHound locally.

Table 2 lists telemetry from a domain controller. Because the DNS lookups performed by the SharpHound collector generated hundreds of netflow events, the table includes only a subset of the activity.
TIMESTAMP (UTC) | SUMMARY | TYPE | TX_BYTE_COUNT (NET)
2023-04-18T18:28:21 | Truncated: netflow events for hundreds of DNS lookups | NET |
2023-04-18T18:28:21 | Netflow from 10.0.2.12:50397 to 10.0.1.11:53 UDP | NET | 118
2023-04-18T18:28:21 | Netflow from 10.0.2.12:57013 to 10.0.1.11:53 UDP | NET | 117
2023-04-18T18:28:18 | 4624: LOGON to PURPLELABS.LOCAL by pgustavo | AUTH |
2023-04-18T18:28:18 | 4672: Special privileges assigned to new logon by pgustavo | AUTH |
2023-04-18T18:28:18 | Netflow from 10.0.2.12:51314 to 10.0.1.11:445 TCP | NET | 9997
2023-04-18T18:28:18 | Netflow from 10.0.2.12:51313 to 10.0.1.11:445 TCP | NET |
2023-04-18T18:28:18 | Netflow from 10.0.1.11:56099 to 168.63.129.16:80 TCP | NET | 156
2023-04-18T18:28:18 | 4624: LOGON to PURPLELABS.LOCAL by pgustavo | AUTH |
2023-04-18T18:28:18 | 4672: Special privileges assigned to new logon by pgustavo | AUTH |
2023-04-18T18:28:18 | Netflow from 10.0.2.12:51312 to 10.0.1.11:389 TCP | NET | 2729
2023-04-18T18:28:18 | 4624: LOGON to PURPLELABS.LOCAL by pgustavo | AUTH |
2023-04-18T18:28:18 | 4672: Special privileges assigned to new logon by pgustavo | AUTH |
2023-04-18T18:28:18 | Netflow from 10.0.2.12:51311 to 10.0.1.11:389 TCP | NET | 932649
2023-04-18T18:28:18 | 4624: LOGON to PURPLELABS.LOCAL by pgustavo | AUTH |
2023-04-18T18:28:18 | 4672: Special privileges assigned to new logon by pgustavo | AUTH |
2023-04-18T18:28:18 | Netflow from 10.0.2.12:51310 to 10.0.1.11:389 TCP | NET | 299
2023-04-18T18:28:18 | 4624: LOGON to PURPLELABS.LOCAL by pgustavo | AUTH |
2023-04-18T18:28:18 | 4672: Special privileges assigned to new logon by pgustavo | AUTH |
2023-04-18T18:28:18 | Netflow from 10.0.2.12:51309 to 10.0.1.11:389 TCP | NET | 299
2023-04-18T18:28:18 | 4624: LOGON to PURPLELABS.LOCAL by pgustavo | AUTH |
2023-04-18T18:28:18 | 4672: Special privileges assigned to new logon by pgustavo | AUTH |
2023-04-18T18:28:18 | Netflow from 10.0.2.12:51308 to 10.0.1.11:389 TCP | NET | 299
2023-04-18T18:28:18 | 4624: LOGON to PURPLELABS.LOCAL by pgustavo | AUTH |
2023-04-18T18:28:18 | 4672: Special privileges assigned to new logon by pgustavo | AUTH |
2023-04-18T18:28:18 | Netflow from 10.0.2.12:51307 to 10.0.1.11:389 TCP | NET | 299
2023-04-18T18:28:16 | 4624: LOGON to PURPLELABS.LOCAL by pgustavo | AUTH |
2023-04-18T18:28:16 | 4672: Special privileges assigned to new logon by pgustavo | AUTH |
2023-04-18T18:28:16 | Netflow from 10.0.2.12:51306 to 10.0.1.11:389 TCP | NET | 14911165
2023-04-18T18:28:16 | 4624: LOGON to PURPLELABS.LOCAL by pgustavo | AUTH |
2023-04-18T18:28:16 | 4672: Special privileges assigned to new logon by pgustavo | AUTH |
2023-04-18T18:28:16 | Netflow from 10.0.2.12:51305 to 10.0.1.11:389 TCP | NET | 10442776
2023-04-18T18:28:16 | Netflow from 10.0.2.12:64701 to 10.0.1.11:389 UDP | NET | 176
2023-04-18T18:28:16 | Netflow from 10.0.2.12:64699 to 10.0.1.11:389 UDP | NET | 176

Table 2. Telemetry collected from a domain controller (DC01 / 10.0.1.11) after executing SharpHound.

SharpHound issues a series of LDAP queries against the domain controller to enumerate AD objects such as computer names, groups, and user accounts. The queries may be issued over an encrypted LDAP session, so network inspection is not always feasible. However, tools that use the Windows LDAP client libraries to issue their queries can be monitored through Event Tracing for Windows (ETW). Table 3 lists the SharpHound LDAP queries captured by an ETW trace session that was running while SharpHound executed.
Each entry below gives the LDAP filter SharpHound issued, followed by what it enumerates.

(|(samaccounttype=268435456)(samaccounttype=268435457)(samaccounttype=536870912)(samaccounttype=536870913)(primarygroupid=*))
Discover group memberships: security groups, non-security (distribution) groups, alias and non-security alias objects, and any object that has a primary group ID.

(&(sAMAccountType=805306369)(!(UserAccountControl:1.2.840.113556.1.4.803:=2)))
Discover computer accounts that are enabled (the bitwise-AND matching rule excludes accounts with the ACCOUNTDISABLE flag set).

(|(samAccountType=805306368)(samAccountType=805306369)(samAccountType=268435456)(samAccountType=268435457)(samAccountType=536870912)(samAccountType=536870913)(objectClass=domain)(&(objectcategory=groupPolicyContainer)(flags=*))(objectcategory=organizationalUnit))
Discover access control lists (ACLs) containing security information for the objects enumerated.

(|(samaccounttype=268435456)(samaccounttype=268435457)(samaccounttype=536870912)(samaccounttype=536870913)(samaccounttype=805306368)(samaccounttype=805306369)(objectclass=domain)(objectclass=organizationalUnit)(&(objectcategory=groupPolicyContainer)(flags=*)))
Discover AD groups, user accounts, computer accounts, and group policies, and pull the field names useful for analysis.

(|(&(&(objectcategory=groupPolicyContainer)(flags=*))(name=*)(gpcfilesyspath=*))(objectcategory=organizationalUnit)(objectClass=domain))
Discover AD containers and linked Group Policy Objects (GPOs).

(&(samaccounttype=805306368)(serviceprincipalname=*))
Discover all user accounts with a service principal name (SPN), i.e., service accounts that are candidates for Kerberoasting.

(|(samAccountType=805306368)(samAccountType=805306369)(objectclass=organizationalUnit))
For the objects returned, discover all child user, computer, and organizational unit (OU) objects.

(objectclass=container)
For the objects returned, discover all child container objects.

(|(samAccountType=805306368)(samAccountType=805306369))
Discover all user and computer objects.

(objectclass=trusteddomain)
Discover all trusted domains.

Table 3. LDAP queries issued by SharpHound.
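The filters in Table 3 are a usable signature only if the matching survives trivial changes such as reordered or re-cased terms, so the added example below (not Secureworks or SharpHound code) parses a captured LDAP filter, reduces it to a canonical form in which the order of terms inside & and | does not matter, summarizes what the filter selects using the well-known sAMAccountType values and the ACCOUNTDISABLE bit, and checks it against the ten Table 3 filters. The captured filter strings in the demo are constructed; an ETW trace of the Microsoft-Windows-LDAP-Client provider would be one real source, but its event layout is not modelled here.

```python
"""Parse LDAP search filters, say what they enumerate, and match them against the
SharpHound filters from Table 3 by structure rather than by exact string.
Added example, not Secureworks or SharpHound code; the demo captures are constructed."""

# Well-known sAMAccountType values (Active Directory constants).
SAM_ACCOUNT_TYPE = {
    268435456: "security groups",
    268435457: "distribution groups",
    536870912: "local (alias) security groups",
    536870913: "local (alias) distribution groups",
    805306368: "user accounts",
    805306369: "computer accounts",
}
BIT_AND_RULE = "1.2.840.113556.1.4.803"  # LDAP_MATCHING_RULE_BIT_AND
ACCOUNTDISABLE = 0x2                     # userAccountControl flag


def parse_filter(text):
    """Minimal RFC 4515 parser: ('&'|'|'|'!', [children]) or ('=', attr, value)."""
    pos = 0

    def node():
        nonlocal pos
        if text[pos] != "(":
            raise ValueError(f"expected '(' at offset {pos}")
        pos += 1
        if text[pos] in "&|!":
            op = text[pos]
            pos += 1
            children = []
            while text[pos] == "(":
                children.append(node())
            if text[pos] != ")":
                raise ValueError(f"expected ')' at offset {pos}")
            pos += 1
            return (op, children)
        end = text.index(")", pos)  # a literal ')' inside a value must be escaped as \29
        attr, _, value = text[pos:end].partition("=")
        pos = end + 1
        return ("=", attr.strip().lower(), value.strip())

    tree = node()
    if pos != len(text):
        raise ValueError("trailing characters after filter")
    return tree


def canonical(tree):
    """Serialise with the children of & and | sorted, so term order and case do not matter."""
    if tree[0] == "=":
        return f"({tree[1]}={tree[2].lower()})"
    return "(" + tree[0] + "".join(sorted(canonical(c) for c in tree[1])) + ")"


def summarize(tree, negated=False, labels=None):
    """Collect human-readable labels for what the filter selects."""
    labels = set() if labels is None else labels
    if tree[0] in "&|!":
        for child in tree[1]:
            summarize(child, negated != (tree[0] == "!"), labels)
    else:
        attr, value = tree[1], tree[2]
        if attr == "samaccounttype" and value.isdigit():
            labels.add(SAM_ACCOUNT_TYPE.get(int(value), f"samAccountType {value}"))
        elif attr == f"useraccountcontrol:{BIT_AND_RULE}:" and value.isdigit():
            if int(value) & ACCOUNTDISABLE:
                labels.add("enabled only" if negated else "disabled only")
        elif attr == "serviceprincipalname" and value == "*":
            labels.add("with an SPN (Kerberoast candidates)")
        elif attr == "primarygroupid" and value == "*":
            labels.add("any object with a primaryGroupID")
        elif attr in ("objectclass", "objectcategory"):
            labels.add(f"{attr}={value.lower()}")
    return sorted(labels)


# The ten filters from Table 3, stored in canonical form.
SHARPHOUND_FILTERS = {canonical(parse_filter(f)) for f in (
    "(|(samaccounttype=268435456)(samaccounttype=268435457)(samaccounttype=536870912)(samaccounttype=536870913)(primarygroupid=*))",
    "(&(sAMAccountType=805306369)(!(UserAccountControl:1.2.840.113556.1.4.803:=2)))",
    "(|(samAccountType=805306368)(samAccountType=805306369)(samAccountType=268435456)(samAccountType=268435457)(samAccountType=536870912)(samAccountType=536870913)(objectClass=domain)(&(objectcategory=groupPolicyContainer)(flags=*))(objectcategory=organizationalUnit))",
    "(|(samaccounttype=268435456)(samaccounttype=268435457)(samaccounttype=536870912)(samaccounttype=536870913)(samaccounttype=805306368)(samaccounttype=805306369)(objectclass=domain)(objectclass=organizationalUnit)(&(objectcategory=groupPolicyContainer)(flags=*)))",
    "(|(&(&(objectcategory=groupPolicyContainer)(flags=*))(name=*)(gpcfilesyspath=*))(objectcategory=organizationalUnit)(objectClass=domain))",
    "(&(samaccounttype=805306368)(serviceprincipalname=*))",
    "(|(samAccountType=805306368)(samAccountType=805306369)(objectclass=organizationalUnit))",
    "(objectclass=container)",
    "(|(samAccountType=805306368)(samAccountType=805306369))",
    "(objectclass=trusteddomain)",
)}


def is_sharphound_filter(text):
    """True if the filter is one of SharpHound's, regardless of term order or case."""
    try:
        return canonical(parse_filter(text)) in SHARPHOUND_FILTERS
    except (ValueError, IndexError):
        return False


if __name__ == "__main__":
    # Constructed captures; the second is the enabled-computers filter with its terms
    # reordered, which an exact-string signature would miss.
    for f in ("(&(samaccounttype=805306368)(serviceprincipalname=*))",
              "(&(!(userAccountControl:1.2.840.113556.1.4.803:=2))(samAccountType=805306369))",
              "(&(objectclass=user)(cn=jdoe))"):
        print(is_sharphound_filter(f), summarize(parse_filter(f)))
```

Matching on canonical structure is still only a signature: a modified collector can add a harmless extra term and slip past it, which is why the summary labels are worth alerting on as well (for example, any non-administrative host asking for every user with an SPN, or for every trusted domain).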
Each LDAP connection produced a successful remote (network) logon event on the domain controller (event ID 4624); because pgustavo holds administrative privileges, each logon is accompanied by event ID 4672 (special privileges assigned to new logon). The results of the LDAP queries drive further activity: SharpHound performs a DNS lookup for each computer account it identified, attempts a test connection to TCP port 445, and, if the connection succeeds, enumerates session information over SMB via remote procedure call (RPC). Note that administrator privileges are required to enumerate session information. The result is hundreds of DNS lookup requests (sent to the domain controller here because it is also the DNS server) and hundreds of port 445 connections across several hosts within a short timeframe.

TAEGIS TACTIC GRAPHS DETECTOR FOR SHARPHOUND

With an understanding of the telemetry generated across the environment, and as an outcome of this research sprint, the CTU research team developed a Taegis XDR Tactic Graphs™ countermeasure to identify SharpHound. This countermeasure uses authentication and netflow events to detect a telemetry profile that is consistent with the SharpHound collector. Taegis detects not only individual malicious events such as the execution of SharpHound but also the sequence of events that provides context around the attack. Taegis XDR is continually updated with threat intelligence gained through CTU research and helps organizations differentiate noise, legitimate use, and actionable alerts. Preview Taegis XDR to explore more coverage for threat actors’ tools and techniques.
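The telemetry profile described above (an LDAP burst to a domain controller, one 4624 network logon per session, then a DNS storm, then TCP/445 probes against many hosts, all within a short window) can be correlated from netflow and authentication events without any telemetry from the host that ran SharpHound. The added example below is not the Taegis countermeasure; it is illustrative detection logic over constructed events shaped like Tables 1 and 2. The event layout, the domain controller inventory, the correlation window and the thresholds are all assumptions to tune per environment, and the 4624 events are keyed by the workstation address (the IpAddress field of a real 4624), which is what joins them to the netflow.

```python
"""Correlate netflow and authentication events into the SharpHound telemetry profile.
Added example, not the Taegis countermeasure; events, thresholds and DC inventory are
constructed/assumed for illustration."""
from collections import defaultdict
from datetime import datetime, timedelta

DOMAIN_CONTROLLERS = {"10.0.1.11"}                                    # assumed DC inventory
WINDOW = timedelta(seconds=120)                                       # assumed correlation window
THRESHOLDS = {"ldap": 5, "logons": 5, "dns": 100, "smb_hosts": 10}   # illustrative; tune per environment


def net(t, src, dst, dport, proto="TCP"):
    return {"ts": t, "type": "NET", "src": src, "dst": dst, "dport": dport, "proto": proto}


def auth(t, src, user, event_id=4624):
    # Modelled on a Windows 4624 network logon; "src" stands in for its IpAddress field.
    return {"ts": t, "type": "AUTH", "src": src, "user": user, "event_id": event_id}


def detect_sharphound(events, dcs=DOMAIN_CONTROLLERS, window=WINDOW, th=THRESHOLDS):
    """Return one finding per source host whose activity in some window matches the profile."""
    by_src = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        by_src[e["src"]].append(e)
    findings = []
    for src, evs in by_src.items():
        for i, start in enumerate(evs):
            win = [e for e in evs[i:] if e["ts"] <= start["ts"] + window]
            nets = [e for e in win if e["type"] == "NET"]
            ldap = [e for e in nets if e["dport"] == 389 and e["proto"] == "TCP" and e["dst"] in dcs]
            dns = [e for e in nets if e["dport"] == 53]
            smb = [e for e in nets if e["dport"] == 445]
            logons = [e for e in win if e["type"] == "AUTH" and e["event_id"] == 4624]
            smb_hosts = {e["dst"] for e in smb}
            if (len(ldap) >= th["ldap"] and len(logons) >= th["logons"]
                    and len(dns) >= th["dns"] and len(smb_hosts) >= th["smb_hosts"]
                    # LDAP enumeration precedes the DNS storm, which precedes the SMB sweep
                    and ldap[0]["ts"] <= dns[0]["ts"] <= smb[0]["ts"]):
                findings.append({
                    "src": src,
                    "users": sorted({e["user"] for e in logons}),
                    "ldap": len(ldap), "dns": len(dns), "smb_hosts": len(smb_hosts),
                    "start": start["ts"], "end": win[-1]["ts"],
                })
                break  # one finding per source host is enough
    return findings


def sample_events(smb_delay_seconds=0):
    """Constructed telemetry shaped like Tables 1 and 2, plus a benign workstation."""
    t0 = datetime(2023, 4, 18, 18, 28, 16)
    evs = []
    for _ in range(7):                            # LDAP burst, one 4624 per session
        evs.append(net(t0, "10.0.2.12", "10.0.1.11", 389))
        evs.append(auth(t0, "10.0.2.12", "pgustavo"))
    for _ in range(150):                          # one DNS lookup per computer account
        evs.append(net(t0 + timedelta(seconds=5), "10.0.2.12", "10.0.1.11", 53, "UDP"))
    t_smb = t0 + timedelta(seconds=7 + smb_delay_seconds)
    for host in range(10, 25):                    # TCP/445 test connections to 15 hosts
        evs.append(net(t_smb, "10.0.2.12", f"10.0.2.{host}", 445))
    t1 = t0 + timedelta(minutes=2)                # benign host: a few LDAP and DNS requests
    for _ in range(3):
        evs.append(net(t1, "10.0.2.20", "10.0.1.11", 389))
        evs.append(auth(t1, "10.0.2.20", "alice"))
    for _ in range(8):
        evs.append(net(t1, "10.0.2.20", "10.0.1.11", 53, "UDP"))
    return evs


if __name__ == "__main__":
    for f in detect_sharphound(sample_events()):
        print(f"SharpHound profile from {f['src']} as {f['users']}: "
              f"{f['ldap']} LDAP sessions, {f['dns']} DNS lookups, {f['smb_hosts']} SMB hosts")
```

The ordering check matters as much as the counts: a patch-management server also talks LDAP, DNS and SMB to many hosts, but not in this sequence from a single burst of fresh logons. The DNS count is only meaningful when the resolver is the domain controller (as in Table 2); where workstations use a separate resolver, count lookups there instead, and expect to lower the SMB threshold where session enumeration is blocked and SharpHound gets no further than the port 445 probe.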