Hacking Tools - SharpH0und, Cred Dumping, etc.

ravivittal · 03-18-2024 04:37 PM

Hello Experts, Can someone please provide some sample rules to detect SharpH0und, Cred Dumping?

Is this one of the detection premises for this detection rule?

Look for processes with names matching SharpHound (e.g., "SharpHound.exe", "SharpHound.x64.exe") or other credential dumping tools (e.g., "Mimikatz", "LaZagne"). *Suspicious Interpreters: Monitor processes launched with interpreters commonly used for hacking tools (e.g., PowerShell (.exe), cmd.exe, cscript.exe). Analyze the command-line arguments passed to these processes to identify potential hacking tool usage.

tameri

Hello @ravivittal ,

Yes, the premises you've outlined for detecting SharpHound and credential dumping activities are generally correct and represent a common approaches in identifying these tools.

here, you can find some examples that you can use as guideline

https://github.com/chronicle/detection-rules/blob/main/soc_prime_rules/threat_hunting/sysmon/mimikat...

https://github.com/chronicle/detection-rules/blob/main/community/microsoft/windows/rw_mimikatz_T1003...
https://github.com/chronicle/detection-rules/blob/main/soc_prime_rules/threat_hunting/sysmon/mimikat...
https://github.com/chronicle/detection-rules/blob/main/soc_prime_rules/threat_hunting/sysmon/detect_...

ravivittal

Thanks for the quick feedback!

ravivittal

@tameri All the detection rules are for Mimikatz. Can I use the same regex for Sharphound as well?

tameri

@ravivittal , sure you can use the same for Sharphound or any other tools

These URLs are sample to guide and inspire you when write rules specific for your use cases.

Regards