Detecting the presence of SharpHound tool

Rule added on 20th February, 2024

Prerequisite:

The rule requires Sysmon to be installed and logging process creation (Event ID 1) with the OriginalFileName field populated; both criteria below are evaluated against that event.

Rule type:

Correlation rule

Rule description:

This correlation rule aims to identify the execution of SharpHound.exe, the data collector for BloodHound. SharpHound enumerates Active Directory over LDAP and SMB (users, groups, computers, trusts, GPOs, ACLs, logged-on sessions and local administrator group membership) and writes the results to JSON/ZIP output files that BloodHound ingests to compute attack paths to high-value targets such as Domain Admins. Its presence on an endpoint indicates an adversary mapping the domain in preparation for privilege escalation and lateral movement.

Data source:

Windows: process, file

Relevant MITRE ATT&CK techniques and tactics:

Tactics: TA0004 - Privilege Escalation, TA0007 - Discovery, TA0008 - Lateral Movement

Techniques: T1087 - Account Discovery, T1068 - Exploitation for Privilege Escalation, T1210 - Exploitation of Remote Services

SharpHound itself only performs discovery (account, group, trust, session and remote-system enumeration); the privilege escalation and lateral movement entries describe what an adversary does with the attack paths it maps, not actions the tool takes.

Criteria:

Original file name ends with "SharpHound.exe": This criterion matches on the OriginalFileName field of the Sysmon process-creation event, which Sysmon reads from the executable's PE version resource. It therefore still fires when the attacker has renamed the binary on disk, but not when the version information has been stripped or the tool has been recompiled under another name (Sysmon then records "-" or the new name).

Process name ends with "SharpHound.exe": This criterion checks the Image field, i.e. the full path of the running process. If the process name itself ends with "SharpHound.exe", it strengthens the likelihood that SharpHound is involved, but it is the easier of the two criteria to evade with a simple rename.

Neither criterion covers in-memory execution of the collector, for example the PowerShell variant SharpHound.ps1 or the .NET assembly loaded through a C2 framework's execute-assembly feature; those runs leave no SharpHound.exe process and need separate detection (PowerShell script block logging, LDAP query volume, SMB session enumeration against many hosts).
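To show how the two criteria behave against renamed and stripped binaries, here is an added example (not the product's rule engine) that parses constructed Sysmon Event ID 1 records and reports which criterion each one matches. The XML records, paths and command lines are hand-written for illustration.

```python
"""Evaluate the two SharpHound criteria against Sysmon Event ID 1 records.

Added example, not the product's rule engine. The XML below is constructed
in the shape Sysmon writes to Microsoft-Windows-Sysmon/Operational.
"""
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
SUFFIX = "sharphound.exe"  # both criteria are a case-insensitive suffix match


def parse_sysmon_event(xml_text):
    """Return (event_id, {Data Name: value}) for one Sysmon event."""
    root = ET.fromstring(xml_text)
    event_id = int(root.findtext("e:System/e:EventID", namespaces=NS))
    data = {d.get("Name"): (d.text or "")
            for d in root.iterfind("e:EventData/e:Data", NS)}
    return event_id, data


def matched_criteria(event_id, data):
    """List the rule criteria an Event ID 1 record satisfies.

    Sysmon records an empty OriginalFileName as "-", so a binary whose
    version resource was stripped never satisfies the first criterion.
    """
    if event_id != 1:
        return []
    hits = []
    if data.get("OriginalFileName", "").lower().endswith(SUFFIX):
        hits.append("OriginalFileName")
    if data.get("Image", "").lower().endswith(SUFFIX):
        hits.append("Image")
    return hits


def evaluate(events):
    """Return [(Image, CommandLine, matched criteria)] for events that fire."""
    results = []
    for xml_text in events:
        event_id, data = parse_sysmon_event(xml_text)
        hits = matched_criteria(event_id, data)
        if hits:
            results.append((data.get("Image"), data.get("CommandLine"), hits))
    return results


def _event(image, original, cmdline):
    """Build a minimal constructed Sysmon process-creation record."""
    return f"""<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><Provider Name="Microsoft-Windows-Sysmon"/><EventID>1</EventID></System>
  <EventData>
    <Data Name="Image">{image}</Data>
    <Data Name="OriginalFileName">{original}</Data>
    <Data Name="CommandLine">{cmdline}</Data>
  </EventData>
</Event>"""


# Constructed sample events (hypothetical paths and users).
SAMPLE_EVENTS = [
    # Benign process: neither criterion matches.
    _event(r"C:\Windows\System32\notepad.exe", "NOTEPAD.EXE", "notepad.exe"),
    # Collector run under its own name: both criteria match.
    _event(r"C:\Users\jdoe\Downloads\SharpHound.exe", "SharpHound.exe",
           "SharpHound.exe -c All"),
    # Renamed on disk, PE version resource untouched: only OriginalFileName matches.
    _event(r"C:\Users\jdoe\AppData\Local\Temp\updater.exe", "SharpHound.exe",
           "updater.exe -c Session"),
    # Renamed and version info stripped: evades both criteria.
    _event(r"C:\Users\jdoe\AppData\Local\Temp\svc.exe", "-", "svc.exe -c DCOnly"),
]

if __name__ == "__main__":
    for image, cmdline, hits in evaluate(SAMPLE_EVENTS):
        print(f"{image}  [{cmdline}]  matched: {', '.join(hits)}")
```

Running the block flags the second and third records and stays silent on the fourth, which is the evasion gap the criteria leave open; a production version of the rule would add the Sysmon Hashes field (or an EDR hash lookup) as a third criterion.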

When to implement:

This rule should be enabled in any Active Directory environment where you want early warning of domain reconnaissance: a SharpHound collection run typically precedes privilege escalation and lateral movement, so catching it on a workstation gives the defender time to act before the attack paths it maps are used.

Compliance mapping (NIST, CIS):

Enabling this rule will help you meet the below requirements of regulatory standards and compliance mandates pertaining to detection of attacker tooling and unauthorized reconnaissance.

NIST Cybersecurity Framework (CSF):

  • Anomalies in System Process Execution (DE.AE-1): Detect process executions linked to SharpHound, whose LDAP and SMB enumeration of the domain deviates from the expected behaviour of an ordinary workstation.
  • Irregular Access to Directory Services (DE.CM-1): Identify a single endpoint issuing large volumes of LDAP queries and SMB session or local-group enumeration requests against many hosts, the network footprint of a SharpHound collection run.

CIS:

  • Control 8: Malware Defense: Implementing mechanisms to detect and prevent the execution of SharpHound and similar Active Directory enumeration tools. This involves employing antivirus software or endpoint detection and response (EDR) tools to identify and block SharpHound's execution.
  • Control 6: Maintenance, Monitoring, and Analysis of Audit Logs: Continuously monitoring audit logs for anomalies indicating SharpHound usage, such as process creations matching the criteria above, unusual LDAP query volume from workstations, and session enumeration against many hosts in a short window.

Next steps:

Upon triggering this alert, the following actions can be taken:

  • Identification: Mark this alert as part of an existing incident or initiate a new incident, and assign it to an analyst for in-depth examination.
  • Analysis: Conduct an impact investigation using the Incident Workbench: establish which account ran the collector, which hosts and accounts it enumerated, and whether the JSON/ZIP output it wrote has already been exfiltrated, since that data describes the attack paths the adversary is about to use.
  • Response: Initiate automated workflow execution to terminate the identified process and isolate the host, leveraging Workflows for prompt mitigation; then review the enumerated attack paths and reset or tier the privileged accounts they expose.