Blog

Sniffing Out SharpHound on its Hunt for Domain Admin

The Secureworks Taegis XDR Tactic Graphs searches for telemetry that can identify the presence of malicious tools used to gain domain administrator access.

Secureworks® Counter Threat Unit™ (CTU) periodically conducts purple team exercises called “research sprints” to understand and emulate modern attack techniques, evaluate Secureworks Taegis™ protections, and identify additional detection opportunities. Our work is informed by threat intelligence research as well as our insights from penetration tests conducted by the Secureworks Adversary Group (SwAG) and from engagements by the Secureworks Incident Response team.

Compromising highly privileged accounts can make it easier for threat actors to gain unimpeded access to systems and data and therefore achieve their objectives. With that in mind, one CTU™ research sprint focused on how attackers obtain domain administrator privileges. We surveyed hundreds of SwAG penetration test reports and identified domain administrator privilege escalation tools that were the most successful against customer environments. We then emulated this activity in our controlled environment and identified new methods to detect the use of these tools.

The first tools we explored are the well-known BloodHound toolset and the SharpHound data collector. Historically, Secureworks countermeasures for SharpHound focused on detecting execution of the tool on a system that uses an endpoint agent such as Red Cloak™. However, this detection method is ineffective when a threat actor executes the tool on a system that is not monitored by an endpoint agent. One goal of this research sprint was to better understand the holistic SharpHound telemetry so we could improve detections without relying on the system where it was executed.

BloodHound

The BloodHound tool discovers relationships between Active Directory (AD) objects within a target environment. Leveraging graph theory, BloodHound uses a collector to gather information about the target AD environment and then ingest that data to present it in a visual manner (see Figure 1). This visualization allows BloodHound users to quickly identify paths to compromise privileged accounts or abuse trust relationships that administrators of the target AD environment may not have realized. As a result, threat actors could conduct privilege escalation attacks, identify users vulnerable to Kerberoasting, or perform other malicious activity.


Figure 1. Using BloodHound to find accounts with domain administrator privileges. (Source: Secureworks)

There are a few collectors (also known as ingestors) that BloodHound can use to gather information from the target AD environment. One popular collector is SharpHound, whose name is based on the developers’ use of C# (C sharp) for its codebase. Another Python-based collector (BloodHound.py) uses the Impacket framework for certain tasks but primarily gathers the same information as SharpHound.

SharpHound

During the research sprint, we executed SharpHound on a Windows workstation via the default collection method (-c Default) while pointing it to the target domain (-d purplelabs.local) (see Figure 2). The collector was executed via a compromised administrator account (pgustavo) on the Windows host.


Figure 2. Running the default SharpHound collection method. (Source: Secureworks)

Table 1 lists telemetry generated by this collector when executed on the Windows workstation.

TIMESTAMP (UTC) SUMMARY TYPE TX_BYTE_COUNT (NET)
2023-04-18T18:28:23 Netflow from 10.0.2.12 :51317 to 10.0.2.11 :445 TCP NET 11613
2023-04-18T18:28:23 Netflow from 10.0.2.12 :51316 to 10.0.2.12 :445 TCP NET
2023-04-18T18:28:23 Netflow from 10.0.2.12 :51316 to 10.0.2.12 :445 TCP NET
2023-04-18T18:28:23 Netflow from 10.0.2.12 :51315 to 10.0.2.11 :445 TCP NET
2023-04-18T18:28:21 Netflow from 10.0.2.12 to 10.0.1.11 :53 UDP NET 5412
2023-04-18T18:28:18 Netflow from 10.0.2.12 :51314 to 10.0.1.11 :445 TCP NET 12924
2023-04-18T18:28:18 Netflow from 10.0.2.12 :51313 to 10.0.1.11 :445 TCP NET
2023-04-18T18:28:18 Netflow from 10.0.2.12 :51312 to 10.0.1.11 :389 TCP NET 5230
2023-04-18T18:28:18 Netflow from 10.0.2.12 :51311 to 10.0.1.11 :389 TCP NET 115995
2023-04-18T18:28:18 Netflow from 10.0.2.12 :51310 to 10.0.1.11 :389 TCP NET 2329
2023-04-18T18:28:18 Netflow from 10.0.2.12 :51309 to 10.0.1.11 :389 TCP NET 2347
2023-04-18T18:28:18 Netflow from 10.0.2.12 :51308 to 10.0.1.11 :389 TCP NET 2321
2023-04-18T18:28:18 Netflow from 127.0.0.1 to 127.0.0.1 :64700 UDP NET 11
2023-04-18T18:28:18 Netflow from 10.0.2.12 :51307 to 10.0.1.11 :389 TCP NET 2320
2023-04-18T18:28:16 Netflow from 10.0.2.12 :51306 to 10.0.1.11 :389 TCP NET 22134
2023-04-18T18:28:16 Netflow from 10.0.2.12 :51305 to 10.0.1.11 :389 TCP NET 395216
2023-04-18T18:28:16 Netflow from 10.0.2.12 to 10.0.1.11 :389 UDP NET 447
2023-04-18T18:28:15 "D:\SharpHound.exe" -c Default -d purplelabs.local PROC

Table 1. Telemetry collected from a Windows workstation (WORKSTATION02 / 10.0.2.12) after executing SharpHound locally.

Table 2 lists telemetry from a domain controller. Due to the hundreds of netflow events generated as a result of DNS lookups performed by the SharpHound collector, the table only includes a subset of the activity.

TIMESTAMP (UTC) SUMMARY TYPE TX_BYTE_COUNT (NET)
2023-04-18T18:28:21 TRUNCATED NETFLOW EVENTS FOR HUNDREDS OF DNS LOOKUPS NET
2023-04-18T18:28:21 Netflow from 10.0.2.12 :50397 to 10.0.1.11 :53 UDP NET 118
2023-04-18T18:28:21 Netflow from 10.0.2.12 :57013 to 10.0.1.11 :53 UDP NET 117
2023-04-18T18:28:18 4624: LOGON to PURPLELABS.LOCAL by pgustavo AUTH
2023-04-18T18:28:18 4672: Special privileges assigned to new logon by pgustavo AUTH
2023-04-18T18:28:18 Netflow from 10.0.2.12 :51314 to 10.0.1.11 :445 TCP NET 9997
2023-04-18T18:28:18 Netflow from 10.0.2.12 :51313 to 10.0.1.11 :445 TCP NET
2023-04-18T18:28:18 Netflow from 10.0.1.11 :56099 to 168.63.129.16 :80 TCP NET 156
2023-04-18T18:28:18 4624: LOGON to PURPLELABS.LOCAL by pgustavo AUTH
2023-04-18T18:28:18 4672: Special privileges assigned to new logon by pgustavo AUTH
2023-04-18T18:28:18 Netflow from 10.0.2.12 :51312 to 10.0.1.11 :389 TCP NET 2729
2023-04-18T18:28:18 4624: LOGON to PURPLELABS.LOCAL by pgustavo AUTH
2023-04-18T18:28:18 4672: Special privileges assigned to new logon by pgustavo AUTH
2023-04-18T18:28:18 Netflow from 10.0.2.12 :51311 to 10.0.1.11 :389 TCP NET 932649
2023-04-18T18:28:18 4624: LOGON to PURPLELABS.LOCAL by pgustavo AUTH
2023-04-18T18:28:18 4672: Special privileges assigned to new logon by pgustavo AUTH
2023-04-18T18:28:18 Netflow from 10.0.2.12 :51310 to 10.0.1.11 :389 TCP NET 299
2023-04-18T18:28:18 4624: LOGON to PURPLELABS.LOCAL by pgustavo AUTH
2023-04-18T18:28:18 4672: Special privileges assigned to new logon by pgustavo AUTH
2023-04-18T18:28:18 Netflow from 10.0.2.12 :51309 to 10.0.1.11 :389 TCP NET 299
2023-04-18T18:28:18 4624: LOGON to PURPLELABS.LOCAL by pgustavo AUTH
2023-04-18T18:28:18 4672: Special privileges assigned to new logon by pgustavo AUTH
2023-04-18T18:28:18 Netflow from 10.0.2.12 :51308 to 10.0.1.11 :389 TCP NET 299
2023-04-18T18:28:18 4624: LOGON to PURPLELABS.LOCAL by pgustavo AUTH
2023-04-18T18:28:18 4672: Special privileges assigned to new logon by pgustavo AUTH
2023-04-18T18:28:18 Netflow from 10.0.2.12 :51307 to 10.0.1.11 :389 TCP NET 299
2023-04-18T18:28:16 4624: LOGON to PURPLELABS.LOCAL by pgustavo AUTH
2023-04-18T18:28:16 4672: Special privileges assigned to new logon by pgustavo AUTH
2023-04-18T18:28:16 Netflow from 10.0.2.12 :51306 to 10.0.1.11 :389 TCP NET 14911165
2023-04-18T18:28:16 4624: LOGON to PURPLELABS.LOCAL by pgustavo AUTH
2023-04-18T18:28:16 4672: Special privileges assigned to new logon by pgustavo AUTH
2023-04-18T18:28:16 Netflow from 10.0.2.12 :51305 to 10.0.1.11 :389 TCP NET 10442776
2023-04-18T18:28:16 Netflow from 10.0.2.12 :64701 to 10.0.1.11 :389 UDP NET 176
2023-04-18T18:28:16 Netflow from 10.0.2.12 :64699 to 10.0.1.11 :389 UDP NET 176

Table 2. Telemetry collected from a domain controller (DC01 / 10.0.1.11) after executing SharpHound.

SharpHound issues a series of LDAP queries against the domain controller to enumerate AD objects such as computer names, groups, and user accounts. The LDAP queries could be issued over an encrypted LDAP session; therefore, network inspection may not always be feasible. However, tools that utilize Windows libraries to generate LDAP queries can be monitored via Event Tracing for Windows (ETW). Table 3 lists SharpHound LDAP queries captured by an ETW trace session created during the execution of the SharpHound tool.

LDAP Query Description
(|(samaccounttype=268435456)(samaccounttype=268435457)(samaccounttype=536870912)(samaccounttype=536870913)(primarygroupid=*)) Discover group memberships for security groups, non-security groups, alias and non-alias objects that have a primary group ID
(&(sAMAccountType=805306369)(!(UserAccountControl:1.2.840.113556.1.4.803:=2))) Discover computer accounts that are enabled
(|(samAccountType=805306368)(samAccountType=805306369)(samAccountType=268435456)(samAccountType=268435457)(samAccountType=536870912)(samAccountType=536870913)(objectClass=domain)(&(objectcategory=groupPolicyContainer)(flags=*))(objectcategory=organizationalUnit)) Discover access control lists (ACLs) containing security information for objects enumerated
(|(samaccounttype=268435456)(samaccounttype=268435457)(samaccounttype=536870912)(samaccounttype=536870913)(samaccounttype=805306368)(samaccounttype=805306369)(objectclass=domain)(objectclass=organizationalUnit)(&(objectcategory=groupPolicyContainer)(flags=*)))

Discover various AD groups, user accounts, computer accounts and group policies, and pull various field names useful for analysis

(|(&(&(objectcategory=groupPolicyContainer)(flags=*))(name=*)(gpcfilesyspath=*))(objectcategory=organizationalUnit)(objectClass=domain)) Discover AD containers and linked Group Policy Objects (GPOs)
(&(samaccounttype=805306368)(serviceprincipalname=*)) Discover all service principal names (SPN) for service accounts
(|(samAccountType=805306368)(samAccountType=805306369)(objectclass=organizationalUnit)) For objects returned, discover all other child user, computer, and organizational unit (OU) objects
(objectclass=container) For objects returned, discover all child container objects
(|(samAccountType=805306368)(samAccountType=805306369)) Discover all the user and computer objects
(objectclass=trusteddomain) Discover all trusted domains

Table 3. LDAP queries issued by SharpHound.

As a result of the LDAP connections, several successful remote Windows authentication logon events (indicated by event ID 4624) were generated. Results returned from the LDAP queries will generate additional activity such as performing DNS lookups for each computer account identified, performing a TCP 445 test connection, and enumerating session information over SMB via remote procedure call (RPC) if the test connection is successful. Note that administrator privileges are required to enumerate session information. This activity will result in hundreds of DNS lookup requests to the domain controller and hundreds of port 445 connections across several hosts within a short timeframe.

Taegis Tactic Graphs detector for SharpHound

With an understanding of the telemetry generated across the environment, and as an outcome of this research sprint, the CTU research team developed a Taegis XDR Tactic Graphs™ countermeasure to identify SharpHound. This countermeasure uses authentication and netflow events to detect instances of a telemetry profile that is consistent with the SharpHound collector. Taegis not only detects individual malicious events such as the execution of SharpHound but also a sequence of events that provide more context around the attack. Taegis XDR is continually updated with threat intelligence gained through CTU research and helps organizations differentiate noise, legitimate use, and actionable alerts.

Preview Taegis XDR to explore more coverage for threat actors’ tools and techniques.

Back to all Blogs

Talk with an Expert

Thank you for submitting the form! We have received your request. A Secureworks team member will contact you within one business day.