🌙

Subscribe to the Taegis™ XDR Documentation RSS Feed at .

Learn more about RSS readers or RSS browser extensions.

SharpHound

detectors

The SharpHound Detector is designed to look for a Red Cloak telemetry profile from a victim host that had SharpHound executed against it using the default collection method. This allows SharpHound to be detected whether the attacker machine had Red Cloak installed or not. SharpHound is a data collector for BloodHound and is often used by threat actors, red teams, and blue teams to quickly identify insecure Active Directory configurations and attack paths. The detector monitors authentication and netflow events from Red Cloak™ Endpoint Agents and creates an alert when there is a particular sequence of these events matching the telemetry profile over a period of time.

Tip

For more information on the Secureworks Counter Threat Unit™ (CTU) research that resulted in the creation of this detector, see the blog post Sniffing Out SharpHound on Its Hunt for Domain Admin.

SharpHound Detector Alert

SharpHound Detector Alert

Note

The Events Timeline displays when available.

Requirements

This detector requires the following data sources, integrations, or schemas:

Tip

The SharpHound detector supports Third Party sources such as Cisco Firewall, Windows Snare Logs, SentinelOne, etc. that provide the appropriate normalized schema.

Inputs

Detections are from the following normalized sources:

Outputs

Alerts pushed to the Secureworks® Taegis™ XDR Alert Database and XDR Dashboard.

Configuration Options

This detector is enabled by default when the required data sources or integrations are available in the tenant.

MITRE ATT&CK Category

Detector Testing

This detector does not have a supported testing method, though an Advanced Search will verify if alerts originated with this detector.

Note

If no supported testing method is available, an Advanced Search will show you if any alerts came from this detector if a qualifying event was observed. A search with no results does not indicate the detector is not working. A lack of search results for the detector may only indicate that the specific attack has not been observed in the tenant. However, it could indicate the underlying data is not available. Ensure the required schemas are provided in Data Sources along with the supported device type(s) for that schema.

FROM alert WHERE metadata.creator.detector.detector_id='app:detect:sharphound'

References

 

On this page: