Detection rules › Splunk
SharpHound Keywords (PowerShell)
Sharphound can be used to collect Active Directory information in order to easily identify highly complex attack paths that would otherwise be impossible to quickly identify. Once collected information can be utilized by BloodHound to apply graph theory in order to reveal the hidden and often unintended relationships within an Active Directory environment
MITRE ATT&CK coverage
References
Event coverage
| Provider | Event | Title |
|---|---|---|
| PowerShell | Event ID 4104 | Creating Scriptblock text (MessageNumber of MessageTotal). |
Rule body yaml
id: '5528.5784'
title: SharpHound Keywords
description: 'Sharphound can be used to collect Active Directory information in order
to easily identify highly complex attack paths that would otherwise be impossible
to quickly identify. Once collected information can be utilized by BloodHound to
apply graph theory in order to reveal the hidden and often unintended relationships
within an Active Directory environment. -- Threat Actor Association: APT29/Nobelium/Cozy
Bear, BlackMatter, Carbanak, DarkSide, FIN12, Muddled Libra - Software Association:
ALPHV/BlackCat, Black Basta, LockBit, Play, Qakbot/Qbot, XingLocker -- #TrendingThreat
#Russia #Ukraine Atomics T1069.001 Test #4'
logic_format: Splunk
logic: '`get_endpoint_data` `get_endpoint_data_powershell` (TERM(EventCode=4104) OR
"<EventID>4104<") (((TERM(-c) OR TERM(collectionmethod)) (TERM(default) OR TERM(group)
OR TERM(localadmin) OR TERM(rdp) OR TERM(dcom) OR TERM(psremote) OR TERM(GPOLocalGroup)
OR TERM(Session) OR TERM(ComputerOnly) OR TERM(LoggedOn) OR TERM(Trusts) OR TERM(ACL)
OR TERM(Container) OR TERM(DcOnly) OR TERM(all))) OR ((TERM(-domaincontroller) OR
TERM(-d)) OR TERM(ldapport) OR TERM(secureldap) OR TERM(ldapusername) OR TERM(ldappassword)
OR TERM(DisableKerberosSigning) OR TERM(Loop) OR TERM(LoopDuration) OR TERM(LoopInterval)
OR TERM(-Domain) OR TERM(-Stealth) OR TERM(ExcludeDomainControllers) OR TERM(-ComputerFile)
OR TERM(LdapFilter) OR TERM(OverrideUserName) OR TERM(RealDNSName) OR TERM(CollectAllProperties)
OR TERM(WindowsOnly))) |regex process="(?i)(-d|domaincontroller|-c|collectionmethod|DisableKerberosSigning|ldappassword|ldapusername|secureldap|ldapport|loop|OverrideUserName|RealDNSName|CollectAllProperties|WindowsOnly|LdapFilter|ComputerFile|ExcludeDomainControllers|Stealth|Domain)\s"
| table _time, host, user, process, process_*, signature_id | bin span=1s | stats
values(*) as * by _time, host '
techniques:
- discovery:account discovery:local account
- discovery:account discovery:domain account
- discovery:domain trust discovery
- discovery:password policy discovery
- discovery:permission groups discovery:domain groups
- discovery:permission groups discovery:local groups
- discovery:system information discovery
technique_id:
- T1087.001
- T1087.002
- T1482
- T1201
- T1069.002
- T1069.001
- T1082
data_category:
- PowerShell logs
- Process command-line parameters
references:
- https://github.com/BloodHoundAD/SharpHound3/tree/ee437a5e596bf738b91bfae0aa35d2aab3544a8f
Stages and Predicates
Stage 1: search
`get_endpoint_data` `get_endpoint_data_powershell` (TERM(EventCode=4104) OR "<EventID>4104<") (((TERM(-c) OR TERM(collectionmethod)) (TERM(default) OR TERM(group) OR TERM(localadmin) OR TERM(rdp) OR TERM(dcom) OR TERM(psremote) OR TERM(GPOLocalGroup) OR TERM(Session) OR TERM(ComputerOnly) OR TERM(LoggedOn) OR TERM(Trusts) OR TERM(ACL) OR TERM(Container) OR TERM(DcOnly) OR TERM(all))) OR ((TERM(-domaincontroller) OR TERM(-d)) OR TERM(ldapport) OR TERM(secureldap) OR TERM(ldapusername) OR TERM(ldappassword) OR TERM(DisableKerberosSigning) OR TERM(Loop) OR TERM(LoopDuration) OR TERM(LoopInterval) OR TERM(-Domain) OR TERM(-Stealth) OR TERM(ExcludeDomainControllers) OR TERM(-ComputerFile) OR TERM(LdapFilter) OR TERM(OverrideUserName) OR TERM(RealDNSName) OR TERM(CollectAllProperties) OR TERM(WindowsOnly)))
Stage 2: regex
| regex process="(?i)(-d|domaincontroller|-c|collectionmethod|DisableKerberosSigning|ldappassword|ldapusername|secureldap|ldapport|loop|OverrideUserName|RealDNSName|CollectAllProperties|WindowsOnly|LdapFilter|ComputerFile|ExcludeDomainControllers|Stealth|Domain)\s"
Stage 3: table
| table _time, host, user, process, process_*, signature_id
Stage 4: bucket
| bin span=1s
Stage 5: stats
| stats values(*) as * by _time, host
Indicators
Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.
Search terms
Bare-string tokens in the SPL search body. Splunk matches each token against _raw (the untyped raw event text) anywhere it appears, not against a specific field. These don't surface in the Indicators table because they aren't predicates on a known field.
| Stage | Term |
|---|---|
| 1 | TERM |
| 1 | "<EventID>4104<" |
| 1 | "-c" |
| 1 | TERM |
| 1 | collectionmethod |
| 1 | TERM |
| 1 | default |
| 1 | TERM |
| 1 | group |
| 1 | TERM |
| 1 | localadmin |
| 1 | TERM |
| 1 | rdp |
| 1 | TERM |
| 1 | dcom |
| 1 | TERM |
| 1 | psremote |
| 1 | TERM |
| 1 | GPOLocalGroup |
| 1 | TERM |
| 1 | Session |
| 1 | TERM |
| 1 | ComputerOnly |
| 1 | TERM |
| 1 | LoggedOn |
| 1 | TERM |
| 1 | Trusts |
| 1 | TERM |
| 1 | ACL |
| 1 | TERM |
| 1 | Container |
| 1 | TERM |
| 1 | DcOnly |
| 1 | TERM |
| 1 | all |
| 1 | "-domaincontroller" |
| 1 | "-d" |
| 1 | TERM |
| 1 | ldapport |
| 1 | TERM |
| 1 | secureldap |
| 1 | TERM |
| 1 | ldapusername |
| 1 | TERM |
| 1 | ldappassword |
| 1 | TERM |
| 1 | DisableKerberosSigning |
| 1 | TERM |
| 1 | Loop |
| 1 | TERM |
| 1 | LoopDuration |
| 1 | TERM |
| 1 | LoopInterval |
| 1 | "-Domain" |
| 1 | "-Stealth" |
| 1 | TERM |
| 1 | ExcludeDomainControllers |
| 1 | "-ComputerFile" |
| 1 | TERM |
| 1 | LdapFilter |
| 1 | TERM |
| 1 | OverrideUserName |
| 1 | TERM |
| 1 | RealDNSName |
| 1 | TERM |
| 1 | CollectAllProperties |
| 1 | TERM |
| 1 | WindowsOnly |