Techniques
Sample rules
Detect SharpHound Command-Line Arguments
- source: splunk
- techniques:
  - T1087.002
  - T1069.001
  - T1482
  - T1087.001
  - T1087
  - T1069.002
  - T1069
Description
The following analytic detects the execution of SharpHound command-line arguments, specifically -collectionMethod and invoke-bloodhound. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names and command-line executions. This activity is significant as SharpHound is commonly used for Active Directory enumeration, which can be a precursor to lateral movement or privilege escalation. If confirmed malicious, this activity could allow an attacker to map out the network, identify high-value targets, and plan further attacks, potentially compromising sensitive information and critical systems.
Detection logic
| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process IN ("*-collectionMethod*","*invoke-bloodhound*") by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id
| `drop_dm_object_name(Processes)`
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `detect_sharphound_command_line_arguments_filter`
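
The following Python sketch is an added example, not part of the original rule or of Splunk's content. It emulates the search's wildcard match and its count/firstTime/lastTime aggregation over constructed process events, which is useful for checking what the rule will and will not group together. Assumptions: the comparison is case-insensitive, the macros (summariesonly, ctime formatting, the filter) are not emulated, and the event values and the names matches and detect are hypothetical.

```python
from fnmatch import fnmatchcase

# Wildcard patterns copied from the rule's `Processes.process IN (...)` clause.
PATTERNS = ("*-collectionMethod*", "*invoke-bloodhound*")
# Fields from the rule's `by` clause, without the `Processes.` prefix.
GROUP_BY = ("dest", "user", "parent_process", "process_name",
            "process", "process_id", "parent_process_id")
FIELDS = ("_time",) + GROUP_BY

# Constructed sample events (not real telemetry); `process` is the command line.
SAMPLE_EVENTS = [dict(zip(FIELDS, row)) for row in [
    (1700000000, "WS01", "jdoe", "cmd.exe", "SharpHound.exe",
     "SharpHound.exe -collectionMethod All", 4120, 988),
    (1700000060, "WS01", "jdoe", "cmd.exe", "SharpHound.exe",
     "SharpHound.exe -collectionMethod All", 4120, 988),
    (1700000120, "WS02", "svc_app", "explorer.exe", "powershell.exe",
     "powershell.exe -Command Invoke-BloodHound", 5333, 1204),
    (1700000180, "WS02", "svc_app", "cmd.exe", "ipconfig.exe",
     "ipconfig.exe /all", 5410, 1204),
]]

def matches(cmdline):
    """True if the command line matches any rule pattern.

    Assumption: matching is case-insensitive, so both sides are lowercased.
    """
    lowered = cmdline.lower()
    return any(fnmatchcase(lowered, p.lower()) for p in PATTERNS)

def detect(events):
    """Return one row per distinct `by` tuple with count, firstTime, lastTime."""
    groups = {}
    for ev in events:
        if not matches(ev["process"]):
            continue
        key = tuple(ev[f] for f in GROUP_BY)
        row = groups.setdefault(key, dict(zip(GROUP_BY, key), count=0,
                                          firstTime=ev["_time"],
                                          lastTime=ev["_time"]))
        row["count"] += 1
        row["firstTime"] = min(row["firstTime"], ev["_time"])
        row["lastTime"] = max(row["lastTime"], ev["_time"])
    return list(groups.values())

if __name__ == "__main__":
    for hit in detect(SAMPLE_EVENTS):
        print(hit)
```

Because process_id is part of the grouping key, repeated events for one process collapse into a single row, while a second launch with a new process ID produces a separate row.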