Skip to main content

Hello Experts, Can someone please provide some sample rules to detect SharpH0und, Cred Dumping?

Is this one of the detection premises for this detection rule? 

Look for processes with names matching SharpHound (e.g., "SharpHound.exe", "SharpHound.x64.exe") or other credential dumping tools (e.g., "Mimikatz", "LaZagne"). *Suspicious Interpreters: Monitor processes launched with interpreters commonly used for hacking tools (e.g., PowerShell (.exe), cmd.exe, cscript.exe). Analyze the command-line arguments passed to these processes to identify potential hacking tool usage.

Hello @ravivittal ,

Yes, the premises you've outlined for detecting SharpHound and credential dumping activities are generally correct and represent a common approaches in identifying these tools.

here, you can find some examples that you can use as guideline

https://github.com/chronicle/detection-rules/blob/main/soc_prime_rules/threat_hunting/sysmon/mimikatz_dc_sync.yaral

https://github.com/chronicle/detection-rules/blob/main/community/microsoft/windows/rw_mimikatz_T1003.yaral
https://github.com/chronicle/detection-rules/blob/main/soc_prime_rules/threat_hunting/sysmon/mimikatz_through_windows_remote_management.yaral
https://github.com/chronicle/detection-rules/blob/main/soc_prime_rules/threat_hunting/sysmon/detect_crackmapexec_mimikatz_module_footprint_on_a_victim_machine.yaral




Hello @ravivittal ,

Yes, the premises you've outlined for detecting SharpHound and credential dumping activities are generally correct and represent a common approaches in identifying these tools.

here, you can find some examples that you can use as guideline

https://github.com/chronicle/detection-rules/blob/main/soc_prime_rules/threat_hunting/sysmon/mimikatz_dc_sync.yaral

https://github.com/chronicle/detection-rules/blob/main/community/microsoft/windows/rw_mimikatz_T1003.yaral
https://github.com/chronicle/detection-rules/blob/main/soc_prime_rules/threat_hunting/sysmon/mimikatz_through_windows_remote_management.yaral
https://github.com/chronicle/detection-rules/blob/main/soc_prime_rules/threat_hunting/sysmon/detect_crackmapexec_mimikatz_module_footprint_on_a_victim_machine.yaral





Thanks for the quick feedback!

Hello @ravivittal ,

Yes, the premises you've outlined for detecting SharpHound and credential dumping activities are generally correct and represent a common approaches in identifying these tools.

here, you can find some examples that you can use as guideline

https://github.com/chronicle/detection-rules/blob/main/soc_prime_rules/threat_hunting/sysmon/mimikatz_dc_sync.yaral

https://github.com/chronicle/detection-rules/blob/main/community/microsoft/windows/rw_mimikatz_T1003.yaral
https://github.com/chronicle/detection-rules/blob/main/soc_prime_rules/threat_hunting/sysmon/mimikatz_through_windows_remote_management.yaral
https://github.com/chronicle/detection-rules/blob/main/soc_prime_rules/threat_hunting/sysmon/detect_crackmapexec_mimikatz_module_footprint_on_a_victim_machine.yaral





@tameri All the detection rules are for Mimikatz. Can I use the same regex for Sharphound as well? 

@ravivittal , sure you can use the same for Sharphound or any other tools


These URLs are sample to guide and inspire you when write rules specific for your use cases.


Regards


 


 

I’ve also been diving into some of these hacking tools, like SharpH0und and the whole cred dumping scene. How much power you can get with the right tools is pretty wild. SharpH0und is a real gem for mapping Active Directory environments; it’s almost like having a treasure map to all the juicy data points!

Reply


Terms & ConditionsCookie settings
Privacy Policy Terms of Service Gen AI Policy Community Guidelines Cookie Settings

© 2025 Google. All rights reserved.