Skip to main content

Hacking Tools - SharpH0und, Cred Dumping, etc.

  • March 18, 2024
  • 5 replies
  • 42 views
R
Forum|alt.badge.img+3

Hello Experts, Can someone please provide some sample rules to detect SharpH0und, Cred Dumping?

Is this one of the detection premises for this detection rule? 

Look for processes with names matching SharpHound (e.g., "SharpHound.exe", "SharpHound.x64.exe") or other credential dumping tools (e.g., "Mimikatz", "LaZagne"). *Suspicious Interpreters: Monitor processes launched with interpreters commonly used for hacking tools (e.g., PowerShell (.exe), cmd.exe, cscript.exe). Analyze the command-line arguments passed to these processes to identify potential hacking tool usage.

5 replies

tameri
Staff
Forum|alt.badge.img+5
  • tameri
  • Staff
  • March 19, 2024

Hello @ravivittal ,

Yes, the premises you've outlined for detecting SharpHound and credential dumping activities are generally correct and represent a common approaches in identifying these tools.

here, you can find some examples that you can use as guideline

https://github.com/chronicle/detection-rules/blob/main/soc_prime_rules/threat_hunting/sysmon/mimikatz_dc_sync.yaral

https://github.com/chronicle/detection-rules/blob/main/community/microsoft/windows/rw_mimikatz_T1003.yaral
https://github.com/chronicle/detection-rules/blob/main/soc_prime_rules/threat_hunting/sysmon/mimikatz_through_windows_remote_management.yaral
https://github.com/chronicle/detection-rules/blob/main/soc_prime_rules/threat_hunting/sysmon/detect_crackmapexec_mimikatz_module_footprint_on_a_victim_machine.yaral




    R
    Forum|alt.badge.img+3
    • ravivittalBronze 3
    • Author
    • Bronze 3
    • March 20, 2024

    Hello @ravivittal ,

    Yes, the premises you've outlined for detecting SharpHound and credential dumping activities are generally correct and represent a common approaches in identifying these tools.

    here, you can find some examples that you can use as guideline

    https://github.com/chronicle/detection-rules/blob/main/soc_prime_rules/threat_hunting/sysmon/mimikatz_dc_sync.yaral

    https://github.com/chronicle/detection-rules/blob/main/community/microsoft/windows/rw_mimikatz_T1003.yaral
    https://github.com/chronicle/detection-rules/blob/main/soc_prime_rules/threat_hunting/sysmon/mimikatz_through_windows_remote_management.yaral
    https://github.com/chronicle/detection-rules/blob/main/soc_prime_rules/threat_hunting/sysmon/detect_crackmapexec_mimikatz_module_footprint_on_a_victim_machine.yaral





    Thanks for the quick feedback!

      R
      Forum|alt.badge.img+3
      • ravivittalBronze 3
      • Author
      • Bronze 3
      • March 20, 2024

      Hello @ravivittal ,

      Yes, the premises you've outlined for detecting SharpHound and credential dumping activities are generally correct and represent a common approaches in identifying these tools.

      here, you can find some examples that you can use as guideline

      https://github.com/chronicle/detection-rules/blob/main/soc_prime_rules/threat_hunting/sysmon/mimikatz_dc_sync.yaral

      https://github.com/chronicle/detection-rules/blob/main/community/microsoft/windows/rw_mimikatz_T1003.yaral
      https://github.com/chronicle/detection-rules/blob/main/soc_prime_rules/threat_hunting/sysmon/mimikatz_through_windows_remote_management.yaral
      https://github.com/chronicle/detection-rules/blob/main/soc_prime_rules/threat_hunting/sysmon/detect_crackmapexec_mimikatz_module_footprint_on_a_victim_machine.yaral





      @tameri All the detection rules are for Mimikatz. Can I use the same regex for Sharphound as well? 

      tameri
      Staff
      Forum|alt.badge.img+5
      • tameri
      • Staff
      • March 20, 2024

      @ravivittal , sure you can use the same for Sharphound or any other tools

      These URLs are sample to guide and inspire you when write rules specific for your use cases.

      Regards

       

       

      R
      Forum|alt.badge.img
      • ratatatado
      • New Member
      • September 27, 2024

      I’ve also been diving into some of these hacking tools, like SharpH0und and the whole cred dumping scene. How much power you can get with the right tools is pretty wild. SharpH0und is a real gem for mapping Active Directory environments; it’s almost like having a treasure map to all the juicy data points!

      Terms & ConditionsCookie settingsAccessibility statement
      Privacy Policy Terms of Service Gen AI Policy Community Guidelines Cookie Settings

      © 2025 Google. All rights reserved.