Threat Hunting #7 - Detecting BloodHound\Sharphound using EID 5045

Attackers can use BloodHound to easily identify highly complex attack paths that would otherwise be impossible to quickly identify. Defenders can use BloodHound to identify and eliminate those same attack paths. Both blue and red teams can use BloodHound to easily gain a deeper understanding of privilege relationships in an Active Directory environment.

In this post we will show you how to detect Sharphound both at the client side as well as at the DC side:

Client Side artifacts:

• Multiple connections to LDAP/LDAPS (389/636) and SMB (445) tcp ports
• Multiple connection to named pipes "srvsvc" and "lsass"

Server Side (i.e. DC or Windows Network File Share) artifacts:

• Connections to named pipes srvsvc, lsarpc and samr (apply to "default" and "all" scan modes)
• Connections to named pipe srvsvc and access to share relative target name containing "Groups.xml" and "GpTmpl.inf" (apply to --Stealth scan mode)

Below examples of events we've observed while testing Sharphound with the "all", "--Stealth" and "default" scan modes:

Detection Examples:

• CarbonBlack: (ipport:389 or ipport:636) and ipport:445 and filemod:srvsvc and filemod:lsass 
• You can use Sysmon EID 18 (Pipe Connect) & EID 3 Network Connect to build the same logic as for the above rule
• EventID-5145 and RelativeTargetName={srvcsvc or lsarpc or samr} and at least 3 occurences with different RelativeTargetName and Same (Source IP, Port) and SourceUserName not like "*DC*$" within 1 minute

References:

https://github.com/BloodHoundAD/BloodHound

https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=5145

https://docs.microsoft.com/en-us/sysinternals/downloads/sysmon