Secureworks® Counter Threat Unit™ (CTU) periodically conducts purple team exercises called “research sprints” to understand and emulate modern attack techniques, evaluate Secureworks Taegis™ protections, and identify additional detection opportunities. Our work is informed by threat intelligence research as well as our insights from penetration tests conducted by the Secureworks Adversary Group (SwAG) and from engagements by the Secureworks Incident Response team.
Compromising highly privileged accounts can make it easier for threat actors to gain unimpeded access to systems and data and therefore achieve their objectives. With that in mind, one CTU™ research sprint focused on how attackers obtain domain administrator privileges. We surveyed hundreds of SwAG penetration test reports and identified domain administrator privilege escalation tools that were the most successful against customer environments. We then emulated this activity in our controlled environment and identified new methods to detect the use of these tools.
The first tools we explored are the well-known BloodHound toolset and the SharpHound data collector. Historically, Secureworks countermeasures for SharpHound focused on detecting execution of the tool on a system that uses an endpoint agent such as Red Cloak™. However, this detection method is ineffective when a threat actor executes the tool on a system that is not monitored by an endpoint agent. One goal of this research sprint was to better understand the holistic SharpHound telemetry so we could improve detections without relying on the system where it was executed.
BloodHound
The BloodHound tool discovers relationships between Active Directory (AD) objects within a target environment. Leveraging graph theory, BloodHound uses a collector to gather information about the target AD environment and then ingests that data to present it visually (see Figure 1). This visualization allows BloodHound users to quickly identify paths to compromise privileged accounts or to abuse trust relationships that administrators of the target AD environment may not have recognized. As a result, threat actors could conduct privilege escalation attacks, identify users vulnerable to Kerberoasting, or perform other malicious activity.
Figure 1. Using BloodHound to find accounts with domain administrator privileges. (Source: Secureworks)
There are a few collectors (also known as ingestors) that BloodHound can use to gather information from the target AD environment. One popular collector is SharpHound, whose name is based on the developers’ use of C# (C sharp) for its codebase. Another Python-based collector (BloodHound.py) uses the Impacket framework for certain tasks but primarily gathers the same information as SharpHound.
SharpHound
During the research sprint, we executed SharpHound on a Windows workstation via the default collection method (-c Default) while pointing it to the target domain (-d purplelabs.local) (see Figure 2). The collector was executed via a compromised administrator account (pgustavo) on the Windows host.
Figure 2. Running the default SharpHound collection method. (Source: Secureworks)
Table 1 lists telemetry generated by this collector when executed on the Windows workstation.
TIMESTAMP (UTC) | SUMMARY | TYPE | TX_BYTE_COUNT (NET) |
---|---|---|---|
2023-04-18T18:28:23 | Netflow from 10.0.2.12 :51317 to 10.0.2.11 :445 TCP | NET | 11613 |
2023-04-18T18:28:23 | Netflow from 10.0.2.12 :51316 to 10.0.2.12 :445 TCP | NET | |
2023-04-18T18:28:23 | Netflow from 10.0.2.12 :51316 to 10.0.2.12 :445 TCP | NET | |
2023-04-18T18:28:23 | Netflow from 10.0.2.12 :51315 to 10.0.2.11 :445 TCP | NET | |
2023-04-18T18:28:21 | Netflow from 10.0.2.12 to 10.0.1.11 :53 UDP | NET | 5412 |
2023-04-18T18:28:18 | Netflow from 10.0.2.12 :51314 to 10.0.1.11 :445 TCP | NET | 12924 |
2023-04-18T18:28:18 | Netflow from 10.0.2.12 :51313 to 10.0.1.11 :445 TCP | NET | |
2023-04-18T18:28:18 | Netflow from 10.0.2.12 :51312 to 10.0.1.11 :389 TCP | NET | 5230 |
2023-04-18T18:28:18 | Netflow from 10.0.2.12 :51311 to 10.0.1.11 :389 TCP | NET | 115995 |
2023-04-18T18:28:18 | Netflow from 10.0.2.12 :51310 to 10.0.1.11 :389 TCP | NET | 2329 |
2023-04-18T18:28:18 | Netflow from 10.0.2.12 :51309 to 10.0.1.11 :389 TCP | NET | 2347 |
2023-04-18T18:28:18 | Netflow from 10.0.2.12 :51308 to 10.0.1.11 :389 TCP | NET | 2321 |
2023-04-18T18:28:18 | Netflow from 127.0.0.1 to 127.0.0.1 :64700 UDP | NET | 11 |
2023-04-18T18:28:18 | Netflow from 10.0.2.12 :51307 to 10.0.1.11 :389 TCP | NET | 2320 |
2023-04-18T18:28:16 | Netflow from 10.0.2.12 :51306 to 10.0.1.11 :389 TCP | NET | 22134 |
2023-04-18T18:28:16 | Netflow from 10.0.2.12 :51305 to 10.0.1.11 :389 TCP | NET | 395216 |
2023-04-18T18:28:16 | Netflow from 10.0.2.12 to 10.0.1.11 :389 UDP | NET | 447 |
2023-04-18T18:28:15 | "D:\SharpHound.exe" -c Default -d purplelabs.local | PROC | |
Table 1. Telemetry collected from a Windows workstation (WORKSTATION02 / 10.0.2.12) after executing SharpHound locally.
Table 2 lists telemetry from a domain controller. Due to the hundreds of netflow events generated as a result of DNS lookups performed by the SharpHound collector, the table only includes a subset of the activity.
TIMESTAMP (UTC) | SUMMARY | TYPE | TX_BYTE_COUNT (NET) |
---|---|---|---|
2023-04-18T18:28:21 | TRUNCATED NETFLOW EVENTS FOR HUNDREDS OF DNS LOOKUPS | NET | |
2023-04-18T18:28:21 | Netflow from 10.0.2.12 :50397 to 10.0.1.11 :53 UDP | NET | 118 |
2023-04-18T18:28:21 | Netflow from 10.0.2.12 :57013 to 10.0.1.11 :53 UDP | NET | 117 |
2023-04-18T18:28:18 | 4624: LOGON to PURPLELABS.LOCAL by pgustavo | AUTH | |
2023-04-18T18:28:18 | 4672: Special privileges assigned to new logon by pgustavo | AUTH | |
2023-04-18T18:28:18 | Netflow from 10.0.2.12 :51314 to 10.0.1.11 :445 TCP | NET | 9997 |
2023-04-18T18:28:18 | Netflow from 10.0.2.12 :51313 to 10.0.1.11 :445 TCP | NET | |
2023-04-18T18:28:18 | Netflow from 10.0.1.11 :56099 to 168.63.129.16 :80 TCP | NET | 156 |
2023-04-18T18:28:18 | 4624: LOGON to PURPLELABS.LOCAL by pgustavo | AUTH | |
2023-04-18T18:28:18 | 4672: Special privileges assigned to new logon by pgustavo | AUTH | |
2023-04-18T18:28:18 | Netflow from 10.0.2.12 :51312 to 10.0.1.11 :389 TCP | NET | 2729 |
2023-04-18T18:28:18 | 4624: LOGON to PURPLELABS.LOCAL by pgustavo | AUTH | |
2023-04-18T18:28:18 | 4672: Special privileges assigned to new logon by pgustavo | AUTH | |
2023-04-18T18:28:18 | Netflow from 10.0.2.12 :51311 to 10.0.1.11 :389 TCP | NET | 932649 |
2023-04-18T18:28:18 | 4624: LOGON to PURPLELABS.LOCAL by pgustavo | AUTH | |
2023-04-18T18:28:18 | 4672: Special privileges assigned to new logon by pgustavo | AUTH | |
2023-04-18T18:28:18 | Netflow from 10.0.2.12 :51310 to 10.0.1.11 :389 TCP | NET | 299 |
2023-04-18T18:28:18 | 4624: LOGON to PURPLELABS.LOCAL by pgustavo | AUTH | |
2023-04-18T18:28:18 | 4672: Special privileges assigned to new logon by pgustavo | AUTH | |
2023-04-18T18:28:18 | Netflow from 10.0.2.12 :51309 to 10.0.1.11 :389 TCP | NET | 299 |
2023-04-18T18:28:18 | 4624: LOGON to PURPLELABS.LOCAL by pgustavo | AUTH | |
2023-04-18T18:28:18 | 4672: Special privileges assigned to new logon by pgustavo | AUTH | |
2023-04-18T18:28:18 | Netflow from 10.0.2.12 :51308 to 10.0.1.11 :389 TCP | NET | 299 |
2023-04-18T18:28:18 | 4624: LOGON to PURPLELABS.LOCAL by pgustavo | AUTH | |
2023-04-18T18:28:18 | 4672: Special privileges assigned to new logon by pgustavo | AUTH | |
2023-04-18T18:28:18 | Netflow from 10.0.2.12 :51307 to 10.0.1.11 :389 TCP | NET | 299 |
2023-04-18T18:28:16 | 4624: LOGON to PURPLELABS.LOCAL by pgustavo | AUTH | |
2023-04-18T18:28:16 | 4672: Special privileges assigned to new logon by pgustavo | AUTH | |
2023-04-18T18:28:16 | Netflow from 10.0.2.12 :51306 to 10.0.1.11 :389 TCP | NET | 14911165 |
2023-04-18T18:28:16 | 4624: LOGON to PURPLELABS.LOCAL by pgustavo | AUTH | |
2023-04-18T18:28:16 | 4672: Special privileges assigned to new logon by pgustavo | AUTH | |
2023-04-18T18:28:16 | Netflow from 10.0.2.12 :51305 to 10.0.1.11 :389 TCP | NET | 10442776 |
2023-04-18T18:28:16 | Netflow from 10.0.2.12 :64701 to 10.0.1.11 :389 UDP | NET | 176 |
2023-04-18T18:28:16 | Netflow from 10.0.2.12 :64699 to 10.0.1.11 :389 UDP | NET | 176 |
Table 2. Telemetry collected from a domain controller (DC01 / 10.0.1.11) after executing SharpHound.
SharpHound issues a series of LDAP queries against the domain controller to enumerate AD objects such as computer names, groups, and user accounts. The LDAP queries could be issued over an encrypted LDAP session; therefore, network inspection may not always be feasible. However, tools that utilize Windows libraries to generate LDAP queries can be monitored via Event Tracing for Windows (ETW). Table 3 lists SharpHound LDAP queries captured by an ETW trace session created during the execution of the SharpHound tool.
LDAP Query | Description |
---|---|
(|(samaccounttype=268435456)(samaccounttype=268435457)(samaccounttype=536870912)(samaccounttype=536870913)(primarygroupid=*)) | Discover group memberships for security groups, non-security groups, alias and non-alias objects that have a primary group ID |
(&(sAMAccountType=805306369)(!(UserAccountControl:1.2.840.113556.1.4.803:=2))) | Discover computer accounts that are enabled |
(|(samAccountType=805306368)(samAccountType=805306369)(samAccountType=268435456)(samAccountType=268435457)(samAccountType=536870912)(samAccountType=536870913)(objectClass=domain)(&(objectcategory=groupPolicyContainer)(flags=*))(objectcategory=organizationalUnit)) | Discover access control lists (ACLs) containing security information for objects enumerated |
(|(samaccounttype=268435456)(samaccounttype=268435457)(samaccounttype=536870912)(samaccounttype=536870913)(samaccounttype=805306368)(samaccounttype=805306369)(objectclass=domain)(objectclass=organizationalUnit)(&(objectcategory=groupPolicyContainer)(flags=*))) | Discover various AD groups, user accounts, computer accounts and group policies, and pull various field names useful for analysis |
(|(&(&(objectcategory=groupPolicyContainer)(flags=*))(name=*)(gpcfilesyspath=*))(objectcategory=organizationalUnit)(objectClass=domain)) | Discover AD containers and linked Group Policy Objects (GPOs) |
(&(samaccounttype=805306368)(serviceprincipalname=*)) | Discover all service principal names (SPN) for service accounts |
(|(samAccountType=805306368)(samAccountType=805306369)(objectclass=organizationalUnit)) | For objects returned, discover all other child user, computer, and organizational unit (OU) objects |
(objectclass=container) | For objects returned, discover all child container objects |
(|(samAccountType=805306368)(samAccountType=805306369)) | Discover all the user and computer objects |
(objectclass=trusteddomain) | Discover all trusted domains |
Table 3. LDAP queries issued by SharpHound.
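A host-side check that fingerprints the Table 3 filters as they would appear in an ETW LDAP client trace, added here as an example and not Secureworks code: the event shape (a process id paired with each search filter), the trait names and the three-trait threshold are assumptions, while the filters themselves are the ones listed in Table 3.

```python
import re
from collections import defaultdict

# Constructed sample of (process id, LDAP search filter) pairs as an ETW LDAP client trace
# would expose them; the process id field and its values are assumed, the filters come from Table 3.
SAMPLE_EVENTS = [
    (1234, "(|(samaccounttype=268435456)(samaccounttype=268435457)(samaccounttype=536870912)(samaccounttype=536870913)(primarygroupid=*))"),
    (1234, "(&(sAMAccountType=805306369)(!(UserAccountControl:1.2.840.113556.1.4.803:=2)))"),
    (1234, "(&(samaccounttype=805306368)(serviceprincipalname=*))"),
    (1234, "(objectclass=trusteddomain)"),
    (1234, "(|(samAccountType=805306368)(samAccountType=805306369))"),
    (5678, "(&(objectclass=user)(samaccountname=jdoe))"),  # ordinary directory lookup
    (5678, "(objectclass=trusteddomain)"),                  # a single trait alone is not enough
]

SAM_TYPE_RE = re.compile(r"samaccounttype=(\d+)")

def fingerprint(filter_text):
    """Return the set of SharpHound-style traits a single LDAP filter exhibits."""
    f = re.sub(r"\s+", "", filter_text.lower())   # case and whitespace are not significant in filters
    sam_types = set(SAM_TYPE_RE.findall(f))
    traits = set()
    if len(sam_types) >= 4:
        traits.add("multi_samaccounttype")         # one OR over group, alias, user and computer types
    if "(primarygroupid=*)" in f:
        traits.add("primary_group_sweep")
    if "(serviceprincipalname=*)" in f and "805306368" in sam_types:
        traits.add("spn_sweep")                    # user accounts with SPNs (Kerberoasting candidates)
    if "(objectclass=trusteddomain)" in f:
        traits.add("trust_enum")
    if "(objectcategory=grouppolicycontainer)" in f and "(flags=*)" in f:
        traits.add("gpo_enum")
    if "useraccountcontrol:1.2.840.113556.1.4.803:=2" in f and "805306369" in sam_types:
        traits.add("enabled_computers")
    if sam_types == {"805306368", "805306369"}:
        traits.add("user_computer_sweep")
    return traits

def detect(events, min_traits=3):
    """Group filters by process and return those whose filters cover at least min_traits distinct traits."""
    per_pid = defaultdict(set)
    for pid, filt in events:
        per_pid[pid] |= fingerprint(filt)
    return {pid: sorted(t) for pid, t in per_pid.items() if len(t) >= min_traits}

if __name__ == "__main__":
    print(detect(SAMPLE_EVENTS))
```

Matching on traits rather than on exact filter strings keeps the check useful when a collector build reorders or re-cases the filter terms.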
As a result of the LDAP connections, several successful remote Windows authentication logon events (event ID 4624) were generated. The results returned by the LDAP queries trigger additional activity: a DNS lookup for each computer account identified, a TCP 445 test connection to each host, and, if that test connection succeeds, enumeration of session information over SMB via remote procedure call (RPC). Note that administrator privileges are required to enumerate session information. This activity results in hundreds of DNS lookup requests to the domain controller and hundreds of port 445 connections across several hosts within a short timeframe.
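The sequence just described (a burst of LDAP sessions to the domain controller, then mass DNS lookups and TCP 445 probes across many hosts) can be expressed as a windowed detector over netflow summaries in the Table 1 format. This is an added illustration, not the Taegis countermeasure: the parsing function, the thresholds and the constructed sample rows are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Netflow summaries in the form used by Tables 1 and 2; the source port is absent for some UDP flows.
FLOW_RE = re.compile(r"Netflow from (?P<src>[\d.]+)(?: :\d+)? to (?P<dst>[\d.]+) :(?P<dport>\d+) (?P<proto>TCP|UDP)")

def parse_flow(timestamp, summary):
    """Parse one telemetry row; returns None for rows that are not netflow (e.g. PROC events)."""
    m = FLOW_RE.fullmatch(summary)
    if not m:
        return None
    return {"ts": datetime.fromisoformat(timestamp), "src": m["src"], "dst": m["dst"],
            "dport": int(m["dport"]), "proto": m["proto"]}

def sharphound_profile(rows, window=timedelta(seconds=60), min_ldap=5, min_dns=100, min_smb_hosts=20):
    """Return source IPs that, within one window, show the collector's profile: a burst of LDAP
    sessions to the DC, then mass DNS lookups and TCP 445 probes against many distinct hosts.
    Thresholds are constructed for this sample and must be tuned to the monitored environment."""
    by_src = defaultdict(list)
    for ts, summary in rows:
        flow = parse_flow(ts, summary)
        if flow:
            by_src[flow["src"]].append(flow)
    hits = {}
    for src, flows in by_src.items():
        flows.sort(key=lambda f: f["ts"])
        for i, start in enumerate(flows):
            win = [f for f in flows[i:] if f["ts"] - start["ts"] <= window]
            ldap = sum(f["dport"] == 389 for f in win)
            dns = sum(f["dport"] == 53 and f["proto"] == "UDP" for f in win)
            smb_hosts = {f["dst"] for f in win if f["dport"] == 445 and f["proto"] == "TCP"}
            if ldap >= min_ldap and dns >= min_dns and len(smb_hosts) >= min_smb_hosts:
                hits[src] = {"ldap": ldap, "dns": dns, "smb_hosts": len(smb_hosts)}
                break
    return hits

def constructed_rows():
    """Constructed (timestamp, summary) rows shaped like Table 1, scaled up to the volumes the text describes."""
    rows = [("2023-04-18T18:28:15", '"D:\\SharpHound.exe" -c Default -d purplelabs.local')]
    rows += [("2023-04-18T18:28:16", f"Netflow from 10.0.2.12 :{51305 + i} to 10.0.1.11 :389 TCP") for i in range(10)]
    rows += [("2023-04-18T18:28:21", "Netflow from 10.0.2.12 to 10.0.1.11 :53 UDP")] * 200
    rows += [("2023-04-18T18:28:23", f"Netflow from 10.0.2.12 :{51315 + i} to 10.0.3.{i + 1} :445 TCP") for i in range(40)]
    # A second workstation doing routine work: a few LDAP lookups and one file-share connection.
    rows += [("2023-04-18T18:28:16", f"Netflow from 10.0.2.13 :{49000 + i} to 10.0.1.11 :389 TCP") for i in range(3)]
    rows.append(("2023-04-18T18:28:20", "Netflow from 10.0.2.13 :49010 to 10.0.1.11 :445 TCP"))
    return rows
```

Correlating the same window with 4624 logon events from the domain controller, as the text describes, would tighten the profile further; the sample above uses netflow alone.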
Taegis Tactic Graphs detector for SharpHound
With an understanding of the telemetry generated across the environment, and as an outcome of this research sprint, the CTU research team developed a Taegis XDR Tactic Graphs™ countermeasure to identify SharpHound. This countermeasure uses authentication and netflow events to detect a telemetry profile consistent with the SharpHound collector. Taegis not only detects individual malicious events such as the execution of SharpHound but also sequences of events that provide more context around the attack. Taegis XDR is continually updated with threat intelligence gained through CTU research and helps organizations differentiate noise, legitimate use, and actionable alerts.
Preview Taegis XDR to explore more coverage for threat actors’ tools and techniques.