Detect Sharphound Usage

Detect Sharphound Usage

Description

The following analytic identifies SharpHound binary usage by using the original filena,e. In addition to renaming the PE, other coverage is available to detect command-line arguments. This particular analytic looks for the originalfilename of SharpHound.exe and the process name. It is possible older instances of SharpHound.exe have different original filenames. Dependent upon the operator, the code may be re-compiled and the attributes removed or changed to anything else. During triage, review the metadata of the binary in question. Review parallel processes for suspicious behavior. Identify the source of this binary.

   Help

Detect Sharphound Usage Help

To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the Endpoint datamodel in the Processes node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product.

   Search

Open in Search