HackTool:MSIL/SharpHound!rfn
Aliases: No associated aliases
Summary
HackTool:MSIL/SharpHound!rfn is the data collection component of BloodHound, an Active Directory (AD) post-exploitation reconnaissance tool. Originally a PowerShell script, the collector was rewritten as a compiled C# application running on the .NET Common Language Infrastructure, a significant architectural change. The compiled collector calls Windows APIs and issues LDAP queries directly, bypassing higher-level interfaces that are easier to monitor. It enumerates objects and relationships within an AD forest, including user and group memberships, active sessions, domain trusts, and access control lists, to build a comprehensive map of the environment's identity and security structure.
After gaining initial access, threat actors use it to identify high-value targets, such as domain administrators, and to discover the shortest paths for lateral movement and privilege escalation. Its presence is a strong indicator that an attack is in the active discovery phase, preparing for actions such as data exfiltration or ransomware deployment. Its forensic profile includes distinctive network traffic over LDAP and SMB (bursts of LDAP queries against domain controllers and SMB named-pipe connections to many hosts in a short time), as well as the creation of time-stamped data archives on the local file system.
- Block any identified command and control (C2) IP addresses or domains at the firewall. SharpHound itself does not beacon; these addresses belong to the implant or remote session the threat actor used to run it.
- Immediately reset the password for the user account used to run the tool.
- If that account was a member of a privileged group (like Domain Admins), assume the entire AD environment is compromised.
- Reset the KRBTGT account password twice, allowing AD replication to complete between the two resets (a second reset before replication converges can cause domain-wide authentication failures). The KRBTGT password history holds two entries, so only the second reset invalidates every Kerberos ticket issued or forged with the old keys, including golden tickets, and terminates active attacker sessions that rely on them.
- Locate and analyze all SharpHound output files: the time-stamped JSON files, the ZIP archive that bundles them, and the .bin cache file written alongside them. These files show what data the threat actor collected about the environment, and the timestamp in the default file names gives the time of collection.
- Review domain controller and member-server logs (Event ID 4662, directory object access, which is only generated when Directory Service Access auditing and an object SACL are configured; Event ID 5145, network share access, which requires Detailed File Share auditing) to map the full scope of the reconnaissance activity.
- Determine the initial access vector by reviewing logs for phishing, exploited applications, or unauthorized RDP connections.
- For any critically compromised servers (especially domain controllers), perform a complete wipe and restore from a known-good, offline backup. Do not attempt to clean them in place by removing malicious files.
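The artifacts the steps above point at (time-stamped output files on the host that ran the collector, and Event ID 5145 share-access records on the servers it touched) can be triaged with the following added example. It is illustrative code written for this page, not Microsoft's or the SharpHound project's: the file paths, host names, accounts and event records are constructed, and each Event ID 5145 record is assumed to arrive as a dictionary with the fields a SIEM export would carry (time, account, source IP, logging host, share name, relative target name).

```python
"""
Added hunting helpers (not from the Microsoft page), run on constructed data.

1. Output files: SharpHound's default names are a 14-digit timestamp prefix
   followed by _BloodHound.zip or _<collection>.json, with a .bin cache file
   written beside them.  Operators can rename or randomize these, so a miss
   proves nothing; a hit is a strong lead.
2. Event ID 5145: session and local-group enumeration reaches each host over
   SMB named pipes (IPC$ share, pipes such as srvsvc or samr), so one account
   touching IPC$ on many distinct hosts within minutes stands out.
"""
import ntpath
import re
from collections import defaultdict
from datetime import datetime, timedelta

OUTPUT_NAME = re.compile(r"^\d{14}_(BloodHound\.zip|[a-z]+\.json)$", re.IGNORECASE)


def classify_files(paths):
    """Split paths into SharpHound-style outputs and .bin files co-located with them."""
    outputs = [p for p in paths if OUTPUT_NAME.match(ntpath.basename(p))]
    hot_dirs = {ntpath.dirname(p).lower() for p in outputs}
    # A .bin alone is noise; only flag caches sitting next to a matching output file.
    caches = [p for p in paths
              if p.lower().endswith(".bin") and ntpath.dirname(p).lower() in hot_dirs]
    return {"outputs": outputs, "caches": caches}


def detect_share_enumeration(events, min_hosts=5, window=timedelta(minutes=10)):
    """Flag (account, source IP) pairs whose IPC$ touches span >= min_hosts
    distinct target hosts inside some interval no longer than `window`.

    Event keys: time (datetime), account, src_ip, target_host (the server
    that logged 5145), share, relative_target.
    """
    touches = defaultdict(list)
    for e in events:
        if e["share"].upper().endswith("IPC$"):
            touches[(e["account"], e["src_ip"])].append((e["time"], e["target_host"]))

    findings = []
    for (account, src_ip), seen in touches.items():
        seen.sort()
        best, start = set(), 0
        # Sliding window over the time-ordered touches; keep the widest host set.
        for end in range(len(seen)):
            while seen[end][0] - seen[start][0] > window:
                start += 1
            hosts = {host for _, host in seen[start:end + 1]}
            if len(hosts) > len(best):
                best = hosts
        if len(best) >= min_hosts:
            findings.append({"account": account, "src_ip": src_ip,
                             "host_count": len(best), "hosts": sorted(best),
                             "first_seen": seen[0][0], "last_seen": seen[-1][0]})
    return findings


# ---- constructed sample data (not real telemetry) -------------------------
SAMPLE_PATHS = [
    r"C:\Users\jdoe\AppData\Local\Temp\20240301143015_BloodHound.zip",
    r"C:\Users\jdoe\AppData\Local\Temp\20240301143015_computers.json",
    r"C:\Users\jdoe\AppData\Local\Temp\MTIzNDU2Nzg5.bin",
    r"C:\Windows\Temp\setup.bin",
    r"C:\Users\jdoe\Documents\report.json",
]


def _ev(minute, account, src, host, share, target):
    base = datetime(2024, 3, 1, 14, 30)
    return {"time": base + timedelta(minutes=minute), "account": account, "src_ip": src,
            "target_host": host, "share": share, "relative_target": target}


SAMPLE_EVENTS = (
    # one account sweeping eight workstations in under two minutes, then a DC
    [_ev(i * 0.25, r"CORP\jdoe", "10.0.0.25", f"WS{i:02d}.corp.local", r"\\*\IPC$", "srvsvc")
     for i in range(8)]
    + [_ev(2, r"CORP\jdoe", "10.0.0.25", "DC01.corp.local", r"\\*\IPC$", "samr")]
    # benign noise: a backup job on a file share and a single helpdesk lookup
    + [_ev(3, r"CORP\backupsvc", "10.0.0.40", "FS01.corp.local", r"\\*\Backups", "nightly.bak"),
       _ev(5, r"CORP\helpdesk", "10.0.0.51", "WS03.corp.local", r"\\*\IPC$", "srvsvc")]
)

if __name__ == "__main__":
    print(classify_files(SAMPLE_PATHS))
    for f in detect_share_enumeration(SAMPLE_EVENTS):
        print(f"{f['account']} from {f['src_ip']} touched IPC$ on {f['host_count']} hosts "
              f"between {f['first_seen']:%H:%M:%S} and {f['last_seen']:%H:%M:%S}")
```

The thresholds (five hosts in ten minutes) are starting points, not tuned values; vulnerability scanners, monitoring agents and backup software also fan out over IPC$, so the finding list should be reviewed against known service accounts before any credential resets are triggered from it.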
Microsoft Defender Antivirus automatically removes threats as they are detected. However, many infections can leave remnant files and system changes. Updating your antimalware definitions and running a full scan might help address these remnant artifacts.
You can also visit our advanced troubleshooting page or search the Microsoft virus and malware community for more help.