Threat behavior
HackTool:PowerShell/SharpHound.B is a reconnaissance tool engineered to launch a comprehensive data collection within Microsoft Active Directory domains. It is distributed primarily in two forms: as a standalone executable compiled from C# source code for the .NET framework, and as a native PowerShell script module. Execution is parameter-driven, initiated through command-line arguments that define the operational scope. The critical -CollectionMethod parameter accepts values such as Group, Session, LocalAdmin, Default, or DCOnly, each dictating a specific data category for enumeration. The -Domain parameter targets a specific domain, while -SearchBase can restrict queries to a particular Organizational Unit. The tool runs in the security context of the currently authenticated user or compromised account and relies entirely on legitimate Windows Management Instrumentation (WMI), Lightweight Directory Access Protocol (LDAP), and Remote Procedure Call (RPC) application programming interfaces to gather information; it does not exploit software vulnerabilities.
A distinct technical characteristic is its initial system profiling through registry queries. The tool reads the unique MachineGuid value from the registry key HKLM\SOFTWARE\MICROSOFT\CRYPTOGRAPHY\MachineGuid to fingerprint the host. It also reads the default system locale from HKLM\SYSTEM\CURRENTCONTROLSET\CONTROL\NLS\Locale\Default to understand language settings. For network context, it enumerates protocol and namespace providers by querying registry paths including \Registry\Machine\SYSTEM\ControlSet001\services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries and \Registry\Machine\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog9\Catalog_Entries. These registry interactions are strictly read-only operations; the tool does not create, modify, or delete registry keys to alter Windows configuration or establish persistence. The core enumeration engine employs multi-threading to perform high-speed, sequential queries against domain controllers. For the Group collection method, it performs Lightweight Directory Access Protocol queries to recursively resolve nested group memberships across the entire domain, building a complete graph of user-to-group and group-to-group relationships.
The Session method issues NetSessionEnum and NetWkstaUserEnum Remote Procedure Calls over the Server Message Block (SMB) protocol to poll target computers for active user logon sessions. The LocalAdmin method uses NetLocalGroupGetMembers API calls to remotely query the membership of the local Administrators group on domain-joined devices. The Default method is a composite that runs multiple collection types. This activity generates a distinctive network footprint: a sustained burst of LDAP queries from the host to a domain controller on TCP port 389, accompanied by a high volume of outbound SMB connections on TCP port 445 to numerous internal IP addresses and a corresponding spike in DNS queries over UDP port 53 for reverse lookups.
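The network footprint described above, expressed as detection logic over connection records. This is an added example, not code from the tool, the page or Microsoft; the hostnames, IP addresses, flow records and thresholds are constructed for illustration.

```python
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed connection records (not real telemetry): timestamp, source host,
# destination IP, destination port, transport protocol.
BASE = datetime(2024, 1, 15, 9, 0, 0, tzinfo=timezone.utc)
SAMPLE_FLOWS = []
for i in range(300):   # sustained LDAP burst to the domain controller
    SAMPLE_FLOWS.append((BASE + timedelta(seconds=i), "WS-RECON", "10.0.0.10", 389, "tcp"))
for i in range(40):    # SMB fan-out to many member hosts (Session/LocalAdmin collection)
    SAMPLE_FLOWS.append((BASE + timedelta(seconds=2 * i), "WS-RECON", f"10.0.1.{i + 1}", 445, "tcp"))
for i in range(80):    # reverse-lookup spike
    SAMPLE_FLOWS.append((BASE + timedelta(seconds=3 * i), "WS-RECON", "10.0.0.10", 53, "udp"))
for i in range(5):     # ordinary workstation noise, below every threshold
    SAMPLE_FLOWS.append((BASE + timedelta(minutes=i), "WS-NORMAL", "10.0.0.10", 389, "tcp"))
    SAMPLE_FLOWS.append((BASE + timedelta(minutes=i), "WS-NORMAL", "10.0.2.7", 445, "tcp"))
    SAMPLE_FLOWS.append((BASE + timedelta(minutes=i), "WS-NORMAL", "10.0.0.10", 53, "udp"))

def detect_ad_recon(flows, window=timedelta(minutes=5),
                    ldap_min=100, smb_min_hosts=20, dns_min=40):
    """Bucket flows per source host into fixed time windows and return the hosts
    that show all three indicators inside one window: an LDAP/389 TCP burst,
    SMB/445 TCP connections to many distinct internal IPs, and a DNS/53 UDP spike.
    Thresholds are illustrative and should be tuned against a traffic baseline."""
    ldap = defaultdict(int)
    smb_targets = defaultdict(set)
    dns = defaultdict(int)
    for ts, src, dst, port, proto in flows:
        key = (src, int(ts.timestamp() // window.total_seconds()))
        if port == 389 and proto == "tcp":
            ldap[key] += 1
        elif port == 445 and proto == "tcp" and ipaddress.ip_address(dst).is_private:
            smb_targets[key].add(dst)
        elif port == 53 and proto == "udp":
            dns[key] += 1
    findings = {}
    for key in set(ldap) | set(smb_targets) | set(dns):
        hits = []
        if ldap[key] >= ldap_min:
            hits.append(f"ldap_burst={ldap[key]}")
        if len(smb_targets[key]) >= smb_min_hosts:
            hits.append(f"smb_fanout={len(smb_targets[key])}")
        if dns[key] >= dns_min:
            hits.append(f"dns_spike={dns[key]}")
        if len(hits) == 3:   # all three indicators together: high-confidence match
            findings[key[0]] = hits
    return findings
```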
All harvested data is serialized into individual JavaScript Object Notation files on the local filesystem. The output schema is standardized, producing files such as users.json containing user attributes and group memberships, groups.json detailing group properties and relations, computers.json with computer objects and operating system data, sessions.json listing identified user sessions, local_admins.json defining local administrative rights, and trusts.json mapping domain trust direction and type. Upon completion, the tool invokes a compression routine, typically using the .NET System.IO.Compression.ZipFile class, to bundle these files into a single archive. Common archive names follow patterns like BloodHound.bin, BloodHound.zip, or YYYYMMDDHHMMSS_SharpHound.zip. This archive is the primary payload for exfiltration. The tool is purely data-centric; it contains no self-replication logic, no persistence mechanisms such as service or scheduled task creation, and no embedded command and control communication channels. Its operational lifecycle is entirely dependent on manual threat actor intervention for deployment, execution, and retrieval of the final compressed output.
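The output artifacts listed above, turned into a check over file-creation events. This is an added example, not the page's or the tool's code; the host names, directories, event records and the alert threshold are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime

COLLECTION_FILES = {"users.json", "groups.json", "computers.json",
                    "sessions.json", "local_admins.json", "trusts.json"}
ARCHIVE_PATTERNS = [
    re.compile(r"^BloodHound\.(?:bin|zip)$", re.IGNORECASE),
    re.compile(r"^(?P<stamp>\d{14})_SharpHound\.zip$", re.IGNORECASE),
]

def classify_artifact(name):
    """Return 'collection', 'archive', or None for one file name (case-insensitive, as on
    NTFS). A timestamped archive counts only if its 14 digits parse as YYYYMMDDHHMMSS."""
    if name.lower() in COLLECTION_FILES:
        return "collection"
    for pattern in ARCHIVE_PATTERNS:
        match = pattern.match(name)
        if match:
            stamp = match.groupdict().get("stamp")
            try:
                if stamp:
                    datetime.strptime(stamp, "%Y%m%d%H%M%S")
            except ValueError:
                return None  # 14 digits that are not a real date and time
            return "archive"
    return None

def assess_file_events(events, min_collection_files=3):
    """Group (host, directory, filename) file-creation records per directory and alert
    where several collection files land together or any tool-named archive is written."""
    per_dir = defaultdict(lambda: {"collection": set(), "archive": set()})
    for host, directory, filename in events:
        kind = classify_artifact(filename)
        if kind:
            per_dir[(host, directory)][kind].add(filename)
    alerts = []
    for (host, directory), seen in sorted(per_dir.items()):
        if len(seen["collection"]) >= min_collection_files or seen["archive"]:
            alerts.append((host, directory, sorted(seen["collection"]), sorted(seen["archive"])))
    return alerts

SAMPLE_EVENTS = [  # constructed file-creation events, not real telemetry
    ("WS01", r"C:\Users\jdoe\Downloads", "users.json"),
    ("WS01", r"C:\Users\jdoe\Downloads", "groups.json"),
    ("WS01", r"C:\Users\jdoe\Downloads", "computers.json"),
    ("WS01", r"C:\Users\jdoe\Downloads", "20240115091530_SharpHound.zip"),
    ("WS02", r"C:\Work\export", "users.json"),  # one lone file: below threshold, no alert
]
```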
Prevention
- Regularly audit and minimize membership in privileged groups (Domain Admins, Enterprise Admins). Implement the principle of least privilege for all user and service accounts. Deactivate unnecessary legacy protocols like NTLM and enforce LDAP signing and channel binding.
- Implement PowerShell Constrained Language Mode and script block logging. Use application whitelisting to prevent the execution of unauthorized scripts and executables, including SharpHound binaries, on workstations and servers.
- Use Endpoint Detection and Response tools configured to detect the specific behavioral patterns of Active Directory reconnaissance, such as mass LDAP querying from a non-server host or the use of specific API calls associated with credential dumping or replication.
- Use network detection tools to baseline normal LDAP/DNS/SMB traffic and alert on anomalous spikes from single sources. Monitor the specific port and protocol patterns associated with enumeration tools.
- Proactively run authorized BloodHound/SharpHound audits in your own environment. This "know your weaknesses" approach allows you to find and remediate critical attack paths before malicious actors exploit them.