Query Details

Sentinel KQL Detection for ShadowHound

Query

// 🚨 New Sentinel KQL Detection for ShadowHound 🚨
// https://blog.fndsec.net/2024/11/25/shadowhound/

// I'm excited to share that I've developed a Sentinel KQL detection specifically for identifying the use of ShadowHound, a powerful tool developed by Friends-Security. While ShadowHound offers advanced enumeration capabilities for Active Directory environments, it's crucial to be aware of its potential misuse by threat actors and red teamers for reconnaissance purposes.
// 🔍 Key Features of ShadowHound:

// - Comprehensive enumeration of Active Directory objects from a plain PowerShell script, with no dropped collector binary for endpoint signatures to catch
// - Reads the directory over either ADWS (ShadowHound-ADM, via the ActiveDirectory module) or LDAP (ShadowHound-DS, via DirectorySearcher), so the traffic looks like ordinary administrative queries
// - Designed to enhance security assessments and audits

// 🚨 Potential Risks:
// - Reconnaissance by Threat Actors: ShadowHound can be used by malicious actors to gather detailed information about your domain (users, groups, computers, OUs, GPOs and ACLs), the same data set SharpHound collects, as groundwork for targeted attacks.
// - Red Team Operations: While useful for security assessments, red teamers can use this tool to simulate attacks, highlighting vulnerabilities that need immediate attention.

// 🔐 My Sentinel KQL Detection: To help mitigate these risks, I've created a Sentinel KQL detection rule that identifies ShadowHound activity within your network. This detection rule enhances your ability to monitor and respond to potential threats effectively.

// Sentinel detection for ShadowHound

// The effective method to detect ShadowHound is to
// track identities that read an exceptionally high number
// of LDAP records within a specific time frame, as is done for SharpHound.
// The filter below selects the individual 4662 read events that feed that count;
// aggregate them per SubjectUserSid over the window and alert above a threshold
// established from your own baseline.

SecurityEvent
| where TimeGenerated > ago(1h)
| where EventID == 4662                          // "An operation was performed on an object" (Directory Service Access)
| where not (SubjectUserSid contains "S-1-5-18") // drop NT AUTHORITY\SYSTEM; the DC's own processes read objects constantly
| where AccessMask == "0x10"                     // ADS_RIGHT_DS_READ_PROP: the caller read properties of the object
| where strlen(Properties) >= 2000               // long list of property GUIDs: many attributes requested per object

// MITRE ATT&CK
// Technique: T1069 Permission Groups Discovery
// Tactic: TA0007 Discovery

Explanation

This query is designed to detect potentially suspicious activity related to the use of a tool called ShadowHound within an Active Directory environment. ShadowHound is a tool that can be used for legitimate security assessments but also poses a risk if used by malicious actors for reconnaissance.

Here's a breakdown of what the query does:

  1. Time Frame: It looks at security events generated in the last hour (TimeGenerated > ago(1h)). In a scheduled analytics rule, set the lookup period and run frequency to match this window so events are neither skipped nor double-counted.

  2. Event Filtering: It specifically filters for event ID 4662, "An operation was performed on an object", from the Directory Service Access audit subcategory. This event is only written when "Audit Directory Service Access" (Success) is enabled on the domain controllers and the objects being read carry a SACL entry that audits Read Property; without that configuration there is nothing for the query to match.

  3. Exclusion of System Account: It excludes events where the subject user SID is "S-1-5-18", the SID of the Local System account (NT AUTHORITY\SYSTEM), so that routine reads by the domain controller's own processes do not dominate the results.

  4. Access Mask: It checks for an access mask of "0x10", which for directory service objects is ADS_RIGHT_DS_READ_PROP (Read Property): the caller read attributes of the object, as opposed to writing them or reading the security descriptor.

  5. Property Length: It looks for events whose Properties field is 2000 characters or more. Properties lists the GUIDs of the property sets and attributes that were read, so a long field means the caller requested many attributes of a single object in one operation, which is characteristic of BloodHound-style collectors and unusual for normal user or application lookups.

The filter surfaces the individual read events; the detection described in the query comments, an identity reading an exceptionally high number of records in a short time, comes from aggregating these events per subject and alerting when the count exceeds a threshold established from your own baseline. Expect known collectors such as directory synchronisation or vulnerability-scanning service accounts to cross that threshold legitimately, and exclude them explicitly rather than by raising the threshold.

The query is aligned with the MITRE ATT&CK framework, specifically targeting the "Permission Groups Discovery" technique (T1069) under the "Discovery" tactic (TA0007). This helps in identifying when someone is trying to gather detailed information about the network's Active Directory structure, which could be a precursor to more targeted attacks.
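The per-identity volume check that the query comments and the explanation above describe, written out as an added example (this is not part of the original query or of the ShadowHound project). It keeps the same 4662 filter and then summarises by subject over the window. The lookback, the 500-read threshold, the empty known_collectors allow-list and the GUID-counting heuristic on the Properties field are assumptions to tune against your own domain controllers' baseline.

```kql
// Added example: per-identity volume detection built on the same 4662 filter.
// All thresholds below are assumptions; baseline them before enabling the rule.
let lookback         = 1h;
let min_reads        = 500;           // assumption: reads per identity per window that is "exceptional" here
let min_props        = 2000;          // same Properties length heuristic as the base query
let known_collectors = dynamic([]);   // assumption: add your own sync / scanner service accounts here
SecurityEvent
| where TimeGenerated > ago(lookback)
| where EventID == 4662
| where SubjectUserSid != "S-1-5-18"          // drop NT AUTHORITY\SYSTEM
| where SubjectUserName !in (known_collectors)
| where AccessMask == "0x10"                   // ADS_RIGHT_DS_READ_PROP
| where strlen(Properties) >= min_props
// Count the attribute GUIDs listed in Properties (one per property / property set read).
// A collector that pulls every attribute of every object produces a long list on each event.
| extend PropertyGuids = array_length(extract_all(@"([0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12})", Properties))
| summarize ReadEvents      = count(),
            DistinctObjects = dcount(ObjectName),
            AvgGuidsPerRead = round(avg(PropertyGuids), 1),
            FirstSeen       = min(TimeGenerated),
            LastSeen        = max(TimeGenerated),
            DCs             = make_set(Computer, 10)
    by SubjectUserSid, SubjectUserName, SubjectDomainName
| where ReadEvents >= min_reads
| extend WindowMinutes = datetime_diff('minute', LastSeen, FirstSeen) + 1
| extend ReadsPerMinute = round(todouble(ReadEvents) / WindowMinutes, 1)
| project-reorder SubjectDomainName, SubjectUserName, ReadEvents, DistinctObjects,
                  ReadsPerMinute, AvgGuidsPerRead, DCs, FirstSeen, LastSeen
| order by ReadEvents desc
```

DistinctObjects and ReadsPerMinute are the two fields worth looking at first when triaging a hit: a collector walks thousands of distinct objects in a few minutes, whereas a misbehaving application usually hammers a handful of objects repeatedly. Run the query over a quiet week with the threshold removed to see which identities already sit near the cut-off before turning it into an analytics rule.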

Details


Steven Lim

Released: December 1, 2024

Tables

SecurityEvent

Keywords

SecurityEvent, TimeGenerated, EventID, SubjectUserSid, AccessMask, Properties, Active Directory, LDAP, ShadowHound, SharpHound, MITRE ATT&CK, Technique, Tactic, Discovery

Operators

ago(), contains(), strlen(), where, not, ==, >=, |
