HackTool.PS1.SHARPHOUND.G
PowerShell/RiskWare.BloodHound.F application (NOD32)
Windows
Threat Type: Hacking Tool
Destructiveness: No
Encrypted:
In the wild: Yes
OVERVIEW
Downloaded from the Internet, Dropped by other malware
This Hacking Tool arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.
TECHNICAL DETAILS
1,662,249 bytes
PS1
No
19 Apr 2024
Arrival Details
This Hacking Tool arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.
Other Details
This Hacking Tool does the following:
- It accepts the following commands and actions:
- -c, --collectionmethods → Container, Group, LocalGroup, GPOLocalGroup, Session, LoggedOn, ObjectProps, ACL, ComputerOnly, Trusts, Default, RDP, DCOM, DCOnly, UserRights, CARegistry, DCRegistry, CertServices
- -d, --domain → Specify domain to enumerate
- -s, --searchforest → Search all available domains in the forest
- --stealth → Stealth Collection
- -f → Add an LDAP filter to the pregenerated filter
- --distinguishedname → Base DistinguishedName to start the LDAP search
- --computerfile → Path to file containing computer names to enumerate
- --outputdirectory → Directory to output file
- --outputprefix → String to prepend to output file names
- --cachename → Filename for cache (Defaults to a machine specific identifier)
- --memcache → Keep cache in memory and don't write to disk
- --rebuildcache → Rebuild cache and remove all entries
- --randomfilenames → Use random filenames for output
- --zipfilename → Filename for the zip
- --nozip → Don't zip files
- --trackcomputercalls → Adds a CSV tracking requests to computers
- --zippassword → Password protects the zip with the specified password
- --prettyprint → Pretty print JSON
- --ldapusername → Username for LDAP
- --ldappassword → Password for LDAP
- --domaincontroller → Override domain controller to pull LDAP
- --ldapport → Override port for LDAP
- --secureldap → Connect to LDAP SSL instead of regular LDAP
- --disablecertverification → Disable certificate verification for secure LDAP
- --disablesigning → Disables Kerberos Signing/Sealing
- --skipportcheck → Skip checking if 445 is open
- --portchecktimeout → Timeout for port checks in milliseconds
- --skippasswordcheck → Skip PwdLastSet age check when checking computers
- --excludedcs → Exclude domain controllers from session/localgroup enumeration
- --throttle → Add a delay after computer requests in milliseconds
- --jitter → Add jitter to throttle
- --threads → Number of threads to run enumeration with
- --skipregistryloggedon → Skip registry session enumeration
- --overrideusername → Override the username to filter for NetSessionEnum
- --realdnsname → Override DNS suffix for API calls
- --collectallproperties → Collect all LDAP properties from objects
- -l, --Loop → Loop computer collection
- --loopduration → Loop duration
- --loopinterval → Add delay between loops
- --statusinterval → Interval in which to display status in milliseconds
- --localadminsessionenum → Specify if to use a dedicated LOCAL user for session enumeration
- --localadminusername → Specify the username of the localadmin for session enumeration
- --localadminpassword → Specify the password of the localadmin for session enumeration
- -v → Enable verbose output
- --help → Display help screen
- --version → Display version information
SOLUTION
9.800
2.721.00
19 Apr 2024
Step 1
Before doing any scans, Windows 7, Windows 8, Windows 8.1, and Windows 10 users must disable System Restore to allow full scanning of their computers.
Step 2
Scan your computer with your Trend Micro product to delete files detected as HackTool.PS1.SHARPHOUND.G. If the detected files have already been cleaned, deleted, or quarantined by your Trend Micro product, no further step is required. You may opt to simply delete the quarantined files. Please check the following Trend Micro Support pages for more information:
Did this description help? Tell us how we did.