HackTool.PS1.SHARPHOUND.G
PowerShell/RiskWare.BloodHound.F application (NOD32)
Windows
Tipo de malware
Hacking Tool
Destructivo?
No
Cifrado
In the Wild:
Sí
Resumen y descripción
It arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.
Detalles técnicos
Detalles de entrada
It arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.
Otros detalles
Hace lo siguiente:
- It accepts the following commands and actions:
- -c, --collectionmethods → Container, Group, LocalGroup, GPOLocalGroup, Session, LoggedOn, ObjectProps, ACL, ComputerOnly, Trusts, Default, RDP, DCOM, DCOnly, UserRights, CARegistry, DCRegistry, CertServices
- -d, --domain → Specify domain to enumerate
- -s, --searchforest → Search all available domains in the forest
- --stealth → Stealth Collection
- -f → Add an LDAP filter to the pregenerated filter
- --distinguishedname → Base DistinguishedName to start the LDAP search
- --computerfile → Path to file containing computer names to enumerate
- --outputdirectory → Directory to output file
- --outputprefix → String to prepend to output file names
- --cachename → Filename for cache (Defaults to a machine specific identifier)
- --memcache → Keep cache in memory and don't write to disk
- --rebuildcache → Rebuild cache and remove all entries
- --randomfilenames → Use random filenames for output
- --zipfilename → Filename for the zip
- --nozip → Don't zip files
- --trackcomputercalls → Adds a CSV tracking requests to computers
- --zippassword → Password protects the zip with the specified password
- --prettyprint → Pretty print JSON
- --ldapusername → Username for LDAP
- --ldappassword → Password for LDAP
- --domaincontroller → Override domain controller to pull LDAP
- --ldapport → Override port for LDAP
- --secureldap → Connect to LDAP SSL instead of regular LDAP
- --disablecertverification → Disable certificate verification for secure LDAP
- --disablesigning → Disables Kerberos Signing/Sealing
- --skipportcheck → Skip checking if 445 is open
- --portchecktimeout → Timeout for port checks in milliseconds
- --skippasswordcheck → Skip PwdLastSet age check when checking computers
- --excludedcs → Exclude domain controllers from session/localgroup enumeration
- --throttle → Add a delay after computer requests in milliseconds
- --jitter → Add jitter to throttle
- --threads → Number of threads to run enumeration with
- --skipregistryloggedon → Skip registry session enumeration
- --overrideusername → Override the username to filter for NetSessionEnum
- --realdnsname → Override DNS suffix for API calls
- --collectallproperties → Collect all LDAP properties from objects
- -l, --Loop → Loop computer collection
- --loopduration → Loop duration
- --loopinterval → Add delay between loops
- --statusinterval → Interval in which to display status in milliseconds
- --localadminsessionenum → Specify if to use a dedicated LOCAL user for session enumeration
- --localadminusername → Specify the username of the localadmin for session enumeration
- --localadminpassword → Specify the password of the localadmin for session enumeration
- -v → Enable verbose output
- --help → Display help screen
- --version → Display version information
Soluciones
Step 1
Los usuarios de Windows ME y XP, antes de llevar a cabo cualquier exploración, deben comprobar que tienen desactivada la opción Restaurar sistema para permitir la exploración completa del equipo.
Step 2
Explorar el equipo con su producto de Trend Micro para eliminar los archivos detectados como HackTool.PS1.SHARPHOUND.G En caso de que el producto de Trend Micro ya haya limpiado, eliminado o puesto en cuarentena los archivos detectados, no serán necesarios más pasos. Puede optar simplemente por eliminar los archivos en cuarentena. Consulte esta página de Base de conocimientos para obtener más información.
Rellene nuestra encuesta!