LIVE · cybersecurity feed
aimedium

SharpHound Recon Attack – How AI enhanced the threat hunt

zeroday.news·1d ago

At Cisco Live AMER 2026, a novel approach to security operations was implemented by integrating an AI-driven security agent with always-on, full packet capture technology. This setup aimed to automate threat hunting and analysis, protecting conference attendees and infrastructure.

The core of this innovation lies in providing the Agentic SOC with access to comprehensive network data via Endace's full packet capture. This rich data source serves as a forensic goldmine for AI, offering unparalleled context and evidence for incident response and threat hunting.

The system was tasked with assessing a potential SharpHound reconnaissance attack. Within minutes, the AI agent provided an accurate assessment, concluding that the observed activity was a benign near-miss. This rapid analysis significantly reduced the manual effort typically required for such investigations.

The architecture combined Endace full packet capture with AI capabilities from Cisco XDR and Splunk Enterprise Security. A custom agentic tool was developed to orchestrate these components, creating a Tier-2 SOC analyst that could investigate incidents end-to-end.

This agent pulled context from Cisco XDR, retrieved relevant packet data from Endace, and queried Splunk logs autonomously. The result was a structured report detailing the incident, gathered data, reasoning, and disposition, empowering even novice analysts.

During the threat hunt, analysts initially observed suspicious LDAP sessions from attendee devices, theorizing it could be SharpHound reconnaissance. The AI agent was then deployed to investigate this potential threat.

The agent's process involved reading the XDR incident, accessing packet capture for the specific session, and gathering supporting evidence from Splunk logs. It autonomously performed a blast-radius check by reviewing all packet data within a defined window.

In this instance, the AI agent correctly identified the activity as benign, recommending the incident be closed. The system also demonstrated a learning capability, correcting an initial error in time interpretation and updating its skill file for future reference.

This integration of Agentic AI with full packet capture represents a significant advancement in SOC productivity and security, enabling human analysts to focus on more critical threats.

aithreat huntingpacket captureincident responsecisco
← Back to latest

More News

view all →
zeroday.news · 3h ago·high

Operationalizing Day Minus Seven: The Cloud-Native ROC

The article introduces the concept of a Risk Operations Center (ROC) as a necessary evolution for cybersecurity teams facing AI-driven threats. It argues that traditional risk management models are insufficient due to the speed at which AI can discover and exploit vulnerabilities, especially in cloud environments. A ROC, powered by platforms like Qualys Enterprise TruRisk Management (ETM), aims to unify disparate security findings, hyper-prioritize risks based on exploitability and business impact, and enable autonomous remediation to keep pace with attackers.

zeroday.news · 4h ago·high

3 Ways AI Powers Service Desk Attacks and How to Prevent Them

Artificial intelligence is increasingly being used by attackers to enhance service desk attacks, particularly during employee onboarding. AI tools can create more convincing impersonations, accelerate reconnaissance for personalized attacks, and scale malicious campaigns. To counter these threats, organizations need to implement stronger identity verification methods, such as secure password delivery, biometric liveness detection, and multi-factor authentication before sensitive actions are approved.

zeroday.news · 2h ago·high

China-Linked APT Expands Arsenal With New ‘Leash’ Backdoors

A China-linked advanced persistent threat (APT) group, identified as LapDogs, has reportedly enhanced its malicious toolkit. Security researchers have observed the deployment of three new backdoors: LongLeash, DogLeash, and JarLeash, which are designed to compromise small office/home office (SOHO) routers.

zeroday.news · 2h ago·high

RedWing Android Spyware Sold as a Service on Telegram

A new Android spyware called RedWing is being offered as a service on Telegram, allowing less sophisticated attackers to compromise phones and steal banking information. Researchers have identified it as a polished malware-as-a-service operation with extensive documentation and a subscription model, potentially linked to Russian threat actors. RedWing employs fake login overlays, SMS interception, call forwarding, and even screen control to harvest credentials and conduct further malicious activities.

zeroday.news · 3h ago·critical

Ubiquiti Patches Critical UniFi Flaws Across Connect, Talk, Access, Protect, and OS

Ubiquiti has released security updates to address several critical vulnerabilities affecting its UniFi product line, including UniFi Connect, Talk, Access, Protect, and OS. These flaws could allow attackers to escalate privileges or execute arbitrary commands on affected devices. While no active exploitation has been reported for these specific vulnerabilities, the company has previously seen its UniFi OS and Edge OS products targeted by threat actors.

zeroday.news · 3h ago·high

Armored Likho Hits Government, Energy Sectors With BusySnake Stealer

Cybersecurity researchers have identified a new threat actor, dubbed Armored Likho, targeting government and energy sectors in Russia, Kazakhstan, and Brazil with a sophisticated phishing campaign. The operation utilizes a custom-built Python infostealer named BusySnake, designed to steal credentials, sensitive documents, and other high-value data. The attackers employ AI-generated payloads to obscure their activities and maintain persistence through various methods, including reverse SSH tunneling.