Common BloodHound Command-Line Options (RedCanary Threat Detection Report)
Detects common BloodHound parameters in command line strings. Part of the RedCanary 2023 Threat Detection Report.
Sigma rule:
```yaml
title: Common BloodHound Command-Line Options (RedCanary Threat Detection Report)
id: 2b7d1fff-74b3-496c-b8f9-3bd90ba102c5
status: experimental
description: Detects common BloodHound parameters in command line strings. Part of the RedCanary 2023 Threat Detection Report.
references:
    - https://redcanary.com/threat-detection-report/threats/bloodhound/
author: RedCanary, Sigma formatting by Micah Babinski
date: 2023/05/10
tags:
    - attack.s0521
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        CommandLine|contains:
            - '-collectionmethod'
            - 'invoke-bloodhound'
            - 'get-bloodhounddata'
    condition: selection
falsepositives:
    - Unknown
level: low
```
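To show what this rule actually does when a backend runs it, here is an added Python example (not part of the rule or of the RedCanary report) that evaluates the three `CommandLine|contains` values against a handful of constructed process_creation records. Sigma string matching is case-insensitive by default, so the values are compared against a lowercased command line. The `key=value|key=value` record layout, the image paths and every command line below are constructed for the example and are not taken from any real log.

```python
"""Toy evaluator for the Sigma rule above, run over constructed process-creation events.

Sigma's `contains` modifier is a case-insensitive substring test, so each value
is compared against the lowercased CommandLine field of every event.
"""

# Values copied from the rule's CommandLine|contains list (already lowercase).
BLOODHOUND_CLI_INDICATORS = (
    "-collectionmethod",
    "invoke-bloodhound",
    "get-bloodhounddata",
)

# Constructed sample log: one process_creation record per line, fields are
# 'key=value' pairs separated by '|'. These are invented for the example.
SAMPLE_LOG = [
    r'EventID=1|Image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|CommandLine=powershell.exe -Command "Import-Module .\collector.ps1; Invoke-BloodHound"',
    r'EventID=1|Image=C:\Temp\sh.exe|CommandLine=C:\Temp\sh.exe --CollectionMethod Session',
    r'EventID=1|Image=C:\Windows\System32\svchost.exe|CommandLine=svchost.exe -k netsvcs -p',
    r'EventID=1|Image=C:\Windows\System32\notepad.exe|CommandLine=notepad.exe bloodhound_notes.txt',
    r'EventID=1|Image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|CommandLine=powershell.exe Get-BloodHoundData',
]


def parse_event(line: str) -> dict[str, str]:
    """Parse one constructed 'key=value|key=value' record into a dict.

    Command lines can legitimately contain '=', so each part is split on the
    first '=' only; parts without '=' are ignored.
    """
    fields: dict[str, str] = {}
    for part in line.split("|"):
        key, sep, value = part.partition("=")
        if sep:
            fields[key.strip()] = value.strip()
    return fields


def matched_indicators(command_line: str) -> list[str]:
    """Return the rule values found in the command line (case-insensitive)."""
    lowered = command_line.lower()
    return [ind for ind in BLOODHOUND_CLI_INDICATORS if ind in lowered]


def rule_matches(event: dict[str, str]) -> bool:
    """The rule's condition is just 'selection': fire if any value is present."""
    return bool(matched_indicators(event.get("CommandLine", "")))


def run_detection(lines: list[str]) -> list[tuple[str, list[str]]]:
    """Evaluate every record; return (Image, matched values) for each hit."""
    hits: list[tuple[str, list[str]]] = []
    for line in lines:
        event = parse_event(line)
        found = matched_indicators(event.get("CommandLine", ""))
        if found:
            hits.append((event.get("Image", "<unknown>"), found))
    return hits


if __name__ == "__main__":
    for image, found in run_detection(SAMPLE_LOG):
        print(f"ALERT level=low image={image} matched={found}")
```

Three of the five constructed records fire; the `svchost.exe` line and the `notepad.exe bloodhound_notes.txt` line do not, which illustrates why the rule keys on specific option and cmdlet names rather than on the word "bloodhound". Because `falsepositives` is `Unknown` and the level is `low`, the natural next step in a real deployment is to review the `Image` and parent process of each hit in your own telemetry before raising the severity.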