Discovery Using AzureHound
Detects AzureHound (a BloodHound data collector for Microsoft Azure) activity via the default User-Agent it presents to Azure AD, matched only on successful sign-ins (ResultType 0), i.e. once the collector has authenticated and is about to enumerate the tenant. Because the User-Agent string is client-controlled, this is a high-precision but easily evaded indicator: an operator who changes the default value will not trip the rule, and a failed sign-in attempt with the default value is not alerted on either.
Sigma rule
```yaml
title: Discovery Using AzureHound
id: 35b781cc-1a08-4a5a-80af-42fd7c315c6b
status: test
description: Detects AzureHound (a BloodHound data collector for Microsoft Azure) activity via the default User-Agent that is used during its operation after successful authentication.
references:
    - https://github.com/BloodHoundAD/AzureHound
author: Janantha Marasinghe
date: 2022-11-27
tags:
    - attack.discovery
    - attack.t1087.004
    - attack.t1526
logsource:
    product: azure
    service: signinlogs
detection:
    selection:
        userAgent|contains: 'azurehound'
        ResultType: 0
    condition: selection
falsepositives:
    - Unknown
level: high
```
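To make the selection logic concrete, the following is an added Python example (not part of the Sigma rule or the SigmaHQ project) that evaluates the rule's single selection over constructed Azure AD sign-in records. The field names follow the rule; the sample User-Agent strings, user principal names and error code are assumptions chosen to exercise the edge cases a practitioner cares about: the `contains` modifier is case-insensitive in Sigma, `ResultType` may arrive as the string `"0"` rather than the integer `0` (the Log Analytics SigninLogs table stores it as a string), and a failed sign-in with the AzureHound User-Agent must not fire because the rule deliberately keys on successful authentication.

```python
from typing import Any, Iterable

# Constructed sample records in the shape of Azure AD sign-in log events
# (Sigma logsource: product azure, service signinlogs). These are not real
# telemetry; the User-Agent values, UPNs and error code are assumed examples.
SAMPLE_SIGNIN_LOGS = [
    # default AzureHound User-Agent, successful sign-in -> should alert
    {"userPrincipalName": "alice@contoso.example",
     "userAgent": "azurehound/v2.1.0", "ResultType": 0},
    # mixed case UA and ResultType as a string -> should still alert
    {"userPrincipalName": "bob@contoso.example",
     "userAgent": "AzureHound/v2.1.0", "ResultType": "0"},
    # AzureHound UA but failed sign-in (assumed error code) -> no alert
    {"userPrincipalName": "carol@contoso.example",
     "userAgent": "azurehound/v2.1.0", "ResultType": 50126},
    # ordinary browser sign-in -> no alert
    {"userPrincipalName": "dave@contoso.example",
     "userAgent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64)", "ResultType": 0},
    # record with no userAgent field at all -> no alert, no crash
    {"userPrincipalName": "erin@contoso.example", "ResultType": 0},
]


def sigma_contains(value: Any, needle: str) -> bool:
    """Sigma 'contains' modifier: case-insensitive substring match on a string field."""
    if not isinstance(value, str):
        return False
    return needle.lower() in value.lower()


def sigma_equals_number(value: Any, expected: int) -> bool:
    """Numeric equality that also accepts the string form ('0') used by the
    Log Analytics SigninLogs table for ResultType."""
    try:
        return int(value) == expected
    except (TypeError, ValueError):
        return False


def matches_azurehound_rule(event: dict) -> bool:
    """The rule's selection: userAgent|contains 'azurehound' AND ResultType == 0."""
    return (sigma_contains(event.get("userAgent"), "azurehound")
            and sigma_equals_number(event.get("ResultType"), 0))


def run_rule(events: Iterable[dict]) -> list[str]:
    """Return the userPrincipalName of every event that fires the rule."""
    return [e.get("userPrincipalName", "<unknown>")
            for e in events if matches_azurehound_rule(e)]


if __name__ == "__main__":
    for upn in run_rule(SAMPLE_SIGNIN_LOGS):
        print(f"ALERT Discovery Using AzureHound: successful sign-in by {upn}")
```

When porting the rule to a real backend, keep both behaviours shown above: match the User-Agent case-insensitively, and compare `ResultType` in a way that works whether the field is typed as a number or a string, otherwise the `bob` style record silently falls through.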
References
- https://github.com/BloodHoundAD/AzureHound
Related rules
- Github Self Hosted Runner Changes Detected
- PUA - Seatbelt Execution
- AADInternals PowerShell Cmdlets Execution - ProccessCreation
- AADInternals PowerShell Cmdlets Execution - PsScript
- AD Groups Or Users Enumeration Using PowerShell - PoshModule