BloodHound Collection Files
Detects default file names outputted by the BloodHound collection tool SharpHound
Sigma rule
title: BloodHound Collection Files
id: 02773bed-83bf-469f-b7ff-e676e7d78bab
status: test
description: Detects default file names outputted by the BloodHound collection tool SharpHound
references:
  - https://academy.hackthebox.com/course/preview/active-directory-bloodhound/bloodhound--data-collection
author: C.J. May
date: 2022-08-09
modified: 2023-03-29
tags:
  - attack.discovery
  - attack.t1087.001
  - attack.t1087.002
  - attack.t1482
  - attack.t1069.001
  - attack.t1069.002
  - attack.execution
  - attack.t1059.001
logsource:
  product: windows
  category: file_event
detection:
  selection:
    TargetFilename|endswith:
      - 'BloodHound.zip'
      - '_computers.json'
      - '_containers.json'
      - '_domains.json'
      - '_gpos.json'
      - '_groups.json'
      - '_ous.json'
      - '_users.json'
  filter_optional_ms_winapps:
    Image|endswith: '\svchost.exe'
    TargetFilename|startswith: 'C:\Program Files\WindowsApps\Microsoft.'
    TargetFilename|endswith: '\pocket_containers.json'
  condition: selection and not 1 of filter_optional_*
falsepositives:
  - Some false positives may arise in some environments and this may require some tuning. Add additional filters or reduce the level depending on the amount of noise.
level: high
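To show how the rule above behaves, here is an added Python evaluator (not the SigmaHQ project's code) that applies the selection, the optional svchost/WindowsApps filter and the condition to a few constructed Sysmon-style file-creation events; the field names follow the rule, the file paths and the WindowsApps package folder name are constructed placeholders.

```python
SELECTION_SUFFIXES = (
    "BloodHound.zip", "_computers.json", "_containers.json", "_domains.json",
    "_gpos.json", "_groups.json", "_ous.json", "_users.json",
)

def _ends(value: str, suffix: str) -> bool:
    # Sigma string modifiers match case-insensitively by default
    return value.lower().endswith(suffix.lower())

def _starts(value: str, prefix: str) -> bool:
    return value.lower().startswith(prefix.lower())

def selection(event: dict) -> bool:
    """TargetFilename|endswith any SharpHound default output name."""
    target = event.get("TargetFilename", "")
    return any(_ends(target, s) for s in SELECTION_SUFFIXES)

def filter_optional_ms_winapps(event: dict) -> bool:
    """Benign case: a Microsoft Store app writing pocket_containers.json via svchost."""
    image = event.get("Image", "")
    target = event.get("TargetFilename", "")
    return (_ends(image, "\\svchost.exe")
            and _starts(target, "C:\\Program Files\\WindowsApps\\Microsoft.")
            and _ends(target, "\\pocket_containers.json"))

def matches(event: dict) -> bool:
    """condition: selection and not 1 of filter_optional_*"""
    return selection(event) and not filter_optional_ms_winapps(event)

# Constructed sample file-creation events (Sysmon Event ID 11 field names)
SAMPLE_EVENTS = [
    {"Image": "C:\\Users\\alice\\Downloads\\SharpHound.exe",
     "TargetFilename": "C:\\Users\\alice\\Downloads\\20220809120000_BloodHound.zip"},
    {"Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "TargetFilename": "C:\\Temp\\20220809120000_users.json"},
    {"Image": "C:\\Windows\\System32\\svchost.exe",
     "TargetFilename": "C:\\Program Files\\WindowsApps\\Microsoft.Example_1.0_x64__placeholder\\pocket_containers.json"},
    {"Image": "C:\\Windows\\explorer.exe",
     "TargetFilename": "C:\\Users\\alice\\Documents\\report.docx"},
]

def alerts(events=SAMPLE_EVENTS) -> list:
    """Return the TargetFilename of every event the rule fires on."""
    return [e["TargetFilename"] for e in events if matches(e)]

if __name__ == "__main__":
    for name in alerts():
        print("ALERT:", name)
```

The third sample event is the documented benign case: it satisfies the selection (its name ends in `_containers.json`) but is suppressed by the optional filter, which is exactly what `selection and not 1 of filter_optional_*` expresses.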
Related rules
- HackTool - Bloodhound/Sharphound Execution
- Malicious PowerShell Commandlets - PoshModule
- Malicious PowerShell Commandlets - ProcessCreation
- Malicious PowerShell Commandlets - ScriptBlock
- PUA - AdFind Suspicious Execution