HackTool - Bloodhound/Sharphound Execution
Detects command line parameters used by Bloodhound and Sharphound hack tools
Sigma rule
```yaml
title: HackTool - Bloodhound/Sharphound Execution
id: f376c8a7-a2d0-4ddc-aa0c-16c17236d962
status: test
description: Detects command line parameters used by Bloodhound and Sharphound hack tools
references:
    - https://github.com/BloodHoundAD/BloodHound
    - https://github.com/BloodHoundAD/SharpHound
author: Florian Roth (Nextron Systems)
date: 2019-12-20
modified: 2023-02-04
tags:
    - attack.discovery
    - attack.t1087.001
    - attack.t1087.002
    - attack.t1482
    - attack.t1069.001
    - attack.t1069.002
    - attack.execution
    - attack.t1059.001
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Product|contains: 'SharpHound'
        - Description|contains: 'SharpHound'
        - Company|contains:
              - 'SpecterOps'
              - 'evil corp'
        - Image|contains:
              - '\Bloodhound.exe'
              - '\SharpHound.exe'
    selection_cli_1:
        CommandLine|contains:
            - ' -CollectionMethod All '
            - ' --CollectionMethods Session '
            - ' --Loop --Loopduration '
            - ' --PortScanTimeout '
            - '.exe -c All -d '
            - 'Invoke-Bloodhound'
            - 'Get-BloodHoundData'
    selection_cli_2:
        CommandLine|contains|all:
            - ' -JsonFolder '
            - ' -ZipFileName '
    selection_cli_3:
        CommandLine|contains|all:
            - ' DCOnly '
            - ' --NoSaveCache '
    condition: 1 of selection_*
falsepositives:
    - Other programs that use these command line options and accept an 'All' parameter
level: high
```
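As an added example (not part of this page or of Sigma's own tooling), the Python below evaluates the rule's four selections against constructed Windows process-creation events, so the OR semantics of `contains` versus the AND semantics of `contains|all` and the `1 of selection_*` condition can be seen on concrete input. Field names follow the rule; the event dictionaries and paths are constructed.

```python
# Added example, not Sigma's own tooling: a minimal evaluator for this rule's four
# selections, run over constructed process-creation events to show which selection fires.
IMG_FIELDS = {"Product": ["SharpHound"], "Description": ["SharpHound"],
              "Company": ["SpecterOps", "evil corp"],
              "Image": ["\\Bloodhound.exe", "\\SharpHound.exe"]}
CLI_ANY = [" -CollectionMethod All ", " --CollectionMethods Session ",
           " --Loop --Loopduration ", " --PortScanTimeout ", ".exe -c All -d ",
           "Invoke-Bloodhound", "Get-BloodHoundData"]
CLI_ALL_2 = [" -JsonFolder ", " -ZipFileName "]
CLI_ALL_3 = [" DCOnly ", " --NoSaveCache "]

def contains(value, needle):
    """Sigma 'contains': substring match, case-insensitive by default."""
    return needle.lower() in (value or "").lower()

def selection_img(ev):
    # Several field conditions listed under one selection are OR-ed.
    return any(contains(ev.get(f), n) for f, needles in IMG_FIELDS.items() for n in needles)

def selection_cli_1(ev):  # CommandLine|contains: any one value suffices
    return any(contains(ev.get("CommandLine"), n) for n in CLI_ANY)

def selection_cli_2(ev):  # CommandLine|contains|all: every value must be present
    return all(contains(ev.get("CommandLine"), n) for n in CLI_ALL_2)

def selection_cli_3(ev):
    return all(contains(ev.get("CommandLine"), n) for n in CLI_ALL_3)

SELECTIONS = {"selection_img": selection_img, "selection_cli_1": selection_cli_1,
              "selection_cli_2": selection_cli_2, "selection_cli_3": selection_cli_3}

def matched_selections(ev):
    """Names of firing selections; 'condition: 1 of selection_*' alerts on any non-empty list."""
    return [name for name, check in SELECTIONS.items() if check(ev)]

# Constructed events (not real telemetry); the first is a renamed binary with empty version info.
EVENTS = [
    {"Image": "C:\\Users\\u\\AppData\\Local\\Temp\\svc.exe", "Product": "", "Company": "",
     "CommandLine": "svc.exe -c All -d corp.example"},
    {"Image": "C:\\Tools\\SharpHound.exe", "Product": "SharpHound", "Company": "SpecterOps",
     "CommandLine": "SharpHound.exe --CollectionMethods Session --Loop --Loopduration 02:00:00"},
    {"Image": "C:\\backup\\tool.exe", "Company": "Example Corp",
     "CommandLine": "tool.exe -JsonFolder C:\\out"},   # one of two contains|all terms: no alert
    {"Image": "C:\\Windows\\System32\\cmd.exe", "CommandLine": "cmd.exe /c dir"},
]

if __name__ == "__main__":
    for ev in EVENTS:
        print(ev["CommandLine"], "->", matched_selections(ev) or "no match")
```

The first event shows why the command-line selections matter: with the binary renamed and its version resource blanked, `selection_img` stays silent and only `selection_cli_1` fires.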
Related rules
- BloodHound Collection Files
- Malicious PowerShell Commandlets - PoshModule
- Malicious PowerShell Commandlets - ScriptBlock
- PUA - AdFind Suspicious Execution
- AdFind Discovery