HackTool - Bloodhound/Sharphound Execution

Detects command line parameters used by Bloodhound and Sharphound hack tools

Sigma rule (View on GitHub)

 1title: HackTool - Bloodhound/Sharphound Execution
 2id: f376c8a7-a2d0-4ddc-aa0c-16c17236d962
 3status: test
 4description: Detects command line parameters used by Bloodhound and Sharphound hack tools
 5references:
 6    - https://github.com/BloodHoundAD/BloodHound
 7    - https://github.com/BloodHoundAD/SharpHound
 8author: Florian Roth (Nextron Systems)
 9date: 2019/12/20
10modified: 2023/02/04
11tags:
12    - attack.discovery
13    - attack.t1087.001
14    - attack.t1087.002
15    - attack.t1482
16    - attack.t1069.001
17    - attack.t1069.002
18    - attack.execution
19    - attack.t1059.001
20logsource:
21    category: process_creation
22    product: windows
23detection:
24    selection_img:
25        - Product|contains: 'SharpHound'
26        - Description|contains: 'SharpHound'
27        - Company|contains:
28              - 'SpecterOps'
29              - 'evil corp'
30        - Image|contains:
31              - '\Bloodhound.exe'
32              - '\SharpHound.exe'
33    selection_cli_1:
34        CommandLine|contains:
35            - ' -CollectionMethod All '
36            - ' --CollectionMethods Session '
37            - ' --Loop --Loopduration '
38            - ' --PortScanTimeout '
39            - '.exe -c All -d '
40            - 'Invoke-Bloodhound'
41            - 'Get-BloodHoundData'
42    selection_cli_2:
43        CommandLine|contains|all:
44            - ' -JsonFolder '
45            - ' -ZipFileName '
46    selection_cli_3:
47        CommandLine|contains|all:
48            - ' DCOnly '
49            - ' --NoSaveCache '
50    condition: 1 of selection_*
51falsepositives:
52    - Other programs that use these command line option and accepts an 'All' parameter
53level: high

References

Related rules

to-top