SigmaHQ/rules/windows/process_creation/win_hack_bloodhound.yml

title: Bloodhound and Sharphound Hack Tool
id: f376c8a7-a2d0-4ddc-aa0c-16c17236d962
description: Detects command line parameters used by Bloodhound and Sharphound hack tools
author: Florian Roth
references:
    - https://github.com/BloodHoundAD/BloodHound
    - https://github.com/BloodHoundAD/SharpHound
date: 2019/12/20
modified: 2019/12/21
tags:
    - attack.discovery
    - attack.t1087.001
    - attack.t1087.002
    - attack.t1087  # an old one
    - attack.t1482
    - attack.t1069.001
    - attack.t1069.002
    - attack.t1069  # an old one
    - attack.execution
    - attack.t1059.001
    - attack.t1086  # an old one
logsource:
    category: process_creation
    product: windows
detection:
    selection1: 
        Image|contains: 
            - '\Bloodhound.exe'
            - '\SharpHound.exe'
    selection2:
        CommandLine|contains: 
            - ' -CollectionMethod All '
            - '.exe -c All -d '
            - 'Invoke-Bloodhound'
            - 'Get-BloodHoundData'
    selection3:
        CommandLine|contains|all: 
            - ' -JsonFolder '
            - ' -ZipFileName '
    selection4:
        CommandLine|contains|all: 
            - ' DCOnly '
            - ' --NoSaveCache '
    condition: 1 of them
falsepositives:
    - Other programs that use these command line option and accepts an 'All' parameter
level: high
rule: modified Bloodhound rule 2019-12-21 20:22:13 +00:00			`title: Bloodhound and Sharphound Hack Tool`
rule: Bloodhound 2019-12-20 13:59:36 +00:00			`id: f376c8a7-a2d0-4ddc-aa0c-16c17236d962`
rule: modified Bloodhound rule 2019-12-21 20:22:13 +00:00			`description: Detects command line parameters used by Bloodhound and Sharphound hack tools`
rule: Bloodhound 2019-12-20 13:59:36 +00:00			`author: Florian Roth`
			`references:`
			`- https://github.com/BloodHoundAD/BloodHound`
rule: modified Bloodhound rule 2019-12-21 20:22:13 +00:00			`- https://github.com/BloodHoundAD/SharpHound`
rule: Bloodhound 2019-12-20 13:59:36 +00:00			`date: 2019/12/20`
rule: modified Bloodhound rule 2019-12-21 20:22:13 +00:00			`modified: 2019/12/21`
rule: Bloodhound 2019-12-20 13:59:36 +00:00			`tags:`
			`- attack.discovery`
att&ck tags review: windows/process_creation part 3 2020-09-01 17:02:36 +00:00			`- attack.t1087.001`
			`- attack.t1087.002`
			`- attack.t1087 # an old one`
			`- attack.t1482`
			`- attack.t1069.001`
			`- attack.t1069.002`
			`- attack.t1069 # an old one`
			`- attack.execution`
			`- attack.t1059.001`
			`- attack.t1086 # an old one`
rule: Bloodhound 2019-12-20 13:59:36 +00:00			`logsource:`
			`category: process_creation`
			`product: windows`
			`detection:`
rule: improved bloodhound rule 2019-12-20 15:08:26 +00:00			`selection1:`
			`Image\|contains:`
			`- '\Bloodhound.exe'`
			`- '\SharpHound.exe'`
			`selection2:`
			`CommandLine\|contains:`
			`- ' -CollectionMethod All '`
rule :improved bloodhound rule 2019-12-20 16:23:40 +00:00			`- '.exe -c All -d '`
rule: improved bloodhound rule 2019-12-20 15:08:26 +00:00			`- 'Invoke-Bloodhound'`
			`- 'Get-BloodHoundData'`
			`selection3:`
			`CommandLine\|contains\|all:`
			`- ' -JsonFolder '`
			`- ' -ZipFileName '`
rule: modified Bloodhound rule 2019-12-21 20:22:13 +00:00			`selection4:`
			`CommandLine\|contains\|all:`
			`- ' DCOnly '`
			`- ' --NoSaveCache '`
fix: fixed wrong condition 2019-12-20 15:11:39 +00:00			`condition: 1 of them`
rule: Bloodhound 2019-12-20 13:59:36 +00:00			`falsepositives:`
rule: false positive condition for BloodHound rule 2019-12-20 14:35:13 +00:00			`- Other programs that use these command line option and accepts an 'All' parameter`
rule: changed level of BloodHound rule 2019-12-20 14:37:58 +00:00			`level: high`
rule: improved bloodhound rule 2019-12-20 15:08:26 +00:00