rule: modified Bloodhound rule

2024-11-07 09:48:58 +00:00 · 2019-12-21 21:22:13 +01:00 · 2019-12-21 21:22:13 +01:00 · 511229c0b6
commit 511229c0b6
parent 781f53332b
1 changed files with 8 additions and 2 deletions
--- a/rules/windows/process_creation/win_hack_bloodhound.yml
+++ b/rules/windows/process_creation/win_hack_bloodhound.yml
@ -1,10 +1,12 @@
-title: Bloodhound Hack Tool
+title: Bloodhound and Sharphound Hack Tool
 id: f376c8a7-a2d0-4ddc-aa0c-16c17236d962
-description: Detects command line parameters used by Bloodhound hack tool
+description: Detects command line parameters used by Bloodhound and Sharphound hack tools
 author: Florian Roth
 references:
    - https://github.com/BloodHoundAD/BloodHound
+    - https://github.com/BloodHoundAD/SharpHound
 date: 2019/12/20
+modified: 2019/12/21
 tags:
    - attack.discovery
    - attack.t1087
@ -26,6 +28,10 @@ detection:
        CommandLine|contains|all: 
            - ' -JsonFolder '
            - ' -ZipFileName '
+    selection4:
+        CommandLine|contains|all: 
+            - ' DCOnly '
+            - ' --NoSaveCache '
    condition: 1 of them
 falsepositives:
    - Other programs that use these command line option and accepts an 'All' parameter