SigmaHQ/rules/windows/process_creation/win_hack_bloodhound.yml
2019-12-21 21:22:13 +01:00

40 lines
1.1 KiB
YAML

title: Bloodhound and Sharphound Hack Tool
id: f376c8a7-a2d0-4ddc-aa0c-16c17236d962
description: Detects command line parameters used by Bloodhound and Sharphound hack tools
author: Florian Roth
references:
- https://github.com/BloodHoundAD/BloodHound
- https://github.com/BloodHoundAD/SharpHound
date: 2019/12/20
modified: 2019/12/21
tags:
- attack.discovery
- attack.t1087
logsource:
category: process_creation
product: windows
detection:
selection1:
Image|contains:
- '\Bloodhound.exe'
- '\SharpHound.exe'
selection2:
CommandLine|contains:
- ' -CollectionMethod All '
- '.exe -c All -d '
- 'Invoke-Bloodhound'
- 'Get-BloodHoundData'
selection3:
CommandLine|contains|all:
- ' -JsonFolder '
- ' -ZipFileName '
selection4:
CommandLine|contains|all:
- ' DCOnly '
- ' --NoSaveCache '
condition: 1 of them
falsepositives:
- Other programs that use these command line option and accepts an 'All' parameter
level: high