← Back to Explore
sigmahighHunting
BloodHound Collection Files
Detects default file names outputted by the BloodHound collection tool SharpHound
Detection Query
selection:
TargetFilename|endswith:
- BloodHound.zip
- _computers.json
- _containers.json
- _gpos.json
- _groups.json
- _ous.json
- _users.json
filter_optional_ms_winapps:
Image|endswith: \svchost.exe
TargetFilename|startswith: C:\Program Files\WindowsApps\Microsoft.
TargetFilename|endswith: \pocket_containers.json
condition: selection and not 1 of filter_optional_*
Author
C.J. May
Created
2022-08-09
Data Sources
windowsFile Events
Platforms
windows
Tags
attack.discoveryattack.t1087.001attack.t1087.002attack.t1482attack.t1069.001attack.t1069.002attack.executionattack.t1059.001
Raw Content
title: BloodHound Collection Files
id: 02773bed-83bf-469f-b7ff-e676e7d78bab
status: test
description: Detects default file names outputted by the BloodHound collection tool SharpHound
references:
- https://academy.hackthebox.com/course/preview/active-directory-bloodhound/bloodhound--data-collection
author: C.J. May
date: 2022-08-09
modified: 2026-02-19
tags:
- attack.discovery
- attack.t1087.001
- attack.t1087.002
- attack.t1482
- attack.t1069.001
- attack.t1069.002
- attack.execution
- attack.t1059.001
logsource:
product: windows
category: file_event
detection:
selection:
TargetFilename|endswith:
- 'BloodHound.zip'
- '_computers.json'
- '_containers.json'
# - '_domains.json' # prone to false positives with ProbabilisticRevealTokenRegistry function in Google Chrome
- '_gpos.json'
- '_groups.json'
- '_ous.json'
- '_users.json'
filter_optional_ms_winapps:
Image|endswith: '\svchost.exe'
TargetFilename|startswith: 'C:\Program Files\WindowsApps\Microsoft.'
TargetFilename|endswith: '\pocket_containers.json'
condition: selection and not 1 of filter_optional_*
falsepositives:
- Some false positives may arise in some environment and this may require some tuning. Add additional filters or reduce level depending on the level of noise
level: high