EXPLORE
Sign In
← Back to Explore
sigmahighHunting

HackTool - Bloodhound/Sharphound Execution

Detects command line parameters used by Bloodhound and Sharphound hack tools

MITRE ATT&CK

T1087.001T1087.002T1482T1069.001T1069.002T1059.001
discoveryexecution

Detection Query

selection_img:
  - Product|contains: SharpHound
  - Description|contains: SharpHound
  - Company|contains:
      - SpecterOps
      - evil corp
  - Image|contains:
      - \Bloodhound.exe
      - \SharpHound.exe
selection_cli_1:
  CommandLine|contains:
    - " -CollectionMethod All "
    - " --CollectionMethods Session "
    - " --Loop --Loopduration "
    - " --PortScanTimeout "
    - ".exe -c All -d "
    - Invoke-Bloodhound
    - Get-BloodHoundData
selection_cli_2:
  CommandLine|contains|all:
    - " -JsonFolder "
    - " -ZipFileName "
selection_cli_3:
  CommandLine|contains|all:
    - " DCOnly "
    - " --NoSaveCache "
condition: 1 of selection_*

Author

Florian Roth (Nextron Systems)

Created

2019-12-20

Data Sources

windowsProcess Creation Events

Platforms

windows

References

Tags

attack.discoveryattack.t1087.001attack.t1087.002attack.t1482attack.t1069.001attack.t1069.002attack.executionattack.t1059.001
Raw Content
title: HackTool - Bloodhound/Sharphound Execution
id: f376c8a7-a2d0-4ddc-aa0c-16c17236d962
status: test
description: Detects command line parameters used by Bloodhound and Sharphound hack tools
references:
    - https://github.com/BloodHoundAD/BloodHound
    - https://github.com/BloodHoundAD/SharpHound
author: Florian Roth (Nextron Systems)
date: 2019-12-20
modified: 2023-02-04
tags:
    - attack.discovery
    - attack.t1087.001
    - attack.t1087.002
    - attack.t1482
    - attack.t1069.001
    - attack.t1069.002
    - attack.execution
    - attack.t1059.001
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Product|contains: 'SharpHound'
        - Description|contains: 'SharpHound'
        - Company|contains:
              - 'SpecterOps'
              - 'evil corp'
        - Image|contains:
              - '\Bloodhound.exe'
              - '\SharpHound.exe'
    selection_cli_1:
        CommandLine|contains:
            - ' -CollectionMethod All '
            - ' --CollectionMethods Session '
            - ' --Loop --Loopduration '
            - ' --PortScanTimeout '
            - '.exe -c All -d '
            - 'Invoke-Bloodhound'
            - 'Get-BloodHoundData'
    selection_cli_2:
        CommandLine|contains|all:
            - ' -JsonFolder '
            - ' -ZipFileName '
    selection_cli_3:
        CommandLine|contains|all:
            - ' DCOnly '
            - ' --NoSaveCache '
    condition: 1 of selection_*
falsepositives:
    - Other programs that use these command line option and accepts an 'All' parameter
level: high