
BloodHound Collection Files

Detects default file names outputted by the BloodHound collection tool SharpHound

Author: C.J. May | Created: Tue Aug 09 | Updated: Thu Feb 19 | Rule ID: 02773bed-83bf-469f-b7ff-e676e7d78bab | Product: windows
Log Source
Product: Windows (raw: windows)
Category: File Event (raw: file_event)

Events for file system activity including creation, modification, and deletion.

Detection Logic (2 selectors)
detection:
    selection:
        TargetFilename|endswith:
            - 'BloodHound.zip'
            - '_computers.json'
            - '_containers.json'
            # - '_domains.json'  # prone to false positives with ProbabilisticRevealTokenRegistry function in Google Chrome
            - '_gpos.json'
            - '_groups.json'
            - '_ous.json'
            - '_users.json'
    filter_optional_ms_winapps:
        Image|endswith: '\svchost.exe'
        TargetFilename|startswith: 'C:\Program Files\WindowsApps\Microsoft.'
        TargetFilename|endswith: '\pocket_containers.json'
    condition: selection and not 1 of filter_optional_*

False Positives

Some false positives may arise in some environments, and this may require tuning. Add additional filters or reduce the level depending on the amount of noise.
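To make the rule's matching semantics concrete, here is an added example (not code from the Sigma project or this rule's author) that re-implements the selection, the optional WindowsApps filter and the condition in plain Python and runs them over constructed file-creation events shaped like Sysmon Event ID 11 fields. The paths and the SharpHound output names are constructed sample values; Sigma string modifiers are treated as case-insensitive, as the Sigma specification defines them.

```python
# Added example: plain-Python re-implementation of this rule's logic.
# Not part of the Sigma rule or the Sigma project; field names follow
# Sysmon Event ID 11 (FileCreate), which is what the file_event category maps to.
from typing import Dict, List

# TargetFilename|endswith list from the rule. '_domains.json' is left out,
# exactly as it is commented out in the rule (Chrome false positives).
SELECTION_SUFFIXES = (
    "BloodHound.zip", "_computers.json", "_containers.json",
    "_gpos.json", "_groups.json", "_ous.json", "_users.json",
)

def matches_selection(event: Dict[str, str]) -> bool:
    """'selection': any listed suffix matches TargetFilename (case-insensitive)."""
    target = event.get("TargetFilename", "").lower()
    return any(target.endswith(s.lower()) for s in SELECTION_SUFFIXES)

def matches_filter_optional_ms_winapps(event: Dict[str, str]) -> bool:
    """'filter_optional_ms_winapps': all three field tests must hold (AND within a selector)."""
    image = event.get("Image", "").lower()
    target = event.get("TargetFilename", "").lower()
    return (image.endswith("\\svchost.exe")
            and target.startswith("c:\\program files\\windowsapps\\microsoft.")
            and target.endswith("\\pocket_containers.json"))

def rule_fires(event: Dict[str, str]) -> bool:
    """condition: selection and not 1 of filter_optional_*"""
    return matches_selection(event) and not matches_filter_optional_ms_winapps(event)

def alerts(events: List[Dict[str, str]]) -> List[str]:
    """Return the TargetFilename of every event the rule would alert on."""
    return [e["TargetFilename"] for e in events if rule_fires(e)]

# Constructed sample events (hypothetical hosts and paths, not real telemetry).
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"Image": r"C:\Users\alice\Downloads\SharpHound.exe",
     "TargetFilename": r"C:\Users\alice\Downloads\20240101120000_BloodHound.zip"},
    {"Image": r"C:\Users\alice\Downloads\SharpHound.exe",
     "TargetFilename": r"C:\Users\alice\Downloads\20240101120000_users.json"},
    # Benign: Store app data written by svchost.exe; '_containers.json' suffix
    # matches the selection, so only the optional filter keeps it quiet.
    {"Image": r"C:\Windows\System32\svchost.exe",
     "TargetFilename": r"C:\Program Files\WindowsApps\Microsoft.ExampleApp_1.0.0.0_x64__placeholder\pocket_containers.json"},
    # Benign: '_domains.json' is not in the active suffix list.
    {"Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "TargetFilename": r"C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default\_domains.json"},
]

if __name__ == "__main__":
    for name in alerts(SAMPLE_EVENTS):
        print("ALERT:", name)
```

Adding a further `filter_optional_*` selector to the rule corresponds to adding one more predicate to the `not` side of `rule_fires`, which is how environment-specific tuning is expressed without touching the selection.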

Rule Metadata
Rule ID
02773bed-83bf-469f-b7ff-e676e7d78bab
Status
test
Level
high
Type
Detection
Created
Tue Aug 09
Modified
Thu Feb 19
Author
C.J. May
Path
rules/windows/file/file_event/file_event_win_bloodhound_collection.yml
Raw Tags
attack.discovery, attack.t1087.001, attack.t1087.002, attack.t1482, attack.t1069.001, attack.t1069.002, attack.execution, attack.t1059.001