BloodHound Collection Files

Severity: high
Author: C.J. May
Source: upstream

Detects default file names outputted by the BloodHound collection tool SharpHound

MITRE ATT&CK coverage

Tactic	Techniques
Execution	`T1059.001` Command and Scripting Interpreter: PowerShell
Discovery	`T1069.001` Permission Groups Discovery: Local Groups, `T1069.002` Permission Groups Discovery: Domain Groups, `T1087.001` Account Discovery: Local Account, `T1087.002` Account Discovery: Domain Account, `T1482` Domain Trust Discovery

Event coverage

Provider	Event ID	Title
Sysmon	11	FileCreate

Stages and Predicates

Stage 1: `selection`

or:
TargetFilename|endswith: BloodHound.zip
TargetFilename|endswith: _computers.json
TargetFilename|endswith: _containers.json
TargetFilename|endswith: _gpos.json
TargetFilename|endswith: _groups.json
TargetFilename|endswith: _ous.json
TargetFilename|endswith: _users.json

Stage 2: `not 1 of filter_optional_ms_winapps`

Image|endswith: '\svchost.exe'
TargetFilename|endswith: '\pocket_containers.json'
TargetFilename|startswith: 'C:\Program Files\WindowsApps\Microsoft.'

Indicators

Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.

Field	Kind	Values
`Image`	ends_with	`\svchost.exe` corpus 20 (sigma 20)
`TargetFilename`	ends_with	`BloodHound.zip` `\pocket_containers.json` `_computers.json` `_containers.json` `_gpos.json` `_groups.json` `_ous.json` `_users.json`
`TargetFilename`	starts_with	`C:\Program Files\WindowsApps\Microsoft.`