Detection rules › Sigma
HackTool - Bloodhound/Sharphound Execution
Detects command line parameters used by Bloodhound and Sharphound hack tools
MITRE ATT&CK coverage
Event coverage
| Provider | Event ID | Title |
|---|---|---|
| Sysmon | 1 | Process creation |
Stages and Predicates
Stage 1: 1 of selection_img
or:
Company|contains: SpecterOps
Company|contains: 'evil corp'
Description|contains: SharpHound
Image|contains: '\Bloodhound.exe'
Image|contains: '\SharpHound.exe'
Product|contains: SharpHound
Stage 2: 1 of selection_cli_1
or:
CommandLine|contains: ' --CollectionMethods Session '
CommandLine|contains: ' --Loop --Loopduration '
CommandLine|contains: ' --PortScanTimeout '
CommandLine|contains: ' -CollectionMethod All '
CommandLine|contains: '.exe -c All -d '
CommandLine|contains: Get-BloodHoundData
CommandLine|contains: Invoke-Bloodhound
Stage 3: 1 of selection_cli_2
CommandLine|contains: ' -JsonFolder '
CommandLine|contains: ' -ZipFileName '
Stage 4: 1 of selection_cli_3
CommandLine|contains: ' --NoSaveCache '
CommandLine|contains: ' DCOnly '
Indicators
Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.
| Field | Kind | Values |
|---|---|---|
CommandLine | match |
|
Company | match |
|
Description | match |
|
Image | match |
|
Product | match |
|