Techniques
Sample rules
Detect SharpHound Command-Line Arguments
- source: splunk
- technicques:
- T1087.002
- T1069.001
- T1482
- T1087.001
- T1087
- T1069.002
- T1069
Description
The following analytic identifies common command-line arguments used by SharpHound -collectionMethod
and invoke-bloodhound
. Being the script is FOSS, function names may be modified, but these changes are dependent upon the operator. In most instances the defaults are used. This analytic works to identify the common command-line attributes used. It does not cover the entirety of every argument in order to avoid false positives.
Detection logic
| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process IN ("*-collectionMethod*","*invoke-bloodhound*") by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id
| `drop_dm_object_name(Processes)`
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `detect_sharphound_command_line_arguments_filter`