some false positives may arise in some environment and this may require some tuning. add additional filters or reduce level depending on the level of noise

t1059
t1059.001
t1069
t1069.001
t1069.002
t1087
t1087.001
t1087.002
t1482
windows
sigma

Techniques

t1059
t1059.001
t1069
t1069.001
t1069.002
t1087
t1087.001
t1087.002
t1482

Sample rules

BloodHound Collection Files

source: sigma
technicques:
- t1059
- t1059.001
- t1069
- t1069.001
- t1069.002
- t1087
- t1087.001
- t1087.002
- t1482

Description

Detects default file names outputted by the BloodHound collection tool SharpHound

Detection logic

condition: selection and not 1 of filter_optional_*
filter_optional_ms_winapps:
  Image|endswith: \svchost.exe
  TargetFilename|endswith: \pocket_containers.json
  TargetFilename|startswith: C:\Program Files\WindowsApps\Microsoft.
selection:
  TargetFilename|endswith:
  - BloodHound.zip
  - _computers.json
  - _containers.json
  - _domains.json
  - _gpos.json
  - _groups.json
  - _ous.json
  - _users.json