Query Details

BloodHound Detection

Blood Hound Process Detection

Query

// List with known bloodhound executions
let BloodhoundCommands = dynamic(['-collectionMethod', 'invoke-bloodhound' ,'get-bloodHounddata']);
DeviceProcessEvents
| where ProcessCommandLine has_any (BloodhoundCommands)
| project
     Timestamp,
     DeviceName,
     AccountName,
     AccountDomain,
     ProcessCommandLine,
     FileName,
     InitiatingProcessCommandLine,
     InitiatingProcessFileName

About this query

BloodHound Detection

Query Information

Description

This query detects the use of bloodhound based on the processes it creates. This detection is based on Threat Report by RedCanary.

References

Defender XDR

Sentinel

// List with known bloodhound executions
let BloodhoundCommands = dynamic(['-collectionMethod', 'invoke-bloodhound' ,'get-bloodHounddata']);
DeviceProcessEvents
| where ProcessCommandLine has_any (BloodhoundCommands)
| project
     TimeGenerated,
     DeviceName,
     AccountName,
     AccountDomain,
     ProcessCommandLine,
     FileName,
     InitiatingProcessCommandLine,
     InitiatingProcessFileName

Explanation

This query is designed to detect the use of BloodHound, a tool often used for analyzing Active Directory environments, by identifying specific processes it creates. The query looks for known BloodHound command patterns in the command lines of processes running on devices. It checks if any of these processes contain certain keywords associated with BloodHound execution, such as -collectionMethod, invoke-bloodhound, or get-bloodHounddata.

The query is written for two different platforms, Defender XDR and Sentinel, but both perform the same function. They search through device process events to find any command lines that match the known BloodHound patterns. If a match is found, the query extracts and displays relevant information such as the timestamp, device name, account details, and the command lines of both the process and its initiating process. This helps in identifying and investigating potential unauthorized use of BloodHound in the network.

Details

Bert-Jan Pals profile picture

Bert-Jan Pals

Released: December 1, 2024

Tables

DeviceProcessEvents

Keywords

BloodhoundDetectionDeviceProcessEventsTimestampNameAccountDomainCommandLineFileInitiatingTimeGenerated

Operators

letdynamichas_anyprojectwhere

Actions

GitHub