BloodHound Detection

Query Information

Description

This query detects the use of bloodhound based on the processes it creates. This detection is based on Threat Report by RedCanary.

References

https://redcanary.com/threat-detection-report/threats/bloodhound/

Defender For Endpoint

// List with known bloodhound executions
let BloodhoundCommands = dynamic(['-collectionMethod', 'invoke-bloodhound' ,'get-bloodHounddata']);
DeviceProcessEvents
| where ProcessCommandLine has_any (BloodhoundCommands)
| project
     Timestamp,
     DeviceName,
     AccountName,
     AccountDomain,
     ProcessCommandLine,
     FileName,
     InitiatingProcessCommandLine,
     InitiatingProcessFileName

Sentinel

// List with known bloodhound executions
let BloodhoundCommands = dynamic(['-collectionMethod', 'invoke-bloodhound' ,'get-bloodHounddata']);
DeviceProcessEvents
| where ProcessCommandLine has_any (BloodhoundCommands)
| project
     TimeGenerated,
     DeviceName,
     AccountName,
     AccountDomain,
     ProcessCommandLine,
     FileName,
     InitiatingProcessCommandLine,
     InitiatingProcessFileName

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

BloodHoundProcessDetection.md

BloodHoundProcessDetection.md

BloodHound Detection

Query Information

Description

References

Defender For Endpoint

Sentinel

Files

BloodHoundProcessDetection.md

Latest commit

History

BloodHoundProcessDetection.md

File metadata and controls

BloodHound Detection

Query Information

Description

References

Defender For Endpoint

Sentinel