Sigma rules for BloodHound
6 rules · scoped to tool · back to BloodHound
Direct rules mention this entity in their title or description. Related rules cover the techniques this entity is known to use.
title: Discovery Using AzureHound
id: 35b781cc-1a08-4a5a-80af-42fd7c315c6b
status: test
description: Detects AzureHound (A BloodHound data collector for Microsoft Azure) activity via the default User-Agent that is used during its operation after successful authentication.
references:
- https://github.com/BloodHoundAD/AzureHound
author: Janantha Marasinghe
date: 2022-11-27
tags:
- attack.discovery
- attack.t1087.004
- attack.t1526
logsource:
product: azure
service: signinlogs
detection:
selection:
userAgent|contains: 'azurehound'
ResultType: 0
condition: selection
falsepositives:
- Unknown
level: high
title: BloodHound Collection Files
id: 02773bed-83bf-469f-b7ff-e676e7d78bab
status: test
description: Detects default file names outputted by the BloodHound collection tool SharpHound
references:
- https://academy.hackthebox.com/course/preview/active-directory-bloodhound/bloodhound--data-collection
author: C.J. May
date: 2022-08-09
modified: 2026-02-19
tags:
- attack.discovery
- attack.t1087.001
- attack.t1087.002
- attack.t1482
- attack.t1069.001
- attack.t1069.002
- attack.execution
- attack.t1059.001
logsource:
product: windows
category: file_event
detection:
selection:
TargetFilename|endswith:
- 'BloodHound.zip'
- '_computers.json'
- '_containers.json'
# - '_domains.json' # prone to false positives with ProbabilisticRevealTokenRegistry function in Google Chrome
- '_gpos.json'
- '_groups.json'
- '_ous.json'
- '_users.json'
filter_optional_ms_winapps:
Image|endswith: '\svchost.exe'
TargetFilename|startswith: 'C:\Program Files\WindowsApps\Microsoft.'
TargetFilename|endswith: '\pocket_containers.json'
condition: selection and not 1 of filter_optional_*
falsepositives:
- Some false positives may arise in some environment and this may require some tuning. Add additional filters or reduce level depending on the level of noise
level: high
title: HackTool - Bloodhound/Sharphound Execution
id: f376c8a7-a2d0-4ddc-aa0c-16c17236d962
status: test
description: Detects command line parameters used by Bloodhound and Sharphound hack tools
references:
- https://github.com/BloodHoundAD/BloodHound
- https://github.com/BloodHoundAD/SharpHound
author: Florian Roth (Nextron Systems)
date: 2019-12-20
modified: 2023-02-04
tags:
- attack.discovery
- attack.t1087.001
- attack.t1087.002
- attack.t1482
- attack.t1069.001
- attack.t1069.002
- attack.execution
- attack.t1059.001
logsource:
category: process_creation
product: windows
detection:
selection_img:
- Product|contains: 'SharpHound'
- Description|contains: 'SharpHound'
- Company|contains:
- 'SpecterOps'
- 'evil corp'
- Image|contains:
- '\Bloodhound.exe'
- '\SharpHound.exe'
selection_cli_1:
CommandLine|contains:
- ' -CollectionMethod All '
- ' --CollectionMethods Session '
- ' --Loop --Loopduration '
- ' --PortScanTimeout '
- '.exe -c All -d '
- 'Invoke-Bloodhound'
- 'Get-BloodHoundData'
selection_cli_2:
CommandLine|contains|all:
- ' -JsonFolder '
- ' -ZipFileName '
selection_cli_3:
CommandLine|contains|all:
- ' DCOnly '
- ' --NoSaveCache '
condition: 1 of selection_*
falsepositives:
- Other programs that use these command line option and accepts an 'All' parameter
level: high
title: Suspicious Active Directory Database Snapshot Via ADExplorer
id: ef61af62-bc74-4f58-b49b-626448227652
related:
- id: 9212f354-7775-4e28-9c9f-8f0a4544e664
type: derived
status: test
description: Detects the execution of Sysinternals ADExplorer with the "-snapshot" flag in order to save a local copy of the active directory database to a suspicious directory. This can be used by attackers to extract data for Bloodhound, usernames for password spraying or use the meta data for social engineering. The snapshot doesn't contain password hashes but there have been cases, where administrators put passwords in the comment field.
references:
- https://www.documentcloud.org/documents/5743766-Global-Threat-Report-2019.html
- https://learn.microsoft.com/de-de/sysinternals/downloads/adexplorer
- https://github.com/c3c/ADExplorerSnapshot.py/tree/f700904defac330802bbfedd1d8ffd9248f4ee24
- https://www.packetlabs.net/posts/scattered-spider-is-a-young-ransomware-gang-exploiting-large-corporations/
- https://www.nccgroup.com/us/research-blog/lapsus-recent-techniques-tactics-and-procedures/
- https://trustedsec.com/blog/adexplorer-on-engagements
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-03-14
modified: 2025-07-09
tags:
- attack.discovery
- attack.t1087.002
- attack.t1069.002
- attack.t1482
logsource:
category: process_creation
product: windows
detection:
selection_img:
- Image|endswith:
- '\ADExp.exe'
- '\ADExplorer.exe'
- '\ADExplorer64.exe'
- '\ADExplorer64a.exe'
- OriginalFileName: 'AdExp'
- Description: 'Active Directory Editor'
- Product: 'Sysinternals ADExplorer'
selection_flag:
CommandLine|contains: 'snapshot'
selection_paths:
CommandLine|contains:
# TODO: Add more suspicious paths
- '\Downloads\'
- '\Users\Public\'
- '\AppData\'
- '\Windows\Temp\'
condition: all of selection_*
falsepositives:
- Unknown
level: high
title: ADExplorer Writing Complete AD Snapshot Into .dat File
id: 0a1255c5-d732-4b62-ac02-b5152d34fb83
related:
- id: 9212f354-7775-4e28-9c9f-8f0a4544e664
type: similar
status: experimental
description: Detects the dual use tool ADExplorer writing a complete AD snapshot into a .dat file. This can be used by attackers to extract data for Bloodhound, usernames for password spraying or use the meta data for social engineering. The snapshot doesn't contain password hashes but there have been cases, where administrators put passwords in the comment field.
references:
- https://learn.microsoft.com/de-de/sysinternals/downloads/adexplorer
- https://github.com/c3c/ADExplorerSnapshot.py/tree/f700904defac330802bbfedd1d8ffd9248f4ee24
- https://www.packetlabs.net/posts/scattered-spider-is-a-young-ransomware-gang-exploiting-large-corporations/
- https://www.nccgroup.com/us/research-blog/lapsus-recent-techniques-tactics-and-procedures/
- https://trustedsec.com/blog/adexplorer-on-engagements
author: Arnim Rupp (Nextron Systems), Thomas Patzke
date: 2025-07-09
tags:
- attack.discovery
- attack.t1087.002
- attack.t1069.002
- attack.t1482
logsource:
category: file_event
product: windows
detection:
selection:
Image|endswith:
- '\ADExp.exe'
- '\ADExplorer.exe'
- '\ADExplorer64.exe'
- '\ADExplorer64a.exe'
TargetFilename|endswith: '.dat'
condition: selection
falsepositives:
- Legitimate use of ADExplorer by administrators creating .dat snapshots
level: medium
title: Active Directory Database Snapshot Via ADExplorer
id: 9212f354-7775-4e28-9c9f-8f0a4544e664
related:
- id: ef61af62-bc74-4f58-b49b-626448227652
type: derived
status: test
description: Detects the execution of Sysinternals ADExplorer with the "-snapshot" flag in order to save a local copy of the active directory database. This can be used by attackers to extract data for Bloodhound, usernames for password spraying or use the meta data for social engineering. The snapshot doesn't contain password hashes but there have been cases, where administrators put passwords in the comment field.
references:
- https://www.documentcloud.org/documents/5743766-Global-Threat-Report-2019.html
- https://learn.microsoft.com/de-de/sysinternals/downloads/adexplorer
- https://github.com/c3c/ADExplorerSnapshot.py/tree/f700904defac330802bbfedd1d8ffd9248f4ee24
- https://www.packetlabs.net/posts/scattered-spider-is-a-young-ransomware-gang-exploiting-large-corporations/
- https://www.nccgroup.com/us/research-blog/lapsus-recent-techniques-tactics-and-procedures/
- https://trustedsec.com/blog/adexplorer-on-engagements
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-03-14
modified: 2025-07-09
tags:
- attack.discovery
- attack.t1087.002
- attack.t1069.002
- attack.t1482
logsource:
category: process_creation
product: windows
detection:
selection_img:
- Image|endswith:
- '\ADExp.exe'
- '\ADExplorer.exe'
- '\ADExplorer64.exe'
- '\ADExplorer64a.exe'
- OriginalFileName: 'AdExp'
- Description: 'Active Directory Editor'
- Product: 'Sysinternals ADExplorer'
selection_cli:
CommandLine|contains: 'snapshot'
condition: all of selection_*
falsepositives:
- Unknown
level: medium