KQL Search

Query Details

Blood Hound Generatedfiles

Query


name: Collection, Indicators of bloodhound usage within the environment
description: Detects file dropped by BloodHound/SharpHound that contains AD information 
references: https://academy.hackthebox.com/course/preview/active-directory-bloodhound/bloodhound--data-collection
tags: Collection, t1087.001
search_query: 
(DeviceFileEvents
| where FileName contains "users.json" or  FileName contains "*computers.jons" or  FileName contains "*groups.json" or  FileName contains "*ous.json" or  FileName contains "*domains.json" or  FileName contains "bloodhound" or  FileName contains "gpos.json" | where FileName != @"bloodhound.js"| where FileName != @"bloodhoundDropdown.js"
)
Notes:

Explanation

This query is looking for files dropped by BloodHound/SharpHound that contain Active Directory information within the environment. It specifically searches for files with certain names related to AD information and excludes specific files related to BloodHound.

Details

Ali Hussein

Released: February 18, 2024

Tables

DeviceFileEvents

Keywords

Devices,Intune,User,Bloodhound

Operators

wherecontainsor!=

KQL Search

Blood Hound Generatedfiles

Query

Explanation

Details

Actions