Collection, Indicators of bloodhound usage within the environment
Blood Hound Generatedfiles
Query
DeviceFileEvents
| where FileName contains "users.json" or FileName contains "*computers.json" or FileName contains "*groups.json" or FileName contains "*ous.json" or FileName contains "*domains.json" or FileName contains "bloodhound" or FileName contains "gpos.json" | where FileName != @"bloodhound.js"| where FileName != @"bloodhoundDropdown.js"Explanation
This query is designed to detect the presence of files associated with BloodHound or SharpHound within an environment. BloodHound is a tool used to map Active Directory environments, and it typically generates specific JSON files containing information about users, computers, groups, organizational units (OUs), domains, and group policies (GPOs).
Here's a simple breakdown of what the query does:
-
Data Source: The query looks at
DeviceFileEvents, which likely logs file creation or modification events on devices. -
File Detection: It searches for files with names containing specific keywords:
- "users.json"
- "computers.json"
- "groups.json"
- "ous.json"
- "domains.json"
- "bloodhound"
- "gpos.json"
-
Exclusions: It excludes files named "bloodhound.js" and "bloodhoundDropdown.js" from the results.
-
Purpose: The goal is to identify potential indicators of BloodHound usage by detecting files that are typically generated by the tool during its data collection phase.
Overall, this query helps security teams identify potential unauthorized or suspicious activity related to Active Directory reconnaissance using BloodHound.
Details

Ali Hussein
Released: March 25, 2024
Tables
Keywords
Operators