# BloodHound Detection
## Query Information
#### Description
This query detects the use of BloodHound based on the processes it creates, by matching command lines against known BloodHound and SharpHound invocation patterns. The detection is based on the Red Canary Threat Detection Report on BloodHound.
#### References
- https://redcanary.com/threat-detection-report/threats/bloodhound/
## Defender For Endpoint
```kql
// List with known BloodHound executions
let BloodhoundCommands = dynamic(['-collectionMethod', 'invoke-bloodhound', 'get-bloodHounddata']);
DeviceProcessEvents
| where ProcessCommandLine has_any (BloodhoundCommands)
| project
    Timestamp,
    DeviceName,
    AccountName,
    AccountDomain,
    ProcessCommandLine,
    FileName,
    InitiatingProcessCommandLine,
    InitiatingProcessFileName
```
## Sentinel
```kql
// List with known BloodHound executions
let BloodhoundCommands = dynamic(['-collectionMethod', 'invoke-bloodhound', 'get-bloodHounddata']);
DeviceProcessEvents
| where ProcessCommandLine has_any (BloodhoundCommands)
| project
    TimeGenerated,
    DeviceName,
    AccountName,
    AccountDomain,
    ProcessCommandLine,
    FileName,
    InitiatingProcessCommandLine,
    InitiatingProcessFileName
```
This query detects the use of BloodHound based on the processes it creates. It looks for specific command-line strings associated with BloodHound and SharpHound and returns the matching process events with their timestamp, device name, account name and domain, command line, file name, and the initiating process. The query can be used in both Defender for Endpoint and Sentinel; the only difference is the name of the timestamp column (`Timestamp` in Defender for Endpoint, `TimeGenerated` in the Sentinel `DeviceProcessEvents` table). Because `has_any` is case-insensitive, the mixed casing in the indicator list does not affect matching.
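To show what the query does on concrete rows, here is an added Python emulation of the detection (not code from the page or from the query's author). The events are constructed sample `DeviceProcessEvents` rows, and the matching approximates KQL `has_any` with a case-insensitive substring test, which is an assumption: real `has_any` is term-based and can behave differently on punctuation-heavy command lines.

```python
"""Offline emulation of the BloodHound detection query on this page.

Added example, not the page's own code. Events are constructed sample
DeviceProcessEvents rows, and matching approximates KQL has_any with a
case-insensitive substring test (real has_any is term-based).
"""

# Indicator list taken from the query above
BLOODHOUND_COMMANDS = ["-collectionMethod", "invoke-bloodhound", "get-bloodHounddata"]

# Columns the query projects; only the timestamp column differs per product
PROJECTED = ["DeviceName", "AccountName", "AccountDomain", "ProcessCommandLine",
             "FileName", "InitiatingProcessCommandLine", "InitiatingProcessFileName"]
TIME_COLUMN = {"mde": "Timestamp", "sentinel": "TimeGenerated"}

# Constructed Sentinel-style rows (TimeGenerated); values are not real telemetry
SAMPLE_EVENTS = [
    {"TimeGenerated": "2023-02-14T10:01:00Z", "DeviceName": "ws01", "AccountName": "jdoe",
     "AccountDomain": "corp", "FileName": "powershell.exe",
     "ProcessCommandLine": "powershell.exe -c Invoke-BloodHound -CollectionMethod All",
     "InitiatingProcessFileName": "cmd.exe", "InitiatingProcessCommandLine": "cmd.exe /c run.bat"},
    {"TimeGenerated": "2023-02-14T10:02:00Z", "DeviceName": "ws02", "AccountName": "svc_backup",
     "AccountDomain": "corp", "FileName": "powershell.exe",
     "ProcessCommandLine": "powershell.exe Get-Process | Out-File procs.txt",
     "InitiatingProcessFileName": "explorer.exe", "InitiatingProcessCommandLine": "explorer.exe"},
    {"TimeGenerated": "2023-02-14T10:03:00Z", "DeviceName": "srv01", "AccountName": "admin",
     "AccountDomain": "corp", "FileName": "collector.exe",
     "ProcessCommandLine": "collector.exe -collectionMethod Session",
     "InitiatingProcessFileName": "cmd.exe", "InitiatingProcessCommandLine": "cmd.exe"},
]


def detect_bloodhound(events, product="sentinel"):
    """Return projected rows for events whose command line contains an indicator."""
    time_col = TIME_COLUMN[product]
    hits = []
    for ev in events:
        cmd = ev.get("ProcessCommandLine", "").lower()
        matched = [c for c in BLOODHOUND_COMMANDS if c.lower() in cmd]
        if not matched:
            continue
        row = {col: ev.get(col) for col in [time_col, *PROJECTED]}
        row["MatchedIndicator"] = matched  # added for triage; not in the KQL projection
        hits.append(row)
    return hits


if __name__ == "__main__":
    for hit in detect_bloodhound(SAMPLE_EVENTS):
        print(hit["TimeGenerated"], hit["DeviceName"], hit["MatchedIndicator"])
```

The benign `Get-Process` row is not returned, and the first row matches two indicators at once, which is the kind of detail worth surfacing when tuning the indicator list.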

Bert-Jan Pals
Released: February 14, 2023