sigmaDRL-1.1from SigmaHQ/sigma

BloodHound Collection Files

Detects default file names outputted by the BloodHound collection tool SharpHound

Quality

FP risk

—

Forks

Views

ATT&CK techniques

T1087.001 T1087.002 T1482 T1069.001 T1069.002 T1059.001

Rule sourcerules/windows/file/file_event/file_event_win_bloodhound_collection.yml

title: BloodHound Collection Files
id: 02773bed-83bf-469f-b7ff-e676e7d78bab
status: test
description: Detects default file names outputted by the BloodHound collection tool SharpHound
references:
    - https://academy.hackthebox.com/course/preview/active-directory-bloodhound/bloodhound--data-collection
author: C.J. May
date: 2022-08-09
modified: 2026-02-19
tags:
    - attack.discovery
    - attack.t1087.001
    - attack.t1087.002
    - attack.t1482
    - attack.t1069.001
    - attack.t1069.002
    - attack.execution
    - attack.t1059.001
logsource:
    product: windows
    category: file_event
detection:
    selection:
        TargetFilename|endswith:
            - 'BloodHound.zip'
            - '_computers.json'
            - '_containers.json'
            # - '_domains.json'  # prone to false positives with ProbabilisticRevealTokenRegistry function in Google Chrome
            - '_gpos.json'
            - '_groups.json'
            - '_ous.json'
            - '_users.json'
    filter_optional_ms_winapps:
        Image|endswith: '\svchost.exe'
        TargetFilename|startswith: 'C:\Program Files\WindowsApps\Microsoft.'
        TargetFilename|endswith: '\pocket_containers.json'
    condition: selection and not 1 of filter_optional_*
falsepositives:
    - Some false positives may arise in some environment and this may require some tuning. Add additional filters or reduce level depending on the level of noise
level: high