Detects command line parameters used by Bloodhound and Sharphound hack tools
```yaml
title: HackTool - Bloodhound/Sharphound Execution
id: f376c8a7-a2d0-4ddc-aa0c-16c17236d962
status: test
description: Detects command line parameters used by Bloodhound and Sharphound hack tools
references:
    - https://github.com/BloodHoundAD/BloodHound
    - https://github.com/BloodHoundAD/SharpHound
author: Florian Roth (Nextron Systems)
date: 2019-12-20
modified: 2023-02-04
tags:
    - attack.discovery
    - attack.t1087.001
    - attack.t1087.002
    - attack.t1482
    - attack.t1069.001
    - attack.t1069.002
    - attack.execution
    - attack.t1059.001
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Product|contains: 'SharpHound'
        - Description|contains: 'SharpHound'
        - Company|contains:
              - 'SpecterOps'
              - 'evil corp'
        - Image|contains:
              - '\Bloodhound.exe'
              - '\SharpHound.exe'
    selection_cli_1:
        CommandLine|contains:
            - ' -CollectionMethod All '
            - ' --CollectionMethods Session '
            - ' --Loop --Loopduration '
            - ' --PortScanTimeout '
            - '.exe -c All -d '
            - 'Invoke-Bloodhound'
            - 'Get-BloodHoundData'
    selection_cli_2:
        CommandLine|contains|all:
            - ' -JsonFolder '
            - ' -ZipFileName '
    selection_cli_3:
        CommandLine|contains|all:
            - ' DCOnly '
            - ' --NoSaveCache '
    condition: 1 of selection_*
falsepositives:
    - Other programs that use these command line options and accept an 'All' parameter
level: high
```
```kql
imProcessCreate
| where (TargetProcessFileProduct contains "SharpHound"
        or TargetProcessFileDescription contains "SharpHound"
        or (TargetProcessFileCompany contains "SpecterOps" or TargetProcessFileCompany contains "evil corp")
        or (TargetProcessName contains "\\Bloodhound.exe" or TargetProcessName contains "\\SharpHound.exe"))
    or (TargetProcessCommandLine contains " -CollectionMethod All "
        or TargetProcessCommandLine contains " --CollectionMethods Session "
        or TargetProcessCommandLine contains " --Loop --Loopduration "
        or TargetProcessCommandLine contains " --PortScanTimeout "
        or TargetProcessCommandLine contains ".exe -c All -d "
        or TargetProcessCommandLine contains "Invoke-Bloodhound"
        or TargetProcessCommandLine contains "Get-BloodHoundData")
    or (TargetProcessCommandLine contains " -JsonFolder " and TargetProcessCommandLine contains " -ZipFileName ")
    or (TargetProcessCommandLine contains " DCOnly " and TargetProcessCommandLine contains " --NoSaveCache ")
```
| Sentinel Table | Notes |
|---|---|
| imProcessCreate | Ensure this data connector is enabled |
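To see how the rule's `contains` / `contains|all` modifiers and the `1 of selection_*` condition combine, here is an added Python matcher that evaluates the selections above against a few constructed process-creation events; it is an illustration written for this page, not code from the Sigma project or the BloodHound repositories, and the sample events and field values are made up.

```python
# Sigma string matching is case-insensitive, as is KQL's `contains`.
# A selection written as a YAML list of maps is an OR between the maps; keys
# inside one map are ANDed; values under one key are ORed unless the key
# carries |all, which ANDs them.
SELECTIONS = {
    "selection_img": [
        {"Product|contains": ["SharpHound"]},
        {"Description|contains": ["SharpHound"]},
        {"Company|contains": ["SpecterOps", "evil corp"]},
        {"Image|contains": ["\\Bloodhound.exe", "\\SharpHound.exe"]},
    ],
    "selection_cli_1": [{"CommandLine|contains": [
        " -CollectionMethod All ", " --CollectionMethods Session ",
        " --Loop --Loopduration ", " --PortScanTimeout ", ".exe -c All -d ",
        "Invoke-Bloodhound", "Get-BloodHoundData"]}],
    "selection_cli_2": [{"CommandLine|contains|all": [" -JsonFolder ", " -ZipFileName "]}],
    "selection_cli_3": [{"CommandLine|contains|all": [" DCOnly ", " --NoSaveCache "]}],
}

def field_matches(event, key, values):
    """Evaluate one 'Field|contains[|all]' key against an event dict."""
    field, *modifiers = key.split("|")
    haystack = str(event.get(field, "")).lower()
    hits = [v.lower() in haystack for v in values]
    return all(hits) if "all" in modifiers else any(hits)

def matching_selections(event):
    """Names of the selections the event satisfies, in rule order."""
    return [name for name, maps in SELECTIONS.items()
            if any(all(field_matches(event, k, v) for k, v in m.items())
                   for m in maps)]

def is_alert(event):
    """condition: 1 of selection_* -> fire when any selection matches."""
    return bool(matching_selections(event))

# Constructed sample events using Sigma process_creation field names (not real logs).
SAMPLE_EVENTS = {
    "sharphound_short_flags": {
        "Image": "C:\\Users\\bob\\AppData\\Local\\Temp\\sh.exe",
        "CommandLine": "sh.exe -c All -d corp.local"},
    "renamed_binary_pe_metadata": {  # Company field still catches a renamed binary
        "Image": "C:\\Temp\\svc.exe", "Company": "SpecterOps",
        "CommandLine": "svc.exe --CollectionMethods Session --NoSaveCache"},
    "benign_partial_overlap": {  # only one of the two contains|all terms is present
        "Image": "C:\\Tools\\backup.exe", "Company": "Contoso",
        "CommandLine": "backup.exe -JsonFolder C:\\out"},
}
```

The third event shows why `selection_cli_2` uses `contains|all`: a single ` -JsonFolder ` argument on its own is not enough to fire the rule.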