Detects default file names outputted by the BloodHound collection tool SharpHound
title: BloodHound Collection Files
id: 02773bed-83bf-469f-b7ff-e676e7d78bab
status: test
description: Detects default file names outputted by the BloodHound collection tool SharpHound
references:
- https://academy.hackthebox.com/course/preview/active-directory-bloodhound/bloodhound--data-collection
author: C.J. May
date: 2022-08-09
modified: 2026-02-19
tags:
- attack.discovery
- attack.t1087.001
- attack.t1087.002
- attack.t1482
- attack.t1069.001
- attack.t1069.002
- attack.execution
- attack.t1059.001
logsource:
product: windows
category: file_event
detection:
selection:
TargetFilename|endswith:
- 'BloodHound.zip'
- '_computers.json'
- '_containers.json'
# - '_domains.json' # prone to false positives with ProbabilisticRevealTokenRegistry function in Google Chrome
- '_gpos.json'
- '_groups.json'
- '_ous.json'
- '_users.json'
filter_optional_ms_winapps:
Image|endswith: '\svchost.exe'
TargetFilename|startswith: 'C:\Program Files\WindowsApps\Microsoft.'
TargetFilename|endswith: '\pocket_containers.json'
condition: selection and not 1 of filter_optional_*
falsepositives:
- Some false positives may arise in some environment and this may require some tuning. Add additional filters or reduce level depending on the level of noise
level: high
imFileEvent
| where (TargetFileName endswith "BloodHound.zip" or TargetFileName endswith "_computers.json" or TargetFileName endswith "_containers.json" or TargetFileName endswith "_gpos.json" or TargetFileName endswith "_groups.json" or TargetFileName endswith "_ous.json" or TargetFileName endswith "_users.json") and (not((TargetFilePath endswith "\\svchost.exe" and TargetFileName startswith "C:\\Program Files\\WindowsApps\\Microsoft." and TargetFileName endswith "\\pocket_containers.json")))| Sentinel Table | Notes |
|---|---|
imFileEvent | Ensure this data connector is enabled |
Adversaries may attempt to get a listing of local system accounts. This information can help adversaries determine which local accounts exist on a system to aid in follow-on behavior.
Commands such a
Adversaries may attempt to get a listing of domain accounts. This information can help adversaries determine which domain accounts exist to aid in follow-on behavior such as targeting specific account
Adversaries may attempt to gather information on domain trust relationships that may be used to identify lateral movement opportunities in Windows multi-domain/forest environments. Domain trusts provi
Adversaries may attempt to find local system groups and permission settings. The knowledge of local system permission groups can help adversaries determine which groups exist and which users belong to
Adversaries may attempt to find domain-level groups and permission settings. The knowledge of domain-level permission groups can help adversaries determine which groups exist and which users belong to
Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system.(Cit
Use these Atomic Red Team tests to validate this detection fires correctly: