Adversaries may use custom queries to document their compromise, identify spread across owned nodes, and track privilege changes to understand their attack surface. SOC teams should proactively hunt for this behavior in Azure Sentinel to detect lateral movement and privilege escalation activities that may indicate a deeper compromise.
YARA Rule
rule hacktool_multi_bloodhound_owned
{
    meta:
        description = "Bloodhound: Custom queries to document a compromise, find collateral spread of owned nodes, and visualize deltas in privilege gains"
        reference = "https://github.com/porterhau5/BloodHound-Owned/"
        author = "@fusionrace"
        id = "cffa3b8a-cf55-531b-aa67-ca8a8841bdec"
    strings:
        $s1 = "Find all owned Domain Admins" fullword ascii wide
        $s2 = "Find Shortest Path from owned node to Domain Admins" fullword ascii wide
        $s3 = "List all directly owned nodes" fullword ascii wide
        $s4 = "Set owned and wave properties for a node" fullword ascii wide
        $s5 = "Find spread of compromise for owned nodes in wave" fullword ascii wide
        $s6 = "Show clusters of password reuse" fullword ascii wide
        $s7 = "Something went wrong when creating SharesPasswordWith relationship" fullword ascii wide
        $s8 = "reference doc of custom Cypher queries for BloodHound" fullword ascii wide
        $s9 = "Created SharesPasswordWith relationship between" fullword ascii wide
        $s10 = "Skipping finding spread of compromise due to" fullword ascii wide
    condition:
        any of them
}
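To make the rule's matching semantics concrete, the following added example (not part of the original rule or the BloodHound-Owned project) re-implements in plain Python what "fullword ascii wide" plus "any of them" means: each of the ten strings is searched both as raw ASCII and as UTF-16LE, a hit only counts when it is not glued to an alphanumeric character on either side, and one hit anywhere is enough for the rule to fire. The sample buffers at the bottom are constructed for illustration; an analyst can drop in a real file or memory dump to see exactly which bytes triggered a match before tuning exclusions.

```python
"""Added example: plain-Python model of the hacktool_multi_bloodhound_owned
match logic (``fullword ascii wide`` strings, condition ``any of them``).
This is an illustration, not a replacement for YARA, and not the project's code.
"""
import re
from typing import Dict, List, Tuple

# The ten strings from the rule, keyed by their YARA identifiers.
RULE_STRINGS: Dict[str, str] = {
    "$s1": "Find all owned Domain Admins",
    "$s2": "Find Shortest Path from owned node to Domain Admins",
    "$s3": "List all directly owned nodes",
    "$s4": "Set owned and wave properties for a node",
    "$s5": "Find spread of compromise for owned nodes in wave",
    "$s6": "Show clusters of password reuse",
    "$s7": "Something went wrong when creating SharesPasswordWith relationship",
    "$s8": "reference doc of custom Cypher queries for BloodHound",
    "$s9": "Created SharesPasswordWith relationship between",
    "$s10": "Skipping finding spread of compromise due to",
}

# ``fullword``: the match may not be immediately preceded or followed by an
# alphanumeric character. For ``wide`` (UTF-16LE) strings the neighbouring
# character occupies two bytes: an alphanumeric byte followed by 0x00.
_ASCII_BOUNDARY = rb"[A-Za-z0-9]"
_WIDE_BOUNDARY = rb"[A-Za-z0-9]\x00"


def compile_rule_strings(strings: Dict[str, str]) -> Dict[str, List[Tuple[str, re.Pattern]]]:
    """Build one ascii and one wide regex, with fullword boundaries, per rule string."""
    compiled: Dict[str, List[Tuple[str, re.Pattern]]] = {}
    for ident, text in strings.items():
        ascii_pat = re.escape(text.encode("ascii"))
        wide_pat = re.escape(text.encode("utf-16-le"))
        compiled[ident] = [
            ("ascii", re.compile(rb"(?<!" + _ASCII_BOUNDARY + rb")" + ascii_pat
                                 + rb"(?!" + _ASCII_BOUNDARY + rb")", re.DOTALL)),
            ("wide", re.compile(rb"(?<!" + _WIDE_BOUNDARY + rb")" + wide_pat
                                + rb"(?!" + _WIDE_BOUNDARY + rb")", re.DOTALL)),
        ]
    return compiled


_COMPILED = compile_rule_strings(RULE_STRINGS)


def scan(data: bytes) -> List[Tuple[str, str, int]]:
    """Return every (identifier, encoding, offset) hit, sorted by offset."""
    hits: List[Tuple[str, str, int]] = []
    for ident, patterns in _COMPILED.items():
        for encoding, pattern in patterns:
            for m in pattern.finditer(data):
                hits.append((ident, encoding, m.start()))
    return sorted(hits, key=lambda h: h[2])


def rule_matches(data: bytes) -> bool:
    """The rule's condition is ``any of them``: a single string hit fires the rule."""
    return bool(scan(data))


# Constructed sample inputs (not real artefacts) covering the cases that matter.
SAMPLE_CYPHER_FILE = (
    b"// Find all owned Domain Admins\n"
    b"MATCH (u:User {owned: true})-[:MemberOf*1..]->(g:Group) RETURN u\n"
)
SAMPLE_WIDE_BINARY = (
    b"\x00\x00" + "List all directly owned nodes".encode("utf-16-le") + b"\x00\x00"
)
SAMPLE_FULLWORD_MISS = b"XFind all owned Domain AdminsY"  # letters glued on: fullword fails
SAMPLE_BENIGN_QUERY = b"MATCH (n:User) RETURN n.name LIMIT 10"

if __name__ == "__main__":
    for name, blob in [("cypher file", SAMPLE_CYPHER_FILE),
                       ("wide binary", SAMPLE_WIDE_BINARY),
                       ("fullword miss", SAMPLE_FULLWORD_MISS),
                       ("benign query", SAMPLE_BENIGN_QUERY)]:
        print(f"{name:14s} match={rule_matches(blob)} hits={scan(blob)}")
```

The two negative samples show why the rule is narrower than a plain substring search: a string embedded inside a longer identifier does not count, and ordinary Cypher that does not carry one of the ten phrases never fires. When hunting, the offset reported by scan() tells you which comment or string table in the artefact carried the phrase, which is the first thing to check before applying any of the exclusions below.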
This rule contains 10 string patterns in its detection logic, and its condition is "any of them", so a single string hit is enough to produce a match. The filters below are expressed as SIEM-side fields rather than YARA syntax: YARA only reports that the bytes matched, and the exclusion is applied where the alert is triaged.

This YARA rule may fire in the following benign contexts, each with a suggested filter:
Scenario 1: A system administrator is using Bloodhound to perform a routine security assessment and is running a custom query to analyze privilege escalation paths in a controlled environment.
Filter/Exclusion: Exclude queries executed by non-privileged users or those not associated with a known security assessment task (e.g., user.name != "security_admin").

Scenario 2: A scheduled job runs PowerShell scripts to generate reports on user access and privilege levels, which may trigger the rule due to query patterns resembling compromise analysis.
Filter/Exclusion: Exclude PowerShell scripts executed by scheduled tasks with known reporting purposes (e.g., script.name LIKE '%report%' OR script.path LIKE '%scheduled_tasks%').

Scenario 3: An Active Directory administrator is using PowerView to query domain controllers for group membership and privilege information as part of routine administrative tasks.
Filter/Exclusion: Exclude queries executed by AD administrators or those involving known administrative tools (e.g., tool.name = "PowerView" OR user.role = "AD_Admin").

Scenario 4: A Windows Task Scheduler job runs a PowerShell script to clean up temporary files and logs, which may inadvertently trigger the rule due to query patterns.
Filter/Exclusion: Exclude tasks associated with system maintenance or cleanup (e.g., task.name LIKE '%cleanup%' OR task.description LIKE '%maintenance%').

Scenario 5: A security analyst is using Bloodhound to investigate a potential breach and is querying the environment for lateral movement patterns, which may match the rule's logic.
Filter/Exclusion: Exclude queries executed during known incident response activities (e.g., user.role = "security_analyst" AND query_context = "incident_response") or those with timestamps matching known investigation windows.