Detecting the presence of BloodHound tool

Rule added on 20th February, 2024

Prerequisite:

The rule requires process-creation auditing with command-line capture: either Sysmon (Event ID 1) or Windows Security auditing (Event ID 4688 with "Include command line in process creation events" enabled). Without the command line in the event, the command-line criteria below have nothing to match against.

Rule type:

Correlation rule

Rule description:

This correlation rule aims to detect the use of BloodHound, an open-source tool primarily used for Active Directory reconnaissance. Its collectors enumerate user accounts, computer accounts, group memberships and sessions, and BloodHound maps the relationships between them so an attacker can find paths to privileged access within a network.

Data source:

Windows: Active Directory, application log, network traffic, user account, process

Relevant MITRE ATT&CK techniques and tactics:

Tactics: TA0043 - Reconnaissance, TA0005 - Defense Evasion

Techniques: T1595 - Active Scanning, T1589 - Gather Victim Identity Information, T1036 - Masquerading

Sub-techniques: T1595.001: Scanning IP Blocks, T1589.001: Credentials

Criteria:

Command line contains bloodhound: This part checks whether the command line used to launch a process includes the string "bloodhound" (case-insensitive). This catches a BloodHound binary run under its own name and the PowerShell ingestor's Invoke-BloodHound function. Note that the current collector, SharpHound.exe, does not contain this string in its default file name, so this criterion alone does not cover it.

Command line contains --CollectionMethod: This condition looks for the argument "--CollectionMethod" in the command line. SharpHound uses it to select what to collect from Active Directory (for example, --CollectionMethod All). The plural form --CollectionMethods used by newer SharpHound releases still matches as a substring, but the equivalent short flag -c and the single-dash -CollectionMethod parameter of the PowerShell ingestor do not.

Command line contains azurehound: AzureHound is BloodHound's collector for Azure Active Directory (now Microsoft Entra ID). It is a separate binary rather than a module of BloodHound itself, so "azurehound" in a command line suggests an attempt to enumerate the Azure AD tenant.

Process name is the Windows Script Host: This condition checks whether the process that ran the command line is the Windows Script Host, wscript.exe. Script-host launches are common in legitimate environments (logon scripts, installers), so this criterion is a weak signal on its own and is best read together with the command-line criteria above.
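The criteria above applied to a handful of constructed process-creation records, as an added example that is not the vendor's rule engine or any code from the page. The records are modelled on the fields Sysmon Event ID 1 and Security Event ID 4688 expose; the field layout, the way the criteria are combined into a severity, and the extra OriginalFileName check are assumptions not stated on the page.

```python
from dataclasses import dataclass

# Substrings from the rule's three command-line criteria (matched case-insensitively).
COMMAND_LINE_TERMS = ("bloodhound", "--collectionmethod", "azurehound")
# The rule names wscript.exe; cscript.exe is the console flavour of the same
# Windows Script Host and is included here as an assumption.
SCRIPT_HOSTS = ("wscript.exe", "cscript.exe")
# Added defensive check (assumption, not part of the rule): Sysmon EID 1 records
# the PE header's OriginalFileName, which survives renaming the collector binary.
COLLECTOR_ORIGINAL_NAMES = ("sharphound.exe", "azurehound.exe")
# Sysmon EID 1 and Security EID 4688 name the process path differently.
PROCESS_PATH_FIELDS = ("Image", "NewProcessName")

# Constructed sample events, not real telemetry.
SAMPLE_EVENTS = [
    # 0: Sysmon EID 1, SharpHound run under its own name with --CollectionMethod
    {"Source": "Sysmon", "EventID": 1,
     "Image": r"C:\Users\alice\Downloads\SharpHound.exe",
     "OriginalFileName": "SharpHound.exe",
     "CommandLine": r"SharpHound.exe --CollectionMethod All --Domain corp.local"},
    # 1: Sysmon EID 1, renamed collector using the short SharpHound 4.x flag -c
    {"Source": "Sysmon", "EventID": 1,
     "Image": r"C:\Windows\Temp\svchost_update.exe",
     "OriginalFileName": "SharpHound.exe",
     "CommandLine": r'"C:\Windows\Temp\svchost_update.exe" -c All --zipfilename data.zip'},
    # 2: Security EID 4688 for the same renamed run; 4688 carries no OriginalFileName
    {"Source": "Security", "EventID": 4688,
     "NewProcessName": r"C:\Windows\Temp\svchost_update.exe",
     "CommandLine": r'"C:\Windows\Temp\svchost_update.exe" -c All --zipfilename data.zip'},
    # 3: AzureHound enumerating a tenant (constructed tenant name)
    {"Source": "Sysmon", "EventID": 1,
     "Image": r"C:\Tools\azurehound.exe",
     "OriginalFileName": "azurehound.exe",
     "CommandLine": r"azurehound.exe list --tenant contoso.onmicrosoft.com -u svc@contoso.onmicrosoft.com"},
    # 4: PowerShell ingestor; note the single-dash -CollectionMethod parameter
    {"Source": "Security", "EventID": 4688,
     "NewProcessName": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r'powershell.exe -nop -c "Import-Module .\SharpHound.ps1; Invoke-BloodHound -CollectionMethod All"'},
    # 5: ordinary logon script run by the Windows Script Host
    {"Source": "Security", "EventID": 4688,
     "NewProcessName": r"C:\Windows\System32\wscript.exe",
     "CommandLine": r'wscript.exe "\\corp.local\netlogon\logon.vbs"'},
    # 6: unrelated process
    {"Source": "Sysmon", "EventID": 1,
     "Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "OriginalFileName": "chrome.exe",
     "CommandLine": r'"C:\Program Files\Google\Chrome\Application\chrome.exe"'},
]


@dataclass
class Verdict:
    index: int
    process: str
    hits: list
    severity: str  # "high", "low" or "none"


def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def evaluate(index: int, event: dict) -> Verdict:
    """Apply the four criteria (plus the OriginalFileName extension) to one event."""
    cmdline = event.get("CommandLine", "").lower()
    process = next((event[f] for f in PROCESS_PATH_FIELDS if f in event), "")
    hits = [f"cmdline:{t}" for t in COMMAND_LINE_TERMS if t in cmdline]
    original = event.get("OriginalFileName", "").lower()
    if original in COLLECTOR_ORIGINAL_NAMES:
        hits.append(f"originalfilename:{original}")
    script_host = _basename(process) in SCRIPT_HOSTS
    if script_host:
        hits.append("process:script-host")
    # Combination logic is an assumption: any command-line or OriginalFileName hit
    # is high severity; a bare script-host launch is only a low-severity lead.
    strong = [h for h in hits if not h.startswith("process:")]
    severity = "high" if strong else ("low" if script_host else "none")
    return Verdict(index, process, hits, severity)


def run(events=SAMPLE_EVENTS) -> list:
    return [evaluate(i, e) for i, e in enumerate(events)]


if __name__ == "__main__":
    for v in run():
        print(f"[{v.severity:4}] #{v.index} {_basename(v.process):22} {', '.join(v.hits) or '-'}")
```

Events 1 and 2 are the same renamed run seen through two log sources: the Sysmon record is still caught by OriginalFileName, the 4688 record is missed entirely because the short flag -c never contains "--CollectionMethod". Event 4 is caught only by the "bloodhound" substring, since the PowerShell parameter uses a single dash.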

When to enable this rule:

Enable this rule when you suspect the network might be compromised, or proactively to improve defence against tools such as BloodHound that map Active Directory for lateral movement and privilege escalation.

Compliance mapping (NIST, CIS):

Enabling this rule helps you meet the following requirements of these security standards:

NIST Cybersecurity Framework (CSF 1.1):

  • DE.CM-1 (the network is monitored to detect potential cybersecurity events): detecting attempts to enumerate and map privileged accounts and resources.
  • DE.AE-1 (a baseline of network operations and expected data flows is established and managed): the burst of LDAP queries and SMB session enumeration that BloodHound's collector generates stands out against that baseline.
  • DE.CM-7 (monitoring for unauthorized personnel, connections, devices and software): alerting on execution of an unauthorized tool and on the unusual access patterns it produces.

CIS Controls (v7):

  • Control 8: Malware Defenses: Implement mechanisms to detect and prevent the execution of BloodHound and similar tools used for Active Directory reconnaissance.
  • Control 6: Maintenance, Monitoring and Analysis of Audit Logs: Analyze audit logs for anomalies indicating BloodHound's presence or unauthorized access attempts.

Next steps:

Upon triggering this alert, the following actions can be taken:

  • Identification: Mark this alert as part of an existing incident or open a new one, and assign the incident to an analyst for in-depth examination.
  • Analysis: Conduct an impact investigation and assess the degree of compromise using the Incident Workbench to gauge the threat's severity.
  • Response: Use Workflows to run an automated workflow that terminates the identified malicious process for prompt mitigation.