21 lines
1.1 KiB
Text
21 lines
1.1 KiB
Text
|
rule hacktool_multi_bloodhound_owned
|
||
|
{
|
||
|
meta:
|
||
|
description = "Bloodhound: Custom queries to document a compromise, find collateral spread of owned nodes, and visualize deltas in privilege gains"
|
||
|
reference = "https://github.com/porterhau5/BloodHound-Owned/"
|
||
|
author = "@fusionrace"
|
||
|
strings:
|
||
|
$s1 = "Find all owned Domain Admins" fullword ascii wide
|
||
|
$s2 = "Find Shortest Path from owned node to Domain Admins" fullword ascii wide
|
||
|
$s3 = "List all directly owned nodes" fullword ascii wide
|
||
|
$s4 = "Set owned and wave properties for a node" fullword ascii wide
|
||
|
$s5 = "Find spread of compromise for owned nodes in wave" fullword ascii wide
|
||
|
$s6 = "Show clusters of password reuse" fullword ascii wide
|
||
|
$s7 = "Something went wrong when creating SharesPasswordWith relationship" fullword ascii wide
|
||
|
$s8 = "reference doc of custom Cypher queries for BloodHound" fullword ascii wide
|
||
|
$s9 = "Created SharesPasswordWith relationship between" fullword ascii wide
|
||
|
$s10 = "Skipping finding spread of compromise due to" fullword ascii wide
|
||
|
condition:
|
||
|
any of them
|
||
|
}
|