title: AzureHound PowerShell Commands
author: Austin Songer (@austinsonger)
date: 2021/10/23
description:
detection:
  SELECTION_1:
    ScriptBlockText:
    - '*Invoke-AzureHound*'
  condition: SELECTION_1
falsepositives:
- Penetration testing
id: 83083ac6-1816-4e76-97d7-59af9a9ae46e
level: high
logsource:
  category: ps_script
  definition: Script Block Logging must be enable
  product: windows
references:
- https://github.com/BloodHoundAD/BloodHound/blob/master/Collectors/AzureHound.ps1
- https://bloodhound.readthedocs.io/en/latest/data-collection/azurehound.html
status: experimental
tags:
- attack.discovery
- attack.t1482
- attack.t1087
- attack.t1087.001
- attack.t1087.002
- attack.t1069.001
- attack.t1069.002
- attack.t1069
ruletype: SIGMA