From 0fa5ba925ee06b62b4e58d5e7d9eb5b0890dc06c Mon Sep 17 00:00:00 2001
From: Florian Roth
Date: Fri, 20 Dec 2019 17:23:40 +0100
Subject: [PATCH] rule :improved bloodhound rule

---
 rules/windows/process_creation/win_hack_bloodhound.yml | 1 +
 1 file changed, 1 insertion(+)

diff --git a/rules/windows/process_creation/win_hack_bloodhound.yml b/rules/windows/process_creation/win_hack_bloodhound.yml
index c966ef4ad..743cc2a06 100644
--- a/rules/windows/process_creation/win_hack_bloodhound.yml
+++ b/rules/windows/process_creation/win_hack_bloodhound.yml
@@ -19,6 +19,7 @@ detection:
 selection2:
 CommandLine|contains:
 - ' -CollectionMethod All '
+ - '.exe -c All -d '
 - 'Invoke-Bloodhound'
 - 'Get-BloodHoundData'
 selection3:
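Review bot: The added substring `'.exe -c All -d '` is considerably looser than the other selection2 entries, since it keys only on a generic short-switch sequence rather than a tool-specific token such as `-CollectionMethod` or `Invoke-Bloodhound`, so any unrelated binary invoked with `-c All -d` will fire this rule. It also only matches when the `-d` switch directly follows the collection-method value, so it is brittle against other legitimate argument orderings the collector accepts — this is presumably intentional to keep the pattern narrow, but it is worth stating. I would add a line to the rule's `falsepositives` list (outside this hunk) naming the short-switch match as a known source of noise, and, if the rule carries a `modified` field, bump it for this change. The rest of the `detection` block, including the condition that combines selection2 with selection3, lies outside the hunk and should be rechecked so the new entry is not OR-ed in more broadly than intended.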