title: AzureHound PowerShell Commands
id: 83083ac6-1816-4e76-97d7-59af9a9ae46e
status: experimental
description: 
references:
    - https://github.com/BloodHoundAD/BloodHound/blob/master/Collectors/AzureHound.ps1
    - https://bloodhound.readthedocs.io/en/latest/data-collection/azurehound.html
author: Austin Songer (@austinsonger)
date: 2021/10/23
logsource:
    product: windows
    category: ps_script
    definition: Script Block Logging must be enable
detection:
    selection:
        ScriptBlockText|contains:
            - "Invoke-AzureHound"
    condition: selection
tags:
    - attack.discovery
    - attack.t1482
    - attack.t1087
    - attack.t1087.001
    - attack.t1087.002
    - attack.t1069.001
    - attack.t1069.002
    - attack.t1069
falsepositives:
    - Penetration testing
level: high