Detect Azurehound File Modifications

The following analytic is similar to the SharpHound file modification analytic, but this instance covers the use of Invoke-AzureHound. AzureHound is the SharpHound equivalent for Azure. It is possible this may never be seen in an environment, as most attackers execute this tool remotely. Once execution is complete, a zip file with a similar name will drop. In addition to the zip, multiple .json files will be written to disk; these are the files contained in the zip.


Detect Azurehound File Modifications Help

To successfully implement this search you need to be ingesting information on file modifications that include the name of the process, and file, responsible for the changes from your endpoints into the Endpoint datamodel in the Filesystem node.
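As an added illustration, not the analytic's own search logic, the following Python groups constructed file-modification events by host, process and directory and flags the pattern described above: one process dropping a .zip together with multiple .json files in the same directory. The field names (shaped after the Endpoint.Filesystem node), the threshold of three .json files and the sample paths are assumptions.

```python
from collections import defaultdict
from pathlib import PureWindowsPath

# Constructed sample events (not real telemetry); field names loosely follow
# the Endpoint.Filesystem datamodel: dest, process_name, file_path.
SAMPLE_EVENTS = [
    # PowerShell writes a zip plus several json files into one folder.
    {"dest": "ws01", "process_name": "powershell.exe",
     "file_path": r"C:\Users\alice\Documents\20240101-collection.zip"},
    {"dest": "ws01", "process_name": "powershell.exe",
     "file_path": r"C:\Users\alice\Documents\20240101-users.json"},
    {"dest": "ws01", "process_name": "powershell.exe",
     "file_path": r"C:\Users\alice\Documents\20240101-groups.json"},
    {"dest": "ws01", "process_name": "powershell.exe",
     "file_path": r"C:\Users\alice\Documents\20240101-roles.json"},
    # Benign: a user zips a folder with Explorer, no json files alongside.
    {"dest": "ws01", "process_name": "explorer.exe",
     "file_path": r"C:\Users\alice\Desktop\photos.zip"},
    # Benign: a build tool writes a single json file and no zip.
    {"dest": "ws02", "process_name": "node.exe",
     "file_path": r"C:\src\app\package-lock.json"},
]


def find_azurehound_like_drops(events, min_json=3):
    """Return sorted (dest, process, directory) keys where a single process
    wrote at least one .zip and at least `min_json` .json files into the
    same directory. The threshold is an assumed tuning value."""
    counts = defaultdict(lambda: {"zip": 0, "json": 0})
    for ev in events:
        path = PureWindowsPath(ev["file_path"])
        key = (ev["dest"], ev["process_name"].lower(), str(path.parent).lower())
        ext = path.suffix.lower()
        if ext == ".zip":
            counts[key]["zip"] += 1
        elif ext == ".json":
            counts[key]["json"] += 1
    return sorted(k for k, c in counts.items()
                  if c["zip"] >= 1 and c["json"] >= min_json)


if __name__ == "__main__":
    for dest, proc, folder in find_azurehound_like_drops(SAMPLE_EVENTS):
        print(f"suspicious drop on {dest}: {proc} wrote zip+json into {folder}")
```

Tune `min_json` and the grouping window to your environment; legitimate archiving tools rarely write a zip and its JSON contents to the same folder from a scripting host.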