Detect Azurehound File Modifications

Description

The following analytic is similar to the SharpHound file-modification detection, but this instance covers the use of Invoke-AzureHound. AzureHound is the Azure equivalent of SharpHound. This activity may never be seen on an endpoint, since most attackers execute the tool remotely. Once collection completes, a zip file with a name of the form 20210601090751-azurecollection.zip is dropped. In addition to the zip, multiple .json files (the same files contained in the zip) are written to disk.

Help

To successfully implement this search, you need to be ingesting file-modification events from your endpoints that include both the name of the process responsible for the change and the name of the file, into the Filesystem node of the Endpoint data model.
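As an added example (not part of this analytic or the Splunk content), the Python below applies the file pattern described above to constructed file-modification events: it flags a zip whose name matches the timestamp-prefixed azurecollection form and, as an assumed heuristic, lists the .json files the same host and process wrote in the five minutes before it. The key=value event format and the JSON file names are constructed placeholders.

```python
"""Flag AzureHound-style output drops in file-modification events."""
import re
from datetime import datetime, timedelta

# Zip name seen after Invoke-AzureHound: 14-digit timestamp + "-azurecollection.zip"
AZUREHOUND_ZIP = re.compile(r"^\d{14}-azurecollection\.zip$", re.IGNORECASE)

# Constructed sample events (not from any real sensor). The .json names are
# placeholders: the analytic only says "multiple .json files" are written.
SAMPLE_EVENTS = """\
2021-06-01T09:07:40 host=WS01 process=powershell.exe action=created path=C:\\Users\\alice\\placeholder-1.json
2021-06-01T09:07:45 host=WS01 process=powershell.exe action=created path=C:\\Users\\alice\\placeholder-2.json
2021-06-01T09:07:51 host=WS01 process=powershell.exe action=created path=C:\\Users\\alice\\20210601090751-azurecollection.zip
2021-06-01T09:09:00 host=WS02 process=explorer.exe action=created path=C:\\Users\\bob\\azurecollection.zip
2021-06-01T09:10:00 host=WS03 process=code.exe action=created path=C:\\src\\settings.json
"""

EVENT_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) process=(?P<process>\S+) "
    r"action=(?P<action>\S+) path=(?P<path>.+)$"
)

def parse_events(text):
    """Parse key=value lines into dicts with a parsed timestamp and base file name."""
    events = []
    for line in text.splitlines():
        m = EVENT_RE.match(line.strip())
        if m:
            ev = m.groupdict()
            ev["ts"] = datetime.fromisoformat(ev["ts"])
            ev["name"] = ev["path"].replace("\\", "/").rsplit("/", 1)[-1]
            events.append(ev)
    return events

def detect_azurehound(text, window=timedelta(minutes=5)):
    """Return one hit per zip matching the AzureHound name pattern, together with
    the .json files the same host/process wrote within `window` before it (heuristic)."""
    events = parse_events(text)
    hits = []
    for zip_ev in events:
        if not AZUREHOUND_ZIP.match(zip_ev["name"]):
            continue  # e.g. a plain "azurecollection.zip" without the timestamp prefix
        related = [e["name"] for e in events
                   if e["host"] == zip_ev["host"] and e["process"] == zip_ev["process"]
                   and e["name"].lower().endswith(".json")
                   and zip_ev["ts"] - window <= e["ts"] <= zip_ev["ts"]]
        hits.append({"host": zip_ev["host"], "process": zip_ev["process"],
                     "zip": zip_ev["name"], "json_files": related})
    return hits

if __name__ == "__main__":
    for hit in detect_azurehound(SAMPLE_EVENTS):
        print(hit)
```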
