Detecting BloodHound
My original post is no longer available. I have posted it on my personal blog now. It's a couple of years old, but I have been asked about it so here it is: Regardless of what attack life cycle you follow there are couple items which everyone can agree on: Companies have to assume they are already compromised. The earlier in the lifecycle that you can catch an attacker the lower the overall cost of remediation will be. After a host is compromised, the attacker has to create a command and control channel, establish persistence and start to do internal reconnaissance. SpectorOps continues to raise the bar with the way they (ab)use PowerShell for reconnaissance, lateral movement, and privilege exploitation. Their tools are meant to mimic advanced attackers and help the blue team see how they can improve. Many red teams/pentesters use their tools and at least one hacker, Phineas Fisher, used it when he successfully hacked Hacking Team. BloodHound John Lambert’s blog post