Part of incident: Multiple threat families detected on one endpoint
desktop-finley
Risk level
High
DESKTOP-FINLEY\Administrator
Alert story
Process tree

Bloodhound post-exploitation tool

Severity: Informational
Detection status: Detected
Alert status: New
Details

Classification
Not Set
Assigned to
API-Automated Investigation and Response

Category
Suspicious activity
MITRE ATT&CK Techniques
T1087: Account Discovery
Detection source
Antivirus
Service source
Microsoft Defender for Endpoint
Detection status
Detected
Detection technology
Client
Generated on
Sep 10, 2024 10:53:12 AM
First activity
Sep 10, 2024 10:52:16 AM
Last activity
Sep 10, 2024 10:52:16 AM

BloodHound, an open-source post-exploitation reconnaissance tool for Active Directory, has been detected on this device. BloodHound has been used in a wide range of documented attacks, including intrusions by state-sponsored groups and by groups associated with ransomware campaigns. On the endpoint the data collection is normally done by its collector (the SharpHound binary or the Invoke-BloodHound PowerShell script), which enumerates users, user sessions, groups, accounts, domain controller properties and permissions (ACLs) and writes the results to a timestamped zip of JSON files for offline attack-path analysis. Detections of BloodHound tooling or activity should be thoroughly investigated, even when the automated investigation reports no threats, since the tool itself is benign code and the harm lies in what the collected data enables next.
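The indicators named above (collector command lines, the timestamped output archive, and SMB session enumeration against many hosts) can be turned into a small triage check. The following is an added example written for this page, not Microsoft Defender's own detection logic and not a Defender Advanced Hunting query; the record layout (`Event` with `kind` of process/file/netconn), the SMB fan-out threshold of 10 hosts in 2 minutes, and all sample events are constructed assumptions. It takes the device and account names from the alert above but the paths, command lines and addresses are made up. Reading the output of such a check beside the alert tells an analyst whether the hit is a lone file on disk or an actual collection run.

```python
"""Triage check for BloodHound/SharpHound collection activity (MITRE ATT&CK T1087).
Added example: not Defender's detection logic. Schema and sample data are constructed."""
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Tuple


@dataclass
class Event:
    ts: datetime
    host: str
    user: str
    kind: str    # constructed schema: "process" (detail=command line), "file" (path), "netconn" ("ip:port")
    detail: str


# Command-line indicators: SharpHound collector names/flags and the PowerShell ingestor cmdlet.
CMDLINE_PATTERNS: List[Tuple[str, str]] = [
    (r"sharphound", "SharpHound collector name in command line"),
    (r"invoke-bloodhound|invoke-azurehound", "BloodHound PowerShell ingestor cmdlet"),
    (r"collectionmethods?\s*[:= ]\s*\w+", "explicit collection method"),      # -CollectionMethod All
    (r"(?<![\w-])-c\s+(all|session|loggedon|acl|group|trusts|dcom|localgroup)\b", "SharpHound -c shorthand"),
    (r"--zipfilename|--outputdirectory|--zippassword|--ldapusername", "SharpHound output or LDAP flags"),
]
# Output artifacts: SharpHound writes <yyyymmddHHMMSS>_BloodHound.zip and per-category JSON files.
FILE_PATTERNS: List[Tuple[str, str]] = [
    (r"\d{14}_bloodhound\.zip$", "timestamped BloodHound zip archive"),
    (r"\d{14}_(users|computers|groups|sessions|domains|gpos|ous|containers)\.json$", "SharpHound JSON collection file"),
]


def match_indicators(e: Event) -> List[str]:
    """Return the reasons a single process or file event looks like BloodHound collection."""
    patterns = CMDLINE_PATTERNS if e.kind == "process" else FILE_PATTERNS if e.kind == "file" else []
    text = e.detail.lower()
    return [why for pat, why in patterns if re.search(pat, text)]


def smb_fan_out(events: List[Event], window: timedelta = timedelta(minutes=2),
                threshold: int = 10) -> Dict[Tuple[str, str], int]:
    """Largest number of distinct TCP/445 targets each (host, user) reaches inside any sliding window.
    Session collection (NetSessionEnum) touches many hosts in seconds; a workstation normally does not."""
    by_actor: Dict[Tuple[str, str], List[Event]] = defaultdict(list)
    for e in events:
        if e.kind == "netconn" and e.detail.endswith(":445"):
            by_actor[(e.host, e.user)].append(e)
    hits: Dict[Tuple[str, str], int] = {}
    for actor, conns in by_actor.items():
        conns.sort(key=lambda c: c.ts)
        best = 0
        for i, start in enumerate(conns):
            targets = {c.detail for c in conns[i:] if c.ts - start.ts <= window}
            best = max(best, len(targets))
        if best >= threshold:
            hits[actor] = best
    return hits


def detect(events: List[Event]) -> List[str]:
    """Combine per-event indicators with the behavioural fan-out check into analyst-readable findings."""
    findings = []
    for e in events:
        for why in match_indicators(e):
            findings.append(f"{e.ts:%H:%M:%S} {e.host} {e.user} T1087 {why}: {e.detail}")
    for (host, user), n in smb_fan_out(events).items():
        findings.append(f"{host} {user} T1087 SMB fan-out: {n} distinct hosts on 445 within 2 min")
    return findings


# Constructed sample telemetry around the alert's "First activity" time.
T0 = datetime(2024, 9, 10, 10, 52, 16)
SAMPLE: List[Event] = [
    Event(T0 - timedelta(minutes=5), "desktop-finley", "Administrator", "process",
          r'"C:\Windows\notepad.exe" C:\Users\Administrator\notes.txt'),                # benign
    Event(T0, "desktop-finley", "Administrator", "process",
          r"C:\Users\Administrator\Downloads\SharpHound.exe -c All --zipfilename loot.zip"),
    Event(T0 + timedelta(seconds=2), "desktop-finley", "Administrator", "process",
          r'powershell.exe -nop -c "Import-Module .\BloodHound.ps1; Invoke-BloodHound -CollectionMethod All"'),
    Event(T0 + timedelta(seconds=50), "desktop-finley", "Administrator", "file",
          r"C:\Users\Administrator\Downloads\20240910105216_BloodHound.zip"),
] + [  # 15 SMB connections to distinct hosts within 15 seconds: session enumeration fan-out
    Event(T0 + timedelta(seconds=5 + i), "desktop-finley", "Administrator", "netconn", f"10.0.2.{10 + i}:445")
    for i in range(15)
] + [  # another (constructed) workstation touching three file servers over half an hour: below threshold
    Event(T0 + timedelta(minutes=10 * i), "ws-02", "jdoe", "netconn", f"10.0.3.{20 + i}:445")
    for i in range(3)
]

if __name__ == "__main__":
    for line in detect(SAMPLE):
        print(line)
```

The process-level patterns catch a collector run from the obvious binary or script; the file pattern catches the output even when the collector was renamed; the fan-out check is behavioural and survives both renaming and in-memory execution, at the cost of a threshold that has to be tuned per environment (vulnerability scanners and backup agents also open many SMB sessions).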

Incident severity
Informational
Active alerts: 1/2
Devices: 1
Users: 0
Mailboxes: 0
Apps: 0

Investigation status
No threats found
Start time
Sep 10, 2024 10:53:13 AM
End time
Sep 10, 2024 11:07:05 AM
Duration
13 min 51 s

Activity log (most recent first):
Sep 27, 2024 8:18:40 PM - emily.eaton@thisisarealcompany.com - Status changed from 'Resolved' to 'New'.
Sep 10, 2024 11:07:05 AM - API-Automated Investigation and Response - Status changed from 'New' to 'Resolved'.
Sep 10, 2024 10:54:50 AM - Automation - Alert linked to incident #189
Sep 10, 2024 10:53:12 AM - Automation - Alert linked to incident #190