The following analytic identifies common command-line arguments used by SharpHound -collectionMethod and invoke-bloodhound. Being the script is FOSS, function names may be modified, but these changes are dependent upon the operator. In most instances the defaults are used. This analytic works to identify the common command-line attributes used. It does not cover the entirety of every argument in order to avoid false positives.
To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the Endpoint datamodel in the Processes node.
Kill Chain Phase
Known False Positives
False positives should be limited as the arguments used are specific to SharpHound. Filter as needed or add more command-line arguments as needed.
Possible SharpHound command-Line arguments identified on $dest$