BloodHound

BloodHound is an Active Directory (AD) reconnaissance tool that can reveal hidden relationships and identify attack paths within an AD environment.[1][2][3]

ID: S0521
Type: TOOL
Platforms: Windows
Version: 1.6
Created: 28 October 2020
Last Modified: 25 September 2024

Techniques Used

Domain ID Name Use
Enterprise T1087 .001 Account Discovery: Local Account

BloodHound can identify users with local administrator rights.[2]

.002 Account Discovery: Domain Account

BloodHound can collect information about domain users, including identification of domain admin accounts.[2]

Enterprise T1560 Archive Collected Data

BloodHound can compress data collected by its SharpHound ingestor into a ZIP file to be written to disk.[1][4]

Enterprise T1059 .001 Command and Scripting Interpreter: PowerShell

BloodHound can use PowerShell to pull Active Directory information from the target environment.[2]

Enterprise T1482 Domain Trust Discovery

BloodHound has the ability to map domain trusts and identify misconfigurations for potential abuse.[2]

Enterprise T1615 Group Policy Discovery

BloodHound has the ability to collect local admin information via GPO.[1]

Enterprise T1106 Native API

BloodHound can use .NET API calls in the SharpHound ingestor component to pull Active Directory data.[1]

Enterprise T1201 Password Policy Discovery

BloodHound can collect password policy information on the target environment.[2]

Enterprise T1069 .001 Permission Groups Discovery: Local Groups

BloodHound can collect information about local groups and members.[2]

.002 Permission Groups Discovery: Domain Groups

BloodHound can collect information about domain groups and members.[2]

Enterprise T1018 Remote System Discovery

BloodHound can enumerate and collect the properties of domain computers, including domain controllers.[2]

Enterprise T1033 System Owner/User Discovery

BloodHound can collect information on user sessions.[2]

Groups That Use This Software

ID Name References
G0102 Wizard Spider

[5][6][7][8]

G0016 APT29

[9]

G0114 Chimera

[10]

G0092 TA505

[11]

G1040 Play

[12]

G1003 Ember Bear

Ember Bear has used BloodHound to profile Active Directory environments.[13]

Campaigns

ID Name Description
C0014 Operation Wocao

During Operation Wocao, threat actors used BloodHound discover trust between domains.[3]

References