BloodHound
BloodHound is an open-source post-compromise reconnaissance and visualization tool used to map relationships and attack paths in Active Directory, Microsoft Entra ID, and Azure environments. Its SharpHound ingestor collects directory and host data via LDAP, PowerShell, and .NET API calls, including domain users, domain administrator accounts, local accounts, local and domain groups, user sessions, domain computers including domain controllers, domain trust relationships, and Group Policy-derived local administrator information. BloodHound can also compress collected data into a ZIP archive written to disk, and AzureHound, part of the BloodHound suite, can collect Microsoft Graph and Azure REST API data for Entra ID and Azure enumeration.
The content shows BloodHound being used for Active Directory mapping, account discovery, remote system discovery, domain trust discovery, permission group discovery, and identification of privilege escalation paths. It is commonly used by penetration testers and internal security teams, but multiple threat actors and intrusion sets have also used it in real intrusions, including ransomware-related operations. Reported examples in the content include Russian state-sponsored actors targeting U.S. cleared defense contractors, attackers in the Capita 2023 intrusion, Play, and other operators using BloodHound alongside tools such as Cobalt Strike, Mimikatz, CrackMapExec, PowerView, and PsExec.
Observed execution patterns in the content include PowerShell-based download cradles and direct invocation of SharpHound.ps1 and Invoke-BloodHound. Detection-relevant details directly mentioned include SharpHound/BloodHound LDAP query patterns, anomalous SPN requests associated with Kerberoasting, large-scale Active Directory enumeration, and the use of the default AzureHound user-agent format "azurehound/<version>" in cloud audit logs.
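Two of the observables named above lend themselves to simple log checks: the default AzureHound user-agent string ("azurehound/<version>") in cloud audit records, and wide-scope, high-volume LDAP enumeration from a single client. The following Python is an added example written for this page, not code from the BloodHound project or from any of the sources quoted here; the log records, field names (`principal`, `user_agent`, `client`, `filter`, `scope`) and thresholds are constructed for illustration and are not any vendor's schema. The LDAP filters used in the sample are generic object-class queries, not tool-specific signatures, so the check keys on enumeration shape (many subtree-scoped queries with several distinct filters from one host) rather than on a particular collector.

```python
"""Defender-side checks for the two observables the page names: the default AzureHound
user-agent in cloud audit logs and bursty, wide-scope LDAP enumeration from one client.
Added example: all records and field names below are constructed, not real telemetry."""
import re
from collections import defaultdict

# Default AzureHound user-agent format named on the page: "azurehound/<version>".
AZUREHOUND_UA = re.compile(r"^azurehound/\d+(\.\d+)*", re.IGNORECASE)

# Constructed cloud audit records (hypothetical schema, not Entra ID's real field names).
CLOUD_AUDIT = [
    {"principal": "svc-backup@example.test", "user_agent": "azurehound/2.1.5",
     "operation": "List groups"},
    {"principal": "alice@example.test", "user_agent": "Mozilla/5.0 (Windows NT 10.0)",
     "operation": "Sign in"},
    {"principal": "svc-backup@example.test", "user_agent": "AzureHound/2.1.5",
     "operation": "List roleAssignments"},
]


def find_azurehound_activity(records):
    """Return (principal, operation) pairs whose user-agent matches the AzureHound default.
    Matching is case-insensitive because the field is attacker-controlled free text."""
    return [(r["principal"], r["operation"])
            for r in records
            if AZUREHOUND_UA.match(r.get("user_agent", ""))]


# Constructed LDAP query records (hypothetical schema: client, base, filter, scope).
# The filters are generic object-class queries, chosen to show enumeration shape only.
LDAP_LOG = [
    {"client": "10.0.0.5", "base": "DC=corp,DC=test", "scope": "subtree",
     "filter": "(objectClass=user)"},
    {"client": "10.0.0.5", "base": "DC=corp,DC=test", "scope": "subtree",
     "filter": "(objectClass=group)"},
    {"client": "10.0.0.5", "base": "DC=corp,DC=test", "scope": "subtree",
     "filter": "(objectClass=computer)"},
    {"client": "10.0.0.5", "base": "DC=corp,DC=test", "scope": "subtree",
     "filter": "(objectClass=trustedDomain)"},
    {"client": "10.0.0.5", "base": "DC=corp,DC=test", "scope": "subtree",
     "filter": "(objectClass=groupPolicyContainer)"},
    # Ordinary lookups: a single targeted query, and a repeated identical query.
    {"client": "10.0.0.20", "base": "CN=Users,DC=corp,DC=test", "scope": "base",
     "filter": "(sAMAccountName=alice)"},
    {"client": "10.0.0.21", "base": "DC=corp,DC=test", "scope": "subtree",
     "filter": "(objectClass=printQueue)"},
    {"client": "10.0.0.21", "base": "DC=corp,DC=test", "scope": "subtree",
     "filter": "(objectClass=printQueue)"},
]


def flag_ldap_enumeration(records, min_queries=3, min_distinct_filters=3):
    """Flag clients that issue many subtree-scoped queries with several distinct filters.
    Individually each query is normal; the combination, from one host inside a window,
    is what wholesale directory enumeration looks like whichever tool produced it.
    Thresholds are illustrative and should be tuned against a baseline."""
    filters_by_client = defaultdict(list)
    for r in records:
        if r.get("scope") == "subtree":
            filters_by_client[r["client"]].append(r["filter"])
    return sorted(client for client, filters in filters_by_client.items()
                  if len(filters) >= min_queries
                  and len(set(filters)) >= min_distinct_filters)


if __name__ == "__main__":
    for principal, op in find_azurehound_activity(CLOUD_AUDIT):
        print(f"AzureHound user-agent: {principal} -> {op}")
    for client in flag_ldap_enumeration(LDAP_LOG):
        print(f"LDAP enumeration pattern from {client}")
```

The user-agent check is cheap but brittle, since the string is trivially changed; the LDAP volume check is the more durable of the two because it keys on what the collector must do rather than on how it identifies itself.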
Groups observed using it
5 distinct threat actors attributed by public researchers.
Prominent among the other tools used by Twelve are Cobalt Strike, Mimikatz, Chisel, BloodHound, PowerView, adPEAS, CrackMapExec, Advanced IP Scanner, and PsExec for credential theft, discovery, network mapping, and privilege escalation.
During an intrusion, tools such as Cobalt Strike, PowerShell Empire, Bloodhound, PSExec... are used for network discovery and traversal, privilege escalation, staging, and ransomware deployment.
"SharpHound... for BloodHound (an open-source Active Directory analysis tool used to identify attack paths in AD environments)."
...UNC2447 has been observed using the following tools: ADFIND, BLOODHOUND...
Techniques & procedures
21 distinct techniques documented for this family, organized by ATT&CK tactic.
Resource Development
1 technique
Execution
1 technique
The content repeatedly describes threat actors and malware using PowerShell scripts/commands for execution, download, staging, reconnaissance, persistence, credential access, lateral movement, and defense evasion; e.g., "Sandworm Team used PowerShell scripts to run a credential harvesting tool in memory to evade defenses."
Privilege Escalation
2 techniques
Defense Impairment
1 technique
Credential Access
3 techniques
By MITRE ATT&CK classification - sub-technique T1003.006 (DCSync). ... you pose as a second domain controller and request replication of credentials from the real DC over the MS-DRSR protocol.
Discovery
13 techniques
In BOFHound output mode, all attributes for every object are parsed and outputted to BOFHound format... Computers collection
LDAP is commonly used by criminals for lateral movement and critical assets enumeration in on-premises cyberattacks.
Threat actors often use LDAP for network enumeration during the discovery phase of an attack. Attackers query directories to extract sensitive information such as user accounts, group memberships and permissions, which they then use to escalate privileges and target critical assets.
The content repeatedly describes malware and threat actors collecting usernames, identifying logged-in users, running whoami/query user/quser, checking whether the current user is an administrator, enumerating user sessions, and gathering account details from compromised hosts.
For four days – March 24-28 – they conducted network reconnaissance using Cobalt Strike and Bloodhound before Capita detected three compromised staff devices and contained them.
System Networks Connections Discovery [T1049]: A common tool used for this network enumeration tactic is Bloodhound.
We’ll use BloodHound to find users we have these rights over. Our current user is blwasp, so we’ll look for “Outbound Object Control” permissions in BloodHound.
Impacket Active Directory user enumeration identifying SQL service users, Citrix administrators and CyberArk vault operators from AD logs; GPP XML privilege mapping.
T1069.003: Permission Groups Discovery: Cloud Groups
Once threat actors know the identities within the target environment, they need to understand the relationships between the identities by discovering permission structures... For Permissions Groups Discovery: Cloud Accounts, AzureHound has the following capabilities: list groups, list roles, list group-members, list group-owners, list role-assignments, list app-role-assignments, list key-vault-access-policies, list management-group-role-assignments, list resource-group-role-assignments, list subscription-role-assignments, list virtual-machine-role-assignments.
GeminiDuke focuses primarily on gathering details about the victim’s computer’s configuration.
In Active Directory environments, attackers search for accounts that are unjustifiably members of privileged groups, service accounts with unnecessary administrative rights, or delegation settings that allow them to impersonate other users. Tools like BloodHound automatically map these relationships, revealing the shortest path from their compromised account to domain administrator privileges.
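The "shortest path to domain administrator" idea is a plain graph search over directory relationships, and defenders can run the same search over their own exported data to find which ordinary accounts are exposed and which single relationship, if removed, cuts the most paths. The Python below is an added example written for this page, not BloodHound's own code (BloodHound stores its graph in Neo4j and answers these questions with Cypher queries); the principals, hosts and edges are constructed, and the edge labels (MemberOf, AdminTo, HasSession) only mirror the relationship kinds described above: group membership, local administrator rights, and logged-on sessions.

```python
"""Attack-path exposure audit over a constructed Active Directory relationship graph.
Added example: every principal, host and edge below is invented for illustration."""
from collections import deque, Counter

# Directed edges (source, relationship, target). Constructed data, not collected output.
EDGES = [
    ("alice", "MemberOf", "HELPDESK"),
    ("dave", "MemberOf", "HELPDESK"),
    ("HELPDESK", "AdminTo", "WS01"),        # helpdesk group is local admin on WS01
    ("WS01", "HasSession", "bob"),          # a domain admin is logged on to WS01
    ("bob", "MemberOf", "DOMAIN ADMINS"),
    ("bob", "MemberOf", "SERVER-ADMINS"),
    ("carol", "MemberOf", "FINANCE"),
    ("FINANCE", "AdminTo", "FS01"),         # dead end: FS01 has no onward edges
]
USERS = ["alice", "bob", "carol", "dave"]
TARGET = "DOMAIN ADMINS"


def build_graph(edges):
    """Adjacency map: node -> list of (relationship, neighbour)."""
    graph = {}
    for src, kind, dst in edges:
        graph.setdefault(src, []).append((kind, dst))
        graph.setdefault(dst, [])
    return graph


def shortest_path(graph, start, target):
    """Breadth-first search; returns the hop list [(src, kind, dst), ...] or None.
    BFS gives the fewest hops, which is what 'shortest path' means here."""
    if start == target:
        return []
    parent = {start: None}
    queue = deque([start])
    while queue:
        node = queue.popleft()
        for kind, nxt in graph.get(node, []):
            if nxt in parent:
                continue
            parent[nxt] = (node, kind)
            if nxt == target:
                path, cur = [], nxt
                while parent[cur] is not None:
                    prev, k = parent[cur]
                    path.append((prev, k, cur))
                    cur = prev
                return path[::-1]
            queue.append(nxt)
    return None


def exposed_principals(graph, principals, target):
    """Map each principal that can reach the target to its shortest path."""
    return {p: path for p in principals
            if (path := shortest_path(graph, p, target)) is not None}


def choke_points(paths, target):
    """Count how often each edge appears across all found paths, ignoring the final
    membership edge into the target group itself (that membership may be legitimate;
    the remediable exposure is the chain that leads into it). Most-shared edge first."""
    counts = Counter(edge for path in paths.values() for edge in path
                     if edge[2] != target)
    return sorted(counts.items(), key=lambda item: (-item[1], item[0]))


GRAPH = build_graph(EDGES)

if __name__ == "__main__":
    exposed = exposed_principals(GRAPH, USERS, TARGET)
    for user, path in exposed.items():
        hops = " -> ".join(f"{s} [{k}] {d}" for s, k, d in path) or "(is a member)"
        print(f"{user}: {hops}")
    for edge, count in choke_points(exposed, TARGET):
        print(f"remove {edge} to cut {count} path(s)")
```

On the sample data alice and dave both reach the target through the helpdesk group's admin rights on WS01 and the admin session sitting there, so either edge (tiering the admin's logons away from workstations, or trimming the group's local admin rights) cuts both paths; carol has no path at all.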
PasswordLastSet and LastLogon attribute correlation to reconstruct the IT hierarchy; SAP BAPI_USER_GET_DETAIL role and profile enumeration.
We also know the DC’s name is Deaddrop-DC and the domain is deaddrop.loc. Let’s try collecting all the domain information to feed into BloodHound
T1580: Cloud Infrastructure Discovery
To fully grasp the architecture of the target environment, a threat actor must discover the foundational infrastructure components... For Cloud Infrastructure Discovery, AzureHound has the following capabilities: list tenants, list subscriptions, list resource-groups, list management-groups, list virtual-machines, list key-vaults.
Recent activity
55 sources tracked across advisories, community write-ups, and news.
An Active Directory enumeration tool discussed as part of possible lateral movement and privilege-mapping activity inside the compromised environment.
Referenced through detection names indicating use or testing of Active Directory discovery and attack-path mapping capabilities within the broader framework.
An Active Directory reconnaissance and attack-path mapping tool referenced via detections tied to this threat activity.
Explicitly described as a tool for Active Directory mapping used during intrusions.