BloodHound

BloodHound is an Active Directory (AD) reconnaissance tool that can reveal hidden relationships and identify attack paths within an AD environment.[1][2][3]

ID: S0521
Type: TOOL
Platforms: Windows
Version: 1.6
Created: 28 October 2020
Last Modified: 25 September 2024

Techniques Used

Domain ID Name Use
Enterprise T1059 .001 Command and Scripting Interpreter: PowerShell

BloodHound can use PowerShell to pull Active Directory information from the target environment.[2]

Enterprise T1482 Domain Trust Discovery

BloodHound has the ability to map domain trusts and identify misconfigurations for potential abuse.[2]

Enterprise T1201 Password Policy Discovery

BloodHound can collect password policy information on the target environment.[2]

Enterprise T1560 Archive Collected Data

BloodHound can compress data collected by its SharpHound ingestor into a ZIP file to be written to disk.[1][4]

Enterprise T1106 Native API

BloodHound can use .NET API calls in the SharpHound ingestor component to pull Active Directory data.[1]

Enterprise T1069 .001 Permission Groups Discovery: Local Groups

BloodHound can collect information about local groups and members.[2]

.002 Permission Groups Discovery: Domain Groups

BloodHound can collect information about domain groups and members.[2]

Enterprise T1033 System Owner/User Discovery

BloodHound can collect information on user sessions.[2]

Enterprise T1615 Group Policy Discovery

BloodHound has the ability to collect local admin information via GPO.[1]

Enterprise T1087 .001 Account Discovery: Local Account

BloodHound can identify users with local administrator rights.[2]

.002 Account Discovery: Domain Account

BloodHound can collect information about domain users, including identification of domain admin accounts.[2]

Enterprise T1018 Remote System Discovery

BloodHound can enumerate and collect the properties of domain computers, including domain controllers.[2]

Groups That Use This Software

ID Name References
G0102 Wizard Spider [5][6][7][8]

G0016 APT29 [9]

G0114 Chimera [10]

G0092 TA505 [11]

G1040 Play [12]

G1003 Ember Bear

Ember Bear has used BloodHound to profile Active Directory environments.[13]

Campaigns

ID Name Description
C0014 Operation Wocao

During Operation Wocao, threat actors used BloodHound to discover trust relationships between domains.[3]

References