


BloodHound is an open source tool that provides visibility into Active Directory environments. It is a common precursor to follow-on activity, whether that’s further testing or ransomware.






Editor’s note: While the detection opportunities and analysis on this page are still relevant, it has not been updated since 2023. 




BloodHound is an open source tool that can be used to identify attack paths and relationships in an Active Directory (AD) environment. BloodHound made it into our top 10 threat rankings thanks to both testing activity and adversary use. It is popular among adversaries and testers because having information about an AD environment can enable further lateral movement throughout a network.

BloodHound has multiple components, including SharpHound, which is a data collector for BloodHound written in C#. Continuing a trend from the past several years, SharpHound was one of the most common BloodHound components we observed in 2022. Though we remove customer-reported testing from our threats counted for this report, we assess BloodHound’s appearance as the #9 threat is likely due in part to its use in testing that was not reported as such.

Though BloodHound is commonly used by testers, multiple adversaries used BloodHound during 2022. BloodHound was regularly observed in ransomware intrusions, and its use by Conti was confirmed via the leaks about their operations. BloodHound was also used in an intrusion to conduct discovery after Gootloader execution and before lateral movement.

Because adversaries often leverage BloodHound early in their intrusion, defenders should be prepared with robust detection and a quick response to stop the malware in its tracks. BloodHound’s role as a dual-use tool can make it particularly challenging to determine if its presence is authorized or malicious, meaning that a solid understanding of its allowed use in an environment is critical to respond appropriately.

Identifying SharpHound components gathering data can be challenging. To gather AD data, SharpHound connects to multiple hosts over ports 137 and 445, along with multiple named pipe connections. As your environment scales larger, the noise from SharpHound will scale accordingly. For most organizations, SharpHound activity will likely appear to be SMB scanning activity until investigated further.

Additionally, BloodHound can be identified through hunting in LDAP data, as described in this Microsoft blog.


Detection opportunities


Common BloodHound command-line options

This detection analytic identifies processes that contain common command lines consistent with the execution of BloodHound. While this is a simple analytic, we’ve found it to be effective in identifying BloodHound.

command_includes ('-collectionMethod' || 'invoke-bloodhound' || 'get-bloodHounddata')
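
The analytic above, applied to process-start events, as an added Python example (not Red Canary's own code). Matching is case-insensitive; the event fields, sample command lines and the authorized-host allowlist are constructed assumptions.

```python
from dataclasses import dataclass

# The three substrings from the analytic, lowercased for case-insensitive matching.
BLOODHOUND_TERMS = ("-collectionmethod", "invoke-bloodhound", "get-bloodhounddata")


@dataclass
class ProcessEvent:
    host: str
    user: str
    command_line: str


def matched_terms(command_line: str) -> list[str]:
    """Return the analytic's terms found in the command line (case-insensitive)."""
    lowered = command_line.lower()
    return [term for term in BLOODHOUND_TERMS if term in lowered]


def triage(events, authorized_hosts):
    """Return (event, terms, status) for every event that trips the analytic.

    authorized_hosts is a hypothetical allowlist of hosts approved for testing;
    a hit from any other host is marked for investigation.
    """
    results = []
    for ev in events:
        terms = matched_terms(ev.command_line)
        if terms:
            known = ev.host.lower() in authorized_hosts
            results.append((ev, terms, "authorized-testing" if known else "investigate"))
    return results


# Constructed sample telemetry (not real data). The second line shows that the
# '-collectionMethod' substring also matches a '--CollectionMethods' long flag.
SAMPLE_EVENTS = [
    ProcessEvent("WS-014", "CORP\\jdoe", "powershell.exe Invoke-BloodHound -CollectionMethod All"),
    ProcessEvent("PT-LAB-01", "CORP\\redteam", "SharpHound.exe --CollectionMethods Session"),
    ProcessEvent("WS-022", "CORP\\asmith", "powershell.exe get-bloodhounddata"),
    ProcessEvent("WS-031", "CORP\\bwong", "robocopy.exe C:\\src D:\\dst /MIR"),
]
AUTHORIZED_HOSTS = {"pt-lab-01"}  # constructed allowlist, lowercase host names

if __name__ == "__main__":
    for ev, terms, status in triage(SAMPLE_EVENTS, AUTHORIZED_HOSTS):
        print(f"{status:18} {ev.host:10} {ev.user:14} {terms}")
```
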



Atomic Red Team includes a pair of tests for running BloodHound locally or via a download cradle that may help security teams emulate the detection logic described above.
