BloodHound is an open source tool that provides visibility into Active Directory environments. It is a common precursor to follow-on activity, whether that’s further testing or ransomware.

BloodHound is an open source tool that can be used to identify attack paths and relationships in an Active Directory (AD) environment. Like Impacket, this is the first year BloodHound made it into our top 10 threat rankings, thanks to both testing activity and adversary use. It is popular among adversaries and testers because having information about an AD environment can enable further lateral movement throughout a network. BloodHound has multiple components, including SharpHound, which is a data collector for BloodHound written in C#. Throughout 2021, SharpHound was one of the most common BloodHound components we observed.

Multiple adversaries used BloodHound during 2021, including FIN12 and operators of Yanluowang ransomware. We also observed BloodHound being used by operators in conjunction with Cobalt Strike only 75 minutes after a user first opened a malicious XLS phishing lure that initiated a SquirrelWaffle malware payload.

Because adversaries often leverage BloodHound early in an intrusion, defenders should be prepared with robust detection and a quick response to stop the activity in its tracks. BloodHound's role as a dual-use tool can make it particularly challenging to determine whether its presence is authorized or malicious, so a solid understanding of its allowed use in an environment is critical to responding appropriately.

Identifying SharpHound components gathering data can be challenging. To gather AD data, SharpHound connects to multiple hosts over ports 137 and 445, along with multiple named pipe connections. As your environment scales larger, the noise from SharpHound will scale accordingly. For most organizations, SharpHound activity will likely appear to be SMB scanning activity until investigated further.

Detection opportunities

High-volume port 445 connections

This detection opportunity identifies a single process exceeding a set threshold for a normal volume of network connections to port 445. We did not specify logic for this detection analytic, since the normal number of connections will differ in each environment. While it takes some tuning, this analytic helps detect not only BloodHound, but also various types of post-exploitation SMB scanning and lateral movement.

Common BloodHound command-line options

This detection analytic identifies processes that contain common command lines consistent with the execution of BloodHound. While this is a simple analytic, we’ve found it to be effective in identifying BloodHound. It’s a good supplement to the port 445 analytic, which can require more tuning.

command_line_includes ('-collectionMethod' || 'invoke-bloodhound' || 'get-bloodHounddata')
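As an added illustration of the two analytics above (example code, not Red Canary's own detection logic), the following runs both over constructed endpoint telemetry. The event tuples, field layout, process ids and command lines are assumptions for the example; the threshold argument is the per-environment tuning knob the port 445 analytic describes, and the benign explorer.exe connections show the kind of noise it has to be tuned against.

```python
# Added example, not from the original report. Field layout and sample
# events are assumptions, not any product's telemetry schema.
from collections import defaultdict

# Constructed network-connection events: (pid, image, destination ip, destination port).
# pid 4120 fans out to 40 hosts on 445; pid 2200 is ordinary file-share noise.
NETCONN_EVENTS = [
    (4120, "C:\\Users\\alice\\Downloads\\SharpHound.exe", f"10.0.0.{i}", 445)
    for i in range(1, 41)
] + [
    (2200, "C:\\Windows\\explorer.exe", "10.0.0.5", 445),
    (2200, "C:\\Windows\\explorer.exe", "10.0.0.6", 445),
    (3310, "C:\\Windows\\System32\\svchost.exe", "10.0.0.7", 443),
]

# Constructed process events: (pid, command line).
PROCESS_EVENTS = [
    (4120, "SharpHound.exe -CollectionMethod All"),
    (5001, "powershell.exe -c Invoke-BloodHound -CollectionMethod All"),
    (5002, "powershell.exe -c Get-BloodHoundData"),
    (2200, "C:\\Windows\\explorer.exe"),
]

# The strings from the command-line analytic above, lowercased so matching
# is case-insensitive (PowerShell cmdlets and SharpHound flags are not case-sensitive).
BLOODHOUND_CMDLINE_STRINGS = ("-collectionmethod", "invoke-bloodhound", "get-bloodhounddata")


def high_volume_445(events, threshold):
    """Port 445 analytic: return {pid: distinct 445 destinations} for every
    process that connected to more than `threshold` distinct hosts on 445.
    The threshold is tuned per environment; there is no universal value."""
    destinations = defaultdict(set)
    for pid, _image, dst_ip, dst_port in events:
        if dst_port == 445:
            destinations[pid].add(dst_ip)
    return {pid: len(hosts) for pid, hosts in destinations.items() if len(hosts) > threshold}


def bloodhound_cmdline(events):
    """Command-line analytic: return pids whose command line contains any
    of the BloodHound strings, matched case-insensitively."""
    return [pid for pid, cmd in events
            if any(s in cmd.lower() for s in BLOODHOUND_CMDLINE_STRINGS)]
```

A process that fires both analytics (here pid 4120) is a far stronger signal than either alone, which is the sense in which the command-line analytic supplements the noisier port 445 one.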