BloodHound is an open source tool used to identify attack paths and relationships in an Active Directory (AD) environment. Like Impacket, BloodHound appears in our top 10 threat rankings for the first time this year, thanks to both testing activity and adversary use. It is popular among adversaries and testers alike because a map of an AD environment (users, group memberships, logged-on sessions, and the permissions and trusts that connect them) shows exactly which hops enable lateral movement and privilege escalation across a network. BloodHound has multiple components, including SharpHound, a data collector for BloodHound written in C#. Throughout 2021, SharpHound was the BloodHound component we observed most often.
Multiple adversaries used BloodHound during 2021, including FIN12 and operators of Yanluowang ransomware. We also observed operators using BloodHound in conjunction with Cobalt Strike only 75 minutes after a user first opened a malicious XLS phishing lure that delivered a SquirrelWaffle malware payload.
Because adversaries often run BloodHound early in an intrusion, defenders need robust detection and a quick response to stop the intrusion before the collected data is turned into lateral movement. BloodHound is a dual-use tool, so its presence alone does not tell you whether it is authorized or malicious; knowing who is allowed to run it in your environment, from which hosts, and when, is critical to responding appropriately.
Identifying SharpHound while it is gathering data can be challenging. Beyond its LDAP queries against domain controllers, SharpHound reaches out to many individual hosts over port 445 (SMB) and port 137 (NetBIOS name service) and opens multiple named pipe connections to each (typically the srvsvc, samr, and lsarpc pipes used to enumerate sessions and local group membership). The larger the environment, the more hosts a single collection run touches, so the noise from SharpHound scales with it. For most organizations, SharpHound activity will look like SMB scanning from a single workstation process until it is investigated further.
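The fan-out pattern described above is what a detection can key on: one process on one host opening connections to an unusual number of distinct peers on 445/tcp or 137/udp inside a short window, optionally corroborated by the named pipes it touched. The following is an added example of that logic, not code from Red Canary or from the BloodHound project. It assumes Sysmon Event ID 3 (network connection) and Event ID 18 (pipe connected) records already parsed into dicts with Sysmon's field names; the five-minute window, the 20-host threshold, the host names, process paths and IP addresses are all constructed for illustration and should be tuned to your environment. The `sanctioned_hosts` allowlist is where an authorized red-team or audit host goes, which is the dual-use caveat from the previous paragraph expressed in code.

```python
"""Fan-out detector for SharpHound-style SMB enumeration over Sysmon telemetry.

Added example; not Red Canary's or BloodHound's code. Field names follow the
Sysmon schema; window, threshold, hosts and IPs below are assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta

ENUM_PORTS = {(445, "tcp"), (137, "udp")}          # SMB and NetBIOS name service
ENUM_PIPES = {"\\srvsvc", "\\samr", "\\lsarpc"}     # session / local group / SID lookup RPC pipes
WINDOW = timedelta(minutes=5)                       # assumption: tune per environment
THRESHOLD = 20                                      # distinct peers per process in WINDOW (assumption)


def parse_time(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S")


def find_fan_out(events, threshold=THRESHOLD, window=WINDOW, sanctioned_hosts=frozenset()):
    """Return one alert per process that reached >= threshold distinct peers within window.

    Alert tuple: (Computer, Image, ProcessId, window_start, distinct_peer_count).
    """
    by_proc = defaultdict(list)
    for e in events:
        if (int(e["DestinationPort"]), e["Protocol"].lower()) not in ENUM_PORTS:
            continue
        if e["Computer"] in sanctioned_hosts:      # authorized collection host: skip
            continue
        key = (e["Computer"], e["Image"], int(e["ProcessId"]))
        by_proc[key].append((parse_time(e["UtcTime"]), e["DestinationIp"]))

    alerts = []
    for key, conns in by_proc.items():
        conns.sort()                               # sliding window over time-ordered connections
        start, seen = 0, defaultdict(int)          # seen: peer ip -> hits inside the window
        for end in range(len(conns)):
            seen[conns[end][1]] += 1
            while conns[end][0] - conns[start][0] > window:
                ip = conns[start][1]
                seen[ip] -= 1
                if seen[ip] == 0:
                    del seen[ip]
                start += 1
            if len(seen) >= threshold:
                alerts.append((*key, conns[start][0], len(seen)))
                break                              # one alert per process is enough
    return alerts


def pipe_evidence(pipe_events):
    """Map (Computer, Image, ProcessId) -> set of enumeration pipes it connected to (Event ID 18)."""
    out = defaultdict(set)
    for e in pipe_events:
        name = e["PipeName"].lower()
        if name in ENUM_PIPES:
            out[(e["Computer"], e["Image"], int(e["ProcessId"]))].add(name)
    return dict(out)


def sample_events():
    """Constructed Sysmon Event ID 3 records (not real telemetry)."""
    base = datetime(2021, 6, 1, 12, 0, 0)
    ev = []

    def conn(comp, image, pid, t, ip, port, proto):
        ev.append({"Computer": comp, "Image": image, "ProcessId": pid,
                   "UtcTime": t.strftime("%Y-%m-%d %H:%M:%S"),
                   "DestinationIp": ip, "DestinationPort": port, "Protocol": proto})

    collector = r"C:\Users\alice\Downloads\SharpHound.exe"
    for i in range(30):                            # 30 peers on 445/tcp and 137/udp in two minutes
        t = base + timedelta(seconds=4 * i)
        conn("WS01", collector, 4321, t, f"10.0.1.{i + 1}", 445, "tcp")
        conn("WS01", collector, 4321, t, f"10.0.1.{i + 1}", 137, "udp")
    for i, ip in enumerate(["10.0.2.10", "10.0.2.11"]):   # benign: two mapped file shares
        conn("WS01", r"C:\Windows\explorer.exe", 1111, base + timedelta(minutes=i), ip, 445, "tcp")
    for i in range(30):                            # slow agent: same 30 peers spread over 3 hours
        conn("WS02", r"C:\Program Files\Backup\agent.exe", 2222,
             base + timedelta(minutes=6 * i), f"10.0.1.{i + 1}", 445, "tcp")
    conn("WS01", r"C:\Program Files\Browser\browser.exe", 3333, base, "93.184.216.34", 443, "tcp")
    return ev


if __name__ == "__main__":
    for a in find_fan_out(sample_events()):
        print("fan-out:", a)
    pipes = [{"Computer": "WS01", "Image": r"C:\Users\alice\Downloads\SharpHound.exe",
              "ProcessId": 4321, "PipeName": p} for p in ("\\srvsvc", "\\samr", "\\spoolss")]
    print("pipes:", pipe_evidence(pipes))
```

The slow backup agent touches the same thirty hosts but never twenty of them inside one window, so it is not flagged; in production the window and threshold are the knobs that trade that false positive against a collector that deliberately throttles itself. Pair a fan-out alert with `pipe_evidence` output and with the process lineage (a collector spawned from a user's Downloads folder or from a Cobalt Strike beacon looks nothing like a scheduled audit job) before deciding whether the run was sanctioned.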