BloodHound
BloodHound is an Active Directory (AD) reconnaissance tool that can reveal hidden relationships and identify attack paths within an AD environment.[1][2][3]
Techniques Used
| Domain | ID | Name | Use | |
|---|---|---|---|---|
| Enterprise | T1087 | .001 | Account Discovery: Local Account |
BloodHound can identify users with local administrator rights.[2] |
| .002 | Account Discovery: Domain Account |
BloodHound can collect information about domain users, including identification of domain admin accounts.[2] |
||
| Enterprise | T1560 | Archive Collected Data |
BloodHound can compress data collected by its SharpHound ingestor into a ZIP file to be written to disk.[1][4] |
|
| Enterprise | T1059 | .001 | Command and Scripting Interpreter: PowerShell |
BloodHound can use PowerShell to pull Active Directory information from the target environment.[2] |
| Enterprise | T1482 | Domain Trust Discovery |
BloodHound has the ability to map domain trusts and identify misconfigurations for potential abuse.[2] |
|
| Enterprise | T1615 | Group Policy Discovery |
BloodHound has the ability to collect local admin information via GPO.[1] |
|
| Enterprise | T1106 | Native API |
BloodHound can use .NET API calls in the SharpHound ingestor component to pull Active Directory data.[1] |
|
| Enterprise | T1201 | Password Policy Discovery |
BloodHound can collect password policy information on the target environment.[2] |
|
| Enterprise | T1069 | .001 | Permission Groups Discovery: Local Groups |
BloodHound can collect information about local groups and members.[2] |
| .002 | Permission Groups Discovery: Domain Groups |
BloodHound can collect information about domain groups and members.[2] |
||
| Enterprise | T1018 | Remote System Discovery |
BloodHound can enumerate and collect the properties of domain computers, including domain controllers.[2] |
|
| Enterprise | T1033 | System Owner/User Discovery |
BloodHound can collect information on user sessions.[2] |
|
Groups That Use This Software
Campaigns
| ID | Name | Description |
|---|---|---|
| C0014 | Operation Wocao |
During Operation Wocao, threat actors used BloodHound discover trust between domains.[3] |
References
- Robbins, A., Vazarkar, R., and Schroeder, W. (2016, April 17). Bloodhound: Six Degrees of Domain Admin. Retrieved March 5, 2019.
- Red Team Labs. (2018, April 24). Hidden Administrative Accounts: BloodHound to the Rescue. Retrieved October 28, 2020.
- Dantzig, M. v., Schamper, E. (2019, December 19). Operation Wocao: Shining a light on one of China’s hidden hacking groups. Retrieved October 8, 2020.
- Kenefick, I. et al. (2022, October 12). Black Basta Ransomware Gang Infiltrates Networks via QAKBOT, Brute Ratel, and Cobalt Strike. Retrieved February 6, 2023.
- DHS/CISA. (2020, October 28). Ransomware Activity Targeting the Healthcare and Public Health Sector. Retrieved October 28, 2020.
- Kimberly Goody, Jeremy Kennelly, Joshua Shilko, Steve Elovitz, Douglas Bienstock. (2020, October 28). Unhappy Hour Special: KEGTAP and SINGLEMALT With a Ransomware Chaser. Retrieved October 28, 2020.
- Sean Gallagher, Peter Mackenzie, Elida Leite, Syed Shahram, Bill Kearney, Anand Aijan, Sivagnanam Gn, Suraj Mundalik. (2020, October 14). They’re back: inside a new Ryuk ransomware attack. Retrieved October 14, 2020.
- Shilko, J., et al. (2021, October 7). FIN12: The Prolific Ransomware Intrusion Threat Actor That Has Aggressively Pursued Healthcare Targets. Retrieved June 15, 2023.
- ESET. (2022, February). THREAT REPORT T3 2021. Retrieved February 10, 2022.
- Cycraft. (2020, April 15). APT Group Chimera - APT Operation Skeleton key Targets Taiwan Semiconductor Vendors. Retrieved August 24, 2020.
- Terefos, A. (2020, November 18). TA505: A Brief History of Their Time. Retrieved July 14, 2022.