SharpHound
SharpHound is an open-source, C#-based Active Directory reconnaissance and data-ingestion tool used with BloodHound to map AD environments and enumerate users, groups, computers, sessions, shares, SPNs, service accounts, domain relationships, and broader AD topology. Source reporting repeatedly describes its use for Active Directory infrastructure mapping and reconnaissance, including LDAP queries and RPC calls that enumerate users, sessions, and shares. It is commonly executed in memory, including through Cobalt Strike beacons or reflective .NET loading in IIS worker processes, and may also write collected output to disk. Reported detections for SharpHound/BloodHound activity cover command-line usage, file modifications, LDAP query patterns, and user-agent strings.
The tool appears in multiple intrusion contexts across the tracked sources. Sophos reported its use by Cluster Charlie in Operation Crimson Palace, assessed as a Chinese state-directed cyberespionage campaign targeting a Southeast Asian government agency and related regional organizations, where Havoc was used to deploy SharpHound for AD mapping. Cisco Talos reported UAT-8837, assessed with medium confidence as China-nexus and targeting North American critical infrastructure, downloading SharpHound to collect Active Directory information after exploiting vulnerable servers or using compromised credentials. SharpHound was also described in Ryuk-related intrusions for AD discovery and attack-path mapping, in Black Basta intrusions where operators used SharpHound and BloodHound for AD enumeration via LDAP queries, in Egregor intrusions for reconnaissance of users, groups, and computers, and in a BlackSuit intrusion where SharpHound was run in memory via Cobalt Strike with output written to locations including C:\Windows\Temp\Dogi, C:\Windows\System32, and C:\Perflogs. Additional references note its use alongside tools such as Certipy, setspn, dsquery, dsget, AdFind, Impacket, Rubeus, EarthWorm, and DWAgent.
High-confidence indicators and detection-relevant artifacts mentioned in the content include SharpHound command-line usage, file modifications, LDAP query patterns, BloodHound-suite user-agent detections, RPC-based reconnaissance of sessions, and observed renamed execution such as sh.exe.
Vulnerabilities exploited
1 CVE Mallory has correlated with this family across public research and vendor advisories.
CVE-2025-53690: A critical zero-day vulnerability actively exploited in Sitecore. The flaw, originating from old, insecure keys, allows attackers to achieve Remote Code Execution (RCE) via ViewState deserialization attacks.
Evidence: "This included EARTHWORM for creating secret tunnels, DWAGENT for remote access, and SHARPHOUND for mapping the network."
Groups observed using it
2 distinct threat actors attributed by public researchers.
"...most likely accomplished through the use of SharpHound, a Microsoft C#-based data 'ingestor' tool for BloodHound..."
Techniques & procedures
17 distinct techniques documented for this family, organized by ATT&CK tactic.
Execution
4 techniques
the injected process used WMIC to query Windows Defender exclusion paths... the attackers used a command shell session spawned from the malicious DLL to move laterally via WMIC
Powershell -exec bypass Import-module SharpHound.ps1 Invoke-BloodHound -CollectionMethod ACL,ObjectProps,Default -CompressData -SkipPing
Privilege Escalation
1 technique
Discovery
10 techniques
“SharpHound & Certipy: Used for deep reconnaissance of Active Directory environments.”
Adding Discovery since t1033 is already enabled on the rule.
This included EARTHWORM for creating secret tunnels, DWAGENT for remote access, and SHARPHOUND for mapping the network.
SharpHound collects network permissions, user sessions, and group configurations through this process.
Account Discovery [T1087]: Used by a small subset of cases where the threat actor uses Sharphound to collect domain information.
Collection
1 technique
IOCs tracked for this family
3 indicators attributed across vendor reports, sandbox runs, and researcher write-ups.
File hashes (MD5, SHA-1, SHA-256) from samples and reports.
Recent activity
21 sources tracked across advisories, community write-ups, and news.
A reconnaissance tool used to enumerate users, sessions, and shares in Active Directory environments via RPC calls.
Active Directory reconnaissance collector used to enumerate directory relationships and privileges.
An Active Directory reconnaissance tool (commonly used with BloodHound) for enumerating users, groups, and domain relationships to map attack paths.
A tool used to collect Active Directory information for reconnaissance and privilege mapping.