
URL: https://attack.mitre.org/software/S0521/

BloodHound, Software S0521 | MITRE ATT&CK®


BloodHound

BloodHound is an Active Directory (AD) reconnaissance tool that can reveal hidden relationships and identify attack paths within an AD environment.[1][2][3]

ID: S0521
Type: TOOL
Platforms: Windows
Version: 1.7
Created: 28 October 2020
Last Modified: 12 March 2025

Techniques Used

Domain | ID | Name | Use

Enterprise T1087.001 Account Discovery: Local Account

BloodHound can identify users with local administrator rights.[2]

Enterprise T1087.002 Account Discovery: Domain Account

BloodHound can collect information about domain users, including identification of domain admin accounts.[2]

Enterprise T1560 Archive Collected Data

BloodHound can compress data collected by its SharpHound ingestor into a ZIP file to be written to disk.[1][4]

Enterprise T1059.001 Command and Scripting Interpreter: PowerShell

BloodHound can use PowerShell to pull Active Directory information from the target environment.[2]

Enterprise T1482 Domain Trust Discovery

BloodHound has the ability to map domain trusts and identify misconfigurations for potential abuse.[2]

Enterprise T1615 Group Policy Discovery

BloodHound has the ability to collect local admin information via GPO.[1]

Enterprise T1106 Native API

BloodHound can use .NET API calls in the SharpHound ingestor component to pull Active Directory data.[1]

Enterprise T1069.001 Permission Groups Discovery: Local Groups

BloodHound can collect information about local groups and members.[2]

Enterprise T1069.002 Permission Groups Discovery: Domain Groups

BloodHound can collect information about domain groups and members.[2]

Enterprise T1018 Remote System Discovery

BloodHound can enumerate and collect the properties of domain computers, including domain controllers.[2]

Enterprise T1033 System Owner/User Discovery

BloodHound can collect information on user sessions.[2]

Groups That Use This Software

ID | Name | References

G0102 Wizard Spider [5][6][7][8]

G0016 APT29 [9]

G0114 Chimera [10]

G0092 TA505 [11]

G1040 Play [12]

G1003 Ember Bear

Ember Bear has used BloodHound to profile Active Directory environments.[13]

Campaigns

ID | Name | Description

C0014 Operation Wocao

During Operation Wocao, threat actors used BloodHound to discover trust between domains.[3]

References

  1. Robbins, A., Vazarkar, R., and Schroeder, W. (2016, April 17). Bloodhound: Six Degrees of Domain Admin. Retrieved March 5, 2019.
  2. Red Team Labs. (2018, April 24). Hidden Administrative Accounts: BloodHound to the Rescue. Retrieved October 28, 2020.
  3. Dantzig, M. v., Schamper, E. (2019, December 19). Operation Wocao: Shining a light on one of China’s hidden hacking groups. Retrieved October 8, 2020.
  4. Kenefick, I. et al. (2022, October 12). Black Basta Ransomware Gang Infiltrates Networks via QAKBOT, Brute Ratel, and Cobalt Strike. Retrieved February 6, 2023.
  5. DHS/CISA. (2020, October 28). Ransomware Activity Targeting the Healthcare and Public Health Sector. Retrieved October 28, 2020.
  6. Kimberly Goody, Jeremy Kennelly, Joshua Shilko, Steve Elovitz, Douglas Bienstock. (2020, October 28). Unhappy Hour Special: KEGTAP and SINGLEMALT With a Ransomware Chaser. Retrieved October 28, 2020.
  7. Sean Gallagher, Peter Mackenzie, Elida Leite, Syed Shahram, Bill Kearney, Anand Aijan, Sivagnanam Gn, Suraj Mundalik. (2020, October 14). They’re back: inside a new Ryuk ransomware attack. Retrieved October 14, 2020.