S0521 BloodHound
BloodHound is an Active Directory (AD) reconnaissance tool that can reveal hidden relationships and identify attack paths within an AD environment.[3][2][1]
Item | Value |
---|---|
ID | S0521 |
Associated Names | |
Type | TOOL |
Version | 1.4 |
Created | 28 October 2020 |
Last Modified | 16 February 2023 |
Techniques Used
Domain | ID | Name | Use |
---|---|---|---|
enterprise | T1087 | Account Discovery | - |
enterprise | T1087.001 | Local Account | BloodHound can identify users with local administrator rights.[2] |
enterprise | T1087.002 | Domain Account | BloodHound can collect information about domain users, including identification of domain admin accounts.[2] |
enterprise | T1560 | Archive Collected Data | BloodHound can compress data collected by its SharpHound ingestor into a ZIP file to be written to disk.[3][4] |
enterprise | T1059 | Command and Scripting Interpreter | - |
enterprise | T1059.001 | PowerShell | BloodHound can use PowerShell to pull Active Directory information from the target environment.[2] |
enterprise | T1482 | Domain Trust Discovery | BloodHound has the ability to map domain trusts and identify misconfigurations for potential abuse.[2] |
enterprise | T1615 | Group Policy Discovery | BloodHound has the ability to collect local admin information via GPO.[3] |
enterprise | T1106 | Native API | BloodHound can use .NET API calls in the SharpHound ingestor component to pull Active Directory data.[3] |
enterprise | T1201 | Password Policy Discovery | BloodHound can collect password policy information on the target environment.[2] |
enterprise | T1069 | Permission Groups Discovery | - |
enterprise | T1069.001 | Local Groups | BloodHound can collect information about local groups and members.[2] |
enterprise | T1069.002 | Domain Groups | BloodHound can collect information about domain groups and members.[2] |
enterprise | T1018 | Remote System Discovery | BloodHound can enumerate and collect the properties of domain computers, including domain controllers.[2] |
enterprise | T1033 | System Owner/User Discovery | BloodHound can collect information on user sessions.[2] |
Groups That Use This Software
ID | Name | References |
---|---|---|
G0114 | Chimera | [5] |
G0092 | TA505 | [6] |
G0016 | APT29 | [7] |
G0102 | Wizard Spider | [8][9][10] |
References
1. Dantzig, M. v., Schamper, E. (2019, December 19). Operation Wocao: Shining a light on one of China's hidden hacking groups. Retrieved October 8, 2020.
2. Red Team Labs. (2018, April 24). Hidden Administrative Accounts: BloodHound to the Rescue. Retrieved October 28, 2020.
3. Robbins, A., Vazarkar, R., and Schroeder, W. (2016, April 17). Bloodhound: Six Degrees of Domain Admin. Retrieved March 5, 2019.
4. Kenefick, I. et al. (2022, October 12). Black Basta Ransomware Gang Infiltrates Networks via QAKBOT, Brute Ratel, and Cobalt Strike. Retrieved February 6, 2023.
5. Cycraft. (2020, April 15). APT Group Chimera - APT Operation Skeleton Key Targets Taiwan Semiconductor Vendors. Retrieved August 24, 2020.
6. Terefos, A. (2020, November 18). TA505: A Brief History of Their Time. Retrieved July 14, 2022.
7. ESET. (2022, February). THREAT REPORT T3 2021. Retrieved February 10, 2022.
8. DHS/CISA. (2020, October 28). Ransomware Activity Targeting the Healthcare and Public Health Sector. Retrieved October 28, 2020.
9. Goody, K., Kennelly, J., Shilko, J., Elovitz, S., Bienstock, D. (2020, October 28). Unhappy Hour Special: KEGTAP and SINGLEMALT With a Ransomware Chaser. Retrieved October 28, 2020.
10. Gallagher, S., Mackenzie, P., Leite, E., Shahram, S., Kearney, B., Aijan, A., Gn, S., Mundalik, S. (2020, October 14). They're back: inside a new Ryuk ransomware attack. Retrieved October 14, 2020.