S0521 BloodHound

BloodHound is an Active Directory (AD) reconnaissance tool that can reveal hidden relationships and identify attack paths within an AD environment.[3][2][1]

| Item | Value |
| --- | --- |
| ID | S0521 |
| Associated Names | |
| Version | 1.4 |
| Created | 28 October 2020 |
| Last Modified | 16 February 2023 |
| Navigation Layer | View In ATT&CK® Navigator |

Techniques Used

| Domain | ID | Name | Use |
| --- | --- | --- | --- |
| enterprise | T1087 | Account Discovery | - |
| enterprise | T1087.001 | Local Account | BloodHound can identify users with local administrator rights.[2] |
| enterprise | T1087.002 | Domain Account | BloodHound can collect information about domain users, including identification of domain admin accounts.[2] |
| enterprise | T1560 | Archive Collected Data | BloodHound can compress data collected by its SharpHound ingestor into a ZIP file to be written to disk.[3][4] |
| enterprise | T1059 | Command and Scripting Interpreter | - |
| enterprise | T1059.001 | PowerShell | BloodHound can use PowerShell to pull Active Directory information from the target environment.[2] |
| enterprise | T1482 | Domain Trust Discovery | BloodHound has the ability to map domain trusts and identify misconfigurations for potential abuse.[2] |
| enterprise | T1615 | Group Policy Discovery | BloodHound has the ability to collect local admin information via GPO.[3] |
| enterprise | T1106 | Native API | BloodHound can use .NET API calls in the SharpHound ingestor component to pull Active Directory data.[3] |
| enterprise | T1201 | Password Policy Discovery | BloodHound can collect password policy information on the target environment.[2] |
| enterprise | T1069 | Permission Groups Discovery | - |
| enterprise | T1069.001 | Local Groups | BloodHound can collect information about local groups and members.[2] |
| enterprise | T1069.002 | Domain Groups | BloodHound can collect information about domain groups and members.[2] |
| enterprise | T1018 | Remote System Discovery | BloodHound can enumerate and collect the properties of domain computers, including domain controllers.[2] |
| enterprise | T1033 | System Owner/User Discovery | BloodHound can collect information on user sessions.[2] |

Groups That Use This Software

| ID | Name | References |
| --- | --- | --- |
| G0114 | Chimera | [5] |
| G0092 | TA505 | [6] |
| G0016 | APT29 | [7] |
| G0102 | Wizard Spider | [8][9][10] |


  1. Dantzig, M. v., Schamper, E. (2019, December 19). Operation Wocao: Shining a light on one of China’s hidden hacking groups. Retrieved October 8, 2020. 

  2. Red Team Labs. (2018, April 24). Hidden Administrative Accounts: BloodHound to the Rescue. Retrieved October 28, 2020. 

  3. Robbins, A., Vazarkar, R., and Schroeder, W. (2016, April 17). Bloodhound: Six Degrees of Domain Admin. Retrieved March 5, 2019. 

  4. Kenefick, I. et al. (2022, October 12). Black Basta Ransomware Gang Infiltrates Networks via QAKBOT, Brute Ratel, and Cobalt Strike. Retrieved February 6, 2023. 

  5. Cycraft. (2020, April 15). APT Group Chimera - APT Operation Skeleton key Targets Taiwan Semiconductor Vendors. Retrieved August 24, 2020. 

  6. Terefos, A. (2020, November 18). TA505: A Brief History of Their Time. Retrieved July 14, 2022. 

  7. ESET. (2022, February). THREAT REPORT T3 2021. Retrieved February 10, 2022. 

  8. DHS/CISA. (2020, October 28). Ransomware Activity Targeting the Healthcare and Public Health Sector. Retrieved October 28, 2020. 

  9. Kimberly Goody, Jeremy Kennelly, Joshua Shilko, Steve Elovitz, Douglas Bienstock. (2020, October 28). Unhappy Hour Special: KEGTAP and SINGLEMALT With a Ransomware Chaser. Retrieved October 28, 2020. 

  10. Sean Gallagher, Peter Mackenzie, Elida Leite, Syed Shahram, Bill Kearney, Anand Aijan, Sivagnanam Gn, Suraj Mundalik. (2020, October 14). They’re back: inside a new Ryuk ransomware attack. Retrieved October 14, 2020.