BloodHound Data Collection Activity
Adversaries may use the SharpHound tool to collect Active Directory data, saving it into default JSON files for BloodHound analysis, potentially leading to privilege escalation or lateral movement.
BloodHound is a popular tool used to map relationships within Active Directory environments, enabling attackers to identify attack paths for privilege escalation. SharpHound is a data collector for BloodHound, written in C#, that gathers information about users, groups, computers, and other objects in the Active Directory domain. Detection of SharpHound's data collection activity is crucial to identify potential reconnaissance attempts by attackers aiming to map out attack vectors within the network. This activity often precedes lateral movement and privilege escalation attempts.
Attack Chain
- An attacker gains initial access to a system within the target environment (e.g., via compromised credentials or exploiting a vulnerability).
- The attacker executes SharpHound.exe on the compromised system. This could be done via command line execution or a script.
- SharpHound enumerates users, groups, computers, organizational units (OUs), Group Policy Objects (GPOs), and containers within the Active Directory domain.
- SharpHound writes the collected data to JSON files with default names such as
_users.json,_computers.json,_groups.json,_ous.json,_gpos.json, and_containers.json. - The attacker may compress these JSON files into a
BloodHound.ziparchive for easier transfer. - The attacker exfiltrates the collected data from the compromised system to a location where they can analyze it with BloodHound.
- Using BloodHound, the attacker analyzes the collected data to identify attack paths and potential privilege escalation opportunities.
- The attacker leverages identified attack paths to move laterally within the network and escalate privileges.
Impact
Successful BloodHound data collection allows attackers to map out attack paths within the Active Directory environment. This can lead to privilege escalation, lateral movement, and ultimately, compromise of critical assets. Depending on the targeted environment, this can impact hundreds or thousands of systems and user accounts.
Recommendation
- Deploy the Sigma rule "BloodHound Collection Files" to your SIEM to detect the creation of BloodHound data collection files (reference: rules section).
- Monitor file creation events for files ending with
_computers.json,_containers.json,_gpos.json,_groups.json,_ous.json,_users.json, andBloodHound.zip(reference: rules section). - Implement network segmentation to limit the scope of potential BloodHound data collection activities (reference: attack chain).
- Restrict the use of tools like SharpHound within the environment to authorized personnel only (reference: overview).
Detection coverage 2
BloodHound Collection Files
highDetects default file names outputted by the BloodHound collection tool SharpHound
BloodHound Collection via PowerShell
mediumDetects execution of SharpHound using PowerShell
Detection queries are available on the platform. Get full rules →