{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/tags/bloodhound/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Active Directory"],"_cs_severities":["high"],"_cs_tags":["bloodhound","active-directory","reconnaissance","privilege-escalation"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eBloodHound is a popular tool used to map relationships within Active Directory environments, enabling attackers to identify attack paths for privilege escalation. SharpHound is a data collector for BloodHound, written in C#, that gathers information about users, groups, computers, and other objects in the Active Directory domain. Detection of SharpHound's data collection activity is crucial to identify potential reconnaissance attempts by attackers aiming to map out attack vectors within the network. This activity often precedes lateral movement and privilege escalation attempts.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to a system within the target environment (e.g., via compromised credentials or exploiting a vulnerability).\u003c/li\u003e\n\u003cli\u003eThe attacker executes SharpHound.exe on the compromised system. This could be done via command line execution or a script.\u003c/li\u003e\n\u003cli\u003eSharpHound enumerates users, groups, computers, organizational units (OUs), Group Policy Objects (GPOs), and containers within the Active Directory domain.\u003c/li\u003e\n\u003cli\u003eSharpHound writes the collected data to JSON files with default names such as \u003ccode\u003e_users.json\u003c/code\u003e, \u003ccode\u003e_computers.json\u003c/code\u003e, \u003ccode\u003e_groups.json\u003c/code\u003e, \u003ccode\u003e_ous.json\u003c/code\u003e, \u003ccode\u003e_gpos.json\u003c/code\u003e, and \u003ccode\u003e_containers.json\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe attacker may compress these JSON files into a \u003ccode\u003eBloodHound.zip\u003c/code\u003e archive for easier transfer.\u003c/li\u003e\n\u003cli\u003eThe attacker exfiltrates the collected data from the compromised system to a location where they can analyze it with BloodHound.\u003c/li\u003e\n\u003cli\u003eUsing BloodHound, the attacker analyzes the collected data to identify attack paths and potential privilege escalation opportunities.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages identified attack paths to move laterally within the network and escalate privileges.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful BloodHound data collection allows attackers to map out attack paths within the Active Directory environment. This can lead to privilege escalation, lateral movement, and ultimately, compromise of critical assets. Depending on the targeted environment, this can impact hundreds or thousands of systems and user accounts.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026quot;BloodHound Collection Files\u0026quot; to your SIEM to detect the creation of BloodHound data collection files (reference: rules section).\u003c/li\u003e\n\u003cli\u003eMonitor file creation events for files ending with \u003ccode\u003e_computers.json\u003c/code\u003e, \u003ccode\u003e_containers.json\u003c/code\u003e, \u003ccode\u003e_gpos.json\u003c/code\u003e, \u003ccode\u003e_groups.json\u003c/code\u003e, \u003ccode\u003e_ous.json\u003c/code\u003e, \u003ccode\u003e_users.json\u003c/code\u003e, and \u003ccode\u003eBloodHound.zip\u003c/code\u003e (reference: rules section).\u003c/li\u003e\n\u003cli\u003eImplement network segmentation to limit the scope of potential BloodHound data collection activities (reference: attack chain).\u003c/li\u003e\n\u003cli\u003eRestrict the use of tools like SharpHound within the environment to authorized personnel only (reference: overview).\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-30T12:00:00Z","date_published":"2024-01-30T12:00:00Z","id":"https://feed.craftedsignal.io/briefs/2024-01-30-bloodhound-collection/","summary":"Adversaries may use the SharpHound tool to collect Active Directory data, saving it into default JSON files for BloodHound analysis, potentially leading to privilege escalation or lateral movement.","title":"BloodHound Data Collection Activity","url":"https://feed.craftedsignal.io/briefs/2024-01-30-bloodhound-collection/"},{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Microsoft Azure","Microsoft 365","Microsoft Entra ID"],"_cs_severities":["medium"],"_cs_tags":["azuread","bloodhound","enumeration","discovery"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eThis threat brief focuses on the detection of reconnaissance activities within Microsoft Azure and Microsoft 365 environments through the use of BloodHound tools. Specifically, it addresses the use of AzureHound, SharpHound, and BloodHound by adversaries or red teams to map out users, groups, roles, applications, and access relationships within Microsoft Entra ID (Azure AD). The Elastic detection rule published on 2026-04-10 identifies activity based on the presence of suspicious user agent strings (e.g., \u003ccode\u003eazurehound/\u003c/code\u003e, \u003ccode\u003esharphound/\u003c/code\u003e, \u003ccode\u003ebloodhound/\u003c/code\u003e) in various Azure and M365 logs. This technique allows attackers to gain a comprehensive understanding of the target environment's structure and potential vulnerabilities, often as a precursor to further exploitation. The scope of the detection includes Azure Graph API Activity Logs, Microsoft 365 Audit Logs, Entra ID Sign-in Logs, Entra ID Audit Logs, and Azure Activity Logs.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003e\u003cstrong\u003eInitial Access:\u003c/strong\u003e The attacker gains initial access to a compromised account or obtains valid credentials.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eTool Deployment:\u003c/strong\u003e The attacker deploys a BloodHound tool (AzureHound, SharpHound) on a compromised system or uses a cloud-based instance.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eAuthentication:\u003c/strong\u003e The tool authenticates to Azure AD using the compromised credentials or a service principal.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eEnumeration:\u003c/strong\u003e The BloodHound tool begins enumerating users, groups, roles, applications, and access relationships using the Microsoft Graph API. This involves sending numerous API requests.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eData Collection:\u003c/strong\u003e The tool collects data about the Azure AD environment, including user details, group memberships, role assignments, and application permissions. API endpoints such as \u003ccode\u003e/v1.0/users\u003c/code\u003e, \u003ccode\u003e/v1.0/groups\u003c/code\u003e, and \u003ccode\u003e/v1.0/organization\u003c/code\u003e are accessed.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eData Analysis:\u003c/strong\u003e The collected data is analyzed to identify potential attack paths, such as privileged accounts, weak access controls, and lateral movement opportunities.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003ePrivilege Escalation (Potential):\u003c/strong\u003e Based on the identified attack paths, the attacker attempts to escalate privileges or gain access to sensitive resources.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eLateral Movement (Potential):\u003c/strong\u003e Using compromised credentials or service principals, the attacker moves laterally within the Azure AD environment to access additional resources and data.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful enumeration using BloodHound tools can expose the entire structure of an Azure AD environment, leading to significant security risks. This includes the potential for privilege escalation, lateral movement, and data exfiltration. Attackers can leverage the gathered information to identify critical assets, high-value accounts, and vulnerable configurations, enabling them to launch targeted attacks. The impact could affect organizations of any size relying on Azure AD and Microsoft 365 for identity management and cloud services. If exploited, attackers can pivot to critical infrastructure and cause severe business disruptions.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026quot;Entra ID Sign-in BloodHound Suite User-Agent Detected\u0026quot; to your SIEM and tune for your environment to detect enumeration attempts.\u003c/li\u003e\n\u003cli\u003eEnable verbose audit logging on Azure AD and Microsoft 365 services to capture detailed information about API requests, sign-in attempts, and user activity.\u003c/li\u003e\n\u003cli\u003eReview the false positives outlined in the overview section of the rule and implement appropriate allowlist conditions based on \u003ccode\u003eapp_id\u003c/code\u003e, user context or source address.\u003c/li\u003e\n\u003cli\u003eImplement Conditional Access policies in Azure AD to enforce multi-factor authentication (MFA) for all users, especially for privileged accounts and API access.\u003c/li\u003e\n\u003cli\u003eRegularly review and reduce excessive privileges assigned to users and service principals to minimize the impact of potential breaches.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-09T18:00:00Z","date_published":"2024-01-09T18:00:00Z","id":"https://feed.craftedsignal.io/briefs/2024-01-bloodhound-azuread-discovery/","summary":"Detection of BloodHound tools like AzureHound and SharpHound being used to enumerate Microsoft Entra ID and Microsoft 365 environments, potentially indicating reconnaissance activity by red teams or malicious actors.","title":"BloodHound Suite User-Agent Detected in Entra ID Sign-ins","url":"https://feed.craftedsignal.io/briefs/2024-01-bloodhound-azuread-discovery/"}],"language":"en","title":"CraftedSignal Threat Feed - Bloodhound","version":"https://jsonfeed.org/version/1.1"}