<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>Bloodhound - CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/tags/bloodhound/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata. Fed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Tue, 30 Jan 2024 12:00:00 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/tags/bloodhound/feed.xml" rel="self" type="application/rss+xml"/><item><title>BloodHound Data Collection Activity</title><link>https://feed.craftedsignal.io/briefs/2024-01-30-bloodhound-collection/</link><pubDate>Tue, 30 Jan 2024 12:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-01-30-bloodhound-collection/</guid><description>Adversaries may use the SharpHound tool to collect Active Directory data, saving it into default JSON files for BloodHound analysis, potentially leading to privilege escalation or lateral movement.</description><content:encoded><![CDATA[<p>BloodHound is a popular tool used to map relationships within Active Directory environments, enabling attackers to identify attack paths for privilege escalation. SharpHound is a data collector for BloodHound, written in C#, that gathers information about users, groups, computers, and other objects in the Active Directory domain. Detection of SharpHound's data collection activity is crucial to identify potential reconnaissance attempts by attackers aiming to map out attack vectors within the network. This activity often precedes lateral movement and privilege escalation attempts.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>An attacker gains initial access to a system within the target environment (e.g., via compromised credentials or exploiting a vulnerability).</li>
<li>The attacker executes SharpHound.exe on the compromised system. This could be done via command line execution or a script.</li>
<li>SharpHound enumerates users, groups, computers, organizational units (OUs), Group Policy Objects (GPOs), and containers within the Active Directory domain.</li>
<li>SharpHound writes the collected data to JSON files with default names such as <code>_users.json</code>, <code>_computers.json</code>, <code>_groups.json</code>, <code>_ous.json</code>, <code>_gpos.json</code>, and <code>_containers.json</code>.</li>
<li>The attacker may compress these JSON files into a <code>BloodHound.zip</code> archive for easier transfer.</li>
<li>The attacker exfiltrates the collected data from the compromised system to a location where they can analyze it with BloodHound.</li>
<li>Using BloodHound, the attacker analyzes the collected data to identify attack paths and potential privilege escalation opportunities.</li>
<li>The attacker leverages identified attack paths to move laterally within the network and escalate privileges.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful BloodHound data collection allows attackers to map out attack paths within the Active Directory environment. This can lead to privilege escalation, lateral movement, and ultimately, compromise of critical assets. Depending on the targeted environment, this can impact hundreds or thousands of systems and user accounts.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Deploy the Sigma rule &quot;BloodHound Collection Files&quot; to your SIEM to detect the creation of BloodHound data collection files (reference: rules section).</li>
<li>Monitor file creation events for files ending with <code>_computers.json</code>, <code>_containers.json</code>, <code>_gpos.json</code>, <code>_groups.json</code>, <code>_ous.json</code>, <code>_users.json</code>, and <code>BloodHound.zip</code> (reference: rules section).</li>
<li>Implement network segmentation to limit the scope of potential BloodHound data collection activities (reference: attack chain).</li>
<li>Restrict the use of tools like SharpHound within the environment to authorized personnel only (reference: overview).</li>
</ul>
]]></content:encoded><category domain="severity">high</category><category domain="type">advisory</category><category>bloodhound</category><category>active-directory</category><category>reconnaissance</category><category>privilege-escalation</category></item><item><title>BloodHound Suite User-Agent Detected in Entra ID Sign-ins</title><link>https://feed.craftedsignal.io/briefs/2024-01-bloodhound-azuread-discovery/</link><pubDate>Tue, 09 Jan 2024 18:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-01-bloodhound-azuread-discovery/</guid><description>Detection of BloodHound tools like AzureHound and SharpHound being used to enumerate Microsoft Entra ID and Microsoft 365 environments, potentially indicating reconnaissance activity by red teams or malicious actors.</description><content:encoded><![CDATA[<p>This threat brief focuses on the detection of reconnaissance activities within Microsoft Azure and Microsoft 365 environments through the use of BloodHound tools. Specifically, it addresses the use of AzureHound, SharpHound, and BloodHound by adversaries or red teams to map out users, groups, roles, applications, and access relationships within Microsoft Entra ID (Azure AD). The Elastic detection rule published on 2026-04-10 identifies activity based on the presence of suspicious user agent strings (e.g., <code>azurehound/</code>, <code>sharphound/</code>, <code>bloodhound/</code>) in various Azure and M365 logs. This technique allows attackers to gain a comprehensive understanding of the target environment's structure and potential vulnerabilities, often as a precursor to further exploitation. The scope of the detection includes Azure Graph API Activity Logs, Microsoft 365 Audit Logs, Entra ID Sign-in Logs, Entra ID Audit Logs, and Azure Activity Logs.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li><strong>Initial Access:</strong> The attacker gains initial access to a compromised account or obtains valid credentials.</li>
<li><strong>Tool Deployment:</strong> The attacker deploys a BloodHound tool (AzureHound, SharpHound) on a compromised system or uses a cloud-based instance.</li>
<li><strong>Authentication:</strong> The tool authenticates to Azure AD using the compromised credentials or a service principal.</li>
<li><strong>Enumeration:</strong> The BloodHound tool begins enumerating users, groups, roles, applications, and access relationships using the Microsoft Graph API. This involves sending numerous API requests.</li>
<li><strong>Data Collection:</strong> The tool collects data about the Azure AD environment, including user details, group memberships, role assignments, and application permissions. API endpoints such as <code>/v1.0/users</code>, <code>/v1.0/groups</code>, and <code>/v1.0/organization</code> are accessed.</li>
<li><strong>Data Analysis:</strong> The collected data is analyzed to identify potential attack paths, such as privileged accounts, weak access controls, and lateral movement opportunities.</li>
<li><strong>Privilege Escalation (Potential):</strong> Based on the identified attack paths, the attacker attempts to escalate privileges or gain access to sensitive resources.</li>
<li><strong>Lateral Movement (Potential):</strong> Using compromised credentials or service principals, the attacker moves laterally within the Azure AD environment to access additional resources and data.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful enumeration using BloodHound tools can expose the entire structure of an Azure AD environment, leading to significant security risks. This includes the potential for privilege escalation, lateral movement, and data exfiltration. Attackers can leverage the gathered information to identify critical assets, high-value accounts, and vulnerable configurations, enabling them to launch targeted attacks. The impact could affect organizations of any size relying on Azure AD and Microsoft 365 for identity management and cloud services. If exploited, attackers can pivot to critical infrastructure and cause severe business disruptions.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Deploy the Sigma rule &quot;Entra ID Sign-in BloodHound Suite User-Agent Detected&quot; to your SIEM and tune for your environment to detect enumeration attempts.</li>
<li>Enable verbose audit logging on Azure AD and Microsoft 365 services to capture detailed information about API requests, sign-in attempts, and user activity.</li>
<li>Review the false positives outlined in the overview section of the rule and implement appropriate allowlist conditions based on <code>app_id</code>, user context or source address.</li>
<li>Implement Conditional Access policies in Azure AD to enforce multi-factor authentication (MFA) for all users, especially for privileged accounts and API access.</li>
<li>Regularly review and reduce excessive privileges assigned to users and service principals to minimize the impact of potential breaches.</li>
</ul>
]]></content:encoded><category domain="severity">medium</category><category domain="type">advisory</category><category>azuread</category><category>bloodhound</category><category>enumeration</category><category>discovery</category></item></channel></rss>