S0521: BloodHound
BloodHound is an Active Directory (AD) reconnaissance tool that can reveal hidden relationships and identify attack paths within an AD environment.[1][2][3]
Analyst context for executives and security teams
BloodHound matters because it turns Active Directory relationships into a map of potential privilege and lateral-movement paths. For leaders, the business issue is not the tool name itself; it is whether hidden AD trust, group, account, and policy relationships could let an intruder quickly identify routes to high-value access during an incident.
Executive priority
Prioritize this as an identity and resilience question: can the organization prove that privileged access paths in Windows/AD are understood, monitored, and reduced? ATT&CK links BloodHound to multiple groups and one campaign, which makes it a useful control-validation scenario for SOC readiness, incident response playbooks, AD hardening, audit evidence, and ransomware/espionage preparedness without assuming current exposure.
Technical view
BloodHound is documented as a Windows Active Directory reconnaissance tool. ATT&CK relationships associate it with discovery of remote systems, users, local and domain groups, local and domain accounts, domain trusts, Group Policy, plus execution via PowerShell and Native API, and archiving collected data. SOC and IR teams should validate whether they can detect abnormal AD enumeration patterns, PowerShell-based collection activity, unusual access to domain policy or trust information, and creation of compressed collections after directory discovery.
Likely telemetry
- Windows endpoint process creation with command line and parent process context
- PowerShell execution and script block/module logging where enabled
- Domain controller authentication and directory service query/audit events
- Account, group, domain trust, and Group Policy access/change telemetry
- Network connections from workstations or servers to domain controllers and SYSVOL paths
Detection direction
- Do not rely on a BloodHound binary name alone; validate behavior-based coverage for AD account, group, trust, GPO, and remote system discovery.
- Baseline legitimate administrative enumeration so detection logic can distinguish approved identity engineering or audit activity from unusual user, host, timing, or volume patterns.
- Correlate PowerShell execution with bursts of domain discovery and subsequent archive creation rather than treating each event in isolation.
- Review visibility from both endpoints and domain controllers; endpoint-only monitoring can miss directory-query context, while DC-only monitoring may miss collection tooling and archives.
- Use the ATT&CK relationships to build test cases across Discovery, Execution, and Collection behaviors, since the official object does not provide a detection analytic.
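As an added illustration of the correlation approach in the list above (example code written for this page, not part of the ATT&CK object or any Glexia tooling), the following Python runs a window-based correlation over constructed events: a PowerShell start, then a burst of distinct AD discovery categories, then an archive creation, evaluated per host and user, with an assumed baseline of approved audit actors suppressed rather than alerted.

```python
# Added example: PowerShell start -> AD discovery burst -> archive, per actor.
from collections import defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=30)   # assumed correlation window
MIN_CATEGORIES = 3               # distinct discovery categories required
APPROVED = {("auditsrv01", "svc_idaudit")}   # assumed baselined audit actor
# Constructed sample events: (timestamp, host, user, type, detail).
EVENTS = [
    ("2024-05-01T09:00:00", "ws-042", "jdoe", "powershell", "-"),
    ("2024-05-01T09:01:10", "ws-042", "jdoe", "ad_discovery", "groups"),
    ("2024-05-01T09:01:15", "ws-042", "jdoe", "ad_discovery", "trusts"),
    ("2024-05-01T09:01:20", "ws-042", "jdoe", "ad_discovery", "gpo"),
    ("2024-05-01T09:05:30", "ws-042", "jdoe", "archive_create", "out.zip"),
    # same pattern from the approved audit host: suppressed by the baseline
    ("2024-05-01T10:00:00", "auditsrv01", "svc_idaudit", "powershell", "-"),
    ("2024-05-01T10:01:00", "auditsrv01", "svc_idaudit", "ad_discovery", "groups"),
    ("2024-05-01T10:01:05", "auditsrv01", "svc_idaudit", "ad_discovery", "trusts"),
    ("2024-05-01T10:01:10", "auditsrv01", "svc_idaudit", "ad_discovery", "gpo"),
    ("2024-05-01T10:03:00", "auditsrv01", "svc_idaudit", "archive_create", "a.zip"),
    # a single group lookup plus a zip from helpdesk: not a burst, no alert
    ("2024-05-01T11:00:00", "ws-077", "helpdesk", "powershell", "-"),
    ("2024-05-01T11:00:30", "ws-077", "helpdesk", "ad_discovery", "groups"),
    ("2024-05-01T11:02:00", "ws-077", "helpdesk", "archive_create", "b.zip"),
]

def correlate(events, approved=APPROVED, window=WINDOW, min_cats=MIN_CATEGORIES):
    """Return (host, user) pairs where a PowerShell start is followed within the
    window by >= min_cats distinct discovery categories and then an archive."""
    by_actor = defaultdict(list)
    for ts, host, user, kind, detail in events:
        by_actor[(host, user)].append((datetime.fromisoformat(ts), kind, detail))
    alerts = []
    for actor, evs in by_actor.items():
        evs.sort()  # chronological per actor
        for i, (t0, kind, _) in enumerate(evs):
            if kind != "powershell":
                continue
            cats, archived = set(), False
            for t, k, d in evs[i + 1:]:
                if t - t0 > window:
                    break  # outside the correlation window
                if k == "ad_discovery":
                    cats.add(d)
                elif k == "archive_create" and len(cats) >= min_cats:
                    archived = True  # archive only counts after the burst
            if archived and actor not in approved:
                alerts.append(actor)
                break  # one alert per actor is enough
    return alerts
```

The thresholds and the approved-actor set are placeholders; in practice they come from the baselining step described above.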
Mitigation priorities
- Reduce unnecessary privileged group membership and hidden administrative paths in Active Directory.
- Review domain trusts, Group Policy permissions, and account delegation paths that could create unintended privilege routes.
- Restrict and monitor administrative scripting, especially PowerShell, according to business need.
- Ensure AD auditing, endpoint logging, and retention are sufficient for incident reconstruction.
- Include AD attack-path review in identity governance, compliance evidence, and incident response exercises.
Analyst notes and limits
The key defensive value is using BloodHound as a lens for AD attack-path exposure. ATT&CK records use of this tool by Operation Wocao and groups including APT29, TA505, Wizard Spider, Chimera, Ember Bear, and Play, but that relationship should inform prioritization and test planning rather than imply activity in a specific environment.
MITRE provides no official detection text for this object, and the supplied platform is Windows while several related techniques have broader platform coverage. Local logging configuration, AD architecture, administrative tooling, and approved assessment activity are required to determine actual detection coverage and risk.
BloodHound
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1069.002 | Domain Groups (sub-technique) | BloodHound can collect information about domain groups and members. [CrowdStrike BloodHound April 2018] |
| Enterprise | T1615 | Group Policy Discovery | BloodHound has the ability to collect local admin information via GPO. [GitHub Bloodhound] |
| Enterprise | T1560 | Archive Collected Data | BloodHound can compress data collected by its SharpHound ingestor into a ZIP file to be written to disk. [GitHub Bloodhound] [Trend Micro Black Basta October 2022] |
| Enterprise | T1069.001 | Local Groups (sub-technique) | BloodHound can collect information about local groups and members. [CrowdStrike BloodHound April 2018] |
| Enterprise | T1087.002 | Domain Account (sub-technique) | BloodHound can collect information about domain users, including identification of domain admin accounts. [CrowdStrike BloodHound April 2018] |
| Enterprise | T1087.001 | Local Account (sub-technique) | BloodHound can identify users with local administrator rights. [CrowdStrike BloodHound April 2018] |
| Enterprise | T1033 | System Owner/User Discovery | BloodHound can collect information on user sessions. [CrowdStrike BloodHound April 2018] |
| Enterprise | T1018 | Remote System Discovery | BloodHound can enumerate and collect the properties of domain computers, including domain controllers. [CrowdStrike BloodHound April 2018] |
| Enterprise | T1106 | Native API | BloodHound can use .NET API calls in the SharpHound ingestor component to pull Active Directory data. [GitHub Bloodhound] |
| Enterprise | T1059.001 | PowerShell (sub-technique) | BloodHound can use PowerShell to pull Active Directory information from the target environment. [CrowdStrike BloodHound April 2018] |
| Enterprise | T1482 | Domain Trust Discovery | BloodHound has the ability to map domain trusts and identify misconfigurations for potential abuse. [CrowdStrike BloodHound April 2018] |
Groups, software, and campaigns
G0102: Wizard Spider
Wizard Spider is a Russia-based financially motivated threat group originally known for the creation and deployment of TrickBot since at least 2016. Wizard Spider possesses a diverse arsenal of tools and has conducted ransomware campaigns against a variety of organizations, ranging from major corporations to hospitals.[1][2][3]
G0016: APT29
APT29 is a threat group that has been attributed to Russia's Foreign Intelligence Service (SVR).[1][2] They have operated since at least 2008, often targeting government networks in Europe and NATO member countries, research institutes, and think tanks. APT29 reportedly compromised the Democratic National Committee starting in the summer of 2015.[3][4][5][6]
In April 2021, the US and UK governments attributed the SolarWinds Compromise to the SVR; public statements included citations to APT29, Cozy Bear, and The Dukes.[7][8] Industry reporting also referred to the actors involved in this campaign as UNC2452, NOBELIUM, StellarParticle, Dark Halo, and SolarStorm.[9][10][11][12][13][14]
G0114: Chimera
G0092: TA505
G1040: Play
Play is a ransomware group that has been active since at least 2022 deploying Playcrypt ransomware against the business, government, critical infrastructure, healthcare, and media sectors in North America, South America, and Europe. Play actors employ a double-extortion model, encrypting systems after exfiltrating data, and are presumed by security researchers to operate as a closed group.[1][2]
G1003: Ember Bear
Ember Bear is a Russian state-sponsored cyber espionage group that has been active since at least 2020, linked to Russia's General Staff Main Intelligence Directorate (GRU) 161st Specialist Training Center (Unit 29155).[1] Ember Bear has primarily focused operations against Ukrainian government and telecommunication entities, but has also operated against critical infrastructure entities in Europe and the Americas.[2] Ember Bear conducted the WhisperGate destructive wiper attacks against Ukraine in early 2022.[3][4][1] There is some confusion as to whether Ember Bear overlaps with another Russian-linked entity referred to as Saint Bear. At present, available evidence strongly suggests these are distinct activities with different behavioral profiles.[2][5]
C0014: Operation Wocao
Operation Wocao was a cyber espionage campaign that targeted organizations around the world, including in Brazil, China, France, Germany, Italy, Mexico, Portugal, Spain, the United Kingdom, and the United States. The suspected China-based actors compromised government organizations and managed service providers, as well as aviation, construction, energy, finance, health care, insurance, offshore engineering, software development, and transportation companies.[1]
Security researchers assessed the Operation Wocao actors used similar TTPs and tools as APT20, suggesting a possible overlap. Operation Wocao was named after an observed command line entry by one of the threat actors, possibly out of frustration from losing webshell access.[1]
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources — Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.7 | | Current bundle | 3520d0be31f1… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
[1] GitHub Bloodhound: Robbins, A., Vazarkar, R., and Schroeder, W. (2016, April 17). Bloodhound: Six Degrees of Domain Admin. Retrieved March 5, 2019.
[2] CrowdStrike BloodHound April 2018: Red Team Labs. (2018, April 24). Hidden Administrative Accounts: BloodHound to the Rescue. Retrieved October 28, 2020.
[3] FoxIT Wocao December 2019: Dantzig, M. v., Schamper, E. (2019, December 19). Operation Wocao: Shining a light on one of China's hidden hacking groups. Retrieved October 8, 2020.
[4] mitre-attack S0521
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.