The operational effectiveness of the HackTool:PowerShell/BloodHound framework is derived from its ability to perform high-speed, multi-threaded enumeration of an entire domain without relying on software exploits. Instead, it utilizes native Windows API calls and standard network protocols to gather information that is generally accessible to any authenticated user in a default Active Directory configuration. SharpHound interacts with domain controllers via the Lightweight Directory Access Protocol (LDAP) and interacts with individual workstations and servers using the Server Message Block (SMB) protocol and Remote Procedure Calls (RPC).
SharpHound optimizes its directory enumeration by constructing complex, unified LDAP filters. These filters allow the tool to combine multiple collection methods into a single query, which minimizes the number of authentication events and reduces the likelihood of triggering security alerts on domain controllers. The tool specifically targets attributes that reveal security weaknesses. For example, it searches the userAccountControl attribute to find accounts where Kerberos pre-authentication is disabled, making them vulnerable to AS-REP roasting. It also queries for servicePrincipalName (SPN) values to identify targets for Kerberoasting attacks.
The framework handles communication security by defaulting to Kerberos signing for all LDAP traffic. This approach encrypts the queries even when they are sent over the standard, non-encrypted port 389, which complicates the efforts of network-based security solutions to inspect the traffic for malicious patterns. When the ingestor runs, it targets a variety of Active Directory objects including enabled and disabled accounts, organizational units, group policy objects, and all security and non-security groups.
To map relationships that are not stored directly in the Active Directory database, such as active user sessions and local administrative rights, SharpHound must interact with remote workstations and servers. This is achieved primarily through SMB on port 445. The tool connects to the IPC$ share on target devices and uses specific named pipes to query the local Security Account Manager (SAM) and the registry. The following named pipes and their associated API functions are used to collect different categories of information:
- srvsvc: Uses the NetSessionEnum API function to enumerate active remote logon sessions on the host, identifying where privileged users are logged in.
- wkssvc: Uses the NetWkstaUserInfo API function to retrieve information about interactive, service, and batch logons on the target system.
- winreg: Uses the RegEnumKeyW API function to access the remote registry and identify interactive users by searching for Security Identifiers (SIDs) under HKEY_USERS.
- samr: Uses the SAMR interface to query the local SAM database to identify members of local administrative groups.
- lsarpc: Uses the LSARPC interface to interact with the Local Security Authority to gather detailed policy and account information.
The framework also profiles the local system before starting its collection. It queries the registry to obtain the MachineGuid from HKLM\SOFTWARE\MICROSOFT\CRYPTOGRAPHY\MachineGuid. This value is used to fingerprint the host and is often incorporated into the naming convention of temporary cache files.
As SharpHound harvests data, it serializes the information into JavaScript Object Notation (JSON) files. These files follow a standardized schema that categorizes the relationships and attributes of the discovered objects. Once the collection process is complete, the tool typically compresses these JSON files into a ZIP archive for easier exfiltration or ingestion into the visualization engine. The naming patterns and categories of these files include:
- *_users.json: Contains user objects including group memberships, password age, and administrative status.
- *_groups.json: Maps group nesting, members, and specific permissions assigned to the group.
- *_computers.json: Details operating system versions, local admins, and container paths.
- *_sessions.json: Correlates user accounts with the specific hosts where they have active sessions.
- *_gpos.json: Identifies Group Policy Object links and settings that could be exploited for persistence or lateral movement.
- BloodHound.bin: A local cache that stores SID and hostname mappings to reduce network noise during large scans.
The runtime of SharpHound leaves a distinct forensic trail on the compromised system and throughout the network. Because threat actors often rename the SharpHound binary to evade detection, analysts must look for functional patterns and behavioral indicators rather than relying solely on file names. Common aliases used for the tool include sh.exe, sp.exe, sd.exe, or sd.ico. Host-based indicators include the creation of temporary files in directories such as C:\Windows\Temp, %USERPROFILE%, or %APPDATA%, as well as Prefetch files recorded as SharpHound.exe-*.pf and entries in the Shimcache (AppCompatCache) that confirm the binary was launched.
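The output file names, the cache file and the Prefetch entry listed above give file-system telemetry something to match on even when the binary itself has been renamed. The triage helper below is an added example and not code from the page or the BloodHound project; the file paths are constructed, and the staging-directory check is an assumption that expands %USERPROFILE% and %APPDATA% to their usual locations under C:\Users.

```python
import fnmatch
import ntpath
import re

# Artifact name patterns taken from the text; keys are the artifact categories.
ARTIFACT_PATTERNS = {
    "collector_output": ["*_users.json", "*_groups.json", "*_computers.json",
                         "*_sessions.json", "*_gpos.json"],
    "collector_cache": ["BloodHound.bin"],
    "prefetch": ["SharpHound.exe-*.pf"],
}

# Staging directories the text calls out (C:\Windows\Temp, %USERPROFILE%,
# %APPDATA%). Assumes the profile root is C:\Users\<name>; adjust if not.
STAGING_DIR_RE = re.compile(r"^[A-Z]:\\(Windows\\Temp|Users\\[^\\]+)\\", re.I)

def classify_path(path):
    """Return the artifact category for a path, or None if nothing matches."""
    name = ntpath.basename(path).lower()
    for category, patterns in ARTIFACT_PATTERNS.items():
        if any(fnmatch.fnmatchcase(name, p.lower()) for p in patterns):
            return category
    return None

def triage_file_events(paths):
    """Return (path, category, in_staging_dir) for every path that matches."""
    findings = []
    for p in paths:
        category = classify_path(p)
        if category:
            findings.append((p, category, bool(STAGING_DIR_RE.match(p))))
    return findings

# Constructed sample file-creation paths, including one likely false positive.
SAMPLE_PATHS = [
    r"C:\Windows\Temp\20240501090000_users.json",
    r"C:\Users\jdoe\AppData\Roaming\20240501090000_computers.json",
    r"C:\Users\jdoe\BloodHound.bin",
    r"C:\Windows\Prefetch\SHARPHOUND.EXE-1A2B3C4D.pf",
    r"D:\exports\crm_users.json",          # matches the name pattern, not staged
    r"C:\Users\jdoe\Documents\report.docx",
]

if __name__ == "__main__":
    for path, category, staged in triage_file_events(SAMPLE_PATHS):
        print(f"{category:17} staged={staged!s:5} {path}")
```

Treat a name match outside a staging directory as a weak signal on its own; the combination of several output categories from one process, or a Prefetch entry plus a ZIP written shortly afterwards, is what warrants escalation.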
In some campaigns, registry keys have been used to store payloads and loaders that eventually launch SharpHound, such as HKCU:\SOFTWARE\Microsoft\Phone\Username for encoded payloads and HKCU:\SOFTWARE\Microsoft\Phone\Username0 for .NET loaders. The tool is often staged alongside tunneling utilities to provide threat actors with a reverse SOCKS proxy, allowing them to run the ingestor from an external command and control server while appearing to originate from a legitimate internal workstation.
While the BloodHound framework is not inherently malware and does not maintain its own command-and-control channel, it is frequently delivered by malware families that do. The information collected by SharpHound is often exfiltrated to threat-actor-controlled infrastructure. Infrastructure indicators associated with campaigns where BloodHound was utilized for reconnaissance include IP addresses such as 130[.]33[.]156[.]194, 103[.]235[.]46[.]102, 185[.]112[.]82[.]235, 45[.]9[.]74[.]14, 185[.]202[.]0[.]111, 45[.]141[.]87[.]55, 94[.]26[.]90[.]133, 45[.]148[.]10[.]92, 185[.]68[.]93[.]17, and 170[.]238[.]117[.]187. Data exfiltration has been observed using legitimate services and file transfer tools.