Sign In
- Platform
- Solutions
- Modern NDR
- Resources
- Company
Platform
Modern NDR
Resources
Platform
Modern NDR
Resources
DETECTION OVERVIEW
Risk Factors
BloodHound has been documented in many security breach reports. Reconnaissance tools can make enumeration relatively easy to perform, but an attacker needs network access to the target Microsoft Active Directory (AD) domain to run BloodHound. Enumeration activity typically does not negatively affect network performance, but attackers can leverage this information to find new targets in an attack campaign.
Kill Chain
Risk Score
70
AD stores valuable information about objects (such as users, hosts, groups, organizational units, and sites) and privilege levels. BloodHound is an open-source tool that creates interactive visualizations that map out relationships between objects. A major component of BloodHound are data collectors, such as SharpHound or BloodHound.py, that leverage network protocols such as remote procedure call (RPC), SMB, and LDAP to retrieve data from domain controllers and domain workstations. For example, the data collector runs different types of LDAP queries to retrieve different collections of data, such as all administration accounts or workstations in a domain. BloodHound typically performs enumeration activity with encryption enabled. With these data collections, BloodHound builds visualizations in a user interface where the attacker can identify which AD objects to compromise to gain access to their targets.
Apply the principles of least privilege to domain users to reduce the information users can enumerate through scans and tools such as BloodHound
Because securing LDAP servers can be difficult without compromising functionality, monitor and investigate unusual LDAP activity quickly to minimize potential damage
