Operator On The Wire
BLUE TEAM / THREAT HUNT / ACTIVE DIRECTORY / ENUMERATION

BloodHound Collection

This note documents detection patterns for BloodHound collection (SharpHound and equivalent collectors) within Active Directory environments: the events and telemetry it produces, the tools involved, and example detection logic.

Direct Indicators

Log      | Event ID | Meaning                   | Forensic Value | Notes
---------|----------|---------------------------|----------------|----------------------------------------------
Security | 4662     | Directory object accessed | High           | LDAP queries against AD objects during enumeration. Only logged when Directory Service Access auditing is enabled and a SACL matches the object.
Security | 4624     | Successful logon          | Medium         | Authentication used for the enumeration session.
Security | 4648     | Explicit credentials used | High           | Tools authenticating with alternate credentials.
Sysmon   | 1        | Process creation          | High           | Execution of the SharpHound collector.
Sysmon   | 3        | Network connection        | Medium         | LDAP (389/636/3268/3269) or SMB (445) communication with domain controllers.

Indirect Indicators

Indicator                      | What To Look For                               | Forensic Value | Notes
-------------------------------|------------------------------------------------|----------------|---------------------------------------
Large LDAP query volume        | Multiple LDAP queries within a short period    | High           | Typical enumeration behavior.
SharpHound execution           | Process command line containing SharpHound     | Critical       | Direct BloodHound collection evidence.
SMB session enumeration        | Access to multiple hosts during collection     | Medium         | Used to gather session data.
Domain controller query spikes | High LDAP query load from a workstation        | High           | Possible automated enumeration.

Common Tools

Tool          | Usage
--------------|---------------------------------------
SharpHound    | Primary BloodHound data collector.
BloodHound.py | Python collector for Linux environments.
PowerView     | Used to collect AD relationship data.
CrackMapExec  | Can enumerate AD relationships.

Relevant Artifacts

  • Security logs (4662, 4624, 4648)
  • Sysmon process and network logs
  • LDAP query telemetry
  • EDR process monitoring
  • Network traffic to domain controllers

MITRE ATT&CK References

  • T1087 Account Discovery
  • T1069 Permission Groups Discovery
  • T1482 Domain Trust Discovery

Decision Tree

  1. Detect enumeration-related process execution (collector binary or command line).
  2. Identify the querying host.
  3. Inspect the host's LDAP query volume against the domain controllers.
  4. Determine the authenticated account, including any explicit credentials (4648).
  5. Evaluate the scope of the enumeration (objects queried, hosts contacted, session data collected).

Example Detection Templates

KQL

DeviceProcessEvents
| where ProcessCommandLine contains "SharpHound"

EQL

process where process.command_line like "*SharpHound*"

Sigma

title: BloodHound Enumeration Activity
logsource:
  product: windows
  category: process_creation
detection:
  selection:
    CommandLine|contains: SharpHound
  condition: selection
level: high

Splunk

This template expects LDAP client ETW telemetry forwarded into the SilkService-Log source (SilkETW); the samAccountType value 805306368 selects user objects. Replace the relative time window as needed.

index=main earliest=-24h latest=now source="WinEventLog:SilkService-Log"
| spath input=Message
| rename XmlEventData.* as *
| table _time, ComputerName, ProcessName, ProcessId, DistinguishedName, SearchFilter
| sort 0 _time
| search SearchFilter="*(samAccountType=805306368)*"
| stats min(_time) as _time, max(_time) as maxTime, count, values(SearchFilter) as SearchFilter by ComputerName, ProcessName, ProcessId
| where count > 10
| convert ctime(maxTime)
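The same aggregation as the Splunk template, implemented over constructed LDAP client telemetry so it can be run offline. This is an added example, not code from the original note; it groups user-object searches by host, process and PID as the template does, and adds a sliding time window so that slow, spread-out searches are not flagged. The sample events and the `_burst` helper are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Filter for user objects (samAccountType=805306368), the same one the Splunk template keys on.
ENUM_FILTER = "(samAccountType=805306368)"


def _burst(host, proc, pid, start, n, step):
    """Constructed data helper: n searches from one process, `step` seconds apart."""
    t0 = datetime.fromisoformat(start)
    return [(t0 + timedelta(seconds=i * step), host, proc, pid, ENUM_FILTER) for i in range(n)]


# Constructed sample telemetry in the column shape the template tables:
# (_time, ComputerName, ProcessName, ProcessId, SearchFilter).
SAMPLE_EVENTS = (
    _burst("WS01", "SharpHound.exe", 4412, "2023-07-24T10:00:00", 12, 2)     # 12 searches in 22 s
    + _burst("WS02", "explorer.exe", 1188, "2023-07-24T10:00:00", 12, 900)  # 12 searches over 2.75 h
    + _burst("WS03", "mmc.exe", 2031, "2023-07-24T10:05:00", 3, 1)          # a few searches, benign
    + [(datetime.fromisoformat("2023-07-24T10:00:05"), "WS01", "SharpHound.exe", 4412,
        "(objectClass=computer)")]                                          # not a user-object search
)


def find_ldap_enumeration(events, threshold=10, window=timedelta(minutes=5)):
    """Group user-object searches by (ComputerName, ProcessName, ProcessId) and flag any
    process issuing more than `threshold` of them inside `window`. The Splunk template
    counts over the whole search period; the window is an added refinement."""
    by_proc = defaultdict(list)
    for ts, host, proc, pid, flt in events:
        if ENUM_FILTER in flt:
            by_proc[(host, proc, pid)].append(ts)
    hits = []
    for (host, proc, pid), times in by_proc.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > window:  # slide the window forward
                start += 1
            if end - start + 1 > threshold:
                hits.append({"host": host, "process": proc, "pid": pid,
                             "count": len(times), "first": times[0], "last": times[-1]})
                break
    return hits


if __name__ == "__main__":
    for hit in find_ldap_enumeration(SAMPLE_EVENTS):
        print(hit)
```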

Mitigation & Hardening

Control Area    | Mitigation                                 | Effectiveness | Notes
----------------|--------------------------------------------|---------------|-------------------------------------
Monitoring      | Alert on SharpHound execution              | High          | Detects BloodHound collection.
LDAP monitoring | Detect large query volumes                 | Medium        | Identifies automated enumeration.
Least privilege | Limit domain read access where possible    | Medium        | Reduces enumeration scope.