BloodHound is one of the most effective Active Directory attack path tools ever built — and it’s freely available. Red teams use it to map privilege escalation paths from any compromised account to Domain Admin. Real threat actors including SCATTERED SPIDER, Midnight Blizzard, and numerous ransomware groups use it for the same purpose. SharpHound is the collection component: a .NET binary (and PowerShell module variant) that runs LDAP queries against a domain controller and writes output JSON files that BloodHound ingests for graph analysis.
Detecting BloodHound isn’t about catching the binary — attackers rename it constantly. It’s about detecting the characteristic LDAP query patterns, volume anomalies, and enumeration activity that SharpHound generates regardless of what the executable is called.
Detection Surface
SharpHound collection generates four categories of detectable activity:
- High-volume LDAP queries — enumerating all users, computers, groups, GPOs, OUs, and trusts against a domain controller
- Process execution — SharpHound.exe or renamed equivalents; PowerShell-based collection via
Invoke-BloodHound - Remote SAM API calls — to enumerate local admin group membership across domain computers
- Net commands —
net group "Domain Admins",net user /domain, etc. for quick domain recon
Sigma Rules
High-Volume LDAP Enumeration Burst
title: Suspicious High-Volume LDAP Query Enumeration
id: a3f2c1d9-4e67-4b8a-9f0e-123456789abc
status: experimental
description: Detects unusually high volume of LDAP queries from a single source, consistent with BloodHound/SharpHound collection
references:
- https://attack.mitre.org/techniques/T1087/002/
- https://attack.mitre.org/techniques/T1069/002/
author: SOC Analyst Hub
date: 2026-06-16
tags:
- attack.discovery
- attack.t1087.002
- attack.t1069.002
- attack.t1482
logsource:
product: windows
service: security
definition: 'Requires LDAP query audit logging (Event ID 1644 on DCs, or Directory Service audit)'
detection:
selection:
EventID: 1644
timeframe: 5m
condition: selection | count() by SubjectUserName > 200
falsepositives:
- Directory synchronisation services (AAD Connect, Azure AD Sync)
- Enterprise IAM platforms performing bulk LDAP queries
- DLP tools doing AD-based classification
level: medium
SharpHound Binary or Module Execution
title: SharpHound Collector Execution
id: b4e8d2f1-5a79-4c9b-8e3d-234567890bcd
status: stable
description: Detects execution of SharpHound collection binary or PowerShell-based Invoke-BloodHound
references:
- https://github.com/BloodHoundAD/SharpHound
author: SOC Analyst Hub
date: 2026-06-16
tags:
- attack.discovery
- attack.t1087.002
- attack.t1069.002
logsource:
category: process_creation
product: windows
detection:
selection_binary:
CommandLine|contains:
- 'SharpHound'
- 'Invoke-BloodHound'
- 'Get-BloodHoundData'
selection_args:
CommandLine|contains:
- '--CollectionMethod'
- '-c All'
- '-c DCOnly'
- 'CollectAllProperties'
- '--zipfilename'
- '--outputdirectory'
selection_imphash:
Imphash:
- '14c55ce1bdb1b1a50a3bdef31e4a7e97' # known SharpHound imphash
condition: selection_binary or selection_args or selection_imphash
falsepositives:
- Authorised red team engagements
- Security tooling that wraps BloodHound for assessment
level: high
Net Commands for Domain Group Discovery
title: Net Command Domain Group and User Enumeration
id: c5f9e3a2-6b8a-4d0c-9f4e-345678901cde
status: stable
description: Detects use of net.exe commands commonly used for domain user and group enumeration
author: SOC Analyst Hub
date: 2026-06-16
tags:
- attack.discovery
- attack.t1087.002
- attack.t1069.002
logsource:
category: process_creation
product: windows
detection:
selection:
Image|endswith: '\net.exe'
CommandLine|contains:
- 'group "Domain Admins"'
- 'group "Enterprise Admins"'
- 'group "Schema Admins"'
- 'user /domain'
- 'localgroup administrators'
condition: selection
falsepositives:
- IT admin scripts performing legitimate group membership queries
- Help desk tooling checking user membership
level: medium
KQL — Microsoft Sentinel
SharpHound Process or PowerShell Collection
// Detect SharpHound collection — binary or PowerShell-based
DeviceProcessEvents
| where TimeGenerated > ago(7d)
| where ProcessCommandLine has_any (
"SharpHound",
"Invoke-BloodHound",
"Get-BloodHoundData",
"--CollectionMethod",
"CollectAllProperties",
"--zipfilename"
)
or InitiatingProcessCommandLine has_any (
"SharpHound",
"Invoke-BloodHound"
)
| project TimeGenerated, DeviceName, AccountName, ProcessCommandLine, InitiatingProcessCommandLine, FileName
| sort by TimeGenerated desc
LDAP Query Burst from Single Account (Sentinel via MDE)
// Detect unusually high LDAP query volume from single account
// Proxy: hunt for high-frequency domain controller logon events from the same source in short window
SecurityEvent
| where TimeGenerated > ago(24h)
| where EventID == 4769 // Kerberos service ticket request to LDAP service
and ServiceName startswith "ldap"
| summarize QueryCount = count() by Account, Computer, bin(TimeGenerated, 5m)
| where QueryCount > 150
| sort by QueryCount desc
| project TimeGenerated, Account, Computer, QueryCount
Remote SAM Enumeration for Local Admin Mapping
// SharpHound uses Remote SAM to enumerate local admins on every computer
// Detects the DCE/RPC calls to samr pipe from unusual sources
DeviceNetworkEvents
| where TimeGenerated > ago(24h)
| where RemotePort == 445
and InitiatingProcessFileName != "svchost.exe"
and InitiatingProcessFileName != "lsass.exe"
| summarize
UniqueTargets = dcount(RemoteIP),
TotalConnections = count()
by DeviceName, InitiatingProcessFileName, InitiatingProcessCommandLine, bin(TimeGenerated, 10m)
| where UniqueTargets > 30
| sort by UniqueTargets desc
Threat Hunting: BloodHound Collection Output Files
SharpHound writes characteristically named JSON files to disk before zipping them. Hunt for these artifact patterns:
DeviceFileEvents
| where TimeGenerated > ago(7d)
| where FileName matches regex @"^\d{8}T\d{6}\d+_(users|groups|computers|domains|gpos|containers|ous)\.json$"
or FileName matches regex @"^\d{14}_BloodHound\.zip$"
| project TimeGenerated, DeviceName, FolderPath, FileName, InitiatingProcessFileName
Investigation Workflow
When a high-confidence SharpHound signal fires:
- Identify the source account — is this a service account, user account, or machine account? Service accounts running enumeration are a common attacker-controlled technique.
- Check parent process — was SharpHound dropped by a PowerShell session, LOLBin, or known attack framework (Cobalt Strike, Sliver, Metasploit)?
- Check for zip output — SharpHound writes output files. Identify where they landed and whether they were transferred out.
- Pivot to lateral movement — BloodHound is used to plan the next attack step. After collection, look for privilege escalation attempts on paths identified in the graph (Kerberoasting, ACL abuse, DCSync).
- Scope the compromise — if this is post-initial-access collection, the account running it is compromised. Pivot to determine initial access vector.
The LDAP burst pattern is the most reliable indicator when attackers rename the binary. Tune your volume thresholds based on your environment’s baseline — AAD Connect and similar sync tools generate similar LDAP volume patterns and need exclusion.