BloodHound is one of the most effective Active Directory attack path tools ever built — and it’s freely available. Red teams use it to map privilege escalation paths from any compromised account to Domain Admin. Real threat actors including SCATTERED SPIDER, Midnight Blizzard, and numerous ransomware groups use it for the same purpose. SharpHound is the collection component: a .NET binary (and PowerShell module variant) that runs LDAP queries against a domain controller and writes output JSON files that BloodHound ingests for graph analysis.

Detecting BloodHound isn’t about catching the binary — attackers rename it constantly. It’s about detecting the characteristic LDAP query patterns, volume anomalies, and enumeration activity that SharpHound generates regardless of what the executable is called.

Detection Surface

SharpHound collection generates four categories of detectable activity:

  1. High-volume LDAP queries — enumerating all users, computers, groups, GPOs, OUs, and trusts against a domain controller
  2. Process execution — SharpHound.exe or renamed equivalents; PowerShell-based collection via Invoke-BloodHound
  3. Remote SAM API calls — to enumerate local admin group membership across domain computers
  4. Net commandsnet group "Domain Admins", net user /domain, etc. for quick domain recon

Sigma Rules

High-Volume LDAP Enumeration Burst

title: Suspicious High-Volume LDAP Query Enumeration
id: a3f2c1d9-4e67-4b8a-9f0e-123456789abc
status: experimental
description: Detects unusually high volume of LDAP queries from a single source, consistent with BloodHound/SharpHound collection
references:
  - https://attack.mitre.org/techniques/T1087/002/
  - https://attack.mitre.org/techniques/T1069/002/
author: SOC Analyst Hub
date: 2026-06-16
tags:
  - attack.discovery
  - attack.t1087.002
  - attack.t1069.002
  - attack.t1482
logsource:
  product: windows
  service: security
  definition: 'Requires LDAP query audit logging (Event ID 1644 on DCs, or Directory Service audit)'
detection:
  selection:
    EventID: 1644
  timeframe: 5m
  condition: selection | count() by SubjectUserName > 200
falsepositives:
  - Directory synchronisation services (AAD Connect, Azure AD Sync)
  - Enterprise IAM platforms performing bulk LDAP queries
  - DLP tools doing AD-based classification
level: medium

SharpHound Binary or Module Execution

title: SharpHound Collector Execution
id: b4e8d2f1-5a79-4c9b-8e3d-234567890bcd
status: stable
description: Detects execution of SharpHound collection binary or PowerShell-based Invoke-BloodHound
references:
  - https://github.com/BloodHoundAD/SharpHound
author: SOC Analyst Hub
date: 2026-06-16
tags:
  - attack.discovery
  - attack.t1087.002
  - attack.t1069.002
logsource:
  category: process_creation
  product: windows
detection:
  selection_binary:
    CommandLine|contains:
      - 'SharpHound'
      - 'Invoke-BloodHound'
      - 'Get-BloodHoundData'
  selection_args:
    CommandLine|contains:
      - '--CollectionMethod'
      - '-c All'
      - '-c DCOnly'
      - 'CollectAllProperties'
      - '--zipfilename'
      - '--outputdirectory'
  selection_imphash:
    Imphash:
      - '14c55ce1bdb1b1a50a3bdef31e4a7e97'  # known SharpHound imphash
  condition: selection_binary or selection_args or selection_imphash
falsepositives:
  - Authorised red team engagements
  - Security tooling that wraps BloodHound for assessment
level: high

Net Commands for Domain Group Discovery

title: Net Command Domain Group and User Enumeration
id: c5f9e3a2-6b8a-4d0c-9f4e-345678901cde
status: stable
description: Detects use of net.exe commands commonly used for domain user and group enumeration
author: SOC Analyst Hub
date: 2026-06-16
tags:
  - attack.discovery
  - attack.t1087.002
  - attack.t1069.002
logsource:
  category: process_creation
  product: windows
detection:
  selection:
    Image|endswith: '\net.exe'
    CommandLine|contains:
      - 'group "Domain Admins"'
      - 'group "Enterprise Admins"'
      - 'group "Schema Admins"'
      - 'user /domain'
      - 'localgroup administrators'
  condition: selection
falsepositives:
  - IT admin scripts performing legitimate group membership queries
  - Help desk tooling checking user membership
level: medium

KQL — Microsoft Sentinel

SharpHound Process or PowerShell Collection

// Detect SharpHound collection — binary or PowerShell-based
DeviceProcessEvents
| where TimeGenerated > ago(7d)
| where ProcessCommandLine has_any (
    "SharpHound",
    "Invoke-BloodHound",
    "Get-BloodHoundData",
    "--CollectionMethod",
    "CollectAllProperties",
    "--zipfilename"
  )
  or InitiatingProcessCommandLine has_any (
    "SharpHound",
    "Invoke-BloodHound"
  )
| project TimeGenerated, DeviceName, AccountName, ProcessCommandLine, InitiatingProcessCommandLine, FileName
| sort by TimeGenerated desc

LDAP Query Burst from Single Account (Sentinel via MDE)

// Detect unusually high LDAP query volume from single account
// Proxy: hunt for high-frequency domain controller logon events from the same source in short window
SecurityEvent
| where TimeGenerated > ago(24h)
| where EventID == 4769  // Kerberos service ticket request to LDAP service
  and ServiceName startswith "ldap"
| summarize QueryCount = count() by Account, Computer, bin(TimeGenerated, 5m)
| where QueryCount > 150
| sort by QueryCount desc
| project TimeGenerated, Account, Computer, QueryCount

Remote SAM Enumeration for Local Admin Mapping

// SharpHound uses Remote SAM to enumerate local admins on every computer
// Detects the DCE/RPC calls to samr pipe from unusual sources
DeviceNetworkEvents
| where TimeGenerated > ago(24h)
| where RemotePort == 445
  and InitiatingProcessFileName != "svchost.exe"
  and InitiatingProcessFileName != "lsass.exe"
| summarize 
    UniqueTargets = dcount(RemoteIP),
    TotalConnections = count()
  by DeviceName, InitiatingProcessFileName, InitiatingProcessCommandLine, bin(TimeGenerated, 10m)
| where UniqueTargets > 30
| sort by UniqueTargets desc

Threat Hunting: BloodHound Collection Output Files

SharpHound writes characteristically named JSON files to disk before zipping them. Hunt for these artifact patterns:

DeviceFileEvents
| where TimeGenerated > ago(7d)
| where FileName matches regex @"^\d{8}T\d{6}\d+_(users|groups|computers|domains|gpos|containers|ous)\.json$"
  or FileName matches regex @"^\d{14}_BloodHound\.zip$"
| project TimeGenerated, DeviceName, FolderPath, FileName, InitiatingProcessFileName

Investigation Workflow

When a high-confidence SharpHound signal fires:

  1. Identify the source account — is this a service account, user account, or machine account? Service accounts running enumeration are a common attacker-controlled technique.
  2. Check parent process — was SharpHound dropped by a PowerShell session, LOLBin, or known attack framework (Cobalt Strike, Sliver, Metasploit)?
  3. Check for zip output — SharpHound writes output files. Identify where they landed and whether they were transferred out.
  4. Pivot to lateral movement — BloodHound is used to plan the next attack step. After collection, look for privilege escalation attempts on paths identified in the graph (Kerberoasting, ACL abuse, DCSync).
  5. Scope the compromise — if this is post-initial-access collection, the account running it is compromised. Pivot to determine initial access vector.

The LDAP burst pattern is the most reliable indicator when attackers rename the binary. Tune your volume thresholds based on your environment’s baseline — AAD Connect and similar sync tools generate similar LDAP volume patterns and need exclusion.