AzureHound
AzureHound is a Go-based, open-source data collection and enumeration tool developed by SpecterOps as part of the BloodHound suite for penetration testing in Microsoft cloud environments. It is used to enumerate Azure resources and Microsoft Entra ID (formerly Azure Active Directory) data and to map potential attack paths, collecting through the Microsoft Graph and Azure REST APIs. The sources below describe AzureHound being used for post-compromise discovery and internal reconnaissance in Microsoft Azure and Entra ID environments. Microsoft observed the Iranian nation-state threat actor Peach Sandstorm (HOLMIUM, with overlap to public reporting on APT33/Elfin/Refined Kitten) using AzureHound in successful intrusions since 2023, alongside ROADtools, after password-spray activity and other access methods. Reported targeting in that campaign focused on satellite, defense, and to a lesser extent pharmaceutical organizations worldwide. The sources also note detection opportunities based on AzureHound/BloodHound-related user-agent activity across Microsoft cloud services and in Entra ID sign-in telemetry. No specific file hashes or other AzureHound-specific IOCs are provided in the sources.
Groups observed using it
5 distinct threat actors attributed by public researchers.
Abuse of AzureHound in the Wild — ...leveraged a Go-based open-source data collection tool called AzureHound... enumerate Azure resources and map potential attack paths...
"They used password spray activity, internal reconnaissance with AzureHound or Roadtools..."
"Threat Actors Abuse AzureHound for Post-Compromise Discovery in Microsoft Azure Environments" ... "AzureHound is an open-source data collection tool initially developed by SpecterOps (@SpecterOps) for penetration testing within the BloodHound suite."
Techniques & procedures
13 distinct techniques documented for this family, organized by ATT&CK tactic.
Initial Access
1 technique
Execution
1 technique
"Let's authorize a Microsoft public client application using Python. In this example, we will complete a device authorization grant flow as the Azure CLI public client application."
Persistence
1 technique
Credential Access
1 technique
"Accessing cleartext access and refresh tokens for various MS APIs (e.g., MS Graph) is often a requirement during engagements and research, especially using pre-consented clients (e.g., AzureCLI) to avoid additional consent prompts."
Discovery
10 techniques
"AD Explorer for Active Directory environment mapping"; "AzureHound and Roadtools for Azure AD reconnaissance"
The threat actor has also in some cases enumerated the compromised organization's Microsoft Entra ID configuration using the publicly available AzureHound tool to gain information about the users, roles, groups, applications, and devices belonging to that tenant.
Detect AzureHound Command-Line Arguments ... Local Groups ... Detect SharpHound Usage ... Local Groups ... Group Discovery Via Net ... Local Groups
Detect AzureHound Command-Line Arguments ... Domain Groups ... Detect SharpHound Usage ... Domain Groups ... Group Discovery Via Net ... Domain Groups
Tokens are needed not only for manual enumeration via APIs but also for tools like AzureHound or GraphRunner, which require a valid refresh token.
Detect AzureHound Command-Line Arguments ... Local Account ... Detect SharpHound Usage ... Local Account ... Windows SOAPHound Binary Execution ... Local Account
Step 2 - Reconnaissance T1087.002, T1482, T1518.001, T1057, T1082 | Affiliate Domain enumeration via obfuscated ADRecon.ps1, nltest, net group, tasklist, sc query.
Storm-0501 has conducted enumeration of users, roles, and resources within victim Azure tenants using the tool Azurehound.
Detect AzureHound Command-Line Arguments ... Domain Trust Discovery ... Detect SharpHound Usage ... Domain Trust Discovery ... Windows SOAPHound Binary Execution ... Domain Trust Discovery
APT33 conducts massive password-spraying campaigns against Microsoft 365 and AAD tenants, using TOR exit nodes and open-source tools such as Roadtools and AzureHound for post-compromise reconnaissance.
IOCs tracked for this family
1 indicator attributed across vendor reports, sandbox runs, and researcher write-ups.
Recent activity
6 sources tracked across advisories, community write-ups, and news.
Open-source Azure/Entra ID data collection tool (part of the BloodHound ecosystem) used post-compromise to enumerate identities, roles, resources, and relationships to map privilege-escalation paths and facilitate lateral movement in Azure environments.
Go-based Azure enumeration/attack-path mapping tool abused post-compromise to identify misconfigurations and privilege-escalation paths in Azure environments.
Reconnaissance tool used to collect and dump data from Microsoft Entra ID (Azure AD) environments.
Tool used for internal reconnaissance in Azure/Entra ID environments to help map relationships and identify paths for privilege escalation and lateral movement.