BloodHound

Uses graph theory to reveal the hidden and often unintended relationships within an Active Directory environment.

Collectors

  • SharpHound_v4.1.ps1 (1101 kb)
  • SharpHound_v4.2.exe (1027 kb)
  • SharpHound_v4.2.ps1 (1287 kb)

    • To gather additional information directly from ADExplorer for BloodHound, check ADExplorerSnapshot.py

    Installation

    Download newest release from Github.com

    Apple macOS

    The BloodHound binary is not signed, to still use it the following should be executed.

    xattr -d com.apple.quarantine /Applications/BloodHound.app

    Usage

    Bloodhound - Run ingestor on target domain joined system

    .\SharpHound.exe CollectionMethod All

    Or:

    . .\SharpHound.ps1 /exe

    Invoke-BloodHound -CollectionMethod All

    Bloodhound - Remote ingestor

    Please check BloodHound.py

    AzureHound

    Please check AzureHound

    Examples

    Example Example

    Example dataset

    Dataset based on lab environment with BadBlood.

    Statistics:

    • Users: 2497
    • Groups: 551
    • Computers: 103
    • OUS: 223
    • GPOs: 2
    • Domains: 1
  • SampleDataset_Offsec_nl_20220815_BloodHound_v4.1.zip (282 kb)
  • SampleDataset_Offsec_nl_20220815_BloodHound_v4.2.zip (298 kb)

    • Custom Queries

  • customqueries.json (72 kb)

    • Linux

    ~/.config/bloodhound/customqueries.json

    macOS

    ~/Library/Application Support/bloodhound

    Some other custom queries:

    Filter users from json export Bloodhound

    Filter domain admins

    grep -E '"name":' da-export-bloodhound.json | cut -d '"' -f 4 | cut -d '@' -f1

    Excessive privileges allowing for shadow Domain Admins

    ForceChangePassword – Ability to reset password of another user
GenericAll          – Full control over an object (read/write)
GenericWrite        – Update of any attributes of an object
WriteOwner          – Assume ownership of an object
WriteDacl           – Modify the DACL of an object
Self                – Arbitrarily modify self

    High privilege user groups

    Administrators
Domain Admins
Enterprise Admins
Schema Admins
Account Operators
Server Operators
Backup Operators

    Helpfull Tools for BloodHound

    Neo4j

    Neo4j is usually used as database for BloodHound data. Please see neo4j for installation and multi-database usage.

    CypherHound

    Tool that can be used to interact with BloodHound collected data in the Neo4j database.

    Please see CypherHound.

    BloodHoundLoader

    Tool that helps marking objects in the database, for example as owned or high value.

    Please see BloodHoundLoader.

    URL List