BloodHound

Uses graph theory to reveal the hidden and often unintended relationships within an Active Directory environment.

Collectors

To turn an ADExplorer snapshot (.dat) into BloodHound-compatible JSON without touching the domain again, check ADExplorerSnapshot.py

Installation

Download the newest release from GitHub. Use the SharpHound collector that ships with that BloodHound release; data from a mismatched collector version will not import cleanly.

Usage

BloodHound - Run the ingestor (SharpHound) on a domain-joined system

.\SharpHound.exe -c All

Older SharpHound 3.x releases spell the flag --CollectionMethod All. Or, with the PowerShell wrapper (dot-source the script, then run the cmdlet):

. .\SharpHound.ps1
Invoke-BloodHound -CollectionMethod All

BloodHound - Remote ingestor (from a host that is not domain-joined)

Please check BloodHound.py, a Python collector that only needs valid domain credentials and network access to a domain controller.

AzureHound

Please check AzureHound, the collector for Azure AD / Entra ID and Azure resources.

Examples


Example dataset

Dataset based on a lab environment populated with BadBlood, which fills a test domain with randomized users, groups, OUs and ACLs.

Statistics:

  • Users: 2497
  • Groups: 551
  • Computers: 103
  • OUs: 223
  • GPOs: 2
  • Domains: 1

Custom Queries

Linux

~/.config/bloodhound/customqueries.json

macOS

~/Library/Application Support/bloodhound/customqueries.json

Some other handy filters and reference lists:

Filter user names out of a BloodHound JSON export

Filter domain admins (strip the @DOMAIN suffix from every "name" value)

grep -E '"name":' da-export-bloodhound.json | cut -d '"' -f 4 | cut -d '@' -f1

This relies on the export being pretty-printed with one key per line; on a single-line JSON export the grep matches once and the cut returns only the first name.

Excessive privileges allowing for shadow Domain Admins (principals that can take over a privileged object or group without being a member of any privileged group)

ForceChangePassword – Reset another user's password without knowing the current one
GenericAll          – Full control over an object (read/write everything)
GenericWrite        – Write any attribute of an object (e.g. servicePrincipalName for targeted Kerberoasting)
WriteOwner          – Take ownership of an object, then grant yourself any right
WriteDacl           – Modify the DACL of an object, i.e. grant yourself any right
Self                – Validated self-writes, e.g. add yourself as a member of the group

High privilege user groups

Administrators
Domain Admins
Enterprise Admins
Schema Admins
Account Operators
Server Operators
Backup Operators
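The following is an added example that is not part of BloodHound or SharpHound: it shows what the JSON filter above and the two lists (abusable ACL rights, high-privilege groups) mean in practice. It loads SharpHound-style users.json and groups.json (constructed sample data inline; the assumed layout is ObjectIdentifier, Properties.name, Members[] on groups and Aces[] with PrincipalSID/RightName), turns group membership and the listed ACL rights into a directed graph, and breadth-first searches for principals that reach Domain Admins only through an ACL edge, which is exactly the "shadow admin" case. names_from_export reproduces the grep/cut pipeline without depending on line layout.

```python
import json
from collections import deque

# ACL rights from the list above: holding one of them over an object lets the
# holder take it over (reset its password, add members, rewrite its DACL, ...).
ABUSABLE_RIGHTS = {"ForceChangePassword", "GenericAll", "GenericWrite",
                   "WriteOwner", "WriteDacl", "Self"}

# Constructed SharpHound-style sample data (assumed layout: ObjectIdentifier,
# Properties.name, Members[] on groups, Aces[] with PrincipalSID/RightName).
# An ACE on object X with PrincipalSID P means "P holds RightName over X".
SID = "S-1-5-21-1111-2222-3333-%d"
USERS_JSON = json.dumps({"data": [
    {"ObjectIdentifier": SID % 500, "Properties": {"name": "ADMINISTRATOR@CORP.LOCAL"},
     # HELPDESK can reset the built-in administrator's password.
     "Aces": [{"PrincipalSID": SID % 1101, "PrincipalType": "Group",
               "RightName": "ForceChangePassword", "IsInherited": False}]},
    {"ObjectIdentifier": SID % 1102, "Properties": {"name": "ALICE@CORP.LOCAL"}, "Aces": []},
    {"ObjectIdentifier": SID % 1103, "Properties": {"name": "BOB@CORP.LOCAL"}, "Aces": []},
    {"ObjectIdentifier": SID % 1104, "Properties": {"name": "CAROL@CORP.LOCAL"}, "Aces": []},
], "meta": {"type": "users", "count": 4, "version": 5}})

GROUPS_JSON = json.dumps({"data": [
    {"ObjectIdentifier": SID % 512, "Properties": {"name": "DOMAIN ADMINS@CORP.LOCAL"},
     "Members": [{"ObjectIdentifier": SID % 500, "ObjectType": "User"}],
     # CAROL holds GenericAll on the group itself, so she can add members.
     "Aces": [{"PrincipalSID": SID % 1104, "PrincipalType": "User",
               "RightName": "GenericAll", "IsInherited": False}]},
    {"ObjectIdentifier": SID % 1101, "Properties": {"name": "HELPDESK@CORP.LOCAL"},
     "Members": [{"ObjectIdentifier": SID % 1103, "ObjectType": "User"}], "Aces": []},
], "meta": {"type": "groups", "count": 2, "version": 5}})


def load_graph(users_json, groups_json):
    """Return (sid -> name, sid -> [(edge, target_sid)]) for the two exports."""
    names, edges = {}, {}
    for doc in (json.loads(users_json), json.loads(groups_json)):
        for obj in doc["data"]:
            sid = obj["ObjectIdentifier"]
            names[sid] = obj["Properties"]["name"]
            for ace in obj.get("Aces", []):
                if ace["RightName"] in ABUSABLE_RIGHTS:
                    edges.setdefault(ace["PrincipalSID"], []).append((ace["RightName"], sid))
            for member in obj.get("Members", []):
                edges.setdefault(member["ObjectIdentifier"], []).append(("MemberOf", sid))
    return names, edges


def shortest_path(edges, start, target):
    """Breadth-first search; returns [(edge, sid), ...] from start to target, or None."""
    prev = {start: None}
    queue = deque([start])
    while queue:
        node = queue.popleft()
        if node == target:
            path = []
            while prev[node] is not None:
                edge, parent = prev[node]
                path.append((edge, node))
                node = parent
            return path[::-1]
        for edge, nxt in edges.get(node, []):
            if nxt not in prev:
                prev[nxt] = (edge, node)
                queue.append(nxt)
    return None


def shadow_admins(users_json, groups_json, target="DOMAIN ADMINS@CORP.LOCAL"):
    """Principals whose shortest route to the target group needs at least one
    ACL edge. Real (nested) members reach it through MemberOf alone and are
    left out; the target can be any group from the high-privilege list."""
    names, edges = load_graph(users_json, groups_json)
    target_sid = next(sid for sid, name in names.items() if name == target)
    found = {}
    for sid, name in names.items():
        if sid == target_sid:
            continue
        path = shortest_path(edges, sid, target_sid)
        if path and any(edge != "MemberOf" for edge, _ in path):
            found[name] = name + "".join(f" -[{edge}]-> {names.get(n, n)}" for edge, n in path)
    return found


def names_from_export(export_json):
    """Same output as the grep/cut pipeline above (every "name" value with the
    @DOMAIN suffix dropped), but independent of how the JSON is laid out."""
    out = []

    def walk(node):
        if isinstance(node, dict):
            for key, value in node.items():
                if key == "name" and isinstance(value, str):
                    out.append(value.split("@")[0])
                else:
                    walk(value)
        elif isinstance(node, list):
            for item in node:
                walk(item)

    walk(json.loads(export_json))
    return out


if __name__ == "__main__":
    print("users:", names_from_export(USERS_JSON))
    for path in shadow_admins(USERS_JSON, GROUPS_JSON).values():
        print(path)
```

On the sample data this reports CAROL (GenericAll straight on the group), HELPDESK (ForceChangePassword on a member) and BOB (a member of HELPDESK), while ADMINISTRATOR is skipped because his only route is MemberOf. Real SharpHound output carries many more edge types (sessions, local admin, delegation) and BloodHound's Cypher queries do the same search at domain scale; this script is only meant to make the ACL-edge reasoning visible.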

Troubleshooting

Installation of Neo4j and the BloodHound interface on Ubuntu

sudo apt install apt-transport-https
wget -O - https://debian.neo4j.org/neotechnology.gpg.key | sudo apt-key add -
echo 'deb https://debian.neo4j.org/repo stable/' | sudo tee -a /etc/apt/sources.list.d/neo4j.list
sudo apt update && sudo apt install neo4j openjdk-8-jdk

(apt-transport-https goes first so that apt update can already read the https repository; sudo echo did nothing useful, the tee is what needs root.)

Download the newest BloodHound release from GitHub, unpack it, then start the database and the interface:

sudo neo4j console
./BloodHound -no-sandbox

Change the default Java JDK to 8. This applies to Neo4j 3.5, which the older BloodHound releases use; the stable/ repository component tracks the newest Neo4j major, and Neo4j 4.x (required by BloodHound 4.x) needs Java 11 instead, so match the JDK to the Neo4j version you actually installed.

$ sudo update-alternatives --config java

There are 2 choices for the alternative java (providing /usr/bin/java).

  Selection    Path                                            Priority   Status
------------------------------------------------------------
* 0            /usr/lib/jvm/java-11-openjdk-amd64/bin/java      1111      auto mode
  1            /usr/lib/jvm/java-11-openjdk-amd64/bin/java      1111      manual mode
  2            /usr/lib/jvm/java-8-openjdk-amd64/jre/bin/java   1081      manual mode

Press <enter> to keep the current choice[*], or type selection number: 2

Raise DefaultLimitNOFILE so Neo4j is not capped by the default soft limit of 1024 open files (Neo4j logs a warning and recommends at least 40000). Edit both files, reboot, and confirm with ulimit -n in the shell you start neo4j from, because that shell's limit is the one the database inherits.

$ cat /etc/systemd/user.conf 
DefaultLimitNOFILE=60000

$ cat /etc/systemd/system.conf 
DefaultLimitNOFILE=60000
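The check a practitioner wants after editing those two files, as an added example that is not part of Neo4j or BloodHound: it parses the DefaultLimitNOFILE key the way systemd reads it (last uncommented assignment wins, a "soft:hard" pair yields the soft value, an absent key means the compiled-in default of 1024) and compares it to the 40000 that Neo4j recommends; run as a script it also reports the limit of the current process, which is what neo4j console would inherit. The file paths are the ones from the section above; anything else is passed in as an argument.

```python
import re

NEO4J_MIN_NOFILE = 40000          # Neo4j's recommended minimum open files
SYSTEMD_DEFAULT_NOFILE = 1024     # soft limit when the key is not set
SYSTEMD_CONFS = ("/etc/systemd/system.conf", "/etc/systemd/user.conf")

# Key=value line, optionally indented; commented-out lines do not match.
_KEY = re.compile(r"^\s*DefaultLimitNOFILE\s*=\s*(\S+)")


def default_limit_nofile(conf_text):
    """Effective DefaultLimitNOFILE from the text of one systemd conf file."""
    value = None
    for line in conf_text.splitlines():
        match = _KEY.match(line)
        if match:
            value = match.group(1).split(":")[0]   # soft value of soft:hard
    if value is None:
        return SYSTEMD_DEFAULT_NOFILE
    if value == "infinity":
        return float("inf")
    return int(value)


def nofile_ok(limit):
    """True when the limit satisfies Neo4j's recommendation."""
    return limit >= NEO4J_MIN_NOFILE


def check_conf_files(paths=SYSTEMD_CONFS):
    """Map each conf path to its effective limit; a missing file means the
    systemd default applies, which is what you want to be told about."""
    results = {}
    for path in paths:
        try:
            with open(path, encoding="utf-8") as handle:
                text = handle.read()
        except OSError:
            text = ""
        results[path] = default_limit_nofile(text)
    return results


if __name__ == "__main__":
    import resource   # Unix only; the limit the current process actually has

    for path, limit in check_conf_files().items():
        print(f"{path}: DefaultLimitNOFILE={limit} "
              f"{'OK' if nofile_ok(limit) else 'below ' + str(NEO4J_MIN_NOFILE)}")
    soft, _hard = resource.getrlimit(resource.RLIMIT_NOFILE)
    print(f"current process soft limit: {soft} "
          f"{'OK' if nofile_ok(soft) else 'below ' + str(NEO4J_MIN_NOFILE)}")
```

If the conf files look right but the process limit is still 1024, the session was started before the reboot or the value is being overridden lower in /etc/security/limits.conf; the number printed for the current process is the one that matters.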

URL list