
BloodHound is a powerful and popular security tool designed to analyze and visualize Active Directory (AD) environments. It is used by both attackers and defenders to identify and understand complex relationships and attack paths within AD. The primary goal of BloodHound is to help security professionals discover hidden and often overlooked attack vectors that could be exploited to escalate privileges and move laterally within a network.
BloodHound Collection Methods
BloodHound uses SharpHound to collect data from an Active Directory environment. The collection methods are executed via SharpHound, typically in PowerShell or a command-line environment.
```powershell
Invoke-BloodHound -CollectionMethod All          # Collects all data
Invoke-BloodHound -CollectionMethod Default      # Default collection methods
Invoke-BloodHound -CollectionMethod Group        # Collects group memberships
Invoke-BloodHound -CollectionMethod LocalGroup   # Collects local group memberships
Invoke-BloodHound -CollectionMethod Session      # Collects active sessions
Invoke-BloodHound -CollectionMethod Trusts       # Collects domain trusts
Invoke-BloodHound -CollectionMethod ACL          # Collects ACL information
Invoke-BloodHound -CollectionMethod ObjectProps  # Collects object properties
Invoke-BloodHound -CollectionMethod Container    # Collects container information
Invoke-BloodHound -CollectionMethod RDP          # Collects RDP sessions
Invoke-BloodHound -CollectionMethod DCOM         # Collects DCOM object information
Invoke-BloodHound -CollectionMethod PSRemote     # Collects PowerShell remoting sessions
```
SharpHound Collector Options
```powershell
Invoke-BloodHound -Domain example.com                    # Specifies the target domain
Invoke-BloodHound -LDAPUser username                     # LDAP username for authentication
Invoke-BloodHound -LDAPPass password                     # LDAP password for authentication
Invoke-BloodHound -SkipPortScan                          # Skips the port scanning phase
Invoke-BloodHound -NoSaveCache                           # Does not save the cache to disk
Invoke-BloodHound -Throttle 2000                         # Adds a delay (in milliseconds) between each request
Invoke-BloodHound -Throttle 2000 -Jitter 30              # Adds up to 30% random jitter to the throttle delay
Invoke-BloodHound -Stealth                               # Uses stealth collection methods to avoid detection
Invoke-BloodHound -LdapOnly                              # Collects only LDAP information
Invoke-BloodHound -CSVFolder C:\path\to\folder           # Specifies the folder to save CSV files
Invoke-BloodHound -ZipFileName C:\path\to\output.zip     # Specifies the name of the output ZIP file
```
Python BloodHound Collection Methods
```bash
bloodhound-python -d example.com -u username -p password   # Specifies the target domain and credentials
bloodhound-python -dc dc.example.com                       # Specifies a specific Domain Controller to query
bloodhound-python -c All                                   # Collects all data (the default is -c Default)
bloodhound-python -c Group,ACL,Session                     # Collects specific collection methods (comma-separated)
bloodhound-python -c DCOnly                                # LDAP queries to the DC only (no SMB/RPC to member hosts)
bloodhound-python -ns 10.1.1.1                             # Uses this IP as the DNS server for name resolution
bloodhound-python -gc gc.example.com                       # Uses a specific Global Catalog server
bloodhound-python --disable-pooling                        # Disables worker pooling (debugging aid)
bloodhound-python --kerberos                               # Uses Kerberos authentication (TGT required)
bloodhound-python --hashes LMHASH:NTHASH                   # Uses an NTLM hash instead of a plaintext password
bloodhound-python -op output                               # Prefix for the output JSON file names
bloodhound-python --zip                                    # Compresses the JSON output into a single ZIP
```
The combined full command I use is:
```bash
bloodhound-python -u username -p password -c All --zip -d hacker.com -dc dc.hacker.com -ns 10.1.1.1 -gc dc.hack.com --auth-method ntlm
```
AzureHound
AzureHound is the Azure AD ingestor for BloodHound, used to collect information about Azure AD users, roles, groups, applications, and attack paths.
Install and Import
```powershell
Install-Module -Name Az -AllowClobber
Install-Module -Name AzureADPreview -AllowClobber
Connect-AzureAD                  # Enter details in the popup
Connect-AzAccount                # Enter details in the popup or select the signed-in account
Import-Module .\AzureHound.ps1
Invoke-AzureHound
```
AzureHound Commands
```powershell
Invoke-AzureHound -CollectionMethod All                # Collects all available Azure data
Invoke-AzureHound -CollectionMethod Default            # Uses default collection methods
Invoke-AzureHound -CollectionMethod Users              # Collects all Azure AD users
Invoke-AzureHound -CollectionMethod Groups             # Collects Azure AD groups
Invoke-AzureHound -CollectionMethod Roles              # Collects Azure AD roles and role assignments
Invoke-AzureHound -CollectionMethod ServicePrincipals  # Collects Azure AD service principals
Invoke-AzureHound -CollectionMethod Applications       # Collects Azure AD applications
Invoke-AzureHound -CollectionMethod Devices            # Collects registered Azure AD devices
Invoke-AzureHound -CollectionMethod Subscriptions      # Collects Azure subscriptions and permissions
Invoke-AzureHound -CollectionMethod ResourceGroups     # Collects Azure resource groups
Invoke-AzureHound -CollectionMethod VMInstances        # Collects Azure Virtual Machine instances
Invoke-AzureHound -CollectionMethod KeyVaults          # Collects Azure Key Vault information
Invoke-AzureHound -CollectionMethod StorageAccounts    # Collects Azure Storage Account permissions
Invoke-AzureHound -CollectionMethod Networks           # Collects Azure virtual networks and security groups
Invoke-AzureHound -Tenant example.onmicrosoft.com      # Specifies the target Azure AD tenant
Invoke-AzureHound -AccessToken YOUR_ACCESS_TOKEN       # Uses a provided Azure AD access token for authentication
Invoke-AzureHound -ClientID YOUR_CLIENT_ID             # Uses a specific Azure AD client ID for authentication
Invoke-AzureHound -ClientSecret YOUR_CLIENT_SECRET     # Uses a client secret for authentication
Invoke-AzureHound -RefreshToken YOUR_REFRESH_TOKEN     # Uses a refresh token for authentication
Invoke-AzureHound -NoSaveCache                         # Does not save the cache to disk
Invoke-AzureHound -Throttle 2000                       # Adds a delay (in milliseconds) between each request
Invoke-AzureHound -RandomDelay                         # Adds a random delay between requests to avoid detection
Invoke-AzureHound -Stealth                             # Uses stealth collection methods to avoid detection
Invoke-AzureHound -OutputDirectory C:\path\to\folder   # Specifies the folder to save collected data
Invoke-AzureHound -ZipFileName C:\path\to\output.zip   # Specifies the name of the output ZIP file
Invoke-AzureHound -Throttle 5000 -RandomDelay          # Slows down queries to evade detection
Invoke-AzureHound -CollectionMethod All -Tenant example.onmicrosoft.com -AccessToken YOUR_ACCESS_TOKEN  # Collects all available Azure AD data while authenticating with an access token
```
Using SharpHound in Different Environments
Powershell
```powershell
Import-Module .\SharpHound.ps1
Invoke-BloodHound -CollectionMethod All -Domain example.com -LDAPUser [email protected] -LDAPPass password  # Collects all available data while authenticating with an LDAP username and password
Invoke-BloodHound -CollectionMethod All                   # Collects all available data
Invoke-BloodHound -CollectionMethod Default               # Uses default collection methods
Invoke-BloodHound -CollectionMethod Group                 # Collects group memberships
Invoke-BloodHound -CollectionMethod LocalGroup            # Collects local group memberships
Invoke-BloodHound -CollectionMethod Session               # Collects active sessions
Invoke-BloodHound -CollectionMethod Trusts                # Collects domain trusts
Invoke-BloodHound -CollectionMethod ACL                   # Collects ACL (Access Control List) information
Invoke-BloodHound -CollectionMethod ObjectProps           # Collects object properties
Invoke-BloodHound -CollectionMethod Container             # Collects container information
Invoke-BloodHound -CollectionMethod RDP                   # Collects RDP session data
Invoke-BloodHound -CollectionMethod DCOM                  # Collects Distributed COM object data
Invoke-BloodHound -CollectionMethod PSRemote              # Collects PowerShell remoting session data
Invoke-BloodHound -Domain example.com                     # Specifies the target domain
Invoke-BloodHound -LDAPUser [email protected]              # LDAP username for authentication
Invoke-BloodHound -LDAPPass password                      # LDAP password for authentication
Invoke-BloodHound -SkipPortScan                           # Skips the port scanning phase
Invoke-BloodHound -NoSaveCache                            # Does not save the cache to disk
Invoke-BloodHound -Throttle 2000                          # Adds a delay (in milliseconds) between each request
Invoke-BloodHound -Throttle 2000 -Jitter 30               # Adds up to 30% random jitter to the throttle delay
Invoke-BloodHound -Stealth                                # Uses stealth collection methods to avoid detection
Invoke-BloodHound -LdapOnly                               # Collects only LDAP information
Invoke-BloodHound -CSVFolder C:\path\to\folder            # Specifies the folder to save CSV files
Invoke-BloodHound -ZipFileName C:\path\to\output.zip      # Specifies the name of the output ZIP file
```
Command Line (SharpHound.exe)
```powershell
SharpHound.exe -c All -d example.com -u [email protected] -p password  # Collects all available data while authenticating with a username and password
SharpHound.exe -c All                                  # Collects all available data
SharpHound.exe -c Default                              # Uses default collection methods
SharpHound.exe -c Group,ACL,ObjectProps                # Collects specific collection methods (comma-separated)
SharpHound.exe -c LocalAdmin,Session,Trusts            # Collects local admin, session, and trust data
SharpHound.exe -d example.com                          # Specifies the target domain
SharpHound.exe -u [email protected] -p password         # Specifies credentials for authentication
SharpHound.exe -u [email protected] --hashes NTLM_HASH  # Uses an NTLM hash instead of a plaintext password
SharpHound.exe -DomainController dc.example.com        # Uses a specific Domain Controller
SharpHound.exe -ldaponly                               # Uses only LDAP queries (stealth mode)
SharpHound.exe -acls                                   # Collects ACL (Access Control List) information
SharpHound.exe -Stealth                                # Uses stealthy collection techniques
SharpHound.exe -Throttle 2000                          # Adds a delay (milliseconds) between each request
SharpHound.exe -Throttle 2000 -Jitter 30               # Adds up to 30% random jitter to the throttle delay
SharpHound.exe -NoSaveCache                            # Prevents the cache from being saved to disk
SharpHound.exe -SkipPortScan                           # Skips the port scanning phase
SharpHound.exe -JSON                                   # Outputs results in JSON format
SharpHound.exe -ZipFileName C:\path\to\output.zip      # Specifies the name of the output ZIP file
SharpHound.exe -OutputDirectory C:\path\to\folder      # Specifies the folder to save output files
SharpHound.exe -c DCOM,PSRemote,RDP                    # Collects specific remote access data
```
BloodHound GUI
BloodHound itself is a graphical interface to visualize the collected data. Once the data is collected using SharpHound, it can be uploaded and analyzed in the BloodHound interface.
Running BloodHound
```bash
neo4j console    # Starts the Neo4j database (or start it from Neo4j Desktop)
bloodhound       # Launches the BloodHound GUI
```
Neo4j Database Management
Starting Neo4j
```bash
neo4j console
```
Stopping Neo4j
```bash
neo4j stop
```
Checking Neo4j Status
```bash
neo4j status
```
BloodHound Data Import
- Open the BloodHound interface
- Use the “Upload Data” button in the GUI to import data collected by SharpHound.
Common Queries in BloodHound
BloodHound provides predefined queries to analyze the data. Here are a few examples:
- Find all Domain Admins
- Find shortest paths to Domain Admins
- Identify users with unconstrained delegation
- Detect computers with local admin rights
- Analyze Kerberos delegation
Custom Queries in BloodHound
```cypher
// Return all users of a specific group
MATCH (g:Group {name: 'IT [email protected]'})<-[:MemberOf]-(u:User)
RETURN u.name AS UserName

// Return users with a keyword in their description (CONTAINS is case-sensitive)
MATCH (u:User) WHERE u.description CONTAINS "pass"
RETURN u.name, u.displayname, u.description

// Get all owned users in the specified group
MATCH (g:Group {name: 'VPN ACCESS [email protected]'})<--(u:User) WHERE u.owned = true
RETURN u.name AS OwnedUser, u.objectid AS ObjectID, g.name AS GroupName

// Get all machines that a specific AD group is local admin on
MATCH (g:Group {name: 'DOMAIN [email protected]'})-[:AdminTo]->(c:Computer)
RETURN g.name AS GroupName, c.name AS ComputerName

// Find enabled users flagged "password not required" (accounts that may have empty passwords)
MATCH (n:User {enabled: true, passwordnotreqd: true}) RETURN n

// Find users with descriptions and display them
MATCH (c:User) WHERE c.description IS NOT NULL RETURN c.name, c.description

// Find computers with descriptions and display them
MATCH (c:Computer) WHERE c.description IS NOT NULL RETURN c.name, c.description

// Get all users and their emails (run in the Neo4j Desktop browser, then download as CSV)
MATCH (u:User) RETURN u.name, u.email

// Get all domain admins (run in the Neo4j Desktop browser, then download as CSV)
MATCH (u:User)-[:MemberOf]->(g:Group {name: 'DOMAIN [email protected]'}) RETURN u.name
```
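The same three checks (members of a group, enabled users flagged password-not-required, and a keyword in the description) can be run offline against the JSON that SharpHound writes, before anything is loaded into Neo4j. This is an added example, not BloodHound or SharpHound code; it assumes the SharpHound v4-style layout (`"data"` list, `"ObjectIdentifier"` SID, `"Properties"`, and a group `"Members"` list of SID references) and uses constructed sample objects with placeholder SIDs.

```python
import json

# Constructed sample shaped like SharpHound's users.json / groups.json (placeholder SIDs, not real data).
USERS_JSON = json.dumps({"data": [
    {"ObjectIdentifier": "S-1-5-21-1-1-1-1105", "Properties": {"name": "ALICE@EXAMPLE.LOCAL",
        "enabled": True, "passwordnotreqd": False, "description": None}},
    {"ObjectIdentifier": "S-1-5-21-1-1-1-1106", "Properties": {"name": "SVC_BACKUP@EXAMPLE.LOCAL",
        "enabled": True, "passwordnotreqd": True, "description": "temp pass set in ticket 42"}},
    {"ObjectIdentifier": "S-1-5-21-1-1-1-1107", "Properties": {"name": "BOB@EXAMPLE.LOCAL",
        "enabled": False, "passwordnotreqd": True, "description": None}},
], "meta": {"type": "users", "count": 3, "version": 5}})

GROUPS_JSON = json.dumps({"data": [
    {"ObjectIdentifier": "S-1-5-21-1-1-1-512",
     "Properties": {"name": "DOMAIN ADMINS@EXAMPLE.LOCAL"},
     "Members": [{"ObjectIdentifier": "S-1-5-21-1-1-1-1105", "ObjectType": "User"},
                 {"ObjectIdentifier": "S-1-5-21-1-1-1-1106", "ObjectType": "User"}]},
], "meta": {"type": "groups", "count": 1, "version": 5}})

def load_objects(raw):
    """Index one SharpHound JSON file by SID: {ObjectIdentifier: object}."""
    return {o["ObjectIdentifier"]: o for o in json.loads(raw)["data"]}

def group_members(users, groups, group_name):
    """Like MATCH (g:Group {name: ...})<-[:MemberOf]-(u:User) RETURN u.name.
    Members are stored as SIDs, so each one is resolved against the user index."""
    names = []
    for g in groups.values():
        if g["Properties"]["name"] == group_name:
            for m in g.get("Members", []):
                if m["ObjectType"] == "User" and m["ObjectIdentifier"] in users:
                    names.append(users[m["ObjectIdentifier"]]["Properties"]["name"])
    return sorted(names)

def password_not_required(users):
    """Like MATCH (n:User {enabled: true, passwordnotreqd: true}) RETURN n."""
    return sorted(u["Properties"]["name"] for u in users.values()
                  if u["Properties"].get("enabled") and u["Properties"].get("passwordnotreqd"))

def description_contains(users, keyword):
    """Like MATCH (u:User) WHERE u.description CONTAINS "pass" (case-sensitive)."""
    return sorted(u["Properties"]["name"] for u in users.values()
                  if keyword in (u["Properties"].get("description") or ""))

if __name__ == "__main__":
    users, groups = load_objects(USERS_JSON), load_objects(GROUPS_JSON)
    print("Domain Admins:", group_members(users, groups, "DOMAIN ADMINS@EXAMPLE.LOCAL"))
    print("Enabled, password not required:", password_not_required(users))
    print("'pass' in description:", description_contains(users, "pass"))
```

Point `load_objects` at the contents of a real `*_users.json` / `*_groups.json` pair from a SharpHound ZIP to run the same checks on collected data.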
Additional SharpHound Collection Scenarios
```powershell
SharpHound.exe -c Group -d example.com -u [email protected] -p password            # Collecting group memberships only
SharpHound.exe -c Session -d example.com -u [email protected] -p password          # Collecting sessions only
SharpHound.exe -c All -d example.com -u [email protected] -p password --Stealth    # Using stealth mode
```
Full SharpHound Command Syntax
```powershell
SharpHound.exe -c <CollectionMethod> -d <Domain> -u <Username> -p <Password> --SkipPortScan --NoSaveCache --Throttle <Milliseconds> --Jitter <Percent> --Stealth --LdapOnly --CSVFolder <FolderPath> --ZipFileName <ZipFileName>
```