BloodHound Analysis

Reconnaissance

BloodHound uses graph theory to reveal the hidden and often unintended relationships within an Active Directory environment. It allows attackers to identify complex attack paths that would otherwise be impossible to see.

Domain Dominance Attack Flow

This diagram shows the typical attack path from Domain Admin to complete domain dominance via persistence techniques.

Data Collection

The first step is to collect data from the domain using an ingestor like SharpHound (Windows) or BloodHound-Python (Linux).

SharpHound (Windows)

Run SharpHound from a domain-joined machine.

Collect all data:

```powershell
.\SharpHound.exe -c All
```

Collect all data and write the zipped output to a specific file:

```powershell
.\SharpHound.exe -c All --zipfilename loot.zip
```

PowerShell module:

```powershell
Import-Module .\SharpHound.ps1
Invoke-BloodHound -CollectionMethod All -ZipFileName loot.zip
```

BloodHound-Python (Linux)

Run from a Linux machine (e.g., Kali) if you have valid domain credentials.

```bash
bloodhound-python -u user -p password -d corp.local -dc DC01.corp.local -c All
```

Analysis & Visualization

Once the collected data has been imported into the Neo4j database, you can use the BloodHound GUI to run queries and visualize the resulting paths.

Starting BloodHound

Start the Neo4j database service and then the BloodHound GUI.

Start Neo4j database:

```bash
neo4j console
```

Start BloodHound GUI:

```bash
bloodhound
```

Custom Cypher Queries

While BloodHound ships with built-in queries, custom Cypher queries can search for specific patterns in the graph.

Find Users with Path to Domain Admins

```cypher
MATCH p=shortestPath((n:User)-[*1..]->(g:Group))
WHERE g.name = 'DOMAIN ADMINS@CORP.LOCAL'
RETURN p
```

Find Computers Administered by Domain Users

```cypher
MATCH p=(m:Group)-[:AdminTo]->(c:Computer)
WHERE m.name = 'DOMAIN USERS@CORP.LOCAL'
RETURN p
```
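The shortest-path query above, carried through on a constructed mini-graph as an added example (not code from this page or from the BloodHound project): a breadth-first search over BloodHound-style edges that finds each user's shortest path into Domain Admins and then counts which edges those paths share, so a defender can see which single relationship to remove first. The node names, edges and the `choke_points` helper are constructed assumptions; real BloodHound traversal runs inside Neo4j with edge semantics this toy model does not reproduce.

```python
from collections import Counter, deque

# Constructed sample data in BloodHound's node/edge vocabulary (not real AD data). Each tuple is
# (source, edge type, target); directions follow BloodHound's schema, e.g. Computer -HasSession-> User.
EDGES = [
    ("ALICE@CORP.LOCAL", "MemberOf", "HELPDESK@CORP.LOCAL"),
    ("BOB@CORP.LOCAL", "MemberOf", "HELPDESK@CORP.LOCAL"),
    ("HELPDESK@CORP.LOCAL", "AdminTo", "WS01.CORP.LOCAL"),
    ("WS01.CORP.LOCAL", "HasSession", "ADMIN1@CORP.LOCAL"),
    ("ADMIN1@CORP.LOCAL", "MemberOf", "DOMAIN ADMINS@CORP.LOCAL"),
    ("CAROL@CORP.LOCAL", "GenericAll", "ADMIN1@CORP.LOCAL"),
    ("DAVE@CORP.LOCAL", "MemberOf", "DOMAIN USERS@CORP.LOCAL"),
]
USERS = ["ALICE@CORP.LOCAL", "BOB@CORP.LOCAL", "CAROL@CORP.LOCAL", "DAVE@CORP.LOCAL"]
DOMAIN_ADMINS = "DOMAIN ADMINS@CORP.LOCAL"

def build_graph(edges):
    """Adjacency list: node -> list of (edge type, target)."""
    graph = {}
    for src, kind, dst in edges:
        graph.setdefault(src, []).append((kind, dst))
    return graph

def shortest_path(graph, start, target):
    """BFS over directed edges, the analogue of Cypher's shortestPath((start)-[*1..]->(target)).
    Returns the path as a list of (src, edge type, dst) hops, or None when target is unreachable."""
    parent = {start: None}  # node -> (previous node, edge type used to reach it)
    queue = deque([start])
    while queue:
        node = queue.popleft()
        if node == target:  # first time we pop the target is the fewest-hop path
            hops = []
            while parent[node] is not None:
                prev, kind = parent[node]
                hops.append((prev, kind, node))
                node = prev
            return hops[::-1]
        for kind, nxt in graph.get(node, []):
            if nxt not in parent:
                parent[nxt] = (node, kind)
                queue.append(nxt)
    return None

def users_with_path(graph, users, target=DOMAIN_ADMINS):
    """Map each user to its shortest path into the target group; users with no path are omitted."""
    return {u: p for u in users if (p := shortest_path(graph, u, target)) is not None}

def choke_points(paths):
    """Count how many users' shortest paths cross each edge; the most common ones are where to remediate first."""
    return Counter(hop for path in paths.values() for hop in path)
```

Running `choke_points(users_with_path(build_graph(EDGES), USERS))` on the sample data ranks the Helpdesk group's AdminTo right on WS01 and ADMIN1's session there as the shared hops that, once removed, cut both Alice's and Bob's paths at once.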

Cheatsheet

For a comprehensive list of BloodHound queries and collection options, check out the BloodHound Cheatsheet.