
BloodHound is a tool for Red and Blue teams. It is used for a graphical representation of the domain and its possible attack vectors. It shows the relationships between the individual objects and can also be used for Azure. The tool itself runs on Windows, Linux and macOS and requires a neo4j database.
BloodHound was created by @_wald0, @CptJesus and @harmj0y.
The following picture shows the graphical user interface (GUI).
SharpHound is the default data collector for BloodHound. It is an executable that reads all the domain data it can access and saves it in .json format for BloodHound. It should be run from a domain-joined client. Since both BloodHound and SharpHound are classified as pentesting or hacking tools, many antivirus programs and some browsers flag them as malicious. As a pentester or red teamer you should use an AV evasion technique and run it in memory. As a blue teamer, you can define an AV exception for the moment of execution, which should be removed again after data collection. The collected .json files can be dragged and dropped into the GUI and are thus loaded into the database.
AzureHound is a PowerShell script that accesses Azure via the Az and Azure AD modules and collects the data there. Like SharpHound, it also creates .json files. Like most PowerShell scripts, it will be blocked by the PowerShell execution policy and therefore not run, so an exception must be defined here as well.
The Python ingestor, based on Impacket, can be run on any system but does not have all the features of SharpHound. BloodHound Python can be installed via git or pip and is compatible with BloodHound version 4.1 or later. There is now also a Docker container that you can spawn and run BloodHound Python from. Data from Azure cannot be collected with it.
A tool by @ly4k_ for reading out the public key infrastructure tied to Active Directory, ADCS. Using the find parameter, it also generates output for BloodHound.
BloodHound knows two different object types. Nodes are the objects from the domain, such as users and groups, with all their properties: name, ID, last logon and much more.
The other type are the edges, which represent the connections or relationships between the nodes.
The advantage for the attacker is that the complete path can be displayed, with additional markings on the nodes and with custom queries:
The path up to the domain from nodes that are already owned (the skull icon).
Possible paths to high value targets (the diamond icon).
BloodHound supports attackers and defenders with many useful built-in queries, whose results are rendered as graphs. If the existing ones are not enough for you, you can use the relatively simple query language and write your own. As an example, to show all high value targets:
MATCH (m) WHERE m.highvalue=TRUE RETURN m
BloodHound is very useful for attackers, but also for defenders, for checking and finding possible privilege escalations. @_wald0 also published an example of such a misconfiguration on Twitter.
“Unrolled Members” means users or computers that belong to the group only through nested subgroups. Due to this misconfiguration, the domain had 43622 domain admins.
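As an added example (not code from this post or from the BloodHound project), the following Python script reproduces in miniature what the query above and the “Unrolled Members” graph do for a defender: it parses a constructed groups.json in the shape SharpHound produces (the field names ObjectIdentifier, Properties, Members and ObjectType are assumptions modelled on that format, and the SIDs and group names are made up), filters high value nodes the way the page's query does, and then walks the MemberOf edges breadth-first from the Domain Admins group to compare direct against effective (unrolled) membership while stopping on nested-group loops. The sample deliberately nests DOMAIN USERS three groups deep under DOMAIN ADMINS, so the effective count is far higher than the direct one, which is exactly the kind of misconfiguration to catch before it shows up in someone else's graph.

```python
import json
from collections import defaultdict, deque

# Constructed sample in the shape of a SharpHound groups.json export. Field names such as
# "ObjectIdentifier", "Properties" and "Members" are assumptions modelled on that format;
# the SIDs and group names are made up. HELPDESK contains DOMAIN USERS and a back-reference
# to IT-ADMINS, so every domain user (and a computer) ends up as an unrolled Domain Admin.
SAMPLE_GROUPS_JSON = json.dumps({
    "data": [
        {"ObjectIdentifier": "S-1-5-21-1-2-3-512",
         "Properties": {"name": "DOMAIN ADMINS@EXAMPLE.LOCAL", "highvalue": True},
         "Members": [{"ObjectIdentifier": "S-1-5-21-1-2-3-1105", "ObjectType": "User"},
                     {"ObjectIdentifier": "S-1-5-21-1-2-3-2001", "ObjectType": "Group"}]},
        {"ObjectIdentifier": "S-1-5-21-1-2-3-2001",
         "Properties": {"name": "IT-ADMINS@EXAMPLE.LOCAL", "highvalue": False},
         "Members": [{"ObjectIdentifier": "S-1-5-21-1-2-3-2002", "ObjectType": "Group"},
                     {"ObjectIdentifier": "S-1-5-21-1-2-3-1106", "ObjectType": "User"}]},
        {"ObjectIdentifier": "S-1-5-21-1-2-3-2002",
         "Properties": {"name": "HELPDESK@EXAMPLE.LOCAL", "highvalue": False},
         "Members": [{"ObjectIdentifier": "S-1-5-21-1-2-3-513", "ObjectType": "Group"},
                     {"ObjectIdentifier": "S-1-5-21-1-2-3-2001", "ObjectType": "Group"}]},
        {"ObjectIdentifier": "S-1-5-21-1-2-3-513",
         "Properties": {"name": "DOMAIN USERS@EXAMPLE.LOCAL", "highvalue": False},
         "Members": [{"ObjectIdentifier": "S-1-5-21-1-2-3-1105", "ObjectType": "User"},
                     {"ObjectIdentifier": "S-1-5-21-1-2-3-1106", "ObjectType": "User"},
                     {"ObjectIdentifier": "S-1-5-21-1-2-3-1107", "ObjectType": "User"},
                     {"ObjectIdentifier": "S-1-5-21-1-2-3-1108", "ObjectType": "User"},
                     {"ObjectIdentifier": "S-1-5-21-1-2-3-3001", "ObjectType": "Computer"}]},
    ],
    "meta": {"type": "groups", "count": 4, "version": 4},
})


def load_groups(raw):
    """Build the graph: nodes maps SID -> properties, members_of maps group SID -> direct members.

    Each (member, group) pair is one MemberOf edge in BloodHound terms."""
    doc = json.loads(raw)
    nodes, members_of = {}, defaultdict(list)
    for group in doc["data"]:
        sid = group["ObjectIdentifier"]
        nodes[sid] = {"type": "Group", **group.get("Properties", {})}
        for member in group.get("Members", []):
            nodes.setdefault(member["ObjectIdentifier"], {"type": member["ObjectType"]})
            members_of[sid].append(member["ObjectIdentifier"])
    return nodes, members_of


def high_value_nodes(nodes):
    """Same selection as the page's query: MATCH (m) WHERE m.highvalue=TRUE RETURN m."""
    return sorted(sid for sid, props in nodes.items() if props.get("highvalue") is True)


def unrolled_members(nodes, members_of, target_sid):
    """Return {principal SID: shortest membership chain to target} for every user/computer
    that reaches target_sid through one or more MemberOf edges (the 'unrolled' members).

    Breadth-first over the group graph, so the first chain found is the shortest; the
    visited set stops nested-group loops such as HELPDESK -> IT-ADMINS -> HELPDESK."""
    chains, visited = {}, {target_sid}
    queue = deque([(target_sid, [target_sid])])
    while queue:
        group, chain = queue.popleft()
        for member in members_of.get(group, []):
            if nodes[member]["type"] == "Group":
                if member not in visited:
                    visited.add(member)
                    queue.append((member, chain + [member]))
            elif member not in chains:
                chains[member] = list(reversed(chain + [member]))  # principal -> ... -> target
    return chains


def audit_domain_admins(raw):
    """Compare direct and effective (unrolled) membership of the Domain Admins group (RID 512)."""
    nodes, members_of = load_groups(raw)
    da_sid = next(sid for sid, p in nodes.items() if p["type"] == "Group" and sid.endswith("-512"))
    chains = unrolled_members(nodes, members_of, da_sid)
    name_of = lambda sid: nodes[sid].get("name", sid)
    direct = [sid for sid, chain in chains.items() if len(chain) == 2]
    nested_groups = {g for chain in chains.values() for g in chain[1:-1]}
    return {
        "direct": sorted(direct),
        "effective": sorted(chains),
        "nested_groups": sorted(name_of(g) for g in nested_groups),
        "longest_chain": [name_of(s) for s in max(chains.values(), key=len)],
    }


if __name__ == "__main__":
    report = audit_domain_admins(SAMPLE_GROUPS_JSON)
    print(f"direct domain admins:  {len(report['direct'])}")
    print(f"effective (unrolled):  {len(report['effective'])}")
    print("via nested groups:    ", ", ".join(report["nested_groups"]))
    print("longest chain:        ", " -> ".join(report["longest_chain"]))
```

Run against a real SharpHound groups.json, the same audit gives the "direct versus unrolled" number for any group; a large gap between the two, or a well-known broad group such as Domain Users appearing in nested_groups, is the finding to act on.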