BloodHound, AzureHound, SharpHound

About

BloodHound is a monolithic web application composed of an embedded React frontend with Sigma.js and a Go-based REST API backend. It is deployed with a PostgreSQL application database and a Neo4j graph database, and is fed by the SharpHound and AzureHound data collectors.

BloodHound uses graph theory to reveal the hidden and often unintended relationships within an Active Directory or Azure environment. Attackers can use BloodHound to quickly identify highly complex attack paths that would otherwise be impractical to find by hand. Defenders can use BloodHound to identify and eliminate those same attack paths. Both red and blue teams can use BloodHound to better understand privileged relationships in an Active Directory or Azure environment.

BloodHound GitHub

Bloodhound-CE Quickstart

SharpHound GitHub - For AD ingestion

AzureHound GitHub - For Entra ID and Azure ingestion

BloodHound.py GitHub - For AD ingestion from Linux (no Windows host needed)

Cypher Queries

Installing

Kali

Purge older versions of neo4j and bloodhound (the legacy 4.x package and its Neo4j instance conflict with the CE package):

sudo apt purge neo4j bloodhound

Reinstall neo4j and bloodhound

sudo apt install -y neo4j bloodhound

The first time, run the setup script:

sudo bloodhound-setup

If the setup fails with a PostgreSQL collation version mismatch error, refresh the collation version of the two databases it touches:

sudo -u postgres psql
ALTER DATABASE postgres REFRESH COLLATION VERSION;
ALTER DATABASE template1 REFRESH COLLATION VERSION;
\q

Rerun:

sudo bloodhound-setup

This should open a webpage at http://localhost:7474/browser for you to log in with Neo4j's default credentials, neo4j:neo4j. This information is also printed by the setup script. You will need to change the Neo4j default password and then put the new password in /etc/bhapi/bhapi.json, otherwise the API will not be able to reach the graph database. Do not leave neo4j:neo4j in place: the Neo4j browser and bolt port hold your entire collected domain graph.

Now we can start BloodHound:

bloodhound

This will open a webpage at http://127.0.0.1:8080

The default username and password are both admin. After logging in, it will prompt for a new password.

Usage

Ingesting

Ingest the files produced by SharpHound, AzureHound, or bloodhound-python. The BloodHound project also publishes sample data sets for Active Directory (AD) and Azure if you want to try the tool before collecting from a real environment.

Bloodhound-Python

bloodhound-python -u USER -p 'PASSWORD' -ns DNS-SERVER -d DOMAIN -c All

Then go to http://127.0.0.1:8080/ui/administration/file-ingest, or click the icon that looks like a user with a cog wheel on the left, select File Ingest, then select Upload File(s).

After the upload has completed, the job is listed on the same page. Ingestion can take a few minutes depending on how much data you collected. Wait until the status says Complete before exploring; queries run against a half-ingested graph will miss edges.
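The same upload can be scripted against the BloodHound CE REST API, which is useful when collections arrive on a schedule. This is an added example, not code from the BloodHound project; it assumes the API routes used by the CE web UI (POST /api/v2/login, POST /api/v2/file-upload/start, POST /api/v2/file-upload/{id}, POST /api/v2/file-upload/{id}/end, GET /api/v2/file-upload) and the job status codes listed in the block, all of which should be checked against the API docs of the version you run.

```python
"""Upload a SharpHound/AzureHound/bloodhound-python collection to BloodHound CE
through its REST API instead of the File Ingest page.

Added example, not part of the BloodHound project. The routes and the job
status codes below are assumptions taken from the CE API; verify them against
your version's API documentation.
"""
import json
import os
import sys
import time
import urllib.request

BASE_URL = os.environ.get("BHCE_URL", "http://127.0.0.1:8080")

# Job status codes (assumption; check the CE OpenAPI spec for your version).
STATUS = {-1: "invalid", 0: "ready", 1: "running", 2: "complete", 3: "canceled",
          4: "timed out", 5: "failed", 6: "ingesting", 7: "analyzing",
          8: "partially complete"}
# States in which polling should stop; "partially complete" means some files
# in the job were rejected and is worth investigating, not silently accepting.
TERMINAL = {"complete", "canceled", "timed out", "failed", "partially complete"}


def content_type_for(path):
    """Collectors emit .json files or a .zip of them; the upload endpoint needs
    the matching Content-Type, anything else is rejected."""
    ext = os.path.splitext(path)[1].lower()
    if ext == ".zip":
        return "application/zip"
    if ext == ".json":
        return "application/json"
    raise ValueError("unsupported collector file: %s" % path)


def status_name(code):
    return STATUS.get(code, "unknown(%r)" % code)


def is_terminal(code):
    return status_name(code) in TERMINAL


def _request(method, path, token=None, data=None, ctype="application/json"):
    req = urllib.request.Request(BASE_URL + path, data=data, method=method)
    req.add_header("Content-Type", ctype)
    if token:
        req.add_header("Authorization", "Bearer " + token)
    with urllib.request.urlopen(req) as resp:
        body = resp.read()
    return json.loads(body) if body else {}


def login(username, password):
    """Password login; returns the session token used as a bearer token."""
    body = json.dumps({"login_method": "secret", "username": username,
                       "secret": password}).encode()
    return _request("POST", "/api/v2/login", data=body)["data"]["session_token"]


def upload(token, path):
    """start -> send file -> end, the three calls the UI makes per upload."""
    job_id = _request("POST", "/api/v2/file-upload/start", token)["data"]["id"]
    with open(path, "rb") as fh:
        _request("POST", "/api/v2/file-upload/%d" % job_id, token,
                 data=fh.read(), ctype=content_type_for(path))
    _request("POST", "/api/v2/file-upload/%d/end" % job_id, token)
    return job_id


def wait_for_job(token, job_id, poll=10):
    """Equivalent of watching the File Ingest page until the status is Complete."""
    while True:
        jobs = _request("GET", "/api/v2/file-upload?skip=0&limit=50", token)["data"]
        job = next(j for j in jobs if j["id"] == job_id)
        print("job %d: %s" % (job_id, status_name(job["status"])))
        if is_terminal(job["status"]):
            return status_name(job["status"])
        time.sleep(poll)


if __name__ == "__main__":
    # Usage: BHCE_USER=admin BHCE_PASS=... python3 bh_upload.py *.zip
    tok = login(os.environ["BHCE_USER"], os.environ["BHCE_PASS"])
    for f in sys.argv[1:]:
        jid = upload(tok, f)
        print(f, "->", wait_for_job(tok, jid))
```

Treat "partially complete" and "failed" as alerts rather than successes: a collection that only half-ingested produces a graph with missing edges, which reads as "no attack path" when there is one.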

Analyzing the data

On the left-hand side, click the line graph icon and select Explore, or go to http://127.0.0.1:8080/ui/explore. This is where we look into any information needed.

For good base information, under </> CYPHER we can click the folder icon to see all the pre-loaded queries that ship with BloodHound.

For example, All Domain Admins.

Queries

Tier Zero users with email

MATCH (n)
WHERE ((n:Tag_Tier_Zero) OR COALESCE(n.system_tags, '') CONTAINS 'admin_tier_0')
AND n.email <> ""
AND n.enabled = true
AND NOT toUpper(n.email) ENDS WITH ".ONMICROSOFT.COM"
AND NOT (
    (toUpper(n.email) STARTS WITH "HEALTHMAILBOX"
    OR toUpper(n.email) STARTS WITH "MSEXCHDISCOVERYMAILBOX"
    OR toUpper(n.email) STARTS WITH "MSEXCHDISCOVERY"
    OR toUpper(n.email) STARTS WITH "MSEXCHAPPROVAL"
    OR toUpper(n.email) STARTS WITH "FEDERATEDEMAIL"
    OR toUpper(n.email) STARTS WITH "SYSTEMMAILBOX"
    OR toUpper(n.email) STARTS WITH "MIGRATION.")
  AND
    (n.name STARTS WITH "SM_"
    OR n.name STARTS WITH "HEALTHMAILBOX")
)
RETURN n

AS-REP Roastable Tier Zero users (DontReqPreAuth)

MATCH (n:Base)
WHERE ((n:Tag_Tier_Zero) OR COALESCE(n.system_tags, '') CONTAINS 'admin_tier_0')
AND n.dontreqpreauth = true
RETURN n

Tier Zero computers not owned by Tier Zero

The Owns edge gives the owner full control over the object's ACL, so a non-Tier-Zero owner of a Tier Zero computer is a direct path to Tier Zero. The computer itself must be filtered for Tier Zero, otherwise the query returns every computer with a non-privileged owner.

MATCH p=(n:Base)-[:Owns]->(c:Computer)
WHERE ((c:Tag_Tier_Zero) OR COALESCE(c.system_tags, '') CONTAINS 'admin_tier_0')
AND NOT ((n:Tag_Tier_Zero) OR COALESCE(n.system_tags, '') CONTAINS 'admin_tier_0')
RETURN p

Tier Zero accounts that can be delegated

An account is protected from delegation when it is marked "sensitive and cannot be delegated" or is a member of Protected Users (RID 525). The COALESCE on sensitive keeps accounts where the attribute was never set, which are also delegatable.

MATCH (m:Base)
WHERE ((m:Tag_Tier_Zero) OR COALESCE(m.system_tags, '') CONTAINS 'admin_tier_0')
AND m.enabled = true
AND COALESCE(m.sensitive, false) = false
OPTIONAL MATCH (g:Group)<-[:MemberOf*1..]-(n:Base)
WHERE g.objectid ENDS WITH '-525'
WITH m, COLLECT(n) AS matchingNs
WHERE NONE(n IN matchingNs WHERE n.objectid = m.objectid)
RETURN m

Tier Zero AD principals synchronized with Entra ID

MATCH (ENTRA:AZBase)
MATCH (AD:Base)
WHERE ((AD:Tag_Tier_Zero) OR COALESCE(AD.system_tags, '') CONTAINS 'admin_tier_0')
AND ENTRA.onpremsyncenabled = true
AND ENTRA.onpremid = AD.objectid
RETURN ENTRA
// Replace 'RETURN ENTRA' with 'RETURN AD' to see the corresponding AD principals
LIMIT 100

Kerberoastable members of Tier Zero / High Value groups

MATCH (u:User)
WHERE (u:Tag_Tier_Zero) AND u.hasspn=true
AND u.enabled = true
AND NOT u.objectid ENDS WITH '-502'
AND NOT COALESCE(u.gmsa, false) = true
AND NOT COALESCE(u.msa, false) = true 
RETURN u
LIMIT 100

Enabled Tier Zero / High Value principals inactive for 60 days

WITH 60 as inactive_days
MATCH (n:Base)
WHERE ((n:Tag_Tier_Zero) OR COALESCE(n.system_tags, '') CONTAINS 'admin_tier_0')
AND n.enabled = true
AND n.lastlogontimestamp < (datetime().epochseconds - (inactive_days * 86400)) // Replicated value
AND n.lastlogon < (datetime().epochseconds - (inactive_days * 86400)) // Non-replicated value
AND n.whencreated < (datetime().epochseconds - (inactive_days * 86400)) // Exclude recently created principals
AND NOT n.name STARTS WITH 'AZUREADKERBEROS.' // Removes false positive, Azure KRBTGT
AND NOT n.objectid ENDS WITH '-500' // Removes false positive, built-in Administrator
AND NOT n.name STARTS WITH 'AZUREADSSOACC.' // Removes false positive, Entra Seamless SSO
RETURN n

Enabled users inactive for 180 days

WITH 180 as inactive_days
MATCH (n:User)
WHERE n.enabled = true
AND n.lastlogontimestamp < (datetime().epochseconds - (inactive_days * 86400)) // Replicated value
AND n.lastlogon < (datetime().epochseconds - (inactive_days * 86400)) // Non-replicated value
AND n.whencreated < (datetime().epochseconds - (inactive_days * 86400)) // Exclude recently created principals
AND NOT n.objectid ENDS WITH '-500' // Removes false positive, built-in Administrator
RETURN n
LIMIT 1000
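The queries above are most useful when they run on a schedule and only the change since the last run is reported. The following is an added example (not code from the BloodHound project) that runs two of the Tier Zero queries from this page through the API and diffs the result against a saved baseline. It assumes the POST /api/v2/graphs/cypher endpoint the Explore page uses, a response shape of {"data": {"nodes": {<graph id>: {"label": ..., "objectId": ..., "kind": ...}}}}, and a session token obtained from POST /api/v2/login (all three are assumptions to verify against your version's API docs).

```python
"""Run Tier Zero hygiene queries on a schedule and report what changed since the
last run, so a new roastable or delegatable Tier Zero account stands out.

Added example, not part of BloodHound. The cypher endpoint, the response shape
and the bearer-token auth are assumptions taken from the CE API.
"""
import json
import os
import urllib.request

BASE_URL = os.environ.get("BHCE_URL", "http://127.0.0.1:8080")

# Queries from this page, keyed by a short name used in the baseline file.
QUERIES = {
    "t0_asrep": (
        "MATCH (n:Base) WHERE ((n:Tag_Tier_Zero) OR COALESCE(n.system_tags, '') "
        "CONTAINS 'admin_tier_0') AND n.dontreqpreauth = true RETURN n"),
    "t0_kerberoastable": (
        "MATCH (u:User) WHERE (u:Tag_Tier_Zero) AND u.hasspn = true AND u.enabled = true "
        "AND NOT u.objectid ENDS WITH '-502' AND NOT COALESCE(u.gmsa, false) = true "
        "AND NOT COALESCE(u.msa, false) = true RETURN u LIMIT 100"),
}


def run_cypher(token, query):
    """POST the query the same way the Explore page's Cypher tab does (assumed route)."""
    body = json.dumps({"query": query, "include_properties": False}).encode()
    req = urllib.request.Request(BASE_URL + "/api/v2/graphs/cypher", data=body, method="POST")
    req.add_header("Content-Type", "application/json")
    req.add_header("Authorization", "Bearer " + token)
    with urllib.request.urlopen(req) as resp:
        return json.loads(resp.read())


def principals(response):
    """Reduce a graph response to a set of (objectId, label) pairs so two runs
    compare by security identifier, not by Neo4j's internal node ids, which
    change on every re-ingest."""
    nodes = response.get("data", {}).get("nodes", {})
    return {(n["objectId"], n["label"]) for n in nodes.values()}


def diff(baseline, current):
    """Return (new, resolved): findings absent from the baseline, and baseline
    findings that no longer fire. The first list is what needs a human."""
    return sorted(current - baseline), sorted(baseline - current)


def load_baseline(path):
    if not os.path.exists(path):
        return {}
    with open(path) as fh:
        raw = json.load(fh)
    return {k: {tuple(x) for x in v} for k, v in raw.items()}


def save_baseline(path, results):
    with open(path, "w") as fh:
        json.dump({k: sorted(v) for k, v in results.items()}, fh, indent=2)


def check(token, baseline):
    report, current = {}, {}
    for name, cypher in QUERIES.items():
        current[name] = principals(run_cypher(token, cypher))
        report[name] = diff(baseline.get(name, set()), current[name])
    return report, current


if __name__ == "__main__":
    # Usage: BHCE_TOKEN=<session token> python3 t0_check.py
    path = os.environ.get("BHCE_BASELINE", "t0_baseline.json")
    report, current = check(os.environ["BHCE_TOKEN"], load_baseline(path))
    for name, (new, resolved) in report.items():
        for oid, label in new:
            print("NEW      %-18s %s (%s)" % (name, label, oid))
        for oid, label in resolved:
            print("RESOLVED %-18s %s (%s)" % (name, label, oid))
    save_baseline(path, current)
```

Keying the baseline on objectId rather than on name matters: a renamed service account keeps its SID and should not show up as both resolved and new, while a deleted-and-recreated account with the same name gets a fresh SID and correctly appears as a new finding.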

Stopping

Linux

To stop the BloodHound API and the Neo4j database, run:

sudo pkill bhapi
sudo pkill neo4j
