7. BloodHound

Collecting with SharpHound:

• Can be used in different formats, e.g. non-compiled, pre-compiled binary, ps-script
• Also supports looping for running bloodhound continuously to catch changes
  Usage:

1. Get script to system and launch bypassed powershell.
2. Import module:

Import-Module .\Sharphound.ps1

3. Invoke Bloodhound:

Invoke-BloodHound -CollectionMethod All -OutputDirectory C:\temp\ -OutputPrefix "audit"

4. Delete generated .bin cache file at output location!

Analyzing with BloodHound:

1. Start the Neo4j service:

sudo neo4j start

2. Browse to the interface at: http://localhost:7474
3. Authenticate using both username and password "neo4j". Then choose new password to database.
4. Start Bloodhound from the terminal and log in using the credentials created:

bloodhound

5. Unzip and upload data from "Upload Data" in GUI.

BloodHound analysis:

• Click "Analysis" and examine pre-built analysis options.
• Right click on hosts and hit "? Help" to further examine information such as abuse and opsec info.
• Use the "Shortest Paths" function to see the shortest path to domain admin from your initial access point.
• Return all objects in database with property "Computer":

MATCH (m:Computer) RETURN m

• All objects that contains word:

MATCH (c:Computer) WHERE c.name CONTAINS "SEARCH" RETURN c

• Display sessions between hosts:

MATCH p = (c:Computer)-[:HasSession]->(m:User) RETURN p

• Kerberoastable Users with a path to Domain Admin:

MATCH (u:User {hasspn:true}) MATCH (g:Group) WHERE g.name CONTAINS 'DOMAIN ADMINS' MATCH p = shortestPath( (u)-[*1..]->(g) ) RETURN p

• Shortest paths to Domain Admins Group from computers:

MATCH (n:Computer),(m:Group {name:'DOMAIN ADMINS@ADM.HUDDINGE.SE'}),p=shortestPath((n)-[r:MemberOf|HasSession|AdminTo|AllExtendedRights|AddMember|ForceChangePassword|GenericAll|GenericWrite|Owns|WriteDacl|WriteOwner|CanRDP|ExecuteDCOM|AllowedToDelegate|ReadLAPSPassword|Contains|GpLink|AddAllowedToAct|AllowedToAct*1..]->(m)) RETURN p

Good queries to run:

• Find all Domain Admins
• Find Workstations where Domain Users can RDP
• Find Servers where Domain Users can RDP
• Find Computers where Domain Users are Local Admin
• Shortest Path to Domain Admins from Owned Principals
• List all Kerberoastable Accounts