BloodHound v5.9 releases: Active Directory Toolkit

BloodHound

BloodHound is a single-page Javascript web application, built on top of Linkurious, compiled with Electron, with a Neo4j database fed by a PowerShell ingestor.

BloodHound uses graph theory to reveal the hidden and often unintended relationships within an Active Directory environment. Attackers can use BloodHound to easily identify highly complex attack paths that would otherwise be impossible to quickly identify. Defenders can use BloodHound to identify and eliminate those same attack paths. Both blue and red teams can use BloodHound to easily gain a deeper understanding of privilege relationships in an Active Directory environment.

Usage

Using the Interface

The BloodHound interface is designed to be intuitive and operationally focused. Because BloodHound is compiled as an Electron app, it is platform-independent and runs on Windows, OSX, and Linux.

Authentication

When you first open BloodHound, you are greeted by the logon prompt:

The “Database URL” is the IP address and port where your neo4j database is running and should be formatted as bolt://ip:7687/

The DB Username is the username for the neo4j database. The default username for a neo4j database is neo4j.

The DB Password is the password for the neo4j database. The default password for a neo4j database is neo4j. The password for the provided example database is BloodHound.

Overview

Upon successful logon, BloodHound will draw any group(s) with the “Domain Admins” in their name, and show you the effective users that belong to the group(s):

Above, the BloodHound interface is split into 5 parts:

1. Menu and search bar
2. Graph drawing area
3. Settings
4. Zoom in/out and reset
5. Raw cypher query

1. Menu and search bar

The search bar and menu are designed to be intuitive and operationally focused. The triple line in the top left will toggle the drop-down for the ‘Database Info’, ‘Node Info’, and ‘Queries’ tabs.

The ‘Database Info’ tab shows basic information about your currently loaded database, including the number of users, computers, groups, and relationships (or edges). You may also perform basic DB management functions here, including logging out and switching DBs, as well as clearing (read: DELETING ALL INFORMATION FROM) your currently loaded DB (be careful!).

The ‘Node Info’ tab will display information about a node that you click on in the graph.

The ‘Queries’ tab will show the pre-built queries we include with BloodHound, as well as additional queries you can build in yourself. More information about this will be available later.

2. Graph drawing area

This is the area where BloodHound will draw nodes and edges. Hitting ctrl will cycle through three options for displaying node labels: Default Threshold, Always Show, Never Show. You may click and hold a node to drag it to a different spot. You may also click a node, and BloodHound will populate the node info tab with information about that node.

3. Settings

1. Refresh – BloodHound will re-calculate and re-draw the current display.
2. Export Graph – BloodHound can export the currently drawn graph to JSON format, or as a PNG.
3. Import Graph – BloodHound will draw an imported graph in JSON format.
4. Upload Data – BloodHound will automatically detect and then ingest CSV formatted data. For more information on this, see CSV ingestion.
5. Change Layout Type – Toggle between hierarchical (dagre) and force directed graph layouts.
6. Settings – Alter node collapse behavior, and switch between low detail mode.

4. Zoom in/out and reset

The plus sign (+) will zoom in. The minus sign (–) will zoom out. The center icon will reset the graph to the default zoom.

5. Raw cipher query

BloodHound allows you to run custom cipher queries against the currently loaded neo4j database. For more information on this topic, see Cypher query language.

Changelog v5.9

• chore: BED-4141 – added parameters and supporting schemas to openapi src by @sircodemane in #518
• chore: BED-4141 – Added common responses to openapi spec src by @sircodemane in #519
• return errors during file ingest by @irshadaj in #540
• Clarify configuration process in documentation by @juggernot325 in #549
• BED-4229: St Bernard by @superlinkx in #535
• fix: rootca chain logic, expand processing to uncollected domains, up… by @urangel in #538
• ADCSESC13 Post Processing by @rvazarkar in #542
• fix: empty ADSCESC1 composition path edge case by @mistahj67 in #548
• BED-4311: Minor logging fixes by @superlinkx in #552
• Stage/v5.8.1 by @brandonshearin in #554
• fix: ability to import from dumps by @mistahj67 in #557
• Don’t filter T0 assets from DCSync edges by @juggernot325 in #556
• postgres indexing improvements by @irshadaj in #559
• fix: rm tmp if it exists by @benwaples in #560
• [BED-4258] ADCS ESC13 ExtendedByPolicy edge creation by @definitelynotagoblin in #543
• BED-3852 – Pathfinding search when primary and destination node selected by @benwaples in #561
• ESC13 Edge Composition by @rvazarkar in #555
• BED-4336: Cue file problem by @superlinkx in #564
• Edge help text for OIDGroupLink and ExtendedByPolicy by @elikmiller in #563
• fix: broken ADCSESC3 composition by @JonasBK in #566
• [BED-4338] Add ADCS ESC 13 edge to Edge Composition Relationship by @definitelynotagoblin in #565
• BED 4329: Add Sample Data and Link by @StephenHinck in #562
• Issuance Policy Entity Panel by @rvazarkar in #570
• Remove ESC13 Feature Flags by @rvazarkar in #572
• feat: add ESC2 pre-defined query by @JonasBK in #569
• fix: issuance policy data quality count by @urangel in #573
• update cypher query timeouts, additional logging by @irshadaj in #574
• Open password reset dialog when updating user to use username/password based authentication by @elikmiller in #577
• fixed bug in logging high complexity query rejections by @irshadaj in #581
• feat: add RoleSeparationEnabled property by @JonasBK in #584
• feat: post process AZAddSecret edges from roles instead of principals by @mistahj67 in #585
• chore: update collectors for 5.9.0 release by @irshadaj in #589
• Reverse edge direction on ExtendedByPolicy by @definitelynotagoblin in #595
• Revert “return errors during file ingest (#540)” by @juggernot325 in #594
• chore: update sh version in dockerfiles by @urangel in #596
• fix: update certificate policy property display name by @urangel in #597

Tutorial

Copyright (C) 2016-2023 Specter Ops Inc

Source: https://github.com/SpecterOps/