BloodHound-Tools: reflect the network dimension into Bloodhound’s data

What is BloodHound-Tools?

A collection of tools that integrate to BloodHound.

Bloodhound is the defacto standard that both blue and red security teams use to find lateral movement and privilege escalation paths that can potentially be exploited inside an enterprise environment. A typical environment can yield millions of paths, representing almost endless opportunities for red teams to attack and creating a seemingly insurmountable number of attack vectors for blue teams to tackle.

However, a critical dimension that Bloodhound ignores, namely network access, could hold the key to shutting down excessive lateral movement. This repository contains tools that integrate with Bloodhound’s database in order to reflect network access, for the benefit of both red and blue teams.

Tools List

ShotHound

ShotHound is a standalone script that integrates with BloodHound’s Neo4j database and CornerShot. It allows security teams to validate logical paths discovered by BloodHound against physical network access.

Use Cases

Blue Teams

Because a typical environment can yield millions of logical paths by BloodHound, it is crucial for blue teams to focus their mitigation efforts on practical paths, which may pose a fraction of all logical paths in a Least Privilege Network.

ShotHound helps blue teams filter out impractical paths discovered by BloodHound.

Red Teams

Red teams that run BloodHound in a network, are often “blind” to network access. This can cause them to follow an impractical path, only to discover it somewhere along the path.

ShotHound can assist red teams to discover practical paths when network visibility is not possible through other means.

Ransomulator

Ransomulator is a ransom simulator for the BloodHound database. It can be used to measure network resilience for ransomware infections, and identify “weak links” in the network.

How Ransomulator Works

For each computer node, Ransomulator will try to propagate to other computers through infection waves. Propagation to other computers is possible when there is a logical path between them, and there is also a network path. Network access is assumed to exist in the database and should be represented with “Open” edges in the data.

Ransomulator will generate for each computer, a wave map, showing how many hosts will be compromised by each infection wave. This information can also be exported to csv.

DBCreator

This is a script, based on SpecterOps DBCreator. The goal of this script is to simulate network access between computer nodes in the generated database.

Besides creating nodes and edges for BloodHound, it can also receive an average number of hosts, that each host will have access to. Each host has additional “Open” edges between other hosts it has access to.

CustomQueries

A list of common queries that reflect the network dimension, if it is integrated into the dataset.

Download

Copyright (C) 2021 zeronetworks