BloodHound Basics

by | Aug 3, 2022 | cybersecurity, penetration testing, Uncategorized | 0 comments

Print PDF

Submit your email address to access the PDF of this post.
  • This field is for validation purposes and should be left unchanged.

“Hacking” isn’t magic, but sometimes it is presented that way. Much of penetration testing and “hacking” is learning the tools of the trade and how they work “under the hood.” In this series we hope to provide a high-level overview of common offensive tools, how they work, the techniques they use, defenses against them, and how some can even be used by blue teams to protect their organization.

The Tool

Manually querying Active Directory is time consuming. BloodHound (or BloodHoundAD) greatly simplifies Active Directory enumeration for offensive security professionals. The software has even been used by well-known APTs (advanced persistent threat) such as Wizard Spider in malicious campaigns. Using BloodHound can be boiled down into two phases: collection and analysis.

BloodHound has multiple means of data collection. The official BloodHound GitHub repository has three official collectors: an AzureHound .ps1 script, and SharpHound in both .exe and .ps1 formats. To use, these collectors need to be transferred to the victim machine joined to the targeted Active Directory domain (through whatever means are preferred) and then executed. The issue with these collectors is that they will frequently be detected as malicious code/software and be removed by any capable anti-virus. It is worth noting that what BloodHound does is not inherently malicious, but it allows for the collection of data that could be easily abused by malicious actors. Alternatively, multiple Command and Control frameworks such as Empire and Cobalt Strike make it easy to run BloodHound collectors in memory to evade detection.

Figure 1: Windows Defender Blocks the Official SharpHound Collector

Personally, I avoid dropping binaries or running easily detected malicious code directly on machines whenever there is an alternative. There are times for this, but in the interest of evading defenses, tools like the Python based BloodHound collector (BloodHound.py) are especially useful. With this handy tool, queries can be made from the attacker’s machine directly to Domain Controllers, collecting most of the data that the official collectors would, without even requiring direct compromise of a domain joined machine. After running our collector of choice, BloodHound creates a .zip file of all the collected data in .json format. This is the data we will analyze. By utilizing the Neo4j graph database, BloodHound takes all its collected data and turns it into meaningful visuals to map out domain trusts, group membership, privilege escalation paths and more! 

Figure 2: Starting the Neo4j Database
Figure 3: Starting BloodHound

For demonstration purposes I have used the BloodHound-Tools DBCreator to create a sample BloodHound database. Once all the data (JSON files) from our collector are uploaded to BloodHound’s database, we can view statistics, run built-in queries, and view properties for each object. To highlight the effectiveness of BloodHound’s pathfinding feature for offensive operations, consider the scenario where an initial foothold is gained in the target network through exploitation of an outdated Windows 7 machine (COMP00170). BloodHound can tell us information about the host such as the Operating System, local administrator privileges and any user sessions. After right-clicking the computer in BloodHound and marking it as “owned” we can run the built-in query “Shortest Paths to Domain Admins from Owned Principals” to see if there is a path for us to gain Domain Administrator privileges. In this case the answer is yes! 

Figure 4: Marking COMP00170 as “Owned”
Figure 5: Running Query “Shortest Paths to Domain Admins from Owned Principals”
Figure 6: Path from COMP00170 to Domain Admins

BloodHound even does a little handholding by allowing us to right-click relationships between nodes and providing a “Help” menu with details on exploiting the relationship.

Figure 7: Help Menu for “HasSession”

Digging a Little Deeper

BloodHound is a neat tool for offensive operations, but how does it work? What traffic does it send across the network? How does it query Active Directory? It is essential to understand how a tool works beyond just the command line arguments to implement comprehensive defenses and detections (though defenses such as blocking binaries with suspicious file names are still valid). 

Looking at some of the source code for BloodHound.py we can see that just like the official collectors, we can specify which collection methods we want to use individually or by groups (default, all, dconly). When run, the collector connects to the LDAP service on the Domain Controller. LDAP queries are the primary method of gathering the information desired.  Specific methods are then called, creating queries to gather computers, users, groups, and other objects within Active Directory (along with relevant properties such as the sAMAccountName, pwdLastSet, and adminCount). Even with only this basic knowledge we can better detect BloodHound.

Figure 8: Collection Methods for BloodHound.py
Figure 9: BloodHound.py “search” Method
Figure 10: BloodHound.py “get_computers” Method

Blue Team Considerations

For an easy win, consider using this Sigma rule for detecting BloodHound/SharpHound command line activity. Beyond this, more complex detections will need to be implemented. Monitoring anomalous LDAP activity, such as an unusual amount of LDAP queries from one host or over a specific time interval is one means of doing this. Consider also monitoring suspicious LDAP queries such as for the LAPS password attribute “ms-Mcs-AdmPwd” or the “servicePrincipalName” attribute to detect Kerberoastable accounts.

At the end of the day all BloodHound does is provide visibility, which is just as valuable for defenders as attackers. It is worth running BloodHound on your domain to understand what data attackers can obtain by simply gaining a pair of credentials or compromising a single host. By using the path finding feature with a “hacker mindset” it is simple to find the quickest paths to Domain Administrator access. To combat this, defenders can “break” the chain by removing users’ group membership and admin privileges, creating stronger passwords, implementing controls to limit access between certain hosts, and more. Another open-source tool that expands on blue team usage of BloodHound is PlumHound. 

PlumHound is specifically marketed to help blue and purple teams use BloodHound data to effectively defend their Active Directory environment. This tool makes it easy to create reports and task lists for security teams to act on and measure improvement in their security posture. Below are a few examples of how to generate useful data with PlumHound using our demo data. 

Figure 11: Creating a Report with PlumHound Default Tasks
Figure 12: PlumHound Default Tasks Report
Figure 13: PlumHound Analyzing Paths Between Domain Admins and All Active Directory Groups
Figure 14: PlumHound Suggestions to Break Paths for Privilege Escalation to Domain Admins

References & Additional Resources

https://github.com/BloodHoundAD/BloodHound

https://bloodhound.readthedocs.io/en/latest/index.html

https://github.com/fox-it/BloodHound.py

https://github.com/PlumHound/PlumHound

https://attack.mitre.org/software/S0521/

https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_hack_bloodhound.yml

https://m365internals.com/2021/05/22/how-to-hunt-for-ldap-reconnaissance-within-m365-defender/

https://www.youtube.com/watch?v=_GJDkbUTSLY