BloodHound: Six Degrees of Domain Admin¶
BloodHound uses graph theory to reveal the hidden and often unintended relationships within an Active Directory environment. As of version 4.0, BloodHound now also supports Azure. Attackers can use BloodHound to easily identify highly complex attack paths that would otherwise be impossible to quickly identify. Defenders can use BloodHound to identify and eliminate those same attack paths. Both blue and red teams can use BloodHound to easily gain a deeper understanding of privilege relationships in an Active Directory environment.
Depending on which operating system you’re using, install Neo4j, then download the BloodHound GUI. You can also build the BloodHound GUI from source.
Collect Your First Dataset¶
BloodHound is a data analysis tool and needs data to be useful. There are two officially supported data collection tools for BloodHound: SharpHound and AzureHound. Download AzureHound and/or SharpHound to collect your first data set. From a domain-joined system in your target Active Directory environnment, collecting your first dataset is quite simple:
Collecting your first data set with AzureHound:
PS C:\> Import-Module Az PS C:\> Import-Module AzureADPreview PS C:\> Connect-AzureAD PS C:\> Connect-AzAccount PS C:\> . .\AzureHound.ps1 PS C:\> Invoke-AzureHound
Import and Explore the Data¶
By default, SharpHound and AzureHound will generate several JSON files and place them into one zip. Drag and drop that zip into the BloodHound GUI, and BloodHound will import that data.
Once complete, you’re ready to explore the data. Search for the Domain Users group using the search bar in the upper left. See if the Domain Users group has local admin rights anywhere, or control of any objects in Active Directory.
Click the Pathfinding button (looks like a road) and search for Domain Admins in the box that drops below. See if there are any attack paths from Domain Users to Domain Admins.
For a full tour of the BloodHound GUI and its data analysis capabilities, see the Data Analysis section.