Quick Overview
This module takes you on an in-depth exploration of BloodHound, a powerful tool for analyzing Active Directory (AD) and Azure environments. You’ll learn how to gather data using the SharpHound ingestor, interpret relationships between objects, and use Cypher queries to map attack paths. The module emphasizes practical techniques for extending BloodHound’s functionality to uncover hidden vulnerabilities and create actionable insights.
Why This Module Matters
Active Directory environments are complex, and even minor misconfigurations can lead to significant security risks. BloodHound simplifies the process of identifying these risks by using graph theory to visualize relationships within AD. Understanding how attackers exploit AD weaknesses helps defenders better secure their environments. This module equips you with the skills to analyze attack paths, enhance enumeration strategies, and extend BloodHound’s capabilities.
What You’ll Learn
- Core Concepts of BloodHound: Nodes, edges, and graph theory in Active Directory.
- Data Collection: Using SharpHound for Windows and BloodHound.py for Linux.
- Navigating BloodHound GUI: Understanding the interface to analyze data effectively.
- Cypher Queries: Writing custom queries to reveal specific attack paths.
- AD Enumeration: Techniques from domain-joined and non-domain-joined attack boxes.
- Azure Enumeration and Attacks: Extending BloodHound’s utility beyond AD.
Hands-On Learning
The module includes practical, step-by-step exercises:
- Setting up BloodHound and SharpHound.
- Collecting data in varied scenarios, including Linux and compromised hosts.
- Running Cypher queries to simulate real-world attack scenarios.
- Analyzing AD objects such as users, groups, ACLs, and GPOs to uncover potential attack paths.
- Extending BloodHound with custom queries for more advanced data analysis.
Why You Should Take This Module
- Comprehensive Coverage: It covers everything from foundational concepts to advanced enumeration techniques.
- Hands-On Focus: Practical exercises ensure you’re ready to apply your knowledge in real-world scenarios.
- Relevance: With attackers increasingly targeting AD, mastering BloodHound is a must for penetration testers and defenders.
- Custom Query Building: Learn how to tailor BloodHound to your specific needs.
Final Thoughts & Rating
I found this module to be an incredibly fun and insightful dive into BloodHound’s capabilities and sniffing my way to something i could abuse. Even though I was already familiar with BloodHound, I gained new insights, especially in Azure AD enumeration…….. a challenging but rewarding area. The exercises were engaging, and creating custom Cypher queries added a creative element (i posted the custom queries ive made below).
I’d rate this module a sweet
9/10
The hands-on experience and detailed explanations were excellent, though Azure AD could use more beginner-friendly guidance (maybe its just me).
For those interested, here’s a look at the exam table of contents:
Feel free to join our study group for CAPE or ask questions here: https://discord.gg/g3GUZPUp3W.
CUSTOM QUERYS FOR BLOODHOUND
locate your customqueries.json and add:
{
"queries": [
{
"name": "Find WinRM Users",
"category": "Dangerous Rights",
"queryList": [
{
"final": true,
"query": "MATCH p=shortestPath((u:User)-[r:MemberOf*1..]->(g:Group)) MATCH p2=(u)-[:CanPSRemote*1..]->(c:Computer) RETURN p2",
"allowCollapse": true
}
]
},
{
"name": "Find Kerberoastable Users",
"category": "Privilege Escalation",
"queryList": [
{
"final": true,
"query": "MATCH (u:User {hasspn:true}) RETURN u.name, u.hasspn",
"allowCollapse": true
}
]
},
{
"name": "Find Shadow Admins with WriteDACL",
"category": "Privilege Escalation",
"queryList": [
{
"final": true,
"query": "MATCH (u:User)-[:MemberOf]->(g:Group {shadowadmin:true}) MATCH (g)-[:AddAllowed]->(o) RETURN u.name, o.name",
"allowCollapse": true
}
]
},
{
"name": "Find Computers with High Session Counts",
"category": "Enumeration",
"queryList": [
{
"final": true,
"query": "MATCH (c:Computer)<-[:HasSession]-(u:User) WITH c, COUNT(u) AS sessionCount WHERE sessionCount > 10 RETURN c.name, sessionCount ORDER BY sessionCount DESC",
"allowCollapse": true
}
]
},
{
"name": "Identify Unconstrained Delegation Users",
"category": "Misconfigurations",
"queryList": [
{
"final": true,
"query": "MATCH (u:User)-[:AllowedToDelegate]->(c:Computer {unconstraineddelegation:true}) RETURN u.name, c.name",
"allowCollapse": true
}
]
},
{
"name": "Find Users with Weak Encryption (DES Only)",
"category": "Misconfigurations",
"queryList": [
{
"final": true,
"query": "MATCH (u:User {doesnotrequirepreauth:true}) RETURN u.name",
"allowCollapse": true
}
]
},
{
"name": "Enumerate High-Value Computers",
"category": "Enumeration",
"queryList": [
{
"final": true,
"query": "MATCH (c:Computer {highvalue:true}) RETURN c.name",
"allowCollapse": true
}
]
},
{
"name": "Find Shortest Path to Group Policy Creators Owners",
"category": "Attack Paths",
"queryList": [
{
"final": true,
"query": "MATCH p=shortestPath((n)-[*1..]->(g:Group {name: 'Group Policy Creator Owners'})) RETURN p",
"allowCollapse": true
}
]
},
{
"name": "Find Lateral Movement via SMB",
"category": "Lateral Movement",
"queryList": [
{
"final": true,
"query": "MATCH (u:User)-[:HasSession]->(c1:Computer) MATCH (c1)-[:CanRDP]->(c2:Computer) RETURN u.name, c1.name, c2.name",
"allowCollapse": true
}
]
},
{
"name": "Enumerate Domain Trust Relationships",
"category": "Enumeration",
"queryList": [
{
"final": true,
"query": "MATCH (d:Domain)-[:TrustedBy]->(td:Domain) RETURN d.name, td.name",
"allowCollapse": true
}
]
},
{
"name": "Find All Users with AdminTo Rights",
"category": "Privilege Escalation",
"queryList": [
{
"final": true,
"query": "MATCH (u:User)-[:AdminTo]->(c:Computer) RETURN u.name, c.name",
"allowCollapse": true
}
]
},
{
"name": "Find Privileged Computers",
"category": "Enumeration",
"queryList": [
{
"final": true,
"query": "MATCH (c:Computer)-[:AdminTo]-(:Group {privileged:true}) RETURN c.name",
"allowCollapse": true
}
]
},
{
"name": "Find Paths to Kerberos Delegation Misconfigurations",
"category": "Misconfigurations",
"queryList": [
{
"final": true,
"query": "MATCH (c:Computer {unconstraineddelegation:true})<-[:AllowedToDelegate]-(u:User) RETURN u.name, c.name",
"allowCollapse": true
}
]
},
{
"name": "Enumerate Groups with High Membership Counts",
"category": "Enumeration",
"queryList": [
{
"final": true,
"query": "MATCH (g:Group)-[:MemberOf*1..]->(u:User) WITH g, COUNT(u) AS memberCount WHERE memberCount > 50 RETURN g.name, memberCount ORDER BY memberCount DESC",
"allowCollapse": true
}
]
},
{
"name": "Find Computers Without SMB Signing",
"category": "Misconfigurations",
"queryList": [
{
"final": true,
"query": "MATCH (c:Computer {smbsigningrequired:false}) RETURN c.name",
"allowCollapse": true
}
]
},
{
"name": "Find Path from Owned Users to Domain Admins",
"category": "Attack Paths",
"queryList": [
{
"final": true,
"query": "MATCH p=allshortestPaths((n:User {owned:true})-[*1..]->(da:Group {name:'DOMAIN ADMINS'})) RETURN p",
"allowCollapse": true
}
]
}
]
}
Feel free to join our study group for CAPE or ask questions here:
Join the Discord
Want to start learning ethical hacking the right way?
Join Hack The Box Academy and dive into hands-on labs, real-world scenarios, and structured learning paths:
👉 https://referral.hackthebox.com/mzwQocs