======================
== gkourgkoutas.net ==
======================
Rethink Security

BloodHound Part II

security tools windows AD

The first part of my BloodHound post was about the setup and usage of the tool. This part will mainly focus on the built-in queries and some small tips and tricks. I think the only way to fully grasp BloodHound is by frequently using it.

Built-in queries

After dumping our raw data with SharpHound[1], it’s time to get to work. BH has some built-in queries which help us to get a quick overview of the domain we are facing. Some of the queries I often use for this are the following:

  • Find Shortest Paths to Domain Admins
  • Shortest Paths to Domain Admins from Kerberoastable Users
  • Shortest Path from Owned Principals
  • Find All Paths from Domain Users to High Value Targets
  • Find AS-REP Roastable Users

And lastly one which often falls under the radar but (in my opinion) shouldn’t be underestimated:

  • Find Domain Admin Logons to non-Domain Controllers

There are a lot more of those built-in queries, and their usefulness depends entirely on the project you’re currently working on. Sometimes queries like the last one from above are useless in a CTF environment. In a real world assessment, this is not as uncommon as one might think.

Writing your own queries

Since BH uses neo4j as the database, you can write your own queries in neo4j’s Cypher language[2]. Here are a few query examples[3]:

Find all kerberoastable users (users with an SPN)

MATCH (n:User) WHERE n.hasspn=true RETURN n

Find computers with unconstrained delegation

MATCH (c:Computer {unconstraineddelegation:true}) RETURN c

Write your custom queries into a JSON file (customqueries.json) and put it under the following default directory for your platform:

Windows:

%USERPROFILE%\AppData\Roaming\bloodhound\customqueries.json

Macintosh:

~/Library/Application Support/bloodhound/customqueries.json

*NIX:

~/.config/bloodhound/customqueries.json

Since this could mean a lot of work, I would suggest using the custom queries from hausec’s GitHub.
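As an added example (not code from the post, from BloodHound or from hausec), here is a small Python helper that writes the two Cypher queries above into customqueries.json at the per-platform location listed, merging with any queries already in the file. The JSON layout (queries / name / category / queryList / final / allowCollapse) is assumed from the structure of hausec’s file, and the merge-by-name behaviour is my own addition.

```python
"""Build and install a BloodHound customqueries.json (added example; the
file layout is assumed from hausec's customqueries.json, not documented here)."""
import json
import platform
from pathlib import Path

# The two Cypher queries from the post. 'final' marks the statement whose
# result is drawn in the graph (assumed from the layout of hausec's file).
QUERIES = [
    ("Find all Kerberoastable users (users with an SPN)",
     "MATCH (n:User) WHERE n.hasspn=true RETURN n"),
    ("Find computers with unconstrained delegation",
     "MATCH (c:Computer {unconstraineddelegation:true}) RETURN c"),
]


def build_custom_queries(queries=QUERIES, category="Custom"):
    """Return a dict in the customqueries.json layout: a 'queries' list whose
    entries carry a name, a category and a queryList of Cypher statements."""
    return {"queries": [
        {"name": name, "category": category,
         "queryList": [{"final": True, "query": cypher, "allowCollapse": True}]}
        for name, cypher in queries]}


def custom_queries_path(system=None):
    """Default customqueries.json location per OS, as listed in the post."""
    system = system or platform.system()
    home = Path.home()
    if system == "Windows":   # %USERPROFILE%\AppData\Roaming\bloodhound\...
        return home / "AppData" / "Roaming" / "bloodhound" / "customqueries.json"
    if system == "Darwin":    # ~/Library/Application Support/bloodhound/...
        return home / "Library" / "Application Support" / "bloodhound" / "customqueries.json"
    return home / ".config" / "bloodhound" / "customqueries.json"  # *NIX


def merge_custom_queries(path, new):
    """Merge 'new' into an existing customqueries.json instead of overwriting
    it, so queries already there (e.g. hausec's set) survive. Entries are
    deduplicated by name, the newer definition winning. Returns the merged dict."""
    path = Path(path)
    existing = json.loads(path.read_text()) if path.exists() else {"queries": []}
    by_name = {q["name"]: q for q in existing.get("queries", [])}
    for q in new["queries"]:
        by_name[q["name"]] = q
    merged = {"queries": list(by_name.values())}
    path.parent.mkdir(parents=True, exist_ok=True)
    path.write_text(json.dumps(merged, indent=2))
    return merged


if __name__ == "__main__":
    print(json.dumps(merge_custom_queries(custom_queries_path(), build_custom_queries()), indent=2))
```

Restart the BloodHound GUI after writing the file so the new entries appear under the chosen category.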

Escalating privileges

There are a lot of ways in which BH can help us to escalate our privileges. Keep in mind that we use BH to identify misconfigurations in the domain, which means we have to analyse the edges[4] of the network we are working with.

Edge: AddMember

If we find an edge from our initial foothold with the “AddMember” attribute, we can start our lateral movement because we have the ability to write our user to the group the edge is connected to. This attribute doesn’t necessarily mean that we can instantly write to the “Domain Admins” group, but the more points in the network we are able to access, the greater our chance to escalate privileges further.

Edge: WriteDacl

Sometimes we find edges in the wild with the “WriteDacl” attribute. This is a scary one, since it allows us to change the permissions of the object. To quote the abuse straight from the documentation:

“With the ability to modify the DACL on the target object, you can grant yourself almost any privilege against the object you wish.”[5]

Final Thoughts

I finally found the time and leisure to finalize a short second part. The BH documentation is excellent; I would suggest diving into it since it’s a great read.


  1. https://github.com/BloodHoundAD/SharpHound3

  2. https://neo4j.com/developer/cypher/

  3. https://github.com/hausec/Bloodhound-Custom-Queries/blob/master/customqueries.json

  4. https://bloodhound.readthedocs.io/en/latest/data-analysis/edges.html

  5. https://bloodhound.readthedocs.io/en/latest/data-analysis/edges.html#writedacl