Windows.ActiveDirectory.BloodHound

This artifact allows deployment of the BloodHound collection tool Sharphound.

BloodHound is a popular Active Directory Assessment tool that uses graph theory to reveal the hidden and often unintended relationships. It can also be used to identify and eliminate potentially risky domain configuration.

The Sharphound collection is in json format and upload to the server for additional processing.

NOTE: Do not run this artifact as an unrestricted hunt. General recommendation is to run this artifact on only a handful of machines in a typical domain, then deduplicate output.


name: Windows.ActiveDirectory.BloodHound
description: |
   This artifact allows deployment of the BloodHound collection tool Sharphound.

   BloodHound is a popular Active Directory Assessment tool that uses graph
   theory to reveal the hidden and often unintended relationships. It can also be
   used to identify and eliminate potentially risky domain configuration.

   The Sharphound collection is in json format and upload to the server for
   additional processing.

   NOTE: Do not run this artifact as an unrestricted hunt. General recommendation
   is to run this artifact on only a handful of machines in a typical domain,
   then deduplicate output.


author: Matt Green - @mgreen27

reference:
  - https://github.com/BloodHoundAD/BloodHound
  - https://github.com/chryzsh/awesome-bloodhound

required_permissions:
  - EXECVE

tools:
  - name: SharpHound
    url: https://github.com/BloodHoundAD/BloodHound/raw/master/Collectors/SharpHound.exe

type: CLIENT

sources:
  - precondition:
      SELECT OS From info() where OS = 'windows'

    query: |
      -- obtain hostname for output prefix
      LET hostname <= SELECT Fqdn FROM info()

      -- get context on target binary
      LET payload <= SELECT * FROM Artifact.Generic.Utils.FetchBinary(
                    ToolName="SharpHound")

      -- build tempfolder for output
      LET tempfolder <= tempdir()

      -- execute payload
      LET deploy = SELECT * FROM execve(argv=[payload.OSPath[0],'--outputdirectory',
                tempfolder,'--nozip','--outputprefix',hostname.Fqdn[0] ])

      -- output rows
      SELECT * FROM if(condition= deploy.ReturnCode[0]= 0,
        then={
            SELECT Name, upload(file=OSPath,name=Name)
            FROM glob(globs="/*.json", root=tempfolder)
        },
        else=deploy)