Full Report
This blog will not dive too deeply into BloodHound itself; instead, we will focus on various methods to collect AD data to provide BloodHound as input. The post A Practical Guide to BloodHound Data Collection appeared first on Black Hills Information Security, Inc.
Analysis Summary
# Tool/Technique: BloodHound Data Collection
## Overview
BloodHound is an Active Directory (AD) enumeration and analysis tool that uses graph theory to reveal hidden relationships and attack paths within an AD environment. It allows attackers and defenders to visualize privilege escalation routes. This summary focuses on the specific data collection utilities and methods used to feed the BloodHound database.
## Technical Details
- **Type**: Tool / Framework
- **Platform**: Windows, Linux (Python-based collectors), and Active Directory environments.
- **Capabilities**: AD object enumeration, relationship mapping, attack path visualization, and automated cypher query execution for privilege escalation identification (e.g., ADCS ESC1).
- **First Seen**: Circa 2016 (BloodHound project inception).
## MITRE ATT&CK Mapping
- **TA0007 - Discovery**
  - **T1087.002** - Account Discovery: Domain Account
  - **T1069.002** - Permission Groups Discovery: Domain Groups
  - **T1484.002** - Domain Policy Modification: Domain Trust Discovery
  - **T1615** - Stealthy Active Directory Enumeration (via ADExplorer method)
## Functionality
### Core Capabilities
- **BloodHound.py**: A Python-based ingestor that runs from non-domain-joined systems (usually Linux). It requires valid domain credentials and enumerates all AD objects into JSON format.
- **SharpHound**: The official C# data collector. It is designed to run on domain-joined Windows hosts, often running in the context of the current user without needing explicit credential input.
- **PlumHound**: A reporting engine for BloodHound that converts graph data into actionable HTML/CSV reports. It features "Tasks Mode" for custom cypher queries and "BusiestPath Mode" for path analysis.
### Advanced Features
- **Stealthy Collection (ADExplorer Method)**: Utilizes Microsoft Sysinternals `ADExplorer.exe` to create a snapshot (`.dat` file) of the AD database. Because it is a trusted administrative tool, it is less likely to trigger EDR alerts than SharpHound.
- **Data Conversion Pipeline**: Includes the use of `ADExplorerSnapshot.py` and `BOFHound` to parse offline snapshots and LDAP query results into BloodHound-compatible JSON blobs.
## Indicators of Compromise
- **File Names**:
  - `SharpHound.exe`
  - `BloodHound.py`
  - `ADExplorer.exe` / `ADExplorer64.exe`
  - `*.json` (specifically files like `*_users.json`, `*_computers.json`)
  - `*.bin` / `*.zip` (ingestor output packages)
- **Behavioral Indicators**:
  - High volume of LDAP queries (ports 389/636/3268/3269).
  - Rapid SMB connections to the IPC$ share of multiple computers for session enumeration.
  - Execution of `ADExplorer.exe` followed by the creation of large `.dat` files in temp directories.
## Associated Threat Actors
- Extensively used by both **Red Teams** (Penetration Testers) and **Ransomware Operators** (e.g., Conti, REvil, FIN6) for internal lateral movement and domain dominance.
## Detection Methods
- **Signature-based detection**: AV/EDR signatures for SharpHound and common Python ingestors.
- **Behavioral detection**:
  - Monitoring for unusual LDAP traffic patterns coming from a single workstation.
  - Planting "honeytoken" or "decoy" AD objects; if BloodHound enumerates these objects, an alert is triggered.
  - Tracking command-line arguments for SharpHound (e.g., `--CollectionMethod All`).
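The behavioral indicators and detection methods above map onto a few simple rules: per-host LDAP query volume in a time window, IPC$ fan-out to many hosts, collector-style command lines, and an `ADExplorer.exe` launch followed by a large `.dat` file in a temp directory. The following is an added example of that detection logic over constructed telemetry; it is not code from the BHIS post or from the BloodHound project. The event schema (`ldap_query`, `smb_connect`, `process_create`, `file_create` records), the host names, and every threshold are assumptions chosen for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta
import re

# Assumed tuning values for illustration; real thresholds come from your own baseline.
LDAP_PORTS = {389, 636, 3268, 3269}
LDAP_QUERY_THRESHOLD = 200        # LDAP queries from one host inside WINDOW
SMB_FANOUT_THRESHOLD = 25         # distinct hosts whose IPC$ share one source touched
SNAPSHOT_MIN_BYTES = 50 * 1024 * 1024
WINDOW = timedelta(minutes=10)

# Command-line fragments typical of the collectors named on the page.
COLLECTOR_CMDLINE = re.compile(
    r"sharphound|bloodhound-python|bloodhound\.py|--collectionmethods?\b", re.I)
TEMP_DIR = re.compile(r"\\(temp|tmp)\\", re.I)


def _t(event):
    return datetime.fromisoformat(event["ts"])


def _windowed_max(times, window=WINDOW):
    """Largest number of timestamps that fall inside any span of length `window`."""
    times = sorted(times)
    best = start = 0
    for end, t in enumerate(times):
        while t - times[start] > window:
            start += 1
        best = max(best, end - start + 1)
    return best


def detect(events):
    """Return a list of (rule, host, detail) findings over normalised events."""
    findings = []
    ldap = defaultdict(list)          # host -> LDAP query timestamps
    ipc_targets = defaultdict(set)    # host -> distinct IPC$ targets
    adexplorer_start = {}             # host -> time ADExplorer was launched

    for e in sorted(events, key=_t):
        kind = e["type"]
        if kind == "ldap_query" and e["dst_port"] in LDAP_PORTS:
            ldap[e["host"]].append(_t(e))
        elif kind == "smb_connect" and e["share"].upper() == "IPC$":
            ipc_targets[e["host"]].add(e["dst"])
        elif kind == "process_create":
            if COLLECTOR_CMDLINE.search(e["cmdline"]):
                findings.append(("collector_cmdline", e["host"], e["cmdline"]))
            if e["image"].lower().endswith(("adexplorer.exe", "adexplorer64.exe")):
                adexplorer_start[e["host"]] = _t(e)
        elif kind == "file_create" and e["path"].lower().endswith(".dat"):
            started = adexplorer_start.get(e["host"])
            if (started and _t(e) - started <= WINDOW
                    and e["size"] >= SNAPSHOT_MIN_BYTES and TEMP_DIR.search(e["path"])):
                findings.append(("adexplorer_snapshot", e["host"], e["path"]))

    for host, times in ldap.items():
        peak = _windowed_max(times)
        if peak >= LDAP_QUERY_THRESHOLD:
            findings.append(("ldap_volume", host, f"{peak} LDAP queries within {WINDOW}"))
    for host, targets in ipc_targets.items():
        if len(targets) >= SMB_FANOUT_THRESHOLD:
            findings.append(("smb_ipc_fanout", host, f"IPC$ on {len(targets)} hosts"))
    return findings


def sample_events():
    """Constructed telemetry: one noisy workstation, one quiet one, one snapshot host."""
    base = datetime(2024, 5, 1, 9, 0, 0)
    ev = []
    for i in range(240):   # WS-0142 fires 240 LDAP queries in four minutes
        ev.append({"ts": (base + timedelta(seconds=i)).isoformat(), "type": "ldap_query",
                   "host": "WS-0142", "dst_port": 389})
    for i in range(12):    # WS-0200 is normal background noise
        ev.append({"ts": (base + timedelta(minutes=i)).isoformat(), "type": "ldap_query",
                   "host": "WS-0200", "dst_port": 389})
    for i in range(30):    # session enumeration: IPC$ on 30 different hosts
        ev.append({"ts": (base + timedelta(minutes=5, seconds=i)).isoformat(),
                   "type": "smb_connect", "host": "WS-0142",
                   "dst": f"SRV-{i:03d}", "share": "IPC$"})
    ev.append({"ts": (base + timedelta(minutes=4)).isoformat(), "type": "process_create",
               "host": "WS-0142", "image": r"C:\Users\jdoe\Downloads\SharpHound.exe",
               "cmdline": "SharpHound.exe --CollectionMethods All"})
    ev.append({"ts": (base + timedelta(minutes=20)).isoformat(), "type": "process_create",
               "host": "WS-0311", "image": r"C:\Tools\ADExplorer64.exe",
               "cmdline": "ADExplorer64.exe"})
    ev.append({"ts": (base + timedelta(minutes=26)).isoformat(), "type": "file_create",
               "host": "WS-0311", "path": r"C:\Users\jdoe\AppData\Local\Temp\snap.dat",
               "size": 120 * 1024 * 1024})
    return ev


if __name__ == "__main__":
    for rule, host, detail in detect(sample_events()):
        print(f"{rule:20} {host:8} {detail}")
```

The LDAP rule uses a sliding window rather than a flat count so that a host that legitimately issues many queries over a day is not flagged, while a burst of a few hundred queries in minutes is. The ADExplorer rule deliberately requires both the process launch and the large `.dat` file on the same host, since either on its own is routine administrative activity.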
## Mitigation Strategies
- **Prevention measures**: Implement the "Tiered Administration" model to prevent Domain Admin credentials from being stored on lower-tier workstations.
- **Hardening recommendations**:
  - Limit the ability of standard users to enumerate sessions or perform remote SAM queries.
  - Restrict LDAP traffic to authorized administrative hosts/jump boxes only.
  - Regularly audit AD permissions and ACLs to break identified attack paths.
## Related Tools/Techniques
- **ADExplorerSnapshot**: Converts ADExplorer snapshots to BloodHound format.
- **BOFHound**: A tool to process LDAP logs into ingestible formats.
- **AzureHound**: The specialized collector for Azure/Entra ID environments.
- **PowerView**: A PowerShell script used for similar AD enumeration tasks.