SharpHound
SharpHound.exe --collectionmethods All
# Perform stealth collection methods
SharpHound.exe --collectionmethods All --Stealth
# Loop collections (especially useful for session collection)
# e.g. collect sessions every 10 minutes for 3 hours
SharpHound.exe --collectionmethods Session --Loop --loopduration 03:00:00 --loopinterval 00:10:00
# Use LDAPS instead of plaintext LDAP
SharpHound.exe --secureldap
It must be run from the context of a domain user, either directly through a logon or through another method such as runas (runas /netonly /user:$DOMAIN\\$USER) (see Impersonation). Alternatively, SharpHound can be used with the LdapUsername and LdapPassword flags for that matter.
- Testers can absolutely run SharpHound from a computer that is not
enrolled in the AD domain, by running it in a domain user context (e.g.
with runas, pass-the-hash or overpass-the-hash). This is useful when domain computers have antivirus or other
protections preventing (or slowing) testers from using enumerate or
exploitation tools.
- When obtaining a foothold on an AD domain,
testers should first run SharpHound with all collection methods, and
then start a loop collection to enumerate more sessions
Analysis
Once the collection is over, the data can be uploaded and analyzed in BloodHound by doing the following.
- Find paths between specified nodes
- Run pre-built analytics queries to find common attack paths
- Run custom queries to help in finding more complex attack paths or interesting objects
- Run manual neo4j queries
- Mark nodes as high value targets for easier path finding
- Mark nodes as owned for easier path finding
- Find information about selected nodes: sessions, properties, group
membership/members, local admin rights, Kerberos delegations, RDP
rights, outbound/inbound control rights (ACEs), and so on
- Find help about edges/attacks (abuse, OPSEC considerations, references)
Using BloodHound can help find attack paths and abuses like ACEs abuse, Kerberos delegations abuse, credential dumping and credential shuffling, GPOs abuse, Kerberoast, ASREProast, domain trusts attacks, etc.