BloodHound Tips and Tricks

Riccardo Ancarani
Aug 11

Data Collection

SharpHound.exe -c All -s 
SharpHound.exe -c SessionLoop -s

Tips and Tricks

Remember to Mark Things as ‘Owned’

Edge Filtering

Mark Other Targets as ‘High Value’

MATCH (dc:Computer)-[:MemberOf*1..]->(g:Group) WHERE g.objectsid ENDS WITH "516" WITH COLLECT(dc) as domainControllers MATCH p = (d:Domain)-[:Contains*1..]->(c:Computer {unconstraineddelegation:true}) WHERE NOT c in domainControllers RETURN c
MATCH (dc:Computer)-[:MemberOf*1..]->(g:Group) WHERE g.objectsid ENDS WITH "516" WITH COLLECT(dc) as domainControllers MATCH p = (d:Domain)-[:Contains*1..]->(c:Computer {unconstraineddelegation:true}) WHERE NOT c in domainControllers SET c.highvalue = true RETURN c

What to do now? a.k.a. shortest path to I don’t know

MATCH p=shortestPath((c {owned: true})-[*1..3]->(s)) WHERE NOT c = s RETURN p
MATCH p=shortestPath((c {owned: true})-[*1..]->(s:Computer)) WHERE NOT c = s RETURN p

Shortest Path Revisited

MATCH p=shortestPath((u {highvalue: false})-[*1..]->(g:Group {name: 'DOMAIN ADMINS@HACKERS.LAB'})) WHERE NOT (u)-[:MemberOf*1..]->(:Group {highvalue: true}) RETURN p

Operational Tips

