Running BloodHound in a locked down environment. BloodHound.xbap — AppLocker bypass

Josh Graham
TSS - Trusted Security Services
Feb 11, 2019

A few weeks ago I created a proof of concept XAML browser application (XBAP) that demonstrates Presentationhost.exe bypassing default AppLocker rules (you can read more about it here). Also recently, I wanted to run BloodHound’s PowerShell ingestor in a locked down environment, only to be blocked by PowerShell’s “Constrained Language Mode” security feature. Seeing as the BloodHound ingestor is now written in C# (which is the language used for XBAP), I thought it would be a quick win to wrap the project up as an XBAP so that I can easily take advantage of it when pentesting in a locked down environment.

If you want to use the wrapped BloodHound ingestor you can grab it from my GitHub release page here. Before you can run the release, you need to remove the “Mark of the Web” (MotW) from the following 3 files:

1. Sharphound2.xbap
2. Sharphound2.exe
3. Sharphound2.exe.manifest

To remove the MotW, right click the file -> properties and tick the ‘Unlock’ checkbox.

After removing the MotW, double click Sharphound2.xbap or run the following command from the command line:

presentationhost.exe path/to/sharphound.xbap
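For defenders who want to spot this launch path in telemetry, here is an added example (not from the original post or the SharpHound project) that scans process-creation events for presentationhost.exe loading an .xbap and rates a hit higher when the application sits in a user-writable location such as a Downloads folder. The key=value event lines are constructed samples loosely modelled on Sysmon process-creation fields, and the PresentationHost.exe path under System32 is an assumption of the sample data.

```python
import re
from typing import Dict, List, Optional

# Constructed sample events in a simplified key="value" form; not real telemetry.
SAMPLE_EVENTS = [
    'Image="C:\\Windows\\System32\\PresentationHost.exe" '
    'CommandLine="PresentationHost.exe C:\\Users\\alice\\Downloads\\Sharphound2.xbap" '
    'ParentImage="C:\\Windows\\System32\\cmd.exe"',
    'Image="C:\\Windows\\System32\\PresentationHost.exe" '
    'CommandLine="PresentationHost.exe \\\\fileserver\\apps\\approved.xbap" '
    'ParentImage="C:\\Windows\\explorer.exe"',
    'Image="C:\\Windows\\System32\\notepad.exe" '
    'CommandLine="notepad.exe C:\\Users\\alice\\notes.txt" '
    'ParentImage="C:\\Windows\\explorer.exe"',
]

FIELD_RE = re.compile(r'(\w+)="([^"]*)"')
# Locations a standard user can write to, i.e. where a downloaded .xbap would land.
USER_WRITABLE_RE = re.compile(
    r'\\Users\\|\\Temp\\|\\AppData\\|\\Downloads\\|\\ProgramData\\', re.IGNORECASE)


def parse_event(line: str) -> Dict[str, str]:
    """Turn one key="value" event line into a dict of fields."""
    return {k: v for k, v in FIELD_RE.findall(line)}


def xbap_path(command_line: str) -> Optional[str]:
    """Return the first .xbap argument on the command line, if any."""
    m = re.search(r'(\S+\.xbap)\b', command_line, re.IGNORECASE)
    return m.group(1) if m else None


def classify(event: Dict[str, str]) -> Optional[Dict[str, str]]:
    """Flag PresentationHost.exe launches that load an .xbap; rate by app location."""
    if not event.get("Image", "").lower().endswith("\\presentationhost.exe"):
        return None
    app = xbap_path(event.get("CommandLine", ""))
    if app is None:
        return None
    severity = "high" if USER_WRITABLE_RE.search(app) else "medium"
    return {"severity": severity, "xbap": app, "parent": event.get("ParentImage", "")}


def scan(lines: List[str]) -> List[Dict[str, str]]:
    """Run the classifier over every event line and collect the hits."""
    return [hit for hit in (classify(parse_event(l)) for l in lines) if hit]


if __name__ == "__main__":
    for hit in scan(SAMPLE_EVENTS):
        print(hit)
```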

I don’t generally spend too much time on development projects so the wrapper doesn’t look very pretty. Bare minimum POCs are the way to go in my opinion. However, if the project starts getting a lot of usage I might put some more effort into the look of it. Below is a screenshot of the GUI:

To run the ingestor just hit the “run bloodhound” button on the left. If you want to add command line options, add them to the edit box on the left as if you were adding them to the command line, e.g. adding “--help” will show the help menu, and “--JsonFolder c:\temp -c All” will run all enumeration methods and save the output to c:\temp.

Once you start the ingestor running, the screen will freeze up until it completes. I hope that this helps you all in your pen testing life. Keep an eye on my Twitter (@JPG1nc) for more fun obscure stuff.

Josh is a senior penetration tester at TSS specialising in web application penetration testing.

TSS is a specialist cyber security company providing penetration testing, security assurance consulting and managed security services. More information is available at our website https://www.tsscyber.com.au.
