BloodHound 8.0 with OpenGraph Cheatsheet

Overview

BloodHound 8.0 is a major update to the widely used open-source attack path management tool (the Community Edition line). The most significant new feature is OpenGraph, a generic node-and-edge ingestion format that expands BloodHound's capabilities beyond Active Directory and Azure to map identity attack paths across other systems such as GitHub, Snowflake, and more.

Key Features of BloodHound 8.0

  • OpenGraph: A new, extensible graph model that allows for the ingestion and analysis of data from any source, not just Active Directory.
  • Expanded Attack Paths: Visualize and analyze attack paths across multiple platforms and services.
  • Improved Usability: Faster and clearer access to information with an improved user interface.
  • Enhanced Extensibility: Easier to add new data sources and attack primitives.
  • Community-Driven: The BloodHound community can create and share custom collectors and queries for new data sources.

OpenGraph Concepts

  • Nodes: Represent objects like users, groups, roles, and computers. Every node carries one or more kinds (labels); for a non-AD source the kinds are whatever the collector emits.
  • Edges: Directed relationships between nodes, such as "MemberOf" or "AdminTo". An edge is only meaningful as an attack primitive if its direction (source controls target) is consistent across the data set.
  • Attack Paths: A chain of edges that an attacker can use to gain privileged access.
  • Collectors: Scripts or binaries that gather data from target systems and write it in a format BloodHound can ingest (SharpHound/AzureHound output for AD and Azure, OpenGraph JSON for everything else).

Installation and Upgrade

# For detailed installation instructions, refer to the official BloodHound documentation.
# BloodHound 8.0 is the Community Edition web application: it is deployed as a set of
# containers (web app, PostgreSQL, Neo4j) with Docker Compose, and the UI is opened in a
# browser. Releases and the compose file come from the SpecterOps GitHub.

# The legacy Electron desktop client (BloodHound 4.x) was launched as a standalone binary.
# It cannot ingest OpenGraph data and is not used with 8.0:
./BloodHound-linux-x64

Data Collection (Ingestors)

BloodHound uses collectors (ingestors) to gather data. SharpHound and AzureHound output is ingested as before; OpenGraph is the generic JSON format used for any other source. Keep collector versions matched to the server version, since the server rejects or misreads output from mismatched collectors.

  • SharpHound: The official collector for Active Directory.
  • AzureHound: The official collector for Azure and Microsoft Entra ID.
  • Community Collectors: Look for community-developed OpenGraph collectors for other platforms like GitHub, AWS, etc. Review a third-party collector before running it: it executes with whatever credentials you give it and its output is imported straight into the graph.

Common Cypher Queries

BloodHound uses the Cypher query language. Object names are stored upper-cased (for example USER@DOMAIN.LOCAL), so string matches on name must use that form; matching the Domain Admins group by the well-known RID suffix of its objectid (ENDS WITH "-512") is more robust than matching its name. Example queries:

// Find all direct and nested members of Domain Admins
MATCH (u:User)-[:MemberOf*1..]->(g:Group {name: "DOMAIN ADMINS@YOUR.DOMAIN"}) RETURN u.name, g.name

// Find the shortest path to Domain Admins from a specific user
MATCH (u:User {name: "USER@YOUR.DOMAIN"}), (g:Group {name: "DOMAIN ADMINS@YOUR.DOMAIN"}), p = shortestPath((u)-[*1..]->(g)) RETURN p

// Find all computers where a specific user has direct local admin rights
MATCH (u:User {name: "USER@YOUR.DOMAIN"})-[:AdminTo]->(c:Computer) RETURN u.name, c.name

Using OpenGraph

With OpenGraph, you can ingest data from any source as node and edge JSON and write custom queries that follow attack paths across platforms. Node kinds and edge kinds for a non-AD source are whatever the collector emits, so check the collector's documentation (or inspect the imported nodes) for the exact labels before writing queries.

Example Scenario: Find a user who is an admin on a computer that has access to a sensitive GitHub repository.

  1. Ingest Data: Use SharpHound to collect AD data and a community OpenGraph collector to gather GitHub data. For the cross-platform edge to attach to the right host, the GitHub data must reference the AD computer by an identifier BloodHound already holds for it (its objectid or its name).
  2. Custom Query: Write a Cypher query that links the AD user to the computer, and the computer to the GitHub repository.

// Example query: GitHubRepo and HasAccessTo are placeholder labels, substitute the kinds your collector emits
MATCH (u:User)-[:AdminTo]->(c:Computer)-[:HasAccessTo]->(r:GitHubRepo {name: "sensitive-repo"}) RETURN u.name, c.name, r.name
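The scenario above, carried through to the file a collector would actually upload. This is an added example, not code from BloodHound, SpecterOps or any published collector. It assumes the documented OpenGraph JSON layout (a top-level "graph" with "nodes" carrying id, kinds and properties, and "edges" carrying kind, start and end, where each endpoint has a value and a match_by of "id" or "name"). The node kind GitHubRepo, the edge kind HasAccessTo, the base kind GitHubBase and all SIDs are hypothetical placeholders chosen to match the query on this page. The AD user to computer AdminTo edge already comes from SharpHound, so the file only adds the repository node and the computer to repository edge, pointing at the existing computer by its objectid.

```python
"""Build and sanity-check an OpenGraph ingestion file for the cross-platform
scenario (AD user -> computer -> GitHub repository).

Added example, not BloodHound/SpecterOps code. The JSON layout follows the
documented OpenGraph schema as understood by the author; the kinds, edge
names and SIDs below are constructed placeholders.
"""
import json

# --- constructed sample identifiers (not real data) ---------------------------
AD_COMPUTER_SID = "S-1-5-21-1111111111-2222222222-3333333333-1200"  # BUILD01$ (hypothetical)
REPO_ID = "github-repo:acme/sensitive-repo"
SOURCE_KIND = "GitHubBase"   # hypothetical base kind stamped on every node the collector emits
REPO_KIND = "GitHubRepo"     # hypothetical node kind, matches the query on this page
ACCESS_EDGE = "HasAccessTo"  # hypothetical edge kind, matches the query on this page
VALID_MATCH_BY = {"id", "name"}


def build_opengraph_payload() -> dict:
    """Return the OpenGraph document a hypothetical GitHub collector would write.
    The edge start refers to the existing SharpHound computer node by its objectid,
    so the new edge attaches to the AD graph instead of creating a stray node."""
    nodes = [
        {
            "id": REPO_ID,
            "kinds": [REPO_KIND, SOURCE_KIND],
            "properties": {"name": "sensitive-repo", "owner": "acme", "private": True},
        }
    ]
    edges = [
        {
            "kind": ACCESS_EDGE,
            "start": {"value": AD_COMPUTER_SID, "match_by": "id"},
            "end": {"value": REPO_ID, "match_by": "id"},
            "properties": {"via": "deploy key stored on host"},
        }
    ]
    return {"metadata": {"source_kind": SOURCE_KIND}, "graph": {"nodes": nodes, "edges": edges}}


def validate(payload: dict) -> list:
    """Structural checks a collector should run before uploading.
    Returns a list of problem strings; an empty list means the document is well formed."""
    problems = []
    graph = payload.get("graph", {})
    seen_ids = set()
    for i, node in enumerate(graph.get("nodes", [])):
        if not isinstance(node.get("id"), str) or not node["id"]:
            problems.append(f"node[{i}]: missing id")
        elif node["id"] in seen_ids:
            problems.append(f"node[{i}]: duplicate id {node['id']}")
        else:
            seen_ids.add(node["id"])
        kinds = node.get("kinds")
        if not isinstance(kinds, list) or not kinds or not all(isinstance(k, str) for k in kinds):
            problems.append(f"node[{i}]: kinds must be a non-empty list of strings")
    for i, edge in enumerate(graph.get("edges", [])):
        if not edge.get("kind"):
            problems.append(f"edge[{i}]: missing kind")
        for end in ("start", "end"):
            ref = edge.get(end)
            if not isinstance(ref, dict) or not ref.get("value"):
                problems.append(f"edge[{i}]: {end} needs a value")
            elif ref.get("match_by", "id") not in VALID_MATCH_BY:
                problems.append(f"edge[{i}]: {end}.match_by must be one of {sorted(VALID_MATCH_BY)}")
    return problems


def external_references(payload: dict) -> set:
    """Edge endpoints matched by id that this file does not define itself.
    These must already exist in the database (here: the SharpHound computer node),
    otherwise the edge will not land on the host you expect."""
    graph = payload.get("graph", {})
    local = {n.get("id") for n in graph.get("nodes", [])}
    refs = set()
    for edge in graph.get("edges", []):
        for end in ("start", "end"):
            ref = edge.get(end, {})
            if ref.get("match_by", "id") == "id" and ref.get("value") not in local:
                refs.add(ref["value"])
    return refs


def scenario_query(repo_name: str = "sensitive-repo") -> str:
    """Cypher for the scenario, built from the same kind constants the collector
    emits, so labels in the query cannot drift from labels in the graph."""
    return (
        "MATCH (u:User)-[:AdminTo]->(c:Computer)"
        f"-[:{ACCESS_EDGE}]->(r:{REPO_KIND} {{name: {json.dumps(repo_name)}}}) "
        "RETURN u.name, c.name, r.name"
    )


if __name__ == "__main__":
    payload = build_opengraph_payload()
    print("problems:", validate(payload) or "none")
    print("must already exist in BloodHound:", external_references(payload))
    with open("opengraph-github.json", "w") as fh:   # upload this file through the BloodHound UI or API
        json.dump(payload, fh, indent=2)
    print(scenario_query())
```

Run the validator and the external-reference check against every file before upload: an edge whose start SID is not in the database is the usual reason a cross-platform path "does not show up", and a mistyped kind is the usual reason a query returns nothing.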

Additional Resources