Zum Inhalt

SharpHound Cheat Sheet

generieren

Überblick

SharpHound ist der offizielle Datensammler für BloodHound, entworfen, um Informationen aus Active Directory-Umgebungen zu sammeln. Es sammelt verschiedene Arten von Daten, einschließlich Domain Trusts, lokale Admin-Rechte, Sitzungsinformationen, Gruppenmitgliedschaften und ACLs, um Angriffspfade und Privileg Eskalationsmöglichkeiten in Active Directory-Umgebungen zu identifizieren.

ZEIT Warning: Verwenden Sie nur SharpHound in Umgebungen, die Sie besitzen oder eine ausdrückliche Erlaubnis zum Testen haben. Unberechtigte Nutzung kann gegen Nutzungsbedingungen oder lokale Gesetze verstoßen.

Installation

Vorkompilierte Binäre

```bash

Download latest release from GitHub

wget https://github.com/BloodHoundAD/SharpHound/releases/latest/download/SharpHound.exe

Download specific version

wget https://github.com/BloodHoundAD/SharpHound/releases/download/v1.1.1/SharpHound.exe

Download PowerShell version

wget https://github.com/BloodHoundAD/BloodHound/raw/master/Collectors/SharpHound.ps1 ```_

Gebäude aus der Quelle

```bash

Clone repository

git clone https://github.com/BloodHoundAD/SharpHound.git cd SharpHound

Build with .NET Framework

msbuild SharpHound.sln /p:Configuration=Release

Build with .NET Core

dotnet build -c Release

Output location

ls bin/Release/net*/SharpHound.exe ```_

PowerShell Modul Installation

```powershell

Import PowerShell module

Import-Module .\SharpHound.ps1

Alternative: Download and execute in memory

IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/BloodHoundAD/BloodHound/master/Collectors/SharpHound.ps1')

Bypass execution policy if needed

powershell -ExecutionPolicy Bypass -File SharpHound.ps1 ```_

Basisnutzung

Standardsammlung

```bash

Basic collection (default: Default collection method)

SharpHound.exe

Specify collection methods

SharpHound.exe -c All SharpHound.exe -c Default,GPOLocalGroup SharpHound.exe -c Session,LoggedOn,Trusts

Collection with domain specification

SharpHound.exe -d example.com SharpHound.exe -d example.com -c All

Collection with specific domain controller

SharpHound.exe -d example.com -s dc01.example.com ```_

Verwendung von PowerShell

```powershell

Basic PowerShell collection

Invoke-BloodHound

Collection with specific methods

Invoke-BloodHound -CollectionMethod All Invoke-BloodHound -CollectionMethod Default,Session,Trusts

Collection with domain specification

Invoke-BloodHound -Domain example.com Invoke-BloodHound -Domain example.com -DomainController dc01.example.com

Collection with credentials

$cred = Get-Credential Invoke-BloodHound -Credential $cred -Domain example.com ```_

Erhebungsmethoden

Verfügbare Sammelmethoden

```bash

Default - Standard collection (Group, LocalAdmin, Session, Trusts, ACL)

SharpHound.exe -c Default

All - All collection methods

SharpHound.exe -c All

Group - Group memberships

SharpHound.exe -c Group

LocalAdmin - Local administrator rights

SharpHound.exe -c LocalAdmin

RDP - Remote Desktop Protocol rights

SharpHound.exe -c RDP

DCOM - Distributed COM rights

SharpHound.exe -c DCOM

PSRemote - PowerShell remoting rights

SharpHound.exe -c PSRemote

Session - User sessions

SharpHound.exe -c Session

Trusts - Domain trusts

SharpHound.exe -c Trusts

ACL - Access Control Lists

SharpHound.exe -c ACL

Container - Container ACLs

SharpHound.exe -c Container

GPOLocalGroup - Group Policy local groups

SharpHound.exe -c GPOLocalGroup

LoggedOn - Logged on users

SharpHound.exe -c LoggedOn

ObjectProps - Object properties

SharpHound.exe -c ObjectProps

SPNTargets - Service Principal Name targets

SharpHound.exe -c SPNTargets

CARegistry - Certificate Authority registry

SharpHound.exe -c CARegistry ```_

Kombinierte Sammlung Methoden

```bash

Common combinations

SharpHound.exe -c Group,LocalAdmin,Session SharpHound.exe -c Default,GPOLocalGroup,Container SharpHound.exe -c All --ExcludeDCs

Stealth collection (minimal noise)

SharpHound.exe -c Group,Trusts,ACL --Stealth

Comprehensive collection

SharpHound.exe -c All --CollectAllProperties ```_

Erweiterte Optionen

Authentication und Credentials

```bash

Use current user credentials

SharpHound.exe -d example.com

Specify username and password

SharpHound.exe -d example.com -u username -p password

Use domain\username format

SharpHound.exe -d example.com -u "EXAMPLE\username" -p password

LDAP authentication

SharpHound.exe --LdapUsername username --LdapPassword password

Kerberos authentication

SharpHound.exe --AuthType Kerberos ```_

Ausgabeoptionen

```bash

Specify output directory

SharpHound.exe -d example.com --OutputDirectory C:\temp\

Specify output filename prefix

SharpHound.exe -d example.com --OutputPrefix "audit_2024"

Compress output (default)

SharpHound.exe -d example.com --ZipFileName audit.zip

No compression

SharpHound.exe -d example.com --NoZip

Pretty print JSON (larger files)

SharpHound.exe -d example.com --PrettyJson

Randomize output filename

SharpHound.exe -d example.com --RandomFilenames ```_

Performance und Stealth Optionen

```bash

Stealth mode (slower but less detectable)

SharpHound.exe -c All --Stealth

Specify thread count

SharpHound.exe -c All --Threads 10

LDAP timeout

SharpHound.exe -c All --LdapTimeout 120

Skip port scanning

SharpHound.exe -c All --SkipPortScan

Exclude domain controllers from certain collections

SharpHound.exe -c All --ExcludeDCs

Throttle requests

SharpHound.exe -c All --Throttle 1000

Jitter (randomize timing)

SharpHound.exe -c All --Jitter 20 ```_

Filteroptionen

```bash

Exclude specific computers

SharpHound.exe -c All --ExcludeComputers "DC01,DC02"

Computer filter

SharpHound.exe -c All --ComputerFile computers.txt

Search forest

SharpHound.exe -c All --SearchForest

Collect all properties

SharpHound.exe -c All --CollectAllProperties

Skip registry collection

SharpHound.exe -c All --SkipRegistryLoggedOn

Cache filename

SharpHound.exe -c All --CacheFilename cache.bin

Invalidate cache

SharpHound.exe -c All --InvalidateCache ```_

PowerShell erweiterte Nutzung

Gründungsmanagement

```powershell

Create credential object

$username = "EXAMPLE\administrator" $password = ConvertTo-SecureString "password123" -AsPlainText -Force $cred = New-Object System.Management.Automation.PSCredential($username, $password)

Use credential with SharpHound

Invoke-BloodHound -Credential $cred -Domain example.com -CollectionMethod All

Pass-the-hash (requires additional tools)

Use with Invoke-Mimikatz or similar tools first

```_

Loop Collection

```powershell

Continuous collection loop

while ($true) \\{ $timestamp = Get-Date -Format "yyyyMMdd_HHmmss" Invoke-BloodHound -CollectionMethod Session,LoggedOn -OutputPrefix "sessions_$timestamp" Start-Sleep -Seconds 3600 # Wait 1 hour \\}

Scheduled collection

$trigger = New-ScheduledTaskTrigger -Daily -At "02:00AM" $action = New-ScheduledTaskAction -Execute "powershell.exe" -Argument "-File C:\tools\collect.ps1" Register-ScheduledTask -TaskName "BloodHound Collection" -Trigger $trigger -Action $action ```_

Multi-Domain Sammlung

```powershell

Collect from multiple domains

$domains = @("domain1.com", "domain2.com", "domain3.com")

foreach ($domain in $domains) \\{ Write-Host "Collecting from $domain" Invoke-BloodHound -Domain $domain -CollectionMethod All -OutputPrefix $domain.Replace(".", "") \\} ```

Strategien der Sammlung

Stealth Collection

```bash

Minimal footprint collection

SharpHound.exe -c Group,Trusts,ACL --Stealth --Threads 1

Avoid session collection (noisy)

SharpHound.exe -c Default --ExcludeMethod Session

Use LDAP only

SharpHound.exe -c Group,ACL --LdapOnly

Randomize timing

SharpHound.exe -c All --Jitter 50 --Throttle 2000 ```_

Umfassende Sammlung

```bash

Full environment mapping

SharpHound.exe -c All --CollectAllProperties --SearchForest

Include certificate authorities

SharpHound.exe -c All,CARegistry

Include container ACLs

SharpHound.exe -c All,Container

Include GPO local groups

SharpHound.exe -c All,GPOLocalGroup ```_

Gezielte Sammlung

```bash

Focus on specific computers

SharpHound.exe -c LocalAdmin,Session --ComputerFile targets.txt

Focus on high-value targets

SharpHound.exe -c All --ComputerFilter "DC,EXCH,SQL*"

Focus on specific OUs

SharpHound.exe -c All --OU "OU=Servers,DC=example,DC=com" ```_

Ausgangsanalyse

Verstehen von Ausgabedateien

```bash

Default output files

computers.json - Computer objects and properties

users.json - User objects and properties

groups.json - Group objects and memberships

domains.json - Domain information and trusts

gpos.json - Group Policy Objects

ous.json - Organizational Units

containers.json - Container objects

Compressed output

BloodHound_YYYYMMDD_HHMMSS.zip - All JSON files compressed

```_

Analyse der Dateistruktur

```bash

Extract and examine files

unzip BloodHound_20240101_120000.zip

Count objects collected

jq '.data|length' computers.json jq '.data|length' users.json jq '.data|length' groups.json

Examine specific data

jq '.data[0]' computers.json # First computer object | jq '.data[] | select(.Properties.name | contains("ADMIN"))' users.json # Admin users | ```_

Import in BloodHound

```bash

Start BloodHound application

File > Import Data > Select ZIP file

Or use neo4j-admin import (for large datasets)

neo4j-admin import --database=bloodhound --nodes=computers.json --nodes=users.json --relationships=relationships.json ```_

Automatisierungsskripte

Batch Sammlung Skript

```powershell

!/usr/bin/env powershell

SharpHound Automation Script

param( [string]$Domain = $env:USERDNSDOMAIN, [string]$OutputDir = "C:\temp\bloodhound", [string]$CollectionMethod = "All", [switch]$Stealth, [int]$Threads = 10 )

Create output directory

if (!(Test-Path $OutputDir)) \\{ New-Item -ItemType Directory -Path $OutputDir -Force \\}

Set collection parameters

$params = @\\{ Domain = $Domain CollectionMethod = $CollectionMethod OutputDirectory = $OutputDir OutputPrefix = "$(Get-Date -Format 'yyyyMMdd_HHmmss')" Threads = $Threads \\}

if ($Stealth) \\{ $params.Add("Stealth", $true) $params.Threads = 1 \\}

try \\{ Write-Host "[+] Starting SharpHound collection for domain: $Domain" Write-Host "[+] Collection method: $CollectionMethod" Write-Host "[+] Output directory: $OutputDir"

# Import SharpHound module
Import-Module .\SharpHound.ps1 -Force

# Run collection
Invoke-BloodHound @params

Write-Host "[+] Collection completed successfully"

# List output files

| Get-ChildItem $OutputDir -Filter "*.zip" | Sort-Object LastWriteTime -Descending | Select-Object -First 5 |

\\} catch \\{ Write-Error "[-] Collection failed: $($.Exception.Message)" exit 1 \\} ```

Multi-Domain Sammlung Script

```bash

!/bin/bash

Multi-domain SharpHound collection

DOMAINS=("domain1.com" "domain2.com" "domain3.com") OUTPUT_DIR="/tmp/bloodhound_collection" SHARPHOUND_PATH="./SharpHound.exe"

Create output directory

mkdir -p "$OUTPUT_DIR"

for domain in "$\\{DOMAINS[@]\\}"; do echo "[+] Collecting from domain: $domain"

# Create domain-specific directory
domain_dir="$OUTPUT_DIR/$\\\\{domain//./_\\\\}"
mkdir -p "$domain_dir"

# Run SharpHound
wine "$SHARPHOUND_PATH" \
    -d "$domain" \
    -c All \
    --OutputDirectory "$domain_dir" \
    --OutputPrefix "$\\\\{domain//./_\\\\}_$(date +%Y%m%d_%H%M%S)" \
    --Stealth \
    --Threads 5

if [ $? -eq 0 ]; then
    echo "[+] Collection completed for $domain"
else
    echo "[-] Collection failed for $domain"
fi

# Wait between collections
sleep 60

done

echo "[+] All collections completed" ls -la "$OUTPUT_DIR"//.zip ```_

Continuous Monitoring Script

```powershell

Continuous session monitoring

param( [int]$IntervalMinutes = 60, [string]$OutputDir = "C:\temp\sessions" )

while ($true) \\{ try \\{ $timestamp = Get-Date -Format "yyyyMMdd_HHmmss" $outputPrefix = "sessions_$timestamp"

    Write-Host "[$(Get-Date)] Starting session collection..."

    Invoke-BloodHound -CollectionMethod Session,LoggedOn -OutputDirectory $OutputDir -OutputPrefix $outputPrefix

    Write-Host "[$(Get-Date)] Session collection completed"

    # Clean up old files (keep last 24 hours)
    $cutoffTime = (Get-Date).AddHours(-24)

| Get-ChildItem $OutputDir -Filter "sessions_*.zip" | Where-Object \\{ $_.LastWriteTime -lt $cutoffTime \\} | Remove-Item -Force |

\\\\} catch \\\\{
    Write-Error "[$(Get-Date)] Collection failed: $($_.Exception.Message)"
\\\\}

Start-Sleep -Seconds ($IntervalMinutes * 60)

\\} ```_

Integrationsbeispiele

SIEM Integration

```powershell

Export to SIEM-friendly format

function Export-BloodHoundToSIEM \\{ param( [string]$BloodHoundZip, [string]$OutputFile )

# Extract ZIP
$tempDir = New-TemporaryFile|ForEach-Object \\\\{ Remove-Item $_; New-Item -ItemType Directory -Path $_ \\\\}
Expand-Archive -Path $BloodHoundZip -DestinationPath $tempDir

# Process each JSON file
$siemData = @()

Get-ChildItem $tempDir -Filter "*.json"|ForEach-Object \\\\{
    $data = Get-Content $_.FullName|ConvertFrom-Json

    foreach ($item in $data.data) \\\\{
        $siemData += [PSCustomObject]@\\\\{
            Timestamp = Get-Date -Format "yyyy-MM-ddTHH:mm:ssZ"
            Source = "BloodHound"
            Type = $_.BaseName
            ObjectName = $item.Properties.name
            Domain = $item.Properties.domain
            Data = ($item|ConvertTo-Json -Compress)
        \\\\}
    \\\\}
\\\\}

# Export to CSV for SIEM ingestion
$siemData|Export-Csv -Path $OutputFile -NoTypeInformation

# Cleanup
Remove-Item $tempDir -Recurse -Force

\\}

Usage

Export-BloodHoundToSIEM -BloodHoundZip "collection.zip" -OutputFile "bloodhound_siem.csv" ```_

Automatisierte Analyse

```python

!/usr/bin/env python3

import json import zipfile import os from datetime import datetime

class BloodHoundAnalyzer: def init(self, zip_path): self.zip_path = zip_path self.data = \\{\\} self.extract_data()

def extract_data(self):
    """Extract and load BloodHound data"""
    with zipfile.ZipFile(self.zip_path, 'r') as zip_ref:
        for file_name in zip_ref.namelist():
            if file_name.endswith('.json'):
                with zip_ref.open(file_name) as json_file:
                    data_type = file_name.replace('.json', '')
                    self.data[data_type] = json.load(json_file)

def analyze_admin_rights(self):
    """Analyze local admin rights"""
    admin_rights = []

    if 'computers' in self.data:
        for computer in self.data['computers']['data']:
            if 'LocalAdmins' in computer:
                for admin in computer['LocalAdmins']:
                    admin_rights.append(\\\\{
                        'computer': computer['Properties']['name'],
                        'admin': admin['ObjectIdentifier'],
                        'type': admin['ObjectType']
                    \\\\})

    return admin_rights

def find_high_value_targets(self):
    """Identify high-value targets"""
    hvt = []

    if 'users' in self.data:
        for user in self.data['users']['data']:
            if user['Properties'].get('highvalue', False):
                hvt.append(\\\\{
                    'name': user['Properties']['name'],
                    'domain': user['Properties']['domain'],
                    'enabled': user['Properties'].get('enabled', False)
                \\\\})

    return hvt

def analyze_domain_trusts(self):
    """Analyze domain trusts"""
    trusts = []

    if 'domains' in self.data:
        for domain in self.data['domains']['data']:
            if 'Trusts' in domain:
                for trust in domain['Trusts']:
                    trusts.append(\\\\{
                        'source': domain['Properties']['name'],
                        'target': trust['TargetDomainName'],
                        'direction': trust['TrustDirection'],
                        'type': trust['TrustType']
                    \\\\})

    return trusts

def generate_report(self):
    """Generate analysis report"""
    report = \\\\{
        'timestamp': datetime.now().isoformat(),
        'source_file': self.zip_path,
        'admin_rights': self.analyze_admin_rights(),
        'high_value_targets': self.find_high_value_targets(),
        'domain_trusts': self.analyze_domain_trusts(),
        'statistics': \\\\{
            'total_computers': len(self.data.get('computers', \\\\{\\\\}).get('data', [])),
            'total_users': len(self.data.get('users', \\\\{\\\\}).get('data', [])),
            'total_groups': len(self.data.get('groups', \\\\{\\\\}).get('data', []))
        \\\\}
    \\\\}

    return report

Usage

if name == "main": import sys

if len(sys.argv) != 2:
    print("Usage: python3 analyze_bloodhound.py <bloodhound_zip>")
    sys.exit(1)

analyzer = BloodHoundAnalyzer(sys.argv[1])
report = analyzer.generate_report()

# Save report
with open('bloodhound_analysis.json', 'w') as f:
    json.dump(report, f, indent=2)

print(f"[+] Analysis complete. Report saved to bloodhound_analysis.json")
print(f"[+] Found \\\\{len(report['admin_rights'])\\\\} admin relationships")
print(f"[+] Found \\\\{len(report['high_value_targets'])\\\\} high-value targets")
print(f"[+] Found \\\\{len(report['domain_trusts'])\\\\} domain trusts")

```_

Fehlerbehebung

Gemeinsame Themen

Authentication Probleme

```bash

Test LDAP connectivity

ldapsearch -H ldap://dc01.example.com -D "username@example.com" -W -b "DC=example,DC=com" "(objectClass=user)"

Verify Kerberos tickets

klist

Clear Kerberos cache

kdestroy

Test with different authentication methods

SharpHound.exe -d example.com --AuthType Negotiate SharpHound.exe -d example.com --AuthType Ntlm SharpHound.exe -d example.com --AuthType Kerberos ```_

Genehmigungsfragen

```bash

Check current user permissions

whoami /groups whoami /priv

Test with different user context

runas /user:DOMAIN\username SharpHound.exe

Verify domain controller accessibility

nslookup example.com telnet dc01.example.com 389 telnet dc01.example.com 636 ```_

Sammlungsfehler

```bash

Enable verbose logging

SharpHound.exe -c All --Verbose

Check for specific errors

SharpHound.exe -c All --Debug

Test individual collection methods

SharpHound.exe -c Group --Verbose SharpHound.exe -c LocalAdmin --Verbose SharpHound.exe -c Session --Verbose

Reduce thread count

SharpHound.exe -c All --Threads 1

Increase timeouts

SharpHound.exe -c All --LdapTimeout 300 --Timeout 300 ```_

Netzwerkprobleme

```bash

Test network connectivity

ping dc01.example.com nmap -p 389,636,3268,3269 dc01.example.com

Check firewall rules

netsh advfirewall firewall show rule name=all|findstr LDAP

Test with different ports

SharpHound.exe -d example.com --LdapPort 389 SharpHound.exe -d example.com --LdapPort 636 --SecureLdap ```_

Leistungsoptimierung

```bash

Optimize for large environments

SharpHound.exe -c All --Threads 20 --Throttle 0

Use caching for repeated collections

SharpHound.exe -c All --CacheFilename cache.bin SharpHound.exe -c Session --CacheFilename cache.bin # Reuse cache

Skip expensive operations

SharpHound.exe -c All --SkipPortScan --ExcludeDCs

Use stealth mode for sensitive environments

SharpHound.exe -c All --Stealth --Jitter 30 ```_

Speicher- und Speicherprobleme

```bash

Monitor memory usage

Get-Process SharpHound|Select-Object ProcessName, WorkingSet, VirtualMemorySize

Use compression

SharpHound.exe -c All --CompressData

Split large collections

SharpHound.exe -c Group,ACL --OutputPrefix "part1" SharpHound.exe -c Session,LocalAdmin --OutputPrefix "part2"

Clean up temporary files

Remove-Item $env:TEMP\SharpHound* -Force ```_

Ressourcen

--

*Dieses Betrugsblatt bietet eine umfassende Referenz für die Verwendung von SharpHound für Active Directory-Datensammlung. Stellen Sie immer sicher, dass Sie eine richtige Berechtigung haben, bevor Sie dieses Tool in jeder Umgebung verwenden. *