
Data Collection Intro

Andy Robbins edited this page Aug 6, 2016 · 12 revisions

# Data Collection Intro

BloodHound requires three sets of information from an Active Directory environment in order to function:

  1. Who is logged on where?
  2. Who has admin rights where?
  3. What users and groups belong to what groups?

In most instances, collecting this information does not require Administrator privileges, and does not require executing code on remote systems. The PowerShell ingestor, based on PowerView, makes data collection fast and simple. The ingestor is located in the BloodHound repo at /PowerShell/BloodHound.ps1.


## PowerShell execution policy

PowerShell by default will not allow execution of PowerShell scripts; however, bypassing this restriction is very simple in most instances. Typically you will be able to enter a PowerShell runspace without this restriction by running:

```
PS C:\> PowerShell -Exec Bypass
```

For more options, see this great blog post from NetSPI on 15 different ways to bypass PowerShell execution policy.
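
Because the execution policy can be overridden from the command line like this, it is not a security boundary, and the override shows up in process-creation logging. The following is an added example, not part of the BloodHound wiki or code: it flags PowerShell command lines that request a permissive policy, including the abbreviated forms powershell.exe accepts. The function names and the sample events are constructed for illustration.

```python
import re

# powershell.exe matches parameters by prefix: -ExecutionPolicy may be shortened
# to "-ex" or anything longer, "-ep" is an alias, and "/" works in place of "-".
FULL_NAME = "executionpolicy"
PERMISSIVE = {"bypass", "unrestricted"}
TOKEN = re.compile(r'"[^"]*"|\S+')  # keeps a quoted path with spaces as one token


def is_policy_switch(token):
    if len(token) < 3 or token[0] not in "-/":
        return False  # "-e" alone belongs to -EncodedCommand, not to the policy
    name = token[1:].lower()
    return name == "ep" or FULL_NAME.startswith(name)


def policy_override(cmdline):
    """Return the permissive policy requested on a PowerShell command line, else None."""
    tokens = [t.strip('"') for t in TOKEN.findall(cmdline)]
    if not tokens:
        return None
    exe = tokens[0].replace("\\", "/").rsplit("/", 1)[-1].lower()
    if not exe.startswith(("powershell", "pwsh")):
        return None
    # Look at each (switch, value) pair of adjacent arguments.
    for switch, value in zip(tokens[1:], tokens[2:]):
        if is_policy_switch(switch) and value.lower() in PERMISSIVE:
            return value.lower()
    return None


def flag(events):
    """events: iterable of (host, command line) taken from process-creation logs."""
    hits = []
    for host, cmdline in events:
        policy = policy_override(cmdline)
        if policy:
            hits.append((host, policy))
    return hits


# Constructed sample events; the first is the command shown on this page.
SAMPLE = [
    ("WS01", r'PowerShell -Exec Bypass'),
    ("WS02", r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -ep "Unrestricted" -File C:\Scripts\inventory.ps1'),
    ("WS03", r'powershell.exe -NoProfile -File C:\Scripts\backup.ps1'),
    ("WS04", r'powershell.exe /ExecutionPolicy RemoteSigned -File C:\Scripts\patch.ps1'),
    ("WS05", r'cmd.exe /c echo -exec bypass'),
]

if __name__ == "__main__":
    print(flag(SAMPLE))
```

Legitimate administration scripts also pass these switches, so treat a hit as a lead to correlate with the parent process and the script being run rather than as an alert on its own.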


## Data Ingestion

We currently have two methods of ingesting data into BloodHound:

  1. The PowerShell ingestor
  2. CSV ingestion via the BloodHound interface