BloodHound JSON Format

Rohan Vazarkar edited this page Aug 7, 2018 · 1 revision

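Data exported by SharpHound is stored in JSON files. There are eight separate JSON files, each providing a different type of data. Their structure is documented here. These files hold directory data such as ACLs, sessions and user attributes; the users sample below includes a clear-text "userpassword" value, so exports need the same handling as credentials.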

Basic JSON Format

Every JSON file ends with a "meta" tag, an object that holds the number of objects in the file ("count") and the type of data in the file ("type"). The data itself is stored in an array whose key matches the "type" string in the meta tag.

{
    "users":[
        {
            "name": "ADMIN@TESTLAB.LOCAL"
        }
    ],
    "meta":{
        "type" : "users",
        "count": 1
    }
}

Possible types/meta tags are:

  • users
  • groups
  • ous
  • computers
  • gpos
  • domains
  • gpoadmins
  • sessions

Object Formats

users

"Name": "ADMINISTRATOR@TESTLAB.LOCAL",
"PrimaryGroup": "DOMAIN USERS@TESTLAB.LOCAL",
"Properties": {
    "domain": "TESTLAB.LOCAL",
    "objectsid": "S-1-5-21-883232822-274137685-4173207997-500",
    "enabled": true,
    "lastlogon": 1532041405,
    "pwdlastset": 1531772261,
    "serviceprincipalnames": [],
    "hasspn": false,
    "displayname": null,
    "email": null,
    "title": null,
    "homedirectory": null,
    "description": "Built-in account for administering the computer/domain",
    "userpassword": "Password123!",
    "admincount": true
},
"Aces": [
    {
        "PrincipalName": "DOMAIN ADMINS@TESTLAB.LOCAL",
        "PrincipalType": "group",
        "RightName": "Owner",
        "AceType": ""
    },
    {
        "PrincipalName": "DOMAIN ADMINS@TESTLAB.LOCAL",
        "PrincipalType": "group",
        "RightName": "GenericWrite",
        "AceType": ""
    },
    {
        "PrincipalName": "DOMAIN ADMINS@TESTLAB.LOCAL",
        "PrincipalType": "group",
        "RightName": "WriteOwner",
        "AceType": ""
    },
    {
        "PrincipalName": "DOMAIN ADMINS@TESTLAB.LOCAL",
        "PrincipalType": "group",
        "RightName": "WriteDacl",
        "AceType": ""
    },
    {
        "PrincipalName": "ENTERPRISE ADMINS@TESTLAB.LOCAL",
        "PrincipalType": "group",
        "RightName": "GenericWrite",
        "AceType": ""
    },
    {
        "PrincipalName": "ENTERPRISE ADMINS@TESTLAB.LOCAL",
        "PrincipalType": "group",
        "RightName": "WriteOwner",
        "AceType": ""
    },
    {
        "PrincipalName": "ENTERPRISE ADMINS@TESTLAB.LOCAL",
        "PrincipalType": "group",
        "RightName": "WriteDacl",
        "AceType": ""
    },
    {
        "PrincipalName": "ADMINISTRATORS@TESTLAB.LOCAL",
        "PrincipalType": "group",
        "RightName": "GenericWrite",
        "AceType": ""
    },
    {
        "PrincipalName": "ADMINISTRATORS@TESTLAB.LOCAL",
        "PrincipalType": "group",
        "RightName": "WriteOwner",
        "AceType": ""
    },
    {
        "PrincipalName": "ADMINISTRATORS@TESTLAB.LOCAL",
        "PrincipalType": "group",
        "RightName": "WriteDacl",
        "AceType": ""
    }
],
"AllowedToDelegate": []

computers

"Name": "WINDOWS1.TESTLAB.LOCAL",
"PrimaryGroup": "DOMAIN COMPUTERS@TESTLAB.LOCAL",
"Properties": {
    "objectsid": "S-1-5-21-883232822-274137685-4173207997-1106",
    "highvalue": false,
    "domain": "TESTLAB.LOCAL",
    "enabled": true,
    "unconstraineddelegation": false,
    "lastlogon": 1532094035,
    "pwdlastset": 1530133811,
    "serviceprincipalnames": [
        "RestrictedKrbHost/WINDOWS1",
        "HOST/WINDOWS1",
        "RestrictedKrbHost/WINDOWS1.testlab.local",
        "HOST/WINDOWS1.testlab.local"
    ],
    "operatingsystem": "Windows 7 Ultimate N Service Pack 1",
    "description": null
},
"LocalAdmins": [
    { "Name": "DOMAIN ADMINS@TESTLAB.LOCAL", "Type": "Group" },
    { "Name": "ADMINISTRATOR@TESTLAB.LOCAL", "Type": "User" },
    { "Name": "ADMIN@TESTLAB.LOCAL", "Type": "User" }
],
"RemoteDesktopUsers": [
    { "Name": "DFM@TESTLAB.LOCAL", "Type": "User" }
],
"DcomUsers": [
    { "Name": "DFM.A@TESTLAB.LOCAL", "Type": "User" }
],
"AllowedToDelegate": []
}

groups

{
"Name": "SCHEMA ADMINS@TESTLAB.LOCAL",
"Properties": {
    "highvalue": false,
    "domain": "TESTLAB.LOCAL",
    "objectsid": "S-1-5-21-883232822-274137685-4173207997-518",
    "admincount": true,
    "description": "Designated administrators of the schema"
},
"Aces": [
    {
        "PrincipalName": "DOMAIN ADMINS@TESTLAB.LOCAL",
        "PrincipalType": "group",
        "RightName": "Owner",
        "AceType": ""
    },
    {
        "PrincipalName": "DOMAIN ADMINS@TESTLAB.LOCAL",
        "PrincipalType": "group",
        "RightName": "GenericWrite",
        "AceType": ""
    },
    {
        "PrincipalName": "DOMAIN ADMINS@TESTLAB.LOCAL",
        "PrincipalType": "group",
        "RightName": "WriteOwner",
        "AceType": ""
    },
    {
        "PrincipalName": "DOMAIN ADMINS@TESTLAB.LOCAL",
        "PrincipalType": "group",
        "RightName": "WriteDacl",
        "AceType": ""
    },
    {
        "PrincipalName": "ENTERPRISE ADMINS@TESTLAB.LOCAL",
        "PrincipalType": "group",
        "RightName": "GenericWrite",
        "AceType": ""
    },
    {
        "PrincipalName": "ENTERPRISE ADMINS@TESTLAB.LOCAL",
        "PrincipalType": "group",
        "RightName": "WriteOwner",
        "AceType": ""
    },
    {
        "PrincipalName": "ENTERPRISE ADMINS@TESTLAB.LOCAL",
        "PrincipalType": "group",
        "RightName": "WriteDacl",
        "AceType": ""
    },
    {
        "PrincipalName": "ADMINISTRATORS@TESTLAB.LOCAL",
        "PrincipalType": "group",
        "RightName": "GenericWrite",
        "AceType": ""
    },
    {
        "PrincipalName": "ADMINISTRATORS@TESTLAB.LOCAL",
        "PrincipalType": "group",
        "RightName": "WriteOwner",
        "AceType": ""
    },
    {
        "PrincipalName": "ADMINISTRATORS@TESTLAB.LOCAL",
        "PrincipalType": "group",
        "RightName": "WriteDacl",
        "AceType": ""
    }
],
"Members": [
        { 
            "MemberName": "ADMIN@TESTLAB.LOCAL", 
            "MemberType": "user" 
        },
        {
            "MemberName": "ADMINISTRATOR@TESTLAB.LOCAL",
            "MemberType": "user"
        }
    ]
}

domains

{
"Name": "TESTLAB.LOCAL",
"Properties": {
    "objectsid": "S-1-5-21-883232822-274137685-4173207997",
    "highvalue": true,
    "description": null,
    "functionallevel": "2012 R2"
},
"Links": [
    { "IsEnforced": false, "Name": "LOCALADMINS@TESTLAB.LOCAL" },
    {
        "IsEnforced": false,
        "Name": "DEFAULT DOMAIN POLICY@TESTLAB.LOCAL"
    }
],
"Trusts": [
    {
        "TargetName": "DEV.TESTLAB.LOCAL",
        "IsTransitive": true,
        "TrustDirection": 2,
        "TrustType": "ParentChild"
    },
    {
        "TargetName": "EXTERNAL.LOCAL",
        "IsTransitive": true,
        "TrustDirection": 2,
        "TrustType": "External"
    }
],
"Aces": [
    {
        "PrincipalName": "ADMINISTRATORS@TESTLAB.LOCAL",
        "PrincipalType": "group",
        "RightName": "Owner",
        "AceType": ""
    },
    {
        "PrincipalName":
            "ENTERPRISE READ-ONLY DOMAIN CONTROLLERS@TESTLAB.LOCAL",
        "PrincipalType": "group",
        "RightName": "ExtendedRight",
        "AceType": "GetChanges"
    },
    {
        "PrincipalName": "DOMAIN CONTROLLERS@TESTLAB.LOCAL",
        "PrincipalType": "group",
        "RightName": "ExtendedRight",
        "AceType": "GetChangesAll"
    },
    {
        "PrincipalName": "ADMINISTRATORS@TESTLAB.LOCAL",
        "PrincipalType": "group",
        "RightName": "ExtendedRight",
        "AceType": "GetChanges"
    },
    {
        "PrincipalName": "ADMINISTRATORS@TESTLAB.LOCAL",
        "PrincipalType": "group",
        "RightName": "ExtendedRight",
        "AceType": "GetChangesAll"
    },
    {
        "PrincipalName":
            "ENTERPRISE DOMAIN CONTROLLERS@TESTLAB.LOCAL",
        "PrincipalType": "group",
        "RightName": "ExtendedRight",
        "AceType": "GetChanges"
    },
    {
        "PrincipalName": "DOMAIN ADMINS@TESTLAB.LOCAL",
        "PrincipalType": "group",
        "RightName": "WriteOwner",
        "AceType": ""
    },
    {
        "PrincipalName": "DOMAIN ADMINS@TESTLAB.LOCAL",
        "PrincipalType": "group",
        "RightName": "WriteDacl",
        "AceType": ""
    },
    {
        "PrincipalName": "DOMAIN ADMINS@TESTLAB.LOCAL",
        "PrincipalType": "group",
        "RightName": "ExtendedRight",
        "AceType": "All"
    },
    {
        "PrincipalName": "ENTERPRISE ADMINS@TESTLAB.LOCAL",
        "PrincipalType": "group",
        "RightName": "GenericAll",
        "AceType": ""
    },
    {
        "PrincipalName": "ADMINISTRATORS@TESTLAB.LOCAL",
        "PrincipalType": "group",
        "RightName": "WriteOwner",
        "AceType": ""
    },
    {
        "PrincipalName": "ADMINISTRATORS@TESTLAB.LOCAL",
        "PrincipalType": "group",
        "RightName": "WriteDacl",
        "AceType": ""
    },
    {
        "PrincipalName": "ADMINISTRATORS@TESTLAB.LOCAL",
        "PrincipalType": "group",
        "RightName": "ExtendedRight",
        "AceType": "All"
    }
],
"ChildOus": ["357F42BA-7892-441B-8836-DC148D651F3F"],
"Computers": [
    "WINDOWS1.TESTLAB.LOCAL",
    "WINDOWS2.TESTLAB.LOCAL",
    "WINDOWS10.TESTLAB.LOCAL"
],
"Users": [
    "DFM@TESTLAB.LOCAL",
    "DFM.A@TESTLAB.LOCAL",
    "ADMINISTRATOR@TESTLAB.LOCAL",
    "GUEST@TESTLAB.LOCAL",
    "ADMIN@TESTLAB.LOCAL",
    "KRBTGT@TESTLAB.LOCAL",
    "HARMJ0Y@TESTLAB.LOCAL",
    "TESTUSER$@TESTLAB.LOCAL"
]
}

gpos

{
"Name": "DEFAULT DOMAIN POLICY@TESTLAB.LOCAL",
"Properties": {
    "highvalue": false,
    "description": null,
    "gpcpath":
        "\\\\testlab.local\\sysvol\\testlab.local\\Policies\\{31B2F340-016D-11D2-945F-00C04FB984F9}"
},
"Guid": "31B2F340-016D-11D2-945F-00C04FB984F9",
"Aces": [
    {
        "PrincipalName": "DOMAIN ADMINS@TESTLAB.LOCAL",
        "PrincipalType": "group",
        "RightName": "Owner",
        "AceType": ""
    },
    {
        "PrincipalName": "DOMAIN ADMINS@TESTLAB.LOCAL",
        "PrincipalType": "group",
        "RightName": "WriteOwner",
        "AceType": ""
    },
    {
        "PrincipalName": "DOMAIN ADMINS@TESTLAB.LOCAL",
        "PrincipalType": "group",
        "RightName": "WriteDacl",
        "AceType": ""
    },
    {
        "PrincipalName": "DOMAIN ADMINS@TESTLAB.LOCAL",
        "PrincipalType": "group",
        "RightName": "WriteOwner",
        "AceType": ""
    },
    {
        "PrincipalName": "DOMAIN ADMINS@TESTLAB.LOCAL",
        "PrincipalType": "group",
        "RightName": "WriteDacl",
        "AceType": ""
    },
    {
        "PrincipalName": "ENTERPRISE ADMINS@TESTLAB.LOCAL",
        "PrincipalType": "group",
        "RightName": "WriteOwner",
        "AceType": ""
    },
    {
        "PrincipalName": "ENTERPRISE ADMINS@TESTLAB.LOCAL",
        "PrincipalType": "group",
        "RightName": "WriteDacl",
        "AceType": ""
    },
    {
        "PrincipalName": "ENTERPRISE ADMINS@TESTLAB.LOCAL",
        "PrincipalType": "group",
        "RightName": "WriteOwner",
        "AceType": ""
    },
    {
        "PrincipalName": "ENTERPRISE ADMINS@TESTLAB.LOCAL",
        "PrincipalType": "group",
        "RightName": "WriteDacl",
        "AceType": ""
    },
    {
        "PrincipalName": "DOMAIN ADMINS@TESTLAB.LOCAL",
        "PrincipalType": "group",
        "RightName": "WriteOwner",
        "AceType": ""
    },
    {
        "PrincipalName": "DOMAIN ADMINS@TESTLAB.LOCAL",
        "PrincipalType": "group",
        "RightName": "WriteDacl",
        "AceType": ""
    }
    ]
}

ous

{
    "Guid": "357F42BA-7892-441B-8836-DC148D651F3F",
    "Properties": {
        "name": "DOMAIN CONTROLLERS@TESTLAB.LOCAL",
        "highvalue": false,
        "blocksinheritance": false,
        "description": "Default container for domain controllers"
    },
    "ChildOus": [],
    "Computers": ["PRIMARY.TESTLAB.LOCAL"],
    "Users": [],
    "Links": [
        {
            "IsEnforced": false,
            "Name": "DEFAULT DOMAIN CONTROLLERS POLICY@TESTLAB.LOCAL"
        }
    ]
}

sessions

{
    "UserName": "DFM@TESTLAB.LOCAL",
    "ComputerName": "WINDOWS1.TESTLAB.LOCAL",
    "Weight": 1
}

gpoadmins

{
    "Computer": "PRIMARY.TESTLAB.LOCAL",
    "Name": "DOMAIN ADMINS@TESTLAB.LOCAL",
    "Type": "group"
}