Data Collection Intro

Rohan Vazarkar edited this page Sep 12, 2018 · 18 revisions


BloodHound requires three pieces of information from an Active Directory environment in order to function, plus one optional piece:

  1. Who is logged on where?
  2. Who has admin rights where?
  3. What users and groups belong to what groups?
  4. (Optionally) What principals have control over other user and group objects?

In most instances, collecting this information does not require Administrator privileges and does not require executing code on remote systems. The PowerShell ingestor, based on PowerView, makes data collection fast and simple. The ingestor is located in the BloodHound repo at /Ingestors/.

The collector also gathers many additional pieces of data that expose further attack paths, as well as node properties that are included for convenience.


PowerShell Execution Policy

PowerShell by default will not allow execution of PowerShell scripts; however, bypassing this restriction is very simple in most instances. Typically you will be able to enter a PowerShell runspace without this restriction by running:

PS C:\> PowerShell -Exec Bypass

For more options, see this great blog post from NetSPI on 15 different ways to bypass PowerShell execution policy.


Data Ingestion

Data ingestion is done using the BloodHound interface. The interface supports uploading Zip files with data, as well as individual JSON files.

JSON ingestion via the BloodHound interface
