Data Collector

Andy Robbins edited this page Oct 22, 2018 · 7 revisions

SharpHound - The C# Ingestor

BloodHound now includes a completely custom C# ingestor written from the ground up to support collection activities. Two options exist for using the ingestor, an executable and a PowerShell script. Both ingestors support the same set of options. The command to run the PowerShell version is Invoke-BloodHound. Like all PowerShell scripts, it must be run in a PowerShell runspace without execution policy restrictions. For more information on running PowerShell with execution policy bypassed, see this blog post by NetSPI.

For detailed information, including flags and new features, see the blog post here.


Basic Usage

Invoke-BloodHound executes collection options necessary to populate the backend BloodHound database. With no options specified, by default it will gather all unrolled group membership information, all reachable domain trust information, and will gather all session/local admin data on all computers it can reach from your current domain. All data will be exported to JSON files in the current directory. The *-JSONFolder C:\Temp* parameter will modify the folder that the files are output to, and -JSONPrefix domainX will prepend the specified flag to the beginning of each output file.

For user session data without a logon domain, by default the global catalog is used to attempt to deconflict what domain the user may be located in. If the user exists in more than one domain in the forest, a series of weights is used to modify the attack path likelihood. If you want to skip this global catalog deconfliction approach, specify the -SkipGCDeconfliction flag.

Collector Options

Enumeration Options

  • CollectionMethod - The collection method to use. This parameter accepts a comma separated list of values. Has the following potential values (Default: Default):
    • Default - Performs group membership collection, domain trust collection, local admin collection, and session collection
    • Group - Performs group membership collection
    • LocalAdmin - Performs local admin collection
    • RDP - Performs Remote Desktop Users collection
    • DCOM - Performs Distributed COM Users collection
    • GPOLocalGroup - Performs local admin collection using Group Policy Objects
    • Session - Performs session collection
    • ObjectProps - Performs Object Properties collection for properties such as LastLogon or PwdLastSet
    • ComputerOnly - Performs local admin, RDP, DCOM and session collection
    • LoggedOn - Performs privileged session collection (requires admin rights on target systems)
    • Trusts - Performs domain trust enumeration
    • ACL - Performs collection of ACLs
    • Container - Performs collection of Containers
    • DcOnly - Performs collection using LDAP only. Includes Group, Trusts, ACL, ObjectProps, Container, and GPOLocalGroup.
    • All - Performs all Collection Methods except GPOLocalGroup and LoggedOn
  • SearchForest - Search all the domains in the forest instead of just your current one
  • Domain - Search a particular domain. Uses your current domain if null (Default: null)
  • Stealth - Performs stealth collection methods. All stealth options are single threaded.
  • SkipGCDeconfliction - Skip Global Catalog deconfliction during session enumeration. This can speed up enumeration, but will result in possible inaccuracies in data.
  • ExcludeDc - Excludes domain controllers from enumeration (avoids Microsoft ATA flags :) )
  • ComputerFile - Specify a file to load computer names/IPs from
  • OU - Specify which OU to enumerate

Connection Options

  • DomainController - Specify which Domain Controller to connect to (Default: null)
  • LdapPort - Specify what port LDAP lives on (Default: 0)
  • SecureLdap - Connect to AD using Secure LDAP instead of regular LDAP. Will connect to port 636 by default.
  • IgnoreLdapCert - Ignores LDAP SSL certificate. Use if there's a self-signed certificate for example
  • LDAPUser - Username to connect to LDAP with. Requires the LDAPPassword parameter as well (Default: null)
  • LDAPPass - Password for the user to connect to LDAP with. Requires the LDAPUser parameter as well (Default: null)
  • DisableKerbSigning - Disables LDAP encryption. Not recommended.

Performance Options

  • Threads - Specify the number of threads to use (Default: 10)
  • PingTimeout - Specifies the timeout for ping requests in milliseconds (Default: 250)
  • SkipPing - Instructs Sharphound to skip ping requests to see if systems are up
  • LoopDelay - The number of seconds in between session loops (Default: 300)
  • MaxLoopTime - The amount of time to continue session looping. Format is 0d0h0m0s. Null will loop for two hours. (Default: 2h)
  • Throttle - Adds a delay after each request to a computer. Value is in milliseconds (Default: 0)
  • Jitter - Adds a percentage jitter to throttle. (Default: 0)

Output Options

  • JSONFolder - Folder in which to store JSON files (Default: .)
  • JSONPrefix - Prefix to add to your JSON files (Default: "")
  • NoZip - Don't compress JSON files to the zip file. Leaves JSON files on disk. (Default: false)
  • EncryptZip - Add a randomly generated password to the zip file.
  • ZipFileName - Specify the name of the zip file
  • RandomFilenames - Randomize output file names
  • PrettyJson - Outputs JSON with indentation on multiple lines to improve readability. Tradeoff is increased file size.

Cache Options

  • CacheFile - Filename for the Sharphound cache. (Default: BloodHound.bin)
  • NoSaveCache - Don't save the cache file to disk. Without this flag, BloodHound.bin will be dropped to disk
  • Invalidate - Invalidate the cache file and build a new cache

Misc Options

  • StatusInterval - Interval to display progress during enumeration in milliseconds (Default: 30000)
  • Verbose - Enables verbose output
You can’t perform that action at this time.
You signed in with another tab or window. Reload to refresh your session. You signed out in another tab or window. Reload to refresh your session.
Press h to open a hovercard with more details.