Skip to content
Vampire is an aggressor script which integrates with BloodHound to mark nodes as owned.
Branch: master
Clone or download
Fetching latest commit…
Cannot retrieve the latest commit at this time.
Type Name Latest commit message Commit time
Failed to load latest commit information.
LICENSE Coalfire License Apr 16, 2019 Update with vampire_creds.cna details May 22, 2019
Screen_Shot_2019-04-02_at_3.31.54_PM.png Initial commit Apr 8, 2019
vampire.cna Treat Administrator the same as SYSTEM Apr 18, 2019
vampire_creds.cna Create vampire_creds.cna May 22, 2019


Vampire is an aggressor script which adds a "Mark Owned" right click option to beacons. This allows you to select either the Computer or User (or Default, which will choose based on your user), along with the domain they belong to. There is an additional optional cna script for marking new credentials as owned. Vampire will communicate with your neo4j REST API on localhost:7474 to mark the node as owned.

How to use

  1. Put vampire.cna, vampire_creds.cna, and in the root of your cobaltstrike folder
  2. chmod u+x
  3. Load vampire.cna and vampire_creds.cna into Cobalt Strike through the Script Manager
  4. Rain shells
  5. Start neo4j and BloodHound as normal
  6. Run BloodHound data collection and import data
  7. Right click your beacon(s) and mark them as owned
  8. Run logonpasswords


  • neo4j must be running on localhost, on the standard port - 7474
  • Your neo4j database creds should be Kali standard neo4j:BloodHound (you can change the base64 in otherwise)


  • Never miss an attack path
  • Quickly keep up with other team members' movement

How it works

  1. Uses to query the list of domains from neo4j
  2. Obtain user selection
  3. Foreach selected beacon ID:
  4. Append @ + the specified domain to the user/computer name
  5. For Default, it will choose based on whether you're a local admin
  6. Uses to query the neo4j REST API
    • 'START n = node(*) WHERE lower( = "' + nodelabel.lower() + '" SET n.owned = TRUE'

  1. Listens for the on credentials callback
  2. Loops through all the credentials, keeping an internal state
  3. Optionally excludes 32 byte passwords (NTLM hashes - see $ignore_hash)
  4. Reconstructs a valid domain for the user
  5. Checks the user exists
  6. Marks new credentials as owned


Patrick Hurd

You can’t perform that action at this time.