PowerShell Ingestor

Rohan Vazarkar edited this page Aug 8, 2016 · 5 revisions

The PowerShell ingestor is at the heart of data collection for BloodHound. Like all PowerShell scripts, it must be run in a PowerShell runspace without execution policy restrictions. For more information on running PowerShell with execution policy bypassed, see this blog post by NetSPI.

BloodHound includes a customized version of PowerView that implements the functionality to collect the data needed by BloodHound. Additionally, ./PowerShell/BloodHound.ps1 implements three additional functions that assist with data collection and ingestion.

  • Get-BloodHoundData automates the collection of data needed by BloodHound.
  • Export-BloodHoundData will export data from Get-BloodHoundData to a BloodHound Neo4j RESTful API ingestion interface.
  • Export-BloodHoundCSV will export data from Get-BloodHoundData to a series of CSVs that can be ingested by BloodHound offline.

Basic Usage

Get-BloodHoundData runs the collection steps needed to populate the backend BloodHound database. With no options specified, it gathers all unrolled group membership information, all reachable domain trust information, and all session/local admin data from every computer it can reach by querying Active Directory. Additional collection method options are described later in this page. Get-BloodHoundData returns its data as raw custom PSObjects on the PowerShell pipeline; they need to be piped to either Export-BloodHoundData or Export-BloodHoundCSV.

Export-BloodHoundData takes the custom tagged PowerView object types from Get-BloodHoundData and packages/ingests them into a neo4j RESTful API batch ingestion interface. For user session data without a logon domain, by default the global catalog is queried to deconflict which domain the user is likely located in. If the user exists in more than one domain in the forest, a series of weights is used to modify the attack path likelihood. To skip this global catalog deconfliction, specify the -SkipGCDeconfliction flag.

A Cypher query is built for each relationship to ingest, and the set of queries is batched so that -Throttle X queries are sent per batch request. All of the Cypher queries are serialised to JSON using System.Web.Script.Serialization.JavaScriptSerializer. An example use case would be Get-BloodHoundData | Export-BloodHoundData -URI http://SERVER:7474/ -UserPass "user:pass", where SERVER is the BloodHound analysis server reachable from the enumeration server.
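The batching and JSON packaging described above, as an added example that is not BloodHound.ps1's own code: it builds one parameterised Cypher statement per relationship, splits the statements into batches of -Throttle, and serialises each batch with JavaScriptSerializer in the shape the Neo4j transactional endpoint (/db/data/transaction/commit) expects. The relation allow-list, node labels, statement text, endpoint path and sample records are assumptions for illustration; the real ingestor's queries differ.

```powershell
# Added example, not BloodHound.ps1's own code. Endpoint path, statement
# text and the relation allow-list are assumptions for illustration.
Add-Type -AssemblyName System.Web.Extensions

# Relation name -> (source label, target label). Anything not listed is
# rejected, so a label is never built from untrusted AD data.
$RelationLabels = @{
    MemberOf   = @('User',     'Group')
    AdminTo    = @('Group',    'Computer')
    HasSession = @('Computer', 'User')
    TrustedBy  = @('Domain',   'Domain')
}

function ConvertTo-Neo4jBatch {
    param(
        [Parameter(Mandatory = $true)] [object[]] $Relationships,
        [int] $Throttle = 100
    )
    $serializer = New-Object System.Web.Script.Serialization.JavaScriptSerializer
    $all = @(foreach ($rel in $Relationships) {
        if (-not $RelationLabels.ContainsKey($rel.Relation)) {
            Write-Warning "Skipping unknown relation '$($rel.Relation)'"; continue
        }
        $src, $dst = $RelationLabels[$rel.Relation]
        # Node names travel as Cypher parameters ({src}/{dst}, Neo4j 2.x/3.0
        # syntax), never concatenated into the query text, so quotes or
        # braces in an AD object name cannot alter the statement.
        @{
            statement  = "MERGE (a:$src {name:{src}}) MERGE (b:$dst {name:{dst}}) MERGE (a)-[:$($rel.Relation)]->(b)"
            parameters = @{ src = $rel.Source; dst = $rel.Target }
        }
    })
    # Emit one JSON request body per batch of -Throttle statements.
    for ($i = 0; $i -lt $all.Count; $i += $Throttle) {
        $end = [Math]::Min($i + $Throttle, $all.Count) - 1
        $serializer.Serialize(@{ statements = @($all[$i..$end]) })
    }
}

function Send-Neo4jBatch {
    param([string] $URI, [string] $UserPass, [string] $Body)
    $auth = [Convert]::ToBase64String([Text.Encoding]::ASCII.GetBytes($UserPass))
    Invoke-RestMethod -Method Post -ContentType 'application/json' -Body $Body `
        -Uri ($URI.TrimEnd('/') + '/db/data/transaction/commit') `
        -Headers @{ Authorization = "Basic $auth" }
}

# Constructed sample records standing in for Get-BloodHoundData output.
$sample = @(
    [pscustomobject]@{ Relation = 'MemberOf';   Source = 'alice@CORP.LOCAL'; Target = 'DOMAIN ADMINS@CORP.LOCAL' }
    [pscustomobject]@{ Relation = 'HasSession'; Source = 'WS01.CORP.LOCAL';  Target = "o'brien@CORP.LOCAL" }
    [pscustomobject]@{ Relation = 'Bogus';      Source = 'x';                Target = 'y' }
)
ConvertTo-Neo4jBatch -Relationships $sample -Throttle 1
```

Pipe the emitted bodies into Send-Neo4jBatch -URI http://SERVER:7474/ -UserPass "user:pass" to post them; the sample run prints two one-statement batches and warns about the unknown relation.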

Export-BloodHoundCSV takes the custom tagged PowerView object types from Get-BloodHoundData and exports the data to one custom CSV file per object type (sessions, local admin, domain trusts, etc.). For user session data without a logon domain, by default the global catalog is queried to deconflict which domain the user is likely located in. If the user exists in more than one domain in the forest, a series of weights is used to modify the attack path likelihood. To skip this global catalog deconfliction, specify the -SkipGCDeconfliction flag. The -CSVFolder C:\Temp\ parameter changes the folder the files are written to, and -CSVPrefix domainX prepends the specified prefix to the name of each output file. An example use case would be Get-BloodHoundData | Export-BloodHoundCSV, which would output data to group_memberships.csv, local_admins.csv, trusts.csv, and user_sessions.csv.

Collection Method Options

TODO: complete