BloodHound

BloodHound is an identity risk management platform and graph-based attack path analyzer used to map identity relationships and permissions in Active Directory. It functions as a security tool for auditing directory services, uncovering unintended privilege relationships, and visualizing sequences of permissions that can lead to domain compromise.

The project differentiates itself as a comprehensive adversary emulation framework that coordinates remote agents and executes post-exploitation commands. It includes a reverse proxy for bypassing multi-factor authentication via real-time session hijacking and a system for simulating phishing campaigns to track user interactions.

The platform covers a broad set of offensive security capabilities, including credential harvesting from memory and local stores, Kerberos and PKI manipulation, and infrastructure enumeration targeting system management tools. It also provides tools for remote command execution, lateral movement through authentication coercion, and the discovery of privilege escalation vectors across host configurations.

The system is deployed as a multi-tier container architecture and can be installed and configured via a command-line utility.

Features

Active Directory Security - Maps identity relationships and permissions in Active Directory to uncover hidden privilege escalation paths.

Graph Relationship Modeling - Models environments as a graph by ingesting data from identity and device management systems to identify attack paths.

Attack Path Graphs - Uses graph-based attack path modeling to visualize privilege escalation routes and hidden identity relationships.

Privilege Relationship Visualization - Visualizes hidden connections between users and assets across identity and access platforms using graph analysis.

Identity Risk Mitigation - Identifies and removes unintended privilege relationships to harden identity structures and block attack vectors.

Phishing Campaign Orchestrators - Orchestrates the delivery of simulated phishing emails and tracks target interactions for security auditing.

Remote Agent Payload Execution - Executes binary files and assemblies on remote agents to extend their operational capabilities.

Active Directory Enumeration - Performs domain reconnaissance and collects identity data to map network relationships in Active Directory.

Attack Path Visualizations - Uses graph databases to discover and visualize sequences of permissions that lead to domain compromise.

Attack Path Analysis - Visualizes privilege escalation routes and hidden identity relationships using graph-based analysis.

Permission Chain Discovery - Identifies sequences of permissions that can be exploited to escalate privileges or move laterally.

Identity Management - Audits directory services to uncover unintended privilege relationships and mitigate identity-based risks.

Identity Data Collection - Deploys specialized collectors to gather and upload access management data for analysis.

Identity Data Ingestion - Imports environment data into a graph database to analyze permissions and relationship mappings.

Post-Exploitation Plugins - Runs tasks such as process injection and credential harvesting across multiple operating systems.

Red Teaming Frameworks - Tracks assets and assessments to simplify report generation for offensive security engagements.

Relationship Pattern Analysis - Analyzes the structural topology of identity relationships to identify suspicious patterns and attack paths.

Adversary Emulation Frameworks - Coordinates remote agents and command control to simulate realistic cyber attacks and test security defenses.

Active Directory Security Tools - Provides a graph-based tool to map Active Directory permissions and identify security vulnerabilities.

Session Hijacking - Captures real-time session tokens via a reverse proxy to bypass multi-factor authentication.

MFA Bypass Proxies - Implements a reverse proxy to stream live browser sessions and bypass multi-factor authentication.

WMI-Based Command Execution - Executes system queries and commands on a remote Windows machine using management instrumentation.

Multi-User Agent Coordination - Coordinates multiple agents and communication profiles in real-time to conduct adversary emulation.

Remote Command Execution - Runs scripts or binaries across remote collections and targeted devices to move laterally.

Privilege Escalation - Scans for common privilege escalation paths such as insecure services and registry keys.

Custom Graph Schema Mapping - Ingests diverse data into a graph schema to visualize non-standard attack paths.

External Data Ingestion - Uses configurable extension definitions to ingest diverse external identity data into a structured graph database.

Infrastructure Data Imports - Imports access lists and permission data from external providers into a graph database to analyze attack paths.

Graph Schema Definition - Creates extension definitions to map custom nodes and edges into a structured graph.

OSINT Automation Frameworks - Discovers employees and enriches profiles using AI to generate personalized social engineering pretexts.

REST APIs - Provides a programmable REST API to connect external tools and custom workflows to the platform.

Phishing Target Directories - Maintains directories of email addresses and metadata to personalize simulated phishing attacks.

Credential Memory Dumping - Extracts credentials and sensitive data from active process memory using in-memory loaders.

Locked Data Extraction - Implements techniques for extracting files currently locked by the operating system to facilitate data exfiltration.

Captured File Enrichment - Processes files automatically to extract credentials and perform advanced data analysis.

Certificate Forgeries - Creates arbitrary user certificates using stolen private keys to establish persistent backdoors.

Certificate Services Exploitation - Uses misconfigurations in certificate services to achieve persistence and privilege escalation.

Configuration Manager Attacks - Profiles and attacks configuration manager environments to move laterally and gather credentials.

Credential Extraction - Provides capabilities to retrieve sensitive passwords from SCCM network accounts and task sequences using decryption.

Credential Harvesting Simulations - Extracts secrets from memory, local stores, and network protocols to enable lateral movement.

Embedded Content Harvesters - Captures authentication attempts and NTLM hashes using pixel images embedded in pages.

Host Enumeration - Provides capabilities for discovering and retrieving metadata about target hosts to identify security weaknesses.

Credential Extraction Utilities - Retrieves secrets from vaults, browser stores, certificates, and configuration files.

Phishing Capturers - Captures interaction data and credentials via deceptive web interfaces to generate audit metrics.

In-Memory Payload Execution - Executes specialized assemblies and binary modules directly in process memory to evade disk-based detection.

Infrastructure Enumeration - Identifies site servers, management points, and managed devices using LDAP and local configuration.

Collaboration Platform Reconnaissance - Enumerates spaces and searches for secrets within collaboration platforms.

Automated Kerberos Attacks - Automates the request, extraction, and forgery of Kerberos tickets to manipulate network identity.

Kerberos Ticket Cache Manipulators - Modifies Kerberos tickets in the local cache to perform roasting and delegation abuse.

Database Key Extractions - Retrieves encryption key material and master keys from KeePass databases and memory.

Misconfiguration Scanning - Evaluates environment configurations against security benchmarks to uncover potential attack paths.

Active 2FA Bypass Proxies - Uses a reverse proxy to capture real-time session data and hijack cookies to bypass multi-factor authentication.

Authentication Coercion - Forces servers or clients to authenticate via NTLM to facilitate credential relay attacks.

Infrastructure Auditing - Analyzes certificate services configurations to find vulnerabilities and compliance issues.

Module Execution Controllers - Runs assemblies across agents to extend functional capabilities using pre-configured armories.

Privilege Escalation Techniques - Scans services and registries for misconfigurations that permit the elevation of system privileges.

SCCM Infrastructure Attacks - Gains unauthorized access by exploiting SCCM enrollment abuses and relay attacks.

SCCM Infrastructure Manipulation - Modifies applications, collection memberships, and deployments within SCCM infrastructure.

Session Token Replays - Allows the injection of captured session data into a local browser to resume authenticated sessions.

Social Engineering Frameworks - Impersonates legitimate workflows by creating issues and comments to deliver payloads through social engineering.

Captured Session Managers - Extracts cookies, local storage, and keystrokes from authenticated users via a proxied session.

Browser Credential Extractions - Retrieves secrets from the Windows Data Protection API, including browser passwords and vaults.

Browser Session Token Reuse - Uses hijacked browser cookies to perform actions on behalf of a user.

Asynchronous Processing Pipelines - Implements an asynchronous pipeline to extract credentials and metadata from uploaded files in the background.

Phishing Session Monitors - Provides live browser thumbnails and keylogging for monitoring active phishing sessions.

Email Blueprint Management - Provides tools to create and organize email content used as blueprints for phishing simulation campaigns.

SpecterOpsBloodHound

Features

Star history