# BloodHound Community

# Install BloodHound Community edition

sudo curl -L https://ghst.ly/getbhce | sudo docker compose -f - up

Sometimes (and I can't remember why) the command is docker-compose instead of docker compose.

# Parse list of machine names from a cypher query

This used to work on the old (non-Community) edition when you needed to grep a list of endpoints affected by a specific query to create a nice, clean list of machines (one per line). I need to test against Community:

grep -o '"label":"[^"]*"' machine-names.json | cut -d':' -f2 | tr -d '"' | sort | uniq

Or it might be this one:

cat comps.json | jq '.data[].Properties.name' | sed 's/"//g' | sort -f > allmachines.txt

# This script pulls computer names and dates and converts from Unix timestamp with newest date at the top

jq -r '.data | sort_by(.Properties.whencreated) | reverse[] | "\(.Properties.name) \(.Properties.whencreated | todate)"' 20240918113133_computers.json

# Get a list of all users that have a non-empty description (h/t BusyR)

cat *_users.json | jq -r '.data[].Properties | select(.enabled == true) | select(.description != null and .description != "") | .name + ":" + .description' | tee users_with_description.txt

# Create a txt file with all enabled users (h/t BusyR)

cat *_users.json | jq -r ' .data[].Properties | select ( .enabled == true) | .samaccountname' | tee users.txt
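The same three extractions (computers newest first, enabled users with a non-empty description, enabled samaccountnames) as an added Python example that is not from the original notes or the BloodHound project; the SharpHound-shaped JSON below is constructed with only the properties these filters touch.

```python
import json
from datetime import datetime, timezone

# Constructed sample in the SharpHound JSON shape the jq one-liners above read
# (only the properties used here; real files carry many more).
COMPUTERS_JSON = json.dumps({"data": [
    {"Properties": {"name": "DC01.CORP.LOCAL", "whencreated": 1609459200}},
    {"Properties": {"name": "WS17.CORP.LOCAL", "whencreated": 1726617600}},
    {"Properties": {"name": "SRV03.CORP.LOCAL", "whencreated": 1672531200}},
]})
USERS_JSON = json.dumps({"data": [
    {"Properties": {"name": "ALICE@CORP.LOCAL", "samaccountname": "alice",
                    "enabled": True, "description": "Backup admin, pw in vault"}},
    {"Properties": {"name": "BOB@CORP.LOCAL", "samaccountname": "bob",
                    "enabled": True, "description": ""}},
    {"Properties": {"name": "CAROL@CORP.LOCAL", "samaccountname": "carol",
                    "enabled": False, "description": "Left 2023"}},
    {"Properties": {"name": "DAVE@CORP.LOCAL", "samaccountname": "dave",
                    "enabled": True, "description": None}},
]})

def properties(raw):
    """Yield the Properties object of each entry, like jq's .data[].Properties."""
    for entry in json.loads(raw)["data"]:
        yield entry.get("Properties", {})

def computers_newest_first(raw):
    """(name, ISO-8601 UTC creation date) pairs, newest first; mirrors the
    sort_by(.whencreated) | reverse | todate pipeline."""
    rows = [(p["name"], p["whencreated"]) for p in properties(raw)
            if p.get("whencreated") is not None]
    rows.sort(key=lambda r: r[1], reverse=True)
    return [(n, datetime.fromtimestamp(ts, tz=timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ"))
            for n, ts in rows]

def enabled_users_with_description(raw):
    """'name:description' for enabled users whose description is neither null
    nor empty (a null-only check would let "" through)."""
    return [f'{p["name"]}:{p["description"]}' for p in properties(raw)
            if p.get("enabled") is True and p.get("description")]

def enabled_samaccountnames(raw):
    """Sorted, de-duplicated samaccountname list of enabled users (users.txt)."""
    return sorted({p["samaccountname"] for p in properties(raw) if p.get("enabled") is True})

if __name__ == "__main__":
    for name, created in computers_newest_first(COMPUTERS_JSON):
        print(name, created)
    print("\n".join(enabled_users_with_description(USERS_JSON)))
    print("\n".join(enabled_samaccountnames(USERS_JSON)))
```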

# Reset BloodHound password

See this BloodHound Slack advice. You could also go "nuclear" with the next section:

# Delete all BloodHound containers and images and start over

Sometimes my BloodHound doesn't seem to start smoothly and/or hangs weirdly so I do the following when my body is filled with rage:

# Admin session enumeration explained

Sometimes I get confused about how local admin sessions are enumerated. A fine friend from the BloodHound Slack clarified:

Assuming you collected with SharpHound collection method All, SharpHound will attempt to collect local groups directly from the hosts in scope. That requires admin rights by default, however. It will fall back to creating AdminTo edges based on GPO settings. I believe there is an edge property that reveals if the edge is based on GPO. These edges may be false positives as BloodHound does not take GPO filtering into account, for example

# Queries

The BloodHound Query Library is the place to go for good BH queries, but here are a few I like.

# Find all computers without SMB signing

MATCH (n:Computer)
WHERE n.smbsigning = False
RETURN n

# Find computers with WebClient

MATCH (c:Computer)
WHERE c.webclientrunning = True
RETURN c LIMIT 1000

# Find computers with WebClient AND with live sessions

MATCH p=(u:User)<-[:HasSession]-(c:Computer)
WHERE c.webclientrunning = True
RETURN p LIMIT 1000