Howto Setup BlueHound
TL;DR howto setup BlueHound, useful as a blue team version of BloodHound, provides AD info as well as vulnerability & other info. Overall a very versatile tool.
Part I: Howto Setup BloodHound
Part II: Howto Setup BlueHound
This isn’t new, but it was new to me. I didn’t see a setup guide for BlueHound on Google so I figured I’d write one. I used the instructions on BlueHound’s Github, tweaked things a bit for my environment, and added some dependencies.
BlueHound is a free, open source, blue team version of BloodHound. It can take output from SharpHound as well as ShotHound, various vulnerability scanners, and various other sources. It takes the resulting data and shows likely attack paths, what should be a priority for mitigation, etc. Additionally it can be set to run on a schedule once setup, for example if weekly reports are required.
Much like setting up BloodHound, the first requirement is to install the free Neo4j desktop. Once it is installed just add a DB. I named mine BlueHound with neo4j/password as the login. Use whatever makes sense to you.
Grab a copy of the latest SharpHound release from here. Please note that this file will get flagged & deleted by Microsoft Defender. I made an exemption for C:\Temp and put it there:
Set-MpPreference -ExclusionPath “C:\Temp”
Download BlueHound itself from here. Once it’s unzipped simply pin BlueHound.exe to the taskbar, run it, and log in to Neo4j.
Import the data
Navigate to ‘Data Import Tools’ and configure the collectors for BlueHound. SharpHound is shown as an example.
Once a collector is configured it can be run to import data.
I tried out ShotHound and the Vulnerabilities Data Import tools, however they did not find anything in my lab to include in BlueHound’s output. Both are included in the BloodHound tools located here. Both are *.py, so grab a copy of Python here. Once it’s installed you will need to exempt the Python folder in Defender and then add cornershot, neo4j, and pandas. Cornershot will trip Defender when you add it if you don’t exempt the folder.
Set-MpPreference -ExclusionPath "<path to Python install>"
Set-MpPreference -DisableRealTimeMonitoring $true
pip install cornershot
pip install neo4j
pip install pandas
Once these modules are added you can run ShotHound:
C:\Temp\BloodHound-Tools-main\BloodHound-Tools-main\ShotHound\shothound.py — dbuser neo4j — dbpass password — dburl bolt://localhost:7687 -ud <domain username> <domain password> test.local
The Vulnerabilities Data Import can take output from nmap, Nessus, and other scanners and import it into BlueHound. I tried it out with nmap in the lab. Simply run a nmap scan of your IP range, save the results as an XML, and then use the below command syntax:
python main.py - dbuser neo4j - dbpass password - dburl bolt://localhost:7687 -d test.local -nm scan.xml
Putting it all together with BlueHound
Once you have input the data just let BlueHound know what the HVTs are:
It will then show you what paths an attacker is likely to take.
It also shows you some stuff to be aware of like ASREPRoastable users, Kerberoastable users, users with the most paths to hosts, etc. Many of these don’t return any results in my lab, for example I don’t have any ASREPRoastable users. Queries like ‘users with the most paths to hosts’ is rather handy. If you see a non-Domain Admin in that list then something is probably wrong.
Obviously in a production environment you would see different numbers. My lab only has a few Domain Users, only one of which is enabled. There’s currently only one Win10 workstation, the rest are all member servers for stuff like Azure AD Connect and Azure AD Cloud Sync or DCs.
BlueHound vs BloodHound
Personally I like the paths in BloodHound better, however BlueHound is still new. It’s free and open source, so I’d expect it to make progress. BlueHound has better reporting overall already and can give defenders an idea of where they should focus first.
Overall I really like BlueHound. It’s free, was pretty straightforward to setup, and has some nice reporting features ‘out of the box’. It can be scheduled to run on a regular basis and hence can automatically spit out reports of how defenders are making progess on everything from patching to host hardening to locking down privileges. Custom collectors can be added as well, so BlueHound is a rather versatile tool. The only part that really took me any tweaking was setting up some collectors.