BloodHound Basics: Querying Recently Created Objects in Active Directory


Happy #BloodHoundBasics Day! Today, we’re diving into a useful BloodHound query that helps you identify computers, users, and certificate templates created in the last X days. This is particularly valuable for forensic investigations and incident response. Here’s the query:

[cypher]
// whencreated is stored by BloodHound as Unix epoch seconds, so the cutoff is
// "now" in epoch seconds minus DAYS_AFTER days worth of seconds
WITH 365 AS DAYS_AFTER
MATCH p=(n:Base)
WHERE (n:User OR n:Computer OR n:CertTemplate)
AND n.whencreated > (datetime().epochSeconds - (DAYS_AFTER * 86400))
RETURN p
LIMIT 100
[/cypher]

This query returns users, computers and certificate templates created in the last 365 days. BloodHound stores `whencreated` as Unix epoch seconds, which is why the cutoff is computed as now minus `DAYS_AFTER * 86400`; adjust `DAYS_AFTER` to the window you are investigating, and remove `LIMIT 100` to return every match. The `CertTemplate` label exists only in BloodHound CE and only when SharpHound collected AD CS data, so on a legacy database that part of the filter simply matches nothing. Freshly created service accounts, newly joined machine accounts and new certificate templates are common persistence and escalation artifacts, so this window is worth checking early in an incident.
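The same filter can be applied without a running Neo4j instance, straight over the JSON files SharpHound writes. The script below is an added example, not code from the original post or from the BloodHound project: it mirrors the Cypher `WHERE` clause (only users, computers and certificate templates; `whencreated` newer than now minus `DAYS_AFTER` days) over an inline sample built in the shape of SharpHound's `users.json`, `computers.json`, `certtemplates.json` and `groups.json` output. The names, SIDs, GUIDs and the fixed "now" of 2024-06-01 are constructed for the demonstration; `load_sharphound_dir` is a helper for pointing it at a real unzipped collection.

```python
"""Added example: the "created in the last N days" filter from the Cypher query,
run offline over SharpHound JSON instead of over Neo4j.  Not part of the original post."""
import glob
import json
import os
from datetime import datetime, timezone

# The three node kinds the Cypher query targets; SharpHound writes each to its own file.
TARGET_TYPES = {"users", "computers", "certtemplates"}

# Fixed "now" (2024-06-01 00:00 UTC) so the sample below gives reproducible answers.
DEMO_NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)

# Constructed sample in the shape of SharpHound output: a "data" list whose entries
# carry a "Properties" map with "whencreated" as Unix epoch seconds.  Every name,
# SID and GUID here is invented.
SAMPLE_FILES = {
    "users.json": {"meta": {"type": "users", "version": 5, "count": 3}, "data": [
        {"ObjectIdentifier": "S-1-5-21-1-2-3-1105",
         "Properties": {"name": "SVC-BACKUP@CORP.LOCAL", "whencreated": 1704067200}},    # 2024-01-01
        {"ObjectIdentifier": "S-1-5-21-1-2-3-500",
         "Properties": {"name": "ADMINISTRATOR@CORP.LOCAL", "whencreated": 1262304000}}, # 2010-01-01
        {"ObjectIdentifier": "S-1-5-21-1-2-3-1200",
         "Properties": {"name": "NO-TIMESTAMP@CORP.LOCAL"}},                             # attribute missing
    ]},
    "computers.json": {"meta": {"type": "computers", "version": 5, "count": 1}, "data": [
        {"ObjectIdentifier": "S-1-5-21-1-2-3-1150",
         "Properties": {"name": "WS-NEW.CORP.LOCAL", "whencreated": 1714521600}},        # 2024-05-01
    ]},
    "certtemplates.json": {"meta": {"type": "certtemplates", "version": 5, "count": 1}, "data": [
        {"ObjectIdentifier": "0A1B2C3D-0000-4000-8000-000000000001",
         "Properties": {"name": "ESC-TEST@CORP.LOCAL", "whencreated": 1716076800}},      # 2024-05-19
    ]},
    "groups.json": {"meta": {"type": "groups", "version": 5, "count": 1}, "data": [
        {"ObjectIdentifier": "S-1-5-21-1-2-3-1300",
         "Properties": {"name": "NEW-GROUP@CORP.LOCAL", "whencreated": 1716076800}},     # not a target label
    ]},
}


def cutoff_epoch(days_after: int, now: datetime = DEMO_NOW) -> int:
    """Same arithmetic as the query: datetime().epochSeconds - DAYS_AFTER * 86400."""
    return int(now.timestamp()) - days_after * 86400


def recent_objects(files: dict, days_after: int, now: datetime = DEMO_NOW) -> list:
    """Mirror the Cypher WHERE clause over parsed SharpHound files.

    Only users, computers and certificate templates are considered.  Entries without
    a usable whencreated are skipped rather than treated as new.  Newest first.
    """
    cutoff = cutoff_epoch(days_after, now)
    hits = []
    for blob in files.values():
        if blob.get("meta", {}).get("type") not in TARGET_TYPES:
            continue
        for entry in blob.get("data", []):
            props = entry.get("Properties", {})
            created = props.get("whencreated")
            if not isinstance(created, int) or created <= cutoff:
                continue
            hits.append({
                "type": blob["meta"]["type"],
                "name": props.get("name"),
                "id": entry.get("ObjectIdentifier"),
                "whencreated": created,
                "whencreated_utc": datetime.fromtimestamp(created, tz=timezone.utc).isoformat(),
            })
    hits.sort(key=lambda h: h["whencreated"], reverse=True)
    return hits


def load_sharphound_dir(path: str) -> dict:
    """Read every *.json in an unzipped SharpHound collection (hypothetical helper)."""
    files = {}
    for name in glob.glob(os.path.join(path, "*.json")):
        with open(name, encoding="utf-8-sig") as fh:   # tolerate a leading BOM
            files[os.path.basename(name)] = json.load(fh)
    return files


if __name__ == "__main__":
    for hit in recent_objects(SAMPLE_FILES, 365, datetime.now(timezone.utc)):
        print(f'{hit["type"]:14} {hit["whencreated_utc"]}  {hit["name"]}')
```

Run it with `python3 recent.py` against the inline sample, or replace `SAMPLE_FILES` with `load_sharphound_dir("/path/to/unzipped/collection")` for real data. Skipping entries with no `whencreated` is deliberate: a missing attribute in a collection is a gap to investigate separately, not evidence that the object is new.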

You Should Know:

1. BloodHound Installation:

To get started with BloodHound, install it using the following commands:


# Install BloodHound on Linux (the bloodhound package is carried by the Kali repositories;
# on other distributions follow the BloodHound GitHub instructions instead)
sudo apt-get update
sudo apt-get install bloodhound

2. Neo4j Database Setup:

BloodHound relies on Neo4j for data storage. Install Neo4j with the commands below, then change the default `neo4j`/`neo4j` credentials on first login and keep the 7474 (HTTP) and 7687 (Bolt) listeners bound to localhost: the database will hold a complete map of your domain.


# Install Neo4j on Linux, enable it at boot and start it now
sudo apt-get install neo4j
sudo systemctl enable neo4j
sudo systemctl start neo4j

3. Ingesting Data into BloodHound:

Use SharpHound to collect data from your Active Directory environment. Run it on a domain-joined host in the context of a domain user, use the SharpHound release that matches your BloodHound version (CE or legacy), and upload the resulting zip through the BloodHound interface:


# Run the SharpHound collector with every collection method; the zip it writes is what you import
.\SharpHound.exe -c All

4. Querying Active Directory with PowerShell:

If you prefer PowerShell, you can query recently created objects directly:


# Find users created in the last 365 days. The AD filter parser cannot evaluate
# method calls such as (Get-Date).AddDays(-365), so compute the cutoff into a variable first.
$cutoff = (Get-Date).AddDays(-365)
Get-ADUser -Filter {whenCreated -gt $cutoff} -Properties whenCreated

5. Linux Command for Timestamp Conversion:

Convert timestamps for analysis using:


# Convert an epoch value (the form BloodHound stores in whencreated) to a human-readable date;
# -u prints UTC, which is how AD records whenCreated
date -u -d @1633072800

6. Windows Command for Object Creation Date:

Use `dsquery` to find objects created within a specific timeframe. The comparison value must be in LDAP generalizedTime syntax (`YYYYMMDDHHMMSS.0Z`, UTC), and user objects are matched with `objectCategory=person` combined with `objectClass=user` (a user's objectCategory is Person, not User):

dsquery * domainroot -limit 100 -attr name whencreated -filter "(&(objectCategory=person)(objectClass=user)(whenCreated>=20220101000000.0Z))"

What Undercode Says:

BloodHound is an indispensable tool for Active Directory reconnaissance and security analysis. The ability to query recently created objects can help identify potential threats or misconfigurations in your environment. By combining BloodHound with PowerShell and Linux commands, you can streamline your forensic investigations and incident response processes. Always ensure your tools are up-to-date and practice these commands in a lab environment before deploying them in production.

For further reading, check out the official BloodHound documentation:
BloodHound GitHub
Neo4j Documentation

Stay sharp and keep exploring! 🔍

References:

Reported By: Specterops Bloodhoundbasics – Hackers Feeds
