
Introduction:
A long-standing challenge for defenders has been connecting asset inventory data with Active Directory attack paths. runZeroHound, a new open-source toolkit, bridges this gap by importing runZero’s asset data into BloodHound’s attack graph engine. The combination lets security teams run Cypher-based analysis on real, up-to-date network data and visualize how an attacker could pivot from a single compromised asset to domain dominance.
Learning Objectives:
- Understand the core functionality and architecture of the runZeroHound integration tool.
- Learn how to execute runZeroHound to generate and import OpenGraph data into BloodHound.
- Master creating and running custom Cypher queries in BloodHound to identify critical attack paths based on live asset data.
You Should Know:
1. Installing runZeroHound from Source
The first step is to acquire the tool. Being open-source, it’s hosted on a public repository. You can clone it directly using Git.
git clone https://github.com/runzero-inc/runZeroHound.git
cd runZeroHound
This `git clone` command creates a local copy of the entire runZeroHound project on your machine. Navigating into the directory with `cd` is essential for the subsequent steps, as all configuration and execution will happen from within this folder.
2. Configuring runZero API Credentials
runZeroHound needs programmatic access to your runZero inventory. This is achieved via an API key. The tool uses a configuration file where you must place your credentials.
cp config.example.toml config.toml
# Edit config.toml with your text editor of choice
nano config.toml
# Add the following lines, replacing the placeholders with your actual data:
runzero_url = "https://console.runzero.com"
runzero_oid = "your_organization_id"
runzero_api_key = "your_api_key_here"
The `cp` command creates your personal configuration file from the template; `nano` is one simple editor for modifying it. `runzero_url` points at your runZero console, `runzero_oid` selects the organization whose inventory is exported, and `runzero_api_key` authenticates every request the tool makes to the runZero API. Treat the key like a password: keep `config.toml` out of version control, issue the key with the narrowest scope runZero allows for the single organization you need, and rotate it if it is ever exposed.
3. Generating the OpenGraph Data File
With configuration complete, you can now generate the data file that BloodHound will consume. This is done by running the main Python script.
python3 runzerohound.py -o bloodhound_data.json
This command executes the Python script. The `-o bloodhound_data.json` flag specifies the output file. The script will call the runZero API, process the asset inventory, and convert it into a JSON file formatted according to the BloodHound OpenGraph specification, containing computers, users, and relationships.
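To make the OpenGraph shape concrete, the following is an added example, not runZeroHound’s own code and not its output format. It converts a few constructed, runZero-style asset records into an OpenGraph document (a `graph` object with `nodes` carrying `id`, `kinds` and `properties`, and `edges` carrying `start`, `end`, `kind` and `match_by`) and checks the document for the problems that most often make an import fail: duplicate node ids, nodes without kinds, and edges pointing at nodes that do not exist. The input field names, the `/24` subnet grouping and the `RZ_Subnet`/`RZ_InSubnet` kinds are assumptions for illustration; verify the envelope against the BloodHound CE version you run.

```python
"""Illustrative OpenGraph builder for runZero-style asset records.
Added example: not runZeroHound's code.  Input field names, the /24 grouping
and the RZ_* custom kinds are assumptions chosen for the demo."""
import ipaddress
import json

# Constructed sample records shaped like a trimmed runZero asset export.
SAMPLE_ASSETS = [
    {"id": "rz-0001", "names": ["WS01"], "domains": ["CORP.LOCAL"],
     "addresses": ["10.10.1.25"], "os": "Windows 11", "last_seen": 1717000000},
    {"id": "rz-0002", "names": ["DC01"], "domains": ["CORP.LOCAL"],
     "addresses": ["10.10.1.5"], "os": "Windows Server 2022", "last_seen": 1717000100},
    {"id": "rz-0003", "names": ["printer-3f"], "domains": [],
     "addresses": ["10.10.2.40"], "os": "Embedded", "last_seen": 1716990000},
]


def computer_name(asset):
    """BloodHound names AD computers HOST.DOMAIN in upper case.  Assets with
    no domain are kept under their bare host name but will not merge with
    SharpHound-collected computer nodes."""
    host = asset["names"][0].upper()
    if asset["domains"]:
        return f"{host}.{asset['domains'][0].upper()}"
    return host


def build_opengraph(assets, source_kind="runzero_example"):
    """Return an OpenGraph document with one Computer node per asset and a
    hypothetical RZ_Subnet node plus RZ_InSubnet edge per /24 observed."""
    nodes, edges, subnets = [], [], set()
    for asset in assets:
        name = computer_name(asset)
        # Caveat: SharpHound identifies computers by SID.  Using the name as
        # id means these nodes stand beside, not merge with, AD-collected ones.
        nodes.append({
            "id": name,
            "kinds": ["Computer", "Base"],   # built-in kinds: UI and queries treat it as a computer
            "properties": {"name": name, "runzero_asset_id": asset["id"],
                           "addresses": asset["addresses"], "os": asset["os"],
                           "lastseen": asset["last_seen"]},
        })
        for ip in asset["addresses"]:
            net = str(ipaddress.ip_interface(f"{ip}/24").network)  # /24 is a demo assumption
            subnet_id = f"RZ_SUBNET:{net}"
            if subnet_id not in subnets:
                subnets.add(subnet_id)
                nodes.append({"id": subnet_id, "kinds": ["RZ_Subnet"],  # hypothetical custom kind
                              "properties": {"name": net}})
            edges.append({"start": {"value": name, "match_by": "id"},
                          "end": {"value": subnet_id, "match_by": "id"},
                          "kind": "RZ_InSubnet",  # hypothetical custom edge kind
                          "properties": {}})
    return {"metadata": {"source_kind": source_kind},
            "graph": {"nodes": nodes, "edges": edges}}


def validate_opengraph(doc):
    """Return a list of problems; an empty list means the structural checks
    that commonly break an import all passed."""
    problems, seen = [], set()
    for node in doc["graph"]["nodes"]:
        if node["id"] in seen:
            problems.append(f"duplicate node id {node['id']}")
        seen.add(node["id"])
        if not node.get("kinds"):
            problems.append(f"node {node['id']} has no kinds")
    for edge in doc["graph"]["edges"]:
        for side in ("start", "end"):
            ref = edge[side]
            # Only id references can be resolved inside this file; name
            # references may legitimately target nodes already in BloodHound.
            if ref.get("match_by", "id") == "id" and ref["value"] not in seen:
                problems.append(f"{edge['kind']} edge references unknown node {ref['value']}")
    return problems


def write_opengraph(path, assets):
    """Build, validate and write the document; raise if it would not import."""
    doc = build_opengraph(assets)
    problems = validate_opengraph(doc)
    if problems:
        raise ValueError("; ".join(problems))
    with open(path, "w", encoding="utf-8") as fh:
        json.dump(doc, fh, indent=2)
    return doc


if __name__ == "__main__":
    document = write_opengraph("example_opengraph.json", SAMPLE_ASSETS)
    print(f"{len(document['graph']['nodes'])} nodes, {len(document['graph']['edges'])} edges written")
```

Running the script writes `example_opengraph.json`, which can be uploaded through the same import dialog described in the next step; the validation step is worth keeping in any pipeline, because BloodHound rejects a file with dangling edges only after you have waited for the upload.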
4. Importing Data into BloodHound Community Edition
BloodHound Community Edition (CE) has a dedicated UI for importing custom data sets. After generating your `bloodhound_data.json` file, open BloodHound.
1. In the BloodHound UI, click on the "Import" button in the top menu.
2. Select "Upload a .json file" from the dropdown.
3. Click "Browse" and navigate to your `bloodhound_data.json` file.
4. Click "Upload" and wait for the import to complete.
This graphical process ingests the runZero-derived data into your BloodHound database. You will see a confirmation message, and the asset nodes will now appear in your graph.
5. Querying for High-Value Attack Paths
The ultimate goal is to query this enriched graph. BloodHound’s power lies in its pre-built and custom Cypher queries. Start with a fundamental query to find shortest paths to Domain Admins from owned systems.
MATCH (c:Computer), (g:Group {name: "DOMAIN ADMINS@YOURDOMAIN.LOCAL"}), p=shortestPath((c)-[*1..]->(g)) RETURN p
This Cypher query, executed in BloodHound’s Cypher query tab, does the following: `MATCH` finds all `Computer` nodes and the specific `Group` for Domain Admins. BloodHound stores group names as upper-case `NAME@FQDN`, so replace `YOURDOMAIN.LOCAL` with your domain’s fully qualified name. `p=shortestPath((c)-[*1..]->(g))` finds the shortest chain of one or more relationships (e.g., `MemberOf`, `AdminTo`) connecting any computer to the high-value group; the asterisk marks the variable-length pattern and is required. `RETURN p` visualizes that path.
6. Identifying Domain Computers with runZero Data
You can also create more specific queries leveraging the asset context from runZero. For instance, find all computers that are part of the “Domain Computers” group.
MATCH (c:Computer)-[:MemberOf]->(g:Group) WHERE g.objectid ENDS WITH "-515" RETURN c
This query follows the `MemberOf` edge from each computer to the group whose `objectid` ends in `-515`, the well-known Relative Identifier (RID) of the “Domain Computers” group in Active Directory. The group, not the computer, carries that RID: a computer’s own `objectid` ends in its unique RID, so filtering computers directly on `-515` returns nothing. The `MemberOf` edges come from the Active Directory collection already in BloodHound; the runZero import adds the asset context that lets you compare the domain-joined inventory against what was actually observed on the network.
7. Analyzing Administrative Access
A critical attack path involves understanding which users have local administrative rights on which computers. Use this query to map out those relationships.
MATCH p=(m:User)-[r:AdminTo]->(n:Computer) RETURN p
This simple yet powerful query matches all paths (`p`) where a `User` node has an `AdminTo` relationship directed at a `Computer` node. Visualizing this can reveal overly permissive administrative accounts, a common finding that significantly increases an organization’s attack surface. Note that it returns only rights granted directly to a user; administrative access granted through a group appears as an `AdminTo` edge from the `Group` node, so also follow the `MemberOf` chain from users to those groups to see the full picture.
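The three queries above are run by hand in the UI; once the runZero import is repeated on a schedule, you will want to run them the same way. The following is an added example, not part of the article or of runZeroHound, that sends them to BloodHound CE’s REST API. The request signing (an HMAC-SHA256 chain over method plus path, then the request hour, then the body, sent as `Authorization: bhesignature <token id>`, `RequestDate` and `Signature` headers) follows SpecterOps’ published API client sample; the `/api/v2/graphs/cypher` path, the environment variable names, the `CORP.LOCAL` domain placeholder and the response shape are assumptions to check against your deployment.

```python
"""Added example: run the article's Cypher queries through the BloodHound CE
API.  Signing scheme per the SpecterOps sample client; endpoint path, env var
names and response shape are assumptions to verify against your version."""
import base64
import datetime
import hashlib
import hmac
import json
import os
import urllib.request

# The Domain Admins name must be your real upper-case FQDN; CORP.LOCAL is a placeholder.
QUERIES = {
    "shortest_paths_to_domain_admins":
        'MATCH (c:Computer), (g:Group {name: "DOMAIN ADMINS@CORP.LOCAL"}), '
        'p=shortestPath((c)-[*1..]->(g)) RETURN p',
    "domain_computers":
        'MATCH (c:Computer)-[:MemberOf]->(g:Group) WHERE g.objectid ENDS WITH "-515" RETURN c',
    "direct_admin_rights":
        'MATCH p=(m:User)-[r:AdminTo]->(n:Computer) RETURN p',
}


def sign_request(token_id, token_key, method, uri, body=b"", now=None):
    """Return the headers BloodHound CE expects for one API call.

    The signature binds the method and path, the request hour and the exact
    body, so a captured header cannot be replayed against another endpoint,
    with a different query, or after the hour rolls over."""
    now = now or datetime.datetime.now(datetime.timezone.utc)
    request_date = now.isoformat("T")  # e.g. 2024-06-01T12:00:00+00:00

    digester = hmac.new(token_key.encode(), None, hashlib.sha256)
    digester.update(f"{method}{uri}".encode())               # 1. method + path
    digester = hmac.new(digester.digest(), None, hashlib.sha256)
    digester.update(request_date[:13].encode())              # 2. YYYY-MM-DDTHH
    digester = hmac.new(digester.digest(), None, hashlib.sha256)
    digester.update(body)                                    # 3. request body
    return {
        "User-Agent": "runzerohound-query-example",
        "Authorization": f"bhesignature {token_id}",
        "RequestDate": request_date,
        "Signature": base64.b64encode(digester.digest()).decode(),
        "Content-Type": "application/json",
    }


def run_cypher(base_url, token_id, token_key, query, include_properties=True):
    """POST one Cypher query and return the decoded JSON response."""
    uri = "/api/v2/graphs/cypher"
    body = json.dumps({"query": query, "include_properties": include_properties}).encode()
    request = urllib.request.Request(
        base_url.rstrip("/") + uri, data=body, method="POST",
        headers=sign_request(token_id, token_key, "POST", uri, body))
    with urllib.request.urlopen(request, timeout=60) as response:
        return json.load(response)


def summarize(result):
    """Count returned nodes and edges; the data/nodes/edges layout is assumed."""
    data = result.get("data", {})
    return len(data.get("nodes", {})), len(data.get("edges", []))


if __name__ == "__main__":
    url, tid, tkey = os.environ["BHE_URL"], os.environ["BHE_TOKEN_ID"], os.environ["BHE_TOKEN_KEY"]
    for name, cypher in QUERIES.items():
        nodes, edges = summarize(run_cypher(url, tid, tkey, cypher))
        print(f"{name}: {nodes} nodes, {edges} edges")
```

Create the token under your BloodHound user’s API key management, export it as `BHE_TOKEN_ID` and `BHE_TOKEN_KEY`, and run the script after each runZeroHound import; a sudden growth in the shortest-path result set between runs is the signal worth alerting on. Keep the token key out of the repository alongside the runZero API key.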
8. Leveraging BloodHound’s Built-In Analysis
Beyond custom Cypher, use BloodHound’s “Analysis” tab to run standardized queries on your runZero data.
1. Click the "Analysis" tab in BloodHound.
2. Run the "Find All Domain Admins" query.
3. Run the "Find Shortest Paths to Domain Admins" query.
4. Run the "Find Principals with DCSync Rights" query.
These one-click analyses provide immediate, high-impact insights without writing any code. They process the imported runZeroHound data to highlight the most critical security issues in your Active Directory environment.
What Undercode Say:
- The integration of asset inventory with attack path mapping is no longer a luxury but a necessity for modern defense. runZeroHound provides a pragmatic, automated bridge between these two worlds.
- This tool fundamentally shifts the value proposition of BloodHound from a theoretical exercise to a live, data-driven exposure management system, grounded in the reality of what assets actually exist on the network.
The launch of runZeroHound signifies a maturation in the cybersecurity tooling ecosystem, moving from siloed point solutions to integrated platforms. By leveraging the new OpenGraph standard, HD Moore’s team has not only built a useful tool but has also championed an interoperable future. This approach forces defenders to think like attackers, using the same graph-based reasoning to preemptively find and fix critical paths. The enthusiastic response from the professional community, including seasoned red teamers and security architects, underscores the tool’s immediate practical utility. It effectively turns a defensive asset inventory into an offensive hunting map, allowing organizations to proactively dismantle attack paths before they can be exploited.
Prediction:
The success of runZeroHound will catalyze a wave of similar integrations, with other asset management and vulnerability scanning vendors rapidly adopting the BloodHound OpenGraph standard. Within two years, graph-based attack path analysis fed by live, automated data sources will become a baseline capability for any mature security operations program, fundamentally changing how enterprises measure and manage their internal risk posture.
Reported By: Hdmoore Uncovering – Hackers Feeds


