Security Ripcord

Cutaway Security Blog and Projects

Sniffing Out Trusts With BloodHound

BloodHound (BH) returns a lot of useful information. Like any tool, there are different methods for extending the amount of information that it collects. The default configuration for BH is to search the local Domain for Users, Computers, Groups, Trusts, Sessions, and other information. While this information may be enough to demonstrate specific issues, it is also limited in the amount of data collected for other Domains. For RED teams this means critical attack path information may not be gathered and displayed. For BLUE teams the data collected does not provide all of the information necessary to assess risk across Domains.

The following information is intended to help users understand how to leverage BH’s options to gather information across Domain Trusts. Live examples are hard to come by. Therefore I will be leveraging examples to help explain these concepts without running the actual queries against a production environment. Users should still be able to leverage this guidance during their own trial-and-error process.

Normal Run

A normal BH run to gather information from the current Domain, as outlined in the BH Wiki PowerShell Ingestor page, is performed using the Get-BloodHoundData command. The information collected by this command is piped to the Export-BloodHoundData or Export-BloodHoundCSV commands to save the data. The following is an example of a typical initial run that will output data directly into a BH database.

Get-BloodHoundData | Export-BloodHoundData -URI http://SERVER:7474/ -UserPass "neo4j:BloodHound"

Reviewing Domain Trusts

Understanding the Domains available from a user’s current Domain is as easy as checking BH’s Prebuilt Queries. Selecting the “Map Domain Trusts” query will generate a graph of all of the Domains available. The Domain Trusts graph will display the one-way and two-way trusts between the Domains that were detected during the BH run. The following image shows an example of the Domain Trusts that may be experienced within an organization.

BH Domain Trusts

This image shows the “INTERNAL.AD” Domain (which we will consider the user’s current Domain). This Domain has a two-way trust with “DEV.AD”, “LEGAL.AD”, “HR.AD”, and “EXTERNAL.AD”. It also has a one-way trust to “MERGER.AD”, meaning that users within “INTERNAL.AD” are able to interact with resources in that Domain. Users in the “MERGER.AD” Domain are not able to interact with resources on the “INTERNAL.AD” Domain. The “SECRET.AD” Domain has a two-way trust with the “DEV.AD” Domain. This means that the “SECRET.AD” Domain cannot be queried directly from the “INTERNAL.AD” Domain. Gathering information about this Domain will require running BH from a system within the “DEV.AD” Domain.

Get-BloodHoundData Parameters

Running BH from the “INTERNAL.AD” Domain will gather information about the resources on this Domain but will not automatically gather information from the “EXTERNAL.AD” or other Domains. This action is left up to the user to ensure all of the data is imported correctly. How to query other Domains can be learned by reviewing the Get-Help information for the Get-BloodHoundData command. (Some users might want to pipe the Get-BloodHoundData command to the Get-Member command to list all of the available methods and properties, but this feature does not display property or method information as it does with other PowerShell commands.) Running the Get-Help command with the -Full option will provide the user with all of the details about this command and how it can be configured to run, including several examples. The following command will output this information.

 Get-Help Get-BloodHoundData -Full

Reading the full help is an exercise for the reader. This post is specifically related to querying additional Domains to gather User, Computer, and Session information. For collecting User and Computer information the -Domain parameter is used:

 -Domain <String>
    Domain to query for machines, defaults to the current domain.

    Required?                    false
    Position?                    named
    Default value
    Accept pipeline input?       false
    Accept wildcard characters?  false

Gathering Trusted Domain Information

The -Domain <String> parameter will gather information about the specified Domain. The following command is an example of using this parameter to gather information about the “LEGAL.AD” Domain and push it directly into the Neo4j database. If pointed to the same database that contains the information for the “INTERNAL.AD” Domain, the “LEGAL.AD” Domain information will augment the existing data.

 Get-BloodHoundData -Domain LEGAL.AD | Export-BloodHoundData -URI http://SERVER:7474/ -UserPass "neo4j:BloodHound"

Once collected the information can be reviewed using BH queries. While the search functionality is helpful the Raw Query command can be used to run specific queries. For example, all User to Computer session relationships can be displayed using the following command:

 MATCH (n:User),(m:Computer), (n)<-[r:HasSession]-(m) WHERE n.name =~ "(?i).*" RETURN n,r,m

If the INTERNAL.AD and LEGAL.AD Domains were gathered using BH, then the data contained in the database should generate a BH graph similar to the following image. As more Domain information is gathered, the relationships and graphs become more complex.

BH User Sessions

Collecting Distant Domains

Trust relationships do not automatically extend through Domains. For example, users on the “INTERNAL.AD” Domain can query information from the “DEV.AD” Domain. They cannot, however, query information from the “SECRET.AD” Domain. Attempting to do so will result in the following error messages.

 PS C:\Users\cutaway\Tools\BloodHound\PowerShell> Get-BloodHoundData -Domain SECRET.AD | Export-BloodHoundData -URI http://SERVER:7474/ -UserPass "neo4j:BloodHound"
Exception calling "FindAll" with "0" argument(s): "A referral was returned from the server.
At C:\Users\cutaway\Tools\BloodHound\PowerShell\BloodHound.ps1:5232 char:17
+                 $Results = $GroupSearcher.FindAll()
+                 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (:) [], MethodInvocationException
    + FullyQualifiedErrorId : DirectoryServicesCOMException

You cannot call a method on a null-valued expression.
At C:\Users\cutaway\Tools\BloodHound\PowerShell\BloodHound.ps1:5246 char:17
+                 $Results.dispose()
+                 ~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : InvalidOperation: (:) [], RuntimeException
    + FullyQualifiedErrorId : InvokeMethodOnNull

WARNING: Error: Exception calling "FindAll" with "0" argument(s): "A referral was returned from the server.
Exception calling "FindAll" with "0" argument(s): "A referral was returned from the server.
At C:\Users\cutaway\Tools\BloodHound\PowerShell\BloodHound.ps1:13415 char:40
+                 ForEach($UserResult in $UserSearcher.FindAll()) {
+                                        ~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (:) [], MethodInvocationException
    + FullyQualifiedErrorId : DirectoryServicesCOMException

Error connecting to Neo4j rest REST server at 'http://server:7474/'
At C:\Users\cutaway\Tools\BloodHound\PowerShell\BloodHound.ps1:13849 char:13
+             throw "Error connecting to Neo4j rest REST server at '$($ ...
+             ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : OperationStopped: (Error connectin...//server:7474/':String) [], RuntimeException
    + FullyQualifiedErrorId : Error connecting to Neo4j rest REST server at 'http://server:7474/'

Queries across Domains may be possible depending on the user running the command. But if those permissions are not available, it will be necessary to move to a resource within the “DEV.AD” Domain to gather information from the “SECRET.AD” Domain. The good news is that this data can be stored in the same database as the rest of the information. Storing the information in the same database will help expose any relationships between these Domains and could help build a path that will allow a user to move from one Domain to another.
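
A coverage check for the trust graph described in this post, as an added example (not code from the post or from BloodHound): it lists which Domains can be queried directly from the current Domain and which need a collection run from an intermediate Domain. Get-TrustCoverage is a hypothetical helper, the trust list is constructed from the example graph, and trusts are assumed to be non-transitive.

```powershell
# Added example. Trust list constructed from the example graph in this post.
# A -> B means accounts in A can query B; TwoWay adds the reverse direction.
$Trusts = @(
    [pscustomobject]@{ A = 'INTERNAL.AD'; B = 'DEV.AD';      TwoWay = $true  }
    [pscustomobject]@{ A = 'INTERNAL.AD'; B = 'LEGAL.AD';    TwoWay = $true  }
    [pscustomobject]@{ A = 'INTERNAL.AD'; B = 'HR.AD';       TwoWay = $true  }
    [pscustomobject]@{ A = 'INTERNAL.AD'; B = 'EXTERNAL.AD'; TwoWay = $true  }
    [pscustomobject]@{ A = 'INTERNAL.AD'; B = 'MERGER.AD';   TwoWay = $false }
    [pscustomobject]@{ A = 'DEV.AD';      B = 'SECRET.AD';   TwoWay = $true  }
)

function Get-TrustCoverage {    # hypothetical helper, not part of BloodHound
    param(
        [Parameter(Mandatory = $true)] [object[]] $Trusts,
        [Parameter(Mandatory = $true)] [string]   $CurrentDomain
    )
    # Build the "can query" adjacency list (assumption: non-transitive trusts).
    $canQuery = @{}
    foreach ($t in $Trusts) {
        foreach ($d in $t.A, $t.B) {
            if (-not $canQuery.ContainsKey($d)) { $canQuery[$d] = @() }
        }
        $canQuery[$t.A] += $t.B
        if ($t.TwoWay) { $canQuery[$t.B] += $t.A }
    }
    # Breadth-first walk: the Domain a target is first reached from is the
    # nearest place a collection run for that target has to start.
    $seen = @{}
    $seen[$CurrentDomain] = $true
    $queue = New-Object System.Collections.Queue
    $queue.Enqueue([pscustomobject]@{ Domain = $CurrentDomain; Hops = 0 })
    while ($queue.Count -gt 0) {
        $node = $queue.Dequeue()
        foreach ($next in $canQuery[$node.Domain]) {
            if ($seen.ContainsKey($next)) { continue }
            $seen[$next] = $true
            [pscustomobject]@{
                Domain      = $next
                CollectFrom = $node.Domain
                Direct      = ($node.Hops -eq 0)
            }
            $queue.Enqueue([pscustomobject]@{ Domain = $next; Hops = $node.Hops + 1 })
        }
    }
}

Get-TrustCoverage -Trusts $Trusts -CurrentDomain 'INTERNAL.AD' |
    Sort-Object Direct, Domain | Format-Table -AutoSize
```

Domains reported with Direct set to True can be collected with the -Domain parameter from the current Domain; the others need a run from the Domain listed under CollectFrom.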


Updated on 20161005

I asked the BloodHound team about gathering data from Domains that are not directly connected by Trusts but have an intermediate Domain with two-way Trusts. harmj0y provided the following guidance when referring to gathering information in this situation. I have pulled his response into a paragraph (any mistakes are mine).

[It] depends on the exact nature of the trust and if any network segmentation is implemented. Since the trusts work with a system of referrals that typically point you to the primary DC of the foreign domain. [It all depends on] whether the trusts are domain, intra-forest, inter-forest, transitive/non-transitive, etc. [It] all plays into the situation.

Thus, while it may be necessary to move to the intermediate network, other Domain configurations could permit the information gathering.


BH is an excellent tool for understanding relationships between Users, Computers, and across Domains. Running the tool without understanding the extent of the data it is collecting could limit the importance of these relationships. Users need to review the data as it is collected to determine if additional information gathering is necessary to get the full picture and understand the risk to the Active Directory environment.


Thank you to: apu, brandeezy, cptjesus, _wald0, and harmj0y

Go forth and do good things,
Don C. Weber