# Bloodhound

Bloodhound contain two parts of interest. One is Bloodhound itself including
the Neo4j database. The other are data collectors named `SharpHound.exe`,
`SharpHound.ps1`, `AzureHound.ps1` and `Bloodhound.py`.

## Data Collection

Sharphound is a portable executable which can be executed in the following way.
The runas command uses the user from the commandline parameter to respond to
network requests. So, runas is called as a cover up measurement.

```
runas /netonly /user:OnTheINTERNET\NobodyKnowsYoureADOG cmd.exe
SharpHound.exe --CollectionMethods All --Domain $TARGET_DOMAIN --ExcludeDCs
```

If there is no issue getting detected `--ExcludeDCs` can be ommited, so
information is gathered for DCs as well.

Alternativly, Bloodhound can be directly from the attacker or any other
machine. It connects to the the target network to collect information.

```sh
bloodhound-python -u $USER -p $PASSWORD -d $TARGET_DOMAIN -ns $DNS_NAMESERVER -c All --zip
```

## Data Exploration

Once the data has been collected and has been uploaded to the BloodHound
database, insights can be gained through the `Explore` option. Further, there
is `Pathfinding` and `Cypher`. The former shows connection between users and
objects, the latter contains predefined queries, e.g. `All Domain Admins` ,
`Map OU Structure` or `Map domain trusts` and multiple others.