A pair of scripts to import session and local group information that has been collected from alternate data sources into BloodHound's Neo4j database.
SharpHound's privileged session collection requires an account with elevated permissions to operate. When using BloodHound as a Blue Team tool to locate and resolve misconfigurations and identify dangerous behaviors, detailed and accurate session information is highly beneficial, but an account that has local administrative rights on every endpoint is itself a security risk.
Session information can instead be obtained from alternate sources: centrally logged local Windows Security Events, or other tools that can poll live endpoints for logged-on users. That information can be collected into a spreadsheet and added to the BloodHound database via Cypher queries.
```
git clone https://github.com/xenoscr/SessionHound.git SessionHound
cd SessionHound
pip install -r requirements.txt
```
```
usage: SessionHound.py [-h] [--neo4j-uri NEO4J_URI] [-u USERNAME]
                       [--password PASSWORD] [--debug] [--dry-run]
                       csv

Import computer session data from a CSV file into BloodHound's Neo4j database.
The CSV should have two columns matching the following header structure:
['username', 'hostname']

positional arguments:
  csv                   The path to the CSV file containing the session data
                        to import.

optional arguments:
  -h, --help            show this help message and exit
  --neo4j-uri NEO4J_URI
                        Neo4j connection string (Default:
                        bolt://localhost:7687 )
  -u USERNAME, --username USERNAME
                        Neo4j username (Default: neo4j)
  --password PASSWORD   Neo4j password. If not provided on the command line,
                        you will be prompted to enter it.
  --debug               Print debug information.
  --dry-run             Verify connectivity to neo4j and check for CSV parsing
                        issues, but don't actually import data
```
The CSV file needs to have two columns:
- username: The User Principal Name (UPN), e.g. user@example.com
- hostname: The host's FQDN, e.g. HOSTNAME.EXAMPLE.COM

Sample file (placeholder values):

```
username,hostname
user01@example.com,host01.example.com
user02@example.com,host01.example.com
user01@example.com,host02.example.com
```
```
usage: GroupHound.py [-h] [--neo4j-uri NEO4J_URI] [-u USERNAME]
                     [--password PASSWORD] [--debug] [--dry-run]
                     csv {adminto,canrdp,canpsremote,executedcom}

Import computer local group data from a CSV file into BloodHound's Neo4j
database. The CSV should have three columns matching the following header
structure: ['username', 'hostname', 'type']

positional arguments:
  csv                   The path to the CSV file containing the session data
                        to import.
  {adminto,canrdp,canpsremote,executedcom}
                        The access type: AdminTo, CanRDP, CanPSRemote, or
                        ExecuteDCOM.

optional arguments:
  -h, --help            show this help message and exit
  --neo4j-uri NEO4J_URI
                        Neo4j connection string (Default:
                        bolt://localhost:7687 )
  -u USERNAME, --username USERNAME
                        Neo4j username (Default: neo4j)
  --password PASSWORD   Neo4j password. If not provided on the command line,
                        you will be prompted to enter it.
  --debug               Print debug information.
  --dry-run             Verify connectivity to neo4j and check for CSV parsing
                        issues, but don't actually import data
```
The CSV file needs to have three columns:
- username: The User Principal Name (UPN), e.g. user@example.com
- hostname: The host's FQDN, e.g. HOSTNAME.EXAMPLE.COM
- type: The object type, User or Group

Sample file (placeholder values):

```
username,hostname,type
user01@example.com,host01.example.com,User
user02@example.com,host01.example.com,User
group01@example.com,host02.example.com,Group
group02@example.com,host02.example.com,Group
```
NOTE: If you use Excel to prepare the CSV, saving it in Unicode/UTF-8 format will cause parsing errors. To avoid this, use the CSV (Comma delimited) save option rather than CSV UTF-8 (Comma delimited).
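The following is an added example of the pre-import checks a dry run should make before these CSV files reach Neo4j; it is not SessionHound's or GroupHound's own code. It validates the header and each row, tolerates the UTF-8 BOM that Excel's CSV UTF-8 option writes (the usual cause of the errors mentioned in the note), and builds batched Cypher statements. The Cypher templates, the `HasSession` / `AdminTo` edge directions and the upper-cased node names follow the BloodHound schema as I know it and are an assumption, as are the sample rows.

```python
import csv
import io
import re

UPN_RE = re.compile(r"^[^@\s,]+@[^@\s,]+\.[^@\s,]+$")      # user@domain.tld
FQDN_RE = re.compile(r"^[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+$")  # host.domain.tld
RELATIONSHIPS = {"adminto": "AdminTo", "canrdp": "CanRDP",
                 "canpsremote": "CanPSRemote", "executedcom": "ExecuteDCOM"}

# Constructed sample input. The session file starts with the UTF-8 BOM (EF BB BF)
# that Excel's "CSV UTF-8" option writes; the group file is plain "CSV (Comma delimited)".
SESSION_CSV = (b"\xef\xbb\xbfusername,hostname\r\n"
               b"alice@example.com,host01.example.com\r\n"
               b"not-a-upn,host01.example.com\r\n")
GROUP_CSV = (b"username,hostname,type\r\n"
             b"alice@example.com,host01.example.com,User\r\n"
             b"helpdesk@example.com,host02.example.com,Group\r\n")

def parse_rows(data: bytes, required: tuple) -> tuple:
    """Check the header and every row; return (clean_rows, bad_line_numbers)."""
    # utf-8-sig drops a leading BOM; plain utf-8 would leave "\ufeffusername" as the first header.
    reader = csv.DictReader(io.StringIO(data.decode("utf-8-sig")))
    if tuple(reader.fieldnames or ()) != required:
        raise ValueError(f"expected header {list(required)}, got {reader.fieldnames}")
    rows, bad = [], []
    for lineno, row in enumerate(reader, start=2):
        row = {k: (v or "").strip() for k, v in row.items()}
        ok = UPN_RE.match(row["username"]) and FQDN_RE.match(row["hostname"])
        if "type" in row:
            ok = ok and row["type"] in ("User", "Group")
        if not ok:
            bad.append(lineno)
            continue
        row["username"], row["hostname"] = row["username"].upper(), row["hostname"].upper()  # BloodHound names are upper-case
        rows.append(row)
    return rows, bad

def session_query() -> str:  # Computer -[:HasSession]-> User, batched via UNWIND over $rows
    return ("UNWIND $rows AS r MERGE (c:Computer {name: r.hostname}) "
            "MERGE (u:User {name: r.username}) MERGE (c)-[:HasSession]->(u)")

def local_group_query(access_type: str, label: str) -> str:  # User/Group -[rel]-> Computer
    rel = RELATIONSHIPS[access_type.lower()]
    return (f"UNWIND $rows AS r MERGE (p:{label} {{name: r.username}}) "
            f"MERGE (c:Computer {{name: r.hostname}}) MERGE (p)-[:{rel}]->(c)")

def plan_group_import(data: bytes, access_type: str) -> tuple:
    """Dry run: one (query, rows) batch per node label; nothing is sent to Neo4j."""
    rows, bad = parse_rows(data, ("username", "hostname", "type"))
    plan = [(local_group_query(access_type, label), [r for r in rows if r["type"] == label])
            for label in ("User", "Group")]
    return [p for p in plan if p[1]], bad
```

Each (query, rows) pair is ready to hand to a Neo4j session as `session.run(query, rows=rows)`; rejected line numbers are reported so a bad spreadsheet row is fixed before anything is written.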