06 ‐ BloodHound (Legacy)
PsMapExec streamlines the generation of custom cipher queries tailored for seamless integration into the BloodHound GUI. These queries are automatically compiled into a single file located at:
$PWD\PME\BloodHound\Query.txt
As PsMapExec is used, the query file grows incrementally, incorporating insights gathered during operations. It automatically includes:
- Compromised (Owned) Users
- Compromised (Owned) Computers
- Extracted Credential Types (RC4, AES256, Cleartext Passwords)
-
AdminTorelationships -
CanRDPaccess paths
The query file updates dynamically based on the method or module invoked within PsMapExec:
-
Spray:- Marks targeted users as owned
- Updates user nodes with discovered credentials
-
RDP:- Constructs a
CanRDPpath between user and target system
- Constructs a
-
WMI/WinRM/SMB:- Marks the target system as owned
- Creates an
AdminTorelationship from user to host
-
eKeys/LogonPasswords:- Dumps credentials from memory
- Marks both the host and any discovered users as owned
- Updates node properties with retrieved credentials
If you successfully extract credentials using memory dumping modules, such as eKeys or LogonPasswords, for a user like Yap-Yap, the updated query file reflects:
-
Yap-Yapmarked as owned - Node properties enhanced with credential details
By leveraging discovered credentials for Yap-Yap, an AdminTo path is revealed showing Yap-Yap has administrative access to [email protected]. The query file is updated to:
- Mark
MDTSRVas owned - Create an
AdminToedge fromYap-YaptoMDTSRV
Using Yap-Yap's credentials to probe RDP access results in CanRDP relationships being visualized, such as access to SRV2012. Since RDP access does not imply full administrative control, SRV2012 is not flagged as owned.
