# Collectors

```powershell
# SharpHound.exe
# --CollectionMethods All: use every data collection method.
# --ExcludeDCs: exclude DCs from the collection process to reduce detection risk.
.\SharpHound.exe --CollectionMethods All --Domain <domain> --ExcludeDCs

# BloodHound.py - Linux
# The -ns flag is usually not needed; the collector works without it
# as long as the domain's nameserver is registered in /etc/resolv.conf.
bloodhound-python -u <user>@domain -p <password> -d <domain> -c DCOnly --zip
bloodhound-python -u <user> -p <password> -d <domain> -ns <dns_ip> -c DCOnly --zip
bloodhound-python -u <user> -p <password> -d <domain> -ns <dns_ip> -c All --zip
```

# Bloodhound CE

```bash
cd ~/.config/bloodhound
docker compose stop     # to stop the containers
docker compose up -d    # to start them again
docker compose down     # to tear the deployment down
```

### The Two-Stage Attack Model

1. Enumeration
2. Targeted Attack

### Enumeration

- Attackers deploy data collectors (SharpHound or BloodHound-python) to gather information about the AD structure, including user sessions, group memberships, access control lists, and delegation settings. Even if the blue team detects them early, attackers already possess enough offline data to build a complete attack graph.

### Targeted Attack

- Using BloodHound offline, attackers identify efficient paths to their goals. When they re-enter the environment, they can move laterally and escalate privileges within minutes. This ability to plan attacks offline from a detailed relationship map made BloodHound an indispensable tool for both offence and proactive defence.

### SharpHound

- The official BloodHound data collector, written in C#. It enumerates key AD elements:
  - Group memberships
  - Session data
  - ACLs
  - Domain trusts
  - Privileged relationships

### Types of SharpHound Collectors

- SharpHound.exe
- AzureHound.ps1
- SharpHound.ps1 (deprecated)

### BloodHound.py (Python Collector)

- Ideal for Linux-based systems or environments where Python is preferred.
- enumerate AD domains without requiring Windows-specific
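Because the collectors above leave behind a `--zip` archive of JSON files, an incident responder who finds one on a host wants a quick inventory of what was already exfiltrated. The following is an added example, not code from BloodHound or SharpHound; it assumes the archive layout the collectors use (one JSON file per object type with top-level `data` and `meta` keys, `meta.type`/`meta.count`, and computer objects carrying `Properties.name` and `Sessions.Results`), and builds a constructed sample archive for a dry run.

```python
"""Inventory what a SharpHound / bloodhound-python --zip archive collected."""
import io
import json
import zipfile
from collections import Counter


def summarize_collection_zip(zip_bytes: bytes) -> dict:
    """Return counts per collected object type plus hosts with session data.

    Assumed layout (matches current collector output but is an assumption here):
      {"data": [...], "meta": {"type": "computers", "count": N, "version": V}}
    """
    summary = {"types": Counter(), "session_hosts": set(), "files": []}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for name in zf.namelist():
            if not name.lower().endswith(".json"):
                continue  # collectors only write JSON; anything else is noise
            try:
                # utf-8-sig strips the BOM SharpHound prepends to its JSON files
                doc = json.loads(zf.read(name).decode("utf-8-sig"))
            except (UnicodeDecodeError, json.JSONDecodeError):
                summary["files"].append((name, "unparseable"))
                continue
            meta = doc.get("meta", {})
            data = doc.get("data", [])
            obj_type = meta.get("type", "unknown")
            summary["types"][obj_type] += meta.get("count", len(data))
            summary["files"].append((name, obj_type))
            if obj_type == "computers":  # session data shows which hosts were probed
                for comp in data:
                    if comp.get("Sessions", {}).get("Results"):
                        host = comp.get("Properties", {}).get("name", "?")
                        summary["session_hosts"].add(host)
    return summary


def build_sample_zip() -> bytes:
    """Constructed sample archive (not real collector output) for a dry run."""
    computers = {"data": [
        {"Properties": {"name": "WS01.CORP.LOCAL"},
         "Sessions": {"Results": [{"UserSID": "S-1-5-21-1-2-3-1105"}]}},
        {"Properties": {"name": "DC01.CORP.LOCAL"}, "Sessions": {"Results": []}},
    ], "meta": {"type": "computers", "count": 2, "version": 5}}
    users = {"data": [{"Properties": {"name": "ALICE@CORP.LOCAL"}}],
             "meta": {"type": "users", "count": 1, "version": 5}}
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("20240101000000_computers.json", json.dumps(computers))
        zf.writestr("20240101000000_users.json", json.dumps(users))
        zf.writestr("notes.txt", "not json")
    return buf.getvalue()
```

Run `summarize_collection_zip(open("archive.zip", "rb").read())` against a recovered archive; the `session_hosts` set is the list of machines whose logged-on users were enumerated and therefore worth checking for follow-on lateral movement.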