Bsides Cymru 2024

Dr. Strangequeries or: How I Learned to Stop Worrying and Write Better BloodHound Queries
04-27, 14:05–14:35 (Europe/London), Sophia Room - Track 2

This talk will take a closer look at BloodHound's Cypher queries, delving into how complex queries can be built in order to build and extract better datasets for use in offensive and defensive AD security. The basics of the language, its syntax, potential use cases and advantages over BloodHound GUI alone will be discussed in detail. Examples will be drawn from the field and pros and cons of utilising raw queries will be illustrated.

This topic was chosen out of a frustration for the sometimes slow process of enumerating targets in BloodHound using prebuilt queries, or the worry of missing key targets and paths due to an incorrect query.

BloodHound is one of the most well-known tools in the hacker's arsenal when it comes to Active Directory exploitation. It offers the user a convenient way of visualising relationships within AD in order to find interesting attack paths. BloodHound even comes with pre-made queries that you can use to find quick-wins throughout the chosen domain. Unfortunately, these pre-made queries do not offer the full scope of paths you may wish to try in AD and may not do exactly what you want them to.

Since BloodHound relies on Cypher queries against a neo4j database, one can simply write raw queries for use in the BloodHound GUI and neo4j web console in order to better query the AD datasets...if they can figure out the syntax that is...

This talk will (attempt to) demystify Cypher without assuming any prior knowledge of either it or BloodHound. The following will be covered:

  • A very brief introduction into BloodHound, how it works and how it is used, aimed at those new to the tool
  • Limitations of only using the pre-made scripts in BloodHound and how these can be solved with custom queries and the neo4j web console
  • A more detailed look at Cypher syntax and how to write queries (with examples), alongside some common pitfalls
  • Some example custom queries that I have found useful, including those I have used in engagements
  • How to save custom queries and import them into BloodHound for later use

The need to cannibalise Cypher queries and build better queries came from the sometimes lax number of appropriate pre-built queries in stock BloodHound. Indeed, without the ability to restructure and write one's own, the risk of missing the next novel attack path is more apparent. Sometimes it's not that 'BloodHound did not find anything', it's that you, the user, failed to ask BloodHound the correct question.

Harry graduated from the University of Warwick in 2019 with a history degree, before working for PwC in the Ethical Hacking team from March 2020 until November 2023. He now works as a Cyber Security Consultant for Stripe OLT.