
Bloodhound Bulk Mark as Owned


In this post we'll look at how to bulk mark users as owned when using Bloodhound.

An example scenario: you have done a password spray (or a password audit) and recovered the passwords for a large number of accounts. From here you want to see what access those accounts give you, and perhaps find a path to privilege escalation in the domain. However, you don't want to right-click and mark 100+ accounts as owned one at a time in the Bloodhound GUI.

Bloodhound Raw Query

You can use either of the Cypher queries below in Bloodhound's raw query box to bulk mark users as owned. The first matches on the full Bloodhound name (USER@DOMAIN.FQDN); the second matches on samaccountname, which is more useful if all you have is a list of plain usernames from your spray.

  • Make sure the provided Array has a comma after each element EXCEPT for the last one (as done below). A trailing comma is a Cypher syntax error and the query will not run.
  • Cypher string comparison is case-sensitive. Bloodhound stores the name property in upper case (e.g. JSMITH@CORP.LOCAL), while samaccountname keeps whatever case AD returned, so if you are unsure of the case, lowercase both sides: toLower(u.samaccountname) IN ["jsmith", ...].

After running the query you should see a message saying NO DATA RETURNED FROM QUERY. This is normal: the query only SETs the owned property and has no RETURN clause, so there is nothing to display.

You'll also need to navigate away from the current view to see the results. For some reason even reloading the current view does not show the updated users.

User - Name

```cypher
// name is the UPPERCASE USER@DOMAIN.FQDN value Bloodhound stores; no comma after the last element
MATCH (u:User) WHERE (u.name IN [
	"[email protected]",
	"[email protected]"
]) SET u.owned = true
```

User - SamAccountName

```cypher
// samaccountname keeps the case AD returned; no comma after the last element
MATCH (u:User) WHERE (u.samaccountname IN [
	"jsmith",
	"jdoe"
]) SET u.owned = true
```

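Hand-editing a 100-entry list is where the trailing-comma and case mistakes creep in, so a practitioner will usually generate the query instead. The script below is an added example and is not code from the original post or from the Bloodhound project. It takes a spray result list in the mixed formats these tools emit (DOMAIN\user, user@domain, bare username, duplicates, comments), normalises and dedupes it, and renders both queries from above with correctly quoted Cypher list literals, plus a verification query you can run afterwards. The sample hits and the domain CORP.LOCAL are constructed assumptions; point it at your own file and domain.

```python
"""Generate the Bloodhound 'mark as owned' Cypher queries from a spray result list.

Added example, not part of the original post. The sample data below is constructed
and the domain CORP.LOCAL is an assumption; replace both with your own.
"""
from typing import Iterable, List

# Constructed sample of what a password-spray tool might leave you with:
# mixed DOMAIN\user, user@domain and bare formats, a duplicate and a comment.
SPRAY_HITS = """
CORP\\jsmith
jdoe@corp.local
JSMITH
  svc_backup
jdoe@corp.local
# accounts above were all 'Summer2024!'
"""
DOMAIN = "CORP.LOCAL"  # assumed domain FQDN; Bloodhound names are USER@DOMAIN.FQDN in upper case


def normalise(raw: str) -> str:
    """Reduce DOMAIN\\user, user@domain or a bare username to the bare samaccountname."""
    user = raw.strip()
    if "\\" in user:
        user = user.split("\\", 1)[1]
    if "@" in user:
        user = user.split("@", 1)[0]
    return user


def load_users(text: str) -> List[str]:
    """Parse a spray result file: skip blanks and comments, normalise, dedupe case-insensitively, keep order."""
    seen, users = set(), []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        user = normalise(line)
        key = user.lower()
        if key not in seen:
            seen.add(key)
            users.append(user)
    return users


def cypher_string(value: str) -> str:
    """Quote a value as a Cypher string literal, escaping backslash and double quote."""
    return '"' + value.replace("\\", "\\\\").replace('"', '\\"') + '"'


def cypher_list(values: Iterable[str]) -> str:
    """Render a Cypher list literal; join() guarantees there is never a trailing comma."""
    return "[\n\t" + ",\n\t".join(cypher_string(v) for v in values) + "\n]"


def by_name_query(users: Iterable[str], domain: str = DOMAIN) -> str:
    """Match on the full Bloodhound name, which is stored upper-cased as USER@DOMAIN.FQDN."""
    names = [f"{u.upper()}@{domain.upper()}" for u in users]
    return f"MATCH (u:User) WHERE u.name IN {cypher_list(names)} SET u.owned = true"


def by_samaccountname_query(users: Iterable[str]) -> str:
    """Match on samaccountname; lowercase both sides because Cypher comparison is case-sensitive
    and samaccountname keeps whatever case AD returned."""
    lowered = [u.lower() for u in users]
    return f"MATCH (u:User) WHERE toLower(u.samaccountname) IN {cypher_list(lowered)} SET u.owned = true"


# Run this after the SET query to confirm the marks actually landed (the SET itself returns no data).
VERIFY_QUERY = "MATCH (u:User) WHERE u.owned = true RETURN u.name ORDER BY u.name"


if __name__ == "__main__":
    users = load_users(SPRAY_HITS)
    print(by_name_query(users))
    print()
    print(by_samaccountname_query(users))
    print()
    print(VERIFY_QUERY)
```

Paste whichever generated query fits your data into the raw query box, then run the verification query; the SET query will still report NO DATA RETURNED FROM QUERY, but the RETURN query lists every account now flagged as owned so you can spot any that did not match (usually a case or domain-suffix mismatch).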
This post is licensed under CC BY 4.0 by the author.