Everything Is Just Dandy!

Manually Parse Bloodhound Data with JQ to Create Lists of Potentially Vulnerable Users and Computers

IppSec
2022-05-01
https://www.youtube.com/watch?v=o3W4H0UfDmQ
00:00 – Intro talking about why we want to parse Bloodhound Data with JQ to create lists
00:43 – Just examining the data in Bloodhound
01:28 – Writing a Cypher query to show all enabled users in Bloodhound
02:35 – Showing Bloodhound Debug Mode, which displays the Cypher queries as you run them
03:28 – Start of looking at Bloodhound Data
04:25 – Digging through the JSON Structure with JQ to get to the Properties of a User
06:30 – Showing all the names; to remove the quotes we could use the -r flag for raw output
06:50 – Using the Select Query in JQ to show only enabled/disabled users
07:45 – Outputting multiple fields in JQ so we can show usernames + descriptions
08:20 – Using JQ to filter out descriptions with null to only show AD Accounts with a description
09:30 – Talking about LastLogon and LastLogonTimeStamp
10:45 – Converting integers to strings in JQ so we can output them
12:00 – Outputting all accounts where PwdLastSet is greater than the user's last logon
14:10 – Using JQ to filter out empty arrays, which lets us find all accounts that are Kerberoastable
14:50 – Using JQ to parse the computers and showing operating systems
15:50 – Filtering on Operating Systems, which may help us find end-of-life OSes
16:30 – Using JQ to show each computer's last logon, which lets us view all active computers
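As an added example (not code from the video or from the Bloodhound project), here are Python equivalents of the jq filters the timeline walks through, run over a constructed SharpHound-style export. Each function's comment gives the jq form it mirrors; the `data[].Properties` layout and field names (`enabled`, `description`, `lastlogon`, `pwdlastset`, `serviceprincipalnames`, `operatingsystem`) are those of the SharpHound JSON the video digs into, while every name and timestamp is made up.

```python
import json

# Constructed SharpHound-style sample (data[].Properties); every name, SPN
# and epoch timestamp here is made up for the example.
USERS = json.dumps({"data": [
    {"Properties": {"name": "SVC_SQL@CORP.LOCAL", "enabled": True, "description": "SQL svc",
                    "lastlogon": 1640995200, "pwdlastset": 1546300800,
                    "serviceprincipalnames": ["MSSQLSvc/db01.corp.local:1433"]}},
    {"Properties": {"name": "JDOE@CORP.LOCAL", "enabled": True, "description": None,
                    "lastlogon": 1650000000, "pwdlastset": 1649000000, "serviceprincipalnames": []}},
    {"Properties": {"name": "OLDTEMP@CORP.LOCAL", "enabled": False, "description": "Temp 2015",
                    "lastlogon": 0, "pwdlastset": 1420070400, "serviceprincipalnames": []}}]})
COMPUTERS = json.dumps({"data": [
    {"Properties": {"name": "DB01.CORP.LOCAL", "operatingsystem": "Windows Server 2008 R2",
                    "lastlogon": 1651000000}},
    {"Properties": {"name": "WS42.CORP.LOCAL", "operatingsystem": "Windows 10 Enterprise",
                    "lastlogon": 1600000000}}]})

def props(doc):
    # jq: .data[].Properties
    return [o["Properties"] for o in json.loads(doc)["data"]]

def enabled_names(doc):
    # jq -r '.data[].Properties | select(.enabled == true) | .name'
    return [p["name"] for p in props(doc) if p.get("enabled") is True]

def described(doc):
    # jq -r '.data[].Properties | select(.description != null) | .name + " " + .description'
    return [f"{p['name']} {p['description']}" for p in props(doc) if p.get("description") is not None]

def pwd_set_after_logon(doc):
    # jq -r '... | select(.pwdlastset > .lastlogon) | .name + " " + (.pwdlastset | tostring)'
    # jq refuses to concatenate a number to a string, hence tostring.
    return [f"{p['name']} {p['pwdlastset']}" for p in props(doc) if p["pwdlastset"] > p["lastlogon"]]

def with_spns(doc):
    # jq -r '.data[].Properties | select(.serviceprincipalnames != []) | .name'
    # SPN-bearing accounts are the ones a Kerberoast exposure review should cover.
    return [p["name"] for p in props(doc) if p.get("serviceprincipalnames")]

def os_matching(doc, needles):
    # jq -r '.data[].Properties | select(.operatingsystem | test("2008|2003")) | .name'
    return [p["name"] for p in props(doc) if any(n in (p.get("operatingsystem") or "") for n in needles)]

def active_since(doc, since_epoch):
    # jq -r '.data[].Properties | select(.lastlogon > 1640995200) | .name'
    return [p["name"] for p in props(doc) if p.get("lastlogon", 0) > since_epoch]
```

Point the same functions at `json.dumps(json.load(open("users.json")))` from a real SharpHound zip to get the lists the video builds by hand.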