ShadowHound - Stealthy Active Directory Enumeration with PowerShell

ShadowHound is a set of PowerShell scripts designed for Active Directory (AD) enumeration, offering a stealthier alternative to tools like SharpHound.

By leveraging native PowerShell capabilities, ShadowHound minimizes detection risks and avoids introducing known-malicious binaries. This guide explores its features, usage, and how to process collected data for BloodHound.

Overview of ShadowHound Scripts

ShadowHound includes two primary scripts for AD enumeration:

1. ShadowHound-ADM.ps1

  • Method: Uses the Active Directory module (Get-ADObject) via AD Web Services (ADWS).

  • Best Use Case: When the AD module is available and ADWS is accessible.

  • Features:

    • Handles large domains with options like -SplitSearch, -Recurse, and -LetterSplitSearch.

    • Enumerates certificate-related objects using the -Certificates flag.

2. ShadowHound-DS.ps1

  • Method: Performs direct LDAP queries using DirectorySearcher.

  • Best Use Case: When the AD module is unavailable or LDAP is preferred.

  • Features:

    • Enumerates certificates with the -Certificates flag.

    • Supports alternate credentials via the -Credential parameter.

Usage Examples

Basic Enumeration

Using ShadowHound-ADM.ps1

# Basic usage
ShadowHound-ADM -OutputFilePath "C:\Results\ldap_output.txt"

# Specify a domain controller and custom LDAP filter
ShadowHound-ADM -Server "dc.domain.local" -OutputFilePath "C:\Results\ldap_output.txt" -LdapFilter "(objectClass=user)"

# Use alternate credentials
$cred = Get-Credential
ShadowHound-ADM -OutputFilePath "C:\Results\ldap_output.txt" -Credential $cred -SearchBase "DC=domain,DC=local"

Using ShadowHound-DS.ps1

# Basic usage
ShadowHound-DS -OutputFile "C:\Results\ldap_output.txt"

# Specify a domain controller
ShadowHound-DS -Server "dc.domain.local" -OutputFile "C:\Results\ldap_output.txt"

# Use a custom LDAP filter
ShadowHound-DS -OutputFile "C:\Results\ldap_output.txt" -LdapFilter "(objectClass=computer)"

Enumerating Certificates

Both scripts can enumerate certificate-related objects for AD Certificate Services (ADCS) vectors:

# Using ShadowHound-ADM.ps1
ShadowHound-ADM -OutputFilePath "C:\Results\cert_output.txt" -Certificates

# Using ShadowHound-DS.ps1
ShadowHound-DS -OutputFile "C:\Results\cert_output.txt" -Certificates

Handling Large Domains with ShadowHound-ADM

For large domains, use these advanced options:

# Split search across top-level containers with letter splitting
ShadowHound-ADM -OutputFilePath "C:\Results\ldap_output.txt" -SplitSearch -LetterSplitSearch

# Option Descriptions:
# -SplitSearch: Splits the search across top-level containers.
# -Recurse: Recurses into containers that fail to return results.
# -LetterSplitSearch: Further splits searches by the first letter of CN.

Converting Data for BloodHound

After collecting data with ShadowHound, you can convert it into BloodHound-compatible JSON files using BofHound or other tools.

Splitting Large Output Files

If the output file is too large for processing:

python3 split_output.py -i ldap_output.txt -o pyldapsearch_ldap -n 100

This splits the file into chunks named pyldapsearch_ldap_1.txt, pyldapsearch_ldap_2.txt, etc.

Converting for BloodHound

Use BofHound to generate JSON files:

python3 bofhound.py -i ldap_output.txt -p All --parser ldapsearch

For large JSON files (>100MB), split them using tools like ShredHound before importing into BloodHound.

Key Advantages of ShadowHound

  1. Stealthy Enumeration: Avoids triggering antivirus alerts by relying on native PowerShell capabilities instead of binaries like SharpHound.

  2. Flexibility: Offers two distinct methods (ADWS and LDAP) to adapt to different environments.

  3. Scalability: Handles large domains efficiently with advanced search options.

By using ShadowHound, security professionals can perform detailed AD enumeration while minimizing detection risks. You can learn more and download ShadowHound from GitHub.
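The stealth claim above rests on the absence of a known-malicious binary, but the PowerShell itself is still recorded when Script Block Logging is enabled (Event ID 4104 in Microsoft-Windows-PowerShell/Operational). As an added example that is not part of ShadowHound or this post, the following Python runs simple detection logic over constructed script block text and flags the usage patterns documented on this page; the event layout, the ScriptBlockText field name and the indicator heuristics are assumptions for illustration.

```python
import re
from typing import Dict, List

# Constructed sample records shaped like script block logging events (Event ID 4104).
# Every ScriptBlockText value below is made up for this example.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"id": "1", "ScriptBlockText": 'ShadowHound-ADM -OutputFilePath "C:\\Results\\ldap_output.txt" -SplitSearch -LetterSplitSearch'},
    {"id": "2", "ScriptBlockText": 'Get-ADUser -Identity jdoe -Properties MemberOf'},
    {"id": "3", "ScriptBlockText": '$s = New-Object System.DirectoryServices.DirectorySearcher; $s.Filter = "(objectClass=computer)"; $s.PageSize = 1000; $s.FindAll() | Out-File C:\\Results\\out.txt'},
    {"id": "4", "ScriptBlockText": 'Get-ADObject -LDAPFilter "(&(objectClass=user)(sAMAccountName=svc_backup))"'},
    {"id": "5", "ScriptBlockText": 'ShadowHound-DS -OutputFile "C:\\Results\\cert_output.txt" -Certificates'},
]

# Name-based indicators: the cmdlet names and flags shown in the usage section above.
NAME_INDICATORS = [
    (re.compile(r"\bShadowHound-(ADM|DS)\b", re.I), "shadowhound cmdlet name"),
    (re.compile(r"-(SplitSearch|LetterSplitSearch)\b", re.I), "large-domain split option"),
    (re.compile(r"-Certificates\b", re.I), "ADCS object collection flag"),
]
# Behaviour-based indicators (assumed heuristic): an LDAP or ADWS query whose filter is a
# single objectClass/objectCategory clause with no narrowing term, e.g. "(objectClass=user)",
# combined with writing the whole result set to a file. Survives renaming of the script.
BROAD_FILTER = re.compile(r'"\((objectClass|objectCategory)=[^)&|!]*\)"', re.I)
LDAP_API = re.compile(r"DirectorySearcher|Get-ADObject", re.I)
BULK_OUTPUT = re.compile(r"-OutputFile(Path)?\b|Out-File", re.I)


def classify_event(text: str) -> List[str]:
    """Return the indicator labels matching one script block; an empty list means no match."""
    hits = [label for rx, label in NAME_INDICATORS if rx.search(text)]
    if LDAP_API.search(text) and BROAD_FILTER.search(text) and BULK_OUTPUT.search(text):
        hits.append("bulk dump with broad LDAP filter")
    return hits


def flag_ad_enumeration(events: List[Dict[str, str]]) -> Dict[str, List[str]]:
    """Map event id -> matched indicators for every event with at least one match."""
    return {e["id"]: h for e in events if (h := classify_event(e["ScriptBlockText"]))}


if __name__ == "__main__":
    for event_id, labels in flag_ad_enumeration(SAMPLE_EVENTS).items():
        print(event_id, labels)
```

A targeted lookup such as event 4 (filter narrowed by sAMAccountName) and a per-user query such as event 2 are deliberately left unflagged, so the broad-filter heuristic separates bulk collection from routine administration in these samples.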
