FalconHound is a blue team multi-tool. It allows you to utilize and enhance the power of BloodHound in a more automated fashion.
It is designed to be used in conjunction with a SIEM or other log aggregation tool. One of the challenging aspects of BloodHound is that it is a snapshot in time.
FalconHound includes functionality that can be used to keep a graph of your environment up-to-date. This allows you to see your environment as it is NOW. This is especially useful for environments that are constantly changing.
One of the hardest releationships to gather for BloodHound is the local group memberships and the session information.
As blue teamers we have this information readily available in our logs. FalconHound can be used to gather this information and add it to the graph, allowing it to be used by BloodHound.
This is just an example of how FalconHound can be used. It can be used to gather any information that you have in your logs or security tools and add it to the BloodHound graph.
Additionally, the graph can be used to trigger alerts or generate enrichment lists. For example, if a user is added to a certain group, FalconHound can be used to query the graph database for the shortest path to a sensitive or high-privilege group.
If there is a path, this can be logged to the SIEM or used to trigger an alert.
Other examples where FalconHound can be used:
- Adding, removing or timing out sessions in the graph, based on logon and logoff events.
- Marking users and computers as compromised in the graph when they have an incident in Sentinel or MDE.
- Adding CVE information and whether there is a public exploit available to the graph.
- All kinds of Azure activities.
- Recalculating the shortest path to sensitive groups when a user is added to a group or has a new role.
- Adding new users, groups and computers to the graph.
- Generating enrichment lists for Sentinel and Splunk of, for example, Kerberoastable users or users with ownerships of certain entities.
The possibilities are endless here. Please add more ideas to the issue tracker or submit a PR.
A blog detailing more on why we developed it and some use case examples can be found here
Index:
- Supported data sources and targets
- Installation
- Usage
- Actions
- Extensions to the graph
- Credential Management
- Deployment
- License
Supported Data Sources And Targets
FalconHound is designed to be used with BloodHound. It is not a replacement for BloodHound. It is designed to leverage the power of BloodHound and all other data platforms it supports in an automated fashion.
Currently, FalconHound supports the following data sources and or targets:
- Azure Sentinel
- Azure Sentinel Watchlists
- Splunk
- Microsoft Defender for Endpoint
- Neo4j
- MS Graph API (early stage)
- CSV files
Additional data sources and targets are planned for the future.
At this moment, FalconHound only supports the Neo4j database for BloodHound. Support for the API of BH CE and BHE is under active development.
Installation
Since FalconHound is written in Go, there is no installation required. Just download the binary from the release section and run it. There are compiled binaries available for Windows, Linux and MacOS. You can find them in the releases section.
Before you can run it, you need to create a config file. You can find an example config file in the root folder. Instructions on how to creat all crededentials can be found here.
The recommened way to run FalconHound is to run it as a scheduled task or cron job. This will allow you to run it on a regular basis and keep your graph, alerts and enrichments up-to-date.
Requirements
- BloodHound, or at least the Neo4j database for now.
- A SIEM or other log aggregation tool. Currently, Azure Sentinel and Splunk are supported.
- Credentials for each endpoint you want to talk to, with the required permissions.
Configuration
FalconHound is configured using a YAML file. You can find an example config file in the root folder. Each section of the config file is explained below.
Usage
Default Run
To run FalconHound, just run the binary and add the -go
parameter to have it run all queries in the actions folder.
./falconhound -go
For more information click here