# Vampire

Vampire is an aggressor script which integrates with BloodHound to mark nodes as owned.

Vampire adds a "Mark Owned" right-click option to beacons. This lets you select either the Computer or User (or Default, which chooses based on your user), along with the domain they belong to. There is an additional optional cna script for marking new credentials as owned. Vampire communicates with your neo4j REST API on localhost:7474 to mark the node as owned.

## Installation

1. Place `vampire.cna`, `vampire_creds.cna`, and `owned_utils.py` in the root of your cobaltstrike folder.
2. Run `chmod u+x owned_utils.py`.
3. Load `vampire.cna` and `vampire_creds.cna` into Cobalt Strike through the Script Manager.
4. The neo4j credentials default to `neo4j:BloodHound` (you can change the base64 in `owned_utils.py` otherwise): run `echo -n 'neo4j:yourpassword' | base64` and then replace the auth in `owned_utils.py`.

## How it works

- `vampire.cna` calls `owned_utils.py` to query the list of domains from neo4j.
- `vampire.cna` appends `@` + the specified domain to the user/computer name. If you chose `Default`, it will choose based on whether you're a local admin.
- `vampire.cna` calls `owned_utils.py` to query the neo4j REST API with `'MATCH (n:*) WHERE lower(n.name) = "' + nodelabel.lower() + '" SET n.owned = TRUE'`.
- `vampire_creds.cna` marks new credentials as owned on the credentials callback.

## Notes

The cna script handles the Cobalt Strike GUI, while the Python script handles BloodHound/neo4j interaction. The reason I did it this way is because I couldn't get the HTTP request working nicely through Sleep sockets. The plus side is, you can call/import the Python code into your own project which doesn't use Cobalt Strike. The code in the functions is pretty much ripped from the neo4j syntax examples in the BloodHound GitHub wiki.
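The following is an added, stand-alone example and not code from the Vampire project. It shows the same "mark node as owned" request against the neo4j transactional HTTP API, but with two changes a practitioner would want: the node name is sent as a Cypher parameter (`$name`) rather than concatenated into the query string as in the README's snippet, so a credential or hostname containing a quote cannot alter the statement, and the neo4j credentials are read from environment variables instead of a hard-coded base64 string. Assumptions: the neo4j 3.x endpoint path `/db/data/transaction/commit`, the `NEO4J_URL`/`NEO4J_USER`/`NEO4J_PASSWORD` variable names, and the reading of "Default" as "local admin marks the computer, otherwise the user".

```python
# Added example (not part of Vampire): mark a BloodHound node as owned via the
# neo4j transactional HTTP API using a parameterised Cypher statement.
import base64
import json
import os
import urllib.request

# Assumed endpoint for the neo4j 3.x transactional API on the default HTTP port.
NEO4J_URL = os.environ.get("NEO4J_URL", "http://localhost:7474/db/data/transaction/commit")

# Parameterised form of the README's query; toLower() is the current name of lower().
# The node name never appears inside the statement text, only in "parameters".
MARK_OWNED_CYPHER = (
    "MATCH (n) WHERE toLower(n.name) = toLower($name) "
    "SET n.owned = TRUE RETURN count(n) AS marked"
)


def node_label(name, domain):
    """Build the label the way the README describes: name + '@' + domain."""
    return "%s@%s" % (name, domain)


def choose_node_label(user, computer, domain, target="Default", is_local_admin=False):
    """Pick the user or computer node. 'Default' follows the README's rule, assumed
    here to mean: local admin -> computer node, otherwise -> user node."""
    if target == "Default":
        target = "Computer" if is_local_admin else "User"
    if target == "Computer":
        return node_label(computer, domain)
    if target == "User":
        return node_label(user, domain)
    raise ValueError("target must be Default, User or Computer")


def build_statement(label):
    """Request body for the transactional API: label travels as a parameter."""
    return {"statements": [{"statement": MARK_OWNED_CYPHER, "parameters": {"name": label}}]}


def auth_header(user, password):
    """HTTP Basic value; same bytes as the README's `echo -n 'user:pass' | base64`."""
    token = base64.b64encode(("%s:%s" % (user, password)).encode()).decode()
    return "Basic " + token


def parse_marked_count(response_body):
    """Return how many nodes were updated, or raise if neo4j reported an error."""
    doc = json.loads(response_body)
    if doc.get("errors"):
        raise RuntimeError("neo4j error: %s" % doc["errors"][0].get("message"))
    return doc["results"][0]["data"][0]["row"][0]


def mark_owned(label, url=NEO4J_URL, user=None, password=None):
    """POST the statement to neo4j and return the number of nodes marked owned."""
    user = user or os.environ.get("NEO4J_USER", "neo4j")
    password = password or os.environ.get("NEO4J_PASSWORD", "BloodHound")
    req = urllib.request.Request(
        url,
        data=json.dumps(build_statement(label)).encode(),
        headers={
            "Authorization": auth_header(user, password),
            "Content-Type": "application/json",
            "Accept": "application/json",
        },
        method="POST",
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return parse_marked_count(resp.read())


if __name__ == "__main__":
    import sys
    # Usage: python mark_owned.py NAME DOMAIN   (needs a reachable neo4j instance)
    print(mark_owned(node_label(sys.argv[1], sys.argv[2])))
```

Because the label is passed in `parameters`, a value such as `x" SET n.admin = TRUE //` is matched literally as a node name and cannot rewrite the statement; with the README's string concatenation the same value would change the Cypher that neo4j executes. A zero return value means no node with that name exists in the database, which is the usual symptom of a wrong domain suffix or casing.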
Patrick Hurd