Skip to content

Parameters

idna edited this page Mar 10, 2022 · 3 revisions

Below is an explanation of all of the available parameters that can be used with GoodHound.

Database settings

-s can be used to point GoodHound to a server other than the default localhost installation (bolt://localhost:7687)
-u can be used to set the neo4j username
-p can be used to set the neo4j password

Output formats

-o can be used to select from:

  • stdout -displays the output on screen
  • csv saves a comma separated values file for use with reporting or MI
  • md or markdown to display a markdown formatted output

-d an optional filepathdirectory path for the csv output option
By default the output is csv and these are created in the current working directory.

-q supresses all output
-v enables verbose output
--debug enables debug output

Number of results

-r can be used to select the amount of results to show. By default the top 5 busiest paths are displayed.
-sort can be used to sort by:

  • number of users with the path (descending)
  • hop count (ascending)
  • risk score (descending)

Schema

-sch select a file containing cypher queries to set a custom schema to alter the default Bloodhound schema.
This can be useful if you want to set the 'highvalue' label on AD objects that are not covered as standard, helping to provide internal context.
For example, you want to add the highvalue label to 'dbserver01' because it contains all of your customer records. The schema file to load in could contain the following cypher query:

match (c:Computer {name:'[email protected]'}) set c.highvalue=TRUE

The schema can contain multiple queries, each on a separate line.

SQLite Database

By default GoodHound stores all attack paths in a SQLite database called goodhound.db stored in the current working directory. This gives the opportunity to query attack paths over time.
--db-skip will skip logging anything to a local database
--sql-path can be used to point GoodHound to the location of the database file. If a directory is provided a database named goodhound.db will be created in that directory. If an existing db file is provided this db will be updated with any new findings.

Bloodhound 4.1 Patch

With the latest release of Bloodhound 4.1 there is a minor bug where nodes that do not have the highvalue attribute set to true do not end up with the attribute at all.
This causes an issue with GoodHound as it uses this parameter to ascertain paths from non-highvalue nodes to highvalue nodes.

When running GoodHound on a set of data that has been gathered using SharpHound 4.1 add the parameter
--patch41

goodhound -p "neo4jpassword" --patch41

This goes through the neo4j database and assigned the highvalue attribute to false anywhere that it isn't already set to true.