Reconnaissance

BOFHound

At a minimum, BOFHound requires the samAccountType, distinguishedName and objectSid attributes in the LDAPSearch output to parse the data correctly; otherwise you'll encounter the "Parsed XX Unknown Objects" message.

Additionally, ntsecuritydescriptor is required to parse and ingest ACL relationships.
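
The attribute requirements above can be checked against a log before ingestion. The following is an added example, not part of BOFHound or the original page: it assumes each object in the log is introduced by a line of dashes and listed as "attribute: value" lines, and the sample log, domain and SIDs are constructed.

```python
import re

REQUIRED = {"samaccounttype", "distinguishedname", "objectsid"}
ACL_ATTR = "ntsecuritydescriptor"
SEPARATOR = re.compile(r"^-{20,}\s*$")  # assumed per-object delimiter line

# Constructed sample log for illustration (not real tool output).
SAMPLE_LOG = """\
--------------------
sAMAccountType: 805306368
distinguishedName: CN=Alice,CN=Users,DC=example,DC=local
objectSid: S-1-5-21-1111111111-2222222222-3333333333-1104
nTSecurityDescriptor: AQAEjA==
--------------------
sAMAccountType: 805306369
distinguishedName: CN=WS01,CN=Computers,DC=example,DC=local
objectSid: S-1-5-21-1111111111-2222222222-3333333333-1105
--------------------
distinguishedName: CN=Bob,CN=Users,DC=example,DC=local
name: Bob
"""

def split_objects(text):
    """Yield one {lowercased attribute: value} dict per delimited object."""
    current = None
    for line in text.splitlines():
        if SEPARATOR.match(line):
            if current:
                yield current
            current = {}
        elif current is not None and ": " in line:
            name, value = line.split(": ", 1)
            current[name.strip().lower()] = value.strip()
    if current:
        yield current

def audit(text):
    """Return (DN, status, missing) per object: 'ok', 'no-acl' or 'unknown'."""
    report = []
    for obj in split_objects(text):
        missing = sorted(REQUIRED - obj.keys())
        # Missing required attributes -> would be counted as an unknown object.
        status = "unknown" if missing else ("ok" if ACL_ATTR in obj else "no-acl")
        report.append((obj.get("distinguishedname", "<no DN>"), status, missing))
    return report

if __name__ == "__main__":
    for dn, status, missing in audit(SAMPLE_LOG):
        print(f"{status:8} {dn} missing={missing}")
```
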

If an object's SID isn't resolved to a proper name, it means that no data exists for that object. In that case, query the specific object with: (objectsid=[SID]) --attributes *,ntsecuritydescriptor

BOFHound can also parse logged on sessions and local group objects from the following BOFs:

  • netsession2

  • regsession

  • netloggedon2

  • netLocalGroupListMembers2
