FalconHound: blue team multi-tool

FalconHound

FalconHound is a blue team multi-tool. It allows you to utilize and enhance the power of BloodHound in a more automated fashion. It is designed to be used in conjunction with an SIEM or other log aggregation tool.

One of the challenging aspects of BloodHound is that it is a snapshot in time. FalconHound includes functionality that can be used to keep a graph of your environment up-to-date. This allows you to see your environment as it is NOW. This is especially useful for environments that are constantly changing.

One of the hardest relationships to gather for BloodHound is the local group memberships and the session information. As blue teamers, we have this information readily available in our logs. FalconHound can be used to gather this information and add it to the graph, allowing it to be used by BloodHound.

This is just an example of how FalconHound can be used. It can be used to gather any information that you have in your logs or security tools and add it to the BloodHound graph.

Additionally, the graph can be used to trigger alerts or generate enrichment lists. For example, if a user is added to a certain group, FalconHound can be used to query the graph database for the shortest path to a sensitive or high-privilege group. If there is a path, this can be logged to the SIEM or used to trigger an alert.

Other examples where FalconHound can be used:

• Adding, removing or timing out sessions in the graph, based on logon and logoff events.
• Marking users and computers as compromised in the graph when they have an incident in Sentinel or MDE.
• Adding CVE information and whether there is a public exploit available to the graph.
• All kinds of Azure activities.
• Recalculating the shortest path to sensitive groups when a user is added to a group or has a new role.
• Adding new users, groups and computers to the graph.
• Generating enrichment lists for Sentinel and Splunk of, for example, Kerberoastable users or users with ownerships of certain entities.

Supported data sources and targets

FalconHound is designed to be used with BloodHound. It is not a replacement for BloodHound. It is designed to leverage the power of BloodHound and all other data platforms it supports in an automated fashion.

Currently, FalconHound supports the following data sources and or targets:

• Azure Sentinel
• Azure Sentinel Watchlists
• Splunk
• Microsoft Defender for Endpoint
• Neo4j
• MS Graph API (early stage)
• CSV files

Additional data sources and targets are planned for the future.

At this moment, FalconHound only supports the Neo4j database for BloodHound. Support for the API of BH CE and BHE is under active development.

Install & Use

Copyright (c) 2023, FalconForce