Post-Escalation Tool Designed to Achieve Red Team Objectives

ProfileHound emerges as a specialized post-exploitation instrument for offensive security professionals seeking to identify high-value targets within Active Directory environments.

The tool addresses a gap in red-team reconnaissance by enumerating the domain user profiles stored on compromised machines, giving operators data on which to base decisions about which systems warrant focused follow-up.

The fundamental innovation behind ProfileHound is the creation of a new BloodHound graph edge, HasUserProfile, that establishes relationships between domain users and machines that host their profile directories.

Unlike BloodHound’s traditional HasSession edge, which identifies only actively logged-in users, ProfileHound reveals dormant user profiles that persist on systems even when a user is not currently logged in.

This distinction matters during post-exploitation, when attackers want to identify machines likely to contain cached credentials, DPAPI-encrypted secrets, SSH keys, or cloud authentication material; for defenders, the same list shows where stale profiles and their secrets linger.

Installation Guide

The tool’s operational mechanics require administrative access to target machines’ C$ administrative share, from which ProfileHound enumerates the Users directory structure.

It extracts critical metadata, including user Security Identifiers (SIDs), profile creation timestamps, and last modification dates, from the NTUSER.DAT file.

This timestamp data tells an operator how old a profile is and how recently it was used, distinguishing actively maintained accounts from legacy profiles that may hold years of accumulated secrets.

According to the project's GitHub page, ProfileHound integrates with BloodHound Community Edition through the OpenGraph format, so collected data can be imported into the platform directly by drag-and-drop.

At the same time, the tool generates statistical summaries that identify the machines hosting the most profiles, the users whose profiles are most widely distributed, and the oldest profiles, which are the most likely to contain exploitable data.
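As an added defender-side illustration of the mapping just described (example code, not ProfileHound's own), the snippet below takes a constructed inventory of profile directories, reads each domain SID from the folder names under the DPAPI Protect directory, links that SID to the host holding the profile (the HasUserProfile relationship), counts profiles per host, and flags profiles whose NTUSER.DAT has not changed within a threshold, which is where a clean-up of dormant profiles should start. The hosts, users and SIDs are constructed values.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed inventory standing in for a walk of <host>\C$\Users on each machine.
# "protect_dirs" lists folder names seen under AppData\Roaming\Microsoft\Protect
# (the DPAPI location the SID is read from); "ntuser_mtime" is the NTUSER.DAT
# last-write time in ISO 8601 with an explicit UTC offset.
SAMPLE_PROFILES = [
    {"host": "WS01", "user": "alice", "protect_dirs": ["S-1-5-21-1111-2222-3333-1105"], "ntuser_mtime": "2025-10-20T08:00:00+00:00"},
    {"host": "WS01", "user": "bob", "protect_dirs": ["S-1-5-21-1111-2222-3333-1106", "CREDHIST"], "ntuser_mtime": "2023-01-15T12:30:00+00:00"},
    {"host": "WS02", "user": "alice", "protect_dirs": ["S-1-5-21-1111-2222-3333-1105"], "ntuser_mtime": "2025-09-30T17:45:00+00:00"},
    {"host": "WS02", "user": "svc_backup", "protect_dirs": ["S-1-5-21-1111-2222-3333-1200"], "ntuser_mtime": "2024-02-01T03:00:00+00:00"},
    {"host": "WS02", "user": "carol", "protect_dirs": ["S-1-5-21-1111-2222-3333-1107"], "ntuser_mtime": "2025-06-01T09:00:00+00:00"},
    {"host": "WS02", "user": "Public", "protect_dirs": [], "ntuser_mtime": "2025-06-01T09:00:00+00:00"},
    {"host": "SRV01", "user": "bob", "protect_dirs": ["S-1-5-21-1111-2222-3333-1106"], "ntuser_mtime": "2025-10-29T22:10:00+00:00"},
]

# Domain account SIDs have the form S-1-5-21-<domain triple>-<RID>; anything else
# (well-known SIDs, CREDHIST, empty Public/Default profiles) is not a domain user.
DOMAIN_SID_RE = re.compile(r"^S-1-5-21-\d+-\d+-\d+-\d+$")

def extract_domain_sid(protect_dirs):
    """Return the first domain-user SID among the DPAPI Protect folder names, else None."""
    for name in protect_dirs:
        if DOMAIN_SID_RE.match(name):
            return name
    return None

def profile_report(records, now_iso, stale_days=180):
    """Link domain SIDs to hosts and flag profiles unused for more than stale_days.

    Returns (edges, stale, hubs): edges is a list of (sid, host) pairs, one per
    HasUserProfile-style relationship; stale is a list of (host, user, age_days)
    for profiles whose NTUSER.DAT is older than the threshold; hubs counts the
    domain profiles held by each host.
    """
    now = datetime.fromisoformat(now_iso)
    edges, stale, hubs = [], [], Counter()
    for rec in records:
        sid = extract_domain_sid(rec["protect_dirs"])
        if sid is None:
            continue  # no domain user to map for this directory
        edges.append((sid, rec["host"]))
        hubs[rec["host"]] += 1
        age = (now - datetime.fromisoformat(rec["ntuser_mtime"])).days
        if age > stale_days:
            stale.append((rec["host"], rec["user"], age))
    return edges, stale, hubs

if __name__ == "__main__":
    edges, stale, hubs = profile_report(SAMPLE_PROFILES, "2025-11-01T00:00:00+00:00")
    for host, count in hubs.most_common():
        print(f"{host}: {count} domain profiles")
    for host, user, age in stale:
        print(f"stale profile {user} on {host}: NTUSER.DAT untouched for {age} days")
```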

Key Features and Capabilities

Feature | Description
HasUserProfile Edge | Creates a new graph edge mapping user profiles to domain machines
BloodHound Integration | Compatible with the BloodHound OpenGraph format for direct import
Administrative Access | Requires admin credentials to enumerate the C$ share on targets
Timestamp Analysis | Tracks profile creation and modification dates for activity assessment
DPAPI Integration | Extracts user SIDs from DPAPI directory structures
Advanced Queries | Pre-built Cypher queries for targeting active profiles and groups
Multiple Deployment | Supports pipx, source installation, and Docker containers
Target Selection | Automatic LDAP discovery or manual target specification
Profile Statistics | Generates detailed distribution and machine hub reports
SID Extraction | Retrieves security identifiers from NTUSER.DAT metadata

Currently in early development stages, ProfileHound warrants cautious production deployment pending the implementation of additional collection modes.

The project credits Remi Gascou's ShareHound and bhopengraph libraries for foundational capabilities, while roadmap enhancements include SCCMHunter integration, Azure AD device ownership correlation, and mining NTUSER.DAT files for sensitive historical data.

For red teams targeting cloud-adjacent SaaS applications accessible only from specific machines, or seeking to prioritize machines that harbor multi-year profile artifacts, ProfileHound is a powerful addition to post-exploitation workflows.
