
Using BloodHound as a Defender: Tips from the Red Team

BSides Charm · 2024 · 35:12 · 260 views · Published 2024-06
About this talk
Network defenders often lack visibility into the critical Active Directory misconfigurations that attackers exploit. This talk demonstrates how to use BloodHound and a new tool called Ad-recon to identify permission issues, answer the question of who has the most access in your domain, and understand what defenders can do to secure it. The speaker shares real engagement examples and walks through queries that reveal high-impact vulnerabilities invisible to standard vulnerability scanners.

Network defenders are often not armed with the right information to fix critical permission issues and general misconfigurations within Active Directory (AD). Many of these flaws lie dormant in the network for 10+ years until either an attacker or a pentester takes advantage of them. The reason is that these flaws don't show up in security checklists or vulnerability scanners, which alone can be a daunting task to handle for a large enterprise. We often get into the mindset of "I need to fix what the tool tells me", and if it's not a critical or high-impact flaw coming out of a vulnerability scanner, it just isn't addressed. When I take over an entire network I don't use a vulnerability scanner or the data it provides. This talk is aimed at providing defenders with an attacker's perspective on their Active Directory (AD) environment. As part of the talk, a tool will be released that automates numerous complex queries over BloodHound data via Neo4j Cypher queries. Ad-recon is a tool designed to quickly triage BloodHound data (~2-4 seconds to run without pathing queries enabled) and will identify numerous security issues within the AD environment. The talk will walk through each query the tool covers, why the data is interesting, what an attacker could do, and what a defender can do to secure it. Ad-recon also supports printing out all of these queries and their descriptions so that users can modify them and make use of them in their own code, the Neo4j interface, a cypher-shell query, or the BloodHound GUI.

Presenter: Andrew McNicol

Andrew McNicol has over 13 years of experience performing offensive security assessments (red teaming and penetration testing). He currently serves as BreakPoint Labs (BPL) Chief Technology Officer (CTO). He holds dozens of industry-recognized certifications (OSCP, OSCE, etc.), a B.S. from Towson University, and an M.S. from Capital Technology University. He's worked in DoD, Federal, Law Enforcement, and commercial sectors performing red teaming and penetration testing.
Transcript

Today we're going to be talking about using BloodHound as a defender, kind of taking tips from the red team. I've been doing red team and penetration tests for the last 10-plus years, and I'm going to try to share my experience on how I do that, and hopefully you can go back as a defender and find this stuff on your own, because I think there's a lot of interesting, cool things you can do. A little bit about me: I've been the CTO of BreakPoint Labs for the past nine years, and like I said, I hack stuff for a variety of customers: DoD, federal government, commercial customers all over the place. I come from a background in systems administration, incident response and malware analysis, and what drives me is really finding high-impact, complex vulnerabilities. I should issue a warning here too that on the journey we're about to go on with Active Directory, you might find yourself a few months after this talk where it's Friday and Saturday night and you're auditing AD controls and liking it. I think I'm going to show you some stuff here that's pretty fun.

So the first question, and this is one we're going to come back to throughout the talk quite a bit, is: who in my domain has a lot of access? When I go on networks, this is the question I often ask myself, and the answer changes, and most people don't have the full picture here. Of course the domain admins have a lot of access, your IT staff has a lot of access, but answering that question in a total form involves a lot more analysis, so I'm going to show you how to do that. If you take nothing else from this talk, being able to answer this question for your network will help drive security.

So the problem: after a pentest or red team, when I'm speaking to the defenders, they're basically running down and chasing vulnerability report data, and it's usually kind of surprising to them that I don't use a vulnerability scanner at all in the pentesting and red teaming space. So it comes down to, I think, that you're often looking at the wrong thing. Of course that is still good data and still good to do, but the way I'm taking over networks, I'm not really even looking at it. In the pentest report it's kind of like the fake grass in an Easter basket: it's good filler data, but it's not the chocolate bunny or the big toys that you want. I'm going to show you how to extract that from Active Directory.

Everything we do here we're going to be going through BloodHound. We're also releasing a tool called Ad-recon, which I'll talk about in a second. But in terms of BloodHound, if you've never used it (I'm sure people probably have), BloodHound really changed the game. I can't think of too many tools out there that have changed the game, maybe Burp Suite Professional for web, but BloodHound really changed the game for pentesting, red teaming and Active Directory analysis. The challenge with it, though, is that it's complex relationship data. Looking at Active Directory, as you can see here, that is a pretty crazy map, and if you're new you're like, I don't even know where to start. So it can be challenging to go through the data, but it is an extremely powerful tool, and hopefully at the end of this talk you'll have some ideas on what to do. For the most part you're going to use BloodHound in the GUI, but there is also the Neo4j interface for the database, and cypher-shell, which is a Java-based Neo4j command line tool you can use, and as you get stronger with your skills and analysis you'll probably find yourself doing a lot of custom queries in Neo4j.

What I like about this tool for defenders: when I was a defender I was quite frustrated, because I saw these cool hacks and I wanted to go do it, and I felt limited, because you can't always go hack stuff as a defender, right? Usually you're tied into what you're allowed to do. The nice thing about BloodHound is it's mostly passive analysis, so you can really dig in and find a lot of cool vulnerabilities and you're not really doing anything on the network. You do have to gather the data initially on the network with something like SharpHound, but you can add that into your monthly vulnerability management process. It takes like 15 minutes to run, you'll have the data pulled back, and then you can do a lot of cool stuff. So that's why I think BloodHound is really cool, because as a defender, or even somebody new in training, you can't really break stuff, right? You're doing it on a local Kali VM, you can bang on it all day long, and it's a great place to find a lot of good vulnerabilities. This is the interface, if you've never seen it. It's a strong graphical view, and that node info tab there towards the bottom, the outbound object control and inbound control rights, are some of the most important components of it. If you're looking at BloodHound, those are the most important areas to focus on, and I'll explain why as we get through the slides.

So Ad-recon. This was a tool that a colleague, Luke Hudson, and I wrote over mostly the Christmas break. It automates our analysis. Everything I show you today is going to be extractable with Ad-recon: you're going to run it and it's going to give you that data that you can dig into and figure out if it's a vulnerability in your environment. We released it this morning for this talk, so it's on GitHub, and you can pip install the requirements, pull it down, and you're good to go. It was built based on everything from basically Kali, so I think there's like one dependency you have to add, for the Neo4j Python driver, and it's built with the BloodHound that's in the Kali repos as well, so if you sudo apt-get install bloodhound, it's that version. We did give you sample data in the GitHub as well, from the GOAD framework, Game of Active Directory, so if you don't have sample data it comes with the tool as well; you can pull it down, import it into your BloodHound and start playing around before you have real network data.

This is what it looks like. We'll demo it towards the end. I'm not going to go through every line here, but essentially it's printing out actual information and making a lot of different data files that are extracting a ton of interesting viewpoints into the network. When I wrote this tool I was on an engagement, and I went back and ran it, and it found every way I got DA on that network, and I was like, awesome. And then we went back and looked at the past year of data from other networks and it found most of every way we got DA, so pretty cool. I think it's doing a lot of actual stuff. It also has a --dump feature. What this will do is print out the raw queries with the description, so if you want to modify the query to your liking you can do that: --dump, and you take these to the Neo4j interface or the BloodHound GUI and you can modify them. Maybe you need one other data attribute, you want to change something; that's why I put that in there. I find myself doing that quite a lot. And then we just added this feature called --more-help, because you're getting a lot of this data and sometimes you don't know, well, why is that interesting? If you've never done this before you might not understand why unconstrained delegation is interesting and what you do with that. So --more-help will tell you why that's interesting and sort of what to look for in the data, so you don't just see, oh, this person, and I don't know what to do with them. It can give you some more context as you're getting your sea legs in the offensive space of Active Directory.

Okay, so shifting gears: this is how I do my analysis when I'm coming on a network. The first thing I do is try to understand the environment, and I'm going to walk you through how and why. Then I run down my quick wins, and then I look at the environment from the bottom up: think about a standard user, how can I go up. And then I look from the top down, and this is the part I think most people skip, even in the pentesting and red teaming space: defining who's interesting in the network and then who can reach those interesting points, and looking from that perspective. So I'll explain how I do that.

Understanding the environment. This is just getting an idea of the lay of the land: how many users, how many computers, the groups and the different attributes within. You can get an idea of the password hygiene for the environment by taking a look at how frequently passwords are changed and rotated. It's been my experience that I've never really walked into a place that's had good password hygiene in Active Directory. So you as a defender could take a look at this and say, hey, all these accounts aren't meeting our password policy, what's going on? And why does this person have password never expires, in HR or IT? They need to meet the password policy. So you could drive some change there, and that is a huge area for reducing risk in Active Directory. But again, getting a good lay of the land, as you're going to see when we go forward, helps make sense, and all the pieces come together when you understand the environment a little bit.

Here's the quick wins area, I would say, and again Ad-recon is going to give you all this data. So it's going to get who you can Kerberoast. Are there certificate templates that can be abused? Because if there are, you can masquerade as other users in the environment, and that's just a common thing I see, that permissions are set up wrong on certificate templates. Do users have excessive permissions with admincount false? So in Microsoft Active Directory there's a concept of admincount being true or false, and additional controls are applied to the true. If there is somebody that has a ton of permissions and that's false, it's usually easier to get to that person, so I always target those. You most commonly see that with AD Connect: from 2017, Microsoft was making the service account for AD Connect wrong and never tagged that correctly as true, and they patched it, but if the network's been around since then they probably have that service account still on the network right now and no one knows it even happened. I bring it up to the admins and they're like, what's this MSOL account? I'm like, yeah, well, that's a problem. They don't even know it happened. They've got like eight of them, because every time they installed it again it made a new one. So you're going to see that.

I'm not going to go through every single one of these, but another one that I like to do when I'm getting on a network is take a look at the enabled accounts that have never authenticated to the network. They're enabled, so they could, but they just haven't yet. I always see that, and those are the accounts that have the Welcome1, right? Those are the accounts that have some weak, trivial password. You probably know your environment, so you can take that and be like, why is this account two years old and never been logged into? We should clean this up. That can be a change you can drive. The attacker is going to find the setup guide on the share, find the default password by calling the help desk if it's within the ROE, and just get that, log in with these accounts and expand their access.

Who has DCSync rights? That's a question, right? Do you know, in your environment, which people have DCSync rights? You'd be surprised. And again, these are the kind of things that the tool prints out, because these are all actionable things that you can do to either hack or defend Active Directory.

So when I talk to people about Active Directory privilege escalation, attacking and defending, this is generally the concept they think of in their head, right? You have this standard, low-level user, they get popped from malware, they're trying to get to DA. That's the cookie-cutter approach to privilege escalation. But what's interesting about this is that as an attacker I often don't want to get domain admin, which is interesting; a lot of people don't realize that. Can anybody think of a reason why an attacker would not want to be domain admin, or why that wouldn't be their end goal? Alerting, exactly right, perfect. So alerting, and again the attacker isn't there necessarily just to get DA; they have some mission objective, or if you're a red team you have some mission objective. Maybe get expanded access, maybe get access to sensitive data, whatever the mission is, and domain admin is a means to an end. It's a great way to do it, and certainly evaluate that path, don't turn a blind eye here, but if you're just looking at this it's very limiting, because the reality is I may find that path on a red team but not touch it. I'm going to go somewhere else. Where am I going to go? This way: Carol in HR.

Now that's just an example here of somebody in HR that's been around since the dawn of time, and their permissions have grown with their account in a weird way, and I'm going to get Bob from the help desk. Now, the reason why I put up Bob from the help desk here is that if you're a defender, I want you to assume your help desk is popped, or they could get popped. It's so easy to do, because think about it: if a user gets compromised, they clicked on a link or whatever it is, you just have to get a help desk user to come fix something on their box, if it's within ROE. I can't tell you how many times, assuming it's in ROE, I've popped the user, broken something on their box to get the help desk to log in, and then I'm stealing the help desk token and now I'm the help desk. So pivoting to the help desk: I want you to assume the help desk is compromised when you're looking at Active Directory and your BloodHound data. And what's interesting about the help desk is the help desk generally cannot reach the admincount true, or shouldn't be able to, so they can't touch your domain admins, or they shouldn't be able to reach the domain admins. So if you've got Bob, Bob probably can't do anything to DAs, but Bob can hit Carol, and Carol has effectively the same permissions. And again, I may not want to touch DA; I may just want to ride Carol, because Carol's super stealthy, right? No one's thinking about Carol. You're not raising alarm bells when you touch Carol or modify stuff with her account, but you're going to raise all sorts of alarm bells from the domain admin account. So that's an interesting concept. I'm going to show you how I find the Carols on the network.

And remember I mentioned this before: there's two really key concepts when you're looking at BloodHound Active Directory data. The idea of outbound object control, that is what can that object do, and then inbound control rights, that's who can do something to it, right? These two concepts are very important to conceptualize the permission abuse paths in Active Directory, so hang on to those in your head.

We're moving into the bottom-up approach. With this approach I basically like to mark a user as owned and use that approach of working from the bottom up. Maybe a standard user, maybe you've had a compromised user from an incident report and you want to take a look at their permissions: what could they have attacked or done? You basically want to try to look from the lowest-level area you can think of, and it goes back to understanding your environment, knowing what groups people are in. Some good ones are just the Domain Users group, pretty much everybody's in there, the Everyone group, the Users group, and then take a look at what that person can do. Now what you see on the screen there is the outbound object control for the Domain Users group on an engagement I did when I was writing this tool, and it says 19,000, which is crazy, because standard users should probably say like 12, meaning they should probably be able to do like 12 things. The fact that they can do 19,000 is incredible, and I already know off the bat there's a huge problem here. If that number is even 100 there's a problem. If that's 1,000, huge problem. 19,000 means they have full domain control. That's what that means, so it's crazy.

Now you want to understand: you click on that and you understand, well, what does that mean? Well, here's what that means in this environment: the Domain Users for the BSides Charm domain was nested down into the Pre-Windows 2000 Compatible Access group, which had GenericAll to a domain trust, the BreakPoint Labs domain. All these examples are pulled from real engagements; I didn't make these up, these are just real engagements, I just changed the names of the domains. But that's pretty bad. That means anybody in the BSides Charm domain is effectively a domain admin for the BreakPoint Labs domain, and they can do anything. So what I did in this engagement, again back to understanding the environment, I looked at the service accounts in both environments, because the usernames didn't match. The parent, the BSides Charm domain, was doing something stealthy, and I found out they're using their employee ID (I didn't know this at the time) as the username, but the BreakPoint Labs domain was using their real name, so I couldn't match them up yet at this point in the engagement. But I did match up that they had a service account in both places that was DA, the same service account. So I used Mimikatz, I grabbed the password of that service account from the BreakPoint Labs domain and I replayed it. It didn't work. So I was sitting there like, man, it didn't work, that's a bummer, right? Well then I thought to myself, okay, they changed that password 11 months ago, let me go ahead and try the old password. So I grabbed the old password from Mimikatz, because you get the password history, and tried the old password, and it worked. So I'm banging on the desk. I mean, I think it was 11:38; I told my wife I was going to be done with work at 10, and that did not happen. But that's the moment I live for, right? That banging-on-the-desk moment where we got DA and I'm about to spill Active Directory's guts to my screen with DCSync and secretsdump and basically start cracking hashes. This is a pentest, so OPSEC's out the window, I don't really care about it. What I'm describing here is not something I would have done on a red team, because it would have got me caught. On a pentest it's like, whatever, you can be a cowboy as long as you're not going to break stuff; you're not so worried about detection. But that's a key example, and it took a few seconds to find that, because of the Domain Users permission issue.

And again, bottom up. This is the cookie-cutter way, so if you've used BloodHound this is probably what you've done. It's the cookie-cutter approach, right? Mark a user or an object as owned (it could be a computer, whatever) and find me the shortest path to Domain Admins from owned principals. This is good, do this, continue to do this. I want you to go back and mark your help desks as owned, mark some standard users as owned, and check these paths out, because there might be some things that you need to fix along the way. But we're going to look at what else to do beyond that, right? Because if my goal is not domain admin, then you're never going to see the permission abuse path that would bubble out, potentially. But that's still important to know how to do. The next thing to know how to do is just the pathfinding feature. If you click that little road icon there on the right, it looks like two roads, almost like a railroad, that starts a pretty interesting feature in BloodHound where you can basically put a starting point and an ending point. These can be anything, like, I want to see how this user can get to this computer, and it can tell you if there's a path. That's useful for your analysis. I don't find myself using it a ton, but it is useful.

So now we're going to move into the top-down approach, which frankly I think is more interesting, and it's something that most people I've talked to don't do. The top-down approach is where you're really going to take a look at who has interesting permissions in the network and then who can reach them, right? And the first challenge here is to answer that question we asked at the beginning of the talk, which was: who has the most access in my network? I find that most people don't really know the full story there. Of course, yes, domain admins, but again, the example I gave with Carol, they probably had no idea. So how do you find Carol? We're going to show you how to find Carol. And then once you define who has interesting permissions, you're going to look at the inbound control rights, which is who can reach them, right? Because if you mark a user as owned and you're trying to get to DAs, you'd have to know what user to mark as owned to see if there's a path. But if you just go to the Domain Admins group and look at the inbound control rights, you can actually see who, and anybody, can reach it. So it is really effective to start at the top and then look at who can actually reach the top from that point. But part of the challenge is knowing who's interesting in the network to evaluate.

So who has the most rights? Ad-recon has a command line switch called --transitive, and what it's going to do is get all of the transitive outbound control rights for computers and users. This is going to be a big old list; it's basically effectively auditing all the permissions for the objects in AD. Now, it sounds like a lot, and it is, but you're pretty much going to look at the top, right? You're not going to have to look at the whole list, because what you're going to find in Active Directory is that there's a ton of permission overlap. So like your Domain Users might say 13 as their outbound rights, and that's going to be the same for most of the domain users, so you can skip a lot of them. 13, right? Pull the 13 out of your data, and you may want to look at just who's up at the very top and focus on them. This does take a while to run, probably five-plus, so you run this and you go to bed and come back the next day. But what it gives you is this output file called users outbound transitive rights, and currently it's set up to bring your own command line kung fu, which I've done with the sort command there. We're going to change the code to sort it based on the top permissions at the top down to the least, but right now it's in the order of how they appear in Active Directory. We're going to switch that, but until then you can use this little command line kung fu to organize the data. And what you see here is that Zack, Matt and that admin service are all domain admins, so that kind of makes sense, right? I know they're somebody that's interesting. But who doesn't make sense is Carol. Carol's got a boatload of permissions, it's kind of crazy, and that's the kind of stuff I hunt for, because Carol is a great target. People aren't looking for Carol, I can hide there, and effectively getting to Carol is usually easier than getting to the DAs.

So I wanted a quick shout-out to mgeeky. He was the one that really got me thinking about this permission abuse path, the top-down approach, and I want to give him a quick plug, since it was really him that gave me the idea. Not in person, I just saw his GitHub and was like, this is cool. But these queries do take a long time.

So this is Carol in BloodHound, and like I said, Carol's got a ton of access, she's got up there 19,000, and you've got to ask yourself, why does Carol have a lot of access? Well, the answer is this: Carol can DCSync BSides Charm. That's weird. It's pretty weird. No, the user shouldn't be able to do that. Now, can anybody think of why Carol in HR, who has no IT function, might be able to DCSync in the domain? Can anybody think of a reason why that might be? By the way, there's no right answer here, I'm just curious if anybody has an idea. Yeah, some accounts do need that, like a service account that needs DCSync for that, so that is a valid reason why you might have a weird account there.

The reason that I think, maybe in this instance, since she doesn't have an IT function, might be this: when you're hacking Active Directory, one of the things that ends up being the post-exploitation for an exploit is elevating the permissions for a certain user. So if you think of PrivExchange, that particular exploit back in the day (I don't know that it really works nowadays, but it did for a bit there), the end of PrivExchange was elevating a user to be able to DCSync, or GenericAll to the domain. Now if you had a pentest or a red team or a real attacker, maybe that's a remnant of that activity, right? Because I'll tell you this: when I've done the engagement and I want to hide, one of the things I usually do, if it's a purple team setup, is I'll try to bury in some shadow domain admin. So effectively I'll elevate somebody to have this permission, or GenericAll to the domain, or something that isn't adding them to the Domain Admins group, because they're monitoring that, probably automated, and it's probably going to revert the change and alert, all sorts of Graylog and all sorts of stuff. But I will hide in a regular user. And maybe this is a past threat actor or a past pentest that didn't do proper cleanup, and then that might have been there for years and nobody knew. That might have been what the case was here; it could have been any number of reasons. But that is something where I find a lot of people, this light bulb goes off in their head, like, oh yeah, maybe somebody is trying to maintain backdoor access in the network by elevating somebody in a stealthy way. I do it.

And then again, this is to show that Bob from the help desk can reach Carol, because she's admincount false. You need your help desk to be able to do stuff to regular users, so that's not surprising, but that's why you also control what regular users can do, right? That's why you don't give them DCSync, unless it's by accident or by an attacker. So that's just to show that, hey, I've marked my help desk as owned, because I'm assuming they can get popped, because I know they can, it's all too easy, and they can get to Carol, and then Carol can DCSync, and at that point it's game over. DCSync, by the way, if you're not familiar, is essentially being able to replicate the Active Directory database, pretending to be a domain controller. That's what you do with secretsdump, spill the guts; you're DCSyncing. Generally there's a lot of ways to do it, but from a secretsdump perspective, that's one of the most common.

Wow, we're moving fast, by the way. Okay, cool. So this is one of the last slides before the demo. I've been recently doing incident response with BloodHound, I find it quite helpful, so I wanted to also share this context here. Like I mentioned a little bit before, if you obviously know the details of the compromise, you might know some of the users and computers involved, you can mark them as owned in BloodHound and start to take a look at what the paths are for that. So what we would do is, it would become a bottom-up approach: we would take our compromised user, computer, group, mark them as owned, and look at their outbound permissions to see what they could do. If somebody gets an account popped and they have no interesting permissions, okay. But if they can modify or reach five different servers, you might want to go investigate those servers, right? They have permissions to them, they can already pwn them, they're local admin on them, whatever it might be. And in this example we have two accounts, J Walker and J Walker 2. The top J Walker has a pretty boring graph, so if you see a 12, that's what a 12 looks like: it's pretty boring. I know it's a snippet so you can't see everything, but trust me when I say it's boring. There's not much they can do; they're just a part of groups, can't do anything. But J Walker 2 has GenericAll to BSides Charm, and obviously if one of these is an incident, that GenericAll is a lot more interesting, and it might tell you, okay, maybe they did that, and now they've got the whole domain, right? At that point they have the whole domain. So it could be interesting and helpful context to the data. I use that on my customers that call me up for an incident response. Before I involve my incident response team I'll say, oh, let me look at your BloodHound data real quick, and I kind of help them triage it while we're getting the incident response team in play, if I already have their data. I'm not going to run BloodHound in the middle of an IR, but if I already have their data, I find that quite helpful. So if you add gathering BloodHound to your vulnerability management process and you're already sitting on some BloodHound data, it could be helpful.

Okay, so I'm going to show you Ad-recon real quick. Log in. Okay, so it's just a Python script you run, and again you can pull it down from GitHub and pip install the requirements, and you run it. It's that fast, 23 seconds, and it gives you all this data to run through. It tells you who you may have marked as owned in the database and who you have. So this does require you to have BloodHound already set up, right? Import the data over, and this is just doing the analysis of that BloodHound data, and it's giving you a ton of different files to look at. So you have your session data, which is very interesting; sessions are hugely important for privesc. Vulnerable certs, like I mentioned before. Who has admincount false but has interesting permissions, right? Like that DCSync. This would have pulled out Carol in this example, because she can DCSync and her admincount was false, so you can investigate those. What you're probably, I can almost guarantee, going to see when you do this on your network is your AD sync accounts, if your network's been around since 2017. I would be

shocked if it cleaned up unless you pointed it out to them the admins didn't clean it up I'll tell you that um you know you can see who's KB roastable you want to investigate those make sure those are like using man Microsoft's managed service account password and it's not just like a password never you you know never uh never changing password that's that kind of thing um let me see who owns computers who you know RDP rights for comp for servers uncrate delegation tons of stuff so and again if you don't know and you're like I I I see all this cool data I'm not sure what to do um we did just add this

in the other day to like give you some context so you can scroll up and say well here's here's what you know this means for um inbound group policy object I forgot we do some GPO stuff and some of the other and some of the other because it's a d Das pathing which takes about an hour to run um and it's gives you like some GP permissions what can you do with that that if you can modify the GP what could you do it just gives you some context so um and then again if you want to do the queries yourself Das D dump print out the queries for you and then you can take

these to neo4j what you'll probably want to do is like modify it maybe it's returning the object ID but you want to return you know the description or something right some some other attribute for that data you can just you know modify the query slightly you can also reverse engineer the query to teach you how to do your own queries which is really important um as you grow your analysis skills um that's why I find myself doing all the time I'll just do das Das dump grab the query go to neo4j and um go from there for for doing my analysis and uh that's it I talk fast so I think I maybe flew through it um yeah

that's uh thanks for coming to the talk guys and obviously if there's any questions let me know I don't know if I want to open the floor for questions this pretty ballsy but if you want if you want to ask some questions I can try oh God not that's my developer Luke yeah I

have, yeah, a defender. So what I would do, it depends on your organization, but what you pretty much need to do is run SharpHound once a month, I would say. It takes about 10 to 15 minutes to run. I would just get approval to run that during your vulnerability scanning process, and it doesn't need any special permissions; you can run that from a standard user. So if you're already vuln scanning, it's less intrusive than a vuln scan. So I would just work that into sort of the monthly vuln scanning process if you can. And you should have detections for it, by the way, too. So if you don't detect that SharpHound got run, you want to fix that as well; you should be able to detect that happening on your network as well. But unless you had a better idea, but I was going to say...

There are benefits to running from different perspectives. Like if you have a higher privilege level, you will get more session data, and we didn't really talk about sessions too much, but sessions are pretty important for privilege escalating. So, you know, the idea of sessions: remember we talked about the help desk, how I popped the help desk? The reason is the help desk created a session on a computer that I compromised. So having more session data does enumerate more privesc paths. So yeah, if you have the ability to run as a higher privileged user, you're going to get more session data.

Yeah, yeah, you can. When you run SharpHound you can give it a -d to tell it the... so you could put the data into both; you'd grab the data from all of them and dump it into BloodHound, and it can map the permissions if there's a domain trust and permission abuse, like I show in that one slide how BSides Charm domain users had GenericAll to BreakPoint Labs. That would be that kind of thing where you've had a domain trust set up; it will map them. You'll probably have to run BloodHound -d for BSides Charm and then -d for BreakPoint Labs; you'll run them for each forest.

Yeah, I think you were next, at least I saw. Yeah, it's in an output directory. So if we scroll up here, oh actually I can just show you. It's in the output directory. Yeah, it is in here. It's in there because I was doing some testing; I ran the old version. The new version does the output in this /output directory, just like this, so all the files are right in /output. We're going to play around with maybe making a --json or --html, like some reporting formats. Right now I'm a big fan of the command line and just grepping files, sort, uniq, awk, sed. So for me, I usually have to fight me to get off the command line. So that's why they're all raw text, but I made them grep friendly and analysis friendly, right? They're all predictable fields, so you can do some summarization and stuff there.

Yeah, I couldn't hear the last part. If you're not...

...pure? Yeah, so there is AzureHound, right? So a lot of this stuff now... so you can run AzureHound, and often times, even if... yeah, it's crazy, there's a lot of data you can get from AzureHound. And this, so right now I don't do anything with AzureHound, but that is going to be something I'll add to the tool, probably next. That'd be really, like, make the most sense. But yeah, there is AzureHound, and you can still see all these relationships. What I showed you in here conceptually still applies with AzureHound; they're called different things, the relationships, but you can still use the same rights analysis. It would all apply in Azure as well. Right now it doesn't have the data sets in there, but I'll work on getting that; it'll probably be a couple weeks. Yeah, it would work. Yeah, he's making a point: it would work, it just doesn't have the queries built to extract the relevant data for you. It's not going to error; you will see some stuff, but it's not going to give you the juice you want.

Yeah, okay, well, thanks for coming out, guys, appreciate it. [Applause]
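The talk describes two things a defender does with the BloodHound graph: mark known-compromised principals as owned and read their outbound permissions (the bottom-up IR triage), and run triage queries such as "admincount false but can DCSync" or "Kerberoastable accounts" that ad-recon's --dump prints for editing in Neo4j. The Cypher below is an added illustration of both, written for this page; it is not code from the talk or from ad-recon. It assumes the legacy BloodHound Neo4j schema (node labels User, Group, Computer, Domain; properties name, admincount, hasspn, enabled, pwdlastset; the BloodHound edge names used below; an owned boolean set on nodes you mark). The principal name BOB@EXAMPLE.LOCAL is a constructed placeholder.

```cypher
// 0. Mark a principal known from the incident as owned (constructed name, replace with your own).
MATCH (n {name: 'BOB@EXAMPLE.LOCAL'})
SET n.owned = true;

// 1. Bottom-up IR triage: every control edge reachable from an owned principal,
//    directly or through group membership (MemberOf*0.. includes the principal itself).
//    Hits here are the servers, users and groups worth investigating next.
MATCH (o {owned: true})-[:MemberOf*0..]->(g)
MATCH (g)-[r:AdminTo|CanRDP|CanPSRemote|GenericAll|GenericWrite|WriteDacl|WriteOwner|Owns|AllExtendedRights|ForceChangePassword|AddMember|DCSync]->(t)
RETURN o.name AS owned, type(r) AS edge, labels(t) AS targetType, t.name AS target
ORDER BY owned, edge, target;

// 2. Accounts that are not protected/flagged (admincount false) but can DCSync the domain,
//    directly or via a group. This is the "Carol" case from the talk and also catches
//    stale directory-sync service accounts.
MATCH (u:User)
WHERE u.admincount = false
MATCH (u)-[:MemberOf*0..]->(g)-[:DCSync|AllExtendedRights|GenericAll]->(d:Domain)
RETURN DISTINCT u.name AS user, d.name AS domain
ORDER BY user;

// 3. Kerberoastable accounts, oldest password first, so you can verify each one is a
//    managed service account or at least has a rotated password.
//    pwdlastset is stored as epoch seconds by BloodHound.
MATCH (u:User)
WHERE u.hasspn = true AND u.enabled = true
RETURN u.name AS user,
       datetime({epochSeconds: u.pwdlastset}) AS pwdLastSet,
       u.admincount AS adminCount
ORDER BY u.pwdlastset;
```

Query 1 is the one to edit as the talk suggests: swap `t.name` for `t.description` or `t.objectid` if you need a different attribute, or narrow the edge list to the right you care about. Query 2 deliberately lists only edges that grant replication rights outright; GetChanges and GetChangesAll only amount to DCSync when both are present, which the BloodHound DCSync edge already expresses.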