Active Directory (AD) is the backbone of many enterprise networks, and its complexity often leads to hidden security risks. BloodHound is an essential tool for red teamers to visualize these risks by mapping out attack paths using graph theory.
The first step in any BloodHound analysis is data collection. SharpHound, the data ingestor, gathers information about users, groups, computers, and permissions within the AD environment.
Once the data is imported into BloodHound, we can run queries to find shortest paths to high-value targets like "Domain Admins". These paths often involve a combination of:
We recently discovered a path where a standard user had 'GenericWrite' permissions over a group that was a member of another group with local admin rights on a critical server. By adding themselves to the intermediate group, they were able to gain control over the server and eventually the domain.
Defenders can use BloodHound to proactively identify and close these attack paths. Key strategies include implementing the Tiered Administration Model and enforcing the Principle of Least Privilege.
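As an added illustration of the path-finding the two sections above rely on (it is not BloodHound's own code), the snippet below runs a breadth-first search over a constructed AD relationship graph to find the shortest path from a user to "Domain Admins", then reports which edges on that path are choke points, i.e. the relationships a defender must fix to sever every route. All node names and edges are made up for the example.

```python
from collections import deque

# Constructed sample graph (not real AD data). Each edge is (source, relationship, target),
# using the BloodHound edge names MemberOf, GenericWrite, AdminTo and HasSession.
EDGES = [
    ("alice", "MemberOf", "HelpDesk"),
    ("HelpDesk", "GenericWrite", "ServerOps"),   # HelpDesk can add members to ServerOps
    ("ServerOps", "MemberOf", "CriticalAdmins"),
    ("ServerOps", "MemberOf", "BackupAdmins"),   # second route to SRV01
    ("CriticalAdmins", "AdminTo", "SRV01"),
    ("BackupAdmins", "AdminTo", "SRV01"),
    ("SRV01", "HasSession", "da_user"),          # a Domain Admin is logged on to SRV01
    ("da_user", "MemberOf", "Domain Admins"),
    ("bob", "MemberOf", "Finance"),              # bob has no route to Domain Admins
]

def build_graph(edges):
    """Adjacency list: node -> [(relationship, neighbour), ...]."""
    graph = {}
    for src, rel, dst in edges:
        graph.setdefault(src, []).append((rel, dst))
    return graph

def shortest_path(graph, start, target):
    """BFS from start; returns the shortest path as a list of edges, or None."""
    parent = {start: None}
    queue = deque([start])
    while queue:
        node = queue.popleft()
        if node == target:
            path = []
            while parent[node] is not None:
                prev, rel = parent[node]
                path.append((prev, rel, node))
                node = prev
            return path[::-1]
        for rel, nxt in graph.get(node, []):
            if nxt not in parent:
                parent[nxt] = (node, rel)
                queue.append(nxt)
    return None

def choke_points(edges, start, target):
    """Edges on the shortest path whose removal alone leaves no path start -> target.
    These are the relationships to fix first; an edge with a parallel route (the two
    AdminTo groups above) does not break the path on its own."""
    path = shortest_path(build_graph(edges), start, target) or []
    return [e for e in path
            if shortest_path(build_graph([x for x in edges if x != e]), start, target) is None]
```

Real BloodHound data has many more edge types and far more parallel routes, so the choke-point check is what keeps a remediation from merely shifting the shortest path rather than closing it.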