AD Attack Path Discovery
How to find exploitable Active Directory paths.
BloodHound
BloodHound can be used to map the relationships within Active Directory environments. It works by collecting data from any associated domain controllers and domain-joined Windows systems, and then plots the relationships within a queryable Neo4j graph. Attack paths can then be visualised.
BloodHound works by using a data collector and an analysis tool.
SharpHound Collector
To compile the Active Directory objects and relationships, a BloodHound collector needs to be run within the target Active Directory environment. Typically SharpHound, a C# data collector, is used.
SharpHound will create several JSON files to use with the BloodHound analysis tool. The following command will execute SharpHound and collect all types of data:
SharpHound.exe --collectionmethods All
Python Collector (Python)
RustHound (Rust)
Analysis
Once collection has compiled the Active Directory data, it can be uploaded into the BloodHound analysis tool. Once uploaded, BloodHound will do the following:
Map out the paths between Active Directory objects
Execute in-built queries to find common attack paths
To get the best use out of BloodHound, the following should be done:
Execute custom queries to find other attack paths
Mark nodes as "high value" or "owned" to improve attack path finding
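How marking nodes as "owned" and "high value" drives path finding, as an added Python example that is not part of the original page or of BloodHound's own code: a breadth-first search over a small constructed graph stands in for the queries BloodHound runs against Neo4j. The node names, the graph and the function names are assumptions made for illustration; the relationship names are BloodHound edge types. It goes one step beyond the text by also listing the relationships whose removal alone breaks every path, which is the view used when prioritising remediation.

```python
from collections import deque

# Constructed sample data, not real collector output. Tuples are
# (source, relationship, target) using BloodHound relationship names.
EDGES = [
    ("ALICE@CORP.LOCAL", "MemberOf", "HELPDESK@CORP.LOCAL"),
    ("HELPDESK@CORP.LOCAL", "GenericAll", "SVC_BACKUP@CORP.LOCAL"),
    ("ALICE@CORP.LOCAL", "GenericWrite", "SVC_BACKUP@CORP.LOCAL"),
    ("SVC_BACKUP@CORP.LOCAL", "AdminTo", "FILESRV01.CORP.LOCAL"),
    ("FILESRV01.CORP.LOCAL", "HasSession", "DA_BOB@CORP.LOCAL"),
    ("DA_BOB@CORP.LOCAL", "MemberOf", "DOMAIN ADMINS@CORP.LOCAL"),
    ("CAROL@CORP.LOCAL", "MemberOf", "STAFF@CORP.LOCAL"),
]
OWNED = {"ALICE@CORP.LOCAL"}               # nodes marked "owned"
HIGH_VALUE = {"DOMAIN ADMINS@CORP.LOCAL"}  # nodes marked "high value"


def shortest_path(edges, sources, targets):
    """BFS from all source nodes; return the shortest edge list to any target, or None."""
    graph = {}
    for src, rel, dst in edges:
        graph.setdefault(src, []).append((rel, dst))
    queue = deque((s, []) for s in sorted(sources))
    seen = set(sources)
    while queue:
        node, path = queue.popleft()
        if node in targets and path:
            return path
        for rel, dst in graph.get(node, []):
            if dst not in seen:
                seen.add(dst)
                queue.append((dst, path + [(node, rel, dst)]))
    return None


def choke_points(edges, sources, targets):
    """Relationships whose removal alone leaves no path from sources to targets."""
    return [
        e for e in edges
        if shortest_path([x for x in edges if x != e], sources, targets) is None
    ]


if __name__ == "__main__":
    for src, rel, dst in shortest_path(EDGES, OWNED, HIGH_VALUE):
        print(f"{src} -[{rel}]-> {dst}")
    print("Remediation candidates:", choke_points(EDGES, OWNED, HIGH_VALUE))
```

In this sample the two routes from the owned user to the service account are not choke points, because either one alone keeps the path alive; the three relationships after the service account are.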
For more information on using the analysis tooling, as well as SharpHound, see the official docs: