AD Attack Path Discovery

How to find exploitable Active Directory paths.

BloodHound

BloodHound can be used to map the relationships within Active Directory environments. It collects data from the domain controllers and domain-joined Windows systems it can reach, then loads the relationships into a queryable Neo4j graph, from which attack paths can be visualised.

BloodHound works by using a data collector and an analysis tool.

SharpHound Collector

To compile the Active Directory objects and relationships, a BloodHound collector needs to be run within the target Active Directory environment. Typically SharpHound, a C# data collector, is used.

SharpHound will create several JSON files to use with the BloodHound analysis tool. The following command will execute SharpHound and collect all types of data:

SharpHound.exe --collectionmethods All

Analysis

Once collection has finished, the resulting JSON files can be uploaded into the BloodHound analysis tool. Once uploaded, BloodHound will do the following:

  • Map out the paths between Active Directory objects

  • Execute in-built queries to find common attack paths

To get the most out of BloodHound, the following should also be done:

  • Execute custom queries to find other attack paths

  • Mark nodes as "high value" or "owned" to improve attack path finding
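The two steps above (mark what is owned and what is high value, then ask for the shortest path between them) are what BloodHound's path queries do over the collected data. As an added example that is not part of this page or of the BloodHound project, the script below builds a tiny graph from a constructed, simplified SharpHound-style JSON document (only the ObjectIdentifier, Properties, Members and Aces keys are used, and the SIDs and names are made up) and runs a breadth-first search from an owned user to the nearest high-value group; the same path is the one a defender would remediate.

```python
import json
from collections import deque

# Constructed sample in a simplified SharpHound-like layout (not real data): an
# owned user in a help-desk group holding GenericAll over a Domain Admins member.
SAMPLE = json.dumps({"data": [
    {"ObjectIdentifier": "S-1-5-21-1-1001",
     "Properties": {"name": "ALICE@CORP.LOCAL"}},
    {"ObjectIdentifier": "S-1-5-21-1-1101",
     "Properties": {"name": "HELPDESK@CORP.LOCAL"},
     "Members": [{"ObjectIdentifier": "S-1-5-21-1-1001"}]},
    {"ObjectIdentifier": "S-1-5-21-1-1002",
     "Properties": {"name": "SVC_BACKUP@CORP.LOCAL"},
     "Aces": [{"PrincipalSID": "S-1-5-21-1-1101", "RightName": "GenericAll"}]},
    {"ObjectIdentifier": "S-1-5-21-1-512",
     "Properties": {"name": "DOMAIN ADMINS@CORP.LOCAL", "highvalue": True},
     "Members": [{"ObjectIdentifier": "S-1-5-21-1-1002"}]},
]})

def build_graph(raw):
    """Return (adjacency, names, highvalue_sids). Edges run in the direction
    BloodHound draws them: member -> group, ACE holder -> controlled object."""
    adj, names, high = {}, {}, set()
    for o in json.loads(raw)["data"]:
        sid = o["ObjectIdentifier"]
        names[sid] = o["Properties"]["name"]
        adj.setdefault(sid, [])
        if o["Properties"].get("highvalue"):
            high.add(sid)
        for m in o.get("Members", []):
            adj.setdefault(m["ObjectIdentifier"], []).append(("MemberOf", sid))
        for ace in o.get("Aces", []):
            adj.setdefault(ace["PrincipalSID"], []).append((ace["RightName"], sid))
    return adj, names, high

def shortest_path(adj, names, high, owned_sid):
    """BFS from an owned principal to the nearest high-value node, like
    BloodHound's shortestPath query. Returns [name, edge, name, ...] or None."""
    queue, seen = deque([(owned_sid, [names[owned_sid]])]), {owned_sid}
    while queue:
        node, path = queue.popleft()
        if node in high:
            return path
        for rel, nxt in adj.get(node, []):
            if nxt not in seen:
                seen.add(nxt)
                queue.append((nxt, path + [rel, names[nxt]]))
    return None

if __name__ == "__main__":
    adj, names, high = build_graph(SAMPLE)
    print(" -> ".join(shortest_path(adj, names, high, "S-1-5-21-1-1001")))
```

Each hop in the printed path is an edge that can be reviewed and, where unintended, removed (for example the GenericAll grant on the service account).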

For more information on using the analysis tooling, as well as SharpHound, see the official docs.
