Exploiting Active Directory with BloodHound
Overview
BloodHound is a graph-based Active Directory reconnaissance tool that uses graph theory to reveal hidden and unintended relationships within AD environments. Red teams use BloodHound to identify attack paths from compromised accounts to high-value targets such as Domain Admins, identifying privilege escalation chains that would be nearly impossible to find manually. SharpHound is the official data collector that gathers AD objects, relationships, ACLs, sessions, and group memberships.
Objectives
- Collect Active Directory relationship data using SharpHound or BloodHound.py
- Visualize attack paths from compromised accounts to Domain Admin
- Identify misconfigured ACLs, group memberships, and delegation settings
- Discover shortest attack paths to high-value targets
- Map Kerberos delegation configurations for abuse
- Document all identified privilege escalation chains
MITRE ATT&CK Mapping
- T1087.002 - Account Discovery: Domain Account
- T1069.002 - Permission Groups Discovery: Domain Groups
- T1482 - Domain Trust Discovery
- T1615 - Group Policy Discovery
- T1018 - Remote System Discovery
- T1033 - System Owner/User Discovery
- T1016 - System Network Configuration Discovery
Implementation Steps
Phase 1: Data Collection with SharpHound
- Transfer SharpHound collector to compromised host
- Execute collection with appropriate method (All, DCOnly, Session, LoggedOn)
- Collect from all reachable domains if multi-domain environment
- Exfiltrate ZIP data files to analysis workstation
- Import data into BloodHound CE or Legacy
Phase 2: Attack Path Analysis
- Mark owned principals (compromised accounts)
- Query shortest path to Domain Admins
- Identify Kerberoastable accounts with admin privileges
- Find AS-REP Roastable accounts
- Analyze ACL-based attack paths (GenericAll, GenericWrite, WriteDACL, ForceChangePassword)
- Review GPO abuse opportunities
Phase 3: Exploitation Planning
- Prioritize attack paths by complexity and stealth
- Identify required tools for each step in the chain
- Plan OPSEC considerations for each technique
- Execute identified attack chain
- Document evidence at each step
Tools and Resources
| Tool | Purpose | Platform |
|---|---|---|
| BloodHound CE | Graph visualization and analysis | Web-based |
| SharpHound | AD data collection (.NET) | Windows |
| BloodHound.py | AD data collection (Python) | Linux/Windows |
| Cypher queries | Custom graph queries | Neo4j/BloodHound |
| PlumHound | Automated BloodHound reporting | Python |
| Max (BloodHound) | BloodHound automation | Python |
Key BloodHound Queries
| Query | Purpose |
|---|---|
| Shortest Path to Domain Admins | Find fastest route to DA |
| Find Kerberoastable Users with Path to DA | SPN accounts leading to DA |
| Find AS-REP Roastable Users | Accounts without pre-auth |
| Shortest Path from Owned Principals | Paths from compromised accounts |
| Find Computers with Unsupported OS | Legacy systems for exploitation |
| Find Users with DCSync Rights | Accounts that can replicate AD |
| Find GPOs that Modify Local Group Membership | GPO-based privilege escalation |
Validation Criteria
- [ ] SharpHound data collected from all domains
- [ ] Attack paths identified from owned accounts to DA
- [ ] ACL-based attack paths documented
- [ ] Kerberoastable and AS-REP roastable accounts identified
- [ ] Exploitation plan created with prioritized paths
- [ ] Evidence screenshots captured for report
Compliance Framework Mapping
This skill supports compliance evidence collection across multiple frameworks:
- SOC 2: CC4.1 (Monitoring & Evaluation), CC7.1 (Monitoring)
- ISO 27001: A.14.2 (Secure Development), A.18.2 (Information Security Reviews)
- NIST 800-53: CA-8 (Penetration Testing), RA-5 (Vulnerability Scanning)
- NIST CSF: ID.RA (Risk Assessment), PR.IP (Information Protection)
Claw GRC Tip: When this skill is executed by a registered agent, compliance evidence is automatically captured and mapped to the relevant controls in your active frameworks.
Deploying This Skill with Claw GRC
Agent Execution
Register this skill with your Claw GRC agent for automated execution:
# Install via CLI
npx claw-grc skills add exploiting-active-directory-with-bloodhound
# Or load dynamically via MCP
grc.load_skill("exploiting-active-directory-with-bloodhound")Audit Trail Integration
When executed through Claw GRC, every step of this skill generates tamper-evident audit records:
- SHA-256 chain hashing ensures no step can be modified after execution
- Evidence artifacts (configs, scan results, logs) are automatically attached to relevant controls
- Trust score impact — successful execution increases your agent's trust score
Continuous Compliance
Schedule this skill for recurring execution to maintain continuous compliance posture. Claw GRC monitors for drift and alerts when re-execution is needed.