Enumerating AD infrastructure with BloodHound

March9, 2020 | By Michael Wainshtain, Technical Team Leader

Across industries, Active Directory (AD) is one of the most critical “crown jewels” for any organization. An attack vector targeted by the perpetrators towards an organization, tend to target primarily AD, via multiple avenues for lateral movements.

For any organization with a Microsoft ecosystem, attackers predominantly emphasize on getting privileged access, especially on the directory services as a Domain Admin. With the privilege of a domain admin, owning the entire infrastructure becomes relentless, as it allows an attacker to control all the organizational systems and services that are running of the domain.

One of the major tools which help scrutinize Active Directory environments and a must-have in a security tool arsenal is BloodHound.It is an open source tool developed by @_wald0, @CptJesus, and @harmj0y, which utilizes graph theory to identify, correlate, explore and define visually the underlying relationships within an AD infrastructure.

One of the major takeaways with this tool is the potential to identify the most optimum and shortest way to become a domain administrator. This would thus enable a red team (as well as blue teams) to identify potential attack paths and remediate, which, in an ideal scenario is a quite complicated task, generally achieved with a lot of hit and trial methods.

A potential use case of the tool’s ability is to let the user explore the profound relationship (intended and unintended) in an Active Directory environment, across users\machines\ACL’s\Domain group memberships\Active sessions.

So how can this be feasible?

  1. The tool collects relevant data from provided AD infrastructure using c# or PowerShell script (also referred to as “Ingestor”). At this point, for data collection, one doesn’t require to have any special privileges, outside that of a domain user.
  2. Once the data is fetched, the data can be placed into Neo4j database. Neo4j is a graph-based database management system, popularly used to illustrate complex relationships into graphs.
  3. Once the data is placed into the database, queries can be executed to identify the relationships.

Once the graph is created as per the query, a user should be able to identify multitude of correlations, including the following:

  1. Users in the organization with elevated privileges (outside the users within the domain admin group)
  2. Users within identified normal business groups, having privileges than required on a privileged entity (user/computer). For example:
    1. a member within an accounting group having the privilege to “change password” for another privileged user
    2. CEO’s secretary having the privileges to RDP into a domain controller
  3. With the current privileges, the shortest path to a domain admin.

As you can see, the primary advantage of using this tool will be to gain in-depth insights into the complex potential attack paths, across an organization’s massive AD infrastructure.

In our next post, we would emphasize how we can identify (detect) and prevent potential threats using this tool across our environment. As some of the highlights illustrated below, the queries are multifaceted, but we would try to simplify the logic, to have an effective approach to detect threats.

Simple path (1):

More complex one (2):

OMG (3):