exploiting-active-directory-with-bloodhound

$npx mdskill add mukul975/Anthropic-Cybersecurity-Skills/exploiting-active-directory-with-bloodhound

Map hidden AD attack paths using graph theory.

  • Reveals privilege escalation chains from compromised accounts to Domain Admins.
  • Integrates with SharpHound to collect AD objects, ACLs, and group memberships.
  • Analyzes relationships to identify near-impossible manual discovery attack vectors.
  • Outputs visualized graphs of unintended connections within the environment.

SKILL.md

.github/skills/exploiting-active-directory-with-bloodhoundView on GitHub ↗
---
name: exploiting-active-directory-with-bloodhound
description: BloodHound is a graph-based Active Directory reconnaissance tool that uses graph theory to reveal hidden and unintended relationships within AD environments. Red teams use BloodHound to identify attac
domain: cybersecurity
subdomain: red-teaming
tags: [red-team, adversary-simulation, mitre-attack, exploitation, post-exploitation, active-directory, bloodhound]
version: "1.0"
author: mahipal
license: Apache-2.0
---
# Exploiting Active Directory with BloodHound


> **Legal Notice:** This skill is for authorized security testing and educational purposes only. Unauthorized use against systems you do not own or have written permission to test is illegal and may violate computer fraud laws.

## Overview

BloodHound is a graph-based Active Directory reconnaissance tool that uses graph theory to reveal hidden and unintended relationships within AD environments. Red teams use BloodHound to identify attack paths from compromised accounts to high-value targets such as Domain Admins, identifying privilege escalation chains that would be nearly impossible to find manually. SharpHound is the official data collector that gathers AD objects, relationships, ACLs, sessions, and group memberships.


## When to Use

- When performing authorized security testing that involves exploiting active directory with bloodhound
- When analyzing malware samples or attack artifacts in a controlled environment
- When conducting red team exercises or penetration testing engagements
- When building detection capabilities based on offensive technique understanding

## Prerequisites

- Familiarity with red teaming concepts and tools
- Access to a test or lab environment for safe execution
- Python 3.8+ with required dependencies installed
- Appropriate authorization for any testing activities

## Objectives

- Collect Active Directory relationship data using SharpHound or BloodHound.py
- Visualize attack paths from compromised accounts to Domain Admin
- Identify misconfigured ACLs, group memberships, and delegation settings
- Discover shortest attack paths to high-value targets
- Map Kerberos delegation configurations for abuse
- Document all identified privilege escalation chains

## MITRE ATT&CK Mapping

- **T1087.002** - Account Discovery: Domain Account
- **T1069.002** - Permission Groups Discovery: Domain Groups
- **T1482** - Domain Trust Discovery
- **T1615** - Group Policy Discovery
- **T1018** - Remote System Discovery
- **T1033** - System Owner/User Discovery
- **T1016** - System Network Configuration Discovery

## Workflow

### Phase 1: Data Collection with SharpHound
1. Transfer SharpHound collector to compromised host
2. Execute collection with appropriate method (All, DCOnly, Session, LoggedOn)
3. Collect from all reachable domains if multi-domain environment
4. Exfiltrate ZIP data files to analysis workstation
5. Import data into BloodHound CE or Legacy

### Phase 2: Attack Path Analysis
1. Mark owned principals (compromised accounts)
2. Query shortest path to Domain Admins
3. Identify Kerberoastable accounts with admin privileges
4. Find AS-REP Roastable accounts
5. Analyze ACL-based attack paths (GenericAll, GenericWrite, WriteDACL, ForceChangePassword)
6. Review GPO abuse opportunities

### Phase 3: Exploitation Planning
1. Prioritize attack paths by complexity and stealth
2. Identify required tools for each step in the chain
3. Plan OPSEC considerations for each technique
4. Execute identified attack chain
5. Document evidence at each step

## Tools and Resources

| Tool | Purpose | Platform |
|------|---------|----------|
| BloodHound CE | Graph visualization and analysis | Web-based |
| SharpHound | AD data collection (.NET) | Windows |
| BloodHound.py | AD data collection (Python) | Linux/Windows |
| Cypher queries | Custom graph queries | Neo4j/BloodHound |
| PlumHound | Automated BloodHound reporting | Python |
| Max (BloodHound) | BloodHound automation | Python |

## Key BloodHound Queries

| Query | Purpose |
|-------|---------|
| Shortest Path to Domain Admins | Find fastest route to DA |
| Find Kerberoastable Users with Path to DA | SPN accounts leading to DA |
| Find AS-REP Roastable Users | Accounts without pre-auth |
| Shortest Path from Owned Principals | Paths from compromised accounts |
| Find Computers with Unsupported OS | Legacy systems for exploitation |
| Find Users with DCSync Rights | Accounts that can replicate AD |
| Find GPOs that Modify Local Group Membership | GPO-based privilege escalation |

## Validation Criteria

- [ ] SharpHound data collected from all domains
- [ ] Attack paths identified from owned accounts to DA
- [ ] ACL-based attack paths documented
- [ ] Kerberoastable and AS-REP roastable accounts identified
- [ ] Exploitation plan created with prioritized paths
- [ ] Evidence screenshots captured for report

More from mukul975/Anthropic-Cybersecurity-Skills

SkillDescription
acquiring-disk-image-with-dd-and-dcflddCreate forensically sound bit-for-bit disk images using dd and dcfldd while preserving evidence integrity through hash verification.
analyzing-active-directory-acl-abuseDetect dangerous ACL misconfigurations in Active Directory using ldap3 to identify GenericAll, WriteDACL, and WriteOwner abuse paths
analyzing-android-malware-with-apktoolPerform static analysis of Android APK malware samples using apktool for decompilation, jadx for Java source recovery, and androguard for permission analysis, manifest inspection, and suspicious API call detection.
analyzing-api-gateway-access-logs>
analyzing-apt-group-with-mitre-navigatorAnalyze advanced persistent threat (APT) group techniques using MITRE ATT&CK Navigator to create layered heatmaps of adversary TTPs for detection gap analysis and threat-informed defense.
analyzing-azure-activity-logs-for-threats>
analyzing-bootkit-and-rootkit-samples>
analyzing-browser-forensics-with-hindsightAnalyze Chromium-based browser artifacts using Hindsight to extract browsing history, downloads, cookies, cached content, autofill data, saved passwords, and browser extensions from Chrome, Edge, Brave, and Opera for forensic investigation.
analyzing-campaign-attribution-evidenceCampaign attribution analysis involves systematically evaluating evidence to determine which threat actor or group is responsible for a cyber operation. This skill covers collecting and weighting attr
analyzing-certificate-transparency-for-phishingMonitor Certificate Transparency logs using crt.sh and Certstream to detect phishing domains, lookalike certificates, and unauthorized certificate issuance targeting your organization.