Bloodhound and Active Directory fortifying mechanism

Akshay Jain
8 min readJun 19, 2020

Numerous flow has been noted in identifying vulnerable attack paths on a system utilizing Active Directory with many different methods and techniques. During this assessment, we’ll analyze a couple of Tools and Techniques, which are remodelled strategy for Active Directory assessment. We’ll analyze various methodologies to Find and exploiting/patching attack paths in your Active Directory environment. It finds relationships and connections within the targeted Active Directory (AD) domain to discover attack paths vectors.

It accomplished these tasks by utilizing the graph theory to locate the shortest path vector for an attacker or malicious user to traverse and access the internal directory system to elevate their privileges/rights within the domain. Bloodhound is a Web application that is accumulated with Electron so it runs as a Desktop application. Its actual force exists in the Neo4j database that it utilizes. Neo4j is an uncommon sort of database — it’s a diagram database that can without much of a stretch find connections and ascertain the briefest way between objects by utilizing its connections.

Bloodhound gathers information by utilizing an ingestor also known as SharpHound. It comes as a standard order line .exe or PowerShell content containing a similar get together as the .exe. As it runs, SharpHound gathers all the data it can about AD and its clients, Personal computer, and gatherings. It even gathers data about dynamic meetings, AD authorizations, and parts more by just utilizing the consents of a normal client. SharpHound provides a JSON file which is processed and is then pushed into the Neo4j database and is then visualized by the GUI. This can also be used by an attacker who can upload the files and then try to analyse these with Bloodhound. The application usage and its feature will be revealed in detail. A detailed description of methods and techniques will be described which can be used to aid in Active Directory assessment.


According to Dr Shwetav et al. An Active directory is a service utilized by Microsoft which is used as a directory tool, a directory is a tool which is used to hold the record of windows domain network, it is also used to store information related to network resource throughout the domain, it is marked as a tool and utilized by windows server operating system. Once the attacker has gained a shell inside your domain, the attacker will primarily aim to compromise their objective as soon as possible without getting noted. Whether the asset is sensitive data hosted on a directory server or allegedly exploiting the Domain Administrative account, the malicious user will first formulate a strategy to attack. This defines and involves the strategic movement of keys throughout the network, slowly increasing privileges at each stop. When an attacker has set up a solid footing inside the domain, their main objective is to understand their objective as fast as conceivable without recognition. Regardless of whether the objective is sensitive information put away on a file server or putt-off a Domain Admin account, the malicious agent should initially define an attack or technique. These frequent key movements are carried throughout the network, gradually expanding benefits at each stop by raising the privileges.

Bloodhound is a web-based application tool that is used to discover and anticipate paths within and Active Directory environment. It can locate the shortest path of attack from any account or an end system within the domain to a suitable target. This can act as a defensive tool that ensures there will be no suable paths to compromise condemning accounts and systems within an Active Directory environment. Bloodhound was developed with one purpose which is to find a relationship within an Active Directory (AD) domains to discover attack paths. It utilizes graph theory to find the shorted path for an attacker to Travers and escalate the privileges within the domain bounded by active directory. Bloodhound is compiled with Electron so that it runs as a desktop app without any restriction and loads. It is strengthened by the Neo4j database that it uses. Neo4j is a special kind of database it’s a NoSQL graph base database that can easily discover relationships and calculate the shortest path between objects by using its links. It displays outputs using JSON files that are then pushed into the Neo4j database and later visualized by the GUI unit. This also provides a means to upload these files and analyze them with Bloodhound elsewhere.

  1. 1 purpose In Active Directory exploitation, a basic step is the analysis of Group Policy Objects (GPOs). A key stage is the examination of Group Policy Objects (GPOs). For the most part, this movement is planned for recognizing the following:
  • Local group membership.
  • Misconfigurations that could allow further compromise, such as lack of SMB signing.
  • Password policies
  • Opportunities for lateral movement via misconfigurations of remote access policies and UAC
  • Privilege Assignment

The above-mentioned factors are crucial for an active directory placement and utilization within an account domain, the way toward parsing group policy objects is frequently monotonous and very tedious. Instruments like Grouper2 can radically diminish the necessary time, however, the volume of the yield is still very considerable. What is required was something that could be effortlessly incorporated with the current tooling that would help us understand the present condition rapidly while the attack surface manager adds a supportive capability for path identification, connection visibility, and threat control. It also provides the ability to analyze every possible and vulnerable path that can be critical and apply risk notation to identify vicious paths to eliminate the details that will be discussed further in detail in the article. There are five useful factors of information that can be extracted from Bloodhound

  • Local Administrators
  • Sessions
  • ACL’s
  • Unconstrained delegation
  • Shorten paths to domain admins


The data set/collection utilizes a PowerShell command utility to gather all the important and property objects and data which will be written into CSV files as output dietary. The PowerShell provides a powerful utility known as cmdlet called Get-DomainPolicyData that does all the heavy lifting for us. In a nutshell, what the aforementioned cmdlet does is parsing all the setting specified by GPOs and return PowerShell objects that represent them, Command notation of Bloodhound is mentioned below Get-DomainPolicyData -Policy all -Server dc01.hacker.lab -Domain zip grip -Credential $cred. Following Compromised Users and Computers: Bloodhound caches one property for each node by characterizing them as Name. Depending on the type of object it is, this can be classified as one of the following:

  • User’s name
  • Computer’s name
  • Group’s name
  • Domain’s name

To count the held/inherited Users and Computers, two factors can be defined for objects which are mentioned below:

  • Owned — This node can be compromised using LLMNR, Mimi Katz, and Password reuse.
  • Wave — The number speaking to the request where this hub was possessed (ex: 1, 2, 3, etc.)

These properties can be included in a predefined node utilizing Cipher. The two most straightforward alternatives for giving specially appointed Cipher questions are Bloodhound’s Raw Query highlight (at the base of the application), and Neo4j’s internet browser, it prescribes utilizing Neo4j’s internet browser to tinker.

Fig-1: Representation of connection to nodes.

The best feature of Bloodhound is its potential power to identify attack paths. This ability is astoundingly powerful and can be trusted to escalate privileges in an active directory domain. By predefining the analysis required to exploit.

Fig-2: Representation of the shortest attack path defined using Bloodhound.
Fig-3: Vulnerable system path identification

User to Exchange Trusted Subsystem: The above figure showcases that offense \spotless is admin to the DC01$ and could use Mimi Katz to take over the machine account hash to get an elevated shell where offense\administrator session is observed.

User to Domain Admin via AdminTo and member of spotless is an admin of the DC01$ whereas the admin session is established. If that defined session gets compromised, it makes the user spotless as a Domain.

Fig-4: Admin and Member vulnerable path.

User to Domain Admin via Weak ACEs: The client flawless can turn into a Domain Admin by manhandling powerless ACEs of the said gathering. Right now, the client flawless can add themselves to space administrators bunch with net gathering “area administrators” unblemished/include/area and it is game over

In bloodhound v1.2 a special feature is added to perform custom queries. This has the same working mechanism and works similar to adding a pre-developed query, but the configuration file has been decoupled from the project’s source code. Bloodhound can also be used to define a single/Isolated wave of node and define its intensity in the form of vales.

Fig-5: Custom query tab
  • Locate all possessed Domain Admins: Same as the “Discover all Domain Admins” inquiry, yet rather just show Users with the claimed property.
  • Find Shortest Paths from claimed hub to Domain Admins: Same as the “Find Shortest Paths to domain Admins” inquiry, yet rather just show ways starting from a possessed hub.
  • Show wave: Show just the hubs traded off in a chose wave. Valuable for concentrating in on recently undermined hubs.
  • Show delta for wave: Show all undermined hubs up to a chose wave, and will feature the hubs picked up in that wave. Valuable for picturing benefit gains as access extends.

3. Protective measure: Despite being vulnerable to many exploits and attack active directory can be fortified using simple measures. Reduce information exposure — Through privilege management, an active directory users and groups, GPOs, and other domain objects that hold the actual credentials placed in or around the directory can be safeguarded where in built-in security features like Credentialprotection and Remote Credential protection in Win10 Pro & Enterprise/2016 can be utilized to safeguard the active directory. Monitor- The active directory and domain accounts should be actively monitored by utilizing an active directory auditing tool. The logs generated by the auditing tool can be accessed to check any violation and abusing of any service running on board.

Harden privileged groups: privileges in a group can be hardened and should be avoided by accessing by all, the appointment of full-control or compose of the gathering’s part credit ought to be limited to other advantaged clients at the equivalent or higher benefit level. Harden privileged users: The user-related setting and operations like reset password, take ownership or full control permissions and should be firmly controlled to different clients at a similar benefit level. Harden Group policies: Group policies that manage and grant privileges to access should be handled with care and need to avoid any world-readable access and the policies that contain security settings should be restricted on reads by any account should be handled only by the domain controlling privileged account.


In this paper, several prospects about the Bloodhound tool and defensive mechanism to protect Active directory and some basic techniques can be used to identify vulnerable nodes and exploitable active directory paths. And by using some vulnerable Active directory we collect basic information about vulnerable paths. Also, we can use these tools in cybersecurity and penetration testing to safeguard Active directory.

Wanna connect:



you can also visit my GitHub account: