Active Directory is one of the most critical parts of a Windows-based network. It controls user access, permissions, and trust relationships. Because of its importance, it’s also a major target during internal attacks.
Index
- BloodHound - Enumerating Active Directory
- BloodHound - Attacking Active Directory
- BloodHound - Detection and Mitigation
BloodHound is a tool that helps attackers and defenders understand how privileges and access rights are structured in an AD environment. It builds a graph showing paths from regular users to high-privileged accounts, making it easier to plan attacks or fix weak points.
In this series, we will look at how BloodHound works, how attackers use it, how to collect its data safely, and how defenders can detect and respond to it.
1. BloodHound - Enumerating Active Directory
Here we will explore different ways to collect data for BloodHound. We will compare noisy methods, such as a full collection with SharpHound, with stealthier approaches that reduce the chance of detection, including built-in Windows tools and manual collection techniques. You’ll understand which methods are better suited to different scenarios.

2. BloodHound - Attacking Active Directory
This article will focus on how attackers use BloodHound data to find and exploit privilege relationships. We will go through common techniques, such as abusing GenericAll or AddMember permissions, and show how small misconfigurations can lead to full domain compromise. You’ll also see how attack paths are shortened by chaining multiple steps.

3. BloodHound - Detection and Mitigation
This part covers how to detect BloodHound activity using EDR and SIEM tools. We’ll explain how to tune detections, look for behavioral signs, and catch both noisy and quiet enumeration attempts. It also includes tips for reducing the attack surface by changing how permissions are assigned, and for hardening your AD setup.

Note: The notes for all three parts are still being prepared and will be posted here soon.