bloodhound, measuring how exposed a domain is

I recently watched a talk about a tool I’ve known about for a while and just haven’t gotten to on my to-do list. I used the output of the tool briefly on a HackTheBox.eu target with much success. And after watching the talk at SecDSM, I’ve gotten excited again about employing this at work someday.

BloodHound, by researchers at SpecterOps, is a tool that exposes Active Directory permissions and relationships, with the goal of achieving Domain Admin (DA) or other high-value access in AD to pwn the domain entirely and win the game. This might sound unexciting if you only think about accounts, groups, and group memberships. But BloodHound goes deeper and wider by looking at the actual underlying AD object permissions and how those objects relate to various computers in the domain.

During the talk linked above, one of the best parts is near the end, when they talk about metrics. I really loved these metrics, which effectively measure how much exposure the domain has and how much effort an attacker will have to exert to pwn the environment with regard to AD permissions. They also illustrate opportunities to detect the attackers.

  • Users with Path to DA (target: 5%) – The lower, the better, as you really don’t want to think that every user that could be compromised could lead to the end of the domain.
  • Computers with Path to DA (target: 5%) – Same story here, you don’t want to think most systems are just a few hops away from DA. Even a single malware/phishing success is dire!
  • Average Path to DA Length (target: 5) – The longer the better, as you want attackers to go through as many steps as possible to get DA.
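
To make the three metrics concrete, here is an added example (not code from the talk or from BloodHound itself) that computes them over a small constructed graph. The node names and edges are made up; the edge types mirror BloodHound's MemberOf, AdminTo and HasSession relationships, and averaging shortest paths over users and computers together is an assumption.

```python
from collections import deque

# Constructed sample graph: (source, edge type, target). Direction follows
# BloodHound's convention: the source can reach or control the target.
EDGES = [
    ("alice", "MemberOf", "HELPDESK"),
    ("HELPDESK", "AdminTo", "WS01"),
    ("WS01", "HasSession", "svc_backup"),
    ("svc_backup", "MemberOf", "DOMAIN ADMINS"),
    ("bob", "AdminTo", "WS02"),
    ("carol", "MemberOf", "DOMAIN ADMINS"),
    ("SRV01", "HasSession", "carol"),
]
NODE_TYPES = {
    "alice": "User", "bob": "User", "carol": "User", "svc_backup": "User", "dave": "User",
    "WS01": "Computer", "WS02": "Computer", "SRV01": "Computer",
    "HELPDESK": "Group", "DOMAIN ADMINS": "Group",
}

def hops_to_target(edges, target):
    """Shortest hop count from every node that can reach target (reverse BFS)."""
    incoming = {}
    for src, _kind, dst in edges:
        incoming.setdefault(dst, []).append(src)
    dist = {target: 0}
    queue = deque([target])
    while queue:
        node = queue.popleft()
        for pred in incoming.get(node, []):
            if pred not in dist:
                dist[pred] = dist[node] + 1
                queue.append(pred)
    return dist

def exposure_metrics(edges, node_types, target="DOMAIN ADMINS"):
    dist = hops_to_target(edges, target)
    def pct(kind):
        nodes = [n for n, t in node_types.items() if t == kind]
        return 100.0 * sum(n in dist for n in nodes) / len(nodes)
    # Assumption: average the shortest path over users and computers with a path.
    lengths = [d for n, d in dist.items() if node_types[n] in ("User", "Computer")]
    return {
        "users_with_path_pct": pct("User"),
        "computers_with_path_pct": pct("Computer"),
        "avg_path_length": sum(lengths) / len(lengths),
    }

if __name__ == "__main__":
    print(exposure_metrics(EDGES, NODE_TYPES))
```

On this toy domain every number misses the targets above: 60% of users and about 67% of computers have a path to DA, and the average path is only 2 hops. Removing the `svc_backup` session on `WS01` would cut `alice` and `WS01` off entirely, which is the kind of change these metrics let you track over time.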
