exploiting-active-directory-with-bloodhound - SKILL.md Agent Skill

name: exploiting-active-directory-with-bloodhound description: BloodHound is a graph-based Active Directory reconnaissance tool that uses graph theory to reveal hidden and unintended relationships within AD environments. Red teams use BloodHound to identify attac domain: cybersecurity subdomain: red-teaming tags:

red-team
adversary-simulation
mitre-attack
exploitation
post-exploitation
active-directory
bloodhound version: '1.0' author: mahipal license: Apache-2.0 d3fend_techniques:
Restore Access
Password Authentication
Biometric Authentication
Strong Password Policy
Restore User Account Access nist_csf:
ID.RA-01
GV.OV-02
DE.AE-07

Exploiting Active Directory with BloodHound

Legal Notice: This skill is for authorized security testing and educational purposes only. Unauthorized use against systems you do not own or have written permission to test is illegal and may violate computer fraud laws.

Overview

BloodHound is a graph-based Active Directory reconnaissance tool that uses graph theory to reveal hidden and unintended relationships within AD environments. Red teams use BloodHound to identify attack paths from compromised accounts to high-value targets such as Domain Admins, identifying privilege escalation chains that would be nearly impossible to find manually. SharpHound is the official data collector that gathers AD objects, relationships, ACLs, sessions, and group memberships.

When to Use

When performing authorized security testing that involves exploiting active directory with bloodhound
When analyzing malware samples or attack artifacts in a controlled environment
When conducting red team exercises or penetration testing engagements
When building detection capabilities based on offensive technique understanding

Most Often Missed & How to Confirm

Stale or missing session data. HasSession edges decay fast. Without -c Session (ideally looped), the token-theft path that actually reaches DA never appears in the graph.
Not marking owned principals. "Shortest Path from Owned Principals" returns nothing useful until compromised accounts are flagged Owned.
Trusting the path without checking edge primitives. A GenericAll/WriteDACL/AddKeyCredentialLink edge each needs a different exploit; the graph shows the relationship, not whether you can execute it right now.
Ignoring cross-domain/trust edges by collecting only the current domain.
Overlooking AddKeyCredentialLink / ReadGMSAPassword / ReadLAPSPassword edges that built-in queries don't surface — write custom Cypher.
How to confirm a path is real: ingest succeeds (object counts increase) and a shortestPath query from an Owned node to DOMAIN ADMINS@... returns a path. But a BloodHound edge is a hypothesis — confirm by executing the first hop (e.g. ForceChangePassword actually resets the target, or GenericAll lets you add yourself to the group). Don't conclude there's no route to DA until you've run looped Session collection and custom ACL/delegation/DCSync Cypher, not just the canned queries.

Prerequisites

Familiarity with red teaming concepts and tools
Access to a test or lab environment for safe execution
Python 3.8+ with required dependencies installed
Appropriate authorization for any testing activities

Objectives

Collect Active Directory relationship data using SharpHound or BloodHound.py
Visualize attack paths from compromised accounts to Domain Admin
Identify misconfigured ACLs, group memberships, and delegation settings
Discover shortest attack paths to high-value targets
Map Kerberos delegation configurations for abuse
Document all identified privilege escalation chains

MITRE ATT&CK Mapping

T1087.002 - Account Discovery: Domain Account
T1069.002 - Permission Groups Discovery: Domain Groups
T1482 - Domain Trust Discovery
T1615 - Group Policy Discovery
T1018 - Remote System Discovery
T1033 - System Owner/User Discovery
T1016 - System Network Configuration Discovery

Workflow

Phase 1: Data Collection with SharpHound

Transfer SharpHound collector to compromised host
Execute collection with appropriate method (All, DCOnly, Session, LoggedOn)
Collect from all reachable domains if multi-domain environment
Exfiltrate ZIP data files to analysis workstation
Import data into BloodHound CE or Legacy

Phase 2: Attack Path Analysis

Mark owned principals (compromised accounts)
Query shortest path to Domain Admins
Identify Kerberoastable accounts with admin privileges
Find AS-REP Roastable accounts
Analyze ACL-based attack paths (GenericAll, GenericWrite, WriteDACL, ForceChangePassword)
Review GPO abuse opportunities

Phase 3: Exploitation Planning

Prioritize attack paths by complexity and stealth
Identify required tools for each step in the chain
Plan OPSEC considerations for each technique
Execute identified attack chain
Document evidence at each step

Tools and Resources

Tool	Purpose	Platform
BloodHound CE	Graph visualization and analysis	Web-based
SharpHound	AD data collection (.NET)	Windows
BloodHound.py	AD data collection (Python)	Linux/Windows
Cypher queries	Custom graph queries	Neo4j/BloodHound
PlumHound	Automated BloodHound reporting	Python
Max (BloodHound)	BloodHound automation	Python

Key BloodHound Queries

Query	Purpose
Shortest Path to Domain Admins	Find fastest route to DA
Find Kerberoastable Users with Path to DA	SPN accounts leading to DA
Find AS-REP Roastable Users	Accounts without pre-auth
Shortest Path from Owned Principals	Paths from compromised accounts
Find Computers with Unsupported OS	Legacy systems for exploitation
Find Users with DCSync Rights	Accounts that can replicate AD
Find GPOs that Modify Local Group Membership	GPO-based privilege escalation

Validation Criteria

SharpHound data collected from all domains
Attack paths identified from owned accounts to DA
ACL-based attack paths documented
Kerberoastable and AS-REP roastable accounts identified
Exploitation plan created with prioritized paths
Evidence screenshots captured for report