HackCert
Intermediate 12 min read May 25, 2026

BloodHound Analysis: Analyzing Active Directory Vulnerabilities from a Hacker's Perspective

Learn how attackers and defenders use BloodHound to map complex attack paths, expose hidden privileges, and secure Active Directory environments.

Rokibul Islam
Red Team Operator
Overview

Microsoft Active Directory (AD) is the identity and access management backbone for the vast majority of enterprise networks worldwide. It governs everything from user logins and email access to the authorization of mission-critical databases and servers. Because of its central role, Active Directory is the primary target for advanced persistent threats (APTs) and ransomware operators once they breach an organization's perimeter. However, securing AD is notoriously difficult. Over years of organic growth, personnel changes, and complex system integrations, the permissions and trust relationships within an AD environment become an incomprehensible, tangled web. Administrators often grant excessive privileges simply to make legacy applications work, unknowingly creating invisible highways for attackers.

Enter BloodHound. Released as an open-source tool by security researchers at SpecterOps, BloodHound revolutionized how both attackers (Red Teams) and defenders (Blue Teams) view Active Directory. BloodHound utilizes Graph Theory to reveal the hidden and often unintended relationships within an AD environment. By mapping users, groups, computers, and complex access control lists (ACLs) as nodes and edges in a graph database (Neo4j), BloodHound visualizes complex attack paths. It allows a security professional to quickly answer the most dangerous question in an enterprise network: "How many steps does it take for a low-privileged intern to become a Domain Admin?"

This comprehensive guide explores the mechanics of BloodHound Analysis. We will delve into how BloodHound collects its data, understand the core concepts of graph theory applied to Active Directory security, analyze real-world scenarios where BloodHound revealed catastrophic privilege escalation paths, and provide actionable strategies for defenders to proactively utilize BloodHound to eradicate these attack vectors before malicious actors can exploit them.

Core Concepts

To master BloodHound, one must understand how it gathers data from the target environment and how it translates the complex reality of Active Directory permissions into a mathematical graph.

The Ingestors (SharpHound)

BloodHound is a visualization tool; it requires data to function. This data is collected by an "ingestor," the most common being SharpHound.

  • The Collection Process: SharpHound is a C# executable (or PowerShell script) run from a domain-joined machine. Crucially, it does not require Domain Admin privileges. Any standard, authenticated domain user has the inherent right to query Active Directory via LDAP (Lightweight Directory Access Protocol) to find other users, groups, and computers.
  • What it Collects: SharpHound queries AD to map group memberships (who belongs to the 'Domain Admins' group?), active user sessions (who is currently logged into 'Server-01'?), local administrative rights (is the 'Helpdesk' group a local admin on 'Workstation-A'?), and Access Control Lists (ACLs) governing object permissions.
  • Stealth vs. Speed: SharpHound can be configured to run stealthily, slowly gathering data to avoid triggering security alerts (like excessive LDAP queries or suspicious SMB connections used for session enumeration), or it can run aggressively for a rapid "smash-and-grab" data collection during a time-boxed penetration test.

Graph Theory and Active Directory

Once SharpHound collects the raw data (saving it as JSON files), it is imported into the BloodHound GUI, which relies on a Neo4j graph database backend.

  • Nodes (Vertices): In the BloodHound graph, nodes represent the entities within Active Directory. Common nodes include Users (e.g., JDOE@DOMAIN.LOCAL), Computers (SRV-SQL-01.DOMAIN.LOCAL), Groups (Domain Admins), and Domains (DOMAIN.LOCAL).
  • Edges (Relationships): Edges represent the privileges, permissions, or logical connections between the nodes. This is where the true power of BloodHound lies. Common edges include:
    • MemberOf: User JDOE is a member of the Helpdesk Group.
    • AdminTo: The Helpdesk Group has local administrator rights on Computer SRV-SQL-01.
    • HasSession: User JDOE is currently logged into Computer SRV-SQL-01.
    • GenericAll / ForceChangePassword: Edges derived from ACL permissions. GenericAll means the source has full control over the target object; ForceChangePassword means the source can reset the target user's password without knowing the current one. Either lets the holder take over the target account.

The Attack Path (Derivative Local Admin)

By connecting these nodes and edges, BloodHound automatically calculates attack paths. The most classic path is the "Derivative Local Admin." Imagine User A is a standard user but has local admin rights on Machine 1. User B is a Domain Admin who happens to be logged into Machine 1 to perform maintenance. BloodHound will visualize this path: If an attacker compromises User A, they can take over Machine 1. Because User B (the Domain Admin) has an active session on Machine 1, the attacker can use tools like Mimikatz to dump User B's credentials from the machine's memory (LSASS). The attacker has now escalated from a standard user to a Domain Admin in two steps. BloodHound makes this complex, multi-hop relationship instantly visible.
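To make the node/edge model and the path calculation concrete, here is a small added Python example (not part of the article, and not BloodHound or SharpHound code). It stores a constructed edge list in BloodHound's vocabulary, including a derivative local admin chain and a nested-group ForceChangePassword chain, and uses a breadth-first search to find the fewest-hop path from a user to Domain Admins, which is the question BloodHound's shortest-path queries answer; all node names are made up for the example.

```python
from collections import deque

# Constructed BloodHound-style edge list for this example (not SharpHound output): each tuple
# is (source, edge type, target). As in BloodHound, HasSession points from the computer to the user.
EDGES = [
    ("ALICE@DOMAIN.LOCAL", "MemberOf", "HELPDESK@DOMAIN.LOCAL"),
    ("HELPDESK@DOMAIN.LOCAL", "AdminTo", "WS-01.DOMAIN.LOCAL"),
    ("WS-01.DOMAIN.LOCAL", "HasSession", "BOB@DOMAIN.LOCAL"),
    ("BOB@DOMAIN.LOCAL", "MemberOf", "DOMAIN ADMINS@DOMAIN.LOCAL"),
    ("CAROL@DOMAIN.LOCAL", "MemberOf", "CS-USERS@DOMAIN.LOCAL"),
    ("CS-USERS@DOMAIN.LOCAL", "MemberOf", "OLD-APP-SUPPORT@DOMAIN.LOCAL"),
    ("OLD-APP-SUPPORT@DOMAIN.LOCAL", "ForceChangePassword", "SVC-IT@DOMAIN.LOCAL"),
    ("SVC-IT@DOMAIN.LOCAL", "MemberOf", "DOMAIN ADMINS@DOMAIN.LOCAL"),
    ("DAVE@DOMAIN.LOCAL", "MemberOf", "FINANCE@DOMAIN.LOCAL"),   # dead end: no route onward
]
DOMAIN_ADMINS = "DOMAIN ADMINS@DOMAIN.LOCAL"

def shortest_path(edges, start, target):
    """Breadth-first search over the directed graph. Returns the fewest-hop route as a
    list of (source, edge type, target) tuples, or None when target is unreachable."""
    graph = {}                       # adjacency list: node -> [(edge type, target), ...]
    for src, kind, dst in edges:
        graph.setdefault(src, []).append((kind, dst))
    parent = {start: None}           # node -> (previous node, edge type taken to get here)
    queue = deque([start])
    while queue:
        node = queue.popleft()
        if node == target:           # walk the parent chain back to the start node
            hops = []
            while parent[node] is not None:
                prev, kind = parent[node]
                hops.append((prev, kind, node))
                node = prev
            return hops[::-1]
        for kind, nxt in graph.get(node, []):
            if nxt not in parent:    # first visit is the shortest distance in BFS
                parent[nxt] = (node, kind)
                queue.append(nxt)
    return None

def format_path(hops):
    """Render hops in the arrow notation used in the text: A -> MemberOf (B) -> ..."""
    if not hops:
        return "no path"
    return hops[0][0] + "".join(f" -> {kind} ({dst})" for _, kind, dst in hops)

if __name__ == "__main__":
    for user in ("ALICE@DOMAIN.LOCAL", "CAROL@DOMAIN.LOCAL", "DAVE@DOMAIN.LOCAL"):
        print(user, "=>", format_path(shortest_path(EDGES, user, DOMAIN_ADMINS)))
```

Running it prints ALICE's four-hop route through the HasSession edge on WS-01, CAROL's nested-group route through ForceChangePassword, and "no path" for DAVE.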

Real-world Examples

BloodHound has become the de facto standard for identifying Active Directory vulnerabilities. It routinely uncovers highly complex attack paths that traditional auditing tools miss entirely.

The Unintended Nested Group Compromise

During a Red Team engagement for a large financial institution, the security team achieved initial access by compromising a low-level customer service representative's workstation. Traditional Active Directory auditing tools showed that this user belonged to only a few basic, low-privileged groups.

However, after running SharpHound and importing the data, BloodHound revealed a catastrophic, hidden attack path. The customer service user was in a group called "CS-Users". Unbeknownst to the current IT staff, years prior, "CS-Users" had been nested inside a deprecated legacy group called "Old-App-Support". Furthermore, a misconfigured ACL granted "Old-App-Support" the ForceChangePassword right over an IT service account. Finally, that service account was a member of the elite "Domain Admins" group.

BloodHound instantly visualized this four-hop path: Customer Service User -> MemberOf (CS-Users) -> MemberOf (Old-App-Support) -> ForceChangePassword (IT Service Account) -> MemberOf (Domain Admins). The Red Team easily followed this path, changed the password of the service account, and achieved total domain compromise within hours. Without BloodHound mapping the complex nesting and obscure ACLs, this path would have remained invisible to both the attackers and the defenders.

Exploiting LAPS Misconfigurations

Microsoft's Local Administrator Password Solution (LAPS) is a critical security tool designed to randomize the local Administrator password on every computer in a domain, preventing attackers from using a single stolen local admin password to move laterally across all machines.

In one real-world scenario, an organization diligently deployed LAPS across their entire environment. They believed they were secure against lateral movement. However, BloodHound analysis revealed a critical flaw in their implementation.

LAPS stores the randomized passwords in plain text within a specific attribute (ms-Mcs-AdmPwd) on the computer object within Active Directory. The security of LAPS relies on strictly configuring the ACLs so that only highly privileged users (like Domain Admins) can read this attribute. BloodHound revealed that due to a copy-paste error during a script deployment, a massive group—the "All Employees" group—had been granted the ReadLAPSPassword permission on all workstation objects. BloodHound visually demonstrated that any compromised standard user account could simply query Active Directory, read the local admin password for any workstation, and instantly compromise the entire fleet.

The "HasSession" Chaining for Ransomware Deployment

Modern ransomware operators (like the Conti or LockBit affiliates) heavily utilize BloodHound to maximize their impact. Their goal is not just to compromise a few machines, but to deploy the ransomware across the entire enterprise simultaneously. To do this, they need highly privileged credentials.

After breaching the perimeter (e.g., via a phishing email), the attackers run SharpHound stealthily. They use BloodHound's pre-built queries to map the shortest path to Domain Admin. They specifically look for HasSession edges. If a highly privileged IT administrator uses their Domain Admin credentials to log into a lower-tier server (perhaps to fix a printer issue), they leave an active session and a credential artifact behind in memory.

The attackers use BloodHound to find the path to that specific server. They move laterally, compromise the server, dump the Domain Admin credentials from the active session, and then use those credentials to deploy their ransomware via Group Policy (GPO) to every machine in the domain, causing massive, unrecoverable damage.

Best Practices & Mitigation

The true power of BloodHound is realized when it is adopted by Blue Teams. By proactively running BloodHound in their own environments, defenders can identify and eliminate attack paths before malicious actors exploit them.

Proactive Continuous Analysis

Defenders must use BloodHound as a continuous monitoring and auditing tool, not just a one-time exercise.

  • Regular Ingestion: Schedule SharpHound to run on a regular basis (e.g., weekly or monthly) and import the data into a dedicated Blue Team BloodHound instance.
  • Track Changes Over Time: Use BloodHound to monitor how the attack surface evolves. Did a recent software deployment accidentally grant a service account excessive permissions? BloodHound will instantly visualize this new attack path, allowing the security team to investigate and remediate the issue rapidly.
  • Identify and Protect Tier 0 Assets: In Active Directory tiering, Tier 0 represents the most critical assets (Domain Controllers, Domain Admins, PKI infrastructure). Defenders must use BloodHound to identify every single path that leads to Tier 0 and ruthlessly eliminate any path originating from lower tiers (workstations or standard users).

Implement Tiered Administration

BloodHound frequently highlights the dangers of credential exposure via active sessions. The most effective mitigation is implementing Microsoft's Tiered Administrative Model.

  • Strict Separation: Divide the IT infrastructure into strict tiers (Tier 0 for Domain Controllers, Tier 1 for Servers, Tier 2 for Workstations).
  • Enforce Logon Restrictions: A Tier 0 administrator (Domain Admin) must never be allowed to log into a Tier 1 or Tier 2 machine. If a Domain Admin logs into a standard workstation, their credentials are now vulnerable to being dumped by an attacker who compromises that workstation. By strictly enforcing these logon boundaries (via Authentication Policies or GPO), you eliminate the HasSession edges that attackers rely on for lateral movement and privilege escalation.

Eradicate Misconfigured ACLs and Nested Groups

Active Directory ACLs are notoriously complex and easy to misconfigure.

  • Audit GenericAll and WriteDacl: Use BloodHound to specifically search for edges like GenericAll (total control), WriteDacl (ability to change permissions), or ForceChangePassword originating from non-privileged groups and pointing towards privileged users or groups. These represent immediate, high-severity vulnerabilities that must be remediated by fixing the ACLs in Active Directory Users and Computers (ADUC).
  • Flatten Group Structures: Complex, deeply nested groups are impossible to audit manually and frequently obscure excessive privileges (as seen in the "Old-App-Support" example). Organizations should strive to flatten their group structures, making permission assignments explicit and easily understandable without the need for a graph database.
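An added Python example (not the article's or BloodHound's own code) of the ACL audit described above: it expands nested MemberOf edges, treats any principal that lands in a Tier 0 group as privileged, and flags GenericAll, WriteDacl or ForceChangePassword edges held by a non-Tier-0 principal against a Tier 0 target, together with the principals that inherit the edge through nesting. The edge list and the Tier 0 set are constructed for the example.

```python
# Constructed edge list for this example (not SharpHound output): (source, edge type, target).
EDGES = [
    ("CAROL@DOMAIN.LOCAL", "MemberOf", "CS-USERS@DOMAIN.LOCAL"),
    ("CS-USERS@DOMAIN.LOCAL", "MemberOf", "OLD-APP-SUPPORT@DOMAIN.LOCAL"),
    ("OLD-APP-SUPPORT@DOMAIN.LOCAL", "ForceChangePassword", "SVC-IT@DOMAIN.LOCAL"),
    ("SVC-IT@DOMAIN.LOCAL", "MemberOf", "DOMAIN ADMINS@DOMAIN.LOCAL"),
    ("HELPDESK@DOMAIN.LOCAL", "GenericAll", "JDOE@DOMAIN.LOCAL"),        # target is not Tier 0
    ("DOMAIN ADMINS@DOMAIN.LOCAL", "WriteDacl", "SVC-IT@DOMAIN.LOCAL"),  # source is already Tier 0
]

# Edge types the text singles out as immediate, high-severity findings.
DANGEROUS_ACL_EDGES = {"GenericAll", "WriteDacl", "ForceChangePassword"}
# Tier 0 groups; constructed for the example, extend with your own (e.g. Enterprise Admins).
TIER0_GROUPS = {"DOMAIN ADMINS@DOMAIN.LOCAL"}

def member_closure(edges, principal):
    """Every group the principal belongs to, following nested MemberOf edges."""
    direct = {}
    for src, kind, dst in edges:
        if kind == "MemberOf":
            direct.setdefault(src, set()).add(dst)
    seen, stack = set(), [principal]
    while stack:
        for group in direct.get(stack.pop(), ()):
            if group not in seen:
                seen.add(group)
                stack.append(group)
    return seen

def is_tier0(edges, principal):
    return principal in TIER0_GROUPS or bool(member_closure(edges, principal) & TIER0_GROUPS)

def inheritors(edges, group):
    """Principals that inherit a right granted to `group` through group nesting."""
    nodes = {n for src, _, dst in edges for n in (src, dst)}
    return sorted(n for n in nodes if n != group and group in member_closure(edges, n))

def audit_acl_edges(edges):
    """Dangerous ACL edges whose holder is outside Tier 0 but whose target is inside it.
    Returns [(source, edge type, target, [principals that inherit the edge]), ...]."""
    findings = []
    for src, kind, dst in edges:
        if kind in DANGEROUS_ACL_EDGES and not is_tier0(edges, src) and is_tier0(edges, dst):
            findings.append((src, kind, dst, inheritors(edges, src)))
    return findings

if __name__ == "__main__":
    for src, kind, dst, via in audit_acl_edges(EDGES):
        print(f"{src} --{kind}--> {dst} (Tier 0); also held by: {', '.join(via) or 'nobody'}")
```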

Secure Local Administrator Privileges

The "Derivative Local Admin" path is the most common route to domain compromise.

  • Eliminate Broad Local Admin Rights: Standard users should never have local administrator rights on their workstations. Furthermore, Helpdesk or support groups should not have blanket local admin rights across the entire domain.
  • Implement LAPS Correctly: Utilize Microsoft LAPS to randomize local administrator passwords, but crucially, use BloodHound to verify that the ACLs governing the LAPS passwords are strictly controlled, ensuring that only authorized IT staff can read them.

Key Takeaways

BloodHound has fundamentally altered the landscape of Active Directory security. By translating the opaque, labyrinthine structures of AD permissions and user sessions into clear, visual graph representations, it exposes the reality of an organization's security posture. It vividly demonstrates that in a complex network, absolute security is an illusion, and attack paths exist even in well-maintained environments.

For attackers, BloodHound is the ultimate reconnaissance tool, illuminating the path of least resistance to total domain compromise. For defenders, however, it is an indispensable defensive weapon. Organizations that fail to map their own networks with BloodHound are essentially operating blindly, leaving the door wide open for ransomware operators and advanced persistent threats to discover and exploit hidden vulnerabilities. True Active Directory resilience requires Blue Teams to adopt an attacker's perspective, continuously running BloodHound analysis to identify excessive privileges, enforce strict administrative tiering, and systematically dismantle the invisible attack paths before they can be weaponized.
