
AD enumeration and BloodHound.

Before any attack on Active Directory comes enumeration: collecting every user, group, permission, and trust, then turning that pile of data into a map of attack paths. BloodHound is the tool that draws the map. Here is what it sees and why defenders should run it too.

TL;DR

Enumeration is the reconnaissance phase of an Active Directory attack: reading the directory to list users, groups, computers, sessions, and permissions, most of which any authenticated user can query over LDAP. BloodHound ingests that data and renders it as a graph, then finds the shortest path from an account you control to Domain Admin by following abusable rights like GenericAll, WriteDACL, and group membership. Because the same query that helps an attacker helps a defender, mapping your own graph is one of the highest-value AD security exercises.

By John Dill, Red Team Lead, SecureLayer7

What enumeration collects

Active Directory is, by design, readable. Any authenticated account can query the directory over LDAP and pull back a large amount of structure:

  • Users and groups, including who belongs to privileged groups like Domain Admins.
  • Computers, operating systems, and which ones are Domain Controllers.
  • Sessions: which users are currently logged in to which machines, which reveals where privileged credentials are exposed.
  • Permissions (ACLs): who can reset whose password, modify whose group membership, or edit which object.
  • Trusts between domains and forests.

Tooling like the PowerShell module PowerView and the SharpHound collector automate this gathering.

What BloodHound does with it

BloodHound takes the collected data and stores it as a graph: nodes are users, groups, and computers; edges are relationships like "is a member of," "can reset the password of," or "has a session on."

The power is the query "shortest path to Domain Admins." Instead of a human eyeballing thousands of permissions, BloodHound highlights the exact chain: *your user* can write to *this group*, which can reset *this admin account*, which is a member of *Domain Admins*. What looked like noise becomes a three-hop route to total control.

The abusable rights to recognise

A handful of permission edges turn up again and again as the rungs of the ladder:

  • GenericAll / GenericWrite: full or broad control over an object, often enough to reset its password or grab its credentials.
  • WriteDACL: the right to rewrite an object’s permissions, so you grant yourself whatever access you need.
  • AddMember: the right to add accounts to a group, including privileged groups.
  • ForceChangePassword: reset another user’s password without knowing the old one.

Individually these are normal delegated-admin features. Strung together by BloodHound, they are an attack path.

Why defenders run it first

The same map an attacker builds after breaking in, a defender can build any time. Running BloodHound against your own directory surfaces the unintended paths: the helpdesk group that can reset a domain admin, the stale service account everyone forgot had WriteDACL on a sensitive OU.

Fixing the graph means cutting edges: removing a needless permission or emptying an over-privileged group, so that the shortest path to Domain Admin gets longer or disappears altogether. That is far more effective than hardening individual machines one at a time.
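The following is an added example, not code from the original page and not BloodHound's own implementation (which stores the graph in Neo4j and answers Cypher queries). It shows, on a small hand-constructed graph, the three ideas the sections above describe: relationships stored as typed edges, "shortest path to Domain Admins" found by breadth-first search, and the defender's remediation loop of cutting one edge and re-running the query to confirm the path is gone. The domain name, principals and permissions in the sample are invented for illustration.

```python
"""Toy BloodHound-style attack-path finder and remediation check.

Nodes are users, groups and computers; a directed edge (source, kind, target)
means "source holds the abusable relationship `kind` over target".  The graph
below is constructed sample data for a hypothetical CORP.LOCAL domain, not
real directory output.
"""
from collections import deque

DOMAIN_ADMINS = "DOMAIN ADMINS@corp.local"

# Constructed sample edges, using the edge names BloodHound itself uses.
SAMPLE_EDGES = [
    ("alice@corp.local", "MemberOf", "HELPDESK@corp.local"),
    ("HELPDESK@corp.local", "ForceChangePassword", "svc_backup@corp.local"),
    ("svc_backup@corp.local", "WriteDacl", "IT_ADMINS@corp.local"),
    ("IT_ADMINS@corp.local", "MemberOf", DOMAIN_ADMINS),
    ("bob@corp.local", "MemberOf", "WORKSTATION_ADMINS@corp.local"),
    ("WORKSTATION_ADMINS@corp.local", "AdminTo", "WS01.corp.local"),
    ("WS01.corp.local", "HasSession", "da_user@corp.local"),   # exposed credential
    ("da_user@corp.local", "MemberOf", DOMAIN_ADMINS),
    ("carol@corp.local", "MemberOf", "FINANCE@corp.local"),
]

# The low-privilege accounts whose reach we want to measure (constructed).
SAMPLE_USERS = ["alice@corp.local", "bob@corp.local", "carol@corp.local"]


def build_graph(edges):
    """Adjacency list: node -> list of (edge_kind, target_node)."""
    adj = {}
    for src, kind, dst in edges:
        adj.setdefault(src, []).append((kind, dst))
        adj.setdefault(dst, [])
    return adj


def shortest_path(adj, start, target):
    """Breadth-first search; returns the hop list [(src, kind, dst), ...]
    of the fewest-edge route from start to target, or None if unreachable."""
    if start not in adj or target not in adj:
        return None
    prev = {start: None}          # node -> (parent, edge_kind) that reached it
    queue = deque([start])
    while queue:
        node = queue.popleft()
        if node == target:
            break
        for kind, nxt in adj[node]:
            if nxt not in prev:
                prev[nxt] = (node, kind)
                queue.append(nxt)
    if target not in prev:
        return None
    hops, cur = [], target
    while prev[cur] is not None:  # walk parents back to the start
        parent, kind = prev[cur]
        hops.append((parent, kind, cur))
        cur = parent
    hops.reverse()
    return hops


def format_path(hops):
    """Render a path the way BloodHound narrates it."""
    return " -> ".join(f"{src} -[{kind}]-> {dst}" for src, kind, dst in hops)


def exposed_users(edges, users, target=DOMAIN_ADMINS):
    """Defender view: hop count to the target group per user (None = no path)."""
    adj = build_graph(edges)
    result = {}
    for user in users:
        path = shortest_path(adj, user, target)
        result[user] = None if path is None else len(path)
    return result


def without_edge(edges, src, kind, dst):
    """Simulate a remediation: drop one permission edge and return the new graph."""
    return [e for e in edges if e != (src, kind, dst)]


if __name__ == "__main__":
    adj = build_graph(SAMPLE_EDGES)
    for user in SAMPLE_USERS:
        path = shortest_path(adj, user, DOMAIN_ADMINS)
        print(user, "->", format_path(path) if path else "no path")
    # Cut the helpdesk password-reset right and confirm alice's route is gone.
    fixed = without_edge(SAMPLE_EDGES, "HELPDESK@corp.local",
                         "ForceChangePassword", "svc_backup@corp.local")
    print("after fix:", exposed_users(fixed, SAMPLE_USERS))
```

Run it as a script to see each sample user's narrated path; the `exposed_users` call after the cut shows alice dropping to "no path" while bob's session-based route survives, which is the point of re-running the query after every change rather than assuming one fix closed the graph.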
