BloodHound – Tracking Down Vulnerabilities in Active Directory
Philipp Löw | 12.05.2022 (updated on: 09.09.2024)

A modern Active Directory environment consists of many different components. There are clients, servers, databases, users, applications and much more. It is easy to lose track of everything (especially as a Red Team). The BloodHound tool can help here.

What Is “BloodHound”?

As the name suggests, BloodHound sniffs its way through an Active Directory environment: it enumerates users, groups, computers and other objects and uncovers the relationships between them, such as group memberships, local administrator rights, logon sessions and access rights (ACLs).

BloodHound stores the results in a graph database and displays them as a graph, so that the user can see at a glance what they are dealing with. Moreover, BloodHound can provide additional information about the individual nodes, such as group memberships, assistance for lateral movement or hints on how to remediate a weakness. Another useful feature is the display of the shortest path between two targets, for example from a compromised user to the Domain Admins group.

Representation of Relationships to an AD Domain Admin in BloodHound

How Does “BloodHound” Work?

Technically, a collector called SharpHound is run on a host inside the environment that the attacker already controls (a domain-joined machine or any machine with valid domain credentials). It enumerates the Active Directory environment, mainly over LDAP and via SMB/RPC connections to the individual hosts for logon sessions and local group memberships, and writes the collected objects and relationships to JSON files (usually bundled into a ZIP archive). BloodHound itself takes these files as input and imports them into a Neo4j graph database. Note that collection is noisy: the many LDAP queries and the SMB connections to every reachable host are visible to EDR and network monitoring, and the SharpHound binary itself is flagged by most antivirus products.

The tool ships with a number of predefined queries (for example the shortest paths to Domain Admins or to high value targets), which help to find your way around quickly. It is also possible to write your own, sometimes very complex, Cypher queries against the Neo4j database in order to get precisely the results you need.

Furthermore, individual nodes can be marked as compromised (“owned”) or as a so-called high value target, for example. BloodHound then uses these markings in queries such as the shortest paths from owned principals to high value targets.

BloodHound also gives the user useful information about each edge between two nodes. This includes a general description of the relationship as well as how it can be abused as an attack vector.
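To make the graph logic concrete, here is an added example that is not part of the original post or of the BloodHound project: a small Python script that does on a constructed edge list what BloodHound's shortest-path and owned/high-value queries do in Neo4j. The domain CORP.LOCAL, all principals and all edges are made up for illustration, and the edge list is a simplification of what SharpHound actually emits (real output is JSON per object type with ACEs, sessions and local groups, which BloodHound turns into edges on import).

```python
"""
Added example (not BloodHound's own code): a toy version of the graph logic
BloodHound runs in Neo4j, applied to a constructed, SharpHound-style edge list.
Domain (CORP.LOCAL), node names and edges are made up for illustration.
"""
from collections import deque

# Constructed sample data. Tuples are (source, edge type, target) and follow
# BloodHound's edge semantics: "WS01 HasSession BOB" means BOB has a logon
# session on WS01, so an admin on WS01 can take over BOB.
EDGES = [
    ("ALICE@CORP.LOCAL",        "MemberOf",   "HELPDESK@CORP.LOCAL"),
    ("HELPDESK@CORP.LOCAL",     "AdminTo",    "WS01.CORP.LOCAL"),
    ("WS01.CORP.LOCAL",         "HasSession", "BOB@CORP.LOCAL"),
    ("BOB@CORP.LOCAL",          "MemberOf",   "DOMAIN ADMINS@CORP.LOCAL"),
    ("ALICE@CORP.LOCAL",        "MemberOf",   "DOMAIN USERS@CORP.LOCAL"),
    ("DOMAIN USERS@CORP.LOCAL", "CanRDP",     "WS02.CORP.LOCAL"),
    ("WS02.CORP.LOCAL",         "HasSession", "CAROL@CORP.LOCAL"),
    ("CAROL@CORP.LOCAL",        "GenericAll", "SRV01.CORP.LOCAL"),
]
DOMAIN_ADMINS = "DOMAIN ADMINS@CORP.LOCAL"

# The same question as a Cypher query against BloodHound's Neo4j database:
#   MATCH p = shortestPath((u:User {name:"ALICE@CORP.LOCAL"})-[*1..]->
#                          (g:Group {name:"DOMAIN ADMINS@CORP.LOCAL"}))
#   RETURN p


def build_graph(edges):
    """Adjacency list: node -> [(edge type, neighbour), ...]."""
    graph = {}
    for src, rel, dst in edges:
        graph.setdefault(src, []).append((rel, dst))
        graph.setdefault(dst, [])
    return graph


def shortest_path(graph, start, target):
    """Breadth-first search. Returns the hops [(src, rel, dst), ...] of one
    shortest path, [] if start == target, or None if target is unreachable."""
    if start == target:
        return []
    parent = {start: None}
    queue = deque([start])
    while queue:
        node = queue.popleft()
        for rel, nxt in graph.get(node, []):
            if nxt in parent:
                continue
            parent[nxt] = (node, rel)
            if nxt == target:
                hops, cur = [], nxt
                while parent[cur] is not None:
                    prev, r = parent[cur]
                    hops.append((prev, r, cur))
                    cur = prev
                return hops[::-1]
            queue.append(nxt)
    return None


def principals_reaching(graph, target):
    """Every node with some path to target, via BFS over reversed edges
    (the defender's view: who can become Domain Admin at all?)."""
    reverse = {}
    for src, neighbours in graph.items():
        for _rel, dst in neighbours:
            reverse.setdefault(dst, []).append(src)
    seen, queue = {target}, deque([target])
    while queue:
        node = queue.popleft()
        for pred in reverse.get(node, []):
            if pred not in seen:
                seen.add(pred)
                queue.append(pred)
    seen.discard(target)
    return sorted(seen)


def reachable_high_value(graph, owned, high_value):
    """Mirror BloodHound's "owned" / "high value" marking: for each high value
    target return the shortest path from any owned principal, if one exists."""
    result = {}
    for hvt in high_value:
        best = None
        for principal in owned:
            path = shortest_path(graph, principal, hvt)
            if path is not None and (best is None or len(path) < len(best)):
                best = path
        if best is not None:
            result[hvt] = best
    return result


def format_path(hops):
    """Render hops as 'A -[Rel]-> B -[Rel]-> C' for a report."""
    if not hops:
        return ""
    return hops[0][0] + "".join(f" -[{rel}]-> {dst}" for _src, rel, dst in hops)


GRAPH = build_graph(EDGES)

if __name__ == "__main__":
    print(format_path(shortest_path(GRAPH, "ALICE@CORP.LOCAL", DOMAIN_ADMINS)))
    print("can reach Domain Admins:", principals_reaching(GRAPH, DOMAIN_ADMINS))
    hits = reachable_high_value(GRAPH, {"ALICE@CORP.LOCAL"}, {DOMAIN_ADMINS, "SRV01.CORP.LOCAL"})
    for hvt, hops in hits.items():
        print(f"{hvt}: {len(hops)} hops")
```

On this data ALICE reaches Domain Admins in four hops (group membership, local admin on WS01, BOB's session there, BOB's membership in Domain Admins), while CAROL cannot reach them at all. The reverse traversal in `principals_reaching` is the query a defender wants: every principal and computer from which Domain Admins is reachable is a candidate for cleanup, regardless of which one an attacker happens to start from.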

About a Connection Between Two Data Points

Where Is “BloodHound” Used?

The tool is not only used for red teaming: network administrators and blue teams can use BloodHound just as well to find and remove dangerous relationships in their own Active Directory environment, such as excessive group memberships, unnecessary local administrator rights or over-permissive ACLs, before an attacker does.

Conclusion

In summary, it is worth noting that the tool is indispensable for any red team operation. Information can be gathered quickly and the “attacker” always knows where they are in the network and can carefully plan their next steps.

If you need advice or support in securing your Active Directory environment, please do not hesitate to contact the Oneconsult team.

Philipp Löw

Author

Philipp Löw graduated with a BSc. BIT degree in Business Information Systems from the Munich University of Applied Sciences in February 2021. Since March 2021, he has been enrolled in the master’s program in IT security, also at the Munich University of Applied Sciences. During his bachelor studies, Philipp Löw worked for a Munich-based software service provider and in research, where he focused on the detection of Indicators of Compromise. Since October 2021, Philipp Löw has been employed as a working student at Oneconsult Deutschland AG.
