A Red Teamer’s Guide to GPOs and OUs

  Intro: Active Directory is a vast, complicated landscape comprised of users, computers, and groups, and the complex, intertwining permissions and privileges that connect them. The initial release of BloodHound focused on the concept of derivative local admin, then BloodHound…

BloodHound 1.3 – The ACL Attack Path Update

  Intro & Background: In 2014, Emmanuel Gras and Lucas Bouillot presented their work titled “Chemins de contrôle en environnement Active Directory” (“Active Directory Control Paths”) at the Symposium sur la sécurité des technologies de l’information et des communications (Symposium…

Introducing BloodHound

  Intro & Background: In February of this year, I posted a proof-of-concept script called “PowerPath” which combined Will Schroeder’s PowerView, Justin Warner’s concept of derivative local admin, graph theory, and Jim Truher’s (@jwtruher) PowerShell implementation of Dijkstra’s Algorithm to…

Automated Derivative Administrator Search

  Intro: Active Directory Domain escalation is an important part of most penetration tests and red team engagements. While gaining domain/enterprise administrator rights is not the end goal of an assessment, it often makes achieving test objectives much easier. A typical domain…