BloodHound / SharpHound Enumeration
Collect AD objects, sessions, and ACLs to discover attack paths to high-value targets.
§ Where this technique fits
AD-BLOODHOUND is catalogued under the Discovery tactic of the offensive-security kill-chain. It appears in 12 approved dossiers in the registry, at step 3.8 on average.
§ Dossiers chaining this technique
- step 1 / 5 · LAPS read → local admin on every endpoint
A delegated 'helpdesk' group gains read access to ms-Mcs-AdmPwd. Compromising any member of that group cascades to local admin on every LAPS-managed machine.
- step 1 / 7 · Unconstrained delegation → Capture DC TGT → DCSync
Compromise a host with TRUSTED_FOR_DELEGATION, coerce a DC to authenticate to it, harvest the DC's TGT from its LSASS, then DCSync.
- step 2 / 5 · GPO write rights → Immediate scheduled task → SYSTEM on OU
GenericWrite on a linked GPO (or write rights to its SYSVOL folder) lets you drop a ScheduledTasks.xml that fires as SYSTEM on every machine in the OU at the next gpupdate.
- step 2 / 6 · WriteDACL on a privileged user → ForceChangePassword → takeover
Discover a misconfigured ACL that lets a low-priv user modify the ACL of a Tier-0 account, grant ForceChangePassword to themselves, reset the victim's password, and log in.
- step 2 / 5 · GenericWrite on Domain Admins → AddMember → DA
A misconfigured 'member' attribute write on a privileged group lets the attacker silently add themselves as a Domain Admin.
- step 4 / 6 · Leaked legacy VPN credential → ransomware (Colonial-class)
A dormant VPN account whose password appeared in a third-party breach is still active and has no MFA enforced. Sign in, recon AD, deploy ransomware across the estate.
- step 5 / 5 · Group Policy Preferences cpassword → user takeover
Pre-MS14-025 GPPs left cpassword-encrypted credentials in SYSVOL with a published AES key. Any authenticated user can decrypt them.
- step 5 / 5 · SCCM Network Access Account disclosure → privileged creds
Any authenticated user on a SCCM-managed endpoint can recover the Network Access Account credentials from WMI / client cache — and the NAA is usually over-privileged.
- step 6 / 6 · SNMPv2c write-community → router config exfil → cred sprays
Find a router with 'private' RW community. Trigger SNMP-to-TFTP config download to attacker host. The config has RADIUS shared secret, AAA server IP, ISAKMP PSKs, and SSH user-pubkeys — spray harvested creds.
- step 6 / 6 · Citrix Bleed → steal authenticated session → MFA bypass
Send a long Host header to a vulnerable NetScaler — memory disclosure leaks an authenticated session token already past MFA. Replay the token to log into the corporate VPN.
- step 6 / 8 · No creds → Domain Admin via LLMNR poisoning and NTLM relay
Unauthenticated attacker on the LAN poisons name resolution, relays the captured NetNTLMv2 to a host with SMB signing disabled, then escalates to Domain Admin.
- step 6 / 6 · RODC compromise → cracked NT hashes of revealed accounts
A Read-Only Domain Controller stores password material only for principals on its msDS-RevealedList. Compromising the RODC and cracking those hashes gives you access as the corresponding users.
§ What commonly comes next
- 01 · Valid Accounts (seen 2×) · T1078 · Initial Access
- 02 · WriteDACL (seen 2×) · AD-DACL-WRITEDACL · Privilege Escalation
- 03 · AddMember (WriteProperty on member) (seen 1×) · AD-DACL-ADDMEMBER · Privilege Escalation
- 04 · GPO Immediate Scheduled Task (seen 1×) · AD-GPO-IMMEDIATE · Privilege Escalation
- 05 · Pass the Hash (seen 1×) · T1550.002 · Lateral Movement