Files
Anthropic-Cybersecurity-Skills/skills/exploiting-active-directory-with-bloodhound/SKILL.md
T
mukul975 cb8d79e068 Map all 754 skills to MITRE ATT&CK v19.1
- Add validated mitre_attack frontmatter to all 754 skills (286 distinct
  techniques), verified against MITRE ATT&CK v19.1 via the official
  mitreattack-python library: 0 revoked, deprecated, or invalid IDs
- Curate precise per-skill technique IDs for forensics, malware-analysis,
  threat-intel, and red-team skills (e.g. DCSync -> T1003.006,
  Kerberoasting -> T1558.003, Pass-the-Ticket -> T1550.003)
- Reconcile v19.1 tactic restructuring: Defense Evasion split into
  Stealth (TA0005) and Defense Impairment (TA0112); revoked T1562.*
  family and T1070.001/.002 remapped to active equivalents (T1685.*)
- Normalize word-split tags across 35 skills (remove filename-derived
  stopword tags, add semantic cybersecurity tags)
- Add api-reference.md for 3 skills that were missing it
- Update README ATT&CK section with accurate v19.1 tactic distribution
2026-06-01 12:13:29 +02:00

5.0 KiB

name, description, domain, subdomain, tags, version, author, license, d3fend_techniques, nist_csf, mitre_attack
name description domain subdomain tags version author license d3fend_techniques nist_csf mitre_attack
exploiting-active-directory-with-bloodhound BloodHound is a graph-based Active Directory reconnaissance tool that uses graph theory to reveal hidden and unintended relationships within AD environments. Red teams use BloodHound to identify attac cybersecurity red-teaming
red-team
adversary-simulation
mitre-attack
exploitation
post-exploitation
active-directory
bloodhound
1.0 mahipal Apache-2.0
Restore Access
Password Authentication
Biometric Authentication
Strong Password Policy
Restore User Account Access
ID.RA-01
GV.OV-02
DE.AE-07
T1595
T1190
T1059
T1078
T1592

Exploiting Active Directory with BloodHound

Legal Notice: This skill is for authorized security testing and educational purposes only. Unauthorized use against systems you do not own or have written permission to test is illegal and may violate computer fraud laws.

Overview

BloodHound is a graph-based Active Directory reconnaissance tool that uses graph theory to reveal hidden and unintended relationships within AD environments. Red teams use BloodHound to identify attack paths from compromised accounts to high-value targets such as Domain Admins, identifying privilege escalation chains that would be nearly impossible to find manually. SharpHound is the official data collector that gathers AD objects, relationships, ACLs, sessions, and group memberships.

When to Use

  • When performing authorized security testing that involves exploiting active directory with bloodhound
  • When analyzing malware samples or attack artifacts in a controlled environment
  • When conducting red team exercises or penetration testing engagements
  • When building detection capabilities based on offensive technique understanding

Prerequisites

  • Familiarity with red teaming concepts and tools
  • Access to a test or lab environment for safe execution
  • Python 3.8+ with required dependencies installed
  • Appropriate authorization for any testing activities

Objectives

  • Collect Active Directory relationship data using SharpHound or BloodHound.py
  • Visualize attack paths from compromised accounts to Domain Admin
  • Identify misconfigured ACLs, group memberships, and delegation settings
  • Discover shortest attack paths to high-value targets
  • Map Kerberos delegation configurations for abuse
  • Document all identified privilege escalation chains

MITRE ATT&CK Mapping

  • T1087.002 - Account Discovery: Domain Account
  • T1069.002 - Permission Groups Discovery: Domain Groups
  • T1482 - Domain Trust Discovery
  • T1615 - Group Policy Discovery
  • T1018 - Remote System Discovery
  • T1033 - System Owner/User Discovery
  • T1016 - System Network Configuration Discovery

Workflow

Phase 1: Data Collection with SharpHound

  1. Transfer SharpHound collector to compromised host
  2. Execute collection with appropriate method (All, DCOnly, Session, LoggedOn)
  3. Collect from all reachable domains if multi-domain environment
  4. Exfiltrate ZIP data files to analysis workstation
  5. Import data into BloodHound CE or Legacy

Phase 2: Attack Path Analysis

  1. Mark owned principals (compromised accounts)
  2. Query shortest path to Domain Admins
  3. Identify Kerberoastable accounts with admin privileges
  4. Find AS-REP Roastable accounts
  5. Analyze ACL-based attack paths (GenericAll, GenericWrite, WriteDACL, ForceChangePassword)
  6. Review GPO abuse opportunities

Phase 3: Exploitation Planning

  1. Prioritize attack paths by complexity and stealth
  2. Identify required tools for each step in the chain
  3. Plan OPSEC considerations for each technique
  4. Execute identified attack chain
  5. Document evidence at each step

Tools and Resources

Tool Purpose Platform
BloodHound CE Graph visualization and analysis Web-based
SharpHound AD data collection (.NET) Windows
BloodHound.py AD data collection (Python) Linux/Windows
Cypher queries Custom graph queries Neo4j/BloodHound
PlumHound Automated BloodHound reporting Python
Max (BloodHound) BloodHound automation Python

Key BloodHound Queries

Query Purpose
Shortest Path to Domain Admins Find fastest route to DA
Find Kerberoastable Users with Path to DA SPN accounts leading to DA
Find AS-REP Roastable Users Accounts without pre-auth
Shortest Path from Owned Principals Paths from compromised accounts
Find Computers with Unsupported OS Legacy systems for exploitation
Find Users with DCSync Rights Accounts that can replicate AD
Find GPOs that Modify Local Group Membership GPO-based privilege escalation

Validation Criteria

  • SharpHound data collected from all domains
  • Attack paths identified from owned accounts to DA
  • ACL-based attack paths documented
  • Kerberoastable and AS-REP roastable accounts identified
  • Exploitation plan created with prioritized paths
  • Evidence screenshots captured for report