BloodHound Analysis Report Template
Engagement Details
| Field |
Value |
| Engagement ID |
[ID] |
| Domain |
[domain.local] |
| Collection Date |
YYYY-MM-DD |
| Collector |
SharpHound v2.x |
| Analyst |
[Name] |
Domain Statistics
| Metric |
Count |
| Users |
XXX |
| Enabled Users |
XXX |
| Computers |
XXX |
| Groups |
XXX |
| Domain Admins |
XX |
| OUs |
XX |
| GPOs |
XX |
| Trusts |
XX |
High-Risk Findings Summary
| # |
Finding |
Severity |
Count |
MITRE |
| 1 |
Kerberoastable Accounts |
Critical |
XX |
T1558.003 |
| 2 |
Unconstrained Delegation (non-DC) |
Critical |
XX |
T1558.001 |
| 3 |
AS-REP Roastable Accounts |
High |
XX |
T1558.004 |
| 4 |
Constrained Delegation Abuse |
High |
XX |
T1550.003 |
| 5 |
Excessive ACL Permissions |
High |
XX |
T1484 |
| 6 |
Domain Users = Local Admin |
High |
XX |
T1078.002 |
| 7 |
Stale Admin Sessions |
Medium |
XX |
T1550.002 |
Attack Paths Identified
Path 1: Kerberoasting to Domain Admin
Feasibility: High - Service account uses weak password
Detection Risk: Low - Kerberoasting generates minimal logs by default
Path 2: ACL Abuse Chain
Feasibility: Medium - Requires interaction with target account
Detection Risk: Medium - Password reset generates Event ID 4724
Path 3: Delegation Abuse
Feasibility: High - Unconstrained delegation on non-DC
Detection Risk: High - PetitPotam coercion may trigger alerts
Kerberoastable Accounts
Unconstrained Delegation
| Computer |
OS |
Domain Controller |
Risk |
| WEB01.CORP.LOCAL |
Server 2019 |
No |
Critical |
| PRINT01.CORP.LOCAL |
Server 2016 |
No |
Critical |
ACL Misconfigurations
Remediation Priorities
Immediate (0-7 days)
- Remove unconstrained delegation from WEB01, PRINT01
- Reset passwords on Kerberoastable privileged accounts (25+ chars)
- Remove GenericAll permission from HELPDESK on IT_ADMINS
Short-Term (7-30 days)
- Migrate service accounts to Group Managed Service Accounts (gMSA)
- Enable AES-only Kerberos encryption for service accounts
- Add privileged accounts to Protected Users group
- Implement LAPS for local administrator passwords
Long-Term (30-90 days)
- Implement Active Directory Tier Model
- Deploy Privileged Access Workstations (PAWs)
- Enable Advanced Audit Policy for Kerberos events
- Conduct quarterly BloodHound assessments