Finding Our Path: How We're Trying to Improve Active Directory Security

Conference:  BlackHat USA 2019



BloodHound is a tool that helps organizations identify and mitigate security risks in their Active Directory environments.
  • It analyzes shortest attack paths to provide insights into potential vulnerabilities
  • It can also identify Kerberos misconfigurations that could be exploited by attackers
  • BloodHound can significantly reduce the time and effort required to identify and address security risks in large and complex environments

BloodHound was created to address the challenge of getting domain admin in a massive organization with thousands of endpoints. Using BloodHound, the organization was able to identify a path that went through seven different domains to compromise the forest root in just 48 hours, compared to one week to get domain admin in a single domain. This illustrates the power of BloodHound in identifying and mitigating security risks in complex environments.


As the dominant directory service solution, Active Directory persists as the crucial backbone of identity, authentication, and security for organizations of all sizes. Over time, nearly every Active Directory environment becomes an unwieldy, complex, and dynamic web of operating systems, user behaviors, and configurations. Historically, understanding the implications of any one user logon or configuration has taken hours -- understanding the implications of millions of user logons and configurations was almost impossible.

In this talk, we will share our success stories, lessons learned, and methodologies for enumerating, understanding, and mitigating the risks posed by disparate user behaviors and configurations. Whether your network has 50, 5,000, or 500,000 computers joined to Active Directory, you’ll walk away from this talk knowing how to greatly enhance your organization’s Active Directory security posture in days or weeks, not years. We will also demonstrate several attack primitives that are newly tracked by BloodHound, including Resource-Based Constrained Delegation.


