Bloodhound is a super great tool and now with OpenGraph you can pull in identity data from other sources like Okta and GitHub.
But it can be slightly cumbersome to set up and use, so here’s an alternative.
Ethical Threat Insight: Find AD Attack Paths Without Bloodhound
There’s an easier way to find attack paths in Active Directory than using Bloodhound.
It requires no installation and no docker.
How?
By using ADeleg/ADeleginator + PingCastle. All of which are free and open source.
ADeleg allows you to view all non-default delegations in Active Directory. It’s a simple binary, you just download it and run it.

ADeleginator is a wrapper I wrote for ADeleg that finds many common insecure delegations, for example when Everyone has FullControl over the root of the domain.

PingCastle has a Control Paths section that’s similar to a Bloodhound graph. This is a lesser known but really awesome feature.

Between ADeleg/ADeleginator + PingCastle you can get data similar to Bloodhound’s in a fraction of the time and with fewer headaches.
It’s not going to find everything Bloodhound does, but it will help you identify low hanging fruit.
That makes a first pass at eliminating insecure permissions a huge win for you.
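As an added illustration of the kind of finding ADeleginator reports (the Everyone-has-FullControl case above), here is a small PowerShell check of my own, not code from ADeleg, ADeleginator or PingCastle. It assumes the ActiveDirectory RSAT module and a domain-joined, authenticated session, and flags well-known broad principals that hold control rights on the domain head.

```powershell
# Added example (not ADeleginator's code): flag overly broad control rights on the domain root.
# Assumes the ActiveDirectory PowerShell module (RSAT) and a domain-joined, authenticated session.
Import-Module ActiveDirectory

# Well-known SIDs that should never hold control rights on the domain head.
$BroadPrincipals = @{
    'S-1-1-0'      = 'Everyone'
    'S-1-5-11'     = 'Authenticated Users'
    'S-1-5-32-545' = 'Users'
    'S-1-5-7'      = 'Anonymous Logon'
}
# Rights that amount to control of the object, or of who controls it.
$ControlRights = [System.DirectoryServices.ActiveDirectoryRights]'GenericAll, WriteDacl, WriteOwner'

$domainDN = (Get-ADDomain).DistinguishedName
$acl = Get-Acl -Path "AD:\$domainDN"

$findings = foreach ($ace in $acl.Access) {
    if ($ace.AccessControlType -ne 'Allow') { continue }
    # Resolve the ACE principal to a SID so localized group names do not matter.
    try {
        $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value
    } catch { continue }
    if (-not $BroadPrincipals.ContainsKey($sid)) { continue }
    if (([int]$ace.ActiveDirectoryRights -band [int]$ControlRights) -eq 0) { continue }
    [pscustomobject]@{
        Principal = $BroadPrincipals[$sid]
        Rights    = $ace.ActiveDirectoryRights
        Inherited = $ace.IsInherited
        AppliesTo = $ace.InheritanceType
    }
}

if ($findings) {
    Write-Warning "Broad principals hold control rights on $domainDN"
    $findings | Format-Table -AutoSize
} else {
    Write-Host "No Everyone/Authenticated Users/Users control rights found on $domainDN"
}
```

Any row this prints is a delegation worth reviewing and, in almost every environment, removing; ADeleginator covers many more patterns than this single object.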
I highly recommend doing this on a regular basis if you’re not already.
My teammate Tyler and I talked more about ADeleg in a recent podcast, check it out.
All the best
Spencer Alessi
PS - if you’d like a second pair of eyes on your Active Directory, reply to this email and we can set up a call. I’m beginning to book into Q3/Q4 as we speak. I’d love the opportunity to work with you! 🙏
