The shift that finally made Active Directory click: in AD, the vulnerabilities aren't bugs, they're relationships. No single object is "broken." The whole domain is one enormous pile of trust, and somewhere in that pile is a path from a nobody account to Domain Admin.
BloodHound makes the pile legible. You collect the data (users, groups, sessions, ACLs, who-can-do-what-to-whom), feed it in, and it draws the graph. Then you ask the only question that matters: what is the shortest path from what I have to what I want?
```cypher
// Shortest path from any node marked owned to the Domain Admins group.
// Replace <DOMAIN.FQDN> with your domain as BloodHound names it (upper case).
MATCH p = shortestPath(
  (n {owned:true})-[*1..]->(m:Group {name:'DOMAIN ADMINS@<DOMAIN.FQDN>'})
)
RETURN p
```
What the graph teaches you:
- Privilege is transitive. This user can be impersonated by that service; that service runs as an account that can reset a third user's password; that user is in a group with rights nobody remembers granting. Each hop is mundane. The chain is fatal.
- The path is shorter than anyone wants it to be. On GOAD (the Game of Active Directory lab) the route to DA is rarely more than a few hops.
- Defenders see nodes; attackers see edges. The org has an org chart. You have a directed graph of who can compromise whom.
Once you see the edges instead of the boxes, a haunted house turns into a map.
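As an added example (not from the original post), the same shortest-path question run over a constructed toy edge list in BloodHound's relationship vocabulary, plus the defender's follow-up: which single edges are choke points whose removal breaks every path to Domain Admins. The domain TOY.LOCAL and all of its objects are made up.

```python
from collections import deque

# Constructed toy edges (src, relationship, dst) in BloodHound's vocabulary.
# Hypothetical domain TOY.LOCAL; not data from any real environment.
EDGES = [
    ("BOB@TOY.LOCAL",          "MemberOf",            "HELPDESK@TOY.LOCAL"),
    ("HELPDESK@TOY.LOCAL",     "ForceChangePassword", "SVC_BACKUP@TOY.LOCAL"),
    ("SVC_BACKUP@TOY.LOCAL",   "GenericAll",          "IT-ADMINS@TOY.LOCAL"),
    ("IT-ADMINS@TOY.LOCAL",    "MemberOf",            "DOMAIN ADMINS@TOY.LOCAL"),
    ("BOB@TOY.LOCAL",          "MemberOf",            "DOMAIN USERS@TOY.LOCAL"),
    ("DOMAIN USERS@TOY.LOCAL", "CanRDP",              "WS01.TOY.LOCAL"),
    ("WS01.TOY.LOCAL",         "HasSession",          "SVC_BACKUP@TOY.LOCAL"),
]

def build_graph(edges):
    """Adjacency list: node -> [(relationship, next_node), ...]."""
    graph = {}
    for src, rel, dst in edges:
        graph.setdefault(src, []).append((rel, dst))
    return graph

def shortest_path(graph, start, target):
    """BFS over directed edges; returns [(src, rel, dst), ...] with the fewest
    hops from start to target, or None if target is unreachable."""
    prev = {start: None}
    queue = deque([start])
    while queue:
        node = queue.popleft()
        if node == target:
            break
        for rel, nxt in graph.get(node, []):
            if nxt not in prev:          # first visit = shortest in hops
                prev[nxt] = (node, rel)
                queue.append(nxt)
    if target not in prev:
        return None
    path, cur = [], target
    while prev[cur] is not None:         # walk back from target to start
        node, rel = prev[cur]
        path.append((node, rel, cur))
        cur = node
    return path[::-1]

def choke_points(edges, owned, target):
    """Edges whose removal alone disconnects owned from target. Note that
    not every edge on the shortest path is one: a parallel route may exist."""
    cuts = []
    for i, edge in enumerate(edges):
        rest = edges[:i] + edges[i + 1:]
        if shortest_path(build_graph(rest), owned, target) is None:
            cuts.append(edge)
    return cuts
```

Removing the first hop off the shortest path only reroutes the attacker through the RDP/session edges; the two GenericAll/MemberOf edges near Domain Admins are the ones whose cleanup actually closes the path.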