PlumHound – BloodHoundAD Report Engine for Security Teams
Released as a proof of concept for blue and purple teams, PlumHound helps them use BloodHoundAD more effectively in continual security life-cycles by turning the BloodHoundAD pathfinding engine on Active Directory security vulnerabilities that result from business operations, procedures, policies, and legacy service operations.
PlumHound works by wrapping Cypher queries against BloodHoundAD's Neo4j graph database backend into operations-consumable reports. Analyzing PlumHound's output can steer security teams toward identifying and hardening common Active Directory configuration vulnerabilities and oversights.
Background
A client of ours working on hardening their Active Directory infrastructure asked us about the vulnerabilities that can be found using BloodHound. They had heard how effective BloodHoundAD is in a red team's hands and were told that BloodHound would identify all types of security misalignments and misconfigurations in their Active Directory environment. We helped them analyze their BloodHound dataset, and it quickly became evident that BloodHoundAD's pathfinding graph database was not designed for the fast-paced analytical security team accustomed to reading reports and action items.
In fact, one of our Cypher queries determined that 96% of their 3000 users had a path to Domain Admin with an average of just 4 steps. However, that graph query rendered over 10,000 paths to Domain Admin. Finding the actual cause of the short paths to DA wasn't as easy as just loading data into BloodHound or putting Cobalt Strike on Auto-Pilot with BloodHound Navigation.
Hence, PlumHound was created out of a need to retrieve consumable data from BloodHoundAD's pathfinding engine: data that lends itself to inferring actionable work for security teams hardening their environments.
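As an added example (not PlumHound's own code, nor a query shipped by the project), here is a small Python script that sends one Cypher query of the kind described above to BloodHound's Neo4j database and reduces the per-user result to the two headline numbers mentioned in the text (the share of users with a path to Domain Admin and the average path length), plus a ranked list of the shortest paths, which is the kind of operations-consumable output this tool aims for. The query, the node properties it assumes (`User`/`Group` labels, an `enabled` flag, an `objectid` ending in the well-known RID `-512`), the `fetch_rows` connection helper and the sample rows are all constructed assumptions rather than anything taken from the page.

```python
"""Summarise "who can reach Domain Admin" from BloodHound data (added example)."""
from __future__ import annotations

from dataclasses import dataclass
from typing import Iterable

# Constructed Cypher query. Assumes the BloodHound legacy schema: nodes labelled
# User/Group with a `name` property, an `enabled` flag on users, and the Domain
# Admins group's `objectid` ending in the well-known RID "-512".
DA_PATH_QUERY = """
MATCH (da:Group) WHERE da.objectid ENDS WITH '-512'
MATCH (u:User)   WHERE u.enabled = true
OPTIONAL MATCH p = shortestPath((u)-[*1..]->(da))
RETURN u.name AS user,
       CASE WHEN p IS NULL THEN -1 ELSE length(p) END AS steps
"""


@dataclass
class PathSummary:
    """Aggregate view of how many users can reach Domain Admin and how quickly."""
    total_users: int
    users_with_path: int
    average_steps: float  # 0.0 when no user has a path

    @property
    def percent_with_path(self) -> float:
        if self.total_users == 0:
            return 0.0
        return 100.0 * self.users_with_path / self.total_users


def summarise(rows: Iterable[dict]) -> PathSummary:
    """Collapse per-user query rows into the headline figures of a report."""
    total = 0
    step_counts: list[int] = []
    for row in rows:
        total += 1
        steps = row.get("steps")
        if steps is not None and steps >= 0:  # -1 / None means "no path found"
            step_counts.append(int(steps))
    average = sum(step_counts) / len(step_counts) if step_counts else 0.0
    return PathSummary(total, len(step_counts), average)


def render_report(rows: Iterable[dict], top: int = 10) -> list[str]:
    """Return report lines with the shortest paths first, so the accounts that
    are fewest hops from DA (the ones to fix first) sit at the top."""
    reachable = [r for r in rows if r.get("steps") is not None and r["steps"] >= 0]
    reachable.sort(key=lambda r: (r["steps"], r["user"]))
    lines = [f"{'steps':>5}  user"]
    for r in reachable[:top]:
        lines.append(f"{r['steps']:>5}  {r['user']}")
    return lines


def fetch_rows(uri: str, user: str, password: str) -> list[dict]:
    """Run DA_PATH_QUERY against a live Neo4j instance (needs `pip install neo4j`).
    The driver is imported lazily so the rest of the module works offline."""
    from neo4j import GraphDatabase

    with GraphDatabase.driver(uri, auth=(user, password)) as driver:
        with driver.session() as session:
            return [record.data() for record in session.run(DA_PATH_QUERY)]


# Constructed sample rows standing in for a real query result.
SAMPLE_ROWS = [
    {"user": "ALICE@CORP.LOCAL", "steps": 2},
    {"user": "BOB@CORP.LOCAL", "steps": 4},
    {"user": "CAROL@CORP.LOCAL", "steps": -1},  # no path to DA
    {"user": "DAVE@CORP.LOCAL", "steps": 6},
    {"user": "SVC_BACKUP@CORP.LOCAL", "steps": 1},
]


if __name__ == "__main__":
    s = summarise(SAMPLE_ROWS)
    print(f"{s.users_with_path}/{s.total_users} users ({s.percent_with_path:.0f}%) "
          f"reach Domain Admin, average {s.average_steps:.1f} steps")
    print("\n".join(render_report(SAMPLE_ROWS)))
```

Against a live database you would replace `SAMPLE_ROWS` with `fetch_rows("bolt://localhost:7687", "neo4j", "<password>")`. Note that the query asks Neo4j for one shortest path per user, which is what keeps the result to one row per account instead of the thousands of rendered paths the graph view produces; with `shortestPath` over an unbounded hop count this can still take a while on a large domain, so bounding the hops (for example `[*1..6]`) is a reasonable first run.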
Sample Reports
The sample reports are from a BadBlood-created AD environment that does not include the user sessions and massive ACLs typical of a larger environment. That is, the reports are a bit bare, but you get the idea. Sample reports are found in the /reports folder. Note that by default this is PlumHound's output location, and it will overwrite reports there if the tasklist file specifies it.
Changelog v1.5.1
- updated presentation links by @Relkci in #39
- task updates by @Relkci in #40
- Correct Typo by @Relkci in #41
- Corrected Outpath by @Relkci in #42
- Updated the driver to the newest version by @en-gato in #44