ShadowHound: Enhancing Active Directory Reconnaissance with a Stealthy and Efficient Ingestor
Abstract
In the realm of offensive security assessments, the need for discreet and effective Active Directory (AD) reconnaissance is paramount. Traditional methods often rely on introducing external binaries, increasing the risk of detection by advanced Endpoint Detection and Response (EDR) systems. ShadowHound emerges as a solution, leveraging native PowerShell functionality and legitimate tools to acquire AD data for BloodHound analysis while minimizing its footprint and evading detection.
Introduction
BloodHound, a widely adopted tool for visualizing AD relationships and identifying potential attack paths, relies on comprehensive data about users, groups, computers, and their intricate connections. Historically, this data has been collected using tools like SharpHound. However, the evolving sophistication of EDR solutions necessitates alternative approaches that prioritize stealth.
ShadowHound addresses this challenge by harnessing the inherent capabilities of PowerShell and legitimate AD tools to gather the necessary data. This approach significantly reduces the risk of detection by avoiding the introduction of suspicious external binaries into the target environment.
Methodology
ShadowHound offers two distinct methods for data acquisition:
-
Active Directory Web Services (ADWS): This method leverages the
Get-ADObject
cmdlet from the Active Directory module, facilitating communication with AD via ADWS over port 9389. This approach capitalizes on the built-in functionality of PowerShell and the AD module, blending seamlessly into the environment. -
Lightweight Directory Access Protocol (LDAP): This method employs the
DirectorySearcher
class to execute direct LDAP queries against the AD domain controller. By utilizing this native functionality, ShadowHound avoids relying on external tools, minimizing its footprint and reducing the likelihood of triggering alerts.
Advantages of ShadowHound
-
Evasion of EDR Detection: By utilizing native PowerShell and legitimate tools, ShadowHound effectively minimizes its footprint and avoids triggering alerts from EDR solutions that commonly flag known malicious binaries.
-
Scalability for Large Domains: ShadowHound exhibits robust performance in large AD environments, overcoming connectivity challenges that can hinder alternative tools like ADExplorer. This ensures efficient and reliable data collection even in complex network topologies.
-
Circumventing Defender for Identity: ShadowHound employs carefully selected LDAP filters, such as
(objectGuid=*)
, which are less prone to triggering alerts in Microsoft Defender for Identity, a security solution specifically designed to monitor AD activity. -
Integration with pyLdapSearch: ShadowHound functions as a post-processing script, converting its output to a format compatible with
pyLdapSearch
, a versatile tool for LDAP reconnaissance. This integration empowers security professionals with advanced analysis capabilities without requiring Python to be installed on the target system.
Conclusion
ShadowHound represents a significant advancement in AD reconnaissance, providing a stealthy and efficient solution for gathering critical data for BloodHound analysis. By leveraging native PowerShell functionality and carefully crafted LDAP queries, ShadowHound empowers security professionals to conduct comprehensive assessments while minimizing the risk of detection. This tool proves invaluable in modern environments where evading advanced security measures is essential for successful offensive security engagements.
ShadowHound is open source on Github.