ADPathFinder: OpenGraph Attack Path Mapping in BloodHound CE

ADPathFinder: OpenGraph Attack Path Mapping in BloodHound CE
ADPathFinder maps privilege escalation and attack paths across BloodHound, ADCS, MSSQL, and SCCM data, while also auditing cracked passwords with BloodHound context. It combines SharpHound with OpenGraph collectors like MSSQLHound and ConfigManBearPig to surface cross-dataset findings, then generates HTML, TXT, and JSON reports. #ADPathFinder #BloodHound #SharpHound #MSSQLHound #ConfigManBearPig

Keypoints

  • ADPathFinder maps escalation paths across AD, ADCS, MSSQL, and SCCM using BloodHound graph data.
  • It merges SharpHound with OpenGraph collectors such as MSSQLHound and ConfigManBearPig so multi-dataset paths appear as one finding.
  • Attack path mapping groups users and computers that share the same escalation chain, reducing duplicate findings in large environments.
  • It identifies standalone issues including SMB signing disabled, delegation misconfigurations, WebClient on servers, and multiple ADCS, SCCM, and MSSQL weaknesses.
  • Password auditing uses NTDS dumps and hashcat potfiles to flag blank passwords, reuse, weak patterns, LM hash use, and roastable accounts with cracked passwords.
  • Report output includes HTML, TXT, and JSON, with graphs, PowerShell validation commands, severity grouping, and password analysis charts.
  • The tool is designed to work with partial data and can be layered with additional collectors as they become available.

MITRE Techniques

  • [T1069 ] Permission Groups Discovery – Uses BloodHound context to tie cracked accounts back to group membership and identify privileged users (‘group membership’).
  • [T1078 ] Valid Accounts – Flags cracked enabled accounts and shows how compromised credentials can be used in escalation paths (‘cracked passwords’ and ‘enabled accounts’).
  • [T1003 ] OS Credential Dumping – Accepts NTDS dumps for password auditing and cracked credential analysis (‘If an NTDS dump and hashcat potfile are provided’).
  • [T1110 ] Brute Force – Notes password spraying across the estate and password reuse/weak password auditing (‘I spray it across the estate’ and ‘password reuse’).
  • [T1210 ] Exploitation of Remote Services – Follows paths through MSSQL, linked servers, and SCCM to reach higher privileges (‘MSSQL_Connect’, ‘MSSQL_LinkedAsAdmin’, and ‘SCCM_AssignAllPermissions’).
  • [T1484.001 ] Domain Policy Modification: Group Policy Modification – References SCCM policy access and privilege paths through management infrastructure (‘anonymous policy access’ and SCCM site permissions).
  • [T1558.003 ] Steal or Forge Kerberos Tickets: Kerberoasting – Identifies Kerberoastable accounts during password auditing (‘Kerberoastable’).
  • [T1558.004 ] Steal or Forge Kerberos Tickets: AS-REP Roasting – Identifies AS-REP roastable accounts during password auditing (‘AS-REP roastable’).
  • [T1021.002 ] Remote Services: SMB/Windows Admin Shares – Highlights SMB signing disabled as a standalone issue on escalation paths (‘SMB signing disabled’).
  • [T1556.004 ] Modify Authentication Process: Network Device Authentication – Mentions NTLM relay-vulnerable servers in MSSQL checks (‘servers vulnerable to NTLM relay’).

Indicators of Compromise

  • [Tool names] collection and reporting tooling used in the assessment – ADPathFinder, BloodHound CE, SharpHound, MSSQLHound, ConfigManBearPig
  • [Hostnames/FQDNs] example path and infrastructure targets in the report – lab-sql01.training.local, sccmdb.training.local
  • [Usernames/Accounts] example principals and service accounts involved in the path – J.REPORTER, j.reporter, ReportSvc, [email protected]
  • [File names] local artifacts referenced for import and password auditing – SharpHound.zip, MSSQLHound.zip, ConfigManBearPig.zip, ntds.txt, hashcat.potfile
  • [URLs/Paths] repository and output locations mentioned in the article – https://github.com/NetSPI/AD-PathFinder.git, report_/


Read more: https://www.netspi.com/blog/technical-blog/network-pentesting/adpathfinder-opengraph-attack-path-mapping-in-bloodhound-ce/