AD Explorer is an Active Directory viewer and editor from Microsoft's Sysinternals suite. The tool can be downloaded from Microsoft's website here: https://learn.microsoft.com/en-us/sysinternals/downloads/adexplorer
AD Explorer can also take a snapshot of the Active Directory database (every object and attribute the connecting account is allowed to read) so that it can be browsed and analysed offline.
To analyse Active Directory attack paths, a BloodHound ingester such as SharpHound is normally used. However, SharpHound is commonly detected by anti-virus products. Based on the BloodHound documentation, this is a known issue:
If you are on the red team side, you can employ some av-bypass strategies to avoid getting caught by AV. One of the best things you can do is stay completely off-disk when running SharpHound. Many command-and-control tools have in-memory .net assembly execution capabilities, such as Cobalt Strike’s execute-assembly and Covenant’s assembly commands. Using these commands will keep SharpHound totally off-disk when run on your target, which will go a very long way toward evading basic AV signatures.
Being a Microsoft-signed executable designed for AD administration rather than nefarious purposes, AD Explorer is not commonly detected by anti-virus products. It is not invisible, though: the snapshot is built from ordinary LDAP queries against a domain controller, so the enumeration is visible to anyone monitoring LDAP traffic or DC logs, and the resulting .dat file is written to disk on the host the snapshot was taken from.
Taking a Snapshot with AD Explorer
To take a snapshot, open the application and connect to a domain controller (the Connect dialog appears on launch; leaving the fields blank connects to the current domain as the current user), then select File > Create Snapshot. There is unfortunately no progress bar to show how long it will take to complete. The snapshot is stored in a .dat file, which can then be copied to the analysis machine.
ADExplorerSnapshot.py
This is a Python script that converts AD Explorer snapshots into data that can be imported into BloodHound. It can be downloaded here: https://github.com/c3c/ADExplorerSnapshot.py
Running the script with the snapshot file as its argument (and -o for the output directory) produces BloodHound-compatible JSON files:
python3 ADExplorerSnapshot.py snapshot.dat -o /tmp/OUTPUT
[*] Server: CHDC01.cloudhopper.co.uk
[*] Time of snapshot: 2023-12-03T14:35:45
[*] Mapping offset: 0x2c0df4
[*] Object count: 3738
[+] Parsing properties: 1499
[+] Parsing classes: 269
[+] Parsing object offsets: 3738
[+] Restored pre-processed information from data cache
[+] Collecting data: 12 users, 53 groups, 7 computers, 33 certtemplates, 1 CAs, 0 trusts
[+] Output written to CHDC01.cloudhopper.co.uk_1701614145_*.json files
ls /tmp/OUTPUT
CHDC01.cloudhopper.co.uk_1701614145_cert_bh.json CHDC01.cloudhopper.co.uk_1701614145_domains.json
CHDC01.cloudhopper.co.uk_1701614145_cert_ly4k_cas.json CHDC01.cloudhopper.co.uk_1701614145_groups.json
CHDC01.cloudhopper.co.uk_1701614145_cert_ly4k_tpls.json CHDC01.cloudhopper.co.uk_1701614145_users.json
CHDC01.cloudhopper.co.uk_1701614145_computers.json
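Before importing those files into BloodHound it is worth doing a quick offline pass over them, since the most common findings (an account with an SPN that is also highly privileged, for instance) need no graph database at all. The Python below is an added example for this post, not code from ADExplorerSnapshot.py, BloodHound or Adalanche. It loads the *_users.json and *_groups.json files written by the -o directory, walks nested group membership (including primary groups, which AD does not record in the group's member attribute), and reports enabled accounts that carry an SPN and reach a privileged group. It assumes the BloodHound v4 JSON layout (Properties.hasspn, serviceprincipalnames and enabled on users, PrimaryGroupSID, and a Members list on groups); the EXAMPLE.LOCAL domain, SIDs and accounts in the SAMPLE_* data are constructed for the demonstration, and the set of groups treated as privileged is a choice, not a BloodHound definition.

```python
"""Offline triage of the BloodHound JSON written by ADExplorerSnapshot.py.
Added example for this post, not code from ADExplorerSnapshot.py, BloodHound or Adalanche.
Assumes the BloodHound v4 layout: users carry Properties.hasspn, serviceprincipalnames
and enabled plus PrimaryGroupSID; groups carry a Members list."""
import glob, json, os, sys
from collections import defaultdict, deque

# Privileged groups (our choice): domain groups matched on well-known RID, BUILTIN groups
# on the full SID, because BloodHound prefixes those with the domain (CORP.LOCAL-S-1-5-32-544).
PRIVILEGED_SUFFIXES = {"-512": "Domain Admins", "-519": "Enterprise Admins",
                       "S-1-5-32-544": "Administrators", "S-1-5-32-551": "Backup Operators"}

def privileged_name(sid):
    """Well-known name if `sid` is a privileged group, else None."""
    return next((n for s, n in PRIVILEGED_SUFFIXES.items() if sid.endswith(s)), None)

def collect_objects(blobs):
    """Split parsed BloodHound JSON documents into user and group lists by meta.type."""
    users, groups = [], []
    for blob in blobs:
        kind = blob.get("meta", {}).get("type")
        if kind == "users":
            users.extend(blob["data"])
        elif kind == "groups":
            groups.extend(blob["data"])
    return users, groups

def load_bloodhound_dir(directory):
    """Load every *.json from the -o directory of ADExplorerSnapshot.py."""
    blobs = []
    for path in sorted(glob.glob(os.path.join(directory, "*.json"))):
        with open(path, encoding="utf-8") as fh:
            blobs.append(json.load(fh))
    return collect_objects(blobs)

def transitive_members(groups, users):
    """Group SID -> user SIDs reaching it through nested groups or as primary group."""
    direct = defaultdict(set)  # group SID -> directly contained SIDs (users or groups)
    for g in groups:
        for m in g.get("Members", []):
            direct[g["ObjectIdentifier"]].add(m["ObjectIdentifier"])
    for u in users:  # AD keeps primary-group membership out of the group's member attribute
        if u.get("PrimaryGroupSID"):
            direct[u["PrimaryGroupSID"]].add(u["ObjectIdentifier"])
    user_sids, reach = {u["ObjectIdentifier"] for u in users}, {}
    for gid in direct:
        seen, queue, members = {gid}, deque([gid]), set()
        while queue:  # breadth-first walk; `seen` stops group nesting cycles
            for m in direct.get(queue.popleft(), ()):
                if m in user_sids:
                    members.add(m)
                elif m not in seen:
                    seen.add(m)
                    queue.append(m)
        reach[gid] = members
    return reach

def kerberoastable_privileged(users, groups):
    """Enabled users with an SPN whose nested group membership is privileged."""
    reach = transitive_members(groups, users)
    names = {g["ObjectIdentifier"]: g["Properties"].get("name", g["ObjectIdentifier"]) for g in groups}
    findings = []
    for u in users:
        p, sid = u.get("Properties", {}), u["ObjectIdentifier"]
        if not p.get("hasspn") or not p.get("enabled", True):
            continue  # nothing to roast, or an account that cannot be used afterwards
        via = sorted(names.get(g, g) for g, mem in reach.items() if sid in mem and privileged_name(g))
        if via:
            findings.append({"user": p.get("name", sid),
                             "spns": p.get("serviceprincipalnames", []), "privileged_via": via})
    return sorted(findings, key=lambda f: f["user"])

# Constructed sample data for the demonstration; not the post's domain.
DOMAIN, DOMAIN_SID = "EXAMPLE.LOCAL", "S-1-5-21-1111111111-2222222222-3333333333"

def _user(name, rid, spns=(), enabled=True):
    return {"ObjectIdentifier": f"{DOMAIN_SID}-{rid}", "PrimaryGroupSID": f"{DOMAIN_SID}-513",
            "Properties": {"name": f"{name}@{DOMAIN}", "enabled": enabled, "hasspn": bool(spns),
                           "serviceprincipalnames": list(spns)}}

def _group(name, sid, members):
    return {"ObjectIdentifier": sid, "Properties": {"name": f"{name}@{DOMAIN}"},
            "Members": [{"ObjectIdentifier": m, "ObjectType": t} for t, m in members]}

SAMPLE_USERS = [
    _user("DAVID", 1104, spns=["MSSQLSvc/db01.example.local:1433"]),  # DA through DBA ADMINS
    _user("CHARLES", 1105),                                           # no SPN
    _user("SVC-BACKUP", 1106, spns=["HTTP/bak01.example.local"], enabled=False),
    _user("SVC-WEB", 1107, spns=["HTTP/web01.example.local"]),        # Domain Users only
]
SAMPLE_GROUPS = [
    _group("DOMAIN ADMINS", f"{DOMAIN_SID}-512", [("Group", f"{DOMAIN_SID}-1201")]),
    _group("DBA ADMINS", f"{DOMAIN_SID}-1201", [("User", f"{DOMAIN_SID}-1104")]),
    _group("BACKUP OPERATORS", f"{DOMAIN}-S-1-5-32-551", [("User", f"{DOMAIN_SID}-1106")]),
]

if __name__ == "__main__":  # pass the -o directory of ADExplorerSnapshot.py, or run the sample
    u, g = load_bloodhound_dir(sys.argv[1]) if len(sys.argv) > 1 else (SAMPLE_USERS, SAMPLE_GROUPS)
    for f in kerberoastable_privileged(u, g):
        print(f"[!] {f['user']} has SPN {f['spns']} and is privileged via {f['privileged_via']}")
```

Run it as python3 triage.py /tmp/OUTPUT against real output; with no argument it runs over the constructed sample, where only DAVID is reported: SVC-BACKUP is excluded because the account is disabled, and SVC-WEB because Domain Users is not a privileged group. The nested-group walk is what makes the check useful in practice: a service account is rarely a direct member of Domain Admins, but is often a member of a team group that is.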
Adalanche
Adalanche is a tool similar to BloodHound that can import AD Explorer snapshots directly, without a conversion step. It can be downloaded from here: https://github.com/lkarlslund/Adalanche. We can import our AD Explorer snapshot using the following command. The collector also tries to read each GPO's files from the domain's SYSVOL share over SMB; the snapshot only contains the directory objects, so when the analysis machine cannot reach SYSVOL (as here) those paths are unreachable and GPO-derived edges will be missing from the results.
./adalanche collect activedirectory --adexplorerfile=./snapshot.dat
14:47:12.947 INFORMA Adalanche Open Source v2023.5.3 (commit aa4c038), (c) 2020-2022 Lars Karlslund, This program comes with ABSOLUTELY NO WARRANTY
14:47:12.948 INFORMA Collecting objects from AD Explorer snapshot ./snapshot.dat ...
14:47:12.948 INFORMA Loading raw AD Explorer snapshot into memory
14:47:12.972 INFORMA Reading header (takes a while) ...
14:47:13.290 INFORMA Collecting group policy files from \\cloudhopper.co.uk\sysvol\cloudhopper.co.uk\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9} ...
14:47:13.290 WARNING Can't access path, aborting this GPO ...
14:47:13.290 INFORMA Collecting group policy files from \\cloudhopper.co.uk\sysvol\cloudhopper.co.uk\Policies\{6AC1786C-016F-11D2-945F-00C04fB984F9} ...
14:47:13.290 WARNING Can't access path, aborting this GPO ...
14:47:13.290 INFORMA Terminating successfully
Next, run the tool in analyze mode to view the results, pointing --datapath at the directory the collect step wrote to:
./adalanche analyze --datapath /home/kali/Tools/data
14:47:57.356 INFORMA Adalanche Open Source v2023.5.3 (commit aa4c038), (c) 2020-2022 Lars Karlslund, This program comes with ABSOLUTELY NO WARRANTY
14:47:57.357 INFORMA Scanning for data files from /home/kali/Tools/data ...
14:47:57.357 INFORMA Will process 1 files
14:47:57.428 INFORMA Loaded 1 files, skipped 0 files
14:47:57.609 INFORMA Loader Active Directory produced 3698 objects in 1 collections
14:47:57.609 INFORMA Loader Group Policy produced 0 objects in 0 collections
14:47:57.609 INFORMA Loader LocalMachine JSON file produced 1 objects in 1 collections
14:47:57.609 INFORMA We produced a total of 3699 objects from /home/kali/Tools/data
14:47:57.847 INFORMA Initiating merge with a total of 3729 objects
14:47:57.847 INFORMA Merging 3729 objects into the object metaverse
14:47:57.929 INFORMA After merge we have 3730 objects in the metaverse (merge eliminated -1 objects)
14:47:57.946 INFORMA We freed 0 objects
14:47:57.947 WARNING Detected 23 orphan objects in final results
14:47:57.947 INFORMA Time to UI done in 590.680663ms
14:47:57.947 INFORMA Listening - navigate to 127.0.0.1:8080 ... (ctrl-c or similar to quit)
14:47:57.948 WARNING Possible hardening? CN=Administrator,CN=Users,DC=cloudhopper,DC=co,DC=uk is a member of CN=Administrators,CN=Builtin,DC=cloudhopper,DC=co,DC=uk, which is not found - adding synthetic group. Your analysis will be degraded, try dumping with Domain Admin rights.
14:47:57.948 WARNING Possible hardening? CN=CHDC01,OU=Domain Controllers,DC=cloudhopper,DC=co,DC=uk is a member of CN=Pre-Windows 2000 Compatible Access,CN=Builtin,DC=cloudhopper,DC=co,DC=uk, which is not found - adding synthetic group. Your analysis will be degraded, try dumping with Domain Admin rights.
14:47:57.949 WARNING Possible hardening? CN=Guest,CN=Users,DC=cloudhopper,DC=co,DC=uk is a member of CN=Guests,CN=Builtin,DC=cloudhopper,DC=co,DC=uk, which is not found - adding synthetic group. Your analysis will be degraded, try dumping with Domain Admin rights.
14:47:57.957 WARNING Possible hardening? CN=Domain Users,CN=Users,DC=cloudhopper,DC=co,DC=uk is a member of CN=Users,CN=Builtin,DC=cloudhopper,DC=co,DC=uk, which is not found - adding synthetic group. Your analysis will be degraded, try dumping with Domain Admin rights.
14:47:57.963 INFORMA Time to analysis completed done in 606.424401ms
14:47:57.963 INFORMA Other: 1392, DomainDNS: 1, DNSNode: 14, DNSZone: 1, User: 12, Group: 80, ForeignSecurityPrincipal: 33, OrganizationalUnit: 2, BuiltinDomain: 1, Container: 300, Computer: 7, GroupPolicyContainer: 2, AttributeSchema: 1499, ClassSchema: 269, ControlAccessRight: 81, CertificateTemplate: 33, PKIEnrollmentService: 1, CertificationAuthority: 3, Machine: 7
14:48:05.352 INFORMA Graph query resulted in 9 nodes
Adalanche will open a web browser with a view similar to BloodHound's.
Right-click on a node and select "Set as route target", then right-click on a compromised node and select "Route to target". A pop-up window appears in the top left showing potential attack paths. In this instance the David account, which is a domain admin, has an SPN set, so Charles (or any other authenticated domain user) can request a service ticket for it and attempt to crack the account's password offline, i.e. Kerberoast it.
In Conclusion
It's worth noting that AD Explorer only collects what is in the directory itself, so some information SharpHound normally gathers from member hosts over SMB/RPC, such as logged-on user sessions and local group membership, will be absent. I've had ADExplorerSnapshot.py fail to parse the output correctly for some domains, so having Adalanche as a backup is a good idea. Although Adalanche is currently not as fully featured as BloodHound, it is in active development.