BloodHound uses graph theory to reveal the hidden and often unintended relationships within an Active Directory environment. Attackers can use BloodHound to easily identify highly complex attack paths that would otherwise be impossible to quickly identify. Defenders can use BloodHound to identify and eliminate those same attack paths. Both blue and red teams can use BloodHound to easily gain a deeper understanding of privilege relationships in an Active Directory environment.
All Domain Admins, Shortest Path to Domain Admins and similar pre-built queries may help us as an attacker to escalate privileges and compromise the entire domain/forest.
Exchange Trusted Subsystem group when on the victim network as user spotless:
offense\spotless is admin to the DC01$ (could use mimikatz to pass the machine account hash to get an elevated shell), where an offense\administrator session is observed (dump lsass or token impersonation for administrator), and this way assume rights of the Exchange Trusted Subsystem group!
net group "domain admins" spotless /add /domain and it is game over:
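The same shortest-path analysis the pre-built queries perform, and the outbound rights of the Exchange Trusted Subsystem group mentioned above, can be pulled straight from the BloodHound Neo4j database so a defender can list and remediate the edges. This is an added example, not from the original page; it assumes the domain FQDN is OFFENSE.LOCAL (the page only shows the NetBIOS name offense) and that node names are upper-cased as BloodHound stores them.

```cypher
// Added example (not from the page). Every principal that has any path into
// Domain Admins, with hop count and the edge types along the path, so each
// unintended edge (GenericAll, WriteDacl, AdminTo, HasSession, ...) can be fixed.
// Assumption: domain FQDN OFFENSE.LOCAL.
MATCH (da:Group {name: "DOMAIN ADMINS@OFFENSE.LOCAL"})
MATCH p = shortestPath((start)-[*1..]->(da))
WHERE NOT start = da
RETURN start.name AS principal,
       length(p) AS hops,
       [r IN relationships(p) | type(r)] AS edges
ORDER BY hops ASC, principal ASC;

// Outbound rights held by the Exchange Trusted Subsystem group: what it is a
// member of and what it controls, which is what an attacker who reaches the
// group inherits. Same FQDN assumption.
MATCH (g:Group {name: "EXCHANGE TRUSTED SUBSYSTEM@OFFENSE.LOCAL"})-[r]->(target)
RETURN type(r) AS edge, labels(target) AS target_type, target.name AS target
ORDER BY edge, target;
```

Run both in the Neo4j browser or the BloodHound raw-query box after the SharpHound data has been ingested; the first query is the one to re-run after each remediation to confirm the path count drops.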