Beyond ACLs Mapping Windows Privilege Escalation Paths with ...

src/windows-hardening/active-directory-methodology/bloodhound.md

@@ -65,29 +65,40 @@ SharpHound.exe --Stealth --LDAP                      # Low noise LDAP only
 
 The collectors generate JSON which is ingested via the BloodHound GUI.
 
----
+### Privilege & logon-right collection
 
-## Prioritising Kerberoasting with BloodHound
+Windows **token privileges** (e.g., `SeBackupPrivilege`, `SeDebugPrivilege`, `SeImpersonatePrivilege`, `SeAssignPrimaryTokenPrivilege`) can bypass DACL checks, so mapping them domain-wide exposes local LPE edges that ACL-only graphs miss. **Logon rights** (`SeInteractiveLogonRight`, `SeRemoteInteractiveLogonRight`, `SeNetworkLogonRight`, `SeServiceLogonRight`, `SeBatchLogonRight` and their `SeDeny*` counterparts) are enforced by LSA before a token even exists, and denies take precedence, so they materially gate lateral movement (RDP/SMB/scheduled task/service logon).
 
-Graph context is vital to avoid noisy, indiscriminate roasting. A lightweight workflow:
+**Run collectors elevated** when possible: UAC creates a filtered token for interactive admins (via `NtFilterToken`), stripping sensitive privileges and marking admin SIDs as deny-only. If you enumerate privileges from a non-elevated shell, high-value privileges will be invisible and BloodHound won’t ingest the edges.
 
-1. **Collect everything once** using an ADWS-compatible collector (e.g. RustHound-CE) so you can work offline and rehearse paths without touching the DC again:
+Two complementary SharpHound collection strategies now exist:
 
-```bash
-rusthound-ce -d corp.local -u svc.collector -p 'Passw0rd!' -c All -z
-```
+- **GPO/SYSVOL parsing (stealthy, low-privilege):**
+  1. Enumerate GPOs over LDAP (`(objectCategory=groupPolicyContainer)`) and read each `gPCFileSysPath`.
+  2. Fetch `MACHINE\Microsoft\Windows NT\SecEdit\GptTmpl.inf` from SYSVOL and parse the `[Privilege Rights]` section that maps privilege/logon-right names to SIDs.
+  3. Resolve GPO links via `gPLink` on OUs/sites/domains, list computers in the linked containers, and attribute the rights to those machines.
+  4. Upside: works with a normal user and is quiet; downside: only sees rights pushed via GPO (local tweaks are missed).
 
-2. **Import the ZIP, mark the compromised principal as owned**, then run built-in queries such as *Kerberoastable Users* and *Shortest Paths to Domain Admins*. This instantly highlights SPN-bearing accounts with useful group memberships (Exchange, IT, tier0 service accounts, etc.).
-3. **Prioritise by blast radius** – focus on SPNs that control shared infrastructure or have admin rights, and check `pwdLastSet`, `lastLogon`, and allowed encryption types before spending cracking cycles.
-4. **Request only the tickets you care about**. Tools like NetExec can target selected `sAMAccountName`s so that each LDAP ROAST request has a clear justification:
+- **LSA RPC enumeration (noisy, accurate):**
+  - From a context with local admin on the target, open the Local Security Policy and call `LsaEnumerateAccountsWithUserRight` for each privilege/logon right to enumerate assigned principals over RPC.
+  - Upside: captures rights set locally or outside GPO; downside: noisy network traffic and admin requirement on every host.
 
-```bash
-netexec ldap dc01.corp.local -u svc.collector -p 'Passw0rd!' --kerberoasting kerberoast.txt --spn svc-sql
-```
+**Example abuse path surfaced by these edges:** `CanRDP` ➜ host where your user also has `SeBackupPrivilege` ➜ start an elevated shell to avoid filtered tokens ➜ use backup semantics to read `SAM` and `SYSTEM` hives despite restrictive DACLs ➜ exfiltrate and run `secretsdump.py` offline to recover the local Administrator NT hash for lateral movement/privilege escalation.
+
+### Prioritising Kerberoasting with BloodHound
 
-5. **Crack offline**, then immediately re-query BloodHound to plan post-exploitation with the new privileges.
+Use graph context to keep roasting targeted:
 
-This approach keeps the signal-to-noise ratio high, reduces detectable volume (no mass SPN requests), and ensures that every cracked ticket translates to meaningful privilege escalation steps.
+1. Collect once with an ADWS-compatible collector and work offline:
+   ```bash
+   rusthound-ce -d corp.local -u svc.collector -p 'Passw0rd!' -c All -z
+   ```
+2. Import the ZIP, mark the compromised principal as owned, and run built-in queries (*Kerberoastable Users*, *Shortest Paths to Domain Admins*) to surface SPN accounts with admin/infra rights.
+3. Prioritise SPNs by blast radius; review `pwdLastSet`, `lastLogon`, and allowed encryption types before cracking.
+4. Request only selected tickets, crack offline, then re-query BloodHound with the new access:
+   ```bash
+   netexec ldap dc01.corp.local -u svc.collector -p 'Passw0rd!' --kerberoasting kerberoast.txt --spn svc-sql
+   ```
 
 ## Group3r
 
@@ -112,5 +123,6 @@ PingCastle.exe --healthcheck --server corp.local --user bob --password "P@ssw0rd
 
 - [HackTheBox Mirage: Chaining NFS Leaks, Dynamic DNS Abuse, NATS Credential Theft, JetStream Secrets, and Kerberoasting](https://0xdf.gitlab.io/2025/11/22/htb-mirage.html)
 - [RustHound-CE](https://github.com/g0h4n/RustHound-CE)
+- [Beyond ACLs: Mapping Windows Privilege Escalation Paths with BloodHound](https://www.synacktiv.com/en/publications/beyond-acls-mapping-windows-privilege-escalation-paths-with-bloodhound.html)
 
 {{#include ../../banners/hacktricks-training.md}}