DEV Community

Pastukhov Aleksey

You don't need BloodHound etc

Most AD enumeration tools share the same mental model:
connect to hosts, probe ports, collect responses, build a picture.
BloodHound, ADRecon, PowerView - different implementations,
same fundamental approach: active collection.
That's why they get detected.

There is a different model. And it's been sitting in plain
sight since Windows 2000.

Active Directory is not just an authentication database.
It is a continuously maintained, authoritative inventory
of everything in your network - built and updated by Windows
itself, stored in a structured directory, queryable by any
authenticated domain user.
Consider what AD already knows without you touching a single host:

- Service topology - every machine publishes its services
  via Service Principal Names: MSSQLSvc, WSMAN, TERMSRV, HTTP.
  One LDAP query to a DC returns the complete service map
  of your entire domain. No port scanning. No packet to any host.
  The data is already there.
- Trust relationships - delegation configuration tells you
  exactly which services can act on behalf of which users,
  and to which targets. Unconstrained delegation, constrained
  delegation, S4U2Self (protocol transition): all stored as
  attributes. Not inferred from traffic. Explicitly declared.
- Privileged access paths - every object in AD carries
  a security descriptor. DACLs encode who can do what to whom.
  GenericAll, WriteDACL, WriteOwner, ExtendedRight - these are
  stored on the objects themselves. The attack paths exist in
  the directory before any attacker touches the network.
- Administrative coverage - LAPS deployment status per machine.
  Which computers have managed local admin passwords,
  which don't. No agent needed. No host contact.
  The attributes are either present or they're not.
- Stale assets - lastLogonTimestamp replicates across all DCs.
  The directory knows which machines haven't authenticated
  in 90 days. Your asset inventory does too, now.
- Group membership, transitively - AD supports a matching
  rule (OID 1.2.840.113556.1.4.1941) that lets you ask a DC:
  "who are all the transitive members of this group,
  at any depth of nesting?" One query. The DC walks the entire
  chain server-side. No client-side recursion required.

The shift in mental model
Traditional scanning reconstructs a picture of the network
by probing it. The reconstruction is imperfect -
you see what responds, not what exists.
And the probing is visible.
Reading from AD is different. You are not reconstructing
a picture. You are reading the authoritative record
that Windows maintains for its own operational purposes.
Group Policy reads it. Authentication reads it.
The MMC snap-ins read it.
The traffic is identical. Because it is the same traffic.

What this means in practice
A passive AD reader using native Windows interfaces:

- Produces no anomalous network traffic
- Requires no elevated privileges
  (DACL information is readable by any authenticated user;
  the security model requires this so clients can determine
  their own access rights)
- Covers the entire domain in a handful of LDAP queries
- Returns data that is accurate by definition:
  it is the source of truth, not an approximation

Compare this to a port scanner's output.
A port scanner tells you port 1433 is open on a host.
AD tells you that host has an MSSQLSvc SPN,
is configured for unconstrained Kerberos delegation,
hasn't authenticated in 47 days,
and its local admin password is not managed by LAPS.
Same host. Incomparably more useful picture.
Zero packets sent to that host.
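The inventory attributes listed above (SPNs, delegation flags, LAPS attributes, lastLogonTimestamp) and the single-host comparison just given can be turned into a review report with a few lines of code. The following is an added example, not code from the original post: it never contacts a DC, but works on constructed records shaped like the attributes an LDAP search for `(objectCategory=computer)` returns, so it runs offline. The filter strings, flag constants and attribute names are the documented Microsoft ones; the host names, DNs and timestamps in `SAMPLE_RECORDS` are invented.

```python
"""Posture classification of AD computer objects from directory attributes.

Added example; not code from the original post. It does not contact a DC:
SAMPLE_RECORDS are constructed to look like the attributes an LDAP search
for (objectCategory=computer) returns. Names and timestamps are invented.
"""
from datetime import datetime, timedelta, timezone

# userAccountControl flag values (documented Microsoft constants).
UF_WORKSTATION_TRUST_ACCOUNT = 0x1000
UF_TRUSTED_FOR_DELEGATION = 0x80000            # unconstrained delegation
UF_TRUSTED_TO_AUTH_FOR_DELEGATION = 0x1000000  # protocol transition (S4U2Self)

# Presence of either attribute means a LAPS (legacy or Windows LAPS) managed password.
LAPS_ATTRS = ("ms-Mcs-AdmPwdExpirationTime", "msLAPS-PasswordExpirationTime")

# Filters that let the DC answer the question server-side. The matching rule
# 1.2.840.113556.1.4.803 is a bitwise AND on userAccountControl.
FILTER_UNCONSTRAINED = ("(&(objectCategory=computer)"
                        f"(userAccountControl:1.2.840.113556.1.4.803:={UF_TRUSTED_FOR_DELEGATION}))")
FILTER_CONSTRAINED = "(&(objectCategory=computer)(msDS-AllowedToDelegateTo=*))"
FILTER_NO_LAPS = ("(&(objectCategory=computer)(!(ms-Mcs-AdmPwdExpirationTime=*))"
                  "(!(msLAPS-PasswordExpirationTime=*)))")

WINDOWS_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(ft: int) -> datetime:
    """FILETIME attributes (lastLogonTimestamp, LAPS expiry) are 100 ns ticks since 1601-01-01 UTC."""
    return WINDOWS_EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt: datetime) -> int:
    # Integer arithmetic: a float would lose ticks at 1e17 magnitudes.
    delta = dt - WINDOWS_EPOCH
    return (delta.days * 86400 + delta.seconds) * 10_000_000 + delta.microseconds * 10


def stale_filter(now: datetime, days: int = 90) -> str:
    """Staleness as an LDAP filter so the DC does the comparison. lastLogonTimestamp
    is only refreshed when it is older than ~14 days, so it is a coarse signal."""
    cutoff = datetime_to_filetime(now - timedelta(days=days))
    return f"(&(objectCategory=computer)(lastLogonTimestamp<={cutoff}))"


def classify_computer(rec: dict, now: datetime, stale_days: int = 90) -> dict:
    """Turn one computer's attributes into the facts a reviewer wants side by side."""
    uac = int(rec.get("userAccountControl", 0))
    spns = rec.get("servicePrincipalName", [])
    last = rec.get("lastLogonTimestamp")
    last_dt = filetime_to_datetime(int(last)) if last is not None else None
    return {
        "name": rec["name"],
        # Service class is the part before the slash: MSSQLSvc, HTTP, TERMSRV...
        "services": sorted({spn.split("/", 1)[0] for spn in spns}),
        "unconstrained_delegation": bool(uac & UF_TRUSTED_FOR_DELEGATION),
        "constrained_delegation_to": list(rec.get("msDS-AllowedToDelegateTo", [])),
        "protocol_transition": bool(uac & UF_TRUSTED_TO_AUTH_FOR_DELEGATION),
        "laps_managed": any(a in rec for a in LAPS_ATTRS),
        "days_since_logon": None if last_dt is None else (now - last_dt).days,
        "stale": last_dt is None or (now - last_dt) > timedelta(days=stale_days),
    }


def posture_report(records, now: datetime, stale_days: int = 90) -> dict:
    """Domain-wide summary: what to fix first, plus per-host detail."""
    findings = [classify_computer(r, now, stale_days) for r in records]
    return {
        # Unconstrained delegation on a host without a managed local admin
        # password is the combination to review first.
        "unconstrained_no_laps": [f["name"] for f in findings
                                  if f["unconstrained_delegation"] and not f["laps_managed"]],
        "stale": [f["name"] for f in findings if f["stale"]],
        "findings": findings,
    }


# Constructed sample "directory" of three hosts; all values are invented.
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
SAMPLE_RECORDS = [
    {"name": "SQL01",
     "userAccountControl": UF_WORKSTATION_TRUST_ACCOUNT | UF_TRUSTED_FOR_DELEGATION,
     "servicePrincipalName": ["MSSQLSvc/sql01.corp.example:1433", "HOST/sql01.corp.example"],
     "lastLogonTimestamp": datetime_to_filetime(NOW - timedelta(days=47))},
    {"name": "WEB01",
     "userAccountControl": UF_WORKSTATION_TRUST_ACCOUNT | UF_TRUSTED_TO_AUTH_FOR_DELEGATION,
     "msDS-AllowedToDelegateTo": ["MSSQLSvc/sql01.corp.example:1433"],
     "servicePrincipalName": ["HTTP/web01.corp.example"],
     "lastLogonTimestamp": datetime_to_filetime(NOW - timedelta(days=3)),
     "msLAPS-PasswordExpirationTime": datetime_to_filetime(NOW + timedelta(days=20))},
    {"name": "OLDPC7",
     "userAccountControl": UF_WORKSTATION_TRUST_ACCOUNT,
     "servicePrincipalName": ["TERMSRV/oldpc7.corp.example"],
     "lastLogonTimestamp": datetime_to_filetime(NOW - timedelta(days=200)),
     "ms-Mcs-AdmPwdExpirationTime": datetime_to_filetime(NOW + timedelta(days=5))},
]

if __name__ == "__main__":
    import json
    print(json.dumps(posture_report(SAMPLE_RECORDS, NOW), indent=2))
```

On the sample, SQL01 comes out exactly as the paragraph above describes it: an MSSQLSvc SPN, unconstrained delegation, 47 days since its last logon and no LAPS attribute, which puts it first in the review list. The filter constants are what a live run would hand to any LDAP client; the classification logic is the same either way.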

The attack path problem
When you combine ACL edges with transitive group membership, you can answer questions like:
Is there any path from a service account to Domain Admins through ACL relationships?
This is exactly what BloodHound visualizes, except BloodHound collects this data by running a .NET assembly that generates LDAP traffic
patterns no legitimate workstation produces. EDR catches it. Not because it exploits anything. Because the behavioral signature is unmistakable.
The data BloodHound needs is already in AD. It doesn't need to be collected with a detectable collector. It needs to be read with the same interfaces that Windows uses to read it every day.
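Combining ACL edges with nesting and asking "can this principal reach Domain Admins?" is ordinary graph search. The block below is an added example, not the post's code and not BloodHound's: `EDGES` is constructed by hand to stand in for what reading DACLs (GenericAll, WriteDACL, WriteOwner, ExtendedRight) and a transitive memberOf query would return, and every principal name in it is invented. It also includes the transitive-membership filter from the inventory list earlier on the page, with RFC 4515 escaping of the group DN. Each hop the search reports is one permission a defender can review and, where it is not needed, remove.

```python
"""Path finding over ACL edges and group nesting, as the post describes.

Added example; not code from the original post and not BloodHound's.
EDGES is constructed to stand in for what a DACL read and a transitive
memberOf query would return; every principal name is invented.
"""
from collections import deque

# Edge kinds the post names. "MemberOf" is nesting, which the DC resolves
# for you with the 1.2.840.113556.1.4.1941 matching rule.
CONTROL_EDGES = {"GenericAll", "WriteDACL", "WriteOwner", "ExtendedRight", "MemberOf"}


def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping: a DN containing ( ) * or backslash must not alter the filter."""
    return (value.replace("\\", "\\5c").replace("*", "\\2a")
                 .replace("(", "\\28").replace(")", "\\29").replace("\0", "\\00"))


def transitive_member_filter(group_dn: str) -> str:
    """One query; the DC walks the whole nesting chain server-side."""
    return f"(memberOf:1.2.840.113556.1.4.1941:={escape_filter_value(group_dn)})"


# Constructed edges: (source principal, right, target object).
EDGES = [
    ("svc_backup", "MemberOf", "Backup Operators"),
    ("svc_backup", "GenericAll", "helpdesk_tier2"),
    ("helpdesk_tier2", "MemberOf", "Helpdesk"),
    ("Helpdesk", "WriteDACL", "Server Admins"),
    ("Server Admins", "MemberOf", "Domain Admins"),
    ("svc_web", "GenericAll", "KIOSK01"),        # dead end: leads nowhere privileged
    ("svc_print", "MemberOf", "Print Operators"),
]


def build_graph(edges):
    """Adjacency list keyed by source principal, keeping only control edges."""
    graph = {}
    for src, right, dst in edges:
        if right in CONTROL_EDGES:
            graph.setdefault(src, []).append((right, dst))
    return graph


def find_path(graph, start, target):
    """Shortest chain of (src, right, dst) hops from start to target, or None."""
    parent = {start: None}
    queue = deque([start])
    while queue:
        node = queue.popleft()
        if node == target:
            hops = []
            while parent[node] is not None:
                src, right = parent[node]
                hops.append((src, right, node))
                node = src
            return hops[::-1]
        for right, nxt in graph.get(node, []):
            if nxt not in parent:
                parent[nxt] = (node, right)
                queue.append(nxt)
    return None


def principals_reaching(graph, target):
    """Every principal with some path to target: the defender's review list.
    Walks the reversed graph once instead of searching from each candidate."""
    reverse = {}
    for src, outs in graph.items():
        for _right, dst in outs:
            reverse.setdefault(dst, []).append(src)
    seen, queue = {target}, deque([target])
    while queue:
        node = queue.popleft()
        for src in reverse.get(node, []):
            if src not in seen:
                seen.add(src)
                queue.append(src)
    seen.discard(target)
    return seen


if __name__ == "__main__":
    g = build_graph(EDGES)
    for hop in find_path(g, "svc_backup", "Domain Admins") or []:
        print(" -> ".join(hop))
    print(sorted(principals_reaching(g, "Domain Admins")))
```

With the constructed edges, `svc_backup` reaches Domain Admins in four hops (a GenericAll on a helpdesk account, two nesting steps and a WriteDACL on a group), while `svc_web` and `svc_print` do not. The reversed walk in `principals_reaching` is the form that scales to a real directory: one pass yields every principal that needs attention rather than one search per account.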

The implication for defenders is direct:
if this data is readable passively, it is also readable by an attacker
who has any foothold in your domain.
The attack paths exist in your directory right now.
The question is whether you've looked at them before someone else did.
