ayinedjimi/ADBloodHound-AI


ADBloodHound-AI

Python 3.9+ | License: MIT | Active Directory | MITRE ATT&CK | BloodHound | Author | HuggingFace

AI-Powered Active Directory Attack Path Analysis



Architecture

                    +----------------------------+
                    |   BloodHound JSON Export   |
                    |   (users, groups, ACLs)    |
                    +-------------+--------------+
                                  |
                                  v
                    +-------------+--------------+
                    |       Graph Analyzer       |
                    |  - Parse BH v3/v4 format   |
                    |  - Build NetworkX DiGraph  |
                    |  - Detect attack paths     |
                    |  - Identify Tier 0/1/2     |
                    +-------------+--------------+
                                  |
                   +--------------+--------------+
                   |              |              |
                   v              v              v
             +-----------+  +-----------+  +-----------+
             |   Risk    |  |    LLM    |  |  Report   |
             |  Scorer   |  |  Advisor  |  | Generator |
             +-----+-----+  +-----+-----+  +-----+-----+
                   |              |              |
                   v              v              v
               [Scores]      [MITRE Map]    [HTML/JSON]
                   |              |              |
                   +--------------+--------------+
                                  |
                                  v
                        +-------------------+
                        |   CLI Interface   |
                        |  analyze | paths  |
                        |  score   | report |
                        +-------------------+


What is ADBloodHound-AI?

ADBloodHound-AI parses BloodHound JSON exports and uses graph analysis combined with AI (OpenAI GPT) to:

  • Detect attack paths from any user/computer to Domain Admin
  • Score risk using a multi-factor weighted algorithm (distance, ACE type, password age, exposure, privilege level)
  • Identify dangerous accounts: Kerberoastable, AS-REP Roastable, DCSync principals
  • Map to MITRE ATT&CK: T1558 (Steal or Forge Kerberos Tickets), T1003 (OS Credential Dumping), T1078 (Valid Accounts)
  • Generate reports: HTML dashboards and JSON exports with remediation priorities
  • AI-powered advice: LLM analysis of attack paths with executive summaries
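The pipeline described above (parse the export, build a directed graph, find paths to Domain Admins, flag roastable and DCSync principals, score each path on the listed factors) can be shown end to end on a small input. The block below is an added example written for this page; it is not ADBloodHound-AI's own code. It uses only the standard library (the project builds a NetworkX DiGraph), follows the BloodHound v4 collector field layout (`ObjectIdentifier`, `Properties`, `Aces`, `Members`), and the sample export, the `TRAVERSABLE` edge weights, the `WEIGHTS` factor weights and the fixed analysis time `NOW` are all assumptions made for the example rather than the project's values.

```python
"""Added example (not ADBloodHound-AI's code): BloodHound-style JSON -> attack graph
-> shortest paths to Domain Admins -> roastable/DCSync flags -> weighted risk score."""
import json
from collections import deque

NOW = 1_720_000_000  # constructed "analysis time" (epoch seconds) so password age is deterministic

# Edge kinds an attacker can traverse, with an ASSUMED 0-1 "ease of abuse" weight per ACE type.
TRAVERSABLE = {
    "MemberOf": 1.0, "GenericAll": 1.0, "AddMember": 0.9, "WriteDacl": 0.9, "WriteOwner": 0.9,
    "Owns": 0.9, "GenericWrite": 0.8, "AllExtendedRights": 0.8, "AddKeyCredentialLink": 0.8,
    "ForceChangePassword": 0.7,
}
WEIGHTS = {"distance": 0.35, "ace": 0.20, "pwd_age": 0.15, "exposure": 0.15, "privilege": 0.15}  # assumed

def _user(sid, name, **props):
    base = {"hasspn": False, "dontreqpreauth": False, "admincount": False, "enabled": True}
    return {"ObjectIdentifier": sid, "ObjectType": "User",
            "Properties": {"name": name, **base, **props}, "Aces": []}

# Constructed sample export: one group, four users and the domain object. Not real data.
SAMPLE_EXPORT = json.dumps({"meta": {"version": 4, "count": 6}, "data": [
    {"ObjectIdentifier": "S-1-5-21-1-512", "ObjectType": "Group",
     "Properties": {"name": "DOMAIN ADMINS@CORP.LOCAL", "highvalue": True},
     "Members": [{"ObjectIdentifier": "S-1-5-21-1-1104", "ObjectType": "User"}],
     "Aces": [{"PrincipalSID": "S-1-5-21-1-1106", "RightName": "WriteDacl"}]},
    dict(_user("S-1-5-21-1-1104", "ADM_ALICE@CORP.LOCAL", admincount=True, pwdlastset=1_700_000_000),
         Aces=[{"PrincipalSID": "S-1-5-21-1-1105", "RightName": "GenericAll"}]),
    _user("S-1-5-21-1-1105", "SVC_BACKUP@CORP.LOCAL", hasspn=True, pwdlastset=1_500_000_000),
    _user("S-1-5-21-1-1106", "HELPDESK1@CORP.LOCAL", dontreqpreauth=True, pwdlastset=1_690_000_000),
    _user("S-1-5-21-1-1107", "SVC_SQL@CORP.LOCAL", hasspn=True, pwdlastset=1_600_000_000),
    {"ObjectIdentifier": "S-1-5-21-1", "ObjectType": "Domain", "Properties": {"name": "CORP.LOCAL"},
     "Aces": [{"PrincipalSID": "S-1-5-21-1-1107", "RightName": "GetChanges"},
              {"PrincipalSID": "S-1-5-21-1-1107", "RightName": "GetChangesAll"},
              {"PrincipalSID": "S-1-5-21-1-1106", "RightName": "GetChanges"}]},
]})

def build_graph(export_json):
    """nodes: SID -> object; adj: SID -> [(target SID, edge kind)] for traversable edges only."""
    nodes = {o["ObjectIdentifier"]: o for o in json.loads(export_json)["data"]}
    adj = {sid: [] for sid in nodes}
    for sid, obj in nodes.items():
        for m in obj.get("Members", []):                  # member --MemberOf--> group
            adj.setdefault(m["ObjectIdentifier"], []).append((sid, "MemberOf"))
        for ace in obj.get("Aces", []):                   # principal --Right--> object it controls
            if ace["RightName"] in TRAVERSABLE:
                adj.setdefault(ace["PrincipalSID"], []).append((sid, ace["RightName"]))
    return nodes, adj

def shortest_path(adj, source, target):
    """BFS; returns [(from SID, edge kind, to SID), ...] or None if target is unreachable."""
    prev, queue = {source: None}, deque([source])
    while queue and target not in prev:
        cur = queue.popleft()
        for nxt, kind in adj.get(cur, []):
            if nxt not in prev:
                prev[nxt] = (cur, kind)
                queue.append(nxt)
    if target not in prev or source == target:
        return None
    path, cur = [], target
    while prev[cur] is not None:
        parent, kind = prev[cur]
        path.append((parent, kind, cur))
        cur = parent
    return path[::-1]

def flag_accounts(nodes):
    """Kerberoastable, AS-REP roastable and DCSync-capable principals (by name)."""
    users = [o for o in nodes.values() if o["ObjectType"] == "User" and o["Properties"]["enabled"]]
    kerb = sorted(o["Properties"]["name"] for o in users if o["Properties"]["hasspn"])
    asrep = sorted(o["Properties"]["name"] for o in users if o["Properties"]["dontreqpreauth"])
    dcsync = set()
    for dom in (o for o in nodes.values() if o["ObjectType"] == "Domain"):
        rights = {}
        for ace in dom.get("Aces", []):
            rights.setdefault(ace["PrincipalSID"], set()).add(ace["RightName"])
        for sid, r in rights.items():
            # DCSync needs BOTH replication rights (GetChanges alone is not enough);
            # GenericAll / AllExtendedRights on the domain object implies them.
            if {"GetChanges", "GetChangesAll"} <= r or r & {"GenericAll", "AllExtendedRights"}:
                dcsync.add(nodes[sid]["Properties"]["name"] if sid in nodes else sid)
    return kerb, asrep, sorted(dcsync)

def score_path(nodes, path, kerb, asrep, now=NOW):
    """Weighted 0-100 risk score for one path (README factors; weights are assumptions)."""
    props = nodes[path[0][0]]["Properties"]
    factors = {
        "distance": 1.0 / len(path),                                   # fewer hops => riskier
        "ace": min(TRAVERSABLE[kind] for _, kind, _ in path),          # hardest edge to abuse
        "pwd_age": min((now - props.get("pwdlastset", now)) / 86400 / 365, 1.0),  # saturates at 1y
        "exposure": 1.0 if props["name"] in kerb or props["name"] in asrep else 0.0,
        "privilege": 1.0 if props.get("admincount") else 0.0,          # already-privileged source
    }
    return round(100 * sum(WEIGHTS[k] * v for k, v in factors.items()), 1)

def analyze(export_json, target_name="DOMAIN ADMINS@CORP.LOCAL", now=NOW):
    nodes, adj = build_graph(export_json)
    target = next(sid for sid, o in nodes.items() if o["Properties"]["name"] == target_name)
    kerb, asrep, dcsync = flag_accounts(nodes)
    paths = []
    for sid in nodes:
        path = shortest_path(adj, sid, target)
        if path:
            paths.append((score_path(nodes, path, kerb, asrep, now), nodes[sid]["Properties"]["name"],
                          len(path), [kind for _, kind, _ in path]))
    paths.sort(key=lambda p: (-p[0], p[1]))
    return {"kerberoastable": kerb, "asrep_roastable": asrep, "dcsync": dcsync, "paths": paths}

if __name__ == "__main__":
    result = analyze(SAMPLE_EXPORT)
    for key in ("kerberoastable", "asrep_roastable", "dcsync"):
        print(f"[+] {key}: {', '.join(result[key]) or 'none'}")
    print(f"[+] Found {len(result['paths'])} attack paths to Domain Admins")
    for i, (score, src, hops, kinds) in enumerate(result["paths"], 1):
        print(f"    {i}. [{score}] {src} -> DOMAIN ADMINS ({hops} hops: {' > '.join(kinds)})")
```

Two details worth noticing in the sample: HELPDESK1 holds GetChanges on the domain object but not GetChangesAll, so it is correctly not reported as a DCSync principal, while its WriteDacl on Domain Admins still gives it a one-hop path; and SVC_SQL is Kerberoastable and can DCSync but has no graph path to the group, which is why the two checks are kept separate rather than folded into path finding.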

Installation

git clone https://github.com/ayinedjimi/ADBloodHound-AI.git
cd ADBloodHound-AI
pip install -e ".[dev]"

# Optional: set an OpenAI API key for the AI features. Note that --llm sends the
# analysed attack paths (account, group and host names) to the OpenAI API, so check
# your data-handling rules before running it on a production domain export.
export OPENAI_API_KEY="sk-..."

Usage

# Full analysis with HTML report
adbloodhound-ai analyze bloodhound_export.json -d CORP.LOCAL -o report.html

# Find paths from specific user
adbloodhound-ai paths bloodhound_export.json -s "JDOE@CORP.LOCAL"

# Score all nodes and get top 20 risks
adbloodhound-ai score bloodhound_export.json -n 20

# Generate full report with LLM analysis
adbloodhound-ai report bloodhound_export.json -d CORP.LOCAL --llm

Example Output

[+] Loaded 15423 objects
[+] Graph: 15423 nodes, 47891 edges
[+] Kerberoastable accounts: 23
[+] AS-REP Roastable accounts: 5
[+] DCSync principals: 3
[+] Found 156 attack paths to Domain Admin
[+] Overall domain risk score: 78.5/100

[!] Top 5 riskiest paths:
    1. [95.2] SVC_BACKUP -> DOMAIN ADMINS (2 hops)
    2. [89.1] HELPDESK1 -> DOMAIN ADMINS (3 hops)
    3. [84.7] SVC_SQL -> DOMAIN ADMINS (2 hops)
    4. [76.3] IT_ADMIN2 -> ENTERPRISE ADMINS (4 hops)
    5. [71.8] WS042.CORP.LOCAL -> DOMAIN ADMINS (5 hops)

Detected Attack Techniques

Technique            MITRE ID    Detection
Kerberoasting        T1558.003   SPNs on user accounts
AS-REP Roasting      T1558.004   Pre-authentication disabled
DCSync               T1003.006   GetChangesAll rights
GenericAll abuse     T1078       Full-control ACEs
WriteDACL abuse      T1078       DACL modification rights
Shadow Credentials   T1078       KeyCredentialLink access


Tests

pytest tests/ -v --cov=adbloodhound_ai

Related Projects

  • KVortex - VRAM to RAM Offloader for LLM
  • YaraGen-AI - AI-powered YARA rule generator
  • KQLHunter - KQL query generator for Azure Sentinel

Author

Ayi NEDJIMI - Cybersecurity & AI Consultant

License

MIT License - see LICENSE