BloodHound Narrator
Turn BloodHound attack paths into boardroom-ready security reports — entirely offline.
Built for pentesters, blue teams, and AD security consultants who need to translate BloodHound graph output into actionable deliverables without spending hours writing prose.
BloodHound Narrator ingests Cypher export JSON, scores each attack path on a weighted severity model, and produces a dual-layer Markdown report:
1. CISO / Executive Layer — severity summary table, per-path business risk narrative, impact statements written in non-technical language that management and board members can act on.
2. Technical Remediation Appendix — step-by-step hardening playbook with PowerShell commands, Event IDs to monitor, and remediation guidance per finding.
Detected attack patterns: DCSync, Kerberoasting, unconstrained delegation, GenericAll / WriteDacl / WriteOwner ACL abuse, GPO takeover, lateral movement chains (AdminTo + HasSession), Tier 0 boundary violations, stale service account passwords, and sensitive data exposure paths.
No API keys. No network calls. No data exfiltration risk. Air-gap compatible. Works in regulated, classified, and OT environments.
Setup
Install PowerShell (if not already present):
```bash
# macOS
brew install powershell/tap/powershell
# Linux (Ubuntu/Debian)
sudo apt-get install -y powershell
# Windows: PowerShell is already included
```
No environment variables or credentials required.
Usage
```bash
# Generate the full report (all severity levels)
bash {baseDir}/scripts/bh-narrator.sh -InputFile path/to/bloodhound-export.json
# Only Critical and High findings
bash {baseDir}/scripts/bh-narrator.sh -InputFile path/to/export.json -MinSeverity High
# Specify the output path
bash {baseDir}/scripts/bh-narrator.sh -InputFile path/to/export.json -OutputFile report.md
# Pass the classified objects through the pipeline for further processing
bash {baseDir}/scripts/bh-narrator.sh -InputFile path/to/export.json -PassThru
```
Run the test suite
```bash
bash {baseDir}/tests/run-tests.sh
```
A synthetic BloodHound export with 5 attack paths (3 Critical, 2 High) is included at {baseDir}/tests/synthetic-bloodhound.json for validation.
Severity Scoring Model
| Factor | Points | Example |
|---|---|---|
| Tier 0 target (DA, EA, DC) | +40 | Path ends at Domain Admins |
| DCSync edge | +30 | Replication rights on DC |
| GenericAll/WriteDacl/Owns on Tier 0 | +30 | GenericAll on Domain Admins group |
| Unconstrained delegation in path | +20 | TGT cached on delegation host |
| GenericAll/WriteDacl/Owns (non-Tier 0) | +15 | WriteDacl on OU |
| Sensitive data keywords in path | +15 | Target description contains "PII" or "financial" |
| Kerberoastable source | +10 | Source account has SPN set |
| Short path (1-2 hops) | +10 | Direct GenericAll to DA |
| Lateral movement chain | +10 | AdminTo + HasSession combo |
| Medium path (3 hops) | +5 | Three-hop escalation |
| Stale password (>365 days) | +5 | Service account never rotated |
Thresholds: Critical >= 50 | High >= 30 | Medium >= 15 | Low < 15
Report Output
The generated Markdown report includes:
- Header with domain name, collection date, BloodHound version
- Executive summary with severity distribution table
- Per-path findings with attack chain, business risk bullets, and impact statement
- Technical remediation appendix with numbered steps per finding (DCSync removal, gMSA migration, delegation hardening, tier isolation, GPO lockdown, etc.)
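The scoring table and the executive summary table above, worked through in code. This is an added example, not the project's own code: it assumes a simplified path shape (a list of node dicts plus a parallel list of edge types, with node flags such as `hasspn`, `unconstraineddelegation` and `pwdlastset_days` standing in for BloodHound node properties), applies each factor at most once per path, and uses the point values and thresholds from the table. The sample paths are constructed.

```python
from collections import Counter

# Point values and thresholds taken from the scoring table in this README.
TIER0_NAMES = {"DOMAIN ADMINS", "ENTERPRISE ADMINS", "DOMAIN CONTROLLERS"}
ACL_EDGES = {"GenericAll", "WriteDacl", "Owns", "WriteOwner"}
SENSITIVE_KEYWORDS = ("PII", "FINANCIAL")
THRESHOLDS = (("Critical", 50), ("High", 30), ("Medium", 15))  # Low: < 15


def is_tier0(node):
    """Tier 0 = one of the well-known groups, or a node explicitly flagged as such."""
    return node.get("name", "").upper() in TIER0_NAMES or bool(node.get("tier0"))


def score_path(path):
    """Return (score, reasons) for one path.

    Assumed shape: path = {"nodes": [...], "edges": [...]} where edges[i] is the
    edge type leading from nodes[i] to nodes[i + 1].
    """
    nodes, edges = path["nodes"], path["edges"]
    source, target = nodes[0], nodes[-1]
    score, reasons = 0, []

    def add(points, why):
        nonlocal score
        score += points
        reasons.append(f"+{points} {why}")

    if is_tier0(target):
        add(40, "Tier 0 target")
    if "DCSync" in edges:
        add(30, "DCSync edge")
    # ACL abuse counts once: +30 if any ACL edge lands on a Tier 0 object, else +15.
    acl_hits = [i for i, e in enumerate(edges) if e in ACL_EDGES]
    if any(is_tier0(nodes[i + 1]) for i in acl_hits):
        add(30, "ACL abuse on Tier 0 object")
    elif acl_hits:
        add(15, "ACL abuse on non-Tier 0 object")
    if any(n.get("unconstraineddelegation") for n in nodes):
        add(20, "unconstrained delegation host in path")
    if any(k in target.get("description", "").upper() for k in SENSITIVE_KEYWORDS):
        add(15, "sensitive data keyword on target")
    if source.get("hasspn"):
        add(10, "Kerberoastable source (SPN set)")
    hops = len(edges)
    if hops <= 2:
        add(10, f"short path ({hops} hops)")
    elif hops == 3:
        add(5, "medium path (3 hops)")
    if "AdminTo" in edges and "HasSession" in edges:
        add(10, "lateral movement chain (AdminTo + HasSession)")
    if source.get("pwdlastset_days", 0) > 365:
        add(5, "stale source password (>365 days)")
    return score, reasons


def classify(score):
    """Map a score onto the README thresholds."""
    for label, floor in THRESHOLDS:
        if score >= floor:
            return label
    return "Low"


def severity_summary(paths):
    """Path count per severity, in the order the executive table uses."""
    counts = Counter(classify(score_path(p)[0]) for p in paths)
    return {s: counts.get(s, 0) for s in ("Critical", "High", "Medium", "Low")}


def summary_table(paths):
    """Render the severity distribution as a Markdown table."""
    rows = ["| Severity | Paths |", "|---|---|"]
    rows += [f"| {s} | {n} |" for s, n in severity_summary(paths).items()]
    return "\n".join(rows)


# Constructed sample paths (not real data); property names mimic BloodHound's.
SAMPLE_PATHS = [
    {"nodes": [{"name": "SVC_BACKUP@CORP.LOCAL", "hasspn": True, "pwdlastset_days": 800},
               {"name": "Domain Admins"}],
     "edges": ["GenericAll"]},
    {"nodes": [{"name": "JDOE@CORP.LOCAL"}, {"name": "WS01.CORP.LOCAL"},
               {"name": "ADMIN_BOB@CORP.LOCAL"}, {"name": "Domain Admins"}],
     "edges": ["AdminTo", "HasSession", "MemberOf"]},
    {"nodes": [{"name": "HELPDESK@CORP.LOCAL"},
               {"name": "OU=FINANCE,DC=CORP,DC=LOCAL",
                "description": "Financial department workstations"}],
     "edges": ["WriteDacl"]},
    {"nodes": [{"name": "WEBSVC@CORP.LOCAL"},
               {"name": "WEB01.CORP.LOCAL", "unconstraineddelegation": True}],
     "edges": ["AdminTo"]},
    {"nodes": [{"name": "INTERN@CORP.LOCAL"}, {"name": "STAFF"}, {"name": "ALL USERS"},
               {"name": "KIOSK01.CORP.LOCAL"}, {"name": "KIOSK_USER@CORP.LOCAL"}],
     "edges": ["MemberOf", "MemberOf", "CanRDP", "HasSession"]},
]

if __name__ == "__main__":
    for p in SAMPLE_PATHS:
        s, why = score_path(p)
        print(f"{classify(s):8} {s:3}  {p['nodes'][0]['name']} -> {p['nodes'][-1]['name']}")
        print("          " + "; ".join(why))
    print(summary_table(SAMPLE_PATHS))
```

Running the script scores the five constructed paths as 95, 55, 40, 30 and 0 (two Critical, two High, one Low) and prints the per-path reasons, which is the material the executive layer turns into narrative and the appendix turns into remediation steps.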
Who Is This For
- Pentesters delivering AD audit reports to clients — skip the manual write-up, generate the narrative from your BloodHound data
- Blue team / SOC analysts triaging BloodHound findings after a security assessment
- Security consultants who need client-ready deliverables fast
- CISOs and security managers who want attack path reports they can actually read without a graph database
- Purple teams documenting offensive findings for defensive remediation
Use Cases
- Post-pentest AD audit reporting
- Quarterly Active Directory security health checks
- Incident response — rapid attack path analysis after a compromise
- Compliance reporting (ISO 27001, NIS2, LPM, SOC2) requiring documented AD risk assessments
- Training and awareness — show management what "3 hops to Domain Admin" actually means