Using ICON to "BloodHound" Your Network

I am using these ldap queries to find weak AD accounts since Bloodhound can be noisy.

Anyone have some to add to these?

check for “do not require kerberos pre auth” enabled


check for “store password with reversible encryption” enabled on user accounts


check for user accounts with SPN set


check for accounts in domain admins/enterprise admins groups



These are great. Thanks for sharing these queries!

one more
check for accounts with unconstrained delegation (kerberos only)


1 Like

You may want to check out some of the great stuff that harmj0y and the powershell mafia came up with for more ideas.

1 Like

yea Im currently looking into how to use ICON and PowerView and or the AD module for PowerShell.

got one more

look for computers with unconstrained delegation


and to exclude DCs