{
	"id": "e9835272-11f0-46ca-9125-d6b6d27bae97",
	"created_at": "2026-04-06T00:17:06.923525Z",
	"updated_at": "2026-04-10T03:21:12.852907Z",
	"deleted_at": null,
	"sha1_hash": "3f87bbbdc94d57cc03dd7648cef29bd77f6e31d9",
	"title": "Hidden Administrative Accounts: BloodHound to the Rescue",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 911884,
	"plain_text": "Hidden Administrative Accounts: BloodHound to the Rescue\r\nBy Red Team Labs\r\nArchived: 2026-04-05 14:37:05 UTC\r\nDefending an organization from today’s sophisticated attacks is no easy task. It often requires security teams to be ready at a moment’s notice to respond to an incident, in addition to managing the day-to-day responsibilities of securing the organization. To be effective, security teams must have well-defined policies and solid detection capabilities. This dynamic often drives an ongoing arms race between blue teams and red teams, with both seeking increasingly sophisticated tooling and detection capabilities. However, security professionals can often optimize their efforts and gain a strategic advantage by anticipating likely attack paths and taking steps to block attackers from using these paths. This blog focuses on a common security issue frequently observed during red team engagements: hidden administrator accounts. It also introduces a tool originally designed for red teams that now provides blue teams with the ability to detect and remediate this common security issue.\r\nWhat is a Hidden Administrator Account and Why Do I Care?\r\nHidden administrator accounts are domain accounts that provide administrator access to sensitive systems like domain controllers, Exchange servers or database servers. These accounts may not belong to privileged Active Directory (AD) groups (e.g. Domain Admins), but they still have access to the same systems. The permissions for these accounts are directly assigned using access control lists (ACLs) on AD objects. These hidden administrator accounts are often service or maintenance accounts that perform automated, routine tasks in the environment. In addition, hidden administrator accounts often have access to multiple systems in the environment. Of concern is that these accounts don’t typically receive the same attention regarding configuration review or password management and monitoring as administrative accounts belonging to human users. As a result, they present an attractive target for adversaries, who leverage these service accounts for both lateral movement and gaining access to multiple systems. Hidden administrator accounts are also often targeted by self-propagating malware, including the malware used in ransomware and cryptomining attacks. Exploitation of these administrator privileges allows malware to easily spread throughout an organization.\r\nCrowdStrike Red Team Use Case\r\nCrowdStrike recently performed an adversary emulation penetration test for a client organization that had gone through a large effort to improve its AD structure. This organization restricted its administrator account privileges and segregated administrator and user roles. As is best practice, the client only allowed domain administrator accounts to log onto domain controllers. Additionally, the client implemented logging, monitoring and session management around the use of the domain administrator accounts. Even server administrators were restricted to accessing only the servers for which they had direct responsibility. During the lateral movement and credential dumping phase of the test, we came across two different service accounts. One was a service account that performed storage area network (SAN) maintenance and also had local administrative access to a large portion of the environment. The other one was what we call the “golden key.” It was a service account that had\r\nhttps://www.crowdstrike.com/blog/hidden-administrative-accounts-bloodhound-to-the-rescue/\r\nPage 1 of 6\r\nbeen created to pull security information from all the domain controllers. It was not in the “Domain Administrators” AD group, so it was not monitored and its sessions were not managed. This golden key account had local administrator access to every domain controller in the network, essentially making it a hidden domain administrator account.\r\nIn another adversary emulation engagement, we moved between domains throughout the environment to compromise two geographic regions of the company. Each domain contained its own domain accounts and was managed by separate IT staff. Once we fully compromised one domain, we began looking for misconfigured domain trusts and instances of service accounts used in both domains. We discovered a service account that was being used for network performance monitoring, which had local administrator access to multiple systems. This account was used in both domains and had the same password in each one — a configuration that made it easy for our red team to jump from one domain to another. This dynamic eventually allowed us to fully compromise a geographically dispersed organization. This is another example of unmonitored “administrative” accounts that have extremely powerful access to the networked environment.\r\nWhat Can be Done About Hidden Admin Accounts\r\nYou might be asking, “How does one find these hidden relationships, and how can I make sure this doesn’t happen to my organization?” One option is BloodHound. No, I’m not talking about the droopy-eyed scent dog — I’m talking about the very popular internal AD reconnaissance tool that many red teams use today. BloodHound is a single-page JavaScript web application with a Neo4j database that is fed by a PowerShell script. BloodHound uses graph theory to reveal hidden and often unintended relationships within an AD environment. It was developed by Will Schroeder (@harmj0y), Andrew Robbins (@_wald0), and Rohan Vazarkar (@CptJesus). BloodHound can do in minutes what used to take penetration testers and analysts weeks to develop. Although the tool is very popular in the penetration testing community, we still find some security and IT teams who are not aware of how powerful and beneficial it can be for securing their infrastructure. Specifically, BloodHound can uncover hidden relationships and administrative accounts that would otherwise go unnoticed.\r\nTo use BloodHound, you must set up the Neo4j Community Edition database. You will then need to connect the BloodHound web application to the Neo4j database. For full installation instructions, visit the BloodHound Wiki. Once you have set up the database and logged into the BloodHound web application, you need to pull AD data from your environment using the BloodHound PowerShell ingestor. Figure 1 shows a sample command that searches all domains in the forest (-SearchForest) and the folder location used to save the resulting CSV files.\r\nFigure 1: Running BloodHound’s PowerShell Ingestor\r\nOnce the ingestor completes, you will see three CSV files that can be uploaded into BloodHound, as shown in Figure 2:\r\ngroup_membership.csv\r\nlocal_admins.csv\r\nSessions.csv\r\nFigure 2: BloodHound Web Application Upload Data\r\nAfter uploading these files, take advantage of the pre-built queries within BloodHound. These queries are a great way to start obtaining important information about your environment. Queries include: viewing all domain administrators; viewing users with the most local administrator rights; or viewing computers with the most administrative user access. One of these queries gives you the ability to map domain trusts, as shown in Figure 3.\r\nFigure 3: BloodHound Pre-Built Analytics Queries\r\nWhen looking for hidden administrator accounts and trust misconfigurations, we will commonly use the pre-built queries “Find Top 10 Users with Most Local Admin Rights” and “Map Domain Trusts.” These queries will provide some quick wins and show you which accounts have access to the most systems, and whether there are two-way trusts between foreign domains that could allow for greater access to the environment. Another great way to find hidden administrator accounts is to view system, group or user node information directly. You can investigate any user, group, or system name in the environment by simply typing in the first few characters of the name – the tool will autocomplete. Once you select a node, the “Node Info” field in the left panel populates. You can also right-click a node and choose the sub-option “Expand” to see the members of that node, as shown in Figure 4.\r\nFigure 4: BloodHound User Interface\r\nAnother way we have been able to easily discover hidden administrator accounts is to search for a sensitive system such as a domain controller. This can be done by simply searching for the “Domain Controllers” group and left-clicking the group node. The “Node Info” field on the left will populate. Next, left-click the number next to “Direct Members” under the “Group Members” section. You will now see all the domain controller system nodes under that group, as shown in Figure 5.\r\nFigure 5: BloodHound Domain Controller Group Members\r\nNext, left-click on one of the system nodes (example: “GOAT-DC”) and left-click the number next to “Derivative Local Admins” under the “Local Admins” section, shown in Figure 6.\r\nFigure 6: BloodHound GOAT-DC Derivative Local Admins\r\nNow we can see there are two accounts that have local administrator access to our domain controllers that are not in the “Domain Admins” group and did not even show up in Figure 4. We just found two hidden administrator accounts that have access similar to that of a domain administrator account. It is very likely one of these accounts is used for automated tasks, which makes them very desirable for an adversary looking to blend into normal environment activity.\r\nConclusion\r\nHidden administrator accounts in an environment are often forgotten, or completely unknown. They can provide attackers with a discreet way to obtain domain administrator rights and fully compromise an environment. BloodHound is highly effective at identifying hidden administrator accounts and is both powerful and easy to use. It can provide a wealth of insight into your AD environment in minutes and is a great tool to have in your arsenal when hunting for unique and hidden relationships. We recommend organizations take advantage of free tools like BloodHound and include them as part of their periodic, proactive security assessments. The more proactive we are in security, the better we can anticipate threats, prepare our teams, and improve our ability to stop breaches. Learn about CrowdStrike Services proactive services offerings. Download the CrowdStrike Red Team data sheet.\r\nSource: https://www.crowdstrike.com/blog/hidden-administrative-accounts-bloodhound-to-the-rescue/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"references": [
		"https://www.crowdstrike.com/blog/hidden-administrative-accounts-bloodhound-to-the-rescue/"
	],
	"report_names": [
		"hidden-administrative-accounts-bloodhound-to-the-rescue"
	],
	"threat_actors": [],
	"ts_created_at": 1775434626,
	"ts_updated_at": 1775791272,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/3f87bbbdc94d57cc03dd7648cef29bd77f6e31d9.pdf",
		"text": "https://archive.orkl.eu/3f87bbbdc94d57cc03dd7648cef29bd77f6e31d9.txt",
		"img": "https://archive.orkl.eu/3f87bbbdc94d57cc03dd7648cef29bd77f6e31d9.jpg"
	}
}