GPTHound – Your Active Directory Security Assistant


August 25, 2023




Track 2

Active Directory (AD) issues have persisted for a long time, accumulating a wealth of information security research and numerous AD detection tools. Security professionals face challenges in identifying various types of issues and interpreting them due to the need for extensive prior knowledge and narrative skills, which can lead to inconsistencies in quality. Since AD information is highly dependent on an organization’s operational context and varies between organizations, fixed rules in AD security become impractical as the definition of sensitive information and organizational structures are unique to each organization.

Based on our experience conducting AD assessment services, the AD assessment process comprises four phases:

  1. Generate Query to Search Attack Path: Simplify tool usage and report generation for analysts by leveraging LLM to convert natural language into neo4j queries with tools such as Bloodhound.
  2. Cluster Users/Hosts: Use LLM for asset classification to group objects or potential attack groups based on job roles and groups, thus identifying assets cluster.
  3. Search Sensitive Information: Use LLM to find information on AD, such as passwords, with the added capability of detecting sensitive information in multiple languages.
  4. Explain Attack Path and Remediation: Utilize LLM modules to accurately explain attack paths between different object types and provide appropriate recommendations.

In this talk, we will explain how we designed and implemented this, discuss the challenges encountered when integrating LLM modules, and share the results obtained through our AD assistant analysis.

Notably, our results demonstrate a significantly improved ability to find passwords compared to existing password finder tools, with the added advantage of cross-language support and rapid filtering of irrelevant data and demo attack path and remediation explanations. We will also present a comparison between the analysis findings and the actual domain conditions, using data from over 20 domains.



John Jiang is a researcher of the Research Team of CyCraft. Currently, he focuses on research on Incident Response and Endpoint Security and Active Directory Security.He has presented technical presentations in non-academic technical conferences, such as HITCON, CodeBlue, HITB and BlackHat.