Starting state
You have a domain-joined foothold or valid domain credentials, and your engagement scope is already defined. The Network Map shows hosts, ports, and services with subnet grouping and a public-exposure boundary. Before you collect, right-click the relevant hosts and choose "Add to scope" so the AD-graph overlay later lands on assets you are authorized to touch.
Inputs
- Domain name, a reachable domain controller, and a set of credentials (user, hash, or ticket).
- A cloud inventory export for the tenant: Azure Resource Graph, AWS Resource Explorer, GCP asset export, BloodHound-azure, or generic JSON.
- A defined scope so collection stays inside the engagement boundary.
Key steps
1. Collect the AD graph
From the AD/Identity panel, run a collector: bloodhound-python, SharpHound, or ROADrecon. If you prefer to drive it yourself, right-click the DC in the Network Map and choose "Open in terminal as $T", then run the collector with the placeholder host already in place. If the foothold cannot resolve the domain in DNS, point bloodhound-python at the DC for name resolution as well (its -ns option takes a nameserver IP).
bloodhound-python -d corp.local -u svc_user -p '...' -c All -dc $T
2. Ingest and review identity weaknesses
Ingest writes the collected data into the AD graph store, and AD-graph nodes overlay onto the Network Map. Open the Kerberos roast panel to surface accounts with an SPN set (Kerberoastable) and the AS-REP panel for accounts that do not require Kerberos pre-authentication (AS-REP roastable), then hand any captured hashes to the hash-crack panel (hashcat) for a recoverability read. Disabled accounts are noise here: a ticket for an account that cannot log on does not advance the path.
3. Import the cloud side
In Cloud Architecture, run the importer against your export. It accepts Resource Graph, Resource Explorer, GCP asset, generic JSON, and BloodHound-azure, and builds an AWS, Azure, or GCP asset graph alongside the AD graph.
4. Switch the overlay to attack paths
The cloud graph supports overlay modes for identity, trust, attack paths, and exposure. Switch to attack paths to see how a foothold reaches sensitive cloud roles, and to exposure to find assets sitting past the public boundary.
5. Follow the hybrid pivot
Use the hybrid pivot to link an AD identity to its cloud counterpart (and back). Start from a roastable or over-privileged AD account, follow it across the boundary to its Entra ID or cloud role, and read the path end to end as one chain.
Set the APT29 profile first
APT29 models the hybrid path from on-prem AD into Entra ID and M365. With that ATT&CK profile selected, the AI assistant, the tool recommender, and the findings-gated Next Actions panel all lean toward the identity-boundary moves this playbook covers.
Expected outputs
One spanning graph
A single view that spans on-prem AD and the cloud asset graph, with the public-exposure boundary visible.
A walkable path
An attack path from foothold to cloud role that you can trace node by node, plus findings persisted to the encrypted local store for the report.
Common operator decisions
Which collection method. bloodhound-python is convenient from a Linux foothold with creds, SharpHound fits when you can run on a domain-joined Windows host, and ROADrecon targets the Entra ID side. Pick the one that matches where you have execution.
When to trust hybrid pivot links. The pivot infers the AD-to-cloud relationship from your imports. Confirm a high-impact link against the underlying account mapping before you write it up as a real path.
Scoping cloud exposure. The exposure overlay can surface assets outside your engagement. Decide what stays in scope before you report it, and keep collection inside the boundary you defined.
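The hybrid pivot in step 5 and the "when to trust hybrid pivot links" decision above both come down to one question: what evidence ties the AD account to the cloud identity? The script below is an added example written for this playbook, not the product's own code. It assumes an AD side in the users.json layout bloodhound-python writes (Properties.hasspn, Properties.dontreqpreauth, Properties.objectid), a constructed generic JSON cloud export with Graph-like user fields plus a flat list of directory role assignments, and a hypothetical HIGH_IMPACT_ROLES set standing in for whatever the engagement treats as sensitive. The link it uses is the on-prem SID: Entra Connect records a synced account's AD SID in onPremisesSecurityIdentifier, so a match on that field is the account mapping you can confirm by hand before writing the path up. It also applies the scope filter from the last decision, dropping accounts outside the domains you authorized.

```python
"""Roastable AD accounts pivoted to their synced cloud identities.
Added example for this playbook, not the product's own code. Assumes the AD
side is in the users.json layout bloodhound-python writes and the cloud side
is a constructed generic JSON export with Graph-like user fields plus a flat
list of directory role assignments. The link is the on-prem SID: Entra
Connect records a synced account's AD SID in onPremisesSecurityIdentifier."""
import json

# Constructed sample: bloodhound-python users.json, trimmed to the fields used.
AD_USERS_JSON = json.dumps({"data": [
    {"Properties": {"name": "SVC_SQL@CORP.LOCAL", "domain": "CORP.LOCAL",
                    "objectid": "S-1-5-21-1111-2222-3333-1105",
                    "enabled": True, "hasspn": True, "dontreqpreauth": False}},
    {"Properties": {"name": "LEGACY.APP@CORP.LOCAL", "domain": "CORP.LOCAL",
                    "objectid": "S-1-5-21-1111-2222-3333-1203",
                    "enabled": True, "hasspn": False, "dontreqpreauth": True}},
    {"Properties": {"name": "JDOE@CORP.LOCAL", "domain": "CORP.LOCAL",
                    "objectid": "S-1-5-21-1111-2222-3333-1005",
                    "enabled": True, "hasspn": False, "dontreqpreauth": False}},
    {"Properties": {"name": "OLD_SVC@CORP.LOCAL", "domain": "CORP.LOCAL",
                    "objectid": "S-1-5-21-1111-2222-3333-1300",
                    "enabled": False, "hasspn": True, "dontreqpreauth": False}},
], "meta": {"type": "users", "version": 5, "count": 4}})

# Constructed sample: generic JSON cloud export (Graph-like fields, fake ids).
CLOUD_EXPORT_JSON = json.dumps({
    "users": [
        {"id": "u-0001", "userPrincipalName": "svc_sql@corp.example",
         "onPremisesSyncEnabled": True,
         "onPremisesSecurityIdentifier": "S-1-5-21-1111-2222-3333-1105"},
        {"id": "u-0002", "userPrincipalName": "legacy.app@corp.example",
         "onPremisesSyncEnabled": True,
         "onPremisesSecurityIdentifier": "S-1-5-21-1111-2222-3333-1203"},
        {"id": "u-0003", "userPrincipalName": "breakglass@corp.example",
         "onPremisesSyncEnabled": False, "onPremisesSecurityIdentifier": None},
    ],
    "roleAssignments": [
        {"principalId": "u-0001", "roleDisplayName": "Global Administrator"},
        {"principalId": "u-0002", "roleDisplayName": "Directory Readers"},
        {"principalId": "u-0003", "roleDisplayName": "Global Administrator"},
    ],
})

# Which roles count as sensitive is an engagement choice; this set is an
# assumption for the example (real Entra built-in role display names).
HIGH_IMPACT_ROLES = {"Global Administrator", "Privileged Role Administrator",
                     "Privileged Authentication Administrator"}


def roastable_accounts(users_json, scope_domains=None):
    """Enabled accounts that are Kerberoastable (SPN set) or AS-REP roastable
    (pre-auth not required). scope_domains, if given, drops other domains."""
    found = []
    for entry in json.loads(users_json)["data"]:
        p = entry["Properties"]
        if not p.get("enabled"):
            continue  # a disabled account's ticket does not advance the path
        if scope_domains and p.get("domain") not in scope_domains:
            continue  # outside the engagement boundary
        techniques = []
        if p.get("hasspn"):
            techniques.append("kerberoast")
        if p.get("dontreqpreauth"):
            techniques.append("asreproast")
        if techniques:
            found.append({"name": p["name"], "sid": p["objectid"],
                          "techniques": techniques})
    return found


def hybrid_links(cloud_json):
    """Map on-prem SID -> synced cloud identity and its directory roles.
    Cloud-only accounts carry no on-prem SID and are left out deliberately."""
    data = json.loads(cloud_json)
    roles = {}
    for ra in data.get("roleAssignments", []):
        roles.setdefault(ra["principalId"], set()).add(ra["roleDisplayName"])
    links = {}
    for u in data["users"]:
        sid = u.get("onPremisesSecurityIdentifier")
        if not u.get("onPremisesSyncEnabled") or not sid:
            continue
        links[sid] = {"id": u["id"], "upn": u["userPrincipalName"],
                      "roles": roles.get(u["id"], set())}
    return links


def hybrid_attack_paths(users_json, cloud_json, scope_domains=None,
                        high_impact=HIGH_IMPACT_ROLES):
    """Chain roastable AD account -> synced cloud identity -> cloud roles,
    keeping the SID that justifies each link so it can be checked by hand."""
    links = hybrid_links(cloud_json)
    paths = []
    for acct in roastable_accounts(users_json, scope_domains):
        cloud = links.get(acct["sid"])
        if cloud is None:
            continue  # no synced counterpart: the path stops on-prem
        paths.append({
            "ad_account": acct["name"], "techniques": acct["techniques"],
            "link_evidence": "objectid == onPremisesSecurityIdentifier (%s)" % acct["sid"],
            "cloud_upn": cloud["upn"], "cloud_roles": sorted(cloud["roles"]),
            "high_impact": bool(cloud["roles"] & set(high_impact)),
        })
    paths.sort(key=lambda p: (not p["high_impact"], p["ad_account"]))
    return paths


if __name__ == "__main__":
    for path in hybrid_attack_paths(AD_USERS_JSON, CLOUD_EXPORT_JSON, {"CORP.LOCAL"}):
        print("[%s] %s --%s--> %s roles=%s via %s" % (
            "HIGH" if path["high_impact"] else "low", path["ad_account"],
            "/".join(path["techniques"]), path["cloud_upn"],
            path["cloud_roles"], path["link_evidence"]))
```

On the constructed data this reports SVC_SQL (Kerberoastable) reaching a Global Administrator and LEGACY.APP (AS-REP roastable) reaching only Directory Readers; the disabled OLD_SVC and the cloud-only breakglass account never enter a chain. The link_evidence field is the point: a path whose only support is a matching display name or UPN prefix is an inference, while a SID match is the mapping the directory itself maintains, so check for the latter before a high-impact chain goes in the report.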
