BloodHound: Attack Graphs Practically Applied to Active Directory

•

2 gostaram•3,042 visualizações

Andy Robbins

Presented at Microsoft's BlueHat v18 in Redmond, Washington in September of 2018.

Tecnologia

BloodHound:
Attack Graphs Practically Applied to
Active Directory

HELLO!
I am Andy Robbins
Adversary Resilience Lead at
SpecterOps
BloodHound co-creator and
developer, Red Teamer
You can find me at @_wald0

HELLO!
I am Rohan Vazarkar
Adversary Resilience Senior
Operator at SpecterOps
BloodHound co-creator and
developer, Red Teamer
You can find me at @CptJesus

Agenda
▪ The Problem
▪ The Solution
▪ Conclusion
44

Purpose
We want to demonstrate how graphs can
be an elegant and practical solution to
incredibly complex problems, and inspire
you to consider using graphs for problems
you face
55

Pushed Into a Corner, circa 2014-2015
▪ Remote Code Execution (RCE) flaws in Windows
become increasingly rare and risky to exploit
▪ Maturing vulnerability management programs
ensure ephemerality of RCE in the enterprise
▪ A common methodology appeared...
77

The Data is RIGHT… THERE!
▪ Question: Where are users logged on?
▪ Answer: NetSessionEnum
▪ Question: Who are local admins on a system?
▪ Answer: NetLocalGroupGetMembers
▪ Question: Who belongs to what security group?
▪ Answer: Basic LDAP queries
By default, all data is accessible by any domain authenticated principal
on systems before Windows 10 Anniversary (1607)
2020

An effective, albeit tedious and naive approach...
21
Target Users:
Admin-1
Admin-2
Admin-3
Admin-4
Admin-5
Admin-1 Uses
These Systems:
Computer-1
Computer-2
Computer-3
Admins on Computer-1:
Admin-1
Admin-2
Admin-10
Group-11
Members of Group 11
Use These Systems:
Computer-1
Computer-2
Computer-5
Admins on Computer-5:
Admin-1
Admin-2
Admin-10
Admin-15
Admin-15 Uses These
Systems:
Computer-1
Computer-2
Computer-10
Members of
Group-11:
Admin-5
Admin-6
Admin-7
Admin-8

The Problem, In Short
▪ We have a reliable, proven methodology for
escalating rights in almost any Active Directory
deployment
▪ That methodology is enhanced by data which, by
default, anyone in a domain can access
▪ The data is way too complicated to analyze by hand
2222

It’s a graph, dummy!
▪ Every principal (user, group, computer) is a node
▪ Every privilege (and group membership) is a
relationship
▪ Graphs are phenomenally fast at finding paths
between disparate nodes
2424

25
Domain AdminsAlice AdminComputer 1
Bob User
Helpdesk Group
Data Source: LDAP

26
Domain AdminsAlice AdminComputer 1
Bob User
Helpdesk Group
MemberOf
MemberOf
Data Source: LDAP

27
Domain AdminsAlice AdminComputer 1
Bob User
Helpdesk Group
MemberOf
MemberOf
AdminTo
Data Source:
NetLocalGroupGetMembers

28
Domain AdminsAlice AdminComputer 1
Bob User
Helpdesk Group
MemberOf
MemberOfHasSession
AdminTo
Data Source:
NetSessionEnum

Now You’re Thinking With Graphs
▪ Manual “derivative local admin” takes days to
months
▪ Data collection, graph analysis, and attack path
execution takes minutes to hours
2929

Three Problems Graphs Solved
▪ Complexity - Analyzing thousands of paths became
possible
▪ Readability - Presenting concepts to non-technical
audiences became easier
▪ Accessibility - Opened up the methodology to both
the defensive and offensive side
3333

Three Exciting Defensive Applications
▪ Easier, more effective, more accurate permission
auditing
▪ Attack path identification and mitigation/elimination
▪ Empirical key terrain identification
3434

If There’s One Thing to Take Away From this Talk
▪ Graphs are not the solution to every problem;
however, they allow you to look at problems in a
unique way and solve complex problems that
otherwise would be insanely difficult to visualize,
compute, or solve
3535

Acknowledgements and Prior Work
http://alicezheng.org/papers/sosp2009-heatray-10pt.pdf
https://www.sixdub.net/?p=591
https://bitbucket.org/iwseclabs/bta
https://github.com/ANSSI-FR/AD-control-paths
https://powersploit.readthedocs.io/en/latest/Recon/
3636

37
Thank you!
QUESTIONS?
You can find us at:
▪ specterops.io
▪ @SpecterOps
▪ @_wald0
▪ @CptJesus
▪ BloodHound: https://bit.ly/GetBloodHound
▪ BloodHound Slack: https://bloodhoundgang.herokuapp.com

Mais conteúdo relacionado

Mais procurados

An ACE in the Hole - Stealthy Host Persistence via Security Descriptors

Will Schroeder

BloodHound Unleashed.pdf

n00py1

I hunt sys admins 2.0

Will Schroeder

Understanding Windows Access Token Manipulation

Justin Bui

Hunting for Credentials Dumping in Windows Environment

Teymur Kheirkhabarov

Passwords#14 - mimikatz

Benjamin Delpy

One successful technique in social engineering is pretending to be someone or something you're not and hoping the security guard who's forgotten their reading glasses doesn't look too closely at your fake ID. Of course there's no hyperopic guard in the Windows OS, but we do have an ID card, the Access Token which proves our identity to the system and let us access secured resources. The Windows kernel provides simple capabilities to identify fake Access Tokens, but sometimes the kernel or other kernel-mode drivers are too busy to use them correctly. If a fake token isn't spotted during a privileged operation local elevation of privilege or information disclosure vulnerabilities can be the result. This could allow an attacker to break out of an application sandbox, elevate to administrator privileges or even compromise the kernel itself. This presentation is about finding and then exploiting the incorrect handling of tokens in the windows kernel as well as first and third party drivers. Examples of serious vulnerabilities such as CVE-2015-0002 and CVE-2015-0062 will be presented. It will provide clear exploitable patterns so that you can do your own security reviews for these issues. Finally I'll discuss some of the ways of exploiting these types of vulnerabilities to elevate local privileges.

Social Engineering the Windows Kernel by James Forshaw

Shakacon

Red Team Revenge - Attacking Microsoft ATA

Nikhil Mittal

Catch Me If You Can: PowerShell Red vs Blue

Will Schroeder

Troopers 19 - I am AD FS and So Can You

Douglas Bienstock

Derbycon - Passing the Torch

Will Schroeder

Evading Microsoft ATA for Active Directory Domination

Nikhil Mittal

Azure AD is everything but a domain controller in the cloud. This talk will cover what Azure AD is, how it is commonly integrated with Active Directory and how security boundaries extend into the cloud, covering sync account password recovery, privilege escalations in Azure AD and full admin account takeovers using limited on-premise privileges. While Active Directory has been researched for years and the security boundaries and risks are generally well documented, more and more organizations are extending their network into the cloud. A prime example of this is Office 365, which Microsoft offers through their Azure cloud. Connecting the on-premise Active Directory with the cloud introduces new attack surface both for the cloud and the on-premise directory. This talk looks at the way the trust between Active Directory and Azure is set up and can be abused through the Azure AD Connect tool. We will take a dive into how the synchronization is set up, how the high-privilege credentials for both the cloud and Active Directory are protected (and can be obtained) and what permissions are associated with these accounts. The talk will outline how a zero day in common setups was discovered through which on-premise users with limited privileges could take over the highest administration account in Azure and potentially compromise all cloud assets. We will also take a look at the Azure AD architecture and common roles, and how attackers could backdoor or escalate privileges in cloud setups. Lastly we will look at how to prevent against these kind of attacks and why your AD Connect server is perhaps one of the most critical assets in the on-premise infrastructure.

I'm in your cloud... reading everyone's email. Hacking Azure AD via Active Di...

DirkjanMollema

A Threat Hunter Himself

Teymur Kheirkhabarov

PowerShell for Practical Purple Teaming

Nikhil Mittal

Derbycon - The Unintended Risks of Trusting Active Directory

Will Schroeder

Defending Your "Gold"

Will Schroeder

Hunting for Privilege Escalation in Windows Environment

Teymur Kheirkhabarov

Not a Security Boundary

Will Schroeder

Here Be Dragons: The Unexplored Land of Active Directory ACLs

Andy Robbins

Mais procurados (20)

An ACE in the Hole - Stealthy Host Persistence via Security Descriptors

BloodHound Unleashed.pdf

I hunt sys admins 2.0

Understanding Windows Access Token Manipulation

Hunting for Credentials Dumping in Windows Environment

Passwords#14 - mimikatz

Social Engineering the Windows Kernel by James Forshaw

Red Team Revenge - Attacking Microsoft ATA

Catch Me If You Can: PowerShell Red vs Blue

Troopers 19 - I am AD FS and So Can You

Derbycon - Passing the Torch

Evading Microsoft ATA for Active Directory Domination

I'm in your cloud... reading everyone's email. Hacking Azure AD via Active Di...

A Threat Hunter Himself

PowerShell for Practical Purple Teaming

Derbycon - The Unintended Risks of Trusting Active Directory

Defending Your "Gold"

Hunting for Privilege Escalation in Windows Environment

Not a Security Boundary

Here Be Dragons: The Unexplored Land of Active Directory ACLs

Semelhante a BloodHound: Attack Graphs Practically Applied to Active Directory

raph Databases with Neo4j – Emil Eifrem

buildacloud

Add Redis to Postgres to Make Your Microservices Go Boom!

Dave Nielsen

Every professional or individual, wishing to develop an application or create a website, will need to store data in 99% of cases. There are different solutions on the market: relational database management system, NoSQL, datastore, but not necessarily the user manual to make the right choice! Our experts will review the main relational databases - Redis, MySQL / MariaDB, PostgreSQL and MongoDB and help you choose the one that best fits your project.

Myths & Reality - Choose a DBMS tailored to your use cases

OVHcloud

From talk given on June 10, 2020 at the DevTalks Reimagined conference. ABSTRACT: Serverless is an amazing beast of a technology. With it, you can quickly build and deploy incredible systems. You get out-of-the-box scalability and flexibility.Nevertheless, with great power comes great(er) cost!In this talk, you’ll learn about building a huge data pipeline using Serverless architecture, and how to tame the beast.After this session, you will understand the pitfalls to avoid and the great powers to exploit.

THE RISE AND FALL OF SERVERLESS COSTS - TAMING THE (SERVERLESS) BEAST

Opher Dubrovsky

Electron

Adrian Caetano

CSA on Rails: a practical case-study

calamitas

In 2018 we've seen a huge uptick in applications using Kubernetes for their deployment method. Many times your persistent data layer is a difficult decision. What will you store data in, how long will you need to access this data and who will manage the lifecycle of this data? These are important questions many developers and ops teams have taken to heart. In this talk we'll review how the data layer is managed for high availability and reliability in modern application deployment. The attendee should leave having a better understanding of the options in front of them and their ability to build applications in any hosting environment.

Solving the Database Problem

Jay Gordon

PostgreSQL at 20TB and Beyond

Chris Travers

Machine Learning development involves comparing models and storing the artifacts they produced. We often compare several algorithms to select the most efficient ones. We assess different hyper-parameters to fine-tune the model. Git helps us store multiple versions of our code. Additionally, we need to keep track of the datasets we are using. This is important not only for audit purposes but also for assessing the performances of the models, developed at a later time. Git is a standard code versioning tool in software development. It can be used to store your datasets but it does not offer an optimal solution.

Data Versioning and Reproducible ML with DVC and MLflow

Databricks

Government and Education Webinar: Simplify Your Database Performance Manageme...

SolarWinds

The new Migrate module in Drupal 8 core is great for upgrading sites from Drupal 6 to Drupal 8. But it's useful for a lot more than just that! Migrate adds the power of any external tool to your content workflow. Not every client is accustomed to using Drupal. Some clients might like Google Spreadsheets; others prefer Markdown files in version control. Using Migrate, you can let your clients use their preferred content building tools—even before you have a Drupal site ready for them! I'll talk about my experiences with several different Migrate-based workflows that we've used at Evolving Web. There's already information out there about building migrations, but most of it focuses on very limited use cases: direct upgrades, or simple nodes. I'll cover many other bits and pieces you need for real-life migration projects, including: * Hierarchical menus * Paths and redirects * Multilingual data * Files and images * Merging multiple migrations * Writing custom migration sources and transformations * Figuring out why your migration isn't working Attendees with some PHP experience will get the most out of this talk—but many parts will be interesting to site builders and project managers as well.

Migrate all the things!

Dave Vasilevsky

Во время доклада, я поделюсь с Вами опытом, который мы получили, используя микросервисы в прод K8S кластере. Также, обозначу основные проблемы, с которыми столкнулась наша команда на этапе их диагностики. И, самое главное - что мы сделали чтобы избежать их в будущем. Отвечу на вопросы: Почему мы мигрировали в облако? Почему dotNet Core 2.2 вызвал кучу проблем? Данный доклад сохранит сотни часов вашим разработчикам и DevOps команде, жизнь которой может напоминать кошмар.

.NET Fest 2019. Леонид Молотиевский. DotNet Core in production

NETFest

Session from BGOUG I presented in June, 2016 Big data is one of the biggest buzzword in today's market. Terms like Hadoop, HDFS, YARN, Sqoop, and non-structured data has been scaring DBA's since 2010 - but where does the DBA team really fit in? In this session, we will discuss everything database administrators and database developers needs to know about big data. We will demystify the Hadoop ecosystem and explore the different components. We will learn how HDFS and MapReduce are changing the data world, and where traditional databases fits into the grand scheme of things. We will also talk about why DBAs are the perfect candidates to transition into Big Data and Hadoop professionals and experts.

Things Every Oracle DBA Needs to Know about the Hadoop Ecosystem

Zohar Elkayam

Hybrid my sql_hadoop_datawarehouse

Laine Campbell

Workshop Español - Introducción a Neo4j

Neo4j

Neo4j: What's Under the Hood & How Knowing This Can Help You

Neo4j

No IT Left Behind - Connecting the Software-Defined Data Center to Multi-Moda...

Intelligent Software Solutions

Роман Нікітченко Big Data solutions architect в компанії V.I.Tech. Спеціаліст з більш ніж 20-річним досвідом роботи в галузі телекому і вбудованих систем, що змінив індустрію на Java Enterprise. Завдяки попередньому досвіду за короткий термін став одним з провідних архітекторів Big Data в Україні.

Big data & frameworks: no book for you anymore

Stfalcon Meetups

When your clients need only small database for personal music library and some kind of HTTP interface to it, everything looks nice and you can use lot of bright frameworks and trusted approaches for your application. But what changes if you step ahead of existing solutions to bring things like population health management? Let's talk about our Big Data experience and meaningful framework usage: - What makes the difference when you go Big Data and Hadoop. - Frameworks and big data: hamsters vs hipsters. - Reality matters. Frameworks cost. How much? - What framework is good for you? - Making your own frameworks.

Big data & frameworks: no book for you anymore.

Roman Nikitchenko

Big Data, Hadoop, NoSQL and more ...

Varad Meru

Semelhante a BloodHound: Attack Graphs Practically Applied to Active Directory (20)

raph Databases with Neo4j – Emil Eifrem

Add Redis to Postgres to Make Your Microservices Go Boom!

Myths & Reality - Choose a DBMS tailored to your use cases

THE RISE AND FALL OF SERVERLESS COSTS - TAMING THE (SERVERLESS) BEAST

Electron

CSA on Rails: a practical case-study

Solving the Database Problem

PostgreSQL at 20TB and Beyond

Data Versioning and Reproducible ML with DVC and MLflow

Government and Education Webinar: Simplify Your Database Performance Manageme...

Migrate all the things!

.NET Fest 2019. Леонид Молотиевский. DotNet Core in production

Things Every Oracle DBA Needs to Know about the Hadoop Ecosystem

Hybrid my sql_hadoop_datawarehouse

Workshop Español - Introducción a Neo4j

Neo4j: What's Under the Hood & How Knowing This Can Help You

No IT Left Behind - Connecting the Software-Defined Data Center to Multi-Moda...

Big data & frameworks: no book for you anymore

Big data & frameworks: no book for you anymore.

Big Data, Hadoop, NoSQL and more ...

Último

ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke

Product Anonymous

The value of a flexible API Management solution for Open Banking Steve Melan, Manager for IT Innovation and Architecture - State's and Saving's Bank of Luxembourg Apidays New York 2024: The API Economy in the AI Era (April 30 & May 1, 2024) ------ Check out our conferences at https://www.apidays.global/ Do you want to sponsor or talk at one of our conferences? https://apidays.typeform.com/to/ILJeAaV8 Learn more on APIscene, the global media made by the community for the community: https://www.apiscene.io Explore the API ecosystem with the API Landscape: https://apilandscape.apiscene.io/

Apidays New York 2024 - The value of a flexible API Management solution for O...

apidays

Angeliki Cooney has spent over twenty years at the forefront of the life sciences industry, working out of Wynantskill, NY. She is highly regarded for her dedication to advancing the development and accessibility of innovative treatments for chronic diseases, rare disorders, and cancer. Her professional journey has centered on strategic consulting for biopharmaceutical companies, facilitating digital transformation, enhancing omnichannel engagement, and refining strategic commercial practices. Angeliki's innovative contributions include pioneering several software-as-a-service (SaaS) products for the life sciences sector, earning her three patents. As the Senior Vice President of Life Sciences at Avenga, Angeliki orchestrated the firm's strategic entry into the U.S. market. Avenga, a renowned digital engineering and consulting firm, partners with significant entities in the pharmaceutical and biotechnology fields. Her leadership was instrumental in expanding Avenga's client base and establishing its presence in the competitive U.S. market.

Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...

Angeliki Cooney

presentation ICT roal in 21st century education

jfdjdjcjdnsjd

Following the popularity of "Cloud Revolution: Exploring the New Wave of Serverless Spatial Data," we're thrilled to announce this much-anticipated encore webinar. In this sequel, we'll dive deeper into the Cloud-Native realm by uncovering practical applications and FME support for these new formats, including COGs, COPC, FlatGeoBuf, GeoParquet, STAC, and ZARR. Building on the foundation laid by industry leaders Michelle Roby of Radiant Earth and Chris Holmes of Planet in the first webinar, this second part offers an in-depth look at the real-world application and behind-the-scenes dynamics of these cutting-edge formats. We will spotlight specific use-cases and workflows, showcasing their efficiency and relevance in practical scenarios. Discover the vast possibilities each format holds, highlighted through detailed discussions and demonstrations. Our expert speakers will dissect the key aspects and provide critical takeaways for effective use, ensuring attendees leave with a thorough understanding of how to apply these formats in their own projects. Elevate your understanding of how FME supports these cutting-edge technologies, enhancing your ability to manage, share, and analyze spatial data. Whether you're building on knowledge from our initial session or are new to the serverless spatial data landscape, this webinar is your gateway to mastering cloud-native formats in your workflows.

Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME

Safe Software

In this keynote, Asanka Abeysinghe, CTO,WSO2 will explore the shift towards platformless technology ecosystems and their importance in driving digital adaptability and innovation. We will discuss strategies for leveraging decentralized architectures and integrating diverse technologies, with a focus on building resilient, flexible, and future-ready IT infrastructures. We will also highlight WSO2's roadmap, emphasizing our commitment to supporting this transformative journey with our evolving product suite.

Platformless Horizons for Digital Adaptability

WSO2

ICT role in 21st century education and its challenges

rafiqahmad00786416

FWD Group - Insurer Innovation Award 2024

The Digital Insurer

MS Copilot expands with MS Graph connectors

Nanddeep Nachan

Vector Search -An Introduction in Oracle Database 23ai.pptx

Remote DBA Services

EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER

MadyBayot

AWS Community Day CPH - Three problems of Terraform

Andrey Devyatkin

"I see eyes in my soup": How Delivery Hero implemented the safety system for ...

Zilliz

The Good, the Bad and the Governed - Why is governance a dirty word? David O'Neill, Chief Operating Officer - APIContext Apidays New York 2024: The API Economy in the AI Era (April 30 & May 1, 2024) ------ Check out our conferences at https://www.apidays.global/ Do you want to sponsor or talk at one of our conferences? https://apidays.typeform.com/to/ILJeAaV8 Learn more on APIscene, the global media made by the community for the community: https://www.apiscene.io Explore the API ecosystem with the API Landscape: https://apilandscape.apiscene.io/

Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...

apidays

Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving

Edi Saputra

Scaling API-first – The story of a global engineering organization Ian Reasor, Senior Computer Scientist - Adobe Radu Cotescu, Senior Computer Scientist - Adobe Apidays New York 2024: The API Economy in the AI Era (April 30 & May 1, 2024) ------ Check out our conferences at https://www.apidays.global/ Do you want to sponsor or talk at one of our conferences? https://apidays.typeform.com/to/ILJeAaV8 Learn more on APIscene, the global media made by the community for the community: https://www.apiscene.io Explore the API ecosystem with the API Landscape: https://apilandscape.apiscene.io/

Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe

apidays

Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood

Juan lago vázquez

[BuildWithAI] Introduction to Gemini.pdf

Sandro Moreira

CNIC Information System with Pakdata Cf In Pakistan

danishmna97

Whatsapp Number Escorts Call girls 8617370543 Available 24x7 Mcleodganj Call Girls Service Offer Genuine VIP Model Escorts Call Girls in Your Budget. Mcleodganj Call Girls Service Provide Real Call Girls Number. Make Your Sexual Pleasure Memorable with Our Mcleodganj Call Girls at Affordable Price. Top VIP Escorts Call Girls, High Profile Independent Escorts Call Girls, Housewife Women Escorts Call Girl, College Girls Escorts Call Girls, Russian Escorts Call girls Service in Your Budget.

Mcleodganj Call Girls 🥰 8617370543 Service Offer VIP Hot Model

Deepika Singh

BloodHound: Attack Graphs Practically Applied to Active Directory

1. BloodHound: Attack Graphs Practically Applied to Active Directory

2. HELLO! I am Andy Robbins Adversary Resilience Lead at SpecterOps BloodHound co-creator and developer, Red Teamer You can find me at @_wald0

3. HELLO! I am Rohan Vazarkar Adversary Resilience Senior Operator at SpecterOps BloodHound co-creator and developer, Red Teamer You can find me at @CptJesus

4. Agenda ▪ The Problem ▪ The Solution ▪ Conclusion 44

5. Purpose We want to demonstrate how graphs can be an elegant and practical solution to incredibly complex problems, and inspire you to consider using graphs for problems you face 55

6. The Problem

7. Pushed Into a Corner, circa 2014-2015 ▪ Remote Code Execution (RCE) flaws in Windows become increasingly rare and risky to exploit ▪ Maturing vulnerability management programs ensure ephemerality of RCE in the enterprise ▪ A common methodology appeared... 77

8. 8

9. 9

10. 10

11. 11

12. 12

13. 13

14. 14

15. 15

16. 16

17. 17

18. 18 Domain Admin!

19. 19 Domain Admin!

20. The Data is RIGHT… THERE! ▪ Question: Where are users logged on? ▪ Answer: NetSessionEnum ▪ Question: Who are local admins on a system? ▪ Answer: NetLocalGroupGetMembers ▪ Question: Who belongs to what security group? ▪ Answer: Basic LDAP queries By default, all data is accessible by any domain authenticated principal on systems before Windows 10 Anniversary (1607) 2020

21. An effective, albeit tedious and naive approach... 21 Target Users: Admin-1 Admin-2 Admin-3 Admin-4 Admin-5 Admin-1 Uses These Systems: Computer-1 Computer-2 Computer-3 Admins on Computer-1: Admin-1 Admin-2 Admin-10 Group-11 Members of Group 11 Use These Systems: Computer-1 Computer-2 Computer-5 Admins on Computer-5: Admin-1 Admin-2 Admin-10 Admin-15 Admin-15 Uses These Systems: Computer-1 Computer-2 Computer-10 Members of Group-11: Admin-5 Admin-6 Admin-7 Admin-8

22. The Problem, In Short ▪ We have a reliable, proven methodology for escalating rights in almost any Active Directory deployment ▪ That methodology is enhanced by data which, by default, anyone in a domain can access ▪ The data is way too complicated to analyze by hand 2222

23. The Solution

24. It’s a graph, dummy! ▪ Every principal (user, group, computer) is a node ▪ Every privilege (and group membership) is a relationship ▪ Graphs are phenomenally fast at finding paths between disparate nodes 2424

25. 25 Domain AdminsAlice AdminComputer 1 Bob User Helpdesk Group Data Source: LDAP

26. 26 Domain AdminsAlice AdminComputer 1 Bob User Helpdesk Group MemberOf MemberOf Data Source: LDAP

27. 27 Domain AdminsAlice AdminComputer 1 Bob User Helpdesk Group MemberOf MemberOf AdminTo Data Source: NetLocalGroupGetMembers

28. 28 Domain AdminsAlice AdminComputer 1 Bob User Helpdesk Group MemberOf MemberOfHasSession AdminTo Data Source: NetSessionEnum

29. Now You’re Thinking With Graphs ▪ Manual “derivative local admin” takes days to months ▪ Data collection, graph analysis, and attack path execution takes minutes to hours 2929

30. 30 BloodHound 1.0 Schema

31. 31 BloodHound 2.0 Schema

32. Conclusion

33. Three Problems Graphs Solved ▪ Complexity - Analyzing thousands of paths became possible ▪ Readability - Presenting concepts to non-technical audiences became easier ▪ Accessibility - Opened up the methodology to both the defensive and offensive side 3333

34. Three Exciting Defensive Applications ▪ Easier, more effective, more accurate permission auditing ▪ Attack path identification and mitigation/elimination ▪ Empirical key terrain identification 3434

35. If There’s One Thing to Take Away From this Talk ▪ Graphs are not the solution to every problem; however, they allow you to look at problems in a unique way and solve complex problems that otherwise would be insanely difficult to visualize, compute, or solve 3535

36. Acknowledgements and Prior Work http://alicezheng.org/papers/sosp2009-heatray-10pt.pdf https://www.sixdub.net/?p=591 https://bitbucket.org/iwseclabs/bta https://github.com/ANSSI-FR/AD-control-paths https://powersploit.readthedocs.io/en/latest/Recon/ 3636

37. 37 Thank you! QUESTIONS? You can find us at: ▪ specterops.io ▪ @SpecterOps ▪ @_wald0 ▪ @CptJesus ▪ BloodHound: https://bit.ly/GetBloodHound ▪ BloodHound Slack: https://bloodhoundgang.herokuapp.com

BloodHound: Attack Graphs Practically Applied to Active Directory

Recomendados

Recomendados

Mais conteúdo relacionado

Mais procurados

Mais procurados (20)

Semelhante a BloodHound: Attack Graphs Practically Applied to Active Directory

Semelhante a BloodHound: Attack Graphs Practically Applied to Active Directory (20)

Último

Último (20)

BloodHound: Attack Graphs Practically Applied to Active Directory