BloodHound 1.3 - The ACL Attack Path Update - Paranoia17, Oslo
Post on 21-Jan-2018
BloodHound: Teaching a New Dog Even More Tricks
Andy Robbins
Job: Adversary Resilience Lead at Specter Ops
Tool creator/dev: BloodHound
Presenter: DEF CON, ekoparty, Black Hat Arsenal, BSidesLV, BSidesSeattle, ISSA Intl, ISC2 World Congress
Trainer: Black Hat USA, Black Hat Europe
Twitter: @_wald0
Rohan Vazarkar
Job: Adversary Resilience Operator at Specter Ops
Tool creator/dev: BloodHound, EyeWitness, Empire, etc.
Presenter: DEF CON, ekoparty, Black Hat Arsenal, BSidesLV, BSidesDC, BSidesDE
Trainer: Black Hat USA
Twitter: @CptJesus
Will Schroeder
Job: Offensive Engineer at Specter Ops
Tool creator/dev: BloodHound, Veil-Framework, PowerView, PowerUp, Empire
Presenter: A lot
Trainer: Black Hat USA
Twitter: @harmj0y
“Defenders think in lists. Attackers think in graphs. As long as this is true, attackers win.”
John Lambert, General Manager, Microsoft Threat Intelligence Center
Prior Work
• Heat-ray: Combating Identity Snowball Attacks Using Machine Learning, Combinatorial Optimization and Attack Graphs. John Dunagan, Alice X. Zheng, Daniel R. Simon, 2008. http://bit.ly/2qG0OvE
• Active Directory Control Paths. Lucas Bouillot, Emmanuel Gras, Geraud de Drouas, 2014. http://bit.ly/1pBc8FN
BloodHound
• Released at DEF CON 24 in 2016
• Uses graph theory for domain attack path identification
• Easy data collection with PowerShell ingestor based on PowerView
BloodHound Basics
Bob --MemberOf--> Helpdesk --AdminTo--> Server1
MemberOf (Source -> Target): The source belongs to the target group
AdminTo (Source -> Target): The source is an administrator on the target computer
HasSession (Source -> Target): The source computer has the target user logged in on it
Bob --AdminTo--> Server1
Mary --MemberOf--> Domain Admins
BloodHound Basics
• Who is logged on where?
• Who has admin rights to what computers?
• What users, groups, and computers belong to what groups?
• With those 3 pieces of information in our database, we can nearly instantly identify any derivative local admin attack path in a domain
• For more in-depth explanation, see our DEF CON presentation here: http://bit.ly/2qE6Yx2
BloodHound 1.3: The ACL Attack Path Update
Discretionary Access Control Lists
• All securable objects in Windows and Active Directory have a Security Descriptor
• The Security Descriptor has a DACL and a SACL
• The DACL is populated by Access Control Entries (ACEs), which define what permissions other objects do or do not have against an object
Modeled in the BloodHound Attack Graph
Helpdesk --ForceChangePW--> CptJesus
ForceChangePW (Source -> Target): The ability to change a user password without knowing the current password
Weaponized by: Set-DomainUserPassword
AddMembers (Source -> Target): The ability to add any other user, group, or computer to a group
Weaponized by: Add-DomainGroupMember
GenericAll (Source -> Target): Full object control over user and group objects
Weaponized by: Add-DomainGroupMember, Set-DomainUserPassword
GenericWrite (Source -> Target): The ability to write any object property value
Weaponized by: Set-DomainObject or Add-DomainGroupMember
WriteOwner (Source -> Target): The ability to grant object ownership to another principal
Weaponized by: Set-DomainObjectOwner
WriteDACL (Source -> Target): The ability to add a new ACE to the object’s DACL
Weaponized by: Add-DomainObjectACL
AllExtendedRights (Source -> Target): The ability to perform any “extended right” function
Weaponized by: Set-DomainUserPassword, Add-DomainGroupMember
Transitive Object Control
Bob --AddMembers--> Helpdesk --ForceChangePW--> Admin
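The graph model from the BloodHound Basics and Transitive Object Control slides, worked as an added Python example (not code from the slides or from BloodHound itself): it lists every principal with a path to a chosen group and finds the single edges whose removal severs a given path, which is where remediation pays off most. Node names are reused from the slides; the edge list is constructed sample data and the function names are hypothetical.

```python
from collections import deque

# Constructed sample edges (source, edge type, target). Names come from the slides;
# how they are wired together here is partly assumed for illustration.
EDGES = [
    ("Bob", "MemberOf", "Helpdesk"),
    ("Helpdesk", "ForceChangePW", "CptJesus"),
    ("Helpdesk", "AdminTo", "Server1"),
    ("CptJesus", "AdminTo", "Server1"),
    ("Server1", "HasSession", "Mary"),
    ("Mary", "MemberOf", "Domain Admins"),
    ("Alice", "MemberOf", "Printer Operators"),  # constructed; no route to target
]

def build_graph(edges):
    graph = {}
    for src, rel, dst in edges:
        graph.setdefault(src, []).append((rel, dst))
    return graph

def shortest_path(graph, start, target):
    """BFS; returns the hops [(source, edge, target), ...] or None."""
    queue, parent = deque([start]), {start: None}
    while queue:
        node = queue.popleft()
        if node == target:
            hops = []
            while parent[node] is not None:
                prev, rel = parent[node]
                hops.append((prev, rel, node))
                node = prev
            return hops[::-1]
        for rel, nxt in graph.get(node, []):
            if nxt not in parent:
                parent[nxt] = (node, rel)
                queue.append(nxt)
    return None

def exposure(edges, target):
    """Every principal with a path to target, mapped to its shortest path."""
    graph = build_graph(edges)
    nodes = {n for s, _, d in edges for n in (s, d)} - {target}
    return {n: p for n in nodes if (p := shortest_path(graph, n, target))}

def choke_points(edges, start, target):
    """Edges whose removal alone severs every start -> target path."""
    def reachable(es):
        return shortest_path(build_graph(es), start, target) is not None
    return [e for e in edges
            if reachable(edges) and not reachable([x for x in edges if x != e])]
```

On this sample, removing the ForceChangePW edge alone does not break Bob's path because the Helpdesk AdminTo edge offers a second route; the group membership and the session on Server1 are the edges every route depends on.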
BloodHound Interface Demo
Transitive Object Control Attack Path Demo
Get BloodHound: https://bit.ly/GetBloodHound
Thank You!
Andy Robbins: @_wald0
Rohan Vazarkar: @CptJesus
Will Schroeder: @harmj0y
Specter Ops: @SpecterOps
www.specterops.io