BloodHound: Teaching a New Dog Even More Tricks
BloodHound 1.3 - The ACL Attack Path Update - Paranoia17, Oslo
Andy Robbins
Job: Adversary Resilience Lead at SpecterOps
Tool creator/dev: BloodHound
Presenter: DEF CON, ekoparty, Black Hat Arsenal, BSidesLV, BSidesSeattle, ISSA Intl, ISC2 World Congress
Trainer: Black Hat USA, Black Hat Europe
Twitter: @_wald0
Rohan Vazarkar
Job: Adversary Resilience Operator at SpecterOps
Tool creator/dev: BloodHound, EyeWitness, Empire, etc.
Presenter: DEF CON, ekoparty, Black Hat Arsenal, BSidesLV, BSidesDC, BSidesDE
Trainer: Black Hat USA
Twitter: @CptJesus
Will Schroeder
Job: Offensive Engineer at SpecterOps
Tool creator/dev: BloodHound, Veil-Framework, PowerView, PowerUp, Empire
Presenter: A lot
Trainer: Black Hat USA
Twitter: @harmj0y
“Defenders think in lists. Attackers think in graphs. As long as this is true, attackers win.”
John Lambert, General Manager, Microsoft Threat Intelligence Center
Prior Work
• Heat-ray: Combating Identity Snowball Attacks Using Machine Learning, Combinatorial Optimization and Attack Graphs. John Dunagan, Alice X. Zheng, Daniel R. Simon, 2008. http://bit.ly/2qG0OvE
• Active Directory Control Paths. Lucas Bouillot, Emmanuel Gras, Geraud de Drouas, 2014. http://bit.ly/1pBc8FN
BloodHound
• Released at DEF CON 24 in 2016
• Uses graph theory for domain attack path identification
• Easy data collection with PowerShell ingestor based on PowerView
BloodHound Basics
Bob --MemberOf--> Helpdesk --AdminTo--> Server1
MemberOf
Source -> Target: the source belongs to the target group.
AdminTo
Source -> Target: the source is an administrator on the target computer.
HasSession
Source -> Target: the source computer has the target user logged in on it.
Bob --AdminTo--> Server1
Mary --MemberOf--> Domain Admins
BloodHound Basics
• Who is logged on where?
• Who has admin rights to what computers?
• What users, groups, and computers belong to what groups?
• With those 3 pieces of information in our database, we can nearly instantly identify any derivative local admin attack path in a domain
• For more in-depth explanation, see our DEF CON presentation here: http://bit.ly/2qE6Yx2
BloodHound 1.3: The ACL Attack Path Update
Discretionary Access Control Lists
• All securable objects in Windows and Active Directory have a Security Descriptor
• The Security Descriptor has a DACL (who is granted or denied access) and a SACL (which accesses are audited)
• The DACL is populated by Access Control Entries (ACEs), which define what permissions other principals do or do not have against the object
Modeled in the BloodHound Attack Graph
Helpdesk --ForceChangePW--> CptJesus
ForceChangePW
Source -> Target: the ability to change the target user's password without knowing the current password.
Weaponized by: Set-DomainUserPassword
AddMembers
Source -> Target: the ability to add any other user, group, or computer to the target group.
Weaponized by: Add-DomainGroupMember
GenericAll
Source -> Target: full object control over the target user or group object.
Weaponized by: Add-DomainGroupMember, Set-DomainUserPassword
GenericWrite
Source -> Target: the ability to write any property value on the target object.
Weaponized by: Set-DomainObject or Add-DomainGroupMember
WriteOwner
Source -> Target: the ability to change the target object's owner to another principal, including one the attacker controls; the owner can in turn modify the DACL.
Weaponized by: Set-DomainObjectOwner
WriteDACL
Source -> Target: the ability to modify the target object's DACL, e.g. add a new ACE granting a chosen principal any right over the object.
Weaponized by: Add-DomainObjectACL
AllExtendedRights
Source -> Target: the ability to perform any “extended right” function against the target (e.g. reset a user's password).
Weaponized by: Set-DomainUserPassword, Add-DomainGroupMember
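The slides above describe ACEs in a DACL and the edge types BloodHound 1.3 derives from them. The following is an added example, not BloodHound's collector code: it walks the DACL of a user or group object and turns the ACEs that matter into those edge names. DACLs are given as SDDL strings because that is a compact offline representation of a security descriptor; the mapping rules (which rights and GUIDs become which edge) are an assumed approximation of what the ingestor does, and the principals, SIDs and DACLs are constructed sample data. The two schema GUIDs are the real well-known values for the 'member' attribute and the User-Force-Change-Password extended right.

```python
import re

# Added example, not BloodHound's own collector code. Mapping rules are an
# assumed approximation of the ingestor; sample DACLs below are constructed.

# Well-known AD schema GUIDs that appear in object-specific ACEs.
GUID_MEMBER = "bf9679c0-0de6-11d0-a285-00aa003049e2"           # 'member' attribute
GUID_FORCE_CHANGE_PW = "00299570-246d-11d0-a768-00aa006e0529"  # User-Force-Change-Password

# One SDDL ACE looks like (type;flags;rights;object_guid;inherit_guid;sid).
DACL_RE = re.compile(r"D:[A-Z]*((?:\([^)]*\))*)")
ACE_RE = re.compile(r"\(([^)]*)\)")

def parse_dacl(sddl):
    """Return the DACL's ACEs as (ace_type, rights, object_guid, sid) tuples.
    Only two-letter rights mnemonics (GA, WP, CR, ...) are handled, not hex masks."""
    m = DACL_RE.search(sddl)
    if not m:
        return []
    aces = []
    for ace in ACE_RE.finditer(m.group(1)):
        ace_type, _flags, rights, obj_guid, _inh_guid, sid = ace.group(1).split(";")[:6]
        codes = {rights[i:i + 2] for i in range(0, len(rights), 2)}
        aces.append((ace_type, codes, obj_guid.lower(), sid))
    return aces

def ace_to_edges(ace, target_kind):
    """Map one ACE to BloodHound 1.3 edge names for a target of kind 'user' or 'group'.
    Deny ACEs are skipped here as a simplification; a real collector must weigh them."""
    ace_type, rights, obj_guid, _sid = ace
    if ace_type not in ("A", "OA"):
        return []
    edges = set()
    if "WO" in rights:
        edges.add("WriteOwner")
    if "WD" in rights:
        edges.add("WriteDACL")
    if obj_guid == "":                      # rights over the whole object
        if "GA" in rights:
            edges.add("GenericAll")
        if "GW" in rights or "WP" in rights:
            edges.add("GenericWrite")
        if "CR" in rights:
            edges.add("AllExtendedRights")
    else:                                   # rights scoped to one attribute / extended right
        if "CR" in rights and obj_guid == GUID_FORCE_CHANGE_PW and target_kind == "user":
            edges.add("ForceChangePW")
        if "WP" in rights and obj_guid == GUID_MEMBER and target_kind == "group":
            edges.add("AddMembers")
    return sorted(edges)

def build_edges(sddl_by_object, sid_names):
    """(principal, edge, target) triples for every abusable ACE across the given objects."""
    edges = []
    for (target, kind), sddl in sddl_by_object.items():
        for ace in parse_dacl(sddl):
            principal = sid_names.get(ace[3], ace[3])   # unresolved SIDs stay as SIDs
            for edge in ace_to_edges(ace, kind):
                edges.append((principal, edge, target))
    return edges

# Constructed sample data (not a real domain): two objects and their DACLs.
_DOM = "S-1-5-21-1004336348-1177238915-682003330"
SAMPLE_SID_NAMES = {
    _DOM + "-1105": "Helpdesk",
    _DOM + "-1106": "Bob",
    _DOM + "-1107": "Contractors",
}
SAMPLE_SDDL = {
    ("CptJesus", "user"): "O:DAG:DAD:AI" + "".join([
        f"(OA;;CR;{GUID_FORCE_CHANGE_PW};;{_DOM}-1105)",  # Helpdesk may reset the password
        f"(A;;WDWO;;;{_DOM}-1106)",                       # Bob may rewrite DACL and owner
        f"(D;;GA;;;{_DOM}-1107)",                         # deny ACE, ignored above
    ]),
    ("Admin", "group"): "O:DAG:DAD:AI" + "".join([
        f"(OA;;WP;{GUID_MEMBER};;{_DOM}-1106)",           # Bob may write 'member'
        f"(A;;CR;;;{_DOM}-1105)",                         # Helpdesk holds all extended rights
    ]),
}

if __name__ == "__main__":
    for principal, edge, target in build_edges(SAMPLE_SDDL, SAMPLE_SID_NAMES):
        print(f"{principal} --{edge}--> {target}")
```

Note how the object kind matters: WriteProperty on the 'member' attribute is only meaningful on a group, and the force-change-password right only on a user, so the same ACE text produces an edge on one object type and nothing on the other.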
Transitive Object Control
Bob --ForceChangePW--> Helpdesk --AddMembers--> Admin
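The "BloodHound Basics" questions (who is logged on where, who is admin where, who belongs to what) and the transitive object control path above are both instances of one operation: a search over a directed graph with typed edges. The following is an added example, not BloodHound's own code or its Neo4j queries: it models that graph in plain Python, finds the derivative local admin path and the ACL path from the slides, and annotates each ACL edge with the PowerView cmdlet the slides list as its weaponization. The node names and edges are constructed sample data, not a real domain.

```python
from collections import deque

# Added example, not BloodHound's own code. Names and edges below are
# constructed sample data joining the two paths shown on the slides.

CLASSIC = {"MemberOf", "AdminTo", "HasSession"}
ACL = {"ForceChangePW", "AddMembers", "GenericAll", "GenericWrite",
       "WriteOwner", "WriteDACL", "AllExtendedRights"}

# PowerView cmdlets the slides list as the weaponization for each ACL edge.
WEAPONIZED_BY = {
    "ForceChangePW":     "Set-DomainUserPassword",
    "AddMembers":        "Add-DomainGroupMember",
    "GenericAll":        "Add-DomainGroupMember / Set-DomainUserPassword",
    "GenericWrite":      "Set-DomainObject / Add-DomainGroupMember",
    "WriteOwner":        "Set-DomainObjectOwner",
    "WriteDACL":         "Add-DomainObjectACL",
    "AllExtendedRights": "Set-DomainUserPassword / Add-DomainGroupMember",
}

# (source, edge, target), directed as on the slides.
EDGES = [
    ("Bob",      "MemberOf",      "Helpdesk"),       # Bob is in the Helpdesk group
    ("Helpdesk", "AdminTo",       "Server1"),        # Helpdesk is local admin on Server1
    ("Server1",  "HasSession",    "Mary"),           # Mary is logged on to Server1
    ("Mary",     "MemberOf",      "Domain Admins"),
    ("Bob",      "ForceChangePW", "CptJesus"),       # Bob can reset CptJesus's password
    ("CptJesus", "AddMembers",    "Admin"),          # CptJesus can add members to Admin
]

def adjacency(edges, allowed):
    adj = {}
    for src, rel, dst in edges:
        if rel in allowed:
            adj.setdefault(src, []).append((rel, dst))
    return adj

def shortest_path(edges, start, goal, allowed):
    """Breadth-first search over the allowed edge types; returns the path as
    [(src, rel, dst), ...] or None when the goal is unreachable."""
    adj = adjacency(edges, allowed)
    parent = {start: None}
    queue = deque([start])
    while queue:
        node = queue.popleft()
        if node == goal:
            path = []
            while parent[node] is not None:
                prev, rel = parent[node]
                path.append((prev, rel, node))
                node = prev
            return path[::-1]
        for rel, nxt in adj.get(node, []):
            if nxt not in parent:
                parent[nxt] = (node, rel)
                queue.append(nxt)
    return None

def reachable(edges, start, allowed):
    """All nodes reachable from start using only the allowed edge types."""
    adj = adjacency(edges, allowed)
    seen, stack = set(), [start]
    while stack:
        for _, nxt in adj.get(stack.pop(), []):
            if nxt not in seen:
                seen.add(nxt)
                stack.append(nxt)
    return seen

def derivative_admin_targets(edges, start):
    """Computers the principal is admin on, directly or through group nesting
    and session hopping, i.e. using the three classic BloodHound edge types."""
    computers = {dst for _, rel, dst in edges if rel == "AdminTo"}
    return reachable(edges, start, CLASSIC) & computers

def transitive_object_control(edges, start):
    """Objects the principal can take control of: the target of every ACL edge
    whose source is the principal or anything the principal can already reach."""
    reach = reachable(edges, start, CLASSIC | ACL) | {start}
    return {dst for src, rel, dst in edges if rel in ACL and src in reach}

def attack_plan(path):
    """Annotate a path with the cmdlet that abuses each ACL edge (None for edges
    that need no action, such as an existing group membership)."""
    return [(src, rel, dst, WEAPONIZED_BY.get(rel)) for src, rel, dst in path]

if __name__ == "__main__":
    print("derivative admin:", derivative_admin_targets(EDGES, "Bob"))
    print("object control:  ", transitive_object_control(EDGES, "Bob"))
    for step in attack_plan(shortest_path(EDGES, "Bob", "Admin", CLASSIC | ACL)):
        print(step)
```

The point of the `allowed` parameter is the one the 1.3 release makes: with only the classic edge types, Bob has no path to the Admin group at all; once ACL edges are in the graph, the same search finds a two-hop path and each hop comes with a concrete abuse primitive. BloodHound asks the same question of its Neo4j database with a shortest-path query over the chosen relationship types.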
BloodHound Interface Demo
Transitive Object Control Attack Path Demo
Get BloodHound: https://bit.ly/GetBloodHound
Thank You!
Andy Robbins: @_wald0
Rohan Vazarkar: @CptJesus
Will Schroeder: @harmj0y
SpecterOps: @SpecterOps, www.specterops.io