Six Degrees of Domain Admin (SANS presentation transcript)

About Us
I am Rohan Vazarkar
Job: Pentester at Veris Group’s ATD
Tool creator/dev: EyeWitness, Python Empyre, etc.
Presenter: BSidesDC/LV/DE, Black Hat Arsenal, DefCon
Trainer: Black Hat USA 2016
Twitter: @CptJesus

About Us
I am Andy Robbins
Job: Pentester at Veris Group’s ATD
Speaker: BSidesLV/Seattle, ISC2 World Congress, ISSA International, DefCon
Trainer: Black Hat USA 2016
Other: Ask me about ACH
Twitter: @_wald0

About Us
I am Will Schroeder
Job: Researcher at Veris Group’s ATD
Tool creator/dev: Veil-Framework, PowerView, PowerUp, Empire/Empyre
Speaker: Ask me
Trainer: Black Hat USA 2014-2016
Other: Microsoft PowerShell/CDM MVP
Twitter: @harmj0y

The Current State of Active Directory Domain Privilege Escalation

“Defenders think in lists. Attackers think in graphs. As long as this is true, attackers win.”
John Lambert, GM, Microsoft Threat Intelligence Center

AD Domain Priv Esc
◇Active Directory is everywhere
◇Usage = Attention = Research time and $$$
◇Sometimes we get easy buttons!

[Figure: a lone DA (Domain Admins) node]

[Figure: the DA node reached through a chain of user accounts]

Derivative Local Admin
“The chaining or linking of administrator rights through compromising other privileged accounts”
Justin Warner @sixdub

[Figure: users Bob and Mary with computers PC1 and PC2]

[Figure: Bob, the Help Desk and Server Admins groups, and PC2]

Challenges
◇Extremely time consuming and tedious
◇Not comprehensive
◇Limited situational awareness
◇Did you even need DA?

What do we need?
◇Who is logged on where?
◇Who has admin rights where?
◇What users and groups belong to what groups?

Stealthy Data Collection with PowerView

“The best tool these days for understanding Windows networks is PowerView…”
Phineas Phisher
http://pastebin.com/raw/0SNSvyjJ

PowerView
◇A pure PowerShell v2.0+ domain/network situational awareness tool
◇Collects the data that BloodHound is built on and doesn’t need elevated privileges for most collection methods!

Who’s Logged in Where?
◇Invoke-UserHunter:
■ Get-NetSession – sessions w/ a remote machine
■ Get-NetLoggedOn/Get-LoggedOnLocal – who’s logged in on what machine
◇-Stealth:
■ Enumerate commonly trafficked servers and query remote sessions for each
aka “user hunting”

Who Can Admin What?
◇We can enumerate members of a local group on a remote machine, without admin privileges!
■ The WinNT service provider or NetLocalGroupMembers()
◇PowerView:
■ Get-NetLocalGroup –ComputerName IP [-API]

Who Can Admin What? GPO Edition
◇GPOs can set local administrators
◇GPOs are applied to OUs/Sites
■ correlation == local admin information through communication with only a DC!
◇PowerView:
■ Find-GPOLocation

Who’s in What Groups?
◇Enumerate all groups and pull the members of each
◇PowerView:
■ Get-NetGroup | Get-NetGroupMember
◇That’s it!

Bringing it All Together: The BloodHound Ingestor
Invoke-BloodHound automates gathering PowerView data for a domain and spits out CSV files
Give it a REST URI and a User/Pass to send it directly to the database!
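As an added example (not code from the slides or from the BloodHound project), the three relationship types the slides say the ingestor collects (sessions, local admin rights, group membership) are loaded from constructed CSV rows in an assumed column layout, built into a directed graph, and searched for the shortest derivative-local-admin chain to Domain Admins; the same search tells a defender which session or admin right to remove to break the chain.

```python
# Added example, not the slides' or BloodHound's own code: graph the three
# relationship types PowerView collects and find the shortest chain to DA.
from collections import defaultdict, deque
# Constructed sample rows; the column layout is assumed for illustration.
GROUP_MEMBERSHIP = """GroupName,AccountName
Help Desk,Bob
Server Admins,Mary
Domain Admins,Alice"""
LOCAL_ADMINS = """ComputerName,AccountName
PC1,Help Desk
PC2,Server Admins
DC1,Domain Admins"""
SESSIONS = """ComputerName,UserName
PC1,Mary
PC2,Alice"""

def parse_csv(text):
    """Return the data rows of a header-led CSV string as tuples."""
    return [tuple(row.split(",")) for row in text.splitlines()[1:]]

def build_graph():
    """Edges: principal -MemberOf-> group, principal -AdminTo-> computer,
    computer -HasSession-> user (the derivative local admin link)."""
    g = defaultdict(list)
    for group, member in parse_csv(GROUP_MEMBERSHIP):
        g[member].append((group, "MemberOf"))
    for computer, principal in parse_csv(LOCAL_ADMINS):
        g[principal].append((computer, "AdminTo"))
    for computer, user in parse_csv(SESSIONS):
        g[computer].append((user, "HasSession"))
    return g

def shortest_path(g, start, target):
    """Breadth-first search; returns hops as (from, edge, to), or None."""
    prev = {start: None}  # node -> (previous node, edge label)
    queue = deque([start])
    while queue:
        node = queue.popleft()
        if node == target:
            hops = []
            while prev[node] is not None:
                parent, label = prev[node]
                hops.append((parent, label, node))
                node = parent
            return hops[::-1]
        for nxt, label in g.get(node, []):
            if nxt not in prev:
                prev[nxt] = (node, label)
                queue.append(nxt)
    return None
```

With the constructed data, Bob reaches Domain Admins in seven hops via PC1, Mary, PC2 and Alice; each hop is an edge whose removal a defender can evaluate.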

BloodHound
Live demo!

bit.ly/GetBloodHound

Thanks!
@_wald0
@CptJesus
@harmj0y