BloodHoundTeaching a New Dog Even More

Tricks

Andy Robbins

Job: Adversary Resilience Lead at Specter OpsTool creator/dev: BloodHoundPresenter: DEF CON, ekoparty, Black Hat Arsenal, BSidesLV, BSidesSeattle, ISSA Intl, ISC2 World CongressTrainer: Black Hat USA, Black Hat Europe

Twitter: @_wald0

Rohan Vazarkar

Job: Adversary Resilience Operator at Specter OpsTool creator/dev: BloodHound, EyeWitness, Empire, etc.Presenter: DEF CON, ekoparty, Black Hat Arsenal, BSidesLV, BSidesDC, BSidesDETrainer: Black Hat USA

Twitter: @CptJesus

Will Schroeder

Job: Offensive Engineer at Specter OpsTool creator/dev: BloodHound, Veil-FrameWork, PowerView, PowerUp, EmpirePresenter: A lot Trainer: Black Hat USA

Twitter: @harmj0y

“Defenders think in lists. Attackers think in graphs. As long as this is true, attackers win.”

John LambertGeneral Manager, Microsoft Threat

Intelligence Center

Prior Work

Heat-ray: Combating Identity Snowball Attacks Using Machine Learning, Combinatorial Optimization and Attack GraphsJohn Dunagan, Alice X. Zheng, Daniel R. Simon, 2008http://bit.ly/2qG0OvE

Active Directory Control PathsLucas Bouillot, Emmanuel Gras, Geraud de Drouas, 2014http://bit.ly/1pBc8FN

BloodHound

• Released at DEF CON 24 in 2016

• Uses graph theory for domain attack path identification

• Easy data collection with PowerShell ingestor based on PowerView

BloodHound Basics

Bob Helpdesk Server1

AdminToMemberOf

Source Target

The source belongs to the target group

MemberOf

Source Target

The source is an administrator on the target computer

AdminTo

Source Target

The source computer has the target user logged in on it

HasSession

Bob Server1

AdminTo

Mary Domain Admins

MemberOf

BloodHound Basics

• Who is logged on where?

• Who has admin rights to what computers?

• What users, groups, and computers belong to what groups?

• With those 3 pieces of information in our database, we can nearly instantly identify any derivative local admin attack path in a domain

• For more in-depth explanation, see our DEF CON presentation here: http://bit.ly/2qE6Yx2

BloodHound 1.3The ACL Attack Path Update

Discretionary Access Control Lists

• All securable objects in Windows and Active Directory have a Security Descriptor

• The Security Descriptor has a DACLand a SACL

• The DACL is populated by Access Control Entries (ACEs), which define what permissions other objects do or do not have against an object

Modeled in the BloodHound Attack Graph

Helpdesk CptJesus

ForceChangePW

Source Target

The ability to change a user password without knowing the

current password

ForceChangePW

Weaponized by: Set-DomainUserPassword

Source Target

The ability to add any other user, group, or computer to a

group.

AddMembers

Weaponized by: Add-DomainGroupMember

Source Target

Full object control over user and group objects

GenericAll

Weaponized by: Add-DomainGroupMember, Set-DomainUserPassword

Source Target

The ability to write any object property value

GenericWrite

Weaponized by: Set-DomainObject or Add-DomainGroupMember

Source Target

The ability to grant object ownership to another principal

WriteOwner

Weaponized by: Set-DomainObjectOwner

Source Target

The ability to add a new ACE to the object’s DACL

WriteDACL

Weaponized by: Add-DomainObjectACL

Source Target

The ability to perform any “extended right” function

AllExtendedRights

Weaponized by: Set-DomainUserPassword, Add-DomainGroupMember

Transitive Object Control

Bob Helpdesk Admin

ForceChangePWAddMembers

BloodHound Interface Demo

Transitive Object Control Attack Path Demo

Get BloodHound:https://bit.ly/GetBloodHound

Thank You!Andy Robbins: @_wald0Rohan Vazarkar: @CptJesusWill Schroeder: @harmj0y

Specter Ops: @SpecterOpswww.specterops.io