At Paranoia17 we publicly announced the release of BloodHound 1.3 - The ACL Attack Path Update. This update brings securable object control to the fore, based on work by Emmanuel Gras and Lucas Bouillot.

1. BloodHound
Teaching a New Dog Even More
Tricks

2. Andy Robbins
Job: Adversary Resilience Lead at Specter
Ops
Tool creator/dev: BloodHound
Presenter: DEF CON, ekoparty, Black Hat
Arsenal, BSidesLV, BSidesSeattle, ISSA
Intl, ISC2 World Congress
Trainer: Black Hat USA, Black Hat Europe
Twitter: @_wald0

3. Rohan Vazarkar
Job: Adversary Resilience Operator at
Specter Ops
Tool creator/dev: BloodHound,
EyeWitness, Empire, etc.
Presenter: DEF CON, ekoparty, Black
Hat Arsenal, BSidesLV, BSidesDC,
BSidesDE
Trainer: Black Hat USA
Twitter: @CptJesus

4. Will Schroeder
Job: Offensive Engineer at Specter Ops
Tool creator/dev: BloodHound, Veil-
FrameWork, PowerView, PowerUp,
Empire
Presenter: A lot 
Trainer: Black Hat USA
Twitter: @harmj0y

5. “Defenders think in
lists. Attackers think in
graphs. As long as this
is true, attackers win.”
John Lambert
General Manager, Microsoft Threat
Intelligence Center

6. Prior Work
Heat-ray: Combating Identity Snowball
Attacks Using Machine Learning,
Combinatorial Optimization and Attack
Graphs
John Dunagan, Alice X. Zheng, Daniel R. Simon, 2008
http://bit.ly/2qG0OvE
Active Directory Control Paths
Lucas Bouillot, Emmanuel Gras, Geraud de Drouas,
2014

8. BloodHound
• Released at DEF CON 24 in
2016
• Uses graph theory for domain
attack path identification
• Easy data collection with
PowerShell ingestor based on

9. BloodHound Basics
Bob Helpdesk Server1
AdminToMemberOf

10. Source Target
The source belongs to the target group
MemberOf

11. Source Target
The source is an administrator on the target computer
AdminTo

12. Source Target
The source computer has the target user logged in on it
HasSession

13. Bob Server1
AdminTo
Mary Domain Admins
MemberOf

15. BloodHound Basics
• Who is logged on where?
• Who has admin rights to what computers?
• What users, groups, and computers belong to
what groups?
• With those 3 pieces of information in our
database, we can nearly instantly identify any
derivative local admin attack path in a domain
• For more in-depth explanation, see our DEF
CON presentation here: http://bit.ly/2qE6Yx2

16. BloodHound 1.3
The ACL Attack Path Update

17. Discretionary Access Control Lists
• All securable objects in Windows and
Active Directory have a Security
Descriptor
• The Security Descriptor has a DACL
and a SACL
• The DACL is populated by Access
Control Entries (ACEs), which define
what permissions other objects do or
do not have against an object

23. Modeled in the BloodHound Attack
Graph
Helpdesk CptJesus
ForceChangePW

24. Source Target
The ability to change a user password without knowing the
current password
ForceChangePW
Weaponized by: Set-DomainUserPassword

25. Source Target
The ability to add any other user, group, or computer to a
group.
AddMembers
Weaponized by: Add-DomainGroupMember

26. Source Target
Full object control over user and group objects
GenericAll
Weaponized by: Add-DomainGroupMember, Set-
DomainUserPassword

27. Source Target
The ability to write any object property value
GenericWrite
Weaponized by: Set-DomainObject or Add-DomainGroupMember

28. Source Target
The ability to grant object ownership to another principal
WriteOwner
Weaponized by: Set-DomainObjectOwner

29. Source Target
The ability to add a new ACE to the object’s DACL
WriteDACL
Weaponized by: Add-DomainObjectACL

30. Source Target
The ability to perform any “extended right” function
AllExtendedRights
Weaponized by: Set-DomainUserPassword, Add-DomainGroupMember

31. Transitive Object Control
Bob Helpdesk Admin
ForceChangePWAddMembers

32. BloodHound Interface Demo

33. Transitive Object Control Attack Path
Demo

36. Get BloodHound:
https://bit.ly/GetBloodHound

37. Thank You!
Andy Robbins: @_wald0
Rohan Vazarkar: @CptJesus
Will Schroeder: @harmj0y
Specter Ops: @SpecterOps
www.specterops.io