At Paranoia17 we publicly announced the release of BloodHound 1.3 - The ACL Attack Path Update. This update brings securable object control to the fore, based on work by Emmanuel Gras and Lucas Bouillot.
2. Andy Robbins
Job: Adversary Resilience Lead at SpecterOps
Tool creator/dev: BloodHound
Presenter: DEF CON, ekoparty, Black Hat Arsenal, BSidesLV, BSidesSeattle, ISSA Intl, ISC2 World Congress
Trainer: Black Hat USA, Black Hat Europe
Twitter: @_wald0
3. Rohan Vazarkar
Job: Adversary Resilience Operator at SpecterOps
Tool creator/dev: BloodHound, EyeWitness, Empire, etc.
Presenter: DEF CON, ekoparty, Black Hat Arsenal, BSidesLV, BSidesDC, BSidesDE
Trainer: Black Hat USA
Twitter: @CptJesus
4. Will Schroeder
Job: Offensive Engineer at SpecterOps
Tool creator/dev: BloodHound, Veil-Framework, PowerView, PowerUp, Empire
Presenter: A lot
Trainer: Black Hat USA
Twitter: @harmj0y
5. “Defenders think in lists. Attackers think in graphs. As long as this is true, attackers win.”
John Lambert, General Manager, Microsoft Threat Intelligence Center
6. Prior Work
Heat-ray: Combating Identity Snowball Attacks Using Machine Learning, Combinatorial Optimization and Attack Graphs. John Dunagan, Alice X. Zheng, Daniel R. Simon, 2008. http://bit.ly/2qG0OvE
Active Directory Control Paths. Lucas Bouillot, Emmanuel Gras, Geraud de Drouas, 2014
8. BloodHound
• Released at DEF CON 24 in 2016
• Uses graph theory for domain attack path identification
• Easy data collection with PowerShell ingestor based on
15. BloodHound Basics
• Who is logged on where?
• Who has admin rights to what computers?
• What users, groups, and computers belong to what groups?
• With those 3 pieces of information in our database, we can nearly instantly identify any derivative local admin attack path in a domain
• For more in-depth explanation, see our DEF CON presentation here: http://bit.ly/2qE6Yx2
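Added example, not code from the BloodHound project or from these slides: the three relationship types above (HasSession, AdminTo, MemberOf) loaded into a small in-memory graph, and a breadth-first search that walks them to find a derivative local admin path. Every principal, host and edge below is constructed sample data; the function name is an assumption. The search treats admin rights on a computer as access to the sessions on it, which is exactly the derivative step the slide describes: admin on WS01 yields bob's credentials, bob's group is admin on SRV01, and so on to the DC.

```powershell
# Constructed sample data in BloodHound's edge directions:
#   user/group -MemberOf-> group, group/user -AdminTo-> computer, computer -HasSession-> user
$Edges = @(
    @{ From = 'alice@corp.local';            Rel = 'MemberOf';   To = 'HelpDesk@corp.local' },
    @{ From = 'HelpDesk@corp.local';         Rel = 'AdminTo';    To = 'WS01.corp.local' },
    @{ From = 'WS01.corp.local';             Rel = 'HasSession'; To = 'bob@corp.local' },
    @{ From = 'bob@corp.local';              Rel = 'MemberOf';   To = 'ServerAdmins@corp.local' },
    @{ From = 'ServerAdmins@corp.local';     Rel = 'AdminTo';    To = 'SRV01.corp.local' },
    @{ From = 'SRV01.corp.local';            Rel = 'HasSession'; To = 'da_carol@corp.local' },
    @{ From = 'da_carol@corp.local';         Rel = 'MemberOf';   To = 'Domain Admins@corp.local' },
    @{ From = 'Domain Admins@corp.local';    Rel = 'AdminTo';    To = 'DC01.corp.local' },
    # a dead end, to show the search ignores branches that do not reach the target
    @{ From = 'HelpDesk@corp.local';         Rel = 'AdminTo';    To = 'WS02.corp.local' }
)

# Hypothetical helper: shortest chain of edges from $Start to $Target, or $null if none.
function Find-AdminPath {
    param([string]$Start, [string]$Target, [array]$Graph)

    # Adjacency list keyed by source node
    $adj = @{}
    foreach ($e in $Graph) {
        if (-not $adj.ContainsKey($e.From)) { $adj[$e.From] = @() }
        $adj[$e.From] += $e
    }

    # Breadth-first search; $prev remembers the edge used to first reach each node,
    # so the first time we pop the target we already hold a shortest path.
    $queue = New-Object System.Collections.Queue
    $queue.Enqueue($Start)
    $prev = @{ $Start = $null }
    while ($queue.Count -gt 0) {
        $node = $queue.Dequeue()
        if ($node -eq $Target) { break }
        foreach ($e in $adj[$node]) {
            if (-not $prev.ContainsKey($e.To)) {
                $prev[$e.To] = $e
                $queue.Enqueue($e.To)
            }
        }
    }
    if (-not $prev.ContainsKey($Target)) { return $null }

    # Walk the recorded edges back from the target to the start
    $path = @()
    $cur = $Target
    while ($prev[$cur]) {
        $path = @($prev[$cur]) + $path
        $cur = $prev[$cur].From
    }
    return $path
}

$p = Find-AdminPath -Start 'alice@corp.local' -Target 'DC01.corp.local' -Graph $Edges
if ($p) { $p | ForEach-Object { '{0} -[{1}]-> {2}' -f $_.From, $_.Rel, $_.To } }
else    { 'no path' }
```

Run as a script in any PowerShell; it prints the eight-hop chain from alice to DC01. BloodHound does the same traversal in Neo4j over the whole domain, which is why a single HasSession edge on a helpdesk-managed workstation can turn helpdesk membership into a path to the DC.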
17. Discretionary Access Control Lists
• All securable objects in Windows and Active Directory have a Security Descriptor
• The Security Descriptor has a DACL (which principals may do what to the object) and a SACL (which accesses are audited)
• The DACL is populated by Access Control Entries (ACEs), each of which allows or denies a set of permissions to one principal against the object
23. Modeled in the BloodHound Attack Graph
Helpdesk -[ForceChangePW]-> CptJesus
24. ForceChangePW (Source -> Target)
The ability to change a user password without knowing the current password
Weaponized by: Set-DomainUserPassword
25. AddMembers (Source -> Target)
The ability to add any other user, group, or computer to a group
Weaponized by: Add-DomainGroupMember
26. GenericAll (Source -> Target)
Full object control over user and group objects
Weaponized by: Add-DomainGroupMember, Set-DomainUserPassword
27. GenericWrite (Source -> Target)
The ability to write any object property value
Weaponized by: Set-DomainObject or Add-DomainGroupMember
28. WriteOwner (Source -> Target)
The ability to grant object ownership to another principal
Weaponized by: Set-DomainObjectOwner
29. WriteDACL (Source -> Target)
The ability to add a new ACE to the object’s DACL
Weaponized by: Add-DomainObjectACL
30. AllExtendedRights (Source -> Target)
The ability to perform any “extended right” function
Weaponized by: Set-DomainUserPassword, Add-DomainGroupMember
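Added example, not BloodHound, SharpHound or PowerView code: it ties slide 17 to slides 24-30 by reading one AD object's DACL with System.DirectoryServices and mapping each allow ACE onto the edge name BloodHound would give it. It assumes a domain-joined host and an account allowed to read the object's security descriptor; the function name and the DN at the bottom are placeholders. The two GUIDs are the well-known AD identifiers for the User-Force-Change-Password extended right and the member attribute, which is what distinguishes a narrow ForceChangePW or AddMembers ACE from the object-wide AllExtendedRights and GenericWrite.

```powershell
$ADR = [System.DirectoryServices.ActiveDirectoryRights]
$R = @{
    GenericAll    = [int]$ADR::GenericAll      # full mask; subsumes every right below
    WriteDacl     = [int]$ADR::WriteDacl
    WriteOwner    = [int]$ADR::WriteOwner
    ExtendedRight = [int]$ADR::ExtendedRight
    WriteProperty = [int]$ADR::WriteProperty   # GenericWrite is WriteProperty + Self + ReadControl
}
# Well-known schema GUIDs that scope an object-specific ACE
$ForceChangePasswordGuid = [Guid]'00299570-246d-11d0-a768-00aa006e0529'  # User-Force-Change-Password
$MemberAttributeGuid     = [Guid]'bf9679c0-0de6-11d0-a285-00aa003049e2'  # "member" attribute

# Hypothetical helper: one output row per (principal, edge) on the target object
function Get-BloodHoundAce {
    param([Parameter(Mandatory)][string]$DistinguishedName)

    $entry = [ADSI]"LDAP://$DistinguishedName"
    # explicit and inherited ACEs, identities returned as SIDs
    $rules = $entry.psbase.ObjectSecurity.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])

    foreach ($ace in $rules) {
        # A deny ACE removes rights; it never produces an attack edge
        if ($ace.AccessControlType -ne 'Allow') { continue }

        $rights = [int]$ace.ActiveDirectoryRights
        $guid   = $ace.ObjectType            # Guid.Empty means the ACE covers the whole object
        $edges  = @()

        if (($rights -band $R.GenericAll) -eq $R.GenericAll) {
            $edges += 'GenericAll'           # everything below is implied, so stop here
        }
        else {
            if ($rights -band $R.WriteDacl)  { $edges += 'WriteDacl' }
            if ($rights -band $R.WriteOwner) { $edges += 'WriteOwner' }
            if ($rights -band $R.ExtendedRight) {
                if ($guid -eq [Guid]::Empty)                { $edges += 'AllExtendedRights' }
                elseif ($guid -eq $ForceChangePasswordGuid) { $edges += 'ForceChangePW' }
            }
            if ($rights -band $R.WriteProperty) {
                if ($guid -eq [Guid]::Empty)            { $edges += 'GenericWrite' }
                elseif ($guid -eq $MemberAttributeGuid) { $edges += 'AddMembers' }
            }
        }
        if ($edges.Count -eq 0) { continue }     # e.g. read-only or single-attribute ACEs

        # Resolve the SID to DOMAIN\name where possible; unresolvable SIDs stay raw
        $principal = $ace.IdentityReference.Value
        try { $principal = $ace.IdentityReference.Translate([System.Security.Principal.NTAccount]).Value } catch { }

        foreach ($edge in $edges) {
            [PSCustomObject]@{
                Source    = $principal
                Edge      = $edge
                Target    = $DistinguishedName
                Inherited = $ace.IsInherited
            }
        }
    }
}

# Constructed placeholder DN; point it at an object in your own lab domain
Get-BloodHoundAce -DistinguishedName 'CN=CptJesus,CN=Users,DC=corp,DC=local' | Format-Table -AutoSize
```

Two caveats before acting on a row: deny ACEs are skipped here, but a deny ACE on the same principal precedes allows in a canonical DACL and wins, so confirm with an actual access check; and an inherited ACE whose InheritedObjectType names a different object class is present in the DACL but does not apply to this object. Read-only rights such as ReadProperty are deliberately dropped, which is also why a bare GenericRead ACE produces no row.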