Discover and read the best of Twitter Threads about #BloodHoundEnterprise
Most recents (6)
One year ago this week I published The Attack Path Management Manifesto, which you can read here: medium.com/p/3a3b117f5e5
It's a long read, so in this thread I'm going to give you the most succinct version of the manifesto I can:
It's a long read, so in this thread I'm going to give you the most succinct version of the manifesto I can:
Adversaries have been abusing identity-based attack paths -- in particular those that emerge in Active Directory environments -- for over 20 years. Why? There are three major reasons:
1. Active Directory is the FOUNDATION upon which all identity and access in the enterprise is built. Your workstation? AD auth. Your CI/CD pipeline? AD via ADFS. Your network devices? AD via RADIUS.
Control the foundation and you control the enterprise.
Control the foundation and you control the enterprise.
Users in Azure deserve attention from attackers and defenders. But Service Principals deserve as much attention, and actually maybe deserve much more attention than users. A quick thread on why, and resources for attackers and defenders:
First, the password reset system in Azure has tiered administration baked into it. Only your T0 users can reset T0 users' passwords:
That system is amazingly effective at preventing the existence of password reset based attack paths.
But attack paths involving adding new service principal credentials can and do emerge.
And nowhere are those attack paths more difficult to audit than when they involve MIs
But attack paths involving adding new service principal credentials can and do emerge.
And nowhere are those attack paths more difficult to audit than when they involve MIs
The #BloodHoundEnterprise team's working culture, as explained by Marcus Aurelius, a short thread: 🧵
“The object of life is not to be on the side of the majority, but to escape finding oneself in the ranks of the insane.”
We are not afraid of challenging the status quo and doing things radically different than what came before.
We are not afraid of challenging the status quo and doing things radically different than what came before.
“If someone is able to show me that what I think or do is not right, I will happily change, for I seek the truth, by which no one was ever truly harmed. It is the person who continues in his self-deception and ignorance who is harmed.”
Every week we have "Demo/Retro", which...
Every week we have "Demo/Retro", which...
Our #BloodHoundEnterprise customers really value measuring the exposure of any given #AttackPath so I figured I'd do a quick 🧵 to explain how this works
We'll start with an example, Riley (a regular user) has rights over a Domain Controller (Tier Zero / Critical Asset): 
This is certainly an issue we'd want to address but how do we really assess the risk?
Let's look at who can control Riley's account.
Let's look at who can control Riley's account.
Three of the most common issues #BloodHoundEnterprise finds, their impacts, and how you can use FOSS #BloodHound to find and fix these issues yourself, today: 🧵
Issue #1: Domain Controller object ownership. This issue is *extremely* common and *extremely* dangerous when looking at attack path possibilities this opens up. This is also *extremely* easy to fix.
In FOSS #BloodHound, run this query using the "raw query" bar at the bottom:
MATCH (g:Group)
WHERE g.objectid ENDS WITH '-516'
MATCH p = (n:Base)-[:Owns]->(c:Computer)-[:MemberOf*1..]->(g)
RETURN p
MATCH (g:Group)
WHERE g.objectid ENDS WITH '-516'
MATCH p = (n:Base)-[:Owns]->(c:Computer)-[:MemberOf*1..]->(g)
RETURN p
I am thrilled to announce #BloodHoundEnterprise, which will be released in Summer of 2021!
Learn more: specterops.io/bloodhound-ent…
View our announcement webinar: specterops.zoom.us/webinar/regist…
A thread of major points about BloodHound Enterprise:
Learn more: specterops.io/bloodhound-ent…
View our announcement webinar: specterops.zoom.us/webinar/regist…
A thread of major points about BloodHound Enterprise:
Once an attacker has access to Active Directory, it's virtually guaranteed they can find an attack path resulting in the compromise of a Tier 0 asset (Domain Admin). Owning Tier 0 means owning AD. Owning AD means owning the organization, all its data, users, processes, etc.
The scale, availability, and growth of those attack paths has exposed an enormous gap in how we try to secure Active Directory today. Organizations try (and fail) to fill that gap with technologies, products, and processes.
