Jeff McJunkin @jeffmcjunkin, 30 tweets, 13 min read
Attending @_wald0 and @CptJesus's webcast now: register.gotowebinar.com/register/50128…. Live-tweeting as follows [1/n]
Andy just gave props to MS Research: alicezheng.org/papers/sosp200…, @PyroTek3 (adsecurity.org), and @harmj0y (github.com/PowerShellMafi…). Great stuff! [2/n]
Obligatory shout-out to @JohnLaTwC for "Defenders think in lists. Attackers think in graphs. As long as this is true, attackers win" quote. So true! Now they're trying to bring this powerful technique (finding and mitigating attack paths) to defenders. [3/n]
@_wald0 is doing a quick demo of BloodHound UI now. If you've never used BloodHound before, this webcast recording (which will go live after the webcast is complete) is a great first intro. [4/n]
The latest BloodHound UI is pretty awesome. Lots of new "edges" (relationships between nodes like Computers and Users), and the UI itself tells you how attackers can abuse edges like GenericAll, HasSession, MemberOf, etc. Plus: dark mode! [5/n]
Shout-out to a prior talk on Resilience Methodology, the process of enumerating attack paths, analyzing them, generating hypotheses to reduce their numbers, and deploying prioritized fixes periodically (brighttalk.com/webcast/15713/…). Next up is @CptJesus! [6/n]
@CptJesus is introducing SharpHound, the C# ingestor for BloodHound data. Network requirements are attached to this tweet. Data is JSON-formatted and put into a zip file for easy transfer. The data collector needs access to AD, and ideally 445/tcp to all domain computers. [7/n]
tl;dr for BloodHound data collection:
SharpHound.exe -c All,LoggedOn
SharpHound.exe -c SessionLoop -MaxLoopTime 24H

It's sadly possible for this dual-use tool to be flagged as malicious by AV. Easy workaround is to use the .ps1 version instead: github.com/BloodHoundAD/B…
[8/n]
Next up, back to @_wald0 for a case study in Domain Admin Isolation. First we'll look at analyzing attack paths and generating hypotheses [9/n]
One more note on data gathering - that SessionLoop data is valuable, because sessions by their nature are ephemeral. Gathering data for 24+ hours helps a lot with that. [10/n]
Here's an example attack path from a real @SpecterOps engagement (sanitized, of course). Left side is Domain Users, which have RDP rights to a box with a local privesc vulnerability and many sessions, with multiple paths to DA group on the right. [11/n]
FWIW I've seen the exact scenario in 11/n before. Either Domain Users in RDP group, or Domain Users in local Administrators group (gasp!) on a few machines. [12/n]
Next Andy walked through removing a particular edge (the Domain Users CanRDP to the specific machine) as a hypothesis for reducing paths to DA. It's not very effective...

Still 100% of users have a path to DA - via RDP to a different box. But wait, there's still hope!

[13/n]
The huge win was focusing on Domain Users having way too many RDP rights. Removing those permissions dropped users with paths to DA down to 65%.

65% still isn't great, agreed, but it's 35% better than before :) Next up Andy is focusing on the right side, Domain Admins.
[14/n]
Here's a view of non-DC sessions by Domain Admins. Controlling any of these workstations is an instant path to DA, via Mimikatz / token stealing, etc. Removing these edges and recalculating finds 65% of users still have a path to DA - but it's still an incremental win.
[15/n]
The downfall in this case study was a lot of users and groups (legacy / "Most Privileged Access") having admin rights on domain controllers. Removing those permissions, 65% of users still have paths to DA. Darn! Must be another path available... [16/n]
So now we're simulating DA's only logging into DC's, and removed those RDP rights for Domain Users. But aha! There's still lots of ACL paths available. @_wald0 is talking through Exchange's default permissions, which means Exchange servers can add new DA's. Sigh. [17/n]
More background on the Exchange issue: blackhat.com/docs/us-17/wed…

Latest Exchange versions no longer require or add these ACL's. Removing these permissions drops users with paths to DA down to 15% - a huge win!

But wait, there's more...
[18/n]
Next, @_wald0 is taking a look at Group Policy and its ACL's. All these GPO's apply to Domain Admins. Any way to control the GPO's can make a route to DA.

Side note, I often argue that Group Policy is the second-most powerful tool a Windows admin has... #1 is your brain. [19/n]
Now that we know which GPO's affect DA's, we'll look at the non-DA users and groups that can control them. 15% of the domain can gain access to the four users on the left side of the screenshot.

Side note, GPO's affecting DC's are also of course a route to AD takeover. [20/n]
About a week and a half into the 2 week engagement, @SpecterOps recommended removing those four specific users' rights to edit those groups (break the left side of the chain from 20/n). Now less than 1% of users can reach DA [21/n]
One reminder: DA is not the attacker's goal. Your data (usually) is. Find paths to specific servers, Azure sync accounts, privescs (Tier 1 -> Tier 0), contamination between dev and prod as well.

That said, DA helps attackers a lot. Go forth and reduce your paths! [22/n]
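The hypothesis loop Andy walked through (remove a set of edges, recalculate the share of users with a path to DA, keep the fixes that actually move the number) replayed over a small constructed graph. This is an added example, not code from the original thread, the webcast, or the BloodHound project, and it is not the PowerBI workbook mentioned later in the Q&A. The domain, users, computers, groups and every edge in EDGES are made up; LOCAL_PRIVESC stands in for computers you would mark "Owned" after finding a local privesc by hand (RDP to any other box is not counted as a path, which is the rule the speakers describe in the Q&A); the percentages are what this toy graph produces, not the engagement's numbers. The same loop works for any target, e.g. a specific server or an Azure sync account, by changing TARGET.

```python
"""Attack-path hypothesis testing over a small, constructed BloodHound-style graph.

Every node and edge below is made up for illustration. Edge direction follows
BloodHound's convention, controller -> controlled:
  user/group -MemberOf-> group, group -CanRDP-> computer, computer -HasSession-> user,
  group -AdminTo-> computer, group -WriteDacl-> group, user -GenericWrite-> GPO,
  GPO -GpLink-> OU, OU -Contains-> user.
"""
from collections import deque

EDGES = [
    ("ALICE", "MemberOf", "DOMAIN USERS"),
    ("BOB", "MemberOf", "DOMAIN USERS"),
    ("CAROL", "MemberOf", "DOMAIN USERS"),
    ("DAVE", "MemberOf", "DOMAIN USERS"),
    ("EVE", "MemberOf", "DOMAIN USERS"),
    ("CAROL", "MemberOf", "HELPDESK"),
    ("DAVE", "MemberOf", "HELPDESK"),
    ("EVE", "MemberOf", "HELPDESK"),
    ("DA1", "MemberOf", "DOMAIN ADMINS"),
    ("DOMAIN USERS", "CanRDP", "WS01"),        # Domain Users can RDP to two workstations
    ("DOMAIN USERS", "CanRDP", "WS02"),
    ("WS01", "HasSession", "DA1"),             # a Domain Admin is logged on to a non-DC
    ("WS02", "HasSession", "CAROL"),
    ("HELPDESK", "AdminTo", "EXCH01"),
    ("EXCH01", "MemberOf", "EXCHANGE TRUSTED SUBSYSTEM"),
    ("EXCHANGE TRUSTED SUBSYSTEM", "WriteDacl", "DOMAIN ADMINS"),  # legacy Exchange default ACL
    ("DAVE", "GenericWrite", "GPO-TIER0"),     # a non-DA who can edit a GPO ...
    ("GPO-TIER0", "GpLink", "OU-TIER0"),       # ... that applies to the OU holding DA1
    ("OU-TIER0", "Contains", "DA1"),
]
USERS = ["ALICE", "BOB", "CAROL", "DAVE", "EVE"]   # the population behind "% of users"
TARGET = "DOMAIN ADMINS"
# Computers where manual analysis found a local privesc, i.e. the ones you would mark Owned.
# CanRDP to any other computer is not treated as a path (no privesc: drop the CanRDP edge).
LOCAL_PRIVESC = {"WS01", "WS02"}


def traversable(edge):
    src, kind, dst = edge
    if kind == "CanRDP":
        return dst in LOCAL_PRIVESC
    return True


def adjacency(edges):
    adj = {}
    for src, kind, dst in edges:
        if traversable((src, kind, dst)):
            adj.setdefault(src, []).append(dst)
    return adj


def has_path(adj, start, target):
    """Breadth-first search; True if target is reachable from start."""
    seen, queue = {start}, deque([start])
    while queue:
        node = queue.popleft()
        if node == target:
            return True
        for nxt in adj.get(node, []):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return False


def pct_with_path(edges, users=USERS, target=TARGET):
    """Share of users with any path to target, plus who they are.

    In neo4j the same number comes from a Cypher query of roughly this shape
    (illustrative, not the webcast's query; assumes BloodHound's NAME@DOMAIN naming):
      MATCH (u:User) WITH count(u) AS total
      MATCH (u:User), (g:Group {name: 'DOMAIN ADMINS@EXAMPLE.LOCAL'}) WHERE (u)-[*1..]->(g)
      RETURN 100.0 * count(DISTINCT u) / total
    """
    adj = adjacency(edges)
    reach = sorted(u for u in users if has_path(adj, u, target))
    return round(100 * len(reach) / len(users)), reach


def without(edges, predicate):
    """Hypothesis: the graph as it would look with every edge matching predicate removed."""
    return [e for e in edges if not predicate(e)]


def case_study():
    """Replay the webcast's hypothesis sequence on the toy graph; returns [(label, pct, users)]."""
    da_members = {s for s, k, d in EDGES if k == "MemberOf" and d == TARGET}
    steps, edges = [], EDGES
    steps.append(("baseline", *pct_with_path(edges)))
    # 1. Drop only the single CanRDP edge to WS01 (not cumulative; the other box still works).
    one = without(edges, lambda e: e == ("DOMAIN USERS", "CanRDP", "WS01"))
    steps.append(("drop CanRDP to WS01 only", *pct_with_path(one)))
    # 2. Drop every Domain Users CanRDP edge (cumulative from here on).
    edges = without(edges, lambda e: e[0] == "DOMAIN USERS" and e[1] == "CanRDP")
    steps.append(("drop all Domain Users CanRDP", *pct_with_path(edges)))
    # 3. DAs log on to DCs only: drop their sessions on non-DCs.
    edges = without(edges, lambda e: e[1] == "HasSession" and e[2] in da_members)
    steps.append(("drop DA sessions on non-DCs", *pct_with_path(edges)))
    # 4. Remove the legacy Exchange ACL on Domain Admins.
    edges = without(edges, lambda e: e[1] == "WriteDacl" and e[2] == TARGET)
    steps.append(("drop Exchange WriteDacl on DA", *pct_with_path(edges)))
    # 5. Take GPO edit rights away from the non-DA user.
    edges = without(edges, lambda e: e[1] == "GenericWrite" and e[2] == "GPO-TIER0")
    steps.append(("drop GPO edit rights", *pct_with_path(edges)))
    return steps


if __name__ == "__main__":
    for label, pct, who in case_study():
        print(f"{pct:3d}% of users reach {TARGET}  ({label}): {who}")
```

Run it and the sequence is 100, 100, 60, 60, 20, 0: removing one CanRDP edge changes nothing because the second box still works, removing all of them is the first real win, cleaning up DA sessions on their own does not help this graph because the surviving path runs through HELPDESK and Exchange, and only the Exchange ACL and the GPO edit right get the number to zero. That is the point of testing each hypothesis against the whole graph rather than fixing the edge that looks worst in the UI.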
Time for questions! Shout-out to BloodHound Slack (which I frequent): bloodhoundgang.herokuapp.com

1st question, answered by @CptJesus, is on huge networks: over ~100k+ principals means you may have to tailor queries carefully. 2nd Q: re-importing data is fine; the REST API is dead [23/n]
Q: Obfuscating SharpHound? A: Recompile/obfuscate yourself, or use the .ps1 version.
Q: What if you're worried about stealth? A: SharpHound -Stealth and optionally -ExcludeDC to avoid MS ATA.
Q: Performance issues? A: Not really, DC's are meant to LDAP all day long.
[24/n]
Q: What about sparsest cuts (en.wikipedia.org/wiki/Cut_(grap…)?
A: That's, uh, hard, and difficult to scale to huge graphs like BloodHound. @_wald0 could do 100 nodes, but not 1k+. Instead, focus on left and right sides of attack paths, and AD knowledge.
[25/n]
Q: Constrained/unconstrained delegation? A: Yes, latest BloodHound has edges for it.
Q: What gets logged? A: SharpHound doesn't try to be stealthy, execution is logged, LDAP traffic is mostly normal.
Q: Has anyone done real-time session enum? A: No, but that'd be cool.

[26/n]
Q: How'd you add the local privesc path from RDP? A: We didn't, we found the privesc through manual analysis. If no privesc, remove the CanRDP path. If privesc, mark the computer as "Owned".
Q: How do you show BloodHound data? A: Literally screenshots of the BH UI.
[27/n]
Q: What about accounts marked as sensitive and not available for delegation? A: Manual analysis, currently.
Q: Will the PowerBI workbook be made available? A: Yes, free and open source, just gotta make it usable.
Q: Can we undo removing edges? A: No, just re-import.
[28/n]
Q: Where'd that "% of users with paths to DA" number come from? A: The PowerBI workbook, and a standalone script. Or manual neo4j cypher query.
Last Q: What makes a high-value target? A: High-value targets can all reach DA.
[29/n]
And that's a wrap! Webcast complete, lots of great questions. One more shout-out for the BloodHound Slack, lots of great discussions happening every day: bloodhoundgang.herokuapp.com.

Thanks for following this tweet-storm! [30/30]