(1/n) The other day, @JulioUrena asked a great question in the BloodHound Slack:

"How can I determine which Group Policies apply to members of a certain group?"

We can use #BloodHound to answer this question, but I want to explain the moving pieces here as well.

(2/n) Group Policy can't be applied directly to security groups, except when using SID filtering and linking the Group Policy correctly. SID filtering on GPOs is not very common, so #BloodHound doesn't currently model that.

We can still use #BloodHound to figure this out though.

(3/n) Take for example this security group -- real data so labels are hidden (left CTRL in BloodHound GUI). This group has 7 users in it, but because it has a group added to it...

(4/n) ...there are actually many more users effectively joined to this group:

(5/n) Group Policies are linked to containers, so let's find out where these users live in the OU tree structure:
(6/n) Last step: let's find which GPOs are linked to any container in this structure:

(7/n) The best part of all this? The Cypher for this query is *very* simple, and @neo4j completes the query in milliseconds:
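An added example of what that query can look like, written here against the standard BloodHound Neo4j schema and not copied from the thread's screenshot. It follows the steps above: unroll nested membership, walk up the container tree, then collect linked GPOs. The group name is a placeholder; BloodHound stores principal names upper-case as NAME@DOMAIN.

```cypher
// Step 1: every user or computer that is a member of the group,
// directly or through any depth of nested groups (MemberOf*1..)
MATCH (m)-[:MemberOf*1..]->(g:Group {name: 'TARGET GROUP@EXAMPLE.LOCAL'})
WHERE m:User OR m:Computer

// Step 2: every OU (and the domain head) above each member in the
// container tree; Contains edges point from parent to child
MATCH (c)-[:Contains*1..]->(m)
WHERE c:OU OR c:Domain

// Step 3: every GPO linked to any of those containers
MATCH (gpo:GPO)-[l:GpLink]->(c)

// One row per GPO/container link, with how many of the group's
// effective members sit under that link
RETURN gpo.name AS gpo,
       c.name AS linked_to,
       l.enforced AS enforced,
       count(DISTINCT m) AS affected_members
ORDER BY affected_members DESC, gpo
```

The graph does not carry Block Inheritance, link order, WMI filters or security filtering, so read the result as the set of candidate GPOs for those members rather than the resultant set of policy.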
(8/8) Read more about how Group Policy works here: wald0.com/?p=179 - with special thanks to @grouppolicyguy.
Join the #BloodHound Slack here: bloodhoundgang.herokuapp.com

Thread by Andrew Robbins (@_wald0)


