Share this page!

Andy Robbins Profile picture
Twitter logo
21 Dec, 8 tweets, 3 min read
🧵In May of 2021, we published our manifesto on a new methodology called Attack Path Management - posts.specterops.io/the-attack-pat….

Enough time has passed now that we are starting to see the outcomes of this methodology, which I'd like to talk to you about:
Strip away the brands, the tools, the people, and everything else, and you are left with the only thing that REALLY matters:

The problem.

The problem that APM seeks to solve is the persistent availability and reliability of attack paths.
Pentesters, red teamers, and real attackers have been abusing attack paths, specifically in Active Directory, for over 20 years. AD attack paths are INSANELY reliable. They can be abused with reliable tools, including legitimate admin tools like Powershell and PsExec.
Think about that: 20 years of abusing AD attack paths. 20 years is a generation of people. In the world of computers, 20 years is an eternity of eternities.

We should not be talking about attack paths 20 years from now.
There are various tools implementing Attack Path Management, including BloodHound Enterprise. Our customers are using BHE to knock out millions, even billions of attack paths in their AD environments in a matter of days and weeks.
It has gotten to the point where our own red team, and some of our red team friends in the industry, simply cannot escalate rights in AD anymore where BHE is deployed. That's a huge, huge, huge win for our customers and the methodology itself.
BHE isn't the only tool doing APM.

You can check out ImproHound, which finds tiering violations for you: github.com/improsec/Impro…
I also think @illumio is doing great APM work in layers 2 and 3: illumio.com
Eventually we will put together a formal report sharing the statistics we are seeing with BHE and make it freely available to everyone. Until then, you can learn more about BHE here: bloodhoundenterprise.io

• • •

Missing some Tweet in this thread? You can try to force a refresh
 

Keep Current with Andy Robbins

Andy Robbins Profile picture

Stay in touch and get notified when new unrolls are available from this author!

Read all threads

This Thread may be Removed Anytime!

PDF

Twitter may remove this content at anytime! Save it as PDF for later use!

Try unrolling a thread yourself!

how to unroll video
  1. Follow @ThreadReaderApp to mention us!

  2. From a Twitter thread mention us with a keyword "unroll"
@threadreaderapp unroll

Practice here first or read more on our help page!

More from @_wald0

Andy Robbins Profile picture
21 Dec
There are two very interesting new cmdlets in this release:

Invoke-AzureVMUserDataCommand and Invoke-AzureVMUserDataAgent.

In this thread I'll offer my thoughts on how these can be used for extremely hard-to-detect #Azure c2:
This c2 technique is based on Azure IMDS: docs.microsoft.com/en-us/azure/vi….

This service is accessible to every VM in Azure. As far as I know, there's no reason to ever disable this service for a VM, so it should always be accessible to every Azure VM.
IMDS's REST API is available to each VM at the non-routable, local IP of 169.254.169.254.

In April of this year, Microsoft introduced an IMDS feature called "User Data": azure.microsoft.com/en-us/updates/…
Read 9 tweets
Andy Robbins Profile picture
20 Dec
With 2021 almost over, what were some of your favorite blogs, talks, or people you started following this year? I'll go first:
My favorite overall blog post: "Defenders Mindset" by @JohnLaTwC.

This post is packed with profound insights, from the perspective of someone with decades of deep security experience:
My favorite new follow this year: @inversecos.

Lina is writing the technical content our industry needs: deeply technical, clearly explained, and appropriate for both offense and defense audiences. See her writings here: inversecos.com
Read 7 tweets
Andy Robbins Profile picture
6 Dec
Let's talk about tiered administration in AzureAD:

- What it starts with
- How it can be violated
- What you can do about that

In 10 tweets or less. Go:
1/ There are three default admin roles that belong to Tier Zero in AzureAD:

Global Admin
Priv. Role Admin
Priv. Auth Admin

Everything IN tier zero is tier zero. Everything ELSE is not tier zero has has no business controlling anything IN tier zero.
2/ These admin roles aren't of much use if you don't grant them to anyone. Let's grant a service principal the Global Admin role:
Read 11 tweets
Andy Robbins Profile picture
1 Dec
Thread:

API permissions in #Azure can be configured such that attack paths leading to Global Admin emerge. Prior work and links to our work below:
Blog: Azure Privilege Escalation via Azure API Permissions Abuse posts.specterops.io/azure-privileg…
Recording of the talk: specterops.zoom.us/webinar/regist…
Read 7 tweets
Andy Robbins Profile picture
27 Nov
Thread:

It was @JohnLaTwC who famously said:

“Attackers think in graphs. Defenders think in lists. As long as this is true, attackers win.”

If you’ve seen more than one of my talks, you might think I’m contractually obligated to include this quote in every talk I do.
This quote means a lot to me. A LOT. Graph theory, to me, almost seems like it was invented solely for the information security field. Its purpose and reach is obviously waaaaaaay further than our field, but…
… we have BARELY scratched the surface of what’s possible with applied graph theory in information security. The core feature of #BloodHound is finding the shortest path between two nodes. The algorithm this is based on was first published in 1959.
Read 13 tweets
Andy Robbins Profile picture
25 Nov
There are worlds of untapped security research opportunities in Azure - growing, dynamic, and multiplying worlds. The next few years will produce amazing research. Get a head start with the following resources:
This brand new book by @kfosaaen and @asegunlolu: amazon.com/Penetration-Te…
The world-class writings of @inversecos: inversecos.com/?m=1
Read 7 tweets

Did Thread Reader help you today?

Support us! We are indie developers!

This site is made by just two indie developers on a laptop doing marketing, support and development! Read more about the story.

Become a Premium Member ($3/month or $30/year) and get exclusive features!

Become Premium

Too expensive? Make a small donation by buying us coffee ($5) or help with server cost ($10)

Donate via Paypal

Or Donate anonymously using crypto!

Ethereum

0xfe58350B80634f60Fa6Dc149a72b4DFbc17D341E copy

Bitcoin

3ATGMxNzCUFzxpMCHL5sWSt4DVtS8UqXpi copy

Thank you for your support!

Follow Us on Twitter!

Like this author's thread?

Get emails when @_wald0 has new unrolls!

Check out other threads from @_wald0!

Read all threads by @_wald0

:(