Justin Kohler
Mar 1, 2022 · 14 tweets · 4 min read
Our #BloodHoundEnterprise customers really value measuring the exposure of any given #AttackPath so I figured I'd do a quick 🧵 to explain how this works
We'll start with an example: Riley (a regular user) has rights over a Domain Controller (Tier Zero / Critical Asset): [image]
This is certainly an issue we'd want to address but how do we really assess the risk?

Let's look at who can control Riley's account.
The Help Desk group (5 members) can reset her password, and the sysadmin team (3 members) has local administrative rights on her machine: [image]
This is starting to look serious.

But look at what happens when Riley runs a script across some servers to install some software: [image]
Things are looking far worse than our initial view: [image]
This exposure measurement continues even further:
- Who can target the Help Desk team?
- Who has privileges on those servers?

And further still:
- For each of those answers, who has an Attack Path to those?

And so on, and so on
A seemingly innocuous privilege can quickly cascade through the relationships in AD and make it trivial for an adversary to find a path to their objective.
BloodHound Enterprise continuously monitors and measures this Attack Path risk by first mapping all paths from critical assets: [image]
Then identifying Attack Path Choke Points: [image]
And quantifying their exposure based on how much of the environment can abuse each path.

I.e. "92% of all users have an Attack Path to fully control our domain through this GenericWrite privilege on the CONTOSODC01 Domain Controller": [image]
This is objective, empirical measurement of risk.

Your environment and your specific AD architecture.

Your specific risk.
Empirical measurements of risk allow BloodHound Enterprise customers to better prioritize remediation: [image]
For more detail, check out this post:
posts.specterops.io/3-foundational…

Want to see it in your environment? Sign up here for a demo: bloodhoundenterprise.io
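The measurement the thread describes, as an added example (not code from the thread or from BloodHound Enterprise): a constructed toy attack graph modelled on the Riley scenario, a reverse breadth-first search from the critical asset to find every principal with a path to it, and the exposure of each final hop (choke point) as the share of users that can abuse it. Node names, edge kinds and group memberships are illustrative assumptions.

```python
from collections import defaultdict, deque

# Constructed sample graph modelled on the Riley scenario: (source, edge, target).
EDGES = [
    ("RILEY", "AdminTo", "CONTOSODC01"),            # the innocuous-looking privilege
    ("DOMAIN ADMINS", "AdminTo", "CONTOSODC01"),    # legitimate Tier Zero path
    ("ERIN", "MemberOf", "DOMAIN ADMINS"),
    ("HELP DESK", "ForceChangePassword", "RILEY"),  # can reset her password
    ("HD1", "MemberOf", "HELP DESK"),
    ("HD2", "MemberOf", "HELP DESK"),
    ("CAROL", "GenericWrite", "HELP DESK"),         # can target the Help Desk group
    ("SYSADMINS", "AdminTo", "RILEY-PC"),           # local admin on her machine
    ("RILEY-PC", "HasSession", "RILEY"),
    ("ALICE", "MemberOf", "SYSADMINS"),
    ("SRV01", "HasSession", "RILEY"),               # her install script left a session
    ("SERVER ADMINS", "AdminTo", "SRV01"),
    ("BOB", "MemberOf", "SERVER ADMINS"),
]
USERS = {"RILEY", "HD1", "HD2", "ALICE", "BOB", "CAROL", "DAVE", "ERIN"}  # DAVE has no path

def can_control(edges, target):
    """Every node with a path to `target` (target included: a principal trivially
    controls itself). Reverse BFS from the asset = 'map all paths from critical assets'."""
    preds = defaultdict(set)
    for src, _, dst in edges:
        preds[dst].add(src)
    seen, queue = {target}, deque([target])
    while queue:
        node = queue.popleft()
        for src in preds[node] - seen:
            seen.add(src)
            queue.append(src)
    return seen

def exposure(edges, users, target):
    """Share of users with a path to `target`; 0.75 reads as '75% of users'."""
    return len(can_control(edges, users and users) & users) / len(users) if False else \
        len(can_control(edges, target) & users) / len(users)

def choke_points(edges, users, critical_asset):
    """Exposure of each final hop into the asset: the fraction of users that can
    reach the hop's source. Fixing the highest-valued hop removes the most paths."""
    hops = [(s, e) for s, e, d in edges if d == critical_asset]
    return {f"{s} -{e}-> {critical_asset}": exposure(edges, users, s) for s, e in hops}

if __name__ == "__main__":
    print(f"{exposure(EDGES, USERS, 'CONTOSODC01'):.0%} of users can reach CONTOSODC01")
    for hop, share in sorted(choke_points(EDGES, USERS, "CONTOSODC01").items(), key=lambda kv: -kv[1]):
        print(f"{share:6.1%}  {hop}")
```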