BloodHound: Attack Graphs Practically Applied to Active Directory

•

2 gefällt mir•3,042 views

Andy Robbins

Presented at Microsoft's BlueHat v18 in Redmond, Washington in September of 2018.

Technologie

BloodHound:
Attack Graphs Practically Applied to
Active Directory

HELLO!
I am Andy Robbins
Adversary Resilience Lead at
SpecterOps
BloodHound co-creator and
developer, Red Teamer
You can find me at @_wald0

HELLO!
I am Rohan Vazarkar
Adversary Resilience Senior
Operator at SpecterOps
BloodHound co-creator and
developer, Red Teamer
You can find me at @CptJesus

Agenda
▪ The Problem
▪ The Solution
▪ Conclusion
44

Purpose
We want to demonstrate how graphs can
be an elegant and practical solution to
incredibly complex problems, and inspire
you to consider using graphs for problems
you face
55

Pushed Into a Corner, circa 2014-2015
▪ Remote Code Execution (RCE) flaws in Windows
become increasingly rare and risky to exploit
▪ Maturing vulnerability management programs
ensure ephemerality of RCE in the enterprise
▪ A common methodology appeared...
77

The Data is RIGHT… THERE!
▪ Question: Where are users logged on?
▪ Answer: NetSessionEnum
▪ Question: Who are local admins on a system?
▪ Answer: NetLocalGroupGetMembers
▪ Question: Who belongs to what security group?
▪ Answer: Basic LDAP queries
By default, all data is accessible by any domain authenticated principal
on systems before Windows 10 Anniversary (1607)
2020

An effective, albeit tedious and naive approach...
21
Target Users:
Admin-1
Admin-2
Admin-3
Admin-4
Admin-5
Admin-1 Uses
These Systems:
Computer-1
Computer-2
Computer-3
Admins on Computer-1:
Admin-1
Admin-2
Admin-10
Group-11
Members of Group 11
Use These Systems:
Computer-1
Computer-2
Computer-5
Admins on Computer-5:
Admin-1
Admin-2
Admin-10
Admin-15
Admin-15 Uses These
Systems:
Computer-1
Computer-2
Computer-10
Members of
Group-11:
Admin-5
Admin-6
Admin-7
Admin-8

The Problem, In Short
▪ We have a reliable, proven methodology for
escalating rights in almost any Active Directory
deployment
▪ That methodology is enhanced by data which, by
default, anyone in a domain can access
▪ The data is way too complicated to analyze by hand
2222

It’s a graph, dummy!
▪ Every principal (user, group, computer) is a node
▪ Every privilege (and group membership) is a
relationship
▪ Graphs are phenomenally fast at finding paths
between disparate nodes
2424

25
Domain AdminsAlice AdminComputer 1
Bob User
Helpdesk Group
Data Source: LDAP

26
Domain AdminsAlice AdminComputer 1
Bob User
Helpdesk Group
MemberOf
MemberOf
Data Source: LDAP

27
Domain AdminsAlice AdminComputer 1
Bob User
Helpdesk Group
MemberOf
MemberOf
AdminTo
Data Source:
NetLocalGroupGetMembers

28
Domain AdminsAlice AdminComputer 1
Bob User
Helpdesk Group
MemberOf
MemberOfHasSession
AdminTo
Data Source:
NetSessionEnum

Now You’re Thinking With Graphs
▪ Manual “derivative local admin” takes days to
months
▪ Data collection, graph analysis, and attack path
execution takes minutes to hours
2929

Three Problems Graphs Solved
▪ Complexity - Analyzing thousands of paths became
possible
▪ Readability - Presenting concepts to non-technical
audiences became easier
▪ Accessibility - Opened up the methodology to both
the defensive and offensive side
3333

Three Exciting Defensive Applications
▪ Easier, more effective, more accurate permission
auditing
▪ Attack path identification and mitigation/elimination
▪ Empirical key terrain identification
3434

If There’s One Thing to Take Away From this Talk
▪ Graphs are not the solution to every problem;
however, they allow you to look at problems in a
unique way and solve complex problems that
otherwise would be insanely difficult to visualize,
compute, or solve
3535

Acknowledgements and Prior Work
http://alicezheng.org/papers/sosp2009-heatray-10pt.pdf
https://www.sixdub.net/?p=591
https://bitbucket.org/iwseclabs/bta
https://github.com/ANSSI-FR/AD-control-paths
https://powersploit.readthedocs.io/en/latest/Recon/
3636

37
Thank you!
QUESTIONS?
You can find us at:
▪ specterops.io
▪ @SpecterOps
▪ @_wald0
▪ @CptJesus
▪ BloodHound: https://bit.ly/GetBloodHound
▪ BloodHound Slack: https://bloodhoundgang.herokuapp.com

Weitere ähnliche Inhalte

Was ist angesagt?

Hunting Lateral Movement in Windows Infrastructure

Sergey Soldatov

Abusing MS SQL Using SQLRecon

Sanjiv Kawa

Defending Your "Gold"

Will Schroeder

A Threat Hunter Himself

Teymur Kheirkhabarov

Given at BSides Nashville 2017. The modern Windows Operating System carries with it an incredible amount of legacy code. The Component Object Model (COM) has left a lasting impact on Windows. This technology is far from dead as it continues to be the foundation for many aspects of the Windows Operating System. You can find hundreds of COM Classes defined by CLSID (COM Class Identifiers). Do you know what they do? This talk seeks to expose tactics long forgotten by the modern defender. We seek to bring to light artifacts in the Windows OS that can be used for persistence. We will present novel tactics for persistence using only the registry and COM objects.

Windows Operating System Archaeology

enigma0x3

Not a Security Boundary

Will Schroeder

Next Generation War: EDR vs RED TEAM

BGA Cyber Security

44CON London 2015 - Windows 10: 2 Steps Forward, 1 Step Back

44CON

FreeIPA is the open source answer to Active Directory, bringing the functionality of Kerberos and centralized management to the unix world. This talk will dive into the background of FreeIPA, how to attack it, and its parallels to traditional Active Directory. We will cover the FreeIPA equivalents of credential abuse, discovery, and lateral movement, highlighting the similarities and differences from traditional Active Directory tradecraft. This will culminate in multiple real-world demos showing how chains of abuse, previously accessible only in Windows environments, are now possible in the unix realm, providing a new medium for offensive research into Kerberos and LDAP environments.

FreeIPA - Attacking the Active Directory of Linux

Julian Catrambone

Identifying privilege escalation paths within an Active Directory environment is crucial for a successful red team. Over the last few years, BloodHound has made it easier for red teamers to perform reconnaissance activities and identify these attacks paths. When evaluating BloodHound data, it is common to find ourselves having sufficient rights to modify a Group Policy Object (GPO). This level of access allows us to perform a number of attacks, targeting any computer or user object controlled by the vulnerable GPO. In this talk we will present previous research related to GPO abuses and share a number of misconfigurations we have found in the wild. We will also present a tool that allows red teamers to target users and computers controlled by a vulnerable GPO in order to escalate privileges and move laterally within the environment.

(Ab)Using GPOs for Active Directory Pwnage

Petros Koutroumpis

Derbycon - The Unintended Risks of Trusting Active Directory

Will Schroeder

Passwords#14 - mimikatz

Benjamin Delpy

Introduction to red team operations

Sunny Neo

Kerberoasting has become the red team’s best friend over the past several years, with various tools being built to support this technique. However, by failing to understand a fundamental detail concerning account encryption support, we haven’t understood the entire picture. This talk will revisit our favorite TTP, bringing a deeper understanding to how the attack works, what we’ve been missing, and what new tooling and approaches to kerberoasting exist.

SpecterOps Webinar Week - Kerberoasting Revisisted

Will Schroeder

DerbyCon 2019 - Kerberoasting Revisited

Will Schroeder

Effective Threat Hunting with Tactical Threat Intelligence

Dhruv Majumdar

Nonamecon 2021 presentation. Network logs are one of the most efficient sources to hunt adversaries, but building good analytics capabilities require a deep understanding of benign activity and attacker behavior. This training focuses on detecting real-case attacks, tools and scenarios by the past year. The training is highly interactive and retains a good balance between theory and a lot of hands-on exercises for the students to get used to the detection engineering methodology and prepare them to start implementing this at their organizations. Presentation topics: - Netflow Mitre Matrix view - Full packet captures vs Netflow - Zeek - Zeek packages - RDP initial comprometation - Empire Powershell and CobaltStrike or what to expect after initial loader execution. - Empire powershell initial connection - Beaconing. RITA - Scanning detection - Internal enumeration detection - Lateral movement techniques widely used - Kerberos attacks - PSExec and fileless ways of delivering payloads in the network - Zerologon detection - Data exfiltration - Data exfiltration over C2 channel - Data exfiltration using time size limits (data chunks) - DNS exfiltration - Detecting ransomware in your network - Real incident investigation Authors: Oleh Levytskyi (https://twitter.com/LeOleg97) Bogdan Vennyk (https://twitter.com/bogdanvennyk)

Hunting for APT in network logs workshop presentation

OlehLevytskyi1

A Threat Hunter Himself

Sergey Soldatov

Threat Hunting

Splunk

Hunting for Credentials Dumping in Windows Environment

Teymur Kheirkhabarov

Was ist angesagt? (20)

Hunting Lateral Movement in Windows Infrastructure

Abusing MS SQL Using SQLRecon

Defending Your "Gold"

A Threat Hunter Himself

Windows Operating System Archaeology

Not a Security Boundary

Next Generation War: EDR vs RED TEAM

44CON London 2015 - Windows 10: 2 Steps Forward, 1 Step Back

FreeIPA - Attacking the Active Directory of Linux

(Ab)Using GPOs for Active Directory Pwnage

Derbycon - The Unintended Risks of Trusting Active Directory

Passwords#14 - mimikatz

Introduction to red team operations

SpecterOps Webinar Week - Kerberoasting Revisisted

DerbyCon 2019 - Kerberoasting Revisited

Effective Threat Hunting with Tactical Threat Intelligence

Hunting for APT in network logs workshop presentation

A Threat Hunter Himself

Threat Hunting

Hunting for Credentials Dumping in Windows Environment

Ähnlich wie BloodHound: Attack Graphs Practically Applied to Active Directory

raph Databases with Neo4j – Emil Eifrem

buildacloud

Add Redis to Postgres to Make Your Microservices Go Boom!

Dave Nielsen

Every professional or individual, wishing to develop an application or create a website, will need to store data in 99% of cases. There are different solutions on the market: relational database management system, NoSQL, datastore, but not necessarily the user manual to make the right choice! Our experts will review the main relational databases - Redis, MySQL / MariaDB, PostgreSQL and MongoDB and help you choose the one that best fits your project.

Myths & Reality - Choose a DBMS tailored to your use cases

OVHcloud

From talk given on June 10, 2020 at the DevTalks Reimagined conference. ABSTRACT: Serverless is an amazing beast of a technology. With it, you can quickly build and deploy incredible systems. You get out-of-the-box scalability and flexibility.Nevertheless, with great power comes great(er) cost!In this talk, you’ll learn about building a huge data pipeline using Serverless architecture, and how to tame the beast.After this session, you will understand the pitfalls to avoid and the great powers to exploit.

THE RISE AND FALL OF SERVERLESS COSTS - TAMING THE (SERVERLESS) BEAST

Opher Dubrovsky

Electron

Adrian Caetano

CSA on Rails: a practical case-study

calamitas

In 2018 we've seen a huge uptick in applications using Kubernetes for their deployment method. Many times your persistent data layer is a difficult decision. What will you store data in, how long will you need to access this data and who will manage the lifecycle of this data? These are important questions many developers and ops teams have taken to heart. In this talk we'll review how the data layer is managed for high availability and reliability in modern application deployment. The attendee should leave having a better understanding of the options in front of them and their ability to build applications in any hosting environment.

Solving the Database Problem

Jay Gordon

PostgreSQL at 20TB and Beyond

Chris Travers

Machine Learning development involves comparing models and storing the artifacts they produced. We often compare several algorithms to select the most efficient ones. We assess different hyper-parameters to fine-tune the model. Git helps us store multiple versions of our code. Additionally, we need to keep track of the datasets we are using. This is important not only for audit purposes but also for assessing the performances of the models, developed at a later time. Git is a standard code versioning tool in software development. It can be used to store your datasets but it does not offer an optimal solution.

Data Versioning and Reproducible ML with DVC and MLflow

Databricks

Government and Education Webinar: Simplify Your Database Performance Manageme...

SolarWinds

The new Migrate module in Drupal 8 core is great for upgrading sites from Drupal 6 to Drupal 8. But it's useful for a lot more than just that! Migrate adds the power of any external tool to your content workflow. Not every client is accustomed to using Drupal. Some clients might like Google Spreadsheets; others prefer Markdown files in version control. Using Migrate, you can let your clients use their preferred content building tools—even before you have a Drupal site ready for them! I'll talk about my experiences with several different Migrate-based workflows that we've used at Evolving Web. There's already information out there about building migrations, but most of it focuses on very limited use cases: direct upgrades, or simple nodes. I'll cover many other bits and pieces you need for real-life migration projects, including: * Hierarchical menus * Paths and redirects * Multilingual data * Files and images * Merging multiple migrations * Writing custom migration sources and transformations * Figuring out why your migration isn't working Attendees with some PHP experience will get the most out of this talk—but many parts will be interesting to site builders and project managers as well.

Migrate all the things!

Dave Vasilevsky

Во время доклада, я поделюсь с Вами опытом, который мы получили, используя микросервисы в прод K8S кластере. Также, обозначу основные проблемы, с которыми столкнулась наша команда на этапе их диагностики. И, самое главное - что мы сделали чтобы избежать их в будущем. Отвечу на вопросы: Почему мы мигрировали в облако? Почему dotNet Core 2.2 вызвал кучу проблем? Данный доклад сохранит сотни часов вашим разработчикам и DevOps команде, жизнь которой может напоминать кошмар.

.NET Fest 2019. Леонид Молотиевский. DotNet Core in production

NETFest

Session from BGOUG I presented in June, 2016 Big data is one of the biggest buzzword in today's market. Terms like Hadoop, HDFS, YARN, Sqoop, and non-structured data has been scaring DBA's since 2010 - but where does the DBA team really fit in? In this session, we will discuss everything database administrators and database developers needs to know about big data. We will demystify the Hadoop ecosystem and explore the different components. We will learn how HDFS and MapReduce are changing the data world, and where traditional databases fits into the grand scheme of things. We will also talk about why DBAs are the perfect candidates to transition into Big Data and Hadoop professionals and experts.

Things Every Oracle DBA Needs to Know about the Hadoop Ecosystem

Zohar Elkayam

Hybrid my sql_hadoop_datawarehouse

Laine Campbell

Workshop Español - Introducción a Neo4j

Neo4j

Neo4j: What's Under the Hood & How Knowing This Can Help You

Neo4j

No IT Left Behind - Connecting the Software-Defined Data Center to Multi-Moda...

Intelligent Software Solutions

Роман Нікітченко Big Data solutions architect в компанії V.I.Tech. Спеціаліст з більш ніж 20-річним досвідом роботи в галузі телекому і вбудованих систем, що змінив індустрію на Java Enterprise. Завдяки попередньому досвіду за короткий термін став одним з провідних архітекторів Big Data в Україні.

Big data & frameworks: no book for you anymore

Stfalcon Meetups

When your clients need only small database for personal music library and some kind of HTTP interface to it, everything looks nice and you can use lot of bright frameworks and trusted approaches for your application. But what changes if you step ahead of existing solutions to bring things like population health management? Let's talk about our Big Data experience and meaningful framework usage: - What makes the difference when you go Big Data and Hadoop. - Frameworks and big data: hamsters vs hipsters. - Reality matters. Frameworks cost. How much? - What framework is good for you? - Making your own frameworks.

Big data & frameworks: no book for you anymore.

Roman Nikitchenko

Big Data, Hadoop, NoSQL and more ...

Varad Meru

Ähnlich wie BloodHound: Attack Graphs Practically Applied to Active Directory (20)

raph Databases with Neo4j – Emil Eifrem

Add Redis to Postgres to Make Your Microservices Go Boom!

Myths & Reality - Choose a DBMS tailored to your use cases

THE RISE AND FALL OF SERVERLESS COSTS - TAMING THE (SERVERLESS) BEAST

Electron

CSA on Rails: a practical case-study

Solving the Database Problem

PostgreSQL at 20TB and Beyond

Data Versioning and Reproducible ML with DVC and MLflow

Government and Education Webinar: Simplify Your Database Performance Manageme...

Migrate all the things!

.NET Fest 2019. Леонид Молотиевский. DotNet Core in production

Things Every Oracle DBA Needs to Know about the Hadoop Ecosystem

Hybrid my sql_hadoop_datawarehouse

Workshop Español - Introducción a Neo4j

Neo4j: What's Under the Hood & How Knowing This Can Help You

No IT Left Behind - Connecting the Software-Defined Data Center to Multi-Moda...

Big data & frameworks: no book for you anymore

Big data & frameworks: no book for you anymore.

Big Data, Hadoop, NoSQL and more ...

Kürzlich hochgeladen

GenCyber Cyber Security Day Presentation

Michael W. Hawkins

MySQL Webinar, presented on the 25th of April, 2024. Summary: MySQL solutions enable the deployment of diverse Database Architectures tailored to specific needs, including High Availability, Disaster Recovery, and Read Scale-Out. With MySQL Shell's AdminAPI, administrators can seamlessly set up, manage, and monitor these solutions, ensuring efficiency and ease of use in their administration. MySQL Router, on the other hand, provides transparent routing from the application traffic to the backend servers in the architectures, requiring minimal configuration. Completely built in-house and supported by Oracle, these solutions have been adopted by enterprises of all sizes for their business-critical applications. In this presentation, we'll delve into various database architecture solutions to help you choose the right one based on your business requirements. Focusing on technical details and the latest features to maximize the potential of these solutions.

Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...

Miguel Araújo

Advantages of Hiring UIUX Design Service Providers for Your Business

Pixlogix Infotech

Finology Group – Insurtech Innovation Award 2024

The Digital Insurer

With more memory available, system performance of three Dell devices increased, which can translate to a better user experience Conclusion When your system has plenty of RAM to meet your needs, you can efficiently access the applications and data you need to finish projects and to-do lists without sacrificing time and focus. Our test results show that with more memory available, three Dell PCs delivered better performance and took less time to complete the Procyon Office Productivity benchmark. These advantages translate to users being able to complete workflows more quickly and multitask more easily. Whether you need the mobility of the Latitude 5440, the creative capabilities of the Precision 3470, or the high performance of the OptiPlex Tower Plus 7010, configuring your system with more RAM can help keep processes running smoothly, enabling you to do more without compromising performance.

Boost PC performance: How more available memory can improve productivity

Principled Technologies

2024: Domino Containers - The Next Step. News from the Domino Container commu...

Martijn de Jong

Building Digital Trust in a Digital Economy Veronica Tan, Director - Cyber Security Agency of Singapore Apidays Singapore 2024: Connecting Customers, Business and Technology (April 17 & 18, 2024) ------ Check out our conferences at https://www.apidays.global/ Do you want to sponsor or talk at one of our conferences? https://apidays.typeform.com/to/ILJeAaV8 Learn more on APIscene, the global media made by the community for the community: https://www.apiscene.io Explore the API ecosystem with the API Landscape: https://apilandscape.apiscene.io/

Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...

apidays

Presentation on how to chat with PDF using ChatGPT code interpreter

naman860154

Enterprise Knowledge’s Urmi Majumder, Principal Data Architecture Consultant, and Fernando Aguilar Islas, Senior Data Science Consultant, presented "Driving Behavioral Change for Information Management through Data-Driven Green Strategy" on March 27, 2024 at Enterprise Data World (EDW) in Orlando, Florida. In this presentation, Urmi and Fernando discussed a case study describing how the information management division in a large supply chain organization drove user behavior change through awareness of the carbon footprint of their duplicated and near-duplicated content, identified via advanced data analytics. Check out their presentation to gain valuable perspectives on utilizing data-driven strategies to influence positive behavioral shifts and support sustainability initiatives within your organization. In this session, participants gained answers to the following questions: - What is a Green Information Management (IM) Strategy, and why should you have one? - How can Artificial Intelligence (AI) and Machine Learning (ML) support your Green IM Strategy through content deduplication? - How can an organization use insights into their data to influence employee behavior for IM? - How can you reap additional benefits from content reduction that go beyond Green IM?

Driving Behavioral Change for Information Management through Data-Driven Gree...

Enterprise Knowledge

🐬 The future of MySQL is Postgres 🐘

RTylerCroy

Automating Google Workspace (GWS) & more with Apps Script

wesley chun

Explore 'The Codex of Business: Writing Software for Real-World Solutions,' a compelling SlideShare presentation that delves into digital transformation in healthcare. Discover through a detailed case study how Agile methodologies empower healthcare providers to develop, iterate, and refine digital solutions that address real-world challenges. Learn how strategic planning, user feedback, and continuous improvement drive success in deploying technologies that enhance patient care and operational efficiency. Ideal for healthcare professionals, IT specialists, and digital transformation advocates seeking actionable insights and practical examples of technology making a real difference.

The Codex of Business Writing Software for Real-World Solutions 2.pptx

Malak Abu Hammad

Microsoft's Threat Matrix for Kubernetes helps organizations understand the attack surface a Kubernetes deployment introduces to their environments. This ensures that adequate detections and mitigations are in place. By covering over 40 different attacker techniques, defenders can learn about Kubernetes-specific mitigations and controls to deploy to their environments. In this session, we will explore the MS-TA9013 Host Path Mount technique, which is commonly used by attackers to perform privilege escalation in a Kubernetes cluster. Attendees will learn how attackers and defenders can: * Escape the container's host volume mount to gain persistence on an underlying node * Move laterally from the underlying node into the customer's cloud environment * Analyze Kubernetes audit logs to detect pods deployed with a hostPath mount * Deploy an admission controller that prevents new pods from using a hostPath mount

Breaking the Kubernetes Kill Chain: Host Path Mount

Puma Security, LLC

Tata AIG General Insurance Company - Insurer Innovation Award 2024

The Digital Insurer

As privacy and data protection regulations evolve rapidly, organizations operating in multiple jurisdictions face mounting challenges to ensure compliance and safeguard customer data. With state-specific privacy laws coming up in multiple states this year, it is essential to understand what their unique data protection regulations will require clearly. How will data privacy evolve in the US in 2024? How to stay compliant? Our panellists will guide you through the intricacies of these states' specific data privacy laws, clarifying complex legal frameworks and compliance requirements. This webinar will review: - The essential aspects of each state's privacy landscape and the latest updates - Common compliance challenges faced by organizations operating in multiple states and best practices to achieve regulatory adherence - Valuable insights into potential changes to existing regulations and prepare your organization for the evolving landscape

TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments

TrustArc

BooK Now Call us at +918448380779 to hire a gorgeous and seductive call girl for sex. Take a Delhi Escort Service. The help of our escort agency is mostly meant for men who want sexual Indian Escorts In Delhi NCR. It should be noted that any impersonator will get 100 attention from our Young Girls Escorts in Delhi. They will assume the position of reliable allies. VIP Call Girl With Original Photos Book Tonight +918448380779 Our Cheap Price 1 Hour not available 2 Hours 5000 Full Night 8000 TAG: Call Girls in Delhi, Noida, Gurgaon, Ghaziabad, Connaught Place, Greater Kailash Delhi, Lajpat Nagar Delhi, Mayur Vihar Delhi, Chanakyapuri Delhi, New Friends Colony Delhi, Majnu Ka Tilla, Karol Bagh, Malviya Nagar, Saket, Khan Market, Noida Sector 18, Noida Sector 76, Noida Sector 51, Gurgaon Mg Road, Iffco Chowk Gurgaon, Rajiv Chowk Gurgaon All Delhi Ncr Free Home Deliver

08448380779 Call Girls In Civil Lines Women Seeking Men

Delhi Call girls

Created by Mozilla Research in 2012 and now part of Linux Foundation Europe, the Servo project is an experimental rendering engine written in Rust. It combines memory safety and concurrency to create an independent, modular, and embeddable rendering engine that adheres to web standards. Stewardship of Servo moved from Mozilla Research to the Linux Foundation in 2020, where its mission remains unchanged. After some slow years, in 2023 there has been renewed activity on the project, with a roadmap now focused on improving the engine’s CSS 2 conformance, exploring Android support, and making Servo a practical embeddable rendering engine. In this presentation, Rakhi Sharma reviews the status of the project, our recent developments in 2023, our collaboration with Tauri to make Servo an easy-to-use embeddable rendering engine, and our plans for the future to make Servo an alternative web rendering engine for the embedded devices industry. (c) Embedded Open Source Summit 2024 April 16-18, 2024 Seattle, Washington (US) https://events.linuxfoundation.org/embedded-open-source-summit/ https://ossna2024.sched.com/event/1aBNF/a-year-of-servo-reboot-where-are-we-now-rakhi-sharma-igalia

A Year of the Servo Reboot: Where Are We Now?

Igalia

08448380779 Call Girls In Diplomatic Enclave Women Seeking Men

Delhi Call girls

Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...

Neo4j

Slack Application Development 101 Slides

praypatel2

Kürzlich hochgeladen (20)

GenCyber Cyber Security Day Presentation

Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...

Advantages of Hiring UIUX Design Service Providers for Your Business

Finology Group – Insurtech Innovation Award 2024

Boost PC performance: How more available memory can improve productivity

2024: Domino Containers - The Next Step. News from the Domino Container commu...

Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...

Presentation on how to chat with PDF using ChatGPT code interpreter

Driving Behavioral Change for Information Management through Data-Driven Gree...

🐬 The future of MySQL is Postgres 🐘

Automating Google Workspace (GWS) & more with Apps Script

The Codex of Business Writing Software for Real-World Solutions 2.pptx

Breaking the Kubernetes Kill Chain: Host Path Mount

Tata AIG General Insurance Company - Insurer Innovation Award 2024

TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments

08448380779 Call Girls In Civil Lines Women Seeking Men

A Year of the Servo Reboot: Where Are We Now?

08448380779 Call Girls In Diplomatic Enclave Women Seeking Men

Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...

Slack Application Development 101 Slides

BloodHound: Attack Graphs Practically Applied to Active Directory

1. BloodHound: Attack Graphs Practically Applied to Active Directory

2. HELLO! I am Andy Robbins Adversary Resilience Lead at SpecterOps BloodHound co-creator and developer, Red Teamer You can find me at @_wald0

3. HELLO! I am Rohan Vazarkar Adversary Resilience Senior Operator at SpecterOps BloodHound co-creator and developer, Red Teamer You can find me at @CptJesus

4. Agenda ▪ The Problem ▪ The Solution ▪ Conclusion 44

5. Purpose We want to demonstrate how graphs can be an elegant and practical solution to incredibly complex problems, and inspire you to consider using graphs for problems you face 55

6. The Problem

7. Pushed Into a Corner, circa 2014-2015 ▪ Remote Code Execution (RCE) flaws in Windows become increasingly rare and risky to exploit ▪ Maturing vulnerability management programs ensure ephemerality of RCE in the enterprise ▪ A common methodology appeared... 77

8. 8

9. 9

10. 10

11. 11

12. 12

13. 13

14. 14

15. 15

16. 16

17. 17

18. 18 Domain Admin!

19. 19 Domain Admin!

20. The Data is RIGHT… THERE! ▪ Question: Where are users logged on? ▪ Answer: NetSessionEnum ▪ Question: Who are local admins on a system? ▪ Answer: NetLocalGroupGetMembers ▪ Question: Who belongs to what security group? ▪ Answer: Basic LDAP queries By default, all data is accessible by any domain authenticated principal on systems before Windows 10 Anniversary (1607) 2020

21. An effective, albeit tedious and naive approach... 21 Target Users: Admin-1 Admin-2 Admin-3 Admin-4 Admin-5 Admin-1 Uses These Systems: Computer-1 Computer-2 Computer-3 Admins on Computer-1: Admin-1 Admin-2 Admin-10 Group-11 Members of Group 11 Use These Systems: Computer-1 Computer-2 Computer-5 Admins on Computer-5: Admin-1 Admin-2 Admin-10 Admin-15 Admin-15 Uses These Systems: Computer-1 Computer-2 Computer-10 Members of Group-11: Admin-5 Admin-6 Admin-7 Admin-8

22. The Problem, In Short ▪ We have a reliable, proven methodology for escalating rights in almost any Active Directory deployment ▪ That methodology is enhanced by data which, by default, anyone in a domain can access ▪ The data is way too complicated to analyze by hand 2222

23. The Solution

24. It’s a graph, dummy! ▪ Every principal (user, group, computer) is a node ▪ Every privilege (and group membership) is a relationship ▪ Graphs are phenomenally fast at finding paths between disparate nodes 2424

25. 25 Domain AdminsAlice AdminComputer 1 Bob User Helpdesk Group Data Source: LDAP

26. 26 Domain AdminsAlice AdminComputer 1 Bob User Helpdesk Group MemberOf MemberOf Data Source: LDAP

27. 27 Domain AdminsAlice AdminComputer 1 Bob User Helpdesk Group MemberOf MemberOf AdminTo Data Source: NetLocalGroupGetMembers

28. 28 Domain AdminsAlice AdminComputer 1 Bob User Helpdesk Group MemberOf MemberOfHasSession AdminTo Data Source: NetSessionEnum

29. Now You’re Thinking With Graphs ▪ Manual “derivative local admin” takes days to months ▪ Data collection, graph analysis, and attack path execution takes minutes to hours 2929

30. 30 BloodHound 1.0 Schema

31. 31 BloodHound 2.0 Schema

32. Conclusion

33. Three Problems Graphs Solved ▪ Complexity - Analyzing thousands of paths became possible ▪ Readability - Presenting concepts to non-technical audiences became easier ▪ Accessibility - Opened up the methodology to both the defensive and offensive side 3333

34. Three Exciting Defensive Applications ▪ Easier, more effective, more accurate permission auditing ▪ Attack path identification and mitigation/elimination ▪ Empirical key terrain identification 3434

35. If There’s One Thing to Take Away From this Talk ▪ Graphs are not the solution to every problem; however, they allow you to look at problems in a unique way and solve complex problems that otherwise would be insanely difficult to visualize, compute, or solve 3535

36. Acknowledgements and Prior Work http://alicezheng.org/papers/sosp2009-heatray-10pt.pdf https://www.sixdub.net/?p=591 https://bitbucket.org/iwseclabs/bta https://github.com/ANSSI-FR/AD-control-paths https://powersploit.readthedocs.io/en/latest/Recon/ 3636

37. 37 Thank you! QUESTIONS? You can find us at: ▪ specterops.io ▪ @SpecterOps ▪ @_wald0 ▪ @CptJesus ▪ BloodHound: https://bit.ly/GetBloodHound ▪ BloodHound Slack: https://bloodhoundgang.herokuapp.com

BloodHound: Attack Graphs Practically Applied to Active Directory

Empfohlen

Empfohlen

Weitere ähnliche Inhalte

Was ist angesagt?

Was ist angesagt? (20)

Ähnlich wie BloodHound: Attack Graphs Practically Applied to Active Directory

Ähnlich wie BloodHound: Attack Graphs Practically Applied to Active Directory (20)

Kürzlich hochgeladen

Kürzlich hochgeladen (20)

BloodHound: Attack Graphs Practically Applied to Active Directory