BloodHound and the Adversary Resilience Methodology
HELLO!
I am Andy Robbins
I work at SpecterOps
You can find me at @_wald0
HELLO!
I am Rohan Vazarkar
I work at SpecterOps
You can find me at @CptJesus
Defenders think in lists. Attackers think in graphs. As long as this is true, attackers win.
John Lambert
Distinguished Engineer, Microsoft
What’s New in BloodHound 2.1
Resource Based Constrained Delegation
UI Improvements
Collector Improvements
The Better Basic Permissions Audit
BloodHound Greatly Simplifies:
Just tell me which non-DAs can control any DA and how
// p1: every principal that is a (direct or nested) member of Domain Admins
MATCH p1 = (daPrincipal)-[:MemberOf*1..]->(daGroup:Group {name:'DOMAIN ADMINS@DOMAIN.COM'})
WITH p1,daPrincipal,daGroup
// p2: principals holding a direct ACL edge (isacl:true) onto a DA member, other than the DA group itself
OPTIONAL MATCH p2 = (l)-[{isacl:true}]->(daPrincipal)
WHERE NOT l = daGroup AND NOT l = daPrincipal
// p3: principals that inherit such an ACL edge through group membership, excluding anyone who is already a DA
OPTIONAL MATCH p3 = (m)-[:MemberOf*1..]->(g:Group)-[{isacl:true}]->(daPrincipal)
WHERE NOT m = daPrincipal AND NOT m = daGroup AND NOT g = daGroup AND NOT (m)-[:MemberOf*1..]->(daGroup)
RETURN p1,p2,p3
*Slides available afterwards
BloodHound Greatly Simplifies:
Group Policy Control Audit at a Glance
Of course this can all be scripted
Or…
Just tell me which non-DAs can control any GPO that applies to any DA and how
MATCH (g3:Group {name:'DOMAIN ADMINS@DOMAIN.COM'})
// p1: non-enforced GPOs linked somewhere above a DA user, unless an OU on the path
// blocks inheritance and the GPO is not linked directly to that OU
OPTIONAL MATCH p1 = (g1:GPO)-[:GpLink {enforced:false}]->(container)-[:Contains*1..]->(u1:User)-[:MemberOf*1..]->(g3)
WHERE NONE (x in NODES(p1) WHERE x.blocksinheritance = true AND x:OU AND NOT (g1)-->(x))
// p2: enforced GPOs apply to the DA user regardless of inheritance blocking
OPTIONAL MATCH p2 = (g2:GPO)-[:GpLink {enforced:true}]->(container)-[:Contains*1..]->(u2:User)-[:MemberOf*1..]->(g3)
RETURN p1,p2
MATCH (g3:Group {name:'DOMAIN ADMINS@DOMAIN.COM'})
// p1: non-enforced GPOs that reach a DA user without being cut off by a blocking OU
OPTIONAL MATCH p1 = (g1:GPO)-[:GpLink {enforced:false}]->(container)-[:Contains*1..]->(u1:User)-[:MemberOf*1..]->(g3)
WHERE NONE (x in NODES(p1) WHERE x.blocksinheritance = true AND x:OU AND NOT (g1)-->(x))
WITH p1,g1,g3,u1
// p2: enforced GPOs that reach a DA user (blocking does not stop them)
OPTIONAL MATCH p2 = (g2:GPO)-[:GpLink {enforced:true}]->(container)-[:Contains*1..]->(u2:User)-[:MemberOf*1..]->(g3)
WITH p1,p2,g1,g2,g3,COLLECT(u1) + COLLECT(u2) as u
// p3/p4: who controls the non-enforced GPOs, directly or through a group, excluding Domain Admins
OPTIONAL MATCH p3 = (l)-[{isacl:true}]->(g1)
WHERE NOT l = g3
OPTIONAL MATCH p4 = (m)-[:MemberOf*1..]->(g4:Group)-[{isacl:true}]->(g1)
WHERE NOT (m)-[:MemberOf*1..]->(g3) AND NOT m = g3
// p5/p6: the same for the enforced GPOs, also excluding the DA users collected above
OPTIONAL MATCH p5 = (n)-[{isacl:true}]->(g2)
WHERE NOT n = g3
OPTIONAL MATCH p6 = (o)-[:MemberOf*1..]->(g5:Group)-[{isacl:true}]->(g2)
WHERE NOT o IN u AND NOT o = g3 AND NOT g5 = g3
RETURN p1,p2,p3,p4,p5,p6
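The GPO-applicability rules the two queries above encode (enforced links always apply; a non-enforced link is cut off by any OU between the link point and the user that blocks inheritance, unless the GPO is linked directly to that OU) are easy to get wrong, so here is the same logic worked through in Python over a constructed directory. This is an added example, not code from the deck or from the BloodHound project; every container, GPO and principal name is made up, and the set of DA users is taken as an input (BloodHound derives it from MemberOf edges, as the first query does).

```python
# Constructed sample data (not real): a tiny directory modelled the way BloodHound
# stores it. PARENT reverses the "Contains" edge: object -> the container holding it.
PARENT = {
    "OU=TIER0,DC=CORP,DC=LOCAL": "DC=CORP,DC=LOCAL",
    "OU=ADMINS,OU=TIER0,DC=CORP,DC=LOCAL": "OU=TIER0,DC=CORP,DC=LOCAL",
    "ALICE@CORP.LOCAL": "OU=ADMINS,OU=TIER0,DC=CORP,DC=LOCAL",
    "OU=STAFF,DC=CORP,DC=LOCAL": "DC=CORP,DC=LOCAL",
    "BOB@CORP.LOCAL": "OU=STAFF,DC=CORP,DC=LOCAL",
}
# OUs whose "blocksinheritance" property is true.
BLOCKS_INHERITANCE = {"OU=TIER0,DC=CORP,DC=LOCAL"}
# GpLink edges: (gpo, container it is linked to, enforced flag).
GPLINKS = [
    ("DEFAULT DOMAIN POLICY@CORP.LOCAL", "DC=CORP,DC=LOCAL", False),
    ("ENFORCED AUDIT POLICY@CORP.LOCAL", "DC=CORP,DC=LOCAL", True),
    ("TIER0 HARDENING@CORP.LOCAL", "OU=TIER0,DC=CORP,DC=LOCAL", False),
    ("HELPDESK SCRIPTS@CORP.LOCAL", "OU=STAFF,DC=CORP,DC=LOCAL", False),
]
# isacl:true edges onto GPO objects: (principal, gpo). Hypothetical names.
GPO_ACL_EDGES = [
    ("GPO-EDITORS@CORP.LOCAL", "TIER0 HARDENING@CORP.LOCAL"),
    ("ALICE@CORP.LOCAL", "DEFAULT DOMAIN POLICY@CORP.LOCAL"),
    ("BOB@CORP.LOCAL", "HELPDESK SCRIPTS@CORP.LOCAL"),
]
# The DA user set is an input here (BloodHound computes it from MemberOf edges).
DA_USERS = {"ALICE@CORP.LOCAL"}


def container_chain(obj):
    """Containers holding `obj`, nearest first, up to the domain root."""
    chain, cur = [], PARENT.get(obj)
    while cur is not None:
        chain.append(cur)
        cur = PARENT.get(cur)
    return chain


def applied_gpos(user):
    """GPOs that apply to `user`: enforced links always apply; a non-enforced
    link is cut off by any OU between the link point and the user that blocks
    inheritance (the OU the GPO is linked to never blocks its own GPOs)."""
    chain = container_chain(user)
    applied = set()
    for gpo, container, enforced in GPLINKS:
        if container not in chain:
            continue
        if enforced:
            applied.add(gpo)
            continue
        # OUs strictly below the link container, i.e. closer to the user.
        below = chain[:chain.index(container)]
        if not any(ou in BLOCKS_INHERITANCE for ou in below):
            applied.add(gpo)
    return applied


def non_da_gpo_controllers(da_users=DA_USERS):
    """(principal, gpo) pairs where a non-DA principal holds an ACL edge onto a
    GPO that applies to at least one DA user."""
    gpos_hitting_das = set()
    for user in da_users:
        gpos_hitting_das |= applied_gpos(user)
    return {(p, g) for p, g in GPO_ACL_EDGES
            if g in gpos_hitting_das and p not in da_users}


if __name__ == "__main__":
    for user in ("ALICE@CORP.LOCAL", "BOB@CORP.LOCAL"):
        print(user, "<-", sorted(applied_gpos(user)))
    print("non-DA control over DA-applied GPOs:", sorted(non_da_gpo_controllers()))
```

In the sample, the Default Domain Policy is linked at the domain root but never reaches ALICE because OU=TIER0 blocks inheritance, while the enforced audit policy does; only the GPO-EDITORS group therefore shows up as a non-DA principal controlling a GPO that applies to a DA.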
Finding Systemic Issues
Least Privilege Violations: Two Perspectives
Inbound permissions
Outbound permissions
// Inbound view: how many distinct users hold local admin on each computer,
// directly or through (nested) group membership
MATCH (c:Computer {domain:'DOMAIN.COM'})
OPTIONAL MATCH (n1:User)-[:AdminTo]->(c)
OPTIONAL MATCH (n2:User)-[:MemberOf*1..]->(:Group)-[:AdminTo]->(c)
WITH COLLECT(n1) + COLLECT(n2) as tempVar,c
UNWIND tempVar as Admins
RETURN c.name,COUNT(DISTINCT(Admins)) as Admins
ORDER BY Admins DESC
Least Privilege Violations: Two Perspectives
Inbound permissions
Outbound permissions
https://dirkjanm.io/abusing-exchange-one-api-call-away-from-domain-admin/
What is this going to break?
https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=5136
Result
Total events after 14 months: 0
We removed the offending ACEs
Nothing broke!
5 months before PrivExchange hit the headlines
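The check behind that result, worked through as an added example (not code from the deck): before removing an ACE, audit whether anyone actually exercises it. Event 5136 ("A directory service object was modified") records the subject, the object DN and the attribute changed; a DACL change shows up as a modification of nTSecurityDescriptor. The script below parses a handful of constructed event records in the Windows event XML layout and counts the ones where a watched principal rewrote the security descriptor of a watched object. The field names are the standard 5136 EventData fields; the principals, DNs and values are made up for the example.

```python
import xml.etree.ElementTree as ET

NS_URI = "http://schemas.microsoft.com/win/2004/08/events/event"
NS = {"e": NS_URI}


def make_event(event_id, fields):
    """Build a minimal Windows event XML record (constructed sample, not a real log)."""
    data = "".join(f'<Data Name="{k}">{v}</Data>' for k, v in fields.items())
    return (f'<Event xmlns="{NS_URI}"><System><EventID>{event_id}</EventID></System>'
            f'<EventData>{data}</EventData></Event>')


# Constructed sample events. Field names follow the 5136 EventData layout;
# the principals, DNs and values are made up for the example.
SAMPLE_EVENTS = [
    # A DA changing permissions on an OU: not a subject we are watching.
    make_event(5136, {"SubjectUserName": "admin-alice", "SubjectDomainName": "CORP",
                      "ObjectDN": "OU=Servers,DC=corp,DC=local", "ObjectClass": "organizationalUnit",
                      "AttributeLDAPDisplayName": "nTSecurityDescriptor", "OperationType": "%%14674"}),
    # The Exchange server writing a mailbox attribute: routine, not a DACL change.
    make_event(5136, {"SubjectUserName": "EXCHANGE01$", "SubjectDomainName": "CORP",
                      "ObjectDN": "CN=Bob,OU=Users,DC=corp,DC=local", "ObjectClass": "user",
                      "AttributeLDAPDisplayName": "proxyAddresses", "OperationType": "%%14674"}),
    # The Exchange server rewriting the DACL of the domain head: the ACE in question being used.
    make_event(5136, {"SubjectUserName": "EXCHANGE01$", "SubjectDomainName": "CORP",
                      "ObjectDN": "DC=corp,DC=local", "ObjectClass": "domainDNS",
                      "AttributeLDAPDisplayName": "nTSecurityDescriptor", "OperationType": "%%14674"}),
    # A different event ID from the same subject: out of scope for this check.
    make_event(4662, {"SubjectUserName": "EXCHANGE01$", "SubjectDomainName": "CORP",
                      "ObjectName": "DC=corp,DC=local"}),
]

# Principals holding the ACE we intend to remove, and the objects it targets.
WATCHED_SUBJECTS = {"CORP\\EXCHANGE01$"}
WATCHED_OBJECTS = {"DC=CORP,DC=LOCAL"}


def parse_event(xml_text):
    """Return (event_id, {Data Name: value}) for one event record."""
    root = ET.fromstring(xml_text)
    event_id = int(root.find("e:System/e:EventID", NS).text)
    data = {d.get("Name"): (d.text or "") for d in root.findall("e:EventData/e:Data", NS)}
    return event_id, data


def find_dacl_writes(events, subjects=WATCHED_SUBJECTS, objects=WATCHED_OBJECTS):
    """5136 records in which a watched principal modified nTSecurityDescriptor
    (the DACL/owner) on a watched object. Zero hits over the audit window is the
    signal the deck relied on before removing the ACE."""
    wanted_subjects = {s.upper() for s in subjects}
    wanted_objects = {o.upper() for o in objects}
    hits = []
    for record in events:
        event_id, d = parse_event(record)
        if event_id != 5136:
            continue
        if d.get("AttributeLDAPDisplayName") != "nTSecurityDescriptor":
            continue
        subject = f"{d.get('SubjectDomainName', '')}\\{d.get('SubjectUserName', '')}".upper()
        if subject not in wanted_subjects:
            continue
        if d.get("ObjectDN", "").upper() not in wanted_objects:
            continue
        hits.append((subject, d["ObjectDN"], d.get("OperationType", "")))
    return hits


if __name__ == "__main__":
    for hit in find_dacl_writes(SAMPLE_EVENTS):
        print("DACL write by watched principal:", hit)
    print("total:", len(find_dacl_writes(SAMPLE_EVENTS)))
```

Only the third sample record matches; in a real audit the events would come from the domain controllers' Security logs, and the object's SACL must audit "Modify permissions" for 5136 to be written at all.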
Finding Systemic Issues
// Same per-computer admin count, restricted to admins whose domain differs
// from the computer's domain (cross-domain admin rights)
MATCH (c:Computer {domain:'DOMAIN.COM'})
OPTIONAL MATCH (n1:User)-[:AdminTo]->(c)
WHERE NOT n1.domain = c.domain
OPTIONAL MATCH (n2:User)-[:MemberOf*1..]->(:Group)-[:AdminTo]->(c)
WHERE NOT n2.domain = c.domain
WITH COLLECT(n1) + COLLECT(n2) as tempVar,c
UNWIND tempVar as foreignAdmins
RETURN c.name,COUNT(DISTINCT(foreignAdmins)) as foreignAdmins
ORDER BY foreignAdmins DESC
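To show what these counts measure without a Neo4j instance, here is an added example (not code from the deck or from the BloodHound project) that builds a small in-memory graph in BloodHound's vocabulary and computes, in Python, the non-DA-controls-DA check from earlier, the inbound per-computer admin count, its cross-domain variant, and the outbound perspective the deck names but shows no query for. Every node name and edge is constructed; the set of relationship types treated as ACL edges is an assumption of the example.

```python
from collections import defaultdict, deque

# Constructed sample graph in BloodHound's vocabulary (not real data):
# node name -> (label, domain); edges as (source, relationship, target).
NODES = {
    "ALICE@CORP.LOCAL": ("User", "CORP.LOCAL"),
    "BOB@CORP.LOCAL": ("User", "CORP.LOCAL"),
    "DAVE@CORP.LOCAL": ("User", "CORP.LOCAL"),
    "CAROL@CHILD.CORP.LOCAL": ("User", "CHILD.CORP.LOCAL"),
    "DOMAIN ADMINS@CORP.LOCAL": ("Group", "CORP.LOCAL"),
    "HELPDESK@CORP.LOCAL": ("Group", "CORP.LOCAL"),
    "WORKSTATION ADMINS@CORP.LOCAL": ("Group", "CORP.LOCAL"),
    "DC01.CORP.LOCAL": ("Computer", "CORP.LOCAL"),
    "WS01.CORP.LOCAL": ("Computer", "CORP.LOCAL"),
    "WS02.CORP.LOCAL": ("Computer", "CORP.LOCAL"),
}
EDGES = [
    ("ALICE@CORP.LOCAL", "MemberOf", "DOMAIN ADMINS@CORP.LOCAL"),
    ("BOB@CORP.LOCAL", "MemberOf", "HELPDESK@CORP.LOCAL"),
    ("HELPDESK@CORP.LOCAL", "MemberOf", "WORKSTATION ADMINS@CORP.LOCAL"),  # nested group
    ("DOMAIN ADMINS@CORP.LOCAL", "AdminTo", "DC01.CORP.LOCAL"),
    ("DOMAIN ADMINS@CORP.LOCAL", "AdminTo", "WS01.CORP.LOCAL"),
    ("DOMAIN ADMINS@CORP.LOCAL", "AdminTo", "WS02.CORP.LOCAL"),
    ("WORKSTATION ADMINS@CORP.LOCAL", "AdminTo", "WS01.CORP.LOCAL"),
    ("WORKSTATION ADMINS@CORP.LOCAL", "AdminTo", "WS02.CORP.LOCAL"),
    ("CAROL@CHILD.CORP.LOCAL", "AdminTo", "WS01.CORP.LOCAL"),              # cross-domain admin
    ("DAVE@CORP.LOCAL", "GenericAll", "ALICE@CORP.LOCAL"),                 # isacl:true edge
    ("HELPDESK@CORP.LOCAL", "ForceChangePassword", "ALICE@CORP.LOCAL"),    # isacl:true edge
]
# Relationship types treated as isacl:true for this example (assumption).
ACL_EDGES = {"GenericAll", "WriteDacl", "WriteOwner", "ForceChangePassword", "AddMember"}

OUT, IN = defaultdict(list), defaultdict(list)
for src, rel, dst in EDGES:
    OUT[src].append((rel, dst))
    IN[dst].append((rel, src))


def _closure(start, index, rel="MemberOf"):
    """Nodes reachable from `start` over `rel` edges in one direction (MemberOf*1..)."""
    seen, queue = set(), deque([start])
    while queue:
        for r, nxt in index[queue.popleft()]:
            if r == rel and nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return seen


def groups_of(principal):
    return _closure(principal, OUT)   # groups the principal is (transitively) in


def members_of(group):
    return _closure(group, IN)        # principals (transitively) inside the group


def holders(principal):
    """The principal itself plus, if it is a group, everyone nested inside it."""
    return {principal} | (members_of(principal) if NODES[principal][0] == "Group" else set())


def inbound_admins(computer):
    """Inbound view: users with AdminTo on `computer`, directly or via nested groups."""
    users = set()
    for rel, src in IN[computer]:
        if rel == "AdminTo":
            users |= {h for h in holders(src) if NODES[h][0] == "User"}
    return users


def admin_counts(domain):
    """Per-computer admin counts, highest first: the Cypher query's result table."""
    rows = [(name, len(inbound_admins(name))) for name, (label, dom) in NODES.items()
            if label == "Computer" and dom == domain]
    return sorted(rows, key=lambda row: -row[1])


def foreign_admins(computer):
    """Admins whose domain differs from the computer's domain."""
    return {u for u in inbound_admins(computer) if NODES[u][1] != NODES[computer][1]}


def outbound_admin_rights(user):
    """Outbound view: every computer this user can administer, directly or via groups."""
    return {dst for p in {user} | groups_of(user) for rel, dst in OUT[p] if rel == "AdminTo"}


def non_da_controllers(da_group):
    """(controller, DA member) pairs where a principal outside Domain Admins holds
    an ACL edge onto a DA member, directly or through a group it belongs to."""
    da_set = members_of(da_group) | {da_group}
    pairs = set()
    for target in da_set - {da_group}:
        for rel, src in IN[target]:
            if rel in ACL_EDGES:
                pairs |= {(h, target) for h in holders(src) if h not in da_set}
    return pairs


if __name__ == "__main__":
    print(admin_counts("CORP.LOCAL"))
    print("foreign admins on WS01:", foreign_admins("WS01.CORP.LOCAL"))
    print("BOB administers:", outbound_admin_rights("BOB@CORP.LOCAL"))
    print("non-DA control over DAs:", non_da_controllers("DOMAIN ADMINS@CORP.LOCAL"))
```

The inbound and outbound views are the same edges read from opposite ends: `admin_counts` walks IN edges into each computer (the first query), `outbound_admin_rights` walks OUT edges from a user through its groups, and the nested HELPDESK membership is what makes BOB both an admin on two workstations and a controller of a DA account.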
Introducing: BloodHound Analytics
bloodhoundanalytics.pbix
bloodhoundanalytics.py
Attackers DEFENDERS think in graphs
You can find us at:
@SpecterOps
@_wald0
@CptJesus
Join the BloodHound Slack:
https://bloodhoundgang.herokuapp.com
CREDITS
Special thanks to all the people who made and released these awesome resources for free: