
Finding Our Path

How We’re Trying to Improve Active Directory Security


Andy Robbins

@_wald0

Rohan Vazarkar

@CptJesus

Will Schroeder

@harmj0y


Background


Prior Work and Acknowledgements

Alice Zheng, John Dunagan, Daniel Simon:

http://alicezheng.org/papers/sosp2009-heatray-10pt.pdf

Emmanuel Gras and Lucas Bouillot:

https://github.com/ANSSI-FR/AD-control-paths

Sean Metcalf:

https://www.adsecurity.org


What is BloodHound?

  • A way to apply graph theory to Active Directory
  • A way to simplify Active Directory privilege analysis
  • A way to visualize Active Directory relationships
    • Google Maps for Active Directory


What problem did BloodHound solve?

  • How do you go from one place in Active Directory to another?
  • How do you escalate your privileges without scanning the network many, many times?
  • How do you analyze permissions more efficiently than built-in tools?


Allows enumeration of remote server sessions as an unprivileged user!


Allows enumeration of local group members on remote servers as an unprivileged user!


Story Time!

  • A pentester named Nat Melson gets initial access in cornhub.io
  • Wants to get Domain Admin... how do they do it?
  • Let’s look at the small Indiana office


Story Time!

  • This process is SLOW
  • More and more network hits as you keep going, and more and more chances to get caught
  • Keeping track of things gets exponentially more difficult as environment size increases!
  • An entire branch of math exists to solve this exact problem... so why are we doing it by hand?


But wait...there’s more!

  • Running SharpHound doesn’t just get you this info; you get so much more!
    • Kerberos (mis)configurations
    • Security group memberships
    • Abusable ACEs
    • Potential MSSQL Abuse


In the real world

  • BloodHound was created in response to a massive organization with hundreds of thousands of endpoints
  • Manual analysis took weeks for a single domain.
    • The organization had hundreds of domains.
    • This did not spark joy 👎
  • BloodHound showed us a path that jumped through 7 different domains, and resulted in a compromise of the forest root.


Example Attack Path


Resource-based Constrained Delegation

Motivation: a modern (Server 2012+) way to “safely” allow user impersonation in Active Directory


(Diagram: the User authenticates to the Frontend Service; the Frontend then “pretends” to be the User when it talks to the Backend.)

Resource-based Constrained Delegation: Background

  • Implemented with a security descriptor (DACL) on the target resource/computer object
    • The security descriptor is stored as raw binary bytes in the msDS-AllowedToActOnBehalfOfOtherIdentity attribute
    • It defines who is allowed to impersonate (any) users to the target system
  • Impersonation is performed with the S4U2self/S4U2proxy Kerberos extensions


Resource-based Constrained Delegation: Background

  • In Spring 2019, Elad Shamir released his “Wagging the Dog” post on RBCD abuse
  • His big finding:
    • Non-forwardable S4U2self tickets still work for S4U2proxy when performing resource-based constrained delegation
  • Translation: this grants us a generalized ACL-based computer takeover attack primitive!


Resource-based Constrained Delegation: In English

If we can modify the msDS-AllowedToActOnBehalfOfOtherIdentity property of a computer object in Active Directory, we can compromise the computer itself in modern domains!


(Videos 1-4)


The Adversary Resilience Methodology


Attackers think in graphs, defenders think in lists.

As long as this is true, attackers win.

John Lambert

Distinguished Engineer, Microsoft


Adversary Resilience Methodology (a cycle):

  • Enumerate Attack Paths
  • Analyze Attack Paths
  • Generate/Validate Remediation Hypotheses
  • Deploy Prioritized Fixes

Quantify Privileges, Understand Attack Paths

Objective: find critical low-hanging fruit, generate descriptive statistics, and measure overall security posture


Most Privileged Groups


Computers with Most Admins


(Video 5)


Privileged Kerberoastable Users


Privileged Kerberoastable Users With Weak Passwords


Percentage of Users with a Path to Domain Admin


Generate and Validate Remediation Hypotheses

Objective: eliminate or mitigate as many attack paths as possible using practical and measurably effective strategies


  • Finding “All Paths” means finding the longest path
  • In graph theory, the longest path problem is NP-hard for directed, cyclic graphs

20,346,385

Shortest Attack Paths

Active Directory is not a maze.


Active Directory is a map.


Forget about analyzing all paths.

Focus on isolating sensitive principals.


Domain Admin Exposure

  • Credentials in memory
  • Abusable ACEs
  • GPO Abuse
  • Kerberoast
  • AS-REP Roast


Percentage of Users with a Path to Domain Admin

Before

After
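One way to compute the deck’s “percentage of users with a path to Domain Admin” metric, re-measure it after a candidate fix (the generate/validate step), and pull out the shortest attack path instead of enumerating all of them. This is an added example, not BloodHound’s own code; the graph, node names and edge list are a constructed toy, while the edge labels borrow BloodHound’s vocabulary.

```python
from collections import deque

# Constructed toy graph (not real data); edge labels use BloodHound's vocabulary.
EDGES = [
    ("bob", "HELPDESK", "MemberOf"),
    ("HELPDESK", "WS01", "AdminTo"),
    ("WS01", "alice", "HasSession"),
    ("alice", "IT-ADMINS", "MemberOf"),
    ("IT-ADMINS", "SRV01", "GenericWrite"),  # can write msDS-AllowedToActOnBehalfOfOtherIdentity (RBCD takeover)
    ("SRV01", "da_user", "HasSession"),
    ("da_user", "DOMAIN ADMINS", "MemberOf"),
    ("carol", "FINANCE", "MemberOf"),
    ("FINANCE", "FS01", "AdminTo"),
]
USERS = {"bob", "alice", "carol", "da_user"}
TARGET = "DOMAIN ADMINS"

def build_graph(edges):
    g = {}
    for src, dst, _kind in edges:  # u -> v: control of u lets an attacker reach v
        g.setdefault(src, []).append(dst)
        g.setdefault(dst, [])
    return g

def shortest_path(g, start, target):
    """BFS shortest path as a node list, or None if target is unreachable.
    Polynomial time, unlike enumerating all paths (the NP-hard longest-path problem)."""
    seen = {start}
    queue = deque([[start]])
    while queue:
        path = queue.popleft()
        if path[-1] == target:
            return path
        for nxt in g.get(path[-1], []):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(path + [nxt])
    return None

def percent_users_with_path(edges, users=USERS, target=TARGET):
    """The deck's posture metric: share of users with any path to Domain Admins."""
    g = build_graph(edges)
    hits = [u for u in users if shortest_path(g, u, target) is not None]
    return 100.0 * len(hits) / len(users)

def rank_remediations(edges):
    """Remediation hypotheses: cut one edge at a time, re-measure, best first."""
    trials = [(percent_users_with_path(edges[:i] + edges[i + 1:]), e) for i, e in enumerate(edges)]
    return sorted(trials, key=lambda t: t[0])
```

In the toy graph the metric starts at 75%, and every hypothesis that breaks the IT-ADMINS → SRV01 → da_user chain (for example, keeping the DA account from logging on to SRV01) drops it to 25% with a single change.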


Everything In This Talk is Free and Open Source


Andy Robbins

@_wald0

Rohan Vazarkar

@CptJesus

Will Schroeder

@harmj0y

@SpecterOps specterops.io

Thank you!


CREDITS

Special thanks to all the people who made and released these awesome resources for free:
