BloodHound 1.3 - The ACL Attack Path Update - Paranoia17, Oslo
At Paranoia17 we publicly announced the release of BloodHound 1.3 - The ACL Attack Path Update. This update brings securable object control to the fore, based on work by Emmanuel Gras and Lucas Bouillot.

Published in: Technology


1. BloodHound: Teaching a New Dog Even More Tricks
2. Andy Robbins. Job: Adversary Resilience Lead at Specter Ops. Tool creator/dev: BloodHound. Presenter: DEF CON, ekoparty, Black Hat Arsenal, BSidesLV, BSidesSeattle, ISSA Intl, ISC2 World Congress. Trainer: Black Hat USA, Black Hat Europe. Twitter: @_wald0
3. Rohan Vazarkar. Job: Adversary Resilience Operator at Specter Ops. Tool creator/dev: BloodHound, EyeWitness, Empire, etc. Presenter: DEF CON, ekoparty, Black Hat Arsenal, BSidesLV, BSidesDC, BSidesDE. Trainer: Black Hat USA. Twitter: @CptJesus
4. Will Schroeder. Job: Offensive Engineer at Specter Ops. Tool creator/dev: BloodHound, Veil-Framework, PowerView, PowerUp, Empire. Presenter: A lot. Trainer: Black Hat USA. Twitter: @harmj0y
5. “Defenders think in lists. Attackers think in graphs. As long as this is true, attackers win.” John Lambert, General Manager, Microsoft Threat Intelligence Center
6. Prior Work
   • Heat-ray: Combating Identity Snowball Attacks Using Machine Learning, Combinatorial Optimization and Attack Graphs. John Dunagan, Alice X. Zheng, Daniel R. Simon, 2008. http://bit.ly/2qG0OvE
   • Active Directory Control Paths. Lucas Bouillot, Emmanuel Gras, Geraud de Drouas, 2014
7. BloodHound
   • Released at DEF CON 24 in 2016
   • Uses graph theory for domain attack path identification
   • Easy data collection with PowerShell ingestor based on
8. BloodHound Basics. Diagram: Bob -MemberOf-> Helpdesk -AdminTo-> Server1
9. MemberOf (Source → Target): the source belongs to the target group
10. AdminTo (Source → Target): the source is an administrator on the target computer
11. HasSession (Source → Target): the source computer has the target user logged in on it
12. Diagram: Bob -AdminTo-> Server1; Mary -MemberOf-> Domain Admins
13. BloodHound Basics
   • Who is logged on where?
   • Who has admin rights to what computers?
   • What users, groups, and computers belong to what groups?
   • With those 3 pieces of information in our database, we can nearly instantly identify any derivative local admin attack path in a domain
   • For a more in-depth explanation, see our DEF CON presentation here: http://bit.ly/2qE6Yx2
14. BloodHound 1.3: The ACL Attack Path Update
15. Discretionary Access Control Lists
   • All securable objects in Windows and Active Directory have a Security Descriptor
   • The Security Descriptor has a DACL and a SACL
   • The DACL is populated by Access Control Entries (ACEs), which define what permissions other objects do or do not have against an object
16. Modeled in the BloodHound Attack Graph. Diagram: Helpdesk -ForceChangePW-> CptJesus
17. ForceChangePW (Source → Target): the ability to change a user password without knowing the current password. Weaponized by: Set-DomainUserPassword
18. AddMembers (Source → Target): the ability to add any other user, group, or computer to a group. Weaponized by: Add-DomainGroupMember
19. GenericAll (Source → Target): full object control over user and group objects. Weaponized by: Add-DomainGroupMember, Set-DomainUserPassword
20. GenericWrite (Source → Target): the ability to write any object property value. Weaponized by: Set-DomainObject or Add-DomainGroupMember
21. WriteOwner (Source → Target): the ability to grant object ownership to another principal. Weaponized by: Set-DomainObjectOwner
22. WriteDACL (Source → Target): the ability to add a new ACE to the object’s DACL. Weaponized by: Add-DomainObjectACL
23. AllExtendedRights (Source → Target): the ability to perform any “extended right” function. Weaponized by: Set-DomainUserPassword, Add-DomainGroupMember
24. Transitive Object Control. Diagram: Bob -AddMembers-> Helpdesk -ForceChangePW-> Admin
25. BloodHound Interface Demo
26. Transitive Object Control Attack Path Demo
27. Get BloodHound: https://bit.ly/GetBloodHound
28. Thank You! Andy Robbins: @_wald0; Rohan Vazarkar: @CptJesus; Will Schroeder: @harmj0y; Specter Ops: @SpecterOps; www.specterops.io
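As an added example (not BloodHound's own code or its Cypher queries), the Python below models the edge types from the basics slides and the ACL slides as a small directed graph and runs a breadth-first search for the shortest chain of memberships and ACEs from a principal to a target; the node names (Bob, Helpdesk, Admin, Mary, Server1) and the edges are constructed to mirror the slide diagrams. Each hop returned is one membership or ACE a defender could remove to cut the path, which is the remediation view of the same graph.

```python
# Toy model of the BloodHound attack graph from the slides: a constructed
# example, not BloodHound's own code or Cypher queries. Nodes are users,
# groups and computers; directed edges carry the relationship type.
from collections import deque
BASIC_EDGES = {"MemberOf", "AdminTo", "HasSession"}          # basics slides
ACL_EDGES = {"ForceChangePW", "AddMembers", "GenericAll", "GenericWrite",
             "WriteOwner", "WriteDACL", "AllExtendedRights"}  # 1.3 ACL slides

# Constructed sample graph as (source, edge type, target); the ACL chain is
# modelled on the transitive object control slide: Bob can add members to
# Helpdesk, which can reset Admin's password, and Admin is in Domain Admins.
EDGES = [
    ("Bob", "AdminTo", "Server1"),
    ("Server1", "HasSession", "Mary"),
    ("Mary", "MemberOf", "Domain Admins"),
    ("Bob", "AddMembers", "Helpdesk"),
    ("Helpdesk", "ForceChangePW", "Admin"),
    ("Admin", "MemberOf", "Domain Admins"),
]

def build_graph(edges):
    # Adjacency list: node -> list of (edge_type, neighbour).
    graph = {}
    for src, kind, dst in edges:
        graph.setdefault(src, []).append((kind, dst))
    return graph

def find_path(graph, source, target, allowed):
    """Breadth-first search for the shortest source->target chain using only
    edge types in `allowed`; returns [(src, type, dst), ...] or None."""
    parent = {source: None}  # node -> (previous node, edge type); doubles as visited set
    queue = deque([source])
    while queue:
        node = queue.popleft()
        if node == target:
            hops = []
            while parent[node] is not None:
                prev, kind = parent[node]
                hops.append((prev, kind, node))
                node = prev
            return hops[::-1]
        for kind, nxt in graph.get(node, []):
            if kind in allowed and nxt not in parent:
                parent[nxt] = (node, kind)
                queue.append(nxt)
    return None

if __name__ == "__main__":
    g = build_graph(EDGES)
    print(find_path(g, "Bob", "Domain Admins", BASIC_EDGES))              # derivative local admin path
    print(find_path(g, "Bob", "Domain Admins", ACL_EDGES | {"MemberOf"}))  # transitive object control path
```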