1.
About Us: Andy
• Job: Adversary Resilience Lead at Specter Ops
• Tool creator/dev: BloodHound
• Presenter: DEF CON, ekoparty, Black Hat Arsenal,
BSidesLV, BSidesSeattle, ISSA Intl, ISC2 World Congress
• Trainer: Black Hat USA, Black Hat Europe, Adversary
Tactics: Red Team Operations
• Twitter: @_wald0

2.
About Us: Rohan
• Job: Director of Technology at Specter Ops
• Tool creator/dev: BloodHound, EyeWitness, Empire,
etc.
• Presenter: DEF CON, ekoparty, Black Hat Arsenal, BSidesLV,
BSidesDC, BSidesDE
• Trainer: Black Hat USA
• Twitter: @CptJesus

3.
About Us: Will
• Job: Offensive Engineer at Specter Ops
• Tool creator/dev: BloodHound, Veil-Framework,
PowerView, PowerUp, Empire
• Presenter: Cons on cons on cons
• Trainer: Black Hat USA, Adversary Tactics: Active
Directory, Adversary Tactics: Red Team Operations
• Twitter: @harmj0y

4.
Outline
• Prior Work
• Why care about this?
• ACL Background
• Abuse Primitives
• Finding Misconfigs and Attack Paths
• BloodHound Interface Demo
• Complex ACL Attack Path Demo

5.
Prior Work

6.
Prior Work
• Heat-ray: Combating Identity Snowball Attacks Using Machine
Learning, Combinatorial Optimization and Attack Graphs
John Dunagan, Alice X. Zheng, Daniel R. Simon
http://bit.ly/2qG0OvE
• Active Directory Control Paths
Lucas Bouillot, Emmanuel Gras, Geraud de Drouas
http://bit.ly/1pBc8FN

7.
Prior Work
• Active Directory ACL Scanner
Robin Granberg
http://bit.ly/2faPdkz
• Airbus BTA
Philippe Biondi, Joffrey Czarny
http://bit.ly/2faFFpX
• Several AD ACL related blog posts
Sean Metcalf
https://adsecurity.org/?tag=ad-acls

8.
Why care?

9.
Why care? (part I)
• Lack of awareness of impact from third party
software/sysadmins
• “Misconfiguration debt” from earlier installs, sometimes
since your domain was stood up
• General lack of defender awareness at impact/importance
• Difficulty of auditing (especially at scale)

10.
Why care? (part II)
• Any authenticated user (by default) can enumerate these
DACLs
• Communication in nearly all cases is limited to the DC
• Execution may not require pivoting to other systems at all!
• Completely different forensic profile that most orgs are not
prepared for

11.
ACL Background

12.
ACL Background
• All securable objects in Windows and Active Directory
have a Security Descriptor.
• The Security Descriptor has a DACL and a SACL
• The DACL is populated by ACEs, which define what
permissions other objects do or do not have against
an object.

13.
ACL Background
• Those are just the very basic moving parts of ACLs and
the Windows security model.
• For way more in-depth info, see our 67 page white
paper from Black Hat this year here:
https://specterops.io/assets/resources/an_ace_up_th
e_sleeve.pdf

14.
Abuse Primitives

15.
The ability to change a user password without knowing the
current password
ForceChangePW
Abuse cmdlet: Set-DomainUserPassword
Cleanup method: mimikatz lsadump::setntlm

16.
The ability to add any other user, group, or computer to a
group.
AddMembers
Abuse cmdlet: Add-DomainGroupMember
Cleanup cmdlet: Remove-DomainGroupMember

17.
Full object control over user and group objects
GenericAll
Abuse cmdlets: Add-DomainGroupMember, Set-
DomainUserPassword, Set-DomainObject & Kerberoast
Cleanup cmdlets and method: Remove-DomainGroupMember,
mimikatz lsadump::setntlm, Set-DomainObject -Clear

18.
The ability to write any object property value
GenericWrite
Abuse cmdlets: Add-DomainGroupMember Set-DomainObject &
Kerberoast
Cleanup cmdlets and method: Remove-DomainGroupMember,
Set-DomainObject -Clear

19.
The ability to grant object ownership to another principal
WriteOwner
Abuse cmdlet: Set-DomainObjectOwner
Cleanup cmdlet: Set-DomainObjectOwner (back to what it was
before)

20.
The ability to add a new ACE to the object’s DACL
WriteDACL
Abuse cmdlet: Add-DomainObjectACL
Cleanup cmdlet: Remove-DomainObjectACL

21.
The ability to perform any “extended right” function
AllExtendedRights
Abuse cmdlets: Add-DomainGroupMember, Set-
DomainUserPassword, Set-DomainObject & Kerberoast
Cleanup cmdlets and method: Remove-DomainGroupMember,
mimikatz lsadump::setntlm, Set-DomainObject -Clear

22.
Finding Misconfigs
and Attack Paths

23.
Finding Attack Opportunities
•How to use PowerView for singular object ACL
inspection – the domain object is a good
candidate here
•How to use SharpHound collector to gather ACLs
for all objects
•How to use BloodHound to find attack paths

24.
Finding Attack Opportunities
• While graph theory is the best approach for modeling the
entire system, one-off analysis can still be useful
• PowerView’s Get-DomainObjectAcl is our go-to for
specific object enumeration and verification of
BloodHound results
• -ResolveGuids helps resolve GUID rights to human
readable form :)

25.
Who can DCSync?

26.
Foreign GPO Edit Rights

27.
SharpHound
•A complete rewrite of the PowerShell Ingestor into
C#
•Lots of new features
•Massive performance increases
•Lots of bugs fixed
•Completely fixed memory usage (200-250mb tops)

28.
SharpHound
•More and better threading!
•Modular stealth enumeration!
•Session Looping
•Caching
•Progress Output! (!!!!!!!!)
•Locale independent Local Admin enumeration

29.
SharpHound – Speed Improvements

30.
SharpHound
•For a full technical write-up and usage guide, see
Rohan’s blog post here:
http://bit.ly/2xVVoVc

31.
Old Ingestor New Ingestor

32.
Special Shoutout
Thank you to all the users in the BloodHound
slack channel participating in the beta. Your help
has been invaluable!

33.
Interface Demo

34.
https://youtu.be/BAEfEdNWij0

35.
Attack Path Demo

36.
https://youtu.be/5USRboxxYUo

37.
Future Work
•More options for taking over computer objects
•Set a temporary fine grained password policy on
a single user to bypass NT history and minimum
age check
•GPOs…soon!

38.
Thank You!
• We are @_wald0, @CptJesus and @harmj0y -
https://www.specterops.io
• Thank you to the BloodHound community for your support, ideas and
beta testing SharpHound. Get BloodHound at
https://bit.ly/GetBloodHound and SharpHound at
http://bit.ly/SharpHound
• Join the BloodHound Slack at
https://bloodhoundgang.herokuapp.com