This document provides an overview of the BloodHound tool for analyzing Active Directory environments. It describes what BloodHound is, how it works, its history and updates. It also covers various ingestors for collecting AD data, the Cypher query language, and tips for using BloodHound including finding high value principals, attacking groups and computers, and common post-exploitation techniques.
At Paranoia17 we publicly announced the release of BloodHound 1.3 - The ACL Attack Path Update. This update brings securable object control to the fore, based on work by Emmanuel Gras and Lucas Bouillot.
Six Degrees of Domain Admin - BloodHound at DEF CON 24Andy Robbins
This document summarizes a presentation about domain privilege escalation in Active Directory environments. It discusses how attackers can escalate privileges by chaining together access to various privileged accounts through derivative local administrator rights. It introduces the concepts of attack graphs and how the BloodHound tool uses graph theory and data collected from PowerView to map out all the potential privilege escalation paths in a domain. PowerView is presented as a stealthy method to collect the situational awareness data on users, groups, computers and permissions that BloodHound relies on to generate and analyze the attack graph.
BloodHound: Attack Graphs Practically Applied to Active DirectoryAndy Robbins
This document discusses BloodHound, a tool that uses graph databases and analysis to help analyze complex privilege relationships within Active Directory environments. It describes how traditionally these types of analyses were done manually, which was tedious and ineffective for anything but small environments. BloodHound collects data on users, groups, computers and privileges through LDAP and other queries, and then constructs a graph database to allow for easy visualization and identification of attack paths. This helps both offensive and defensive teams more easily understand privilege escalation risks and harden their environments.
Building an enterprise level single sign-on application with the help of keycloak (Open Source Identity and Access Management).
And understanding the way to secure your application; frontend & backend API’s. Managing user federation with minimum configuration.
This document discusses techniques for enumerating information from Active Directory. It begins with an introduction and overview of the domain being targeted, CAPSULE.CORP. The agenda covers local privileges enumeration using MS-RPC to find local admin accounts, logon and session enumeration to detect where users are logged in from, and LDAP enumeration to discover objects and relationships. The document provides details on tools like PowerView that can be used to remotely enumerate SAM databases, network sessions, and query LDAP. It discusses attributes and groups of interest for users, computers, and privileges like delegation.
This document provides an overview of Kubernetes and attacking Kubernetes clusters for penetration testers. It begins with introductions to containers, Kubernetes, and setting up a local Kubernetes cluster. It then covers a threat model for Kubernetes and describes an attacker's workflow against a cluster, including discovery, vulnerability testing, exploitation, and persistence. Specific attacks demonstrated include API server authorization testing, discovering exposed etcd and internal services, container escapes, and Helm Tiller privilege escalation. Resources for further learning are also provided.
At Paranoia17 we publicly announced the release of BloodHound 1.3 - The ACL Attack Path Update. This update brings securable object control to the fore, based on work by Emmanuel Gras and Lucas Bouillot.
Six Degrees of Domain Admin - BloodHound at DEF CON 24Andy Robbins
This document summarizes a presentation about domain privilege escalation in Active Directory environments. It discusses how attackers can escalate privileges by chaining together access to various privileged accounts through derivative local administrator rights. It introduces the concepts of attack graphs and how the BloodHound tool uses graph theory and data collected from PowerView to map out all the potential privilege escalation paths in a domain. PowerView is presented as a stealthy method to collect the situational awareness data on users, groups, computers and permissions that BloodHound relies on to generate and analyze the attack graph.
BloodHound: Attack Graphs Practically Applied to Active DirectoryAndy Robbins
This document discusses BloodHound, a tool that uses graph databases and analysis to help analyze complex privilege relationships within Active Directory environments. It describes how traditionally these types of analyses were done manually, which was tedious and ineffective for anything but small environments. BloodHound collects data on users, groups, computers and privileges through LDAP and other queries, and then constructs a graph database to allow for easy visualization and identification of attack paths. This helps both offensive and defensive teams more easily understand privilege escalation risks and harden their environments.
Building an enterprise level single sign-on application with the help of keycloak (Open Source Identity and Access Management).
And understanding the way to secure your application; frontend & backend API’s. Managing user federation with minimum configuration.
This document discusses techniques for enumerating information from Active Directory. It begins with an introduction and overview of the domain being targeted, CAPSULE.CORP. The agenda covers local privileges enumeration using MS-RPC to find local admin accounts, logon and session enumeration to detect where users are logged in from, and LDAP enumeration to discover objects and relationships. The document provides details on tools like PowerView that can be used to remotely enumerate SAM databases, network sessions, and query LDAP. It discusses attributes and groups of interest for users, computers, and privileges like delegation.
This document provides an overview of Kubernetes and attacking Kubernetes clusters for penetration testers. It begins with introductions to containers, Kubernetes, and setting up a local Kubernetes cluster. It then covers a threat model for Kubernetes and describes an attacker's workflow against a cluster, including discovery, vulnerability testing, exploitation, and persistence. Specific attacks demonstrated include API server authorization testing, discovering exposed etcd and internal services, container escapes, and Helm Tiller privilege escalation. Resources for further learning are also provided.
PSConfEU - Offensive Active Directory (With PowerShell!)Will Schroeder
This talk covers PowerShell for offensive Active Directory operations with PowerView. It was given on April 21, 2016 at the PowerShell Conference EU 2016.
Here Be Dragons: The Unexplored Land of Active Directory ACLsAndy Robbins
This document summarizes information about three individuals - Andy, Rohan, and Will - who work at Specter Ops creating security tools like BloodHound. It provides details on their jobs, tool development experience, conference presentations, training experience, and Twitter accounts. It then outlines abuse primitives that can be exploited through misconfigurations in Active Directory object ACLs. Finally, it demonstrates how to use tools like PowerView, SharpHound, and BloodHound to find misconfigurations and attack paths in Active Directory.
This document discusses techniques for hunting down target users on Windows domains after gaining initial access. It begins by outlining existing tools like psloggedon.exe and netsess.exe that can detect logged-in users but typically require administrator privileges. It then explores using domain data sources and PowerShell with tools like PowerView to profile and locate target users throughout the domain without administrator privileges. Various PowerShell commands like Invoke-UserHunter, Invoke-UserView, and Invoke-UserEventHunter are demonstrated for efficiently finding sessions and events associated with target users.
Fantastic Red Team Attacks and How to Find ThemRoss Wolf
Presented at Black Hat 2019
https://www.blackhat.com/us-19/briefings/schedule/index.html#fantastic-red-team-attacks-and-how-to-find-them-16540
Casey Smith (Red Canary)
Ross Wolf (Endgame)
bit.ly/fantastic19
Abstract:
Red team testing in organizations over the last year has shown a dramatic increase in detections mapped to MITRE ATT&CK™ across Windows, Linux and macOS. However, many organizations continue to miss several key techniques that, unsurprisingly, often blend in with day-to-day user operations. One example includes Trusted Developer Utilities which can be readily available on standard user endpoints, not just developer workstations, and such applications allow for code execution. Also, XSL Script processing can be used as an attack vector as there are a number of trusted utilities that can consume and execute scripts via XSL. And finally, in addition to these techniques, trusted .NET default binaries are known to allow unauthorized execution as well, these include tools like InstallUtil, Regsvcs and AddInProcess. Specific techniques, coupled with procedural difficulties within a team, such as alert fatigue and lack of understanding with environmental norms, make reliable detection of these events near impossible.
This talk summarizes prevalent and ongoing gaps across organizations uncovered by testing their defenses against a broad spectrum of attacks via Atomic Red Team. Many of these adversary behaviors are not atomic, but span multiple events in an event stream that may be arbitrarily and inconsistently separated in time by nuisance events.
Additionally, we introduce and demonstrate the open-sourced Event Query Language for creating high signal-to-noise analytics that close these prevalent behavioral gaps. EQL is event agnostic and can be used to craft analytics that readily link evidence across long sequences of log data. In a live demonstration, we showcase powerful but easy to craft analytics that catch adversarial behavior most commonly missed in organizations today.
Organizations are moving data and applications into public cloud services at a rapid pace. As the public cloud footprint expands, red teams and attackers are reinventing the kill chain in the cloud. Public cloud services provide new, creative ways to discover assets, compromise credentials, move laterally, and exfiltrate data. In this keynote, we explore common techniques from the MITRE ATT&CK Cloud Matrix. For each technique, attendees will analyze misconfigurations, exploitation paths, and common architecture patterns for breaking the kill chain.
1. The document discusses breaking trusts between Active Directory forests by leveraging compromised unconstrained delegation and the "printer bug" to coerce authentication across forest boundaries.
2. It explains how a compromised server with unconstrained delegation in one forest can be used to extract ticket granting tickets (TGTs) that can then be reused to access resources in a separate, trusting forest.
3. The "printer bug" allows remotely forcing authentication and is used to extract TGTs from the separate forest to circumvent typical cross-forest security restrictions. This bypasses the assumption that forests provide a security boundary when two-way trusts exist between them.
Up is Down, Black is White: Using SCCM for Wrong and Rightenigma0x3
This document discusses using Microsoft's System Center Configuration Manager (SCCM) for both offensive and defensive purposes. It introduces PowerSCCM, a PowerShell toolkit for interacting with SCCM. PowerSCCM can be used to create malicious applications and deploy them to targeted collections of machines. It also provides cmdlets for hunting for compromised users and systems. The document recommends tuning SCCM for improved host-based security monitoring and inventory capabilities. It provides examples of using SCCM data for incident response and hunting activities on the network.
This document summarizes a presentation on designing Active Directory DACL backdoors for persistence after gaining initial domain elevation. It discusses how DACL misconfigurations can provide stealthy, long-term access. Specific techniques covered include hiding DACLs and principals from easy enumeration, as well as case studies on backdoors involving DCSync rights, AdminSDHolder, LAPS passwords, Exchange objects, and abusing GPOs. Defenses discussed include proper event log collection and SACL auditing. The document provides an overview of how DACLs can be stealthily misconfigured to maintain access without immediate detection.
Abusing Microsoft Kerberos - Sorry you guys don't get itBenjamin Delpy
This document discusses abusing Microsoft Kerberos authentication. It provides an overview of how Kerberos authentication works, obtaining users' Kerberos keys from Active Directory or client memory, and using those keys to authenticate as the user without their password through techniques like Pass-the-Hash and Overpass-the-Hash. It also demonstrates these techniques live using mimikatz to dump keys and authenticate with captured keys.
The document provides an overview of a red team consultant's methodology for penetration testing engagements. It discusses various stages of an engagement including pre-engagement reconnaissance using tools like LinkedIn and domain research. It covers external testing techniques like NTLM brute forcing. Internal testing focuses on privileges escalation using tools like Mimikatz and movement using techniques like DLL hijacking. Reporting emphasizes providing a full narrative and findings of high quality over large quantities.
Attacker's Perspective of Active DirectorySunny Neo
This document provides an overview of attack methodologies from an attacker's perspective when targeting Active Directory environments. It discusses initial access techniques, privilege escalation to domain admin rights, maintaining situational awareness through techniques like password spraying and Kerberoasting, and lateral movement tactics like pass the hash and pass the ticket. It also provides mitigation strategies and detection opportunities for defenders.
This presentation was given at PSConfEU and covers common privilege escalation vectors for Windows systems, as well as how to enumerate these issues with PowerUp.
As more corporations adopt Google for providing cloud services they are also inheriting the security risks associated with centralized computing, email and data storage outside the perimeter. In order for pentesters and red teamers to remain effective in analyzing security risks, they must adapt techniques in a way that brings value to the customer.
In this presentation we will begin by demonstrating adaptive techniques to crack the perimeter of Google Suite customers. Next, we will show how evasion can be accomplished by hiding in plain-sight due to failures in incident response plans. Finally, we will also show how a simple compromise could mean collateral damage for customers who are not carefully monitoring these cloud environments.
PowerShell for Cyber Warriors - Bsides Knoxville 2016Russel Van Tuyl
Powershell, the new hotness, is an interactive object-oriented command environment that has revolutionized the ability to interact with the Windows operating systems in a programmatic manner. This environment significantly increases the capabilities of administrators, attackers, defenders, and malware authors alike. This presentation introduces popular PowerShell tools and techniques used by penetration testers and blue team members. Tools range from in-memory only remote administration tools to Active Directory enumeration and from reverse engineering to incident response. Additionally, we will review a couple of pieces of malware that leverage PowerShell and provide information on detecting or defending against previously discussed attacks. If you're a CyberWarrior, this presentation will undoubtedly up your game by equipping you with knowledge on the almighty PowerShell.
The slides from the talk I gave in Java.IL's Apr 2019 session.
These slides describe Keycloak, OAuth 2.0, OpenID and SparkBeyond's integration with Keycloak
I'm in your cloud... reading everyone's email. Hacking Azure AD via Active Di...DirkjanMollema
Azure AD is everything but a domain controller in the cloud. This talk will cover what Azure AD is, how it is commonly integrated with Active Directory and how security boundaries extend into the cloud, covering sync account password recovery, privilege escalations in Azure AD and full admin account takeovers using limited on-premise privileges.
While Active Directory has been researched for years and the security boundaries and risks are generally well documented, more and more organizations are extending their network into the cloud. A prime example of this is Office 365, which Microsoft offers through their Azure cloud. Connecting the on-premise Active Directory with the cloud introduces new attack surface both for the cloud and the on-premise directory.
This talk looks at the way the trust between Active Directory and Azure is set up and can be abused through the Azure AD Connect tool. We will take a dive into how the synchronization is set up, how the high-privilege credentials for both the cloud and Active Directory are protected (and can be obtained) and what permissions are associated with these accounts.
The talk will outline how a zero day in common setups was discovered through which on-premise users with limited privileges could take over the highest administration account in Azure and potentially compromise all cloud assets.
We will also take a look at the Azure AD architecture and common roles, and how attackers could backdoor or escalate privileges in cloud setups.
Lastly we will look at how to prevent against these kind of attacks and why your AD Connect server is perhaps one of the most critical assets in the on-premise infrastructure.
DevOops & How I hacked you DevopsDays DC June 2015Chris Gates
In a quest to move faster, organizations can end up creating security vulnerabilities using the tools and products meant to protect them. Both Chris Gates and Ken Johnson will share their collaborative research into the technology driving DevOps as well as share their stories of what happens when these tools are used insecurely as well as when the tools are just insecure.
Technologies discussed will encompass AWS Technology, Chef, Puppet, Hudson/Jenkins, Vagrant, Kickstart and much, much more. This talk will most definitely be an entertaining one but a cautionary tale as well, provoking attendees into action. Ultimately, this is research targeted towards awareness for those operating within a DevOps environment.
PSConfEU - Offensive Active Directory (With PowerShell!)Will Schroeder
This talk covers PowerShell for offensive Active Directory operations with PowerView. It was given on April 21, 2016 at the PowerShell Conference EU 2016.
Here Be Dragons: The Unexplored Land of Active Directory ACLsAndy Robbins
This document summarizes information about three individuals - Andy, Rohan, and Will - who work at Specter Ops creating security tools like BloodHound. It provides details on their jobs, tool development experience, conference presentations, training experience, and Twitter accounts. It then outlines abuse primitives that can be exploited through misconfigurations in Active Directory object ACLs. Finally, it demonstrates how to use tools like PowerView, SharpHound, and BloodHound to find misconfigurations and attack paths in Active Directory.
This document discusses techniques for hunting down target users on Windows domains after gaining initial access. It begins by outlining existing tools like psloggedon.exe and netsess.exe that can detect logged-in users but typically require administrator privileges. It then explores using domain data sources and PowerShell with tools like PowerView to profile and locate target users throughout the domain without administrator privileges. Various PowerShell commands like Invoke-UserHunter, Invoke-UserView, and Invoke-UserEventHunter are demonstrated for efficiently finding sessions and events associated with target users.
Fantastic Red Team Attacks and How to Find ThemRoss Wolf
Presented at Black Hat 2019
https://www.blackhat.com/us-19/briefings/schedule/index.html#fantastic-red-team-attacks-and-how-to-find-them-16540
Casey Smith (Red Canary)
Ross Wolf (Endgame)
bit.ly/fantastic19
Abstract:
Red team testing in organizations over the last year has shown a dramatic increase in detections mapped to MITRE ATT&CK™ across Windows, Linux and macOS. However, many organizations continue to miss several key techniques that, unsurprisingly, often blend in with day-to-day user operations. One example includes Trusted Developer Utilities which can be readily available on standard user endpoints, not just developer workstations, and such applications allow for code execution. Also, XSL Script processing can be used as an attack vector as there are a number of trusted utilities that can consume and execute scripts via XSL. And finally, in addition to these techniques, trusted .NET default binaries are known to allow unauthorized execution as well, these include tools like InstallUtil, Regsvcs and AddInProcess. Specific techniques, coupled with procedural difficulties within a team, such as alert fatigue and lack of understanding with environmental norms, make reliable detection of these events near impossible.
This talk summarizes prevalent and ongoing gaps across organizations uncovered by testing their defenses against a broad spectrum of attacks via Atomic Red Team. Many of these adversary behaviors are not atomic, but span multiple events in an event stream that may be arbitrarily and inconsistently separated in time by nuisance events.
Additionally, we introduce and demonstrate the open-sourced Event Query Language for creating high signal-to-noise analytics that close these prevalent behavioral gaps. EQL is event agnostic and can be used to craft analytics that readily link evidence across long sequences of log data. In a live demonstration, we showcase powerful but easy to craft analytics that catch adversarial behavior most commonly missed in organizations today.
Organizations are moving data and applications into public cloud services at a rapid pace. As the public cloud footprint expands, red teams and attackers are reinventing the kill chain in the cloud. Public cloud services provide new, creative ways to discover assets, compromise credentials, move laterally, and exfiltrate data. In this keynote, we explore common techniques from the MITRE ATT&CK Cloud Matrix. For each technique, attendees will analyze misconfigurations, exploitation paths, and common architecture patterns for breaking the kill chain.
1. The document discusses breaking trusts between Active Directory forests by leveraging compromised unconstrained delegation and the "printer bug" to coerce authentication across forest boundaries.
2. It explains how a compromised server with unconstrained delegation in one forest can be used to extract ticket granting tickets (TGTs) that can then be reused to access resources in a separate, trusting forest.
3. The "printer bug" allows remotely forcing authentication and is used to extract TGTs from the separate forest to circumvent typical cross-forest security restrictions. This bypasses the assumption that forests provide a security boundary when two-way trusts exist between them.
Up is Down, Black is White: Using SCCM for Wrong and Rightenigma0x3
This document discusses using Microsoft's System Center Configuration Manager (SCCM) for both offensive and defensive purposes. It introduces PowerSCCM, a PowerShell toolkit for interacting with SCCM. PowerSCCM can be used to create malicious applications and deploy them to targeted collections of machines. It also provides cmdlets for hunting for compromised users and systems. The document recommends tuning SCCM for improved host-based security monitoring and inventory capabilities. It provides examples of using SCCM data for incident response and hunting activities on the network.
This document summarizes a presentation on designing Active Directory DACL backdoors for persistence after gaining initial domain elevation. It discusses how DACL misconfigurations can provide stealthy, long-term access. Specific techniques covered include hiding DACLs and principals from easy enumeration, as well as case studies on backdoors involving DCSync rights, AdminSDHolder, LAPS passwords, Exchange objects, and abusing GPOs. Defenses discussed include proper event log collection and SACL auditing. The document provides an overview of how DACLs can be stealthily misconfigured to maintain access without immediate detection.
Abusing Microsoft Kerberos - Sorry you guys don't get itBenjamin Delpy
This document discusses abusing Microsoft Kerberos authentication. It provides an overview of how Kerberos authentication works, obtaining users' Kerberos keys from Active Directory or client memory, and using those keys to authenticate as the user without their password through techniques like Pass-the-Hash and Overpass-the-Hash. It also demonstrates these techniques live using mimikatz to dump keys and authenticate with captured keys.
The document provides an overview of a red team consultant's methodology for penetration testing engagements. It discusses various stages of an engagement including pre-engagement reconnaissance using tools like LinkedIn and domain research. It covers external testing techniques like NTLM brute forcing. Internal testing focuses on privileges escalation using tools like Mimikatz and movement using techniques like DLL hijacking. Reporting emphasizes providing a full narrative and findings of high quality over large quantities.
Attacker's Perspective of Active DirectorySunny Neo
This document provides an overview of attack methodologies from an attacker's perspective when targeting Active Directory environments. It discusses initial access techniques, privilege escalation to domain admin rights, maintaining situational awareness through techniques like password spraying and Kerberoasting, and lateral movement tactics like pass the hash and pass the ticket. It also provides mitigation strategies and detection opportunities for defenders.
This presentation was given at PSConfEU and covers common privilege escalation vectors for Windows systems, as well as how to enumerate these issues with PowerUp.
As more corporations adopt Google for providing cloud services they are also inheriting the security risks associated with centralized computing, email and data storage outside the perimeter. In order for pentesters and red teamers to remain effective in analyzing security risks, they must adapt techniques in a way that brings value to the customer.
In this presentation we will begin by demonstrating adaptive techniques to crack the perimeter of Google Suite customers. Next, we will show how evasion can be accomplished by hiding in plain-sight due to failures in incident response plans. Finally, we will also show how a simple compromise could mean collateral damage for customers who are not carefully monitoring these cloud environments.
PowerShell for Cyber Warriors - Bsides Knoxville 2016Russel Van Tuyl
Powershell, the new hotness, is an interactive object-oriented command environment that has revolutionized the ability to interact with the Windows operating systems in a programmatic manner. This environment significantly increases the capabilities of administrators, attackers, defenders, and malware authors alike. This presentation introduces popular PowerShell tools and techniques used by penetration testers and blue team members. Tools range from in-memory only remote administration tools to Active Directory enumeration and from reverse engineering to incident response. Additionally, we will review a couple of pieces of malware that leverage PowerShell and provide information on detecting or defending against previously discussed attacks. If you're a CyberWarrior, this presentation will undoubtedly up your game by equipping you with knowledge on the almighty PowerShell.
The slides from the talk I gave in Java.IL's Apr 2019 session.
These slides describe Keycloak, OAuth 2.0, OpenID and SparkBeyond's integration with Keycloak
I'm in your cloud... reading everyone's email. Hacking Azure AD via Active Di...DirkjanMollema
Azure AD is everything but a domain controller in the cloud. This talk will cover what Azure AD is, how it is commonly integrated with Active Directory and how security boundaries extend into the cloud, covering sync account password recovery, privilege escalations in Azure AD and full admin account takeovers using limited on-premise privileges.
While Active Directory has been researched for years and the security boundaries and risks are generally well documented, more and more organizations are extending their network into the cloud. A prime example of this is Office 365, which Microsoft offers through their Azure cloud. Connecting the on-premise Active Directory with the cloud introduces new attack surface both for the cloud and the on-premise directory.
This talk looks at the way the trust between Active Directory and Azure is set up and can be abused through the Azure AD Connect tool. We will take a dive into how the synchronization is set up, how the high-privilege credentials for both the cloud and Active Directory are protected (and can be obtained) and what permissions are associated with these accounts.
The talk will outline how a zero day in common setups was discovered through which on-premise users with limited privileges could take over the highest administration account in Azure and potentially compromise all cloud assets.
We will also take a look at the Azure AD architecture and common roles, and how attackers could backdoor or escalate privileges in cloud setups.
Lastly we will look at how to prevent against these kind of attacks and why your AD Connect server is perhaps one of the most critical assets in the on-premise infrastructure.
DevOops & How I hacked you DevopsDays DC June 2015Chris Gates
In a quest to move faster, organizations can end up creating security vulnerabilities using the tools and products meant to protect them. Both Chris Gates and Ken Johnson will share their collaborative research into the technology driving DevOps as well as share their stories of what happens when these tools are used insecurely as well as when the tools are just insecure.
Technologies discussed will encompass AWS Technology, Chef, Puppet, Hudson/Jenkins, Vagrant, Kickstart and much, much more. This talk will most definitely be an entertaining one but a cautionary tale as well, provoking attendees into action. Ultimately, this is research targeted towards awareness for those operating within a DevOps environment.
In a rare mash-up, DevOps is increasingly blending the work of both application and network security professionals. In a quest to move faster, organizations can end up creating security vulnerabilities using the tools and products meant to protect them. Both Chris Gates (carnal0wnage) and Ken Johnson (cktricky) will share their collaborative research into the technology driving DevOps as well as share their stories of what happens when these tools are used insecurely as well as when the tools are just insecure.
Technologies discussed will encompass AWS Technology, Chef, Puppet, Hudson/Jenkins, Vagrant, Kickstart and much, much more. Everything from common misconfigurations to remote code execution will be presented. This is research to bring awareness to those responsible for securing a DevOps environment.
Fuzzing softwares for bugs - OWASP SeasidesOWASPSeasides
The document discusses different types of software fuzzing techniques. It provides an overview of the fuzzing process, which involves generating test cases, feeding them to the target program, monitoring for crashes, saving any crash cases, and repeating. It then describes two main types of fuzzing: mutation-based using tools like AFL, and generation-based using techniques like Domato. The document demonstrates mutation-based fuzzing on tcpdump using AFL. It provides steps to set up AFL and tcpdump, generate test cases, run AFL in parallel, and analyze any crashes found.
MariaDB best practices for user and permissions management, secrets storage, SSL, encryption at rest, and more. Includes an overview of MariaDB most advanced security features. Webinar organised in December 2023.
Everybody in our team knows how to create stable and scalable software products. But in this case, we are using Docker... and it really helps us to concentrate on development and spend more time on code review & tests instead of troubleshooting issues with servers.
Traefik on Kubernetes at MySocialApp (CNCF Paris Meetup)Pierre Mavro
This document discusses using Traefik as an ingress controller on Kubernetes to route traffic to applications running on a Kubernetes cluster. It provides details on Traefik's features like load balancing, SSL termination, and integration with Let's Encrypt for automatic SSL certificate management. It also describes how the presenter's company MySocialApp uses Traefik on their Kubernetes infrastructure, including configuration with annotations, support for high availability, and using Consul for storage and distributed locking. The document offers advice on dealing with Let's Encrypt rate limiting and using a CDN like Cloudflare to help mitigate those issues in a production environment.
In this talk, we'll break down how one can exploit an ecosystem that enables management, querying, processing, and storage of, yes you guessed it, copious amounts of data. Hadoop and its many friends have been making their way into companies analyzing (sometimes, after massively collecting...) such data for years now, but they also make it easy to find organizations deploying things internally with security either off by default or otherwise exposed to various critical misconfigurations and access control issues.
If you're running engagements, this should also give you a headstart on what to look for, how to attack networks where these products are running along with a few good ways to make them more defendable. Because if you want to defend well, you need to optimize towards mitigating actual risk vs theoretical, and there's no better way to determine if attacks are real than trying them out yourself. Let's say you just want to better understand how to shell out on servers running Apache Cassandra, Drill, Mesos... well, it may add a few pages to your playbook.
(FYI this is the version of the slides without a conference template-- hopefully NoConName will share the templated version online as well)
This document discusses best practices for organizing code and setting up architecture for larger frontend projects with multiple developers. It covers choosing technology stacks, code organization, coding guidelines, responsive design approaches, performance optimization, and workflows.
Scaling up and accelerating Drupal 8 with NoSQLOSInet
Drupal 8 can scale well and serve pages fast to many users, especially by offloading parts of the work load from the main SQL database to NoSQL solutions.
This presentation describes the strategies and technologies usable to achieve such gains, including specific configuration, contributed modules and custom coding strategies.
An Introduction to Redis for .NET Developers.pdfStephen Lorello
Redis is an in-memory data structure store that can be used as a database, cache, or message broker. It supports various data structures like strings, hashes, lists, sets, sorted sets, streams and geospatial indexes. Redis is single-threaded, runs on a single server, and is very fast. It provides different deployment modes like standalone, sentinel-based replication for high availability, and clustering for horizontal scaling. The StackExchange.Redis client is recommended for .NET developers to connect and interact with Redis.
Beyond Wordcount with spark datasets (and scalaing) - Nide PDX Jan 2018Holden Karau
The document discusses Apache Spark Datasets and how they compare to RDDs and DataFrames. Some key points:
- Datasets provide better performance than RDDs due to a smarter optimizer, more efficient storage formats, and faster serialization. They also offer simplicity advantages over RDDs for things like windowed operations and multi-column aggregates.
- Datasets allow mixing of functional and relational styles more easily than RDDs or DataFrames. The optimizer has more information from Datasets' schemas and can perform optimizations like partial aggregation.
- Datasets address some of the limitations of DataFrames, making it easier to write UDFs and handle iterative algorithms. They provide a typed API compared to the untyped
This document discusses tools and best practices for measuring and improving Drupal performance. It introduces benchmarking and profiling tools like Apache Bench, Yslow, and XHProf. It then outlines easy optimizations like enabling caching, compressing files, and database configuration. More advanced techniques include opcode caching, reverse proxying, clustering, and offloading search. The presentation aims to provide a broad overview of performance topics and spur discussion.
This presentation was given to a group of SFS students at GW. It's designed to be semi-case study driven on the problems I've encountered on assessments and how programming can help solve them.
This document summarizes the EyeWitness tool for automated network discovery and host identification. It discusses the typical assessment lifecycle, initial discovery and recon steps using Nmap and Nessus, and the need to automate analysis of large lists of web servers. The development of EyeWitness is described, from an initial proof of concept to version 2.0, which improved modularity, added protocol support, signature-based categorization and the ability to resume incomplete scans. Future work may include additional modules, protocols, and optical character recognition.
AWS Big Data Demystified #1: Big data architecture lessons learned Omid Vahdaty
AWS Big Data Demystified #1: Big data architecture lessons learned . a quick overview of a big data techonoligies, which were selected and disregard in our company
The video: https://youtu.be/l5KmaZNQxaU
dont forget to subcribe to the youtube channel
The website: https://amazon-aws-big-data-demystified.ninja/
The meetup : https://www.meetup.com/AWS-Big-Data-Demystified/
The facebook group : https://www.facebook.com/Amazon-AWS-Big-Data-Demystified-1832900280345700/
Continuous Deployment of Front-end JavaScript with StriderCD, Github and Sauc...niallo
This document summarizes StriderCD, an open source continuous delivery platform that is customizable, easy to use, and easy to host. Key points include:
- StriderCD is an open source continuous integration/delivery platform similar to TravisCI or Jenkins.
- It is customizable through an extensible NPM plugin system and customizable front-end, worker processes, and integrations.
- It is easy to set up new projects, integrates with GitHub, and auto-detects configurations when possible.
- It can be easily run locally or deployed to platforms like Heroku. Commercial support is also available from FrozenRidge.
Talk given on BalCCon 2013 by Vlatko Kosturjak: Wonderful world of (distributed) SCM or VCS. Ripping and extracting useful info from CVS, Subversion (SVN) and GIT repositories publicly exposed on the web.
This document discusses optimizing a WordPress installation for performance. It recommends using Nginx as a reverse proxy cache in front of Apache and PHP to cache both logged-in and logged-out content. It achieved near elimination of problems, doubled network throughput, halved memory usage, and allowed disabling of plugins by caching everything. Results included atom feeds increasing in speed from 6 requests/second to over 7000 requests/second.
In the rapidly evolving landscape of technologies, XML continues to play a vital role in structuring, storing, and transporting data across diverse systems. The recent advancements in artificial intelligence (AI) present new methodologies for enhancing XML development workflows, introducing efficiency, automation, and intelligent capabilities. This presentation will outline the scope and perspective of utilizing AI in XML development. The potential benefits and the possible pitfalls will be highlighted, providing a balanced view of the subject.
We will explore the capabilities of AI in understanding XML markup languages and autonomously creating structured XML content. Additionally, we will examine the capacity of AI to enrich plain text with appropriate XML markup. Practical examples and methodological guidelines will be provided to elucidate how AI can be effectively prompted to interpret and generate accurate XML markup.
Further emphasis will be placed on the role of AI in developing XSLT, or schemas such as XSD and Schematron. We will address the techniques and strategies adopted to create prompts for generating code, explaining code, or refactoring the code, and the results achieved.
The discussion will extend to how AI can be used to transform XML content. In particular, the focus will be on the use of AI XPath extension functions in XSLT, Schematron, Schematron Quick Fixes, or for XML content refactoring.
The presentation aims to deliver a comprehensive overview of AI usage in XML development, providing attendees with the necessary knowledge to make informed decisions. Whether you’re at the early stages of adopting AI or considering integrating it in advanced XML development, this presentation will cover all levels of expertise.
By highlighting the potential advantages and challenges of integrating AI with XML development tools and languages, the presentation seeks to inspire thoughtful conversation around the future of XML development. We’ll not only delve into the technical aspects of AI-powered XML development but also discuss practical implications and possible future directions.
Fueling AI with Great Data with Airbyte WebinarZilliz
This talk will focus on how to collect data from a variety of sources, leveraging this data for RAG and other GenAI use cases, and finally charting your course to productionalization.
Threats to mobile devices are more prevalent and increasing in scope and complexity. Users of mobile devices desire to take full advantage of the features
available on those devices, but many of the features provide convenience and capability but sacrifice security. This best practices guide outlines steps the users can take to better protect personal devices and information.
Your One-Stop Shop for Python Success: Top 10 US Python Development Providersakankshawande
Simplify your search for a reliable Python development partner! This list presents the top 10 trusted US providers offering comprehensive Python development services, ensuring your project's success from conception to completion.
Taking AI to the Next Level in Manufacturing.pdfssuserfac0301
Read Taking AI to the Next Level in Manufacturing to gain insights on AI adoption in the manufacturing industry, such as:
1. How quickly AI is being implemented in manufacturing.
2. Which barriers stand in the way of AI adoption.
3. How data quality and governance form the backbone of AI.
4. Organizational processes and structures that may inhibit effective AI adoption.
6. Ideas and approaches to help build your organization's AI strategy.
Essentials of Automations: The Art of Triggers and Actions in FMESafe Software
In this second installment of our Essentials of Automations webinar series, we’ll explore the landscape of triggers and actions, guiding you through the nuances of authoring and adapting workspaces for seamless automations. Gain an understanding of the full spectrum of triggers and actions available in FME, empowering you to enhance your workspaces for efficient automation.
We’ll kick things off by showcasing the most commonly used event-based triggers, introducing you to various automation workflows like manual triggers, schedules, directory watchers, and more. Plus, see how these elements play out in real scenarios.
Whether you’re tweaking your current setup or building from the ground up, this session will arm you with the tools and insights needed to transform your FME usage into a powerhouse of productivity. Join us to discover effective strategies that simplify complex processes, enhancing your productivity and transforming your data management practices with FME. Let’s turn complexity into clarity and make your workspaces work wonders!
Monitoring and Managing Anomaly Detection on OpenShift.pdfTosin Akinosho
Monitoring and Managing Anomaly Detection on OpenShift
Overview
Dive into the world of anomaly detection on edge devices with our comprehensive hands-on tutorial. This SlideShare presentation will guide you through the entire process, from data collection and model training to edge deployment and real-time monitoring. Perfect for those looking to implement robust anomaly detection systems on resource-constrained IoT/edge devices.
Key Topics Covered
1. Introduction to Anomaly Detection
- Understand the fundamentals of anomaly detection and its importance in identifying unusual behavior or failures in systems.
2. Understanding Edge (IoT)
- Learn about edge computing and IoT, and how they enable real-time data processing and decision-making at the source.
3. What is ArgoCD?
- Discover ArgoCD, a declarative, GitOps continuous delivery tool for Kubernetes, and its role in deploying applications on edge devices.
4. Deployment Using ArgoCD for Edge Devices
- Step-by-step guide on deploying anomaly detection models on edge devices using ArgoCD.
5. Introduction to Apache Kafka and S3
- Explore Apache Kafka for real-time data streaming and Amazon S3 for scalable storage solutions.
6. Viewing Kafka Messages in the Data Lake
- Learn how to view and analyze Kafka messages stored in a data lake for better insights.
7. What is Prometheus?
- Get to know Prometheus, an open-source monitoring and alerting toolkit, and its application in monitoring edge devices.
8. Monitoring Application Metrics with Prometheus
- Detailed instructions on setting up Prometheus to monitor the performance and health of your anomaly detection system.
9. What is Camel K?
- Introduction to Camel K, a lightweight integration framework built on Apache Camel, designed for Kubernetes.
10. Configuring Camel K Integrations for Data Pipelines
- Learn how to configure Camel K for seamless data pipeline integrations in your anomaly detection workflow.
11. What is a Jupyter Notebook?
- Overview of Jupyter Notebooks, an open-source web application for creating and sharing documents with live code, equations, visualizations, and narrative text.
12. Jupyter Notebooks with Code Examples
- Hands-on examples and code snippets in Jupyter Notebooks to help you implement and test anomaly detection models.
Ocean lotus Threat actors project by John Sitima 2024 (1).pptxSitimaJohn
Ocean Lotus cyber threat actors represent a sophisticated, persistent, and politically motivated group that poses a significant risk to organizations and individuals in the Southeast Asian region. Their continuous evolution and adaptability underscore the need for robust cybersecurity measures and international cooperation to identify and mitigate the threats posed by such advanced persistent threat groups.
UiPath Test Automation using UiPath Test Suite series, part 6DianaGray10
Welcome to UiPath Test Automation using UiPath Test Suite series part 6. In this session, we will cover Test Automation with generative AI and Open AI.
UiPath Test Automation with generative AI and Open AI webinar offers an in-depth exploration of leveraging cutting-edge technologies for test automation within the UiPath platform. Attendees will delve into the integration of generative AI, a test automation solution, with Open AI advanced natural language processing capabilities.
Throughout the session, participants will discover how this synergy empowers testers to automate repetitive tasks, enhance testing accuracy, and expedite the software testing life cycle. Topics covered include the seamless integration process, practical use cases, and the benefits of harnessing AI-driven automation for UiPath testing initiatives. By attending this webinar, testers, and automation professionals can gain valuable insights into harnessing the power of AI to optimize their test automation workflows within the UiPath ecosystem, ultimately driving efficiency and quality in software development processes.
What will you get from this session?
1. Insights into integrating generative AI.
2. Understanding how this integration enhances test automation within the UiPath platform
3. Practical demonstrations
4. Exploration of real-world use cases illustrating the benefits of AI-driven test automation for UiPath
Topics covered:
What is generative AI
Test Automation with generative AI and Open AI.
UiPath integration with generative AI
Speaker:
Deepak Rai, Automation Practice Lead, Boundaryless Group and UiPath MVP
Unlocking Productivity: Leveraging the Potential of Copilot in Microsoft 365, a presentation by Christoforos Vlachos, Senior Solutions Manager – Modern Workplace, Uni Systems
“An Outlook of the Ongoing and Future Relationship between Blockchain Technologies and Process-aware Information Systems.” Invited talk at the joint workshop on Blockchain for Information Systems (BC4IS) and Blockchain for Trusted Data Sharing (B4TDS), co-located with with the 36th International Conference on Advanced Information Systems Engineering (CAiSE), 3 June 2024, Limassol, Cyprus.
Have you ever been confused by the myriad of choices offered by AWS for hosting a website or an API?
Lambda, Elastic Beanstalk, Lightsail, Amplify, S3 (and more!) can each host websites + APIs. But which one should we choose?
Which one is cheapest? Which one is fastest? Which one will scale to meet our needs?
Join me in this session as we dive into each AWS hosting service to determine which one is best for your scenario and explain why!
TrustArc Webinar - 2024 Global Privacy SurveyTrustArc
How does your privacy program stack up against your peers? What challenges are privacy teams tackling and prioritizing in 2024?
In the fifth annual Global Privacy Benchmarks Survey, we asked over 1,800 global privacy professionals and business executives to share their perspectives on the current state of privacy inside and outside of their organizations. This year’s report focused on emerging areas of importance for privacy and compliance professionals, including considerations and implications of Artificial Intelligence (AI) technologies, building brand trust, and different approaches for achieving higher privacy competence scores.
See how organizational priorities and strategic approaches to data security and privacy are evolving around the globe.
This webinar will review:
- The top 10 privacy insights from the fifth annual Global Privacy Benchmarks Survey
- The top challenges for privacy leaders, practitioners, and organizations in 2024
- Key themes to consider in developing and maintaining your privacy program
Full-RAG: A modern architecture for hyper-personalizationZilliz
Mike Del Balso, CEO & Co-Founder at Tecton, presents "Full RAG," a novel approach to AI recommendation systems, aiming to push beyond the limitations of traditional models through a deep integration of contextual insights and real-time data, leveraging the Retrieval-Augmented Generation architecture. This talk will outline Full RAG's potential to significantly enhance personalization, address engineering challenges such as data management and model training, and introduce data enrichment with reranking as a key solution. Attendees will gain crucial insights into the importance of hyperpersonalization in AI, the capabilities of Full RAG for advanced personalization, and strategies for managing complex data integrations for deploying cutting-edge AI solutions.
Programming Foundation Models with DSPy - Meetup SlidesZilliz
Prompting language models is hard, while programming language models is easy. In this talk, I will discuss the state-of-the-art framework DSPy for programming foundation models with its powerful optimizers and runtime constraint system.
HCL Notes und Domino Lizenzkostenreduzierung in der Welt von DLAUpanagenda
Webinar Recording: https://www.panagenda.com/webinars/hcl-notes-und-domino-lizenzkostenreduzierung-in-der-welt-von-dlau/
DLAU und die Lizenzen nach dem CCB- und CCX-Modell sind für viele in der HCL-Community seit letztem Jahr ein heißes Thema. Als Notes- oder Domino-Kunde haben Sie vielleicht mit unerwartet hohen Benutzerzahlen und Lizenzgebühren zu kämpfen. Sie fragen sich vielleicht, wie diese neue Art der Lizenzierung funktioniert und welchen Nutzen sie Ihnen bringt. Vor allem wollen Sie sicherlich Ihr Budget einhalten und Kosten sparen, wo immer möglich. Das verstehen wir und wir möchten Ihnen dabei helfen!
Wir erklären Ihnen, wie Sie häufige Konfigurationsprobleme lösen können, die dazu führen können, dass mehr Benutzer gezählt werden als nötig, und wie Sie überflüssige oder ungenutzte Konten identifizieren und entfernen können, um Geld zu sparen. Es gibt auch einige Ansätze, die zu unnötigen Ausgaben führen können, z. B. wenn ein Personendokument anstelle eines Mail-Ins für geteilte Mailboxen verwendet wird. Wir zeigen Ihnen solche Fälle und deren Lösungen. Und natürlich erklären wir Ihnen das neue Lizenzmodell.
Nehmen Sie an diesem Webinar teil, bei dem HCL-Ambassador Marc Thomas und Gastredner Franz Walder Ihnen diese neue Welt näherbringen. Es vermittelt Ihnen die Tools und das Know-how, um den Überblick zu bewahren. Sie werden in der Lage sein, Ihre Kosten durch eine optimierte Domino-Konfiguration zu reduzieren und auch in Zukunft gering zu halten.
Diese Themen werden behandelt
- Reduzierung der Lizenzkosten durch Auffinden und Beheben von Fehlkonfigurationen und überflüssigen Konten
- Wie funktionieren CCB- und CCX-Lizenzen wirklich?
- Verstehen des DLAU-Tools und wie man es am besten nutzt
- Tipps für häufige Problembereiche, wie z. B. Team-Postfächer, Funktions-/Testbenutzer usw.
- Praxisbeispiele und Best Practices zum sofortigen Umsetzen
4. What is BloodHound?
● Released in 2016 at DEF CON 24 by Veris Group’s
ATD Team
○ @_wald0 - Andy Robbins
○ @CptJesus - Rohan Vazarkar
○ @harmj0y - Will Schroeder
● Uses Graph Theory
○ Vertices (Nodes) - Objects like Users, Groups,
Computers, etc
○ Edges (Relationships) - Relationships between objects
○ Paths - Connecting Objects for Privilege Escalation
● Ingestor
○ Collects data from Active Directory and saves
JSON data
● Backend database
○ Neo4j graph database - stores nodes and
relationship data
○ Uses Cypher query language
● Frontend application
○ JavaScript/HTML application for drawing graphs,
importing data, and performing queries
5. A Brief History
● All About derivative local admin
○ Who is Admin to What?
○ Who is Logged on Where?
https://wald0.com/?p=68
https://www.slideshare.net/AndyRobbins3/six-degrees-of-domain-a
dmin-bloodhound-at-def-con-24
https://www.sixdub.net/?p=591 (Broken Link)
https://sixdub.medium.com/derivative-local-admin-cdd09445aac8
https://i1.wp.com/wald0.com/wp-content/uploads/2016/08/Screen-Shot-2016-08-29-at-6.31.37-PM.png
6. BloodHound 1.3 - The ACL Attack Path Update
● Completely game changing
● Tons of new attack paths
● https://wald0.com/?p=112
https://i0.wp.com/wald0.com/wp-content/uploads/2017/05/TransitiveControllers.png
7. BloodHound 1.5 - The Container Update
● Added Objects/Edges for Containers and GPOs
● https://posts.specterops.io/bloodhound-1-5-the-container-update-fdf1ed2ad9da
https://miro.medium.com/max/720/0*OcD5QlwNIcp_wAru.png
8. Ingestors
● AD Explorer Snapshot
○ https://github.com/c3c/ADExplorerSnapshot.py
○ Pro: AD Explorer is a Microsoft Signed Binary
○ Con: Only collects “DCOnly” information
○ More network intensive
● ldif2bloodhound
○ https://github.com/SySS-Research/ldif2bloodhound
○ Convert an LDIF file to JSON files ingestible by
BloodHound
○ LDIF file created with ldapsearch
○ Equivalent to DCOnly
● SilentHound
○ https://github.com/layer8secure/SilentHound
○ One LDAP query: (objectClass=*)
● Ldapdomaindump to BloodHound
○ Updated ldapdomaindump converter (BH 4.0)
○ https://github.com/blurbdust/ldd2bh
● SharpHound
○ https://github.com/BloodHoundAD/SharpHound
○ The gold standard, use it if you can
○ Supports session looping
○ Cons: AV = big mad
● BloodHound.py
○ https://github.com/fox-it/BloodHound.py
○ Almost just as good
○ Sometimes has memory issues on large orgs
○ Python
● RustHound
○ https://github.com/OPENCYBER-FR/RustHound
○ Pro: Single Executable, no dependencies
○ Con: Missing some core functionality, such as session
collection
12. Cypher Query Breakdown
MATCH p=shortestPath((n
{owned:true})-[:MemberOf|AdminTo|AllExtendedRights|AddMember|GenericAll|GenericWrite|Owns|WriteDacl|WriteOwner|ReadLAPSPasswor
d|Contains|ReadGMSAPassword*1..]->(m:Group {name:"DOMAIN ADMINS@DOMAIN.COM"})) WHERE NOT n=m RETURN p
MATCH searches for nodes and RETURN defines the data returned from the query. WHERE (NOT) is adding constraints to the query.
p, n, m – Variables p is the result of the shortestPath function, n,m are variables that represent nodes.
Group – Node label. in BloodHound think of this as the node type: Group, Computer, User, OU, etc.
[:TYPE*minHops..maxHops] – Relationship types can be defined inside of a relationship arrow (-->, <--, --).
{key:value} – Node properties.
Learn Cypher - Dog Whisper Handbook: https://ernw.de/download/BloodHoundWorkshop/ERNW_DogWhispererHandbook.pdf
14. Neo4j Bulk Mark Owned/High Value
Mark Owned:
MATCH (n {name:'<NAME@DOMAIN.COM>'}) SET n.owned=true;
Mark High Value:
MATCH (n {name:'<NAME@DOMAIN.COM>'}) SET n.highvalue=true;
15. Relationship Types / AD ACL Implications
• GenericAll/GenericWrite/Owns -> User
• GenericAll/Owns -> Computer
• AllExtendedRights -> Computer
• GenericWrite -> Computer
• GenericAll/GenericWrite -> Group
• WriteDacl -> Any
- Change Password, Targeted Kerberoast, Shadow Credentials*
- Read LAPS/GMSA Password, RBCD*, Shadow Credentials*
- Read LAPS/GMSA Password
- RBCD*, Shadow Credentials*
- Add/Change Membership
- Grant any of the above permissions
● Shadow Credentials requires Server 2016 Domain Functional Level and ADCS
● Resource Based Constrained Delegation Requires Server 2012 Functional Level
18. Attacking Groups
● Add/Change Group Membership
○ Net.exe Commands
○ PowerView's Add-DomainGroupMember
○ https://github.com/FuzzySecurity/StandIn (C#)
○ Net (Samba) and/or pth-toolkit
○ Python Based Tools
■ https://www.n00py.io/2020/01/managing-active-directory-groups-from-linux/
■ https://github.com/PShlyundin/ldap_shell
■ https://github.com/CravateRouge/bloodyAD
■ https://github.com/aniqfakhrul/powerview.py
■ https://github.com/zblurx/acltoolkit
19. Attacking Groups
● Leverage BloodHound/Neo4j to find groups with admin to computers
MATCH p=(n:Group)-[:AdminTo*1..]->(m:Computer) WHERE NOT
n.admincount RETURN p
MATCH p=(n:Group)-[:AdminTo*1..]->(m:Computer) WHERE not
n.admincount RETURN DISTINCT n.name
23. Attacking GPOs
● Adding Scheduled Task
○ https://github.com/X-C3LL/GPOwned
○ https://github.com/Hackndo/pyGPOAbuse
○ PowerView’s New-GPOImmediateTask
○ https://github.com/FSecureLABS/SharpGPOAbuse
● Creating Local Users
○ https://github.com/FuzzySecurity/StandIn
○ Use Remote Server Administration Tools (RSAT)
○ Group Policy Management Editor
● Probably a bunch of other ways, lots of things you can configure via GPO
24. Attacking Domain
● If you have GenericAll, AllExtendedRights, or
DS-Replication-Get-Changes-All + DS-Replication-Get-Changes:
○ DCSync
■ Impacket secretsdump.py
■ Mimikatz lsadump::dcsync
● If you have Owns or WriteDACL:
○ PowerView's Add-DomainObjectAcl
○ https://github.com/n00py/DCSync
○ https://github.com/CravateRouge/bloodyAD
○ https://github.com/PShlyundin/ldap_shell
● If you have WriteOwner:
○ PowerView's Set-DomainObjectOwner
○ https://github.com/CravateRouge/bloodyAD
○ https://github.com/PShlyundin/ldap_shell
25. ADCS - Certipy
● Certipy is a tool for abusing/exploiting ADCS
● Supported BloodHound ingestible output since version 2.0
○ Uses GPO objects to represent certificates in “Old BloodHound” mode
○ Forked GUI uses new vertices to represent CAs and Certificate templates
https://research.ifcr.dk/certipy-2-0-bloodh
ound-new-escalations-shadow-credentials-
golden-certificates-and-more-34d1c26f0dc
6
https://research.ifcr.dk/certipy-4-0-esc9-es
c10-bloodhound-gui-new-authentication-a
nd-request-methods-and-more-7237d8806
1f7
https://miro.medium.com/max/720/1*3RCynhxvuArY-6X2xWEqQg.png
26. Using BloodHound - Tips and Tricks
● Mark every compromised computer or user “Owned”.
○ Possible to automatically assign this with CrackMapExec and Cobalt Strike
■ https://github.com/NinjaStyle82/cme2bh (deprecated)
■ cme smb <ip> -u <user> -p <password> -M bh_owned
■ https://github.com/waffl3ss/bloodpath
■ https://github.com/Coalfire-Research/Vampire
● Run queries from Owned to High Value.
MATCH p=shortestPath((g {owned:true})-[*1..]->(n
{highvalue:true})) WHERE g<>n return p
● Use built-in filters to narrow to specific relationship types.
○ For example: fill out the filter checkboxes, then run “Shortest Paths to Domain Admins from
Owned Principals”
● query, and copy pasta what’s inside the square brackets.
● Use allShortestPaths if you think ShortestPath is showing you a bad relationship/edge.
(Shortest path only shows one relationship type)
27. High Value: Principals With DCSync Rights
● Find Objects with DCSync (built-in queries)
MATCH p=()-[:DCSync|AllExtendedRights|GenericAll]->(:Domain
{name: "DOMAIN.LOCAL"}) RETURN p
MATCH (n1)-[:MemberOf|GetChanges*1..]->(u:Domain {name:
"DOMAIN.LOCAL"}) WITH n1,u MATCH
(n1)-[:MemberOf|GetChangesAll*1..]->(u) WITH n1,u MATCH p =
(n1)-[:MemberOf|GetChanges|GetChangesAll*1..]->(u) RETURN p
● Set them all as High Value
MATCH p=(n)-[:DCSync|AllExtendedRights|GenericAll]->(:Domain
{name: "DOMAIN.LOCAL"}) SET n.highvalue=True
MATCH (n1)-[:MemberOf|GetChanges*1..]->(u:Domain {name:
"DOMAIN.LOCAL"}) WITH n1,u MATCH
(n1)-[:MemberOf|GetChangesAll*1..]->(u) WITH n1,u MATCH p =
(n1)-[:MemberOf|GetChanges|GetChangesAll*1..]->(u)
SET n1.highvalue=True
28. Tip: Adding Admin Groups to High Value
● Groups not marked as “High Value” already, but have the Admin Count Flag
MATCH p = (g:Group {admincount: True}) WHERE NOT EXISTS(g.highvalue)
OR g.highvalue = False RETURN g
● Groups that do NOT have the Admin Count flag, but do allow local admin to computers
MATCH p=(n:Group)-[:AdminTo*1..]->(m:Computer) WHERE NOT n.admincount
RETURN p
29. High Value: Groups That Can Reset Passwords
● Groups that can change user passwords, sorted by the amount of users
MATCH p=(m:Group)-[r:ForceChangePassword]->(n:User) RETURN m
MATCH p=(m:Group)-[r:ForceChangePassword]->(n:User) RETURN DISTINCT
m.name, COUNT(m.name) ORDER BY COUNT(m.name) DESC
30. High Value: Unconstrained Delegation
● Find all computers that can perform unconstrained delegation but are not DCs.
MATCH (c1:Computer)-[:MemberOf*1..]->(g:Group) WHERE g.objectid ENDS
WITH '-516' WITH COLLECT(c1.name) AS domainControllers MATCH
(c2:Computer {unconstraineddelegation:true}) WHERE NOT c2.name IN
domainControllers RETURN c2
● Exploit with Rubeus.exe monitor (Windows)
● https://github.com/dirkjanm/krbrelayx (Python)
https://hausec.com/2019/09/09/bloodhound-cypher-cheatsheet/
31. High Value: Azure AD Connect
● Synchronization service that keeps Active Directory and Office 365 in sync
● Under a default set-up, an account is created with DCSync permissions
○ MSOL_[HEX]
● This account plaintext password can be extracted from the AD Connect Server
○ https://blog.xpnsec.com/azuread-connect-for-redteam/
○ https://gist.github.com/xpn/f12b145dba16c2eebdd1c6829267b90c
● If you have access to Azure, you can find it under Azure Active Directory Connect Health -> Sync
Services -> Azure Active Directory Connect Servers
● MSOnline Powershell Module:
(Get-MsolCompanyInformation).DirSyncClientMachineName
32. High Value: Azure AD Connect
● Find Azure AD Connect servers and mark them as high value
MATCH (n:User) WHERE n.name STARTS WITH "MSOL" RETURN
split(n.description,' ')[15]
MATCH (u:User)WHERE u.name STARTS WITH "MSOL" WITH split(u.description, "
")[15] AS word UNWIND word AS w MATCH (c:Computer)WHERE c.name STARTS
WITH w RETURN c
● Note: This finds servers created with defaults, but there may be more, look for computers with
names like “azure”, “sync”, “AAD”, etc.
33. High Value: Cert Publishers
● Find all computers in the Cert Publishers group.
MATCH p=(n:Group)<-[:MemberOf*1..]-(m) WHERE n.name =~ "CERT
PUBLISHERS.*" RETURN p
● Pwn a CA -> Golden Certificate!
○ https://github.com/ly4k/Certipy#golden-certificates
○ https://pentestlab.blog/2021/11/15/golden-certificate
● SCCM Servers?
○ Provide “Updates” to High Value Targets
● https://github.com/Mayyhem/SharpSCCM
MATCH (n) WHERE n.name CONTAINS "SCCM" RETURN n UNION MATCH (n)
WHERE n.description CONTAINS "SCCM" RETURN n
34. Tip: Computers Admin to Other Computers
MATCH p =
(c1:Computer)-[r1:AdminTo]->(c2:Computer)
RETURN p UNION ALL MATCH p =
(c3:Computer)-[r2:MemberOf*1..]->(g:Group)-[
r3:AdminTo]->(c4:Computer) RETURN p
● Coerced authentication from one computer another
● SMB Signing must NOT be enforced
1. Printerbug/Coercer
2. Impacket Ntlmrleayx.py
3. Dump SAM/LSA
● Common to see on Exchange, SCCM, and SQL Servers
35. Tip: Outbound Object Control
● If all your owned users seem truly useless, try these queries to see if they can do
ANYTHING at all:
MATCH p = (g:User {owned: True})-[r]->(n) WHERE r.isacl=true RETURN p
MATCH p = (g1:User {owned:
True})-[r1:MemberOf*1..]->(g2:Group)-[r2]->(n) WHERE r2.isacl=true
RETURN p
36. Tip: LAPS non-enabled Computers for Lateral
Movement
If a computer has LAPS non-enabled, does it potentially share a password with a high-value
computer?
Do any high-value computers have LAPS non-enabled?
MATCH (c:Computer {haslaps:False}) WHERE c.highvalue=True RETURN c
Do any of our owned accounts have paths to computer nodes with LAPS non-enabled?
MATCH p=shortestpath((u
{owned:true})-[:MemberOf|AdminTo|Owns|AllExtendedRights|GenericAll|Gen
ericWrite|ReadLAPSPassword|AddKeyCredentialLink*1..]->(c:Computer
{haslaps:false})) RETURN p
37. Tip: Extending BloodHound
● There are some open source tools which can expand the data in available in BloodHound
● Max - https://github.com/knavesec/Max
○ Can set a list users/computers as owned or high value
● Add-spns
○ Adds the HasSPNConfigured relationship to objects
in the database
● Add-spw
○ Create SharesPasswordWith relationships
○ Visualizes local admin re-use
Note: Custom Edges will not show up on built-in queries
https://whynotsecurity.com/blog/max2/
38. Post-Ex: Shared Password Analysis
● Takes NTDS output and generates shared
password clusters
● Can be imported to BloodHound, creates new
edges (and thus new paths)
● Excellent at visualizing password sharing issues
https://github.com/SySS-Research/hashcathelper
https://github.com/SySS-Research/hashcathelper/blob/main/doc/bloodhound_clusters.png
39. Post-Ex: CrackHound
● Allows you to add plaintext passwords to BloodHound, post-compromise
● Search out additional paths via weak passwords
○ What users with a cracked password are members of high value groups?
○ What users with weak passwords have VPN access?
○ What Kerberoastable users were cracked?
○ What users with a weak password have a path to Domain Admin?
MMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMWN0xl:,'.........',,:oOXWMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMM
MMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMWN0dl:;,,,,;;;::::::;;;,''',:okKWMMMMMWWWNWWMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMM
MMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMNXWMMMMMMMMMMWXkl;,,;::ccccccccccccccccccc;. .,collcccc:ccldOXWMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMM
MMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMWNOl:dXMMMMMMMMW0o;',:cc;..':cccccccccccccccccc:. ..',;::::::;,,;o0WMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMM
MMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMNOl' .lNMMMMMMMMXo'';:ccc:. ':cccccccccccccccccc:'.',:cccc::ccccccc:,,oXMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMM
MMMMMMMMMMMMMMMMMMMMMMMMMMMMMMKc. .oNMMMMMMWXx;';:ccccc:,. ..';:cccccccc:ccccccccccc:;'...;cccccccc;':0MMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMM
MMMMMMMMMMMMMMMMMMMMMMMMMMMMMX: .oNMMMMWKxc'.':ccccccccc;. ..',,'..';:ccccccccc:, .;cccccccc:';OWMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMM
MMMMMMMMMMMMMMMMMMMMMMMMMMMMMx. .cONMNKkl;. .:ccccccccccc;. .,::cccccccccc;. .;cccccccc:',kWMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMM
MMMMMMMMMMMMMMMMMMMMMMMMMMMMMx. 'dkdc,. .:ccccccc:;,,,. .,cccccccccccccc' .,::cccccc:''dNMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMM
MMMMMMMMMMMMMMMMMMMMMMMMMMMMMXo. .''. .';:cccccc:,. .;ccccccccccccc:,. ...':cccc:,'cxkk0NMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMM
MMMMMMMMMMMMMMMMMMMMMMMMMMMMMMWKxdodk0Oc'';:cccccccc:,. .ox; .;ccccc:::c:;'... .....';;'....:ONMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMM
MMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMM0;.;cccccccccc:,. 'kWMXo. .:ccccc:,.... .','......';xWMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMM
MMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMWK:.;cccccccccc:' ;0WMMM0, ..''',,,;;;,'... 'lc. .,;:;''',,'... .oXMMMMMMMMMMMMMMMMMMMMMMMMMMMMMM
MMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMWKkl' .;:ccc:;;,,'. .oXMMMMWo .......,::::::;,'...dWWO, ':ccc;,,;;...''...;OWMMMMMMMMMMMMMMMMMMMMMMMMMMMM
MMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMNd. .,:c;',:. .:kXWMMMMMW0l;,,;;;.............,;.'kWW0; ':cc:'. .;:;,'......oNMMMMMMMMMMMMMMMMMMMMMMMMMMMM
MMMMMMMMMMMMMMMMMMMMMMMMMMMMMMNo. .....'''.;0WKx:. .:xKWMMMMMMMWWNNXd. .;o; .::.;KMMK: .,:ccc,. ';,.. .. ;KMMMMMMMMMMMMMMMMMMMMMMMMMMMMM
MMMMMMMMMMMMMMMMMMMMMMMMMMMMMNo. ':loodkXMMMMWXOo;. .:OWMMMMMMMMWk. .;d00kc. .,.:KMMXc.,:ccc:. .;:,,'. ';,..;0WMMMMMMMMMMMMMMMMMMMMMMMMMMM
MMMMMMMMMMMMMMMMMMMMMMMMMMMMKc ,xXWMMMMMMMMMMMMMMNOl. '0MMMMMMMWk. ;ONMK: ,OMMNl.,:cccc, ..,;cc,..:c:,.,dKWMMMMMMMMMMMMMMMMMMMMMMMMM
MMMMMMMMMMMMMMMMMMMMMMMMMMWO, .oXMMMMMMMMMMMMMMMMNo'. cXMMMMMMNx. .lXMMX: :0MMXl.,ccccc;. .;c:;;:cc::,''oNMMMMMMMMMMMMMMMMMMMMMMMM
MMMMMMMMMMMMMMMMMMMMMMMMMKc. .xWMMMMMMMMMMMMMMMMKc. .lXMMMMMWKc. .,dNMMMNx;.',ckNMWK:.;ccccc:' .';:ccc:,... ;XMMMMMMMMMMMMMMMMMMMMMMMM
MMMMMMMMMMMMMMMMMMMMMMMMWo. .coxKMMMMMMMMMMMMMMk. 'xNMMMMMMX: ckONMMMMMWNNWWMWXd'.;cccccc;..;. ..';:,','. .dWMMMMMMMMMMMMMMMMMMMMMMMM
MMMMMMMMMMMMMMMMMMMMMMMMX: ...;0MMMMMMMMMMMMMW0doloxKWMMMMMMNo. .:KMMMMMMMWXkl'..;cccccc:'.oN0, ..';;,,',. .dWMMMMMMMMMMMMMMMMMMMMMMMMM
MMMMMMMMMMMMMMMMMMMMMMMMWKc. .'.',.;0MMMMMMMMMMMMMMMMMMMMMMMMMMMXc ;0MMMMMXo,.',,;::::::;,.;KNk, ....,:;,;'....kMMMMMMMMMMMMMMMMMMMMMMMMMM
MMMMMMMMMMMMMMMMMMMMMMMMMMXl....'..'.,kWMMMMMMMMMMMMMMMMMMMMMMMMMMMXl.........'dWMMMM0:.',,,,,,,,,,'':OWXc..,,;;,;,,;,':O00NMMMMMMMMMMMMMMMMMMMMMMMMMM
https://www.trustedsec.com/blog/expanding-the-hound-introducing-plaintext-field-to-compromised-accounts/
https://github.com/trustedsec/CrackHound
40. A Slide For the Blue Team
Turning BloodHound Data into useful lists:
● Max: Domain Password Audit Tool
○ https://whynotsecurity.com/blog/max3/
○ Password audit enriched with BloodHound data
● PlumHound - BloodHound Report Engine
○ https://github.com/PlumHound/PlumHound
● Cypheroth
○ Spreadsheets!
○ https://github.com/seajaysec/cypheroth
● WatchDog
○ https://github.com/SadProcessor/WatchDog
○ https://insinuator.net/2019/10/blue-hands-on-bloodhound/
● PingCastle
○ https://www.pingcastle.com