SlideShare a Scribd company logo
About Us: Andy
• Job: Adversary Resilience Lead at Specter Ops
• Tool creator/dev: BloodHound
• Presenter: DEF CON, ekoparty, Black Hat Arsenal,
BSidesLV, BSidesSeattle, ISSA Intl, ISC2 World Congress
• Trainer: Black Hat USA, Black Hat Europe, Adversary
Tactics: Red Team Operations
• Twitter: @_wald0
About Us: Rohan
• Job: Director of Technology at Specter Ops
• Tool creator/dev: BloodHound, EyeWitness, Empire,
etc.
• Presenter: DEF CON, ekoparty, Black Hat Arsenal, BSidesLV,
BSidesDC, BSidesDE
• Trainer: Black Hat USA
• Twitter: @CptJesus
About Us: Will
• Job: Offensive Engineer at Specter Ops
• Tool creator/dev: BloodHound, Veil-Framework,
PowerView, PowerUp, Empire
• Presenter: Cons on cons on cons
• Trainer: Black Hat USA, Adversary Tactics: Active
Directory, Adversary Tactics: Red Team Operations
• Twitter: @harmj0y
Outline
• Prior Work
• Why care about this?
• ACL Background
• Abuse Primitives
• Finding Misconfigs and Attack Paths
• BloodHound Interface Demo
• Complex ACL Attack Path Demo
Prior Work
Prior Work
• Heat-ray: Combating Identity Snowball Attacks Using Machine
Learning, Combinatorial Optimization and Attack Graphs
John Dunagan, Alice X. Zheng, Daniel R. Simon
http://bit.ly/2qG0OvE
• Active Directory Control Paths
Lucas Bouillot, Emmanuel Gras, Geraud de Drouas
http://bit.ly/1pBc8FN
Prior Work
• Active Directory ACL Scanner
Robin Granberg
http://bit.ly/2faPdkz
• Airbus BTA
Philippe Biondi, Joffrey Czarny
http://bit.ly/2faFFpX
• Several AD ACL related blog posts
Sean Metcalf
https://adsecurity.org/?tag=ad-acls
Why care?
Why care? (part I)
• Lack of awareness of impact from third party
software/sysadmins
• “Misconfiguration debt” from earlier installs, sometimes
since your domain was stood up
• General lack of defender awareness at impact/importance
• Difficulty of auditing (especially at scale)
Why care? (part II)
• Any authenticated user (by default) can enumerate these
DACLs
• Communication in nearly all cases is limited to the DC
• Execution may not require pivoting to other systems at all!
• Completely different forensic profile that most orgs are not
prepared for
ACL Background
ACL Background
• All securable objects in Windows and Active Directory
have a Security Descriptor.
• The Security Descriptor has a DACL and a SACL
• The DACL is populated by ACEs, which define what
permissions other objects do or do not have against
an object.
ACL Background
• Those are just the very basic moving parts of ACLs and
the Windows security model.
• For way more in-depth info, see our 67 page white
paper from Black Hat this year here:
https://specterops.io/assets/resources/an_ace_up_th
e_sleeve.pdf
Abuse Primitives
The ability to change a user password without knowing the
current password
ForceChangePW
Abuse cmdlet: Set-DomainUserPassword
Cleanup method: mimikatz lsadump::setntlm
The ability to add any other user, group, or computer to a
group.
AddMembers
Abuse cmdlet: Add-DomainGroupMember
Cleanup cmdlet: Remove-DomainGroupMember
Full object control over user and group objects
GenericAll
Abuse cmdlets: Add-DomainGroupMember, Set-
DomainUserPassword, Set-DomainObject & Kerberoast
Cleanup cmdlets and method: Remove-DomainGroupMember,
mimikatz lsadump::setntlm, Set-DomainObject -Clear
The ability to write any object property value
GenericWrite
Abuse cmdlets: Add-DomainGroupMember Set-DomainObject &
Kerberoast
Cleanup cmdlets and method: Remove-DomainGroupMember,
Set-DomainObject -Clear
The ability to grant object ownership to another principal
WriteOwner
Abuse cmdlet: Set-DomainObjectOwner
Cleanup cmdlet: Set-DomainObjectOwner (back to what it was
before)
The ability to add a new ACE to the object’s DACL
WriteDACL
Abuse cmdlet: Add-DomainObjectACL
Cleanup cmdlet: Remove-DomainObjectACL
The ability to perform any “extended right” function
AllExtendedRights
Abuse cmdlets: Add-DomainGroupMember, Set-
DomainUserPassword, Set-DomainObject & Kerberoast
Cleanup cmdlets and method: Remove-DomainGroupMember,
mimikatz lsadump::setntlm, Set-DomainObject -Clear
Finding Misconfigs
and Attack Paths
Finding Attack Opportunities
•How to use PowerView for singular object ACL
inspection – the domain object is a good
candidate here
•How to use SharpHound collector to gather ACLs
for all objects
•How to use BloodHound to find attack paths
Finding Attack Opportunities
• While graph theory is the best approach for modeling the
entire system, one-off analysis can still be useful
• PowerView’s Get-DomainObjectAcl is our go-to for
specific object enumeration and verification of
BloodHound results
• -ResolveGuids helps resolve GUID rights to human
readable form :)
Who can DCSync?
Foreign GPO Edit Rights
SharpHound
•A complete rewrite of the PowerShell Ingestor into
C#
•Lots of new features
•Massive performance increases
•Lots of bugs fixed
•Completely fixed memory usage (200-250mb tops)
SharpHound
•More and better threading!
•Modular stealth enumeration!
•Session Looping
•Caching
•Progress Output! (!!!!!!!!)
•Locale independent Local Admin enumeration
SharpHound – Speed Improvements
SharpHound
•For a full technical write-up and usage guide, see
Rohan’s blog post here:
http://bit.ly/2xVVoVc
Old Ingestor New Ingestor
Special Shoutout
Thank you to all the users in the BloodHound
slack channel participating in the beta. Your help
has been invaluable!
Interface Demo
https://youtu.be/BAEfEdNWij0
Attack Path Demo
https://youtu.be/5USRboxxYUo
Future Work
•More options for taking over computer objects
•Set a temporary fine grained password policy on
a single user to bypass NT history and minimum
age check
•GPOs…soon!
Thank You!
• We are @_wald0, @CptJesus and @harmj0y -
https://www.specterops.io
• Thank you to the BloodHound community for your support, ideas and
beta testing SharpHound. Get BloodHound at
https://bit.ly/GetBloodHound and SharpHound at
http://bit.ly/SharpHound
• Join the BloodHound Slack at
https://bloodhoundgang.herokuapp.com

More Related Content

What's hot

PSConfEU - Offensive Active Directory (With PowerShell!)
PSConfEU - Offensive Active Directory (With PowerShell!)PSConfEU - Offensive Active Directory (With PowerShell!)
PSConfEU - Offensive Active Directory (With PowerShell!)
Will Schroeder
 
Troopers 19 - I am AD FS and So Can You
Troopers 19 - I am AD FS and So Can YouTroopers 19 - I am AD FS and So Can You
Troopers 19 - I am AD FS and So Can You
Douglas Bienstock
 
Catch Me If You Can: PowerShell Red vs Blue
Catch Me If You Can: PowerShell Red vs BlueCatch Me If You Can: PowerShell Red vs Blue
Catch Me If You Can: PowerShell Red vs Blue
Will Schroeder
 
Fantastic Red Team Attacks and How to Find Them
Fantastic Red Team Attacks and How to Find ThemFantastic Red Team Attacks and How to Find Them
Fantastic Red Team Attacks and How to Find Them
Ross Wolf
 
I Hunt Sys Admins
I Hunt Sys AdminsI Hunt Sys Admins
I Hunt Sys Admins
Will Schroeder
 
Cyber Threat hunting workshop
Cyber Threat hunting workshopCyber Threat hunting workshop
Cyber Threat hunting workshop
Arpan Raval
 
I Have the Power(View)
I Have the Power(View)I Have the Power(View)
I Have the Power(View)
Will Schroeder
 
Carlos García - Pentesting Active Directory Forests [rooted2019]
Carlos García - Pentesting Active Directory Forests [rooted2019]Carlos García - Pentesting Active Directory Forests [rooted2019]
Carlos García - Pentesting Active Directory Forests [rooted2019]
RootedCON
 
SpecterOps Webinar Week - Kerberoasting Revisisted
SpecterOps Webinar Week - Kerberoasting RevisistedSpecterOps Webinar Week - Kerberoasting Revisisted
SpecterOps Webinar Week - Kerberoasting Revisisted
Will Schroeder
 
An ACE in the Hole - Stealthy Host Persistence via Security Descriptors
An ACE in the Hole - Stealthy Host Persistence via Security DescriptorsAn ACE in the Hole - Stealthy Host Persistence via Security Descriptors
An ACE in the Hole - Stealthy Host Persistence via Security Descriptors
Will Schroeder
 
DerbyCon 2019 - Kerberoasting Revisited
DerbyCon 2019 - Kerberoasting RevisitedDerbyCon 2019 - Kerberoasting Revisited
DerbyCon 2019 - Kerberoasting Revisited
Will Schroeder
 
Introduction to red team operations
Introduction to red team operationsIntroduction to red team operations
Introduction to red team operations
Sunny Neo
 
The Travelling Pentester: Diaries of the Shortest Path to Compromise
The Travelling Pentester: Diaries of the Shortest Path to CompromiseThe Travelling Pentester: Diaries of the Shortest Path to Compromise
The Travelling Pentester: Diaries of the Shortest Path to Compromise
Will Schroeder
 
Introduction to MITRE ATT&CK
Introduction to MITRE ATT&CKIntroduction to MITRE ATT&CK
Introduction to MITRE ATT&CK
Arpan Raval
 
How to Hunt for Lateral Movement on Your Network
How to Hunt for Lateral Movement on Your NetworkHow to Hunt for Lateral Movement on Your Network
How to Hunt for Lateral Movement on Your Network
Sqrrl
 
PHDays 2018 Threat Hunting Hands-On Lab
PHDays 2018 Threat Hunting Hands-On LabPHDays 2018 Threat Hunting Hands-On Lab
PHDays 2018 Threat Hunting Hands-On Lab
Teymur Kheirkhabarov
 
ATT&CKING Containers in The Cloud
ATT&CKING Containers in The CloudATT&CKING Containers in The Cloud
ATT&CKING Containers in The Cloud
MITRE ATT&CK
 
BloodHound Unleashed.pdf
BloodHound Unleashed.pdfBloodHound Unleashed.pdf
BloodHound Unleashed.pdf
n00py1
 
Red Team Methodology - A Naked Look
Red Team Methodology - A Naked LookRed Team Methodology - A Naked Look
Red Team Methodology - A Naked Look
Jason Lang
 
0wn-premises: Bypassing Microsoft Defender for Identity
0wn-premises: Bypassing Microsoft Defender for Identity0wn-premises: Bypassing Microsoft Defender for Identity
0wn-premises: Bypassing Microsoft Defender for Identity
Nikhil Mittal
 

What's hot (20)

PSConfEU - Offensive Active Directory (With PowerShell!)
PSConfEU - Offensive Active Directory (With PowerShell!)PSConfEU - Offensive Active Directory (With PowerShell!)
PSConfEU - Offensive Active Directory (With PowerShell!)
 
Troopers 19 - I am AD FS and So Can You
Troopers 19 - I am AD FS and So Can YouTroopers 19 - I am AD FS and So Can You
Troopers 19 - I am AD FS and So Can You
 
Catch Me If You Can: PowerShell Red vs Blue
Catch Me If You Can: PowerShell Red vs BlueCatch Me If You Can: PowerShell Red vs Blue
Catch Me If You Can: PowerShell Red vs Blue
 
Fantastic Red Team Attacks and How to Find Them
Fantastic Red Team Attacks and How to Find ThemFantastic Red Team Attacks and How to Find Them
Fantastic Red Team Attacks and How to Find Them
 
I Hunt Sys Admins
I Hunt Sys AdminsI Hunt Sys Admins
I Hunt Sys Admins
 
Cyber Threat hunting workshop
Cyber Threat hunting workshopCyber Threat hunting workshop
Cyber Threat hunting workshop
 
I Have the Power(View)
I Have the Power(View)I Have the Power(View)
I Have the Power(View)
 
Carlos García - Pentesting Active Directory Forests [rooted2019]
Carlos García - Pentesting Active Directory Forests [rooted2019]Carlos García - Pentesting Active Directory Forests [rooted2019]
Carlos García - Pentesting Active Directory Forests [rooted2019]
 
SpecterOps Webinar Week - Kerberoasting Revisisted
SpecterOps Webinar Week - Kerberoasting RevisistedSpecterOps Webinar Week - Kerberoasting Revisisted
SpecterOps Webinar Week - Kerberoasting Revisisted
 
An ACE in the Hole - Stealthy Host Persistence via Security Descriptors
An ACE in the Hole - Stealthy Host Persistence via Security DescriptorsAn ACE in the Hole - Stealthy Host Persistence via Security Descriptors
An ACE in the Hole - Stealthy Host Persistence via Security Descriptors
 
DerbyCon 2019 - Kerberoasting Revisited
DerbyCon 2019 - Kerberoasting RevisitedDerbyCon 2019 - Kerberoasting Revisited
DerbyCon 2019 - Kerberoasting Revisited
 
Introduction to red team operations
Introduction to red team operationsIntroduction to red team operations
Introduction to red team operations
 
The Travelling Pentester: Diaries of the Shortest Path to Compromise
The Travelling Pentester: Diaries of the Shortest Path to CompromiseThe Travelling Pentester: Diaries of the Shortest Path to Compromise
The Travelling Pentester: Diaries of the Shortest Path to Compromise
 
Introduction to MITRE ATT&CK
Introduction to MITRE ATT&CKIntroduction to MITRE ATT&CK
Introduction to MITRE ATT&CK
 
How to Hunt for Lateral Movement on Your Network
How to Hunt for Lateral Movement on Your NetworkHow to Hunt for Lateral Movement on Your Network
How to Hunt for Lateral Movement on Your Network
 
PHDays 2018 Threat Hunting Hands-On Lab
PHDays 2018 Threat Hunting Hands-On LabPHDays 2018 Threat Hunting Hands-On Lab
PHDays 2018 Threat Hunting Hands-On Lab
 
ATT&CKING Containers in The Cloud
ATT&CKING Containers in The CloudATT&CKING Containers in The Cloud
ATT&CKING Containers in The Cloud
 
BloodHound Unleashed.pdf
BloodHound Unleashed.pdfBloodHound Unleashed.pdf
BloodHound Unleashed.pdf
 
Red Team Methodology - A Naked Look
Red Team Methodology - A Naked LookRed Team Methodology - A Naked Look
Red Team Methodology - A Naked Look
 
0wn-premises: Bypassing Microsoft Defender for Identity
0wn-premises: Bypassing Microsoft Defender for Identity0wn-premises: Bypassing Microsoft Defender for Identity
0wn-premises: Bypassing Microsoft Defender for Identity
 

Similar to Here Be Dragons: The Unexplored Land of Active Directory ACLs

Defending Your "Gold"
Defending Your "Gold"Defending Your "Gold"
Defending Your "Gold"
Will Schroeder
 
BloodHound 1.3 - The ACL Attack Path Update - Paranoia17, Oslo
BloodHound 1.3 - The ACL Attack Path Update - Paranoia17, OsloBloodHound 1.3 - The ACL Attack Path Update - Paranoia17, Oslo
BloodHound 1.3 - The ACL Attack Path Update - Paranoia17, Oslo
Andy Robbins
 
Ace Up the Sleeve
Ace Up the SleeveAce Up the Sleeve
Ace Up the Sleeve
Will Schroeder
 
MongoDB World 2019: Terraform New Worlds on MongoDB Atlas
MongoDB World 2019: Terraform New Worlds on MongoDB Atlas MongoDB World 2019: Terraform New Worlds on MongoDB Atlas
MongoDB World 2019: Terraform New Worlds on MongoDB Atlas
MongoDB
 
Bridging the Gap: Lessons in Adversarial Tradecraft
Bridging the Gap: Lessons in Adversarial TradecraftBridging the Gap: Lessons in Adversarial Tradecraft
Bridging the Gap: Lessons in Adversarial Tradecraft
enigma0x3
 
Bridging the Gap
Bridging the GapBridging the Gap
Bridging the Gap
Will Schroeder
 
Scientific Computing - Hardware
Scientific Computing - HardwareScientific Computing - Hardware
Scientific Computing - Hardware
jalle6
 
What Permissions Does Your Database User REALLY Need?
What Permissions Does Your Database User REALLY Need?What Permissions Does Your Database User REALLY Need?
What Permissions Does Your Database User REALLY Need?
Denim Group
 
Automatisez la détection des menaces et évitez les faux positifs
Automatisez la détection des menaces et évitez les faux positifsAutomatisez la détection des menaces et évitez les faux positifs
Automatisez la détection des menaces et évitez les faux positifs
Elasticsearch
 
Derbycon - Passing the Torch
Derbycon - Passing the TorchDerbycon - Passing the Torch
Derbycon - Passing the Torch
Will Schroeder
 
Go Hack Yourself - 10 Pen Test Tactics for Blue Teamers
Go Hack Yourself - 10 Pen Test Tactics for Blue TeamersGo Hack Yourself - 10 Pen Test Tactics for Blue Teamers
Go Hack Yourself - 10 Pen Test Tactics for Blue Teamers
jasonjfrank
 
Andy Davis' Black Hat USA Presentation Revealing embedded fingerprints
Andy Davis' Black Hat USA Presentation Revealing embedded fingerprintsAndy Davis' Black Hat USA Presentation Revealing embedded fingerprints
Andy Davis' Black Hat USA Presentation Revealing embedded fingerprints
NCC Group
 
DEF CON 27 - CHRISTOPHER ROBERTS - firmware slap
DEF CON 27 - CHRISTOPHER ROBERTS - firmware slapDEF CON 27 - CHRISTOPHER ROBERTS - firmware slap
DEF CON 27 - CHRISTOPHER ROBERTS - firmware slap
Felipe Prado
 
Protect Your Payloads: Modern Keying Techniques
Protect Your Payloads: Modern Keying TechniquesProtect Your Payloads: Modern Keying Techniques
Protect Your Payloads: Modern Keying Techniques
Leo Loobeek
 
Thick Application Penetration Testing: Crash Course
Thick Application Penetration Testing: Crash CourseThick Application Penetration Testing: Crash Course
Thick Application Penetration Testing: Crash Course
Scott Sutherland
 
Typhoon Managed Execution Toolkit
Typhoon Managed Execution ToolkitTyphoon Managed Execution Toolkit
Typhoon Managed Execution Toolkit
Dimitry Snezhkov
 
stackconf 2021 | Why you should take care of infrastructure drift
stackconf 2021 | Why you should take care of infrastructure driftstackconf 2021 | Why you should take care of infrastructure drift
stackconf 2021 | Why you should take care of infrastructure drift
NETWAYS
 
Fix me if you can - DrupalCon prague
Fix me if you can - DrupalCon pragueFix me if you can - DrupalCon prague
Fix me if you can - DrupalCon prague
hernanibf
 
Live Memory Forensics on Android devices
Live Memory Forensics on Android devicesLive Memory Forensics on Android devices
Live Memory Forensics on Android devices
Nikos Gkogkos
 
Windows Malware Techniques
Windows Malware TechniquesWindows Malware Techniques
Windows Malware Techniques
Lee C
 

Similar to Here Be Dragons: The Unexplored Land of Active Directory ACLs (20)

Defending Your "Gold"
Defending Your "Gold"Defending Your "Gold"
Defending Your "Gold"
 
BloodHound 1.3 - The ACL Attack Path Update - Paranoia17, Oslo
BloodHound 1.3 - The ACL Attack Path Update - Paranoia17, OsloBloodHound 1.3 - The ACL Attack Path Update - Paranoia17, Oslo
BloodHound 1.3 - The ACL Attack Path Update - Paranoia17, Oslo
 
Ace Up the Sleeve
Ace Up the SleeveAce Up the Sleeve
Ace Up the Sleeve
 
MongoDB World 2019: Terraform New Worlds on MongoDB Atlas
MongoDB World 2019: Terraform New Worlds on MongoDB Atlas MongoDB World 2019: Terraform New Worlds on MongoDB Atlas
MongoDB World 2019: Terraform New Worlds on MongoDB Atlas
 
Bridging the Gap: Lessons in Adversarial Tradecraft
Bridging the Gap: Lessons in Adversarial TradecraftBridging the Gap: Lessons in Adversarial Tradecraft
Bridging the Gap: Lessons in Adversarial Tradecraft
 
Bridging the Gap
Bridging the GapBridging the Gap
Bridging the Gap
 
Scientific Computing - Hardware
Scientific Computing - HardwareScientific Computing - Hardware
Scientific Computing - Hardware
 
What Permissions Does Your Database User REALLY Need?
What Permissions Does Your Database User REALLY Need?What Permissions Does Your Database User REALLY Need?
What Permissions Does Your Database User REALLY Need?
 
Automatisez la détection des menaces et évitez les faux positifs
Automatisez la détection des menaces et évitez les faux positifsAutomatisez la détection des menaces et évitez les faux positifs
Automatisez la détection des menaces et évitez les faux positifs
 
Derbycon - Passing the Torch
Derbycon - Passing the TorchDerbycon - Passing the Torch
Derbycon - Passing the Torch
 
Go Hack Yourself - 10 Pen Test Tactics for Blue Teamers
Go Hack Yourself - 10 Pen Test Tactics for Blue TeamersGo Hack Yourself - 10 Pen Test Tactics for Blue Teamers
Go Hack Yourself - 10 Pen Test Tactics for Blue Teamers
 
Andy Davis' Black Hat USA Presentation Revealing embedded fingerprints
Andy Davis' Black Hat USA Presentation Revealing embedded fingerprintsAndy Davis' Black Hat USA Presentation Revealing embedded fingerprints
Andy Davis' Black Hat USA Presentation Revealing embedded fingerprints
 
DEF CON 27 - CHRISTOPHER ROBERTS - firmware slap
DEF CON 27 - CHRISTOPHER ROBERTS - firmware slapDEF CON 27 - CHRISTOPHER ROBERTS - firmware slap
DEF CON 27 - CHRISTOPHER ROBERTS - firmware slap
 
Protect Your Payloads: Modern Keying Techniques
Protect Your Payloads: Modern Keying TechniquesProtect Your Payloads: Modern Keying Techniques
Protect Your Payloads: Modern Keying Techniques
 
Thick Application Penetration Testing: Crash Course
Thick Application Penetration Testing: Crash CourseThick Application Penetration Testing: Crash Course
Thick Application Penetration Testing: Crash Course
 
Typhoon Managed Execution Toolkit
Typhoon Managed Execution ToolkitTyphoon Managed Execution Toolkit
Typhoon Managed Execution Toolkit
 
stackconf 2021 | Why you should take care of infrastructure drift
stackconf 2021 | Why you should take care of infrastructure driftstackconf 2021 | Why you should take care of infrastructure drift
stackconf 2021 | Why you should take care of infrastructure drift
 
Fix me if you can - DrupalCon prague
Fix me if you can - DrupalCon pragueFix me if you can - DrupalCon prague
Fix me if you can - DrupalCon prague
 
Live Memory Forensics on Android devices
Live Memory Forensics on Android devicesLive Memory Forensics on Android devices
Live Memory Forensics on Android devices
 
Windows Malware Techniques
Windows Malware TechniquesWindows Malware Techniques
Windows Malware Techniques
 

Recently uploaded

20240605 QFM017 Machine Intelligence Reading List May 2024
20240605 QFM017 Machine Intelligence Reading List May 202420240605 QFM017 Machine Intelligence Reading List May 2024
20240605 QFM017 Machine Intelligence Reading List May 2024
Matthew Sinclair
 
UI5 Controls simplified - UI5con2024 presentation
UI5 Controls simplified - UI5con2024 presentationUI5 Controls simplified - UI5con2024 presentation
UI5 Controls simplified - UI5con2024 presentation
Wouter Lemaire
 
TrustArc Webinar - 2024 Global Privacy Survey
TrustArc Webinar - 2024 Global Privacy SurveyTrustArc Webinar - 2024 Global Privacy Survey
TrustArc Webinar - 2024 Global Privacy Survey
TrustArc
 
HCL Notes und Domino Lizenzkostenreduzierung in der Welt von DLAU
HCL Notes und Domino Lizenzkostenreduzierung in der Welt von DLAUHCL Notes und Domino Lizenzkostenreduzierung in der Welt von DLAU
HCL Notes und Domino Lizenzkostenreduzierung in der Welt von DLAU
panagenda
 
“Building and Scaling AI Applications with the Nx AI Manager,” a Presentation...
“Building and Scaling AI Applications with the Nx AI Manager,” a Presentation...“Building and Scaling AI Applications with the Nx AI Manager,” a Presentation...
“Building and Scaling AI Applications with the Nx AI Manager,” a Presentation...
Edge AI and Vision Alliance
 
GenAI Pilot Implementation in the organizations
GenAI Pilot Implementation in the organizationsGenAI Pilot Implementation in the organizations
GenAI Pilot Implementation in the organizations
kumardaparthi1024
 
みなさんこんにちはこれ何文字まで入るの?40文字以下不可とか本当に意味わからないけどこれ限界文字数書いてないからマジでやばい文字数いけるんじゃないの?えこ...
みなさんこんにちはこれ何文字まで入るの?40文字以下不可とか本当に意味わからないけどこれ限界文字数書いてないからマジでやばい文字数いけるんじゃないの?えこ...みなさんこんにちはこれ何文字まで入るの?40文字以下不可とか本当に意味わからないけどこれ限界文字数書いてないからマジでやばい文字数いけるんじゃないの?えこ...
みなさんこんにちはこれ何文字まで入るの?40文字以下不可とか本当に意味わからないけどこれ限界文字数書いてないからマジでやばい文字数いけるんじゃないの?えこ...
名前 です男
 
Infrastructure Challenges in Scaling RAG with Custom AI models
Infrastructure Challenges in Scaling RAG with Custom AI modelsInfrastructure Challenges in Scaling RAG with Custom AI models
Infrastructure Challenges in Scaling RAG with Custom AI models
Zilliz
 
Columbus Data & Analytics Wednesdays - June 2024
Columbus Data & Analytics Wednesdays - June 2024Columbus Data & Analytics Wednesdays - June 2024
Columbus Data & Analytics Wednesdays - June 2024
Jason Packer
 
Video Streaming: Then, Now, and in the Future
Video Streaming: Then, Now, and in the FutureVideo Streaming: Then, Now, and in the Future
Video Streaming: Then, Now, and in the Future
Alpen-Adria-Universität
 
Mariano G Tinti - Decoding SpaceX
Mariano G Tinti - Decoding SpaceXMariano G Tinti - Decoding SpaceX
Mariano G Tinti - Decoding SpaceX
Mariano Tinti
 
Building Production Ready Search Pipelines with Spark and Milvus
Building Production Ready Search Pipelines with Spark and MilvusBuilding Production Ready Search Pipelines with Spark and Milvus
Building Production Ready Search Pipelines with Spark and Milvus
Zilliz
 
Things to Consider When Choosing a Website Developer for your Website | FODUU
Things to Consider When Choosing a Website Developer for your Website | FODUUThings to Consider When Choosing a Website Developer for your Website | FODUU
Things to Consider When Choosing a Website Developer for your Website | FODUU
FODUU
 
20240607 QFM018 Elixir Reading List May 2024
20240607 QFM018 Elixir Reading List May 202420240607 QFM018 Elixir Reading List May 2024
20240607 QFM018 Elixir Reading List May 2024
Matthew Sinclair
 
Your One-Stop Shop for Python Success: Top 10 US Python Development Providers
Your One-Stop Shop for Python Success: Top 10 US Python Development ProvidersYour One-Stop Shop for Python Success: Top 10 US Python Development Providers
Your One-Stop Shop for Python Success: Top 10 US Python Development Providers
akankshawande
 
UiPath Test Automation using UiPath Test Suite series, part 6
UiPath Test Automation using UiPath Test Suite series, part 6UiPath Test Automation using UiPath Test Suite series, part 6
UiPath Test Automation using UiPath Test Suite series, part 6
DianaGray10
 
Serial Arm Control in Real Time Presentation
Serial Arm Control in Real Time PresentationSerial Arm Control in Real Time Presentation
Serial Arm Control in Real Time Presentation
tolgahangng
 
Ocean lotus Threat actors project by John Sitima 2024 (1).pptx
Ocean lotus Threat actors project by John Sitima 2024 (1).pptxOcean lotus Threat actors project by John Sitima 2024 (1).pptx
Ocean lotus Threat actors project by John Sitima 2024 (1).pptx
SitimaJohn
 
Monitoring and Managing Anomaly Detection on OpenShift.pdf
Monitoring and Managing Anomaly Detection on OpenShift.pdfMonitoring and Managing Anomaly Detection on OpenShift.pdf
Monitoring and Managing Anomaly Detection on OpenShift.pdf
Tosin Akinosho
 
Taking AI to the Next Level in Manufacturing.pdf
Taking AI to the Next Level in Manufacturing.pdfTaking AI to the Next Level in Manufacturing.pdf
Taking AI to the Next Level in Manufacturing.pdf
ssuserfac0301
 

Recently uploaded (20)

20240605 QFM017 Machine Intelligence Reading List May 2024
20240605 QFM017 Machine Intelligence Reading List May 202420240605 QFM017 Machine Intelligence Reading List May 2024
20240605 QFM017 Machine Intelligence Reading List May 2024
 
UI5 Controls simplified - UI5con2024 presentation
UI5 Controls simplified - UI5con2024 presentationUI5 Controls simplified - UI5con2024 presentation
UI5 Controls simplified - UI5con2024 presentation
 
TrustArc Webinar - 2024 Global Privacy Survey
TrustArc Webinar - 2024 Global Privacy SurveyTrustArc Webinar - 2024 Global Privacy Survey
TrustArc Webinar - 2024 Global Privacy Survey
 
HCL Notes und Domino Lizenzkostenreduzierung in der Welt von DLAU
HCL Notes und Domino Lizenzkostenreduzierung in der Welt von DLAUHCL Notes und Domino Lizenzkostenreduzierung in der Welt von DLAU
HCL Notes und Domino Lizenzkostenreduzierung in der Welt von DLAU
 
“Building and Scaling AI Applications with the Nx AI Manager,” a Presentation...
“Building and Scaling AI Applications with the Nx AI Manager,” a Presentation...“Building and Scaling AI Applications with the Nx AI Manager,” a Presentation...
“Building and Scaling AI Applications with the Nx AI Manager,” a Presentation...
 
GenAI Pilot Implementation in the organizations
GenAI Pilot Implementation in the organizationsGenAI Pilot Implementation in the organizations
GenAI Pilot Implementation in the organizations
 
みなさんこんにちはこれ何文字まで入るの?40文字以下不可とか本当に意味わからないけどこれ限界文字数書いてないからマジでやばい文字数いけるんじゃないの?えこ...
みなさんこんにちはこれ何文字まで入るの?40文字以下不可とか本当に意味わからないけどこれ限界文字数書いてないからマジでやばい文字数いけるんじゃないの?えこ...みなさんこんにちはこれ何文字まで入るの?40文字以下不可とか本当に意味わからないけどこれ限界文字数書いてないからマジでやばい文字数いけるんじゃないの?えこ...
みなさんこんにちはこれ何文字まで入るの?40文字以下不可とか本当に意味わからないけどこれ限界文字数書いてないからマジでやばい文字数いけるんじゃないの?えこ...
 
Infrastructure Challenges in Scaling RAG with Custom AI models
Infrastructure Challenges in Scaling RAG with Custom AI modelsInfrastructure Challenges in Scaling RAG with Custom AI models
Infrastructure Challenges in Scaling RAG with Custom AI models
 
Columbus Data & Analytics Wednesdays - June 2024
Columbus Data & Analytics Wednesdays - June 2024Columbus Data & Analytics Wednesdays - June 2024
Columbus Data & Analytics Wednesdays - June 2024
 
Video Streaming: Then, Now, and in the Future
Video Streaming: Then, Now, and in the FutureVideo Streaming: Then, Now, and in the Future
Video Streaming: Then, Now, and in the Future
 
Mariano G Tinti - Decoding SpaceX
Mariano G Tinti - Decoding SpaceXMariano G Tinti - Decoding SpaceX
Mariano G Tinti - Decoding SpaceX
 
Building Production Ready Search Pipelines with Spark and Milvus
Building Production Ready Search Pipelines with Spark and MilvusBuilding Production Ready Search Pipelines with Spark and Milvus
Building Production Ready Search Pipelines with Spark and Milvus
 
Things to Consider When Choosing a Website Developer for your Website | FODUU
Things to Consider When Choosing a Website Developer for your Website | FODUUThings to Consider When Choosing a Website Developer for your Website | FODUU
Things to Consider When Choosing a Website Developer for your Website | FODUU
 
20240607 QFM018 Elixir Reading List May 2024
20240607 QFM018 Elixir Reading List May 202420240607 QFM018 Elixir Reading List May 2024
20240607 QFM018 Elixir Reading List May 2024
 
Your One-Stop Shop for Python Success: Top 10 US Python Development Providers
Your One-Stop Shop for Python Success: Top 10 US Python Development ProvidersYour One-Stop Shop for Python Success: Top 10 US Python Development Providers
Your One-Stop Shop for Python Success: Top 10 US Python Development Providers
 
UiPath Test Automation using UiPath Test Suite series, part 6
UiPath Test Automation using UiPath Test Suite series, part 6UiPath Test Automation using UiPath Test Suite series, part 6
UiPath Test Automation using UiPath Test Suite series, part 6
 
Serial Arm Control in Real Time Presentation
Serial Arm Control in Real Time PresentationSerial Arm Control in Real Time Presentation
Serial Arm Control in Real Time Presentation
 
Ocean lotus Threat actors project by John Sitima 2024 (1).pptx
Ocean lotus Threat actors project by John Sitima 2024 (1).pptxOcean lotus Threat actors project by John Sitima 2024 (1).pptx
Ocean lotus Threat actors project by John Sitima 2024 (1).pptx
 
Monitoring and Managing Anomaly Detection on OpenShift.pdf
Monitoring and Managing Anomaly Detection on OpenShift.pdfMonitoring and Managing Anomaly Detection on OpenShift.pdf
Monitoring and Managing Anomaly Detection on OpenShift.pdf
 
Taking AI to the Next Level in Manufacturing.pdf
Taking AI to the Next Level in Manufacturing.pdfTaking AI to the Next Level in Manufacturing.pdf
Taking AI to the Next Level in Manufacturing.pdf
 

Here Be Dragons: The Unexplored Land of Active Directory ACLs

  • 1.
  • 2. About Us: Andy • Job: Adversary Resilience Lead at Specter Ops • Tool creator/dev: BloodHound • Presenter: DEF CON, ekoparty, Black Hat Arsenal, BSidesLV, BSidesSeattle, ISSA Intl, ISC2 World Congress • Trainer: Black Hat USA, Black Hat Europe, Adversary Tactics: Red Team Operations • Twitter: @_wald0
  • 3. About Us: Rohan • Job: Director of Technology at Specter Ops • Tool creator/dev: BloodHound, EyeWitness, Empire, etc. • Presenter: DEF CON, ekoparty, Black Hat Arsenal, BSidesLV, BSidesDC, BSidesDE • Trainer: Black Hat USA • Twitter: @CptJesus
  • 4. About Us: Will • Job: Offensive Engineer at Specter Ops • Tool creator/dev: BloodHound, Veil-Framework, PowerView, PowerUp, Empire • Presenter: Cons on cons on cons • Trainer: Black Hat USA, Adversary Tactics: Active Directory, Adversary Tactics: Red Team Operations • Twitter: @harmj0y
  • 5.
  • 6. Outline • Prior Work • Why care about this? • ACL Background • Abuse Primitives • Finding Misconfigs and Attack Paths • BloodHound Interface Demo • Complex ACL Attack Path Demo
  • 8. Prior Work • Heat-ray: Combating Identity Snowball Attacks Using Machine Learning, Combinatorial Optimization and Attack Graphs John Dunagan, Alice X. Zheng, Daniel R. Simon http://bit.ly/2qG0OvE • Active Directory Control Paths Lucas Bouillot, Emmanuel Gras, Geraud de Drouas http://bit.ly/1pBc8FN
  • 9. Prior Work • Active Directory ACL Scanner Robin Granberg http://bit.ly/2faPdkz • Airbus BTA Philippe Biondi, Joffrey Czarny http://bit.ly/2faFFpX • Several AD ACL related blog posts Sean Metcalf https://adsecurity.org/?tag=ad-acls
  • 11. Why care? (part I) • Lack of awareness of impact from third party software/sysadmins • “Misconfiguration debt” from earlier installs, sometimes since your domain was stood up • General lack of defender awareness at impact/importance • Difficulty of auditing (especially at scale)
  • 12. Why care? (part II) • Any authenticated user (by default) can enumerate these DACLs • Communication in nearly all cases is limited to the DC • Execution may not require pivoting to other systems at all! • Completely different forensic profile that most orgs are not prepared for
  • 13.
  • 14.
  • 15.
  • 17. ACL Background • All securable objects in Windows and Active Directory have a Security Descriptor. • The Security Descriptor has a DACL and a SACL • The DACL is populated by ACEs, which define what permissions other objects do or do not have against an object.
  • 18.
  • 19.
  • 20.
  • 21.
  • 22. ACL Background • Those are just the very basic moving parts of ACLs and the Windows security model. • For way more in-depth info, see our 67 page white paper from Black Hat this year here: https://specterops.io/assets/resources/an_ace_up_th e_sleeve.pdf
  • 24. The ability to change a user password without knowing the current password ForceChangePW Abuse cmdlet: Set-DomainUserPassword Cleanup method: mimikatz lsadump::setntlm
  • 25. The ability to add any other user, group, or computer to a group. AddMembers Abuse cmdlet: Add-DomainGroupMember Cleanup cmdlet: Remove-DomainGroupMember
  • 26. Full object control over user and group objects GenericAll Abuse cmdlets: Add-DomainGroupMember, Set- DomainUserPassword, Set-DomainObject & Kerberoast Cleanup cmdlets and method: Remove-DomainGroupMember, mimikatz lsadump::setntlm, Set-DomainObject -Clear
  • 27. The ability to write any object property value GenericWrite Abuse cmdlets: Add-DomainGroupMember Set-DomainObject & Kerberoast Cleanup cmdlets and method: Remove-DomainGroupMember, Set-DomainObject -Clear
  • 28. The ability to grant object ownership to another principal WriteOwner Abuse cmdlet: Set-DomainObjectOwner Cleanup cmdlet: Set-DomainObjectOwner (back to what it was before)
  • 29. The ability to add a new ACE to the object’s DACL WriteDACL Abuse cmdlet: Add-DomainObjectACL Cleanup cmdlet: Remove-DomainObjectACL
  • 30. The ability to perform any “extended right” function AllExtendedRights Abuse cmdlets: Add-DomainGroupMember, Set- DomainUserPassword, Set-DomainObject & Kerberoast Cleanup cmdlets and method: Remove-DomainGroupMember, mimikatz lsadump::setntlm, Set-DomainObject -Clear
  • 32. Finding Attack Opportunities •How to use PowerView for singular object ACL inspection – the domain object is a good candidate here •How to use SharpHound collector to gather ACLs for all objects •How to use BloodHound to find attack paths
  • 33. Finding Attack Opportunities • While graph theory is the best approach for modeling the entire system, one-off analysis can still be useful • PowerView’s Get-DomainObjectAcl is our go-to for specific object enumeration and verification of BloodHound results • -ResolveGuids helps resolve GUID rights to human readable form :)
  • 36. SharpHound •A complete rewrite of the PowerShell Ingestor into C# •Lots of new features •Massive performance increases •Lots of bugs fixed •Completely fixed memory usage (200-250mb tops)
  • 37. SharpHound •More and better threading! •Modular stealth enumeration! •Session Looping •Caching •Progress Output! (!!!!!!!!) •Locale independent Local Admin enumeration
  • 38. SharpHound – Speed Improvements
  • 39. SharpHound •For a full technical write-up and usage guide, see Rohan’s blog post here: http://bit.ly/2xVVoVc
  • 40. Old Ingestor New Ingestor
  • 41. Special Shoutout Thank you to all the users in the BloodHound slack channel participating in the beta. Your help has been invaluable!
  • 46. Future Work •More options for taking over computer objects •Set a temporary fine grained password policy on a single user to bypass NT history and minimum age check •GPOs…soon!
  • 47. Thank You! • We are @_wald0, @CptJesus and @harmj0y - https://www.specterops.io • Thank you to the BloodHound community for your support, ideas and beta testing SharpHound. Get BloodHound at https://bit.ly/GetBloodHound and SharpHound at http://bit.ly/SharpHound • Join the BloodHound Slack at https://bloodhoundgang.herokuapp.com