About Us: Andy
• Job: Adversary Resilience Lead at SpecterOps
• Tool creator/dev: BloodHound
• Presenter: DEF CON, ekoparty, Black Hat Arsenal, BSidesLV, BSidesSeattle, ISSA Intl, ISC2 World Congress
• Trainer: Black Hat USA, Black Hat Europe, Adversary Tactics: Red Team Operations
• Twitter: @_wald0
About Us: Rohan
• Job: Director of Technology at SpecterOps
• Tool creator/dev: BloodHound, EyeWitness, Empire, etc.
• Presenter: DEF CON, ekoparty, Black Hat Arsenal, BSidesLV, BSidesDC, BSidesDE
• Trainer: Black Hat USA
• Twitter: @CptJesus
About Us: Will
• Job: Offensive Engineer at SpecterOps
• Tool creator/dev: BloodHound, Veil-Framework, PowerView, PowerUp, Empire
• Presenter: Cons on cons on cons
• Trainer: Black Hat USA, Adversary Tactics: Active Directory, Adversary Tactics: Red Team Operations
• Twitter: @harmj0y
Outline
• Prior Work
• Why care about this?
• ACL Background
• Abuse Primitives
• Finding Misconfigs and Attack Paths
• BloodHound Interface Demo
• Complex ACL Attack Path Demo
Prior Work
Prior Work
• Heat-ray: Combating Identity Snowball Attacks Using Machine Learning, Combinatorial Optimization and Attack Graphs
  John Dunagan, Alice X. Zheng, Daniel R. Simon
  http://bit.ly/2qG0OvE
• Active Directory Control Paths
  Lucas Bouillot, Emmanuel Gras, Geraud de Drouas
  http://bit.ly/1pBc8FN
Prior Work
• Active Directory ACL Scanner
  Robin Granberg
  http://bit.ly/2faPdkz
• Airbus BTA
  Philippe Biondi, Joffrey Czarny
  http://bit.ly/2faFFpX
• Several AD ACL related blog posts
  Sean Metcalf
  https://adsecurity.org/?tag=ad-acls
Why care?
Why care? (part I)
• Lack of awareness of the impact of ACL changes made by third party software and sysadmins
• “Misconfiguration debt” from earlier installs, sometimes dating back to when your domain was stood up
• General lack of defender awareness of the impact/importance of ACLs
• Difficulty of auditing (especially at scale)
Why care? (part II)
• Any authenticated user (by default) can enumerate these DACLs
• Communication in nearly all cases is limited to the DC
• Execution may not require pivoting to other systems at all!
• Completely different forensic profile that most orgs are not prepared for
ACL Background
ACL Background
• All securable objects in Windows and Active Directory have a Security Descriptor.
• The Security Descriptor has a DACL and a SACL.
• The DACL is populated by ACEs, which define what permissions other objects do or do not have against an object.
ACL Background
• Those are just the very basic moving parts of ACLs and the Windows security model.
• For way more in-depth info, see our 67 page white paper from Black Hat this year here:
  https://specterops.io/assets/resources/an_ace_up_the_sleeve.pdf
Abuse Primitives
ForceChangePW
The ability to change a user password without knowing the current password
Abuse cmdlet: Set-DomainUserPassword
Cleanup method: mimikatz lsadump::setntlm

AddMembers
The ability to add any other user, group, or computer to a group
Abuse cmdlet: Add-DomainGroupMember
Cleanup cmdlet: Remove-DomainGroupMember

GenericAll
Full object control over user and group objects
Abuse cmdlets: Add-DomainGroupMember, Set-DomainUserPassword, Set-DomainObject & Kerberoast
Cleanup cmdlets and method: Remove-DomainGroupMember, mimikatz lsadump::setntlm, Set-DomainObject -Clear

GenericWrite
The ability to write any object property value
Abuse cmdlets: Add-DomainGroupMember, Set-DomainObject & Kerberoast
Cleanup cmdlets and method: Remove-DomainGroupMember, Set-DomainObject -Clear

WriteOwner
The ability to grant object ownership to another principal
Abuse cmdlet: Set-DomainObjectOwner
Cleanup cmdlet: Set-DomainObjectOwner (back to what it was before)

WriteDACL
The ability to add a new ACE to the object’s DACL
Abuse cmdlet: Add-DomainObjectACL
Cleanup cmdlet: Remove-DomainObjectACL

AllExtendedRights
The ability to perform any “extended right” function
Abuse cmdlets: Add-DomainGroupMember, Set-DomainUserPassword, Set-DomainObject & Kerberoast
Cleanup cmdlets and method: Remove-DomainGroupMember, mimikatz lsadump::setntlm, Set-DomainObject -Clear
Finding Misconfigs and Attack Paths
Finding Attack Opportunities
• How to use PowerView for singular object ACL inspection – the domain object is a good candidate here
• How to use the SharpHound collector to gather ACLs for all objects
• How to use BloodHound to find attack paths
Finding Attack Opportunities
• While graph theory is the best approach for modeling the entire system, one-off analysis can still be useful
• PowerView’s Get-DomainObjectAcl is our go-to for specific object enumeration and verification of BloodHound results
• -ResolveGUIDs helps resolve GUID rights to human readable form :)
Who can DCSync?
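As an added illustration (not BloodHound or SharpHound code), the following Python maps individual allow ACEs to the abuse primitives listed above and then answers the "Who can DCSync?" question for a constructed DACL on the domain head. Mask bits follow the ADS_RIGHTS_ENUM values, the GUIDs are the well-known schema and control-access-right GUIDs, and the principal names and sample ACEs are constructed for the example.

```python
# Added example, not BloodHound/SharpHound code: classify AD allow ACEs into
# abuse primitives and audit the domain object for replication rights.
from collections import defaultdict

# Access-mask bits (ADS_RIGHTS_ENUM) relevant to the primitives above
WRITE_PROP, CONTROL_ACCESS, WRITE_DACL, WRITE_OWNER = 0x20, 0x100, 0x40000, 0x80000
GENERIC_ALL_MASK = 0xF01FF  # what GENERIC_ALL expands to on a directory object
NULL_GUID = "00000000-0000-0000-0000-000000000000"     # ACE covers the whole object
MEMBER_ATTR = "bf9679c0-0de6-11d0-a285-00aa003049e2"   # the group 'member' attribute
FORCE_CHANGE_PW = "00299570-246d-11d0-a768-00aa006e0529"  # User-Force-Change-Password
GET_CHANGES = "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2"      # DS-Replication-Get-Changes
GET_CHANGES_ALL = "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2"  # DS-Replication-Get-Changes-All

def classify(mask, object_type=NULL_GUID):
    """Return the BloodHound-style edge names implied by one allow ACE."""
    if mask & GENERIC_ALL_MASK == GENERIC_ALL_MASK:
        return {"GenericAll"}
    edges = set()
    if mask & WRITE_DACL:
        edges.add("WriteDacl")
    if mask & WRITE_OWNER:
        edges.add("WriteOwner")
    if mask & WRITE_PROP:          # property write: scoped by the object-type GUID
        if object_type == NULL_GUID:
            edges.add("GenericWrite")
        elif object_type == MEMBER_ATTR:
            edges.add("AddMember")
    if mask & CONTROL_ACCESS:      # extended right: scoped by the object-type GUID
        if object_type == NULL_GUID:
            edges.add("AllExtendedRights")
        elif object_type == FORCE_CHANGE_PW:
            edges.add("ForceChangePassword")
        elif object_type == GET_CHANGES:
            edges.add("GetChanges")
        elif object_type == GET_CHANGES_ALL:
            edges.add("GetChangesAll")
    return edges

def who_can_dcsync(domain_aces):
    """Principals holding both replication rights, or a right that implies them, on the domain object."""
    rights = defaultdict(set)
    for principal, mask, guid in domain_aces:
        rights[principal] |= classify(mask, guid)
    return sorted(p for p, r in rights.items()
                  if {"GetChanges", "GetChangesAll"} <= r or r & {"GenericAll", "AllExtendedRights"})

# Constructed sample DACL on the domain head: (principal, access mask, object-type GUID)
SAMPLE_DOMAIN_ACES = [
    ("CORP\\Domain Admins", GENERIC_ALL_MASK, NULL_GUID),
    ("CORP\\svc_backup", CONTROL_ACCESS, GET_CHANGES),
    ("CORP\\svc_backup", CONTROL_ACCESS, GET_CHANGES_ALL),  # leftover from an old install
    ("CORP\\svc_monitor", CONTROL_ACCESS, GET_CHANGES),     # one right only: not enough
]
```

Running who_can_dcsync(SAMPLE_DOMAIN_ACES) flags only Domain Admins and svc_backup; svc_monitor holds one of the two replication rights and is not reported.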
Foreign GPO Edit Rights
SharpHound
• A complete rewrite of the PowerShell Ingestor into C#
• Lots of new features
• Massive performance increases
• Lots of bugs fixed
• Completely fixed memory usage (200-250mb tops)
SharpHound
• More and better threading!
• Modular stealth enumeration!
• Session Looping
• Caching
• Progress Output! (!!!!!!!!)
• Locale independent Local Admin enumeration
SharpHound – Speed Improvements
SharpHound
• For a full technical write-up and usage guide, see Rohan’s blog post here:
  http://bit.ly/2xVVoVc
[Speed comparison chart: Old Ingestor vs. New Ingestor]
Special Shoutout
Thank you to all the users in the BloodHound slack channel participating in the beta. Your help has been invaluable!
Interface Demo
https://youtu.be/BAEfEdNWij0
Attack Path Demo
https://youtu.be/5USRboxxYUo
Future Work
• More options for taking over computer objects
• Set a temporary fine grained password policy on a single user to bypass NT history and minimum age check
• GPOs…soon!
Thank You!
• We are @_wald0, @CptJesus and @harmj0y - https://www.specterops.io
• Thank you to the BloodHound community for your support, ideas and beta testing SharpHound. Get BloodHound at https://bit.ly/GetBloodHound and SharpHound at http://bit.ly/SharpHound
• Join the BloodHound Slack at https://bloodhoundgang.herokuapp.com