DIRECTORY USING BLOODHOUND: BLUE TEAM EDITION
SPEAKER
IAN BARTON
Senior Consultant
© 2019 CROWDSTRIKE
SPEAKER
NICK BINDEMAN
Consultant
AGENDA
§ What is BloodHound?
§ BloodHound crash course
§ Go Blue Team!
ASK YOURSELVES
"Defenders think in lists. Attackers think in graphs. As long as this is true, attackers win."
John Lambert, Distinguished Engineer, Microsoft Threat Intelligence Center (@JohnLaTwC)
ENTER: BLOODHOUND
DATA INGESTOR
§ Used to collect data from Active Directory and from individual hosts in the environment
§ Queries are performed via:
  § LDAP (domain objects, group membership, ACLs)
  § SMB / RPC (local group membership and logged-on sessions on each host)
§ Official ingestor from the BloodHound developers (SharpHound)
§ Written in C#; a PowerShell wrapper loads the same assembly in memory, so collection can run without writing a binary to disk
§ Collection is noisy (LDAP enumeration plus SMB/RPC connections to every reachable host): run it from a known, documented host, and treat the same pattern from anywhere else as a detection opportunity, because attackers collect exactly the same data
EXAMPLE DATA COLLECTED
RELATIONSHIP TYPES
BLOODHOUND CLIENT
[client screenshots; two of the captions are recoverable]
Explicit Admins: the principals listed directly in a computer's local Administrators group (what a list-based review of the host shows).
Unrolled Admins: every principal that inherits that right through nested group membership (what the graph shows, and what an attacker actually has).
NEO4J CONSOLE
UNINTENDED EFFECTIVE PERMISSIONS
Bob --MemberOf--> IAM Admins --MemberOf--> Server Admins --AdminTo--> Domain Controller
Bob is not in Domain Admins and is never listed on the domain controller's local Administrators group, yet two nested group memberships make him an effective local administrator of a domain controller. Neither list (the DC's admin group or the Domain Admins membership) reveals this; only following the edges does.
BLOODHOUND FOR
THE BLUE TEAM
BENEFITS FOR THE BLUE TEAM
MODELING CHANGES IN AD
Before: 100% of users can achieve Domain Admin starting from Domain Users
Change modeled: 12 CanRDP paths removed
After: 5% of users can achieve Domain Admin once the changes are made
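The following is an added example and is not code from the slides or from the BloodHound project. It is a small Python model of a BloodHound-style graph built from constructed sample edges (every name, including CORP.LOCAL, BOB, IAM ADMINS, SERVER ADMINS, DC01 and JUMP01, is an assumption). It reproduces three things the preceding slides show: explicit versus unrolled admins of a computer, Bob's unintended effective admin rights on the domain controller through nested MemberOf edges, and the before/after percentage of users that can reach Domain Admins once CanRDP edges are removed. In a real deployment these questions are asked of Neo4j in Cypher; rough equivalents are given in comments and should be checked against the BloodHound schema version in use.

```python
from collections import defaultdict, deque

# Constructed sample data (not from the slides): BloodHound-style edges as
# (source, relationship, target). Names follow BloodHound's UPPERCASE@DOMAIN form.
#   MemberOf   principal -> group
#   AdminTo    principal -> computer (local Administrators)
#   CanRDP     principal -> computer (Remote Desktop Users)
#   HasSession computer  -> user    (logged-on user whose credentials are exposed)
EDGES = [
    ("BOB@CORP.LOCAL", "MemberOf", "IAM ADMINS@CORP.LOCAL"),
    ("IAM ADMINS@CORP.LOCAL", "MemberOf", "SERVER ADMINS@CORP.LOCAL"),
    ("SERVER ADMINS@CORP.LOCAL", "AdminTo", "DC01.CORP.LOCAL"),
    ("ALICE@CORP.LOCAL", "MemberOf", "DOMAIN ADMINS@CORP.LOCAL"),
    ("DOMAIN ADMINS@CORP.LOCAL", "AdminTo", "DC01.CORP.LOCAL"),
    ("DC01.CORP.LOCAL", "HasSession", "ALICE@CORP.LOCAL"),
    ("DOMAIN USERS@CORP.LOCAL", "CanRDP", "JUMP01.CORP.LOCAL"),
    ("JUMP01.CORP.LOCAL", "HasSession", "ALICE@CORP.LOCAL"),
    ("BOB@CORP.LOCAL", "MemberOf", "DOMAIN USERS@CORP.LOCAL"),
    ("ALICE@CORP.LOCAL", "MemberOf", "DOMAIN USERS@CORP.LOCAL"),
    ("CAROL@CORP.LOCAL", "MemberOf", "DOMAIN USERS@CORP.LOCAL"),
    ("DAVE@CORP.LOCAL", "MemberOf", "DOMAIN USERS@CORP.LOCAL"),
]
USERS = ["ALICE@CORP.LOCAL", "BOB@CORP.LOCAL", "CAROL@CORP.LOCAL", "DAVE@CORP.LOCAL"]
DOMAIN_ADMINS = "DOMAIN ADMINS@CORP.LOCAL"


def build_graph(edges):
    """Forward adjacency: node -> list of (relationship, target)."""
    graph = defaultdict(list)
    for src, rel, dst in edges:
        graph[src].append((rel, dst))
    return graph


def explicit_admins(edges, computer):
    """Principals with a direct AdminTo edge: what the local Administrators
    group literally lists (the 'Explicit Admins' view)."""
    return {src for src, rel, dst in edges if rel == "AdminTo" and dst == computer}


def unrolled_admins(edges, computer):
    """Explicit admins plus everything that reaches them through nested
    MemberOf edges: the effective local admins (the 'Unrolled Admins' view).
    Rough Cypher equivalent (assumed):
      MATCH p=(n)-[:MemberOf*0..]->(g)-[:AdminTo]->(c:Computer {name:$name}) RETURN p
    """
    members_of = defaultdict(list)  # group -> its direct members
    for src, rel, dst in edges:
        if rel == "MemberOf":
            members_of[dst].append(src)
    result = set(explicit_admins(edges, computer))
    queue = deque(result)
    while queue:  # walk MemberOf edges backwards from each admin group
        group = queue.popleft()
        for member in members_of[group]:
            if member not in result:
                result.add(member)
                queue.append(member)
    return result


def has_path(graph, start, target, ignore_rels=()):
    """BFS over every relationship type except ignore_rels; BloodHound's
    shortest-path queries likewise traverse any edge type.
    Rough Cypher equivalent (assumed):
      MATCH p=shortestPath((u:User {name:$u})-[*1..]->(g:Group {name:$g})) RETURN p
    """
    seen = {start}
    queue = deque([start])
    while queue:
        node = queue.popleft()
        if node == target:
            return True
        for rel, nxt in graph[node]:
            if rel in ignore_rels or nxt in seen:
                continue
            seen.add(nxt)
            queue.append(nxt)
    return False


def percent_reaching(edges, users, target, ignore_rels=()):
    """Percentage of users with at least one path to target."""
    graph = build_graph(edges)
    reaching = sum(has_path(graph, u, target, ignore_rels) for u in users)
    return 100.0 * reaching / len(users)


def remove_edges(edges, rel):
    """Model a remediation before applying it: drop every edge of one type."""
    return [e for e in edges if e[1] != rel]


if __name__ == "__main__":
    dc = "DC01.CORP.LOCAL"
    print("explicit admins on DC01:", sorted(explicit_admins(EDGES, dc)))
    print("unrolled admins on DC01:", sorted(unrolled_admins(EDGES, dc)))
    before = percent_reaching(EDGES, USERS, DOMAIN_ADMINS)
    after = percent_reaching(remove_edges(EDGES, "CanRDP"), USERS, DOMAIN_ADMINS)
    print(f"users reaching Domain Admins: {before:.0f}% before, {after:.0f}% after removing CanRDP")
```

Bob appears only in the unrolled view, which is the "unintended effective permissions" case from the slide. The before/after figures here (100% and 50%) come from the constructed sample, not from the engagement the slide reports; the point is the workflow: measure, remove the edges you intend to remove in the graph, measure again, and only then change AD.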
FURTHER READING
THANK YOU.
ANY QUESTIONS?