MAPPING ACTIVE DIRECTORY USING BLOODHOUND
BLUE TEAM EDITION
SPEAKER

IAN BARTON
Senior Consultant

§ Incident Responder for CrowdStrike Services
§ Loves DFIR, Splunk, and board games
§ Proud member of the Blue Team

© 2019 CROWDSTRIKE
SPEAKER

NICK BINDEMAN
Consultant

§ Loves BloodHound almost as much as Pippa
§ Proud member of the Red Team

AGENDA

§ WHAT IS BLOODHOUND?
§ BLOODHOUND CRASH COURSE
§ GO BLUE TEAM!

ASK YOURSELVES

§ How many privileged accounts exist in AD?
§ What is the easiest path for an adversary to obtain privileged credentials?
§ Who has the advantage in your environment: adversary or admin?

“Defenders think in lists. Attackers think in graphs. As long as this is true, attackers win.”

John Lambert, Distinguished Engineer, Microsoft Threat Intelligence Center (@JohnLaTwC)

ENTER: BLOODHOUND

BLOODHOUND

§ Active Directory enumeration and analysis toolset
§ Utilizes graph theory to show often unintended relationships in AD
§ Three main components:
  § Data ingestor
  § Neo4j database
  § BloodHound client

DATA INGESTOR

§ Used to collect data from Active Directory and individual hosts in an environment
§ Queries are performed via:
  § LDAP
  § SMB RPC
§ Official ingestor (SharpHound) from the BloodHound developers
§ Written in C#, but also has a PowerShell script which can execute without writing a binary to disk

Note: the PowerShell version will be blocked by Falcon if “Suspicious PowerShell Scripts and Commands” is enabled in the prevention policy

EXAMPLE DATA COLLECTED

Common fields: Name, SID, Access Control Entries

User:
§ Password Change Date
§ Password Not Required

Computer:
§ Service Principal Names
§ Local Admins
§ Operating System

Group:
§ Members

RELATIONSHIP TYPES

Schema:
§ MemberOf
§ Owns

ACL:
§ GenericAll
§ AllExtendedRights

Host Specific:
§ CanRDP
§ HasSession
§ AdminTo

BLOODHOUND CLIENT

§ Local client written in Electron (cross-platform compatibility)
§ Connects to a Neo4j database
§ Shows individual nodes (users, groups, computers, etc.) and the relationships between them

BLOODHOUND CLIENT

Screenshots: shortest paths to Domain Admin; explicit admins; unrolled admins

NEO4J CONSOLE

Screenshot: general user information

UNINTENDED EFFECTIVE PERMISSIONS

Bob --MemberOf--> IAM Admins --MemberOf--> Server Admins --AdminTo--> Domain Controller

Bob never appears in any admin list for the Domain Controller; two levels of group nesting give him that effective permission.

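The three client views (shortest paths to Domain Admin, explicit admins, unrolled admins), the Neo4j console's user lookup, and Bob's nested-group path above, written as Cypher queries against the BloodHound database. This is an added example for this page, not a query set from the talk or from the BloodHound project. It assumes the BloodHound 2.x/3.x schema that was current in 2019 (labels User/Group/Computer, edges MemberOf/AdminTo, names stored upper case as NAME@DOMAIN); EXAMPLE.LOCAL, BOB@EXAMPLE.LOCAL and the group names are placeholders.

```cypher
// Added example, not from the talk. Assumes the BloodHound 2.x/3.x schema
// (labels User/Group/Computer, edges MemberOf/AdminTo, names upper case as
// NAME@DOMAIN). EXAMPLE.LOCAL and BOB are placeholders.

// Shortest paths to Domain Admin: one shortest path, over any edge type,
// from every user that has a path at all to the Domain Admins group.
MATCH (u:User), (da:Group {name: 'DOMAIN ADMINS@EXAMPLE.LOCAL'}),
      p = shortestPath((u)-[*1..]->(da))
RETURN p;

// Explicit admins: principals with a direct AdminTo edge to a computer.
// This is the "list" view a defender would get from net localgroup.
MATCH (n)-[:AdminTo]->(c:Computer)
RETURN n.name AS principal, c.name AS computer
ORDER BY computer, principal;

// Unrolled admins: users who are local admin only through nested group
// membership. The difference between this and the explicit list is the
// admin population the list-based view misses.
MATCH (u:User)-[:MemberOf*1..]->(g:Group)-[:AdminTo]->(c:Computer)
RETURN DISTINCT u.name AS user, c.name AS computer, g.name AS via_group;

// The diagram: users who reach a domain controller through group nesting
// without being Domain Admins themselves. Domain controllers are found by
// their membership in the Domain Controllers group.
MATCH (u:User)-[:MemberOf*1..]->(g:Group)-[:AdminTo]->(dc:Computer),
      (dc)-[:MemberOf]->(:Group {name: 'DOMAIN CONTROLLERS@EXAMPLE.LOCAL'})
WHERE NOT (u)-[:MemberOf*1..]->(:Group {name: 'DOMAIN ADMINS@EXAMPLE.LOCAL'})
RETURN u.name AS user, g.name AS admin_group, dc.name AS domain_controller;

// General user information from the Neo4j console. Property names depend on
// the collector version; enabled, pwdlastset, passwordnotreqd and hasspn are
// the SharpHound 2.x/3.x names and are assumed here.
MATCH (u:User {name: 'BOB@EXAMPLE.LOCAL'})
RETURN u.name, u.enabled, u.pwdlastset, u.passwordnotreqd, u.hasspn,
       size((u)-[:MemberOf]->()) AS direct_groups;
```

The first query has the same shape as the client's pre-built Domain Admins query and draws one path per user; to count users instead, replace the RETURN with `RETURN count(DISTINCT u)`. An untyped `[*1..]` search can take a long time on a large domain; restricting the edge types or adding an upper bound such as `[*1..10]` keeps it responsive.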
BLOODHOUND FOR THE BLUE TEAM

BENEFITS FOR THE BLUE TEAM

§ Analyze your environment beyond the endpoint
§ Get visibility into effective permissions
§ Make the adversary’s life harder

CASE STUDIES

Incident Response:
§ Adversary obtained Domain Admin credentials
§ Number of user accounts compromised
§ Created a consolidated list of users and computers in AD

IT Hygiene:
§ Multiple users with cross-domain pollination
§ Domain users with RDP access to crucial servers
§ Service accounts with more admin access than Domain Admins

RTBT (red team / blue team):
§ Blue team utilized BloodHound data to understand why the red team was targeting key systems
§ Both teams coordinated to find flaws in current AD configuration

MODELING CHANGES IN AD

§ Relationships can be created and deleted in the Neo4j graph to test a change before it is made in AD
§ Can answer several crucial questions:
  § If I allow a certain group RDP access to a server, will it lessen our overall security posture?
  § How many users can achieve domain admin before and after I remove misconfigurations?

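The before/after measurement described above, run as Cypher against the BloodHound Neo4j database: count the users with a path to Domain Admins, remove the CanRDP edges that Domain Users has to computers, and count again. This is an added example for this page, not the talk's own queries; it assumes the BloodHound 2.x/3.x schema and uses EXAMPLE.LOCAL as a placeholder domain.

```cypher
// Added example, not from the talk. Models a change in the Neo4j graph,
// not in Active Directory. EXAMPLE.LOCAL is a placeholder domain name.

// Baseline: how many users have at least one path to Domain Admins, and
// what fraction of all users that is.
MATCH (da:Group {name: 'DOMAIN ADMINS@EXAMPLE.LOCAL'})
MATCH (u:User)
WHERE (u)-[*1..]->(da)
WITH count(DISTINCT u) AS can_reach_da
MATCH (x:User)
RETURN can_reach_da,
       count(x) AS total_users,
       round(100.0 * can_reach_da / count(x)) AS percent;

// Review the edges the change would remove before touching anything.
MATCH (:Group {name: 'DOMAIN USERS@EXAMPLE.LOCAL'})-[r:CanRDP]->(c:Computer)
RETURN c.name AS computer, count(r) AS edges
ORDER BY computer;

// Apply the modeled change to the graph. Run this against a copy of the
// database, or inside a cypher-shell transaction (:begin ... :rollback),
// so the analysis graph you rely on is not altered permanently.
MATCH (:Group {name: 'DOMAIN USERS@EXAMPLE.LOCAL'})-[r:CanRDP]->(:Computer)
DELETE r;

// Re-run the baseline query. The drop in can_reach_da is the number of
// users whose only routes to Domain Admin ran through that RDP access.
```

The DELETE changes only the graph; after the real change is made in AD, collect again with the ingestor and confirm the fresh graph shows the same reduced count. CanRDP alone is rarely the whole path: the users counted here are usually those who could RDP to a server, find a privileged session there, and continue from it, which is why removing a handful of CanRDP edges can collapse the reachable set as sharply as the next slide shows.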
MODELING CHANGES IN AD

§ 100% of users can achieve Domain Admin
§ 12 CanRDP paths removed from Domain Users
§ 5% of users can achieve Domain Admin after changes are made

FURTHER READING

§ BloodHound From Red to Blue 1.5 - https://www.slideshare.net/secret/M6MVXIwAHvz6T
§ Queries from Scoubi (Red to Blue 1.5) - https://github.com/Scoubi/BloodhoundAD-Queries/blob/master/BH%20Red2Blue.txt
§ BloodHound: Intro to Cypher - https://blog.cptjesus.com/posts/introtocypher
§ BloodHound Cypher Cheatsheet - https://hausec.com/2019/09/09/bloodhound-cypher-cheatsheet/
§ JohnLaTwC Thinking in Graphs - https://git.io/fpfZ5
§ Icons provided by the Open Security Architecture: http://www.opensecurityarchitecture.org/cms/library/icon-library

THANK YOU. ANY QUESTIONS?