This presentation was given at Blue Hat IL in 2017

1. The Travelling Pentester
Diaries of the Shortest Path to
Compromise

2. About Me
I am Will Schroeder
Job: “Offensive Engineer” at Veris Group’s ATD
Co-Founder: Veil-Framework, PowerView, PowerUp,
Empire/Empyre, BloodHound
Trainer: Black Hat USA 2014-2017
Other: Microsoft PowerShell/CDM MVP
Twitter: @harmj0y

3. The Bloodhound Gang
Rohan Vazarkar
Job: Pentester at Veris Group’s ATD
Tool creator/dev: BloodHound, Python
EmPyre
Presenter: BSides, Black Hat Arsenal, DEF
CON
Trainer: Black Hat USA 2016-2017
Twitter: @CptJesus
Andy Robbins
Job: Pentest lead at Veris Group’s ATD
Tool creator/dev: BloodHound
Speaker: BSides, ISSA International, Black
Hat Arsenal, DEF CON
Trainer: Black Hat USA 2016-2017
Twitter: @_wald0

4. tl;dr

5. Offensive
Background

6. Our (Current) Ops
◇“Assume breach” approach
◇Lots of Active Directory and offensive
PowerShell
◇Defenses are getting better- we’ve had to
evolve!

7. “Fundamentally, if someone wants to
get in, they’re getting in…accept that.
What we tell clients is: Number one,
you’re in the fight, whether you
thought you were or not. Number two,
you almost certainly are penetrated.”
Michael Hayden
Former Director of NSA & CIA
Microsoft Enterprise Cloud Red Teaming Whitepaper

8. “Defenders think in lists.
Attackers think in graphs.
As long as this is true,
attackers win.”
John Lambert
GM, Microsoft Threat Intelligence Center

9. Group:
IT
Admins
User:
Bob
Computer:
Server1
User:
Mary
Group:
Domain
Admins
User:
Alice

10. BloodHound
◇Automates the attack path
analysis process
◇Components:
￭ PowerShell ingestor
￭ neo4j backend
￭ Cross-platform electron
app front end
◇Open source and
BSD 3-clause
licensed!

11. BloodHound Attack
Graph Design
Vertices represent
users, groups,
computers, and
domains
Edges identify
group
memberships,
admin rights, user
sessions, and now
ACL relationships
Paths always lead
toward escalating
rights. Always.

12. Who’s Logged in Where?
aka “user-hunting”
NetSessionEnum/NetWkstaUserEnum
Attacker
DC

13. Who’s Logged in Where?
“Stealth” user-hunting
Attacker
DC
File
Server
NetSessionEnum sessions
sessions

14. Who’s Logged in Where?
Defenses

15. Who’s Logged in Where?
Defenses

16. Who Can Admin What?

17. Who Can Admin What?
PowerView

18. Who Can Admin What?
Defenses
“Windows 10 had introduced an option to control the
remote access to the SAM, through a specific registry
value. On Windows Anniversary update (Windows 10
Version 16074) the default permissions were changed to
allow remote access only to administrators.”

19. Who Can Admin What?
GPO Edition
Restricted
Groups
Group
Policy
Preferences
Group
Policy
Object
OU/site/
domain
Contains
Server
WorkstationLocal
Admins

20. Who’s in What Groups?
◇Enumerate all groups and extract the
members of each
◇PowerView:
￭ Get-DomainGroup | Get-DomainGroupMember
◇BloodHound:
￭ Just pulls the member for all group objects

21. Active Directory
DACLs

22. Previous DACL Work
https://www.sstic.org/media/SSTIC2014/SSTIC-actes/chemins_de_controle_active_directory/SSTIC2014-Slides-
chemins_de_controle_active_directory-gras_bouillot.pdf

23. ◇Offline (ntds.dit) and some online DACL
collection capabilities
◇Backend neo4j database allows for
control flow discovery
◇Code released at
https://github.com/ANSSI-FR/AD-control-
paths
Previous DACL Work

24. Who Has Rights Over
What Objects?
◇By default, any user can enumerate all
DACLs for all objects in the domain
￭ Through .NET methods or by specifying
ntsecuritydescriptor in the LDAP query props
◇PowerView: Get-DomainObjectACL
◇BloodHound enumerates just the control
relationships we care about

25. Computer:
Server1
User:
Mary
User:
Alice
ForceChangePassword
Group:
IT
Admins
GenericWrite
GenericAll
WriteDACL
WriteOwner
AllExtendedRights

26. Computer:
Server1
Group:
Exchange
Admins
User:
Alice
AddMembers
Group:
IT
Admins
GenericWrite
GenericAll
WriteDACL
WriteOwner
AllExtendedRights

27. ◇Default Rights
￭ GenericAll - ALL THE RIGHTS
￭ GenericWrite - write all object properties
￭ WriteDacl - modify the DACL for the object
￭ WriteOwner - modify an object owner
￭ WriteProperty Self-Membership/Script-Path –
modify group membership/user script path
◇Extended Rights
￭ User-Force-Change-Password
BloodHound
Currently Collected ACLs

28. ◇DS-Replication-Get-Changes-All
◇Modification rights to GPC-File-Sys-Path
for GPOs
◇“Kerberoastable” accounts
◇Read rights to ms-MCS-AdmPwd
BloodHound
Future Collected ACLs

29. BloodHound
(Short) Demo

30. Case Studies
(in Failure)
Details have been changed to
protect the innocent ;)

31. Case #1
1. Service binary rotated the local admin
passwords monthly
2. .NET coded, predictable algorithm based on the
date and hostname, no salt
3. Pulled apart app, build weaponized code, had
admin access to every gold image system
4. Performed the ‘credential shuffle’ by hand with
PowerView, took about 2 weeks
Local Passwords Are Hard

32. Case #2
1. Kerberoasted 2 services accounts, allowing for
access to a handful of systems
2. BloodHound analysis determined one user
logged into one system we controlled had direct
access to 5 systems, but derivative access to
hundreds
3. Bonus: all user accounts had reversible
encryption set
4. Elevated, hopped down the chain, DCSynced to
recover ultimate target’s plaintext, grabbed the
objective
Kerberos is Hard As Well

33. Case #3
1. VULNERABLE SERVICE on terminal-type
machines, allowed elevation
2. All terminal servers had the same (and enabled)
local admin account
3. No formal trust, but correlated similar accounts
between the two accessible domains
4. Developed GPO correlation technique on the
engagement to hop to 2 cross-network targets
5. Group Policy Preferences in cross-network
target, allowed compromise to a handful of
machines
GPP and GPOs and extra SIDs, Oh My

34. Case #3
6. Quick escalation to elevated domain rights
7. DCSynced to recover krbtgt of child domain
8. Hopped to child domain controller to build a
Golden Ticket with extra SIDs
9. Injected and was able to hop up the trust and
DCSync the corporate root domain
GPP and GPOs and extra SIDs, Oh My

35. Sniffing Out ACLs with BloodHound
Case #4

36. Sniffing Out ACLs with BloodHound
Case #4

37. How it Could Have
Been Prevented
LAPS
https://technet.microsoft.com/en-us/mt227395.aspx

38. How it Could Have
Been Prevented
https://technet.microsoft.com/en-us/windows-server-docs/security/securing-privileged-access/securing-privileged-access

39. How it Could Have
Been Prevented
◇Managed service accounts
◇ATA
◇SAMRi10 / NetCease
◇Credential Guard
◇Red Forest Architecture
◇PowerUp
◇GET RID OF GPP
◇Separate forests to enforce trust
◇Centralized logging/analysis
◇Increased endpoint telemetry

40. How it Could Have Been Prevented
DACLs
¯_(ツ)_/¯

41. How We
Get Caught
Our Biggest Pain Points

42. PowerShell Logging
◇INSTALL V5!
https://www.crowdstrike.com/blog/investigating-powershell-command-
and-script-logging/

43. Endpoint Telemetry
◇Command line logging is a huge pain
￭ Many many attacker toolsets end up calling shell
commands
◇Mining things like process tree traces at
scale can give enormous insight
◇Windows Defender ATP, Sysmon, etc.

44. Closing Thoughts

45. Thank You!
@harmj0y
will [at] harmj0y.net
blog.harmj0y.net