Which Bloodhound might you ask?
No not the Dog…
But the following program in Kali Linux:
Just a slightly different picture and meaning.
Cobaltstrike has tested with it and this is his explanation:
“BloodHound is a tool to analyze and understand Active Directory Trust Relationships. For an offensive practitioner, this tool can highlight the hops you might take to reach a goal within a network. For a defensive practitioner, this tool is gold as it can show you the most likely paths an attacker might take. It’s a good exercise to decide which of these trust paths needs to exist and which you can eliminate.”
Once setting up Bloodhound and Neo4J (used to create a graphical representation) you can then review your users in Active Directory. what is the most important attribute of your users in Active Directory? Permissions. What can a user access with their permission?
“Defenders think in lists.
Attackers think in graphs
As long as this is true attackers will win “
John Lambert quote , he is with Microsoft Threat Intelligence.
What is going to happen is what is called as an Identity snowball attack. We want to learn what users have privileges that allow us to gain more privileges.
The following images are from a youtube video of Andy Robbins, Will Schroeder, and Rohan Vazarkar – six degrees of Domain Admin
In Bloodhound: Vertices represent individual elements of a system (uses, groups, computer, domain)
Edges: generically represent relationship between vertices( group membership, admin rights, user session, domain trusts)
paths point toward escalating rights – always(compromising a system or user).
So the idea is to find users that lead you to domain admin user accounts or their privileges.
Powerview is also useful ( a pure PowerShell v2.0+ domain/network situational awareness tool… Which bloodhound is built upon. With this tool bloodhound can collect data and does not need elevated privileges for collection methods.
- Get-NetSession sessions w remote user
- Get-NetLoggedOn/Get-LoggedOnLocal – who is looged on to what machine.
Who can admin what?
We can enumerate members of a local group on a remote machine without admin privilieges
- The WinNT service provider or NetLocalGroupGroup-ComputerName IP [-API]
- GPOs can set local admins
- GPOs are applied to OUs/Sites
- correlation is equal to local admin information through communication with a DC
- Who is in What Groups
- Get-NetGroup| Get-Netgroupmember
Instead of doing these commands manually via PowerView, Bloodhound does it graphically.
Here are 2 examples from the youtube video:
I believe this is test data, but from a large environment (200k computers) so there were a few large graphs. The 2 examples I chose from video are groups and certain users, computers broken out. The key is one can find a few specific computers and users that one has to infiltrate to then quickly get domain admin access. I.e. Identity snowball attack.
This tool is worth the time to learn and understand to make sure your environment is not easy to escalate and take over.
Contact Us to discuss.