Discover and read the best of Twitter Threads about #BloodHound


🧵Thread with the @NetflixES premieres for 2023

I may be a little late, but here they are, all in one place ;)

👇🏼👇🏼👇🏼👇🏼👇🏼
#Jung_E (Netflix)
🎞️ Film
📅 20/01
📃 SciFi
👥 #KimHyunJoo and #KangSooYeon
A dystopia set in a future where the planet is uninhabitable and only those inside an artificial shelter survive, and where a war is being fought
#LoveToHateYou (Netflix)
📅 10/02
📃 Romcom
👥 #KimOkVin and #TeoYoo
She is a lawyer who has no interest in love or in losing to a man. He is a man who is successful with women but doesn't trust them.
Read 26 tweets
Problem: you want to collect data with AzureHound but you can't use simple username/password because your user:

❌ - Requires MFA
❌ - Can't auth due to a CAP
❌ - Is a guest/federated user in the target tenant

Solution: refresh tokens! Sounds scary and new? They're EASY: 🧵
There are MANY ways to get your hands on a refresh token, but I think by far the simplest is by using the OAuth 2.0 device code flow.

Sounds complicated but it's a very easy three-step process:
Step 1: initialize a device code authentication flow with this very simple POST request.

Note the "user_code" and "verification_url" we get back:
Read 6 tweets
From initial access to Global Admin with #BloodHound and BARK.

In this thread let's walk, step by step, through an example attack path based on real configurations we've seen in real environments:
There are MANY ways to achieve initial access into AzureAD. For this example we will go with something simple: we were able to phish a user and get their username and clear text password.

This user has no MFA/CAP restrictions - we'll discuss how to deal with these later.
We now want to collect data with AzureHound. We'll clone the repo, inspect the source code, then build the binary ourselves:

$ git clone github.com/BloodHoundAD/A…
$ cd AzureHound
$ go build .
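The refresh-token route from the earlier thread (device code flow, then collection) and the AzureHound run this thread is about to do, as one added PowerShell example. This is not BARK's or AzureHound's own code, nor the POST request the thread shows in its screenshot. It assumes the v1 device code and token endpoints under login.microsoftonline.com/common, the Microsoft Azure PowerShell first-party client id, a placeholder tenant name, and AzureHound's -r/--refresh-token and --tenant flags:

```powershell
# Added example (not BARK's or AzureHound's code): get an Azure AD refresh token with the
# OAuth 2.0 device code flow and hand it to AzureHound. Assumed: v1 endpoints under
# /common, the Azure PowerShell first-party client id, a placeholder tenant, and
# AzureHound's -r/--refresh-token and --tenant flags.
$ClientId = '1950a258-227b-4e31-a9cf-717495945fc2'   # Microsoft Azure PowerShell, a first-party public client
$Resource = 'https://graph.microsoft.com'
$Tenant   = 'contoso.onmicrosoft.com'                # placeholder target tenant

# Step 1: start the flow. The reply carries user_code and verification_url for the user,
# plus device_code, expires_in and the polling interval for us.
$Start = Invoke-RestMethod -Method Post `
    -Uri 'https://login.microsoftonline.com/common/oauth2/devicecode?api-version=1.0' `
    -Body @{ client_id = $ClientId; resource = $Resource }
Write-Host "Browse to $($Start.verification_url) and enter the code $($Start.user_code)"

# Step 2: poll the token endpoint until the user has signed in. MFA and Conditional Access
# are satisfied in that browser session, which is why this flow sidesteps the password problem.
$Deadline = (Get-Date).AddSeconds([int]$Start.expires_in)
$Interval = [int]$Start.interval
$Token    = $null
while (-not $Token -and (Get-Date) -lt $Deadline) {
    Start-Sleep -Seconds $Interval
    try {
        $Token = Invoke-RestMethod -Method Post `
            -Uri 'https://login.microsoftonline.com/common/oauth2/token?api-version=1.0' `
            -Body @{
                client_id  = $ClientId
                grant_type = 'urn:ietf:params:oauth:grant-type:device_code'
                code       = $Start.device_code
            }
    } catch {
        # The endpoint answers HTTP 400 with a JSON body whose "error" field says why.
        $Err = if ($_.ErrorDetails) { ($_.ErrorDetails.Message | ConvertFrom-Json).error } else { "$_" }
        switch ($Err) {
            'authorization_pending' { }                  # user has not finished yet, keep polling
            'slow_down'             { $Interval += 5 }   # we polled too fast, back off (RFC 8628)
            default                 { throw "Device code flow failed: $Err" }  # expired_token, authorization_declined, ...
        }
    }
}
if (-not $Token) { throw 'Device code expired before sign-in completed' }

# Step 3: the refresh token is all AzureHound needs. Keep it in memory; it is a credential.
.\azurehound -r $Token.refresh_token list --tenant $Tenant -o azurehound-output.json
```

The token is issued to the first-party client, so AzureHound can redeem it for the access tokens it needs without another interactive prompt. Treat the refresh token, and the shell history that now contains the command line, as you would a password.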
Read 22 tweets
Oh by the way, here are some cypher queries for #Bloodhound to find all kinds of Kerberos delegations
// Unconstrained Delegation (TRUSTED_FOR_DELEGATION set; matches users and computers)
MATCH (c {unconstraineddelegation:true}) RETURN c

// Constrained Delegation (with Protocol Transition: TRUSTED_TO_AUTH_FOR_DELEGATION set)
MATCH (c) WHERE NOT c.allowedtodelegate IS NULL AND c.trustedtoauth=true RETURN c
// Constrained Delegation (without Protocol Transition: Kerberos-only)
MATCH (c) WHERE NOT c.allowedtodelegate IS NULL AND c.trustedtoauth=false RETURN c

// Resource-Based Constrained Delegation (msDS-AllowedToActOnBehalfOfOtherIdentity on the target)
MATCH p=(u)-[:AllowedToAct]->(c) RETURN p
Read 3 tweets
A tool that lets you explore the relationships between users/groups (ACLs) in an #ActiveDirectory to find out whether something is misconfigured:

Adalanche by @lkarlslund
github.com/lkarlslund/ada…

I had no idea these things could be drawn :-/

#CiberSeguridad
From here, you can go through the information on attacks against #ActiveDirectory compiled by @pentest_swissky in his GitHub repository:

github.com/swisskyrepo/Pa…

#CiberSeguridad
Another tool similar to #Adalanche is #BloodHound, which also uses graph theory to establish the relationships between the objects (users, groups, etc.) in an #ActiveDirectory:

github.com/BloodHoundAD/B…

#CiberSeguridad
Read 4 tweets
In the upcoming #BloodHound 4.1 release, we are introducing 3 new edges. Let me explain why this is actually more impactful than it may sound: 🧵
Let's say you have a basic graph with 3 nodes all connected to each other (this is called a Strongly Connected Graph). We'll call these nodes 1, 2 and 3:
How many possible paths are there? We can determine that by searching through non-cyclic trees originating from each node. For example, if we start at 1, we can visit 2 then 3, or 3 then 2:
Read 19 tweets
Let's talk about tiered administration in AzureAD:

- What it starts with
- How it can be violated
- What you can do about that

In 10 tweets or less. Go:
1/ There are three default admin roles that belong to Tier Zero in AzureAD:

Global Admin
Priv. Role Admin
Priv. Auth Admin

Everything IN tier zero is tier zero. Everything ELSE is not tier zero and has no business controlling anything IN tier zero.
2/ These admin roles aren't of much use if you don't grant them to anyone. Let's grant a service principal the Global Admin role:
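A check that follows directly from the rule above (nothing outside Tier Zero may control anything in it), as an added example rather than code from this thread: enumerate the holders of the three roles, then list anyone who controls a Tier Zero service principal, through ownership of the SP or of the app registration behind it, without being Tier Zero themselves. It assumes the Microsoft Graph PowerShell SDK and matches the roles by display name:

```powershell
# Added example, not from the thread: list every principal that controls a Tier Zero
# service principal without itself holding a Tier Zero role. Assumes the Microsoft Graph
# PowerShell SDK (Connect-MgGraph, Get-Mg*) and the three role display names below.
Connect-MgGraph -Scopes 'RoleManagement.Read.Directory', 'Application.Read.All', 'Directory.Read.All' | Out-Null

$TierZeroRoles = 'Global Administrator', 'Privileged Role Administrator', 'Privileged Authentication Administrator'

# Collect the holders of the three roles. Get-MgDirectoryRole only returns roles that have
# been activated in the tenant, which is fine: a role that was never activated has no members.
$TierZero    = @{}   # object id -> role name
$TierZeroSPs = @()
foreach ($Role in Get-MgDirectoryRole -All | Where-Object { $_.DisplayName -in $TierZeroRoles }) {
    foreach ($Member in Get-MgDirectoryRoleMember -DirectoryRoleId $Role.Id -All) {
        $TierZero[$Member.Id] = $Role.DisplayName
        if ($Member.AdditionalProperties['@odata.type'] -eq '#microsoft.graph.servicePrincipal') {
            $TierZeroSPs += $Member.Id
        }
    }
}

# An owner of a service principal, or of the app registration behind it, can add a
# credential to it and sign in as it. If that owner is not Tier Zero, the tier is violated.
foreach ($SpId in ($TierZeroSPs | Select-Object -Unique)) {
    $Sp = Get-MgServicePrincipal -ServicePrincipalId $SpId
    $Controllers = @()
    foreach ($Owner in Get-MgServicePrincipalOwner -ServicePrincipalId $SpId -All) {
        $Controllers += [pscustomobject]@{ Id = $Owner.Id; Via = 'ServicePrincipal owner'; Name = $Owner.AdditionalProperties['displayName'] }
    }
    # First-party Microsoft apps have no app registration in your tenant; skip those.
    $App = Get-MgApplication -Filter "appId eq '$($Sp.AppId)'"
    if ($App) {
        foreach ($Owner in Get-MgApplicationOwner -ApplicationId $App.Id -All) {
            $Controllers += [pscustomobject]@{ Id = $Owner.Id; Via = 'App registration owner'; Name = $Owner.AdditionalProperties['displayName'] }
        }
    }
    foreach ($Ctl in $Controllers | Where-Object { -not $TierZero.ContainsKey($_.Id) }) {
        [pscustomobject]@{
            TierZeroSP = $Sp.DisplayName
            Role       = $TierZero[$SpId]
            Controller = $Ctl.Name
            Via        = $Ctl.Via
        }
    }
}
```

Get-MgDirectoryRoleMember returns active assignments only; PIM-eligible assignments live behind the role management API and are not counted here. Ownership is also only one control edge: roles that can add credentials to any service principal (Application Administrator, Cloud Application Administrator) give the same control and deserve the same scrutiny.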
Read 11 tweets
Thread:

It was @JohnLaTwC who famously said:

“Attackers think in graphs. Defenders think in lists. As long as this is true, attackers win.”

If you’ve seen more than one of my talks, you might think I’m contractually obligated to include this quote in every talk I do.
This quote means a lot to me. A LOT. Graph theory, to me, almost seems like it was invented solely for the information security field. Its purpose and reach is obviously waaaaaaay further than our field, but…
… we have BARELY scratched the surface of what’s possible with applied graph theory in information security. The core feature of #BloodHound is finding the shortest path between two nodes. The algorithm this is based on was first published in 1959.
Read 13 tweets
Three of the most common issues #BloodHoundEnterprise finds, their impacts, and how you can use FOSS #BloodHound to find and fix these issues yourself, today: 🧵
Issue #1: Domain Controller object ownership. This issue is *extremely* common and *extremely* dangerous when looking at attack path possibilities this opens up. This is also *extremely* easy to fix.
In FOSS #BloodHound, run this query using the "raw query" bar at the bottom:

MATCH (g:Group)
WHERE g.objectid ENDS WITH '-516'
MATCH p = (n:Base)-[:Owns]->(c:Computer)-[:MemberOf*1..]->(g)
RETURN p
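The fix for Issue #1, as an added PowerShell example (not from the thread): walk the same population the query above matches, the members of the Domain Controllers group (RID 516), report who owns each computer object, and optionally hand ownership to Domain Admins. It assumes the RSAT ActiveDirectory module, the AD: PSDrive it provides, and an account allowed to take ownership:

```powershell
# Added example, not from the thread: report which principal owns each Domain Controller
# computer object and, with -Fix, hand ownership to Domain Admins. Assumes the RSAT
# ActiveDirectory module and rights to take ownership (Domain Admin, or the take-ownership
# privilege on the objects).
param([switch]$Fix)
Import-Module ActiveDirectory

$Domain       = Get-ADDomain
$DomainAdmins = [System.Security.Principal.NTAccount]"$($Domain.NetBIOSName)\Domain Admins"
$Acceptable   = "$($Domain.NetBIOSName)\Domain Admins", "$($Domain.NetBIOSName)\Enterprise Admins"

# Same population as the Cypher above: members of the Domain Controllers group (RID 516),
# nested groups unrolled, rather than only what Get-ADDomainController happens to know about.
$DcGroup = "$($Domain.DomainSID.Value)-516"
foreach ($Member in Get-ADGroupMember -Identity $DcGroup -Recursive | Where-Object objectClass -eq 'computer') {
    $Path = "AD:\$($Member.distinguishedName)"
    $Acl  = Get-Acl -Path $Path          # ActiveDirectorySecurity; .Owner is 'DOMAIN\Name'
    if ($Acl.Owner -in $Acceptable) {
        "{0,-20} owner OK: {1}" -f $Member.name, $Acl.Owner
        continue
    }
    # An owner can rewrite the object's DACL no matter what the DACL currently grants.
    Write-Warning ("{0} is owned by {1}: that principal can grant itself control of the DC" -f $Member.name, $Acl.Owner)
    if ($Fix) {
        $Acl.SetOwner($DomainAdmins)
        Set-Acl -Path $Path -AclObject $Acl   # add -WhatIf here for a dry run of the change
        "Owner of {0} set to {1}" -f $Member.name, $DomainAdmins.Value
    }
}
```

Run it without -Fix first and read the warnings; the owner strings it prints are what you need to chase back to whatever provisioning process created the DC objects, or the same owner will come back on the next one.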
Read 17 tweets
It's time to stop ignoring prevention. A thread:
Point #1: Red teamers know how year after year the same tools and methodologies can be used to take over almost any organization running Active Directory. Sometimes even the same exact attack path steps find their way into reports year after year.
We shouldn't be satisfied with doing the same attacks against our clients for years (even decades) and collecting paychecks - what exactly is the point of all this tailchasing if things aren't getting better?
Read 11 tweets
(1/n) The other day, @JulioUrena asked a great question in the BloodHound Slack:

"How can I determine which Group Policies apply to members of a certain group?"

We can use #BloodHound to answer this question, but I want to explain the moving pieces here as well
(2/n) Group Policy can't be applied directly to security groups, except when using SID filtering and linking the Group Policy correctly. SID filtering on GPOs is not very common, so #BloodHound doesn't currently model that.

We can still use #BloodHound to figure this out though
(3/n) Take for example this security group -- real data so labels are hidden (left CTRL in BloodHound GUI). This group has 7 users in it, but because it has a group added to it...
Read 8 tweets
I am thrilled to announce #BloodHoundEnterprise, which will be released in Summer of 2021!

Learn more: specterops.io/bloodhound-ent…
View our announcement webinar: specterops.zoom.us/webinar/regist…

A thread of major points about BloodHound Enterprise:
Once an attacker has access to Active Directory, it's virtually guaranteed they can find an attack path resulting in the compromise of a Tier 0 asset (Domain Admin). Owning Tier 0 means owning AD. Owning AD means owning the organization, all its data, users, processes, etc.
The scale, availability, and growth of those attack paths has exposed an enormous gap in how we try to secure Active Directory today. Organizations try (and fail) to fill that gap with technologies, products, and processes.
Read 9 tweets
The hardest targets I faced while pentesting/red teaming all had one thing in common: mature, funded, and empowered vuln/patch management programs.

The hardest of all combined vuln/patch management with least privilege enforcement - and inspired the creation of #BloodHound.
Are patch/vuln management and least privilege enforcement sexy? No.

Are they easy? Hell no.

Are they worth the initial and continued investment? Absolutely yes.
The best teams have processes for pretty easily dealing with things like Zerologon. They hear about the new scary vuln, understand its impact, test patch deployment to a subset of affected systems, then deploy to all affected systems, and audit patch deployment/effectiveness.
Read 8 tweets
(1/9) My first pentest job was at a company called TrustCC - little-known then and since purchased. We had a tradition whenever we got DA: horrible, awful, cringe-worthy puns.
(2/9) We would send internal emails that were half celebratory, half instructive, explaining how we got DA in that particular client environment. But the email subject was REQUIRED to be a pun based on the client name.
(3/9) So if the client was "Sunny Hills Bank", the email subject might be "Walking on the Sunny (Hills Bank) Side of the Street: Path to DA #1".
Read 9 tweets
1/n Domain trust boundaries are not, of course, security boundaries; however many organizations effectively treat them as such. #BloodHound's attack graph tells the real story of how isolated our domains are from each other. Take this simple 3-domain forest for example.
2/n The domain trust map is pretty simple. Domain 1 is trusted by Domain 2, and Domain 2 is trusted by Domain 3. (This is real, anonymized data). So principals in Domain 1 can query Domain 2 or 3 for information, but no privileges are implied by default.
3/n With #BloodHound we can easily find the shortest attack paths from "Domain Users" in Domain 1 to "Domain Admins" in Domain 3. Pretty easy attack path, and very common situation in the real world:
Read 7 tweets
1/n - Here's how #BloodHound can help you determine whether you are vulnerable to PrivExchange by @_dirkjan:

Find the domain head object in the BloodHound GUI, click the number next to "First Degree Controllers". See whether an Exchange security group is present:
2/n - Unroll this view by clicking the number next to "Unrolled Controllers" to see the real number of users and computers with control of the domain head
3/n - "WriteDacl" on the domain head is extremely dangerous, as @_dirkjan outlined in his blog, but Exchange servers often have way, WAY more privileges than this. Click an Exchange server and see the real count of domain objects it has control of
Read 5 tweets
(1/2) One common strategy is to isolate sensitive accounts into certain OUs. Consider this: we have two OUs, "Normal Accounts" and "Sensitive Accounts". Are there attack paths from the normal accounts to the sensitive accounts?
(2/2) With some cypher magic and #BloodHound's visualizations, we can discover, analyze, measure, and start to remediate those attack paths. Check out these attack paths from a real environment.
Of course, OUs aren't the only "groups" of nodes we can find attack paths between. Domains, geographic locations, business entities, subsidiaries, or a combination of any of those. It's crucial for defenders to enumerate, analyze, and mitigate such attack paths.
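The "cypher magic" behind this thread, plus the three questions raised earlier on this page (which GPOs apply to a group's members, the cross-domain path from Domain Users to Domain Admins, and the PrivExchange check of Exchange groups on the domain head), as one added example. None of it is code from those threads or from the BloodHound project; it talks to the neo4j database behind FOSS BloodHound over neo4j's HTTP transactional endpoint and assumes neo4j 4.x on localhost and constructed placeholder object names:

```powershell
# Added example, not from the threads above or from BloodHound itself: run Cypher against
# BloodHound's neo4j over its HTTP transactional endpoint, then the four questions the
# threads raise. Assumed: neo4j 4.x on localhost (3.x used /db/data/transaction/commit)
# and placeholder group/OU names in the NAME@DOMAIN form BloodHound uses.
function Invoke-BloodHoundCypher {
    param(
        [Parameter(Mandatory)][string]$Query,
        [hashtable]$Parameters = @{},
        [Parameter(Mandatory)][pscredential]$Credential,
        [string]$Uri = 'http://localhost:7474/db/neo4j/tx/commit'
    )
    $Pair = "$($Credential.UserName):$($Credential.GetNetworkCredential().Password)"
    $Auth = [Convert]::ToBase64String([Text.Encoding]::UTF8.GetBytes($Pair))
    $Body = @{ statements = @(@{ statement = $Query; parameters = $Parameters }) } | ConvertTo-Json -Depth 8
    $Resp = Invoke-RestMethod -Method Post -Uri $Uri -ContentType 'application/json' `
        -Headers @{ Authorization = "Basic $Auth" } -Body $Body
    if ($Resp.errors) { throw ($Resp.errors | ConvertTo-Json -Compress) }
    # Flatten neo4j's columns/rows format into objects so Format-Table and Export-Csv work.
    $Cols = $Resp.results[0].columns
    foreach ($Row in $Resp.results[0].data) {
        $Obj = [ordered]@{}
        for ($i = 0; $i -lt $Cols.Count; $i++) { $Obj[$Cols[$i]] = $Row.row[$i] }
        [pscustomobject]$Obj
    }
}

$Cred = Get-Credential -UserName neo4j -Message 'neo4j password'

# 1. Which GPOs reach the members of a group? GPOs link to domains/OUs and containment
#    reaches the users, so walk GpLink then Contains. Block-inheritance, enforced links and
#    security filtering are not modelled here (nor, as the thread says, is SID filtering).
$GpoQuery = @'
MATCH (g:Group {name:$group})<-[:MemberOf*1..]-(u:User)
MATCH (gpo:GPO)-[:GpLink]->(c)-[:Contains*1..]->(u)
RETURN gpo.name AS gpo, count(DISTINCT u) AS members_affected
ORDER BY members_affected DESC
'@
Invoke-BloodHoundCypher -Credential $Cred -Query $GpoQuery -Parameters @{ group = 'HELPDESK@CONTOSO.LOCAL' } | Format-Table

# 2. Cross-domain: shortest path from Domain Users in one domain to Domain Admins in another.
$TrustQuery = @'
MATCH (s:Group {name:$src}), (t:Group {name:$dst})
MATCH p = shortestPath((s)-[*1..]->(t))
RETURN length(p) AS hops, [n IN nodes(p) | n.name] AS path
'@
Invoke-BloodHoundCypher -Credential $Cred -Query $TrustQuery -Parameters @{ src = 'DOMAIN USERS@DOMAIN1.LOCAL'; dst = 'DOMAIN ADMINS@DOMAIN3.LOCAL' } | Format-List

# 3. PrivExchange exposure: Exchange groups holding WriteDacl on the domain head, with the
#    unrolled count of users and computers that inherit that control through membership.
$ExchangeQuery = @'
MATCH (g:Group)-[:WriteDacl]->(d:Domain)
WHERE g.name CONTAINS 'EXCHANGE'
OPTIONAL MATCH (m)-[:MemberOf*1..]->(g) WHERE m:User OR m:Computer
RETURN g.name AS exchange_group, d.name AS domain, count(DISTINCT m) AS unrolled_controllers
'@
Invoke-BloodHoundCypher -Credential $Cred -Query $ExchangeQuery | Format-Table

# 4. Attack paths from every user under one OU to every user under another. The cross
#    product of users can be large, so cap the result and sort by path length.
$OuQuery = @'
MATCH (:OU {name:$src})-[:Contains*1..]->(a:User)
MATCH (:OU {name:$dst})-[:Contains*1..]->(b:User)
WHERE a <> b
MATCH p = shortestPath((a)-[*1..]->(b))
RETURN a.name AS source, b.name AS target, length(p) AS hops
ORDER BY hops LIMIT 25
'@
Invoke-BloodHoundCypher -Credential $Cred -Query $OuQuery -Parameters @{ src = 'NORMAL ACCOUNTS@CONTOSO.LOCAL'; dst = 'SENSITIVE ACCOUNTS@CONTOSO.LOCAL' } | Format-Table
```

Queries return scalars and lists rather than whole paths because the HTTP row format serialises a path poorly; for the picture, paste the same query into the BloodHound GUI's raw query bar and drop the projection. Query 4 is the one to extend to domains, sites or business units: swap the two OU anchors for any other pair of containers and the rest stays the same.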
Read 4 tweets
