After getting the environment installed, the next step is collecting data from the target environment. Collection can be done with a regular Domain User account, but some information may not be collectable from more modern operating systems. To avoid this, I recommend using a privileged account to get the most accurate picture of the available attack surface.
However, it is also useful to run the tool from different user contexts and network locations to validate the available attack surface under multiple breach scenarios. There are two main ways to collect data with BloodHound; both use underlying PowerShell functionality to gather the following items from Active Directory: BloodHound will then go out to each computer object enumerated from Active Directory and query the following information about the local system:
The two ingestors that collect all of this data are a PowerShell script and an executable; both can be found here and run with the command below (the executable is shown) to produce a zip archive: Back at our BloodHound console in the Kali virtual machine, we can upload data by clicking the appropriately named Upload Data button. Before uploading any data, ensure that the database does not contain any existing entries.
If there are current entries, select the Clear Database option and confirm that the data should be removed. Once the database is clear, perform the Upload Data action on the zip archive generated in the previous step.
Once the data is uploaded, the object counts in the database should be populated. To show the queries that are preconfigured to run against the analyzed data, select the Queries option in the BloodHound console. Under good practice and a sound security posture, the results of this query should look something like the screen capture below, where the green icons are Active Directory user accounts that hold Domain Admin privileges, represented by the yellow icon.
A less desirable result of this query would show security groups nested within the Domain Admins group, containing many more than the 8 Domain Admins above.
While the first query may not produce many action items when Domain Admins membership is this limited, anything resembling more complex trust relationships within the Domain Admins group indicates that an entitlement review of the group should be performed, to ensure that only employees who need to administer the Active Directory domain are members, and only with their privileged account.
All other accounts that do not service or maintain the functionality of the domain should be removed from this group. This query takes all of the information provided and displays the possible paths a threat actor could exercise to gain a high level of privilege within the environment. Above we see the same objects: the yellow objects are Active Directory security groups, the red monitors are Active Directory computer objects, and the green objects are Active Directory user accounts.
However, in this instance they are laid out in a fashion that conveys three key pieces of information: Now that we know what the objects and the lines between them mean, we can begin deriving actions to eliminate the trust relationships between objects that create an unintended path for privilege escalation. It is critical that privileged credentials are treated as attack surface: the more places a credential is used, the higher the likelihood that it is compromised.
By instructing users to use a privileged account only where necessary, the overall exposure of the credentials can be limited. Additionally, Active Directory permission structures should be architected to avoid using the Domain Admins group for purposes other than administering the domain; role-based access security groups should be established for that purpose and should also deny logon rights to Domain Admins.
From this scenario, we can derive the following action items to improve our security posture: What we find between parentheses indicates the nodes, and what we find between square brackets indicates the relationship. We are therefore looking for a node n of type User having a relationship r of type MemberOf to a node g of type Group.
Here, we want to return the whole pattern assigned to the p variable. We could instead have listed only the distinct groups, without displaying the relationships or the users; in that case we just return the g nodes.
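The pattern described above written out as Cypher, followed by a variable-length version of the same pattern that performs the Domain Admins entitlement review discussed earlier (nested groups hiding extra members). This is an added example, not a query from the original article: the User and Group labels, the MemberOf edge and the NAME@DOMAIN naming are BloodHound's own schema, while CONTOSO.LOCAL is an assumed domain name.

```cypher
// Added example, not from the article. Labels (User, Group), the MemberOf
// edge type and the NAME@DOMAIN naming are BloodHound's schema;
// CONTOSO.LOCAL is an assumed domain name. Run one statement at a time.

// 1. Every user that is a direct member of any group. The whole pattern
//    bound to p is returned, so the console draws users, edges and groups.
MATCH p=(n:User)-[r:MemberOf]->(g:Group)
RETURN p

// 2. Same pattern, groups only: RETURN DISTINCT g lists each group once,
//    without drawing the users or the relationships.
MATCH (n:User)-[r:MemberOf]->(g:Group)
RETURN DISTINCT g

// 3. Entitlement review of Domain Admins. MemberOf*1.. follows nesting to
//    any depth, so users that only reach the group through a nested group
//    are included; length(p) > 1 flags those nested (less desirable) cases.
MATCH p=(n:User)-[:MemberOf*1..]->(g:Group {name:'DOMAIN ADMINS@CONTOSO.LOCAL'})
RETURN n.name AS user, length(p) AS hops, length(p) > 1 AS nested
ORDER BY nested DESC, user

// 4. The groups nested inside Domain Admins themselves, i.e. the structure
//    that should trigger a review of who actually administers the domain.
MATCH p=(sub:Group)-[:MemberOf*1..]->(g:Group {name:'DOMAIN ADMINS@CONTOSO.LOCAL'})
RETURN DISTINCT sub.name AS nested_group, length(p) AS depth
ORDER BY depth
```

Queries 1 and 2 are meant for the raw query box at the bottom of the BloodHound console, which draws whatever nodes and paths are returned; queries 3 and 4 return tabular rows and are easier to read in the Neo4j browser, where the result can be exported for the access review.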
This mode gives you a dark and classy interface, which is super nice. You do not know how to use the GenericAll link? During your penetration test, you will compromise hosts, users and groups. If you are trying to compromise a particular node, you can now request the shortest attack path from the nodes you have already compromised. If you do not want certain paths displayed because they contain relationships you cannot exploit, or because you do not have the time, or for any other reason, you can uncheck the relationships you do not want to use so that they no longer appear in your queries.
To do this, simply click the filter button to the right of the search bar and check or uncheck the edges you want. There are a few shortcuts that can be useful when using BloodHound. During data collection, your computer was part of the collected hosts and you do not want to see it?
On the contrary, another user is connected to this machine? Once the data has been imported into BloodHound, it is not frozen. You can modify it as you wish, either by right-clicking an object or relationship to delete it, or by right-clicking the background to add a node or relationship.
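The shortest-path search from already-compromised nodes and the edge filter described a few sentences earlier, expressed as the raw queries the console runs. This is an added example, not part of the original article: the owned property is what the BloodHound UI sets when a node is marked as owned, the labels and edge types (MemberOf, AdminTo, HasSession) are BloodHound's schema, and CONTOSO.LOCAL is an assumed domain name.

```cypher
// Added example, not from the article. owned:true is the property the UI
// sets on nodes marked as owned; edge types and labels are BloodHound's
// schema; CONTOSO.LOCAL is an assumed domain name. Run one statement at a time.

// 1. Shortest path from every owned node to Domain Admins, the request the
//    UI makes when you ask for a path from what you have already compromised.
MATCH (src {owned:true}), (dst:Group {name:'DOMAIN ADMINS@CONTOSO.LOCAL'})
MATCH p=shortestPath((src)-[*1..]->(dst))
RETURN p

// 2. The edge filter as a query: restrict the path to the relationship types
//    you are prepared to rely on, so paths that depend on an unchecked edge
//    type no longer appear. Edit the list to mirror the filter panel.
MATCH (src {owned:true}), (dst:Group {name:'DOMAIN ADMINS@CONTOSO.LOCAL'})
MATCH p=shortestPath((src)-[:MemberOf|AdminTo|HasSession*1..]->(dst))
RETURN p

// 3. Defender's view of the same data: which owned nodes reach the target
//    at all, in how many hops, and through which edge types, so the session
//    or group membership to remove first is obvious.
MATCH (src {owned:true}), (dst:Group {name:'DOMAIN ADMINS@CONTOSO.LOCAL'})
MATCH p=shortestPath((src)-[*1..]->(dst))
RETURN src.name AS owned_node, length(p) AS hops,
       [r IN relationships(p) | type(r)] AS edge_types
ORDER BY hops
```

The filtering in query 2 is the same effect the filter button has on the console's built-in queries; writing it out makes it explicit which edge types a finding depends on, which is what an access-review ticket needs to record.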
Finally, the same team that developed BloodHound also released some tools to create statistics from a BloodHound extraction. They are available on their GitHub, including the bloodhoundanalytics. Here is an example taken from a Wald0 tweet, which shows a PowerBI dashboard using the template provided on the GitHub.
A talk was given at BSides by the three authors in to introduce BloodHound. The authors of the tool are also present on the dedicated Slack server.
There is a large community on this Slack ready to welcome you and answer your questions. There is even a French channel!