
BSides Sofia 2022: AD Reconnaissance Red Team Exercise in Finding Hidden AD Relationships

BSides Sofia · 2022 · 37:01 · 119 views · Published 2022-04
Speakers: Kristian Mladenov, Tsvyatko Bikov
Category: Technical · Team: Red · Style: Talk
About this talk
BSides Sofia 2022: Active Directory Reconnaissance Red Team Exercise in Finding Hidden AD Relationships. Active Directory (AD) in an organization holds the keys to the kingdom. Although your vulnerability scanner shows no critical vulnerabilities at the OS and software level, could you say the same for your Active Directory configuration? By Kristian Mladenov, Tsvyatko Bikov.
Transcript [en]

Hello, my name is Kristian Mladenov and I am here to talk to you about something that was a problem for me years ago. But my life experience so far shows that for every one of these things that have made me worry, at some point a happy day comes on which I turn them around and start using them in my own interest at work. One of these things is Active Directory. The presentation was designed as a team presentation by two people. I am Kristian Mladenov. My role is to deal with the more offensive operations in the company I work for. I prepared the presentation together with my colleague Tsvyatko, with whom we

worked in collaboration. We already commented on the Red and Blue team. If I represent the Red team, Tsvyatko represents the Blue team, and we worked together to see which of the things I do raise alarms in the systems with which he monitors the infrastructure, and how he could catch me. We both also have teaching experience. I shared my knowledge with students at Sofia University; Tsvyatko does the same at the Telecommunications University. I was satisfied with a master's degree, while he continues in the direction of a doctoral degree, which he is currently pursuing. In fact, the tool we want to talk about, and my part of it today, is called BloodHound. Initially I will

introduce you to what BloodHound is, and then I will tell you what to do yourself to introduce it into your environment, what tricks you need to know in order to use it, what value you can extract from the output of this tool, and accordingly we will look at how to install it and what it needs, and we will draw some conclusions. First, let me ask you: Active Directory, do you use it? Do you have an account in the Active Directory of your organization or school? Is there anyone who doesn't have one? Raise your hand if you don't have one. Okay, you are relatively few. I'm sorry, it will be harder for you to apply these things, but for everyone else who

has even a basic user account, there are things you can do with this account in your Active Directory to see what secrets it hides. BloodHound is an application with its own story. First, I will start with a quote. It seems that Microsoft's people are fruitful from the point of view of quotes, because my quote is that "defenders think in lists, while attackers think in graphs." For example, for an audit it is important that all the patches are ticked off in the checklist so that the audit passes. The attacker is not interested in the audit, whether it passes or not. The attacker is looking for a way between the different systems in the infrastructure and is

trying to reach the treasure that he has been told to look for. And as long as this mindset is present, while attackers think in graphs and defenders in lists, attackers win. The person who said this, when he said it in 2014, was the head of Microsoft's Threat Intelligence Center, and now he is a Vice President, so he seems to understand what the question is about. And I think we can trust him too. I will give you an example of the lists that defenders fight with. I do not expect you to read them; they are not meant to be read. We have lists of patches, of vulnerabilities, you may have seen them with these red, orange and yellow codes. Asset lists, lists in which all the patches are

applied, and lists of security controls, which someone told you that you should have, but you have not configured them correctly, you are not always sure. On the other hand, BloodHound, the tool we will talk about, aims to draw a graph. This graph is absolutely unreadable, but it is not meant to be read that way. It shows you the paths between different users, for example in green, the different computers they are logged on to, the different organizational units, that is, the folders in Active Directory in which these accounts and computers are stored. The goal of the tool is to show you all the paths, not only from the first level, that is, not only who is in which group and, accordingly, what privileges this group has on which

systems, but from which systems to which systems you can jump, and thus draw your way through the infrastructure that will lead you to the goal you want to achieve. We use the term "derivative admin" or "derivative privileges". These are all the privileges you can find along the way, by gradually compromising the next account, the next machine, etc. BloodHound itself is a tool that draws the objects in Active Directory, as we said, users, groups, computers and, accordingly, the level of access they have, and helps you find hidden and sometimes unthought-of connections between them, which could be a problem during a Red Teaming assessment. In practice, the tool can be used equally well by both the

red team and the blue team, as some just look where to go and others look for which doors to close along the way. We are now going through a step from the standard Red Teaming engagement, the step in which the penetration tester would have to find credentials of users, if they are not given to him at the beginning. This can be done by monitoring leaks, with public credentials, phishing campaigns, by guessing some passwords, with password spraying, etc. His other task before he can start the work we are describing at the moment is to enter the network. For that, again, some malware can be used, delivered in various ways, some insider can be caught to implant and give access; the variants are

diverse, but what we need is access to the Domain Controller. And this access is not a special one, not Remote Desktop, but we are talking about access over LDAP, SMB, RPC, access with which we will actually do all the mapping magic of the users. The collectors that BloodHound works with are several. The most recommended one is SharpHound. This is compiled software; it is available as source code that you can compile yourself, you can take a pre-compiled executable, you can use PowerShell with the Invoke-BloodHound cmdlet, you can use PowerShell Empire for command and control, which also has modules inside it to collect information about these interactions in Active Directory, and, accordingly, there are Python

scripts that can do this work, for example the last one, bloodhound.py. Now, this is not deliberately unreadable; unfortunately, it cannot be seen better, but I hope you can at least see the points here. In fact, this graph represents the model of how SharpHound works and all its attributes. Take it as a SharpHound cheat sheet. It has different collection methods, such as, here in the middle is "Not DC Only", I'm a little stuck, sorry for that, you can tell it to connect only to a domain controller and try to make the entire possible mapping from there, or you can tell it not to touch the domain controller and to try to connect only to computers in

the network and extract all the attributes from there. What are we talking about? We are talking about group policies, domain trusts, containers, groups, access lists, object properties and service principal names. These are service accounts that you should use to work with services in your environment, instead of using generic users. You can see that this group of things, because the points that are under "this" and "only" end up here, these are the attributes that you can collect from a domain controller, and you can collect them with an absolutely non-privileged account. These are the queries that any user account can make and get an answer over LDAP for. Now, the things you need to collect from the computers, for example who is a local admin,

who has the right to RDP access, to call DCOM, PS Remoting, information about sessions or logons, is information that unfortunately cannot be gathered so naturally and easily in the background, because shortly after BloodHound and SharpHound were officially introduced, in one of the following updates to Windows 10, the functionality that the tools use to make this part of the collection was closed to normal users and left as an option only for privileged users. That is, you need a local admin to complete this form of collection. And actually, the best thing you can do is to start SharpHound in many places on the network, and in many other ways. This will not confuse the data collection you do, because you can

collect information from different local computers and different users who are logged in. And, accordingly, after each new set of credentials you manage to reach, you can repeat the exercise and collect more and more information to be added to the application interface and enrich the view you have over your Active Directory, or the one you target, depending on the scenario you are developing. The analysis you can do with the collected information includes a lot of things, but what I want to focus on and show you more specifically is lateral movement: you can see the shortest path between different users. For example, you have managed to find the password of a user in a leak and you

want to see, for example, what the best way is to reach the CEO or the CFO of the company in the shortest time. And you can see, in any case you don't know, but if this is the user with the skull to which you have credentials, he can be a member of this group. The group is IT in the domain called I am a guest and XIN. This group is an admin of a given computer, on which the victim, who is the target and even marked with a diamond because it is a high value target, has a session. Why is there a session? There are methods that we can use on the data from this session, whether it will be

a hash, or whether we will be able to extract cached credentials in plaintext. There are many options, but this is just an example of one path from something we have access to, to something we want to target. If we can call this lateral movement, we can also do privilege escalation. We can try to find where the domain admins have their sessions. Maybe someone should not use their normal machine to browse the Internet, instead of the domain admin account doing only his administrative tasks on special servers. And here we have another example where we have a user that we compromised, who is an admin of a given machine, on which there is a session of another

user, a member of the domain admins in the domain. And so we can reach the ultimate goal with domain admins. Another thing that we can do with BloodHound: we can discover hidden administrative accounts. Hidden administrative accounts are those that do not follow the naming convention assigned in the company. For example, the account has the suffix "admin" at the end of its name. For example, someone has given a normal user the right to manage his own computer, which, for example, the policy in the organization does not allow. We have options to find password reuse; by default, SharpHound maps the attributes of the accounts, such as the password last set. And if we have the presumption that a person with 15 accounts... Usually, when

you need to reset your password, the worst practice is to use the same password on all your accounts. And secondly, when we see that two accounts that are close by name have had their password set for the last time at the same time, for example within five minutes, what do you think? Maybe you think that the password is the same, and if you pop one password, this password could give you access to the user's admin account. Another thing that interests us is that we can find service accounts to which the Kerberoasting technique can be applied. This is a technique in which, using the Kerberos protocol for domain authentication, we can request from our normal user account a service ticket with which we can request to use a given service provided by the

service account. And here there is a catch: this service ticket, the ticket granting service in the domain, is not signed, but it is encrypted with the password hash of the service account. And what do we do with this hash? We already have the ticket locally on our machine. We know that in order to decrypt it, we need to know the password hash of this service account. And, accordingly, we can take this thing home for offline cracking. Or we can use a local GPU instance in the office, or we can take a GPU instance in a cloud and speed up the work of breaking the passwords. It may happen that some of these service accounts very much needs a

domain admin to work. This is a favorite scenario, but unfortunately it is a bad practice. What should you have in mind when you launch these tools? Every attempt to launch a SharpHound directly extracted from the GitHub repository of BloodHound leads to triggering the antivirus system, because the antivirus or endpoint protection software, the more sophisticated ones, have signatures for this activity, so they immediately catch you. Now here comes my new Golgotha from the university. I didn't compile the code back then, but now I have to compile it if I want it to go unnoticed, so you can use this thing with code obfuscation, which you can download from GitHub and compile, which will

not stop you at the first start, while it is being sent for cloud correlation as new software generated by you and someone figures out what is behind it. The second trick we already mentioned is that in order to collect information about logged-on users, that is, who is actively logged in, you need local admin rights on the machines from which you want to collect this information. The third problem is that the session information, which is so difficult to collect, is very fragile in relation to time, in the sense that you can collect it within 1 to 15 minutes after the logon action has taken place. That is, the session collection is made to work in a cycle, that is, for a certain

period of time. You can start it, or if you are smart you can set it according to a schedule. For example, in the morning when everyone comes to work, or in the afternoon when everyone comes back from lunch and logs in, then you can try to collect the session information. Also, some of the graphs that BloodHound will draw will use this session information, but it is fragile, in the sense that I can now RDP to some machine, but finish my work and leave, and this way, through this machine to which theoretically my account has an RDP session, will not be a valid way to compromise the domain. If you want to install it

yourself, what do you need? It works on all large operating systems: Windows, Linux, macOS. The BloodHound application itself is written in Java. No, sorry, it's not written in Java. Neo4j is written in Java. This is a graph database that is specifically oriented to keeping mappings between objects and the ways in which these objects are connected to each other. You need BloodHound and some of the collectors that we covered. Actually, we didn't cover AzureHound, but I'll tell you why in a moment. As for the technical skills you need, they are not big. The big technical skills you may need are when you want to find matching versions of Python libraries, if you want to use bloodhound.py, the Python collector. Because actually everyone of you who

has written something in Python may know what it is like to find the right modules in the right version, and I'm not talking about the transition between version 2 and version 3 of Python, I'm talking about transitions between 3.7, 3.8 and so on. This was at least a problem for me; for example, within two hours it is solvable, but it is not something that is nice, right? But the good news is that once you have everything, from then on you only import data from the collectors and view it. There is nothing more that you need. If you decide to use some of the non-predefined mapping options between accounts, users, machines, etc., you will have to learn

a language called Cypher, which is specifically for the Neo4j database. I don't think it's difficult. Again, within a couple of hours you can start writing the right queries. If you want to generate a test environment, you have several options. The first is to build virtual machines, install a domain controller on them, install member servers and so on, create users and so on, but this is slow and requires resources. That's why the BloodHound creators themselves created the BloodHound DB Creator tool. What is the BloodHound DB Creator tool? It's a Python script that connects to the Neo4j database and automatically creates users with some connections between them. This is the most painless element to use. If you want to use it, but in

the same environment, it doesn't even need you, if we assume that you import data from your real environment. We have an additional tool called BadBlood, which can flood your Active Directory with sample objects. By default it makes 2500 objects with mappings between them, and you just need to install one domain controller to flood it with these objects; from there you start BadBlood, which is a PowerShell script that runs with the rights of a user who can manipulate Active Directory and create absolutely everything in it that you need. And additionally you can do Active Directory cloning. That is, if you have a real environment, you can take all the attributes from this real environment, pour them into this Active Directory and start breaking them. And in fact, you don't break anything in practice,

you explore what the connections are. So, these things are relatively safe to do. How does this whole exercise help you? It gives you better visibility of the connections and configurations you have in the directory. You can discover dangerous rights, or you can even see derivative rights that are obtained through membership in different groups. For example, the user is a member of one group, but that group joined another group that has some privileges. This is called derivative. You can find the hidden administrative accounts, you can see password reuse and accounts whose passwords never expire, and, accordingly, you can improve the rules of detection and prevention, such as, for example, using some of the protections that are described

here. The first protection is the use of honeypot accounts, such as those that have "admin" in their name but are not real admins. Someone who reads the directory will catch them, will most likely try to find more information about them and steal their password. And if he succeeds, if you see a successful logon event from this user, this means that there is someone who should not be in your environment and, accordingly, you can help to find him and cut his access. Event ID 4769 from the Windows Event Log: this is the Event ID that says that a service ticket has been issued. And with this service ticket, as we said, we can start Kerberoasting. It is normal to issue one or two

such tickets, but if you suddenly see a system that requests many such tickets... What is the chance that this system will simultaneously use the services provided by all service accounts? It is not a big chance. So this is an alarm that can tell you that something bad is happening. Besides that, the accounts that have service principal names should not be members of the high value groups, that is, they should not be domain admins. Service accounts and domain admins: if possible, no. You can eliminate the use of weak cryptographic protocols through group policies. We are talking about NTLMv1. You can stop Link-Local Multicast Name Resolution and so on. These are all means with which the attacker, who has some kind of hashes or tries

to reach such, can get your users to go to him for this. This process you are doing with BloodHound should not be done once; it should be repeated, because the membership in groups changes. It does not change from day to day, but over a month or two someone can decide that he wants to become an admin without needing to. Actually, the list of protections you see, as I told you, we worked on together with Tsvyatko, because while I was playing to raise noise, he was trying to understand how this noise that I raise can be read and turned into an alarm on which someone can act. And so, in

conclusion, an attacker who has entered our network and already has access to the domain controller, through LDAP or RPC, can map users, groups, group policy objects and so on in Active Directory. Once he knows which are the shortest routes to the high value targets, he can use them, but we can also use them to protect these routes. That is, knowing which ones they are, we can do monitoring, or protection by removing certain groups from other groups if we have such nested membership of accounts, and in this way we can be more prepared. And in practice, every single tool we can use for an attack, we can use for defense, as we see where the attacker

would go, to place traps on his path. What's next? Actually, you saw in the slides a stolen AzureHound. You might know about Azure Active Directory; it has been available for a long time. But what you need to know about Azure Active Directory as a limitation is that in practice the users of Azure Active Directory do not have the direct right to manage the elements that you have in the subscriptions in Azure. For example, virtual machines, keys and whatever else you can think of, resource groups: these things are not mapped down from Azure Active Directory to the subscription. And in practice we can say that it is not that the tenant contains the subscription, but rather that the subscription has

the trust of the tenant. And at the subscription level, you have to say which user of the tenant, from Azure Active Directory or from the hybrid Active Directory, can have rights on the subscription down below. There are currently new checks and graphs that connect different users and services in Azure, so this will be mapped soon. There are already edges in Azure that you can follow, but most of them are subscription-level. In order to work with AzureHound you need to install additional cmdlets, which are "Az" for subscriptions and Azure functions, and "AzureAD" for Azure AD attributes. The other thing the developers have announced they are currently working on is integration with Active Directory Certificate Services. The goal

is to see which users are in Active Directory, what privileges they have within the Certificate Services, and sometimes having a valid certificate issued by the certificate authority within the domain can open the way for a misconfiguration, and from there the picture of which misconfigurations can be assembled from the certificate services. The tool BloodHound itself is an open-source tool, but there is also a subscription, an enterprise version more precisely, which gives you a very easy report on what problems you have in your environment. But, actually, from version 4.1 of BloodHound, which is the current one, the developers have decided to merge the open source and enterprise versions as a codebase, so there is no difference between Enterprise

and Open Source. And so, I think I managed to stay within half an hour. The floor is yours for questions. The question is: does this product have anything to do with Privileged Access Management? In this case we are talking about user account control in Windows. In practice this is something that privileged access management does. This tool does not audit the activities of the sysadmins. It does not audit who is where and what privileges he uses, but only what he has. More specifically, the question here is not... I'm not telling you what the question is. We don't look at the usage, we only look at the configuration. Static, yes. Actually, the only non-static thing is the sessions. Who,

where, what sessions there are. But what he does during these sessions is not an object of verification at the moment. Other questions? Okay. Is there a cloud service? I'm talking about this one because it's popular and has a large install base and, accordingly, active development. I'm not familiar with its activity for CyberArk, but I know that this product is the result of similar products developed by Microsoft. Actually, the quote I started with, about who thinks in graphs and who thinks in lists, comes from a person from Microsoft who was part of the development of a similar product inside Microsoft, but it didn't see such popularity and the light of day so that every one of us could pull it out and use it. Most likely, at the moment

I can't remember the name of the tool, but it's not something that is being actively developed. I would like to ask you about a Polish... There are such options. What most often stops... I didn't repeat the question, sorry. The question is what detections these tools usually raise and how they can be bypassed. The detections are usually related to the number of requests that are sent and the way these requests are then processed; the signature is covered most often. In what type of data structure you record them, why you record them, etc. For the usual detection, you have to diversify the structure in which you record them and rate-limit the requests themselves. The binary itself is

the most important thing, because it is detected on the basis of the signature, so it has to be applied there. Microsoft even has an article on this topic with the AMSI toolset, Anti-Malware Service Interface. If you search for AMSI BloodHound, you will see what exactly they wrote on the question of detection, in the sense of what this interface affects. Question? Is there a question somewhere else? Okay, if you don't have any questions, thank you for your attention. I hope you will play with this and have enough fun.
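The attack-path analysis the talk describes (derivative admin via nested group membership, local admin rights and sessions, hidden admins, and password reuse judged by pwdLastSet proximity), as an added example that is not part of the talk and not BloodHound's own code. It is a toy re-implementation in Python of the kind of query one would otherwise write in Cypher against Neo4j. All object names, edges and timestamps are constructed for illustration; the edge names MemberOf, AdminTo and HasSession follow BloodHound's vocabulary, and the 'admin' prefix/suffix conventions used to pair accounts are an assumption.

```python
"""Added example (not part of the talk): a toy BloodHound-style attack-path
search over hand-constructed Active Directory data.  Breadth-first search from
a compromised account finds the shortest chain of derivative privileges to
Domain Admins; two heuristics from the talk follow: hidden admins and likely
password reuse between a person's normal and admin accounts.  Every name,
edge and timestamp below is constructed."""
from collections import deque
from datetime import datetime, timedelta

# (source, relationship, target).  HasSession points from the computer to the
# user logged on to it, as in BloodHound; it is the fragile, time-bound edge.
EDGES = [
    ("alice", "MemberOf", "IT"),
    ("IT", "AdminTo", "WS01"),
    ("WS01", "HasSession", "bob"),
    ("bob", "MemberOf", "SRVADMINS"),
    ("SRVADMINS", "AdminTo", "FS01"),
    ("FS01", "HasSession", "da_carol"),
    ("da_carol", "MemberOf", "DOMAIN ADMINS"),
    ("dave", "MemberOf", "HELPDESK"),
    ("HELPDESK", "AdminTo", "WS02"),
]
NODE_TYPE = {"alice": "User", "bob": "User", "da_carol": "User", "dave": "User",
             "IT": "Group", "SRVADMINS": "Group", "HELPDESK": "Group",
             "DOMAIN ADMINS": "Group", "WS01": "Computer", "WS02": "Computer",
             "FS01": "Computer"}

def _adjacency(edges):
    graph = {}
    for src, rel, dst in edges:
        graph.setdefault(src, []).append((rel, dst))
    return graph

def shortest_path(edges, start, target):
    """Breadth-first search; returns the path as a list of (src, rel, dst)
    triples, or None when the target is unreachable from start."""
    graph = _adjacency(edges)
    prev = {start: None}
    queue = deque([start])
    while queue:
        node = queue.popleft()
        if node == target:
            path = []
            while prev[node] is not None:
                parent, rel = prev[node]
                path.append((parent, rel, node))
                node = parent
            return path[::-1]
        for rel, nxt in graph.get(node, []):
            if nxt not in prev:
                prev[nxt] = (node, rel)
                queue.append(nxt)
    return None

def admin_computers(edges, principal):
    """Computers `principal` administers directly or through nested groups."""
    graph = _adjacency(edges)
    seen, stack, computers = set(), [principal], set()
    while stack:
        node = stack.pop()
        for rel, nxt in graph.get(node, []):
            if rel == "AdminTo":
                computers.add(nxt)
            elif rel == "MemberOf" and nxt not in seen:
                seen.add(nxt)
                stack.append(nxt)
    return computers

def hidden_admins(edges, node_type=NODE_TYPE):
    """Users who are local admins somewhere but lack 'admin' in their name."""
    return sorted(u for u, t in node_type.items()
                  if t == "User" and "admin" not in u.lower()
                  and admin_computers(edges, u))

# Constructed pwdLastSet values (the attribute SharpHound collects by default).
PWD_LAST_SET = {
    "bob": datetime(2022, 3, 1, 9, 0),
    "bob_admin": datetime(2022, 3, 1, 9, 3),    # reset 3 minutes after bob's
    "carol": datetime(2022, 1, 10, 14, 0),
    "da_carol": datetime(2022, 2, 20, 11, 30),  # weeks apart: not flagged
}

def _base_name(name):
    """Strip the assumed admin-account affixes so bob / bob_admin pair up."""
    for prefix in ("da_", "adm_"):
        if name.startswith(prefix):
            name = name[len(prefix):]
    for suffix in ("_admin", "-admin", "admin"):
        if name.endswith(suffix):
            name = name[:-len(suffix)]
    return name

def suspected_password_reuse(pwd_last_set, window=timedelta(minutes=15)):
    """Pairs of accounts that look like one person's normal and admin account
    and whose passwords were last set within `window` of each other."""
    names = sorted(pwd_last_set)
    return [(a, b) for i, a in enumerate(names) for b in names[i + 1:]
            if _base_name(a) == _base_name(b)
            and abs(pwd_last_set[a] - pwd_last_set[b]) <= window]
```

Calling `shortest_path(EDGES, "alice", "DOMAIN ADMINS")` returns the seven-hop chain alice → IT → WS01 → bob → SRVADMINS → FS01 → da_carol → DOMAIN ADMINS. Dropping the HasSession edges (what happens once bob and da_carol log off) leaves no path at all, which is the session fragility the talk warns about; `hidden_admins` and `suspected_password_reuse` return the accounts a defender would then go and look at.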
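Two of the detections from the talk's protection list (a burst of Event ID 4769 service-ticket requests from one account, and any successful logon as a honeypot "admin" account), as an added example that is not part of the talk. The events are constructed dictionaries that mimic the fields of the real Windows Security events; the threshold, window, honeypot account names and IP addresses are assumptions. The RC4 (encryption type 0x17) count is an extra signal the talk does not mention, included because Kerberoasting tooling typically asks for RC4-encrypted tickets.

```python
"""Added example (not part of the talk): two detections from the talk's
protection list, run over constructed Windows Security events.
(1) Kerberoasting: one account requesting service tickets (Event ID 4769) for
    many distinct SPN-bearing accounts within a short window.
(2) Honeypot admin account: any successful logon (Event ID 4624) as a bait
    account that nobody should ever use.
Event dicts mimic the fields of the real events; all values are made up."""
from collections import defaultdict
from datetime import datetime, timedelta

HONEYPOT_ACCOUNTS = {"backup_admin", "svc_sqladmin"}  # bait accounts (assumed)
ROAST_THRESHOLD = 5                   # distinct SPN accounts per requester/window
ROAST_WINDOW = timedelta(minutes=10)

def _ev(eid, time, user, ip, **fields):
    return {"EventID": eid, "Time": time, "TargetUserName": user,
            "IpAddress": ip, **fields}

# Constructed events.  In a 4769, TargetUserName is the requester and
# ServiceName is the account that owns the SPN; 0x17 means RC4-HMAC.
EVENTS = [
    _ev(4769, "2022-04-02T09:00:01", "alice@CORP.LOCAL", "10.0.1.25",
        ServiceName="WS01$", TicketEncryptionType="0x12"),
    _ev(4769, "2022-04-02T09:00:05", "alice@CORP.LOCAL", "10.0.1.25",
        ServiceName="svc_sql", TicketEncryptionType="0x12"),
    # one requester, six different service accounts in five seconds, all RC4
    *[_ev(4769, "2022-04-02T10:15:%02d" % (10 + i), "pentest@CORP.LOCAL",
          "10.0.9.7", ServiceName=s, TicketEncryptionType="0x17")
      for i, s in enumerate(["svc_sql", "svc_http", "svc_backup",
                             "svc_report", "svc_exchange", "svc_sharepoint"])],
    _ev(4769, "2022-04-02T10:15:20", "pentest@CORP.LOCAL", "10.0.9.7",
        ServiceName="krbtgt", TicketEncryptionType="0x12"),
    _ev(4624, "2022-04-02T10:20:00", "backup_admin", "10.0.9.7", LogonType="3"),
    _ev(4624, "2022-04-02T10:21:00", "alice", "10.0.1.25", LogonType="2"),
]

def _when(event):
    return datetime.fromisoformat(event["Time"])

def kerberoast_alerts(events, threshold=ROAST_THRESHOLD, window=ROAST_WINDOW):
    """Sliding window per (requester, source IP) over 4769 events.  Computer
    accounts ($) and krbtgt are skipped: they are requested constantly and are
    not roastable.  Returns (requester, ip, distinct_services, rc4_count) for
    each requester/IP that crosses the threshold."""
    by_requester = defaultdict(list)
    for e in sorted(events, key=_when):
        if e["EventID"] != 4769:
            continue
        svc = e["ServiceName"]
        if svc.endswith("$") or svc.lower() == "krbtgt":
            continue
        by_requester[(e["TargetUserName"], e["IpAddress"])].append(e)
    alerts = []
    for (requester, ip), evs in by_requester.items():
        for i, first in enumerate(evs):
            in_window = [x for x in evs[i:] if _when(x) - _when(first) <= window]
            services = {x["ServiceName"] for x in in_window}
            if len(services) >= threshold:
                rc4 = sum(x["TicketEncryptionType"] == "0x17" for x in in_window)
                alerts.append((requester, ip, len(services), rc4))
                break  # one alert per requester/IP is enough
    return alerts

def honeypot_alerts(events, honeypots=HONEYPOT_ACCOUNTS):
    """Any successful logon as a bait account is an alert by definition."""
    return [(e["TargetUserName"], e["IpAddress"]) for e in events
            if e["EventID"] == 4624 and e["TargetUserName"].lower() in honeypots]
```

On the sample data `kerberoast_alerts(EVENTS)` flags only pentest@CORP.LOCAL from 10.0.9.7 (six distinct service accounts, all RC4) and leaves alice's two ordinary requests alone, while `honeypot_alerts(EVENTS)` flags the logon as backup_admin from the same host. In production the threshold and window need tuning against what monitoring and backup systems legitimately request, which is exactly the kind of baseline the talk says the blue team has to build.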