BloodHound 1.3 – The ACL Attack Path Update


Intro & Background

In 2014, Emmanuel Gras and Lucas Bouillot presented their work titled “Chemins de contrôle en environnement Active Directory” (“Active Directory Control Paths”) at the Symposium sur la sécurité des technologies de l’information et des communications (Symposium on Information and Communications Technology Security), where they used graph theory and Active Directory object permissions to answer the question, “Who can become Domain Admin?” I highly recommend checking out their presentation and whitepaper, which we drew initial inspiration from for the BloodHound project, and which gave us very helpful and specific information for adding object control paths to the BloodHound attack graph.
Rohan Vazarkar (@CptJesus), Will Schroeder (@harmj0y) and I are very proud to announce BloodHound 1.3, which introduces several new edge types based on Active Directory object control. Additionally, Will and Lee (@tifkin_) have put considerable work into developing corresponding PowerShell cmdlets which enable a pentester or red teamer to take advantage of these new edges. We believe that ACL-based attack paths will expose an untapped attack landscape in Active Directory domains.


What are ACLs?

When we talk about ACL-based attacks, we are specifically referring to Access Control Entries (ACEs) which populate Discretionary Access Control Lists (DACLs). DACLs reside within security descriptors, which reside within securable objects. For a list of common securable objects, see https://msdn.microsoft.com/en-us/library/windows/desktop/aa379557(v=vs.85).aspx. Notably, Active Directory users, groups, and computers are securable objects. Access Control Entries describe the allowed and denied permissions for other principals in Active Directory against the securable object.

Above: The graphical representation of the security descriptor for the user “Jeff Dimmock”. Highlighted in red is the Discretionary Access Control List (DACL), comprised of Access Control Entries (ACEs).

The best example of this is when one object has “full control” over another object. Consider the “Domain Admins” group, for example. It makes sense that the “Domain Admins” group would have full control over every other object in a domain:

Above: The ACE granting the “Domain Admins” group full control of the “Jeff Dimmock” user is highlighted in red.

Now, of course the Domain Admins group has full control of every other object in Active Directory; however, as attackers, we are interested in how we can abuse ACEs to gain control of a domain admin, or of a user or group that gets us closer to our target objective. Additionally, the owner of an object has complete control (GenericAll equivalent) of the object, regardless of any explicit deny ACEs.

Abusable ACEs

This update adds 7 new edges to the BloodHound attack graph schema, based on direct object-to-object control situations that we have verified are abusable. Additionally, Will Schroeder (@harmj0y) and Lee Christensen (@tifkin_) have put considerable effort into creating easy-to-use PowerShell cmdlets to abuse each associated ACE:

  • ForceChangePassword: The ability to change the target user’s password without knowing the current value. Abused with Set-DomainUserPassword.
  • AddMembers: The ability to add arbitrary users, groups or computers to the target group. Abused with Add-DomainGroupMember.
  • GenericAll: Full object control, including the ability to add other principals to a group, change a user password without knowing its current value, register an SPN with a user object, etc. Abused with Set-DomainUserPassword or Add-DomainGroupMember.
  • GenericWrite: The ability to update any non-protected target object parameter value. For example, update the “scriptPath” parameter value on a target user object to cause that user to run your specified executable/commands the next time that user logs on. Abused with Set-DomainObject.
  • WriteOwner: The ability to update the owner of the target object. Once the object owner has been changed to a principal the attacker controls, the attacker may manipulate the object any way they see fit. Abused with Set-DomainObjectOwner.
  • WriteDACL: The ability to write a new ACE to the target object’s DACL. For example, an attacker may write a new ACE to the target object DACL giving the attacker “full control” of the target object. Abused with Add-NewADObjectAccessControlEntry.
  • AllExtendedRights: The ability to perform any action associated with extended Active Directory rights against the object. For example, adding principals to a group and force-changing a target user’s password are both examples of extended rights. Abused with Set-DomainUserPassword or Add-DomainGroupMember.
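To make the list concrete for auditing purposes, here is a simplified classifier, added for this write-up and not the BloodHound/SharpHound ingestor's own code, that maps the fields of a single ACE (as shown by Get-Acl on the AD: drive or by PowerView) to the edge names above. The right-mask values and the two GUIDs are real AD constants; the mapping rules are a simplification, not the collector's exact logic.

```python
# Right bits as exposed by .NET's System.DirectoryServices.ActiveDirectoryRights,
# which is what Get-Acl AD:\<dn> and the PowerView cmdlets show for each ACE.
GENERIC_ALL, GENERIC_WRITE = 983551, 131112
WRITE_DACL, WRITE_OWNER, EXTENDED_RIGHT, WRITE_PROPERTY = 262144, 524288, 256, 32

# Real AD GUIDs the mapping depends on.
NULL_GUID = "00000000-0000-0000-0000-000000000000"  # ACE covers all rights/properties
FORCE_CHANGE_PASSWORD = "00299570-246d-11d0-a768-00aa006e0529"  # User-Force-Change-Password
MEMBER_ATTR = "bf9679c0-0de6-11d0-a285-00aa003049e2"  # schemaIDGUID of the "member" attribute


def classify_ace(rights, object_type, target_class, ace_type="Allow"):
    """Map one ACE (rights mask, ObjectType GUID, class of the secured object) to the
    BloodHound 1.3 edge names it produces. Returns [] when the ACE grants no control
    edge. Deny ACEs are ignored, matching the collection caveat described in the post.
    Simplified rules written for this example, not the collector's exact logic."""
    if ace_type != "Allow":
        return []
    object_type = (object_type or NULL_GUID).lower()
    if (rights & GENERIC_ALL) == GENERIC_ALL and object_type == NULL_GUID:
        return ["GenericAll"]  # full control subsumes every other edge
    edges = []
    if rights & WRITE_DACL:
        edges.append("WriteDACL")
    if rights & WRITE_OWNER:
        edges.append("WriteOwner")
    if rights & WRITE_PROPERTY and object_type == NULL_GUID:
        edges.append("GenericWrite")  # any non-protected attribute, e.g. scriptPath
    if rights & EXTENDED_RIGHT:
        if object_type == NULL_GUID:
            edges.append("AllExtendedRights")
        elif object_type == FORCE_CHANGE_PASSWORD and target_class == "user":
            edges.append("ForceChangePassword")  # the right does not apply to groups
    if rights & WRITE_PROPERTY and object_type == MEMBER_ATTR and target_class == "group":
        edges.append("AddMembers")  # property-specific write on the member attribute
    return edges
```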

Attack Path Planning with BloodHound

After completing BloodHound data collection activities (read: by default, all authenticated users can read all ACEs on all objects!), we can use the BloodHound interface to plan an attack to compromise our target. Let’s take a look at an example based on real data from a real environment:

Above: An ACL attack path identified by BloodHound, where the target group is the “Domain Admins” group.

In this instance, we have a relatively low-privileged user on the far left with an ACL-only attack path ending up in control of the Domain Admins group. Unfortunately, from an OPSEC perspective, we are forced to perform a password reset against one of the many users in the seventh step of the attack path. Along the way, we may choose to perform password resets on the two other users we identified; however, we have other options up our sleeve as well, including altering the user’s scriptPath attribute or registering an SPN with the target user, as Will (@harmj0y) outlines in his blog post, “Targeted Kerberoasting”:

Above: Detail of step 1 of our attack path. The user on the left is a member of the security group in the center. That group has full control of the user on the right; therefore, so does the user on the left.

Above: Detail of the second step in the attack path. The user on the left belongs to the group in the middle. That group has both full control via “GenericAll”, and (redundantly) the “ForceChangePassword” right against the user on the right.

Above: Detail of the final two steps in the attack path. The group on the left has the “ForceChangePassword” right against several users who all belong to the group in the middle right. That group in the middle right has full control of the group on the right, which is the “Domain Admins” group.

The second-to-last step of our attack path requires us to change an active user’s password. The OPSEC considerations of this action should not be taken lightly: if an attacker changes a service account password, for example, and the associated actions of that service account start to fail, the SOC may be alerted. Or, if we change the password of an admin user and that user can’t log on next time, they may suspect that their password was changed by someone else. A great solution to this would be the ability to directly inject NT hashes into the NTDS after we get DA, and reset the user’s password to what it was before; however, I haven’t found a way to do this (@gentilkiwi please!). This will require that you know the target user’s NTLM hash or plaintext password at some point in the attack chain, so if you can’t do that, or you can’t escalate to domain admin and fetch the user’s NT hash from their password history in NTDS, you’re in the dog house.

Another option would be to change that user’s password, pivot to a machine that user is currently actively logged onto, grab the clear-text password that user used to authenticate to that machine with mimikatz, and reset the user’s password to that value. If done quickly enough (and if password changes are not closely audited), the user should be none the wiser. This is where domain recon is critical. The more you know about the environment, user behaviors, monitoring capability, etc., the more likely you are to be able to execute this step of the attack path without getting caught.

In the final step of the attack path, we gain full control over our target node, the “Domain Admins” group:

Note that having full control over a group does *not* automatically give you any control over users joined to that group. In this instance, the option we have is simple: add an arbitrary principal that we control to the Domain Admins group. Once the attacker has done this, they may DCSync the krbtgt hash, remove their arbitrary principal from the Domain Admins group, and then set up their persistence using the krbtgt hash. For more information about that, see Sean Metcalf’s (@PyroTek3) blog post, “Kerberos & KRBTGT: Active Directory’s Domain Kerberos Service Account.”

For a bit of fun, here’s a video showing the YOLO method of executing this attack path. Because we’re simply manipulating AD objects via LDAP/ADSI, we can actually execute these attack paths with considerable speed:


Auditing ACLs with BloodHound

Effectively auditing ACLs in Active Directory has historically been a confusing, frustrating, and painfully slow process. BloodHound now enables quick, easy auditing of ACLs, with two important caveats. First, the only ACLs we collect data on are those that can be used to take control of another object, and we still have some work to do on adding OUs, GPOs, and other attacks which can benefit from misconfigured ACLs to the graph schema. Second, we only ingest “Allow” type ACEs, and do not account for effective access as determined by how the security reference monitor reads ACEs in canonical order; however, in most environments, we have noticed very little use of “Deny” type ACEs.

By clicking on a group node, for example, and scrolling to the bottom of the group info tab, we see the “Inbound Object Control” section:

“Explicit Object Controllers” tells us who the first-degree controllers of this object are. Note that this is different than non-inherited rights, and may include ACEs which are inherited from parent objects. By clicking on the number, we can see what those objects are:

“Unrolled Object Controllers” takes every group with privileges against this object and unrolls them out, showing the effective principals who have that right via security group delegation:

Finally, “Transitive Object Controllers” draws out all the possible attack paths based on the collected ACL data. If there is an ACL-only attack path to compromise this object, BloodHound will find it for you:

These different views will give you instant insight into which other objects in AD have the ability to gain control of any given node.
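The three inbound views, and the path search behind the attack path section above, come down to graph walks over MemberOf and control edges. The following is an added example written for this write-up, not BloodHound's own Cypher or code: it builds a small constructed graph with hypothetical principal names shaped like the path in the screenshots, computes explicit, unrolled and transitive controllers of the target group, and finds the shortest control path from a low-privileged user. It also shows why full control of a group yields no path to the group's members.

```python
from collections import defaultdict, deque

# The seven control edges BloodHound 1.3 adds, plus Owns (an owner is GenericAll-equivalent).
CONTROL = {"ForceChangePassword", "AddMembers", "GenericAll", "GenericWrite",
           "WriteOwner", "WriteDACL", "AllExtendedRights", "Owns"}

# Constructed sample graph with hypothetical names, shaped like the post's attack path.
EDGES = [
    ("lowpriv", "MemberOf", "HelpDesk"),
    ("HelpDesk", "GenericAll", "alice"),               # step 1: group fully controls a user
    ("alice", "MemberOf", "PwdResetters"),
    ("PwdResetters", "ForceChangePassword", "carol"),  # step 2: reset one of many users
    ("carol", "MemberOf", "Tier0Ops"),
    ("Tier0Ops", "GenericAll", "Domain Admins"),       # step 3: control of the DA group
    ("da_user", "MemberOf", "Domain Admins"),          # a member; not reachable from the group
]

def build(edges):
    """Forward and reverse adjacency: node -> [(relationship, other node)]."""
    fwd, rev = defaultdict(list), defaultdict(list)
    for src, rel, dst in edges:
        fwd[src].append((rel, dst))
        rev[dst].append((rel, src))
    return fwd, rev

def controllers(rev, target, mode="explicit"):
    """BloodHound's three inbound views: explicit (a control edge straight onto the target),
    unrolled (plus nested members of controlling groups), transitive (any chain of control
    and MemberOf edges that ends in a control edge on the target)."""
    follow = {"explicit": set(), "unrolled": {"MemberOf"},
              "transitive": CONTROL | {"MemberOf"}}[mode]
    seen = {src for rel, src in rev[target] if rel in CONTROL}
    queue = deque(seen)
    while queue:
        for rel, src in rev[queue.popleft()]:
            if rel in follow and src not in seen and src != target:
                seen.add(src); queue.append(src)
    return sorted(seen)

def control_path(fwd, start, target):
    """Shortest chain of (src, rel, dst) edges from start to target, or None. MemberOf runs
    member -> group only, so controlling a group never yields a path to its members."""
    prev, queue = {start: None}, deque([start])
    while queue and target not in prev:
        node = queue.popleft()
        for rel, dst in fwd[node]:
            if dst not in prev:
                prev[dst] = (node, rel); queue.append(dst)
    if target not in prev:
        return None
    path, node = [], target
    while prev[node]:
        src, rel = prev[node]; path.append((src, rel, node)); node = src
    return path[::-1]
```

Run `fwd, rev = build(EDGES)` and then `controllers(rev, "Domain Admins", "transitive")` or `control_path(fwd, "lowpriv", "Domain Admins")`; the ForceChangePassword edge in the returned path is the OPSEC-sensitive step discussed above.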

Future Work and Conclusion

Soon, we will update the schema to reflect GPO edit rights as they apply to OUs and the children of those OUs. We are also continually researching methods of controlling objects in AD without setting off alarms. Additionally, Will and I will be speaking at Black Hat USA 2017 on designing very sneaky backdoors in AD using ACLs, so look for that to come out at the time of that talk.