Attacking Active Directory Permissions with BloodHound


AD Permissions Attack #2: Attacking Permissions with BloodHound

So far in this series, we’ve explored the importance of Active Directory permissions and just how easy it is for attackers to discover vulnerable permissions. Unless an organization has left Domain Admin permissions wide open, perpetrating an attack against Active Directory permissions can get rather complex. A successful attack against Active Directory permissions often needs to tie together many permissions to accomplish the end goal of compromising a target account or group.

To make this process easier and less daunting, we are going to be using BloodHound and the recently added Active Directory Permissions support. I’ve covered BloodHound in the past as a way to perform attack mapping against local Administrator privileges. Today, we’re going to use the same approach to map attacks using Active Directory permissions.

How BloodHound Works with Active Directory Permissions

BloodHound provides penetration testers with the ability to map out attack paths to see how vulnerabilities in their security can let attackers move laterally and elevate privileges. Recognizing the significance of Active Directory permissions, BloodHound now evaluates any sensitive permissions that can give the attacker the ability to elevate their privileges. Those permissions include:

  • Reset Password – The ability to change the password of a user account without knowing their existing password
  • Add Members – Having the ability to add users to a particular group
  • Full Control – You can do anything you want to a user or group
  • Write Owner / Write DACL – The right to change permissions and ownership over an object
  • Write – The ability to write object attributes
  • Extended Rights – This controls various extended rights in one permission, including reset password rights. A full reference is available on TechNet.

These are the rights that let a user take over another account, or add themselves to a group, to increase their access rights. If you tie many of these rights together, there may be the ability to move from an account with no privileges to an account with Domain Admin rights. BloodHound makes it extremely easy to explore these attack paths. One of the authors of BloodHound has published a more complete overview of the supported permissions.

Collecting Active Directory Permissions

BloodHound comes with a PowerShell script that performs the collection of permissions within the environment. I ran this script on a computer joined to the domain I wanted to gather permissions from. In order to collect Active Directory permissions, you must issue the following command:

Invoke-Bloodhound -CollectionMethod ACLs

This will create a CSV export of all Active Directory permissions that we will then import into the BloodHound web application.

[Figure: running Invoke-Bloodhound -CollectionMethod ACLs to create the CSV export of Active Directory permissions]

Attack Path 1 – Reset Password

The first attack path I explored using BloodHound is the ability to reset user passwords. By doing so, you can take over the user’s account and their access. This can be a useful attack, but if the user is actively using their account, they will notice that their password has been reset, so the attacker may be exposed. One additional check that would be useful is evaluating the last logon time for the accounts to see how safe it is to perform a password reset without detection.

The ability to reset a password will show up in BloodHound as an attack path labeled “ForceChangePassword”:

[Figure: BloodHound attack path labeled ForceChangePassword]

By tying together multiple password resets, it may be possible to go from an unprivileged account to a Domain Admin as illustrated below:

[Figure: BloodHound attack path chaining ForceChangePassword rights to reach Domain Admins]

Attack Path 2 – Group Membership

The second attack path I explored is using the ability to write members to groups. This approach is more concerning because adding a user to a group will rarely raise any alarms, especially if the group is not a well-known privileged group like Domain Admins. By adding users to groups, an attacker is able to slowly elevate their access until they can ultimately add themselves to the group they are targeting. By knowing how sensitive data is secured within an organization, this target group rarely has to be Domain Admins to successfully perpetrate an attack.

In BloodHound, the ability to change a group will show up in an attack path with the label “AddMember” as shown below:

[Figure: BloodHound attack path labeled AddMember]

By tying together multiple group membership changes, an attacker can slowly increase their rights until they reach their target. In the below example, you can see how an unprivileged user can become a Domain Admin through group membership changes:

[Figure: BloodHound attack path chaining AddMember rights to reach Domain Admins]

Attack Path 3 – Change Permissions

The ability to change permissions to an object basically lets you do anything you want. You can give yourself the rights to change a group’s membership, reset a password, or extract valuable information from extended attributes (especially scary if using LAPS).

In BloodHound, the ability to change permissions to an object will show up labeled “WriteDacl”:

[Figure: BloodHound attack path labeled WriteDacl]

By tying together multiple permission changes, an attacker can again move laterally and elevate their rights as shown below:

[Figure: BloodHound attack path chaining WriteDacl rights to reach Domain Admins]

Bringing Together All These Active Directory Permissions Attacks

Typically, an attack against Active Directory permissions will not use just one type of permission; it may use them all. BloodHound does an excellent job of tying together all these different attack paths. In the example below, I am asking BloodHound how to go from my current unprivileged user Michael to compromise a Domain Admin account. It provides three different, yet equally viable, attack paths using different permissions.

[Figure: BloodHound showing three attack paths from the user Michael to a Domain Admin account using ForceChangePassword, AddMember and WriteDacl]

Protecting Yourself from Active Directory Permission Attacks

If anything, this blog should make you aware of the permission types to be most wary of in your own environment. Over the years, many organizations lose control of their Active Directory permissions. As the company grows and changes, rights no longer needed are usually not removed, creating a risk that attackers take advantage of. These attacks are just as viable as pass-the-hash and vulnerability exploits, but often can be perpetrated without detection because most security teams do not focus here. It all starts by taking a look at your own Active Directory permissions for weaknesses and starting to close down the most glaring problems.
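
One way to start that review is sketched below. This is an added example, not code from the original post or from BloodHound. It walks a list of permission edges and reports every principal that can reach a protected group through a chain of the rights discussed above, plus the edges that appear in the most chains. The three-column CSV layout, the account and group names, and the function names are all constructed for the example.

```python
import csv
import io
from collections import Counter, deque

# Constructed sample data. The three-column layout (principal, right, target)
# is an assumption for this example, not BloodHound's export schema.
SAMPLE_EDGES = """principal,right,target
michael,ForceChangePassword,svc_backup
svc_backup,AddMember,HelpDesk
HelpDesk,WriteDacl,Domain Admins
michael,AddMember,Printers
jane,AddMember,Server Ops
Server Ops,ForceChangePassword,da_admin
da_admin,MemberOf,Domain Admins
carol,AddMember,Printers
"""
# Edge labels named in the article, plus plain group membership.
CONTROL_RIGHTS = {"ForceChangePassword", "AddMember", "WriteDacl", "MemberOf"}

def load_edges(text):
    graph = {}  # {principal: [(right, target), ...]}
    for row in csv.DictReader(io.StringIO(text)):
        if row["right"] in CONTROL_RIGHTS:
            graph.setdefault(row["principal"], []).append((row["right"], row["target"]))
    return graph

def shortest_chain(graph, start, target):
    """Breadth-first search; returns [(principal, right, target), ...] or None."""
    seen, queue = {start}, deque([(start, [])])
    while queue:
        node, hops = queue.popleft()
        if node == target:
            return hops
        for right, nxt in graph.get(node, []):
            if nxt not in seen:
                seen.add(nxt)
                queue.append((nxt, hops + [(node, right, nxt)]))
    return None

def exposure_report(graph, target, privileged=()):
    """Shortest chain to `target` for every principal not already privileged."""
    chains = {p: shortest_chain(graph, p, target)
              for p in sorted(graph) if p not in privileged}
    return {p: c for p, c in chains.items() if c}

def edges_to_review(report):
    """Count how many chains each edge appears in; high counts are choke points."""
    return Counter(hop for chain in report.values() for hop in chain)
```

The edge with the highest count in `edges_to_review` is the permission whose removal breaks the most chains, which makes it a reasonable first candidate for cleanup.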

In the next post, we will explore Active Directory Permissions more in-depth by looking at AdminSDHolder and SDProp and how they can be used to create persistence for an attacker.

Here are the other blogs in the series:

Active Directory Permissions Attack #1 – Exploiting Weak Active Directory Permissions with PowerSploit
Active Directory Permissions Attack #3 – Persistence using AdminSDHolder and SDProp
Active Directory Permissions Attack #4 – Unconstrained Delegation Permissions
