AD Permissions Attack #2: Attacking Permissions with BloodHound
So far in this series, we’ve explored the importance of Active Directory permissions and just how easy it is for attackers to discover vulnerable permissions. Unless an organization has left Domain Admin permissions wide open, perpetrating an attack against Active Directory permissions can get rather complex. A successful attack against Active Directory permissions often needs to tie together many permissions to accomplish the end goal of compromising a target account or group.
To make this process easier and less daunting, we are going to be using BloodHound and the recently added Active Directory Permissions support. I’ve covered BloodHound in the past as a way to perform attack mapping against local Administrator privileges. Today, we’re going to use the same approach to map attacks using Active Directory permissions.
How BloodHound Works with Active Directory Permissions
BloodHound provides penetration testers with the ability to map out attack paths to see how vulnerabilities in their security can let attackers move laterally and elevate privileges. Recognizing the significance of Active Directory permissions, BloodHound now evaluates any sensitive permissions that can give the attacker the ability to elevate their privileges. Those permissions include:
- Reset Password – The ability to change the password of a user account without knowing their existing password
- Add Members – Having the ability to add users to a particular group
- Full Control – You can do anything you want to a user or group
- Write Owner / Write DACL – The right to change permissions and ownership over an object
- Write – The ability to write object attributes
- Extended Rights – This controls various extended rights in one permission, including reset password rights. For a full reference from TechNet, click here
These are the rights that let a user take over another account, or add themselves to a group, to increase their access rights. If you tie many of these rights together, there may be the ability to move from an account with no privileges to an account with Domain Admin rights. BloodHound makes it extremely easy to explore these attack paths. For a more complete overview of the supported permissions by one of the authors of BloodHound, you can read more here.
Collecting Active Directory Permissions
BloodHound comes with a PowerShell script that performs the collection of permissions within the environment. I ran this script in a computer joined to the domain I wanted to gather permissions from. In order to collect Active Directory permissions, you must issue the following command:
Invoke-Bloodhound -CollectionMethod ACLs
This will create a CSV export of all Active Directory permissions that we will then import into the BloodHound web application.
Attack Path 1 – Reset Password
The first attack path I explored using BloodHound is the ability reset user passwords. By doing so, you can take over the user’s account and their access. This can be a useful attack, but if the user is actively using their account, they will notice if their password is reset so the attacker may be exposed. One additional check that would be useful to do is evaluating the last logon time for the accounts to see how safe it is to perform a password reset without detection.
The ability to reset a password will show up in BloodHound as an attack path labeled “ForceChangePassword”:
By tying together multiple password resets, it may be possible to go from an unprivileged account to a Domain Admin as illustrated below:
Attack Path 2 – Group Membership
The second attack path I explored is using the ability to write members to groups. This approach is more concerning because adding a user to a group will rarely raise any alarms, especially if the group is not a well-known privileged group like Domain Admins. By adding users to groups, an attacker is able to slowly elevate their access until they can ultimately add themselves to the group they are targeting. By knowing how sensitive data is secured within an organization, this target group rarely has to be Domain Admins to successfully perpetrate an attack.
In BloodHound, the ability to change a group will show up in an attack path with the label “AddMember” as shown below:
By tying together multiple group membership changes, an attacker can slowly increase their rights until they reach their target. In the below example, you can see how an unprivileged user can become a Domain Admin through group membership changes:
Attack Path 3 – Change Permissions
The ability to change permissions to an object basically lets you do anything you want. You can give yourself the rights to change a group’s membership, reset a password, or extract valuable information from extended attributes (especially scary if using LAPS).
In BloodHound, the ability to change permissions to an object will show up labeled “WriteDacl”:
By tying together multiple permission changes an attacker can again move laterally and elevate their rights as shown below:
Bringing Together All These Active Directory Permissions Attacks
Typically, an attack against Active Directory permissions will not just use one type of permissions, it may use them all. BloodHound does an excellent job of tying together all these different attack paths. In the example below, I am asking BloodHound how to go from my current unprivileged user Michael to compromise a Domain Admin account. It provides three different, yet equally viable, attack paths using different permissions.
Protecting Yourself from Active Directory Permission Attacks
If anything, this blog should make you aware of the permission types to be most wary of in your own environment. Over the years, many organizations lose control of their Active Directory permissions. As the company grows and changes, rights no longer needed are usually not removed, creating a risk that attackers take advantage of. These attacks are just as viable as pass-the-hash and vulnerability exploits, but often can be perpetrated without detection because most security teams do not focus here. It all starts by taking a look at your own Active Directory permissions for weaknesses and starting to close down the most glaring problems.
In the next post, we will explore Active Directory Permissions more in-depth by looking at AdminSDHolder and SDProp and how they can be used to create persistence for an attacker.
Here are the other blogs in the series:
Active Directory Permissions Attack #1 – Exploiting Weak Active Directory Permissions with PowerSploit Read Now
Active Directory Permissions Attack #3 – Persistence using AdminSDHolder and SDProp Read Now
Active Directory Permissions Attack #4 – Unconstrained Delegation Permissions Read Now
To watch the AD Permissions Attacks webinar, please click here.
Jeff Warren is STEALTHbits’ Vice President of Product Management. Jeff has held multiple roles within the Product Management group since joining the organization in 2010, initially building STEALTHbits’ SharePoint management offerings before shifting focus to the organization’s Data Access Governance solution portfolio as a whole. Before joining STEALTHbits, Jeff was a Software Engineer at Wall Street Network, a solutions provider specializing in GIS software and custom SharePoint development.
With deep knowledge and experience in technology, product and project management, Jeff and his teams are responsible for designing and delivering STEALTHbits’ high quality, innovative solutions.
Jeff holds a Bachelor of Science degree in Information Systems from the University of Delaware.