Attack Mapping with BloodHound

AD Attack #2 – Local Admin Mapping

Once an attacker has established a foothold inside your domain, their primary objective is to compromise their target as quickly as possible without detection. Whether the target is sensitive data stored on a file server or compromising a Domain Admin account, the attacker must first formulate a plan of attack. This often involves strategic lateral moves throughout the network, slowly increasing privileges at each stop.

BloodHound is a web application that discovers and visualizes attack paths within an Active Directory environment. It can find the quickest path of attack from any account or computer within the domain to the desired target. This can serve as a valuable defensive tool to ensure there are no viable paths to compromise critical accounts and computers within your own Active Directory environment.

How BloodHound Works

Under the covers, BloodHound relies on PowerSploit and the Invoke-UserHunter command to build its attack paths. The collector enumerates two critical data sets within an Active Directory domain. First, it builds a map of who has access to which computers, focusing on membership in the local Administrators group (Local Admin Mapping). Next, it enumerates active sessions and logged-on users across domain-joined computers. Together these provide the building blocks of an attack plan: you know who can access which systems, and which other users' credentials will be resident in memory on those systems, where they could be stolen. From there, it is just a matter of asking the right question and visualizing the attack path.

Collecting BloodHound Data

Collecting the data requires running a single PowerShell command. The results are written as CSV files into an output directory, ready for import.

Example of PowerShell command to get BloodHound data

Visualizing and Querying BloodHound Data

Once the data is collected it can be imported into the web application for visualization and querying. Here is an example of a domain graph showing attack paths.

Visual of BloodHound attack graph demonstrating how to get to systems and what credentials can be stolen to get there.

Running Queries in BloodHound

There are several pre-built queries that come with BloodHound including finding the shortest path to compromise Domain Admins.

BloodHound Pre-Built Analytics Queries like 'Find all Domain Admins' and 'Find Shortest Paths to Domain Admins'

In addition, you can specify your own source and target to map out every possible attack path between them. This makes planning an attack on a domain as easy as planning a road trip with Google Maps.

By entering a source and target machine in the search interface shown below:

Mapping an attack path with BloodHound using a source and target system.

A graph displaying all possible attack paths is instantly displayed:

Mapping the attack path from source to target with BloodHound
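To make the model behind the two sections above concrete (the local-admin and session data sets, and the shortest-path query between a chosen source and target), here is an added example that is not code from the original post or from the BloodHound project. It uses constructed sample data, builds the same kind of graph BloodHound draws (MemberOf, AdminTo and HasSession edges), and runs a breadth-first shortest-path query that a defender can re-run after removing a stale session or admin right to confirm the path to Domain Admins is actually closed.

```python
from collections import deque

# Constructed sample data shaped like BloodHound's two collections
# (not real collector output): local admin rights per computer,
# logged-on users per computer, and group membership.
LOCAL_ADMINS = {                      # computer -> principals that are local admins
    "WS01": {"alice", "HelpDesk"},
    "WS02": {"bob", "HelpDesk"},
    "FS01": {"svc_backup"},
    "DC01": {"Domain Admins"},
}
SESSIONS = {                          # computer -> users with an active session there
    "WS02": {"svc_backup"},
    "FS01": {"da_carol"},
}
GROUPS = {                            # group -> direct members
    "HelpDesk": {"alice", "bob"},
    "Domain Admins": {"da_carol"},
}


def build_graph(local_admins, sessions, groups):
    """Directed adjacency list using BloodHound's core edge types."""
    graph = {}

    def edge(src, rel, dst):
        graph.setdefault(src, []).append((rel, dst))

    for group, members in groups.items():
        for member in members:
            edge(member, "MemberOf", group)       # member inherits the group's rights
    for computer, admins in local_admins.items():
        for admin in admins:
            edge(admin, "AdminTo", computer)      # admin can execute code on computer
    for computer, users in sessions.items():
        for user in users:
            edge(computer, "HasSession", user)    # user's credentials are in memory there
    return graph


def shortest_path(graph, source, target):
    """Breadth-first search; returns [(node, relation, node), ...] or None if no path."""
    seen = {source}
    queue = deque([(source, [])])
    while queue:
        node, path = queue.popleft()
        if node == target:
            return path
        for rel, nxt in graph.get(node, []):
            if nxt not in seen:
                seen.add(nxt)
                queue.append((nxt, path + [(node, rel, nxt)]))
    return None
```

Running `shortest_path(build_graph(LOCAL_ADMINS, SESSIONS, GROUPS), "alice", "Domain Admins")` on the sample data returns the six-hop chain through the HelpDesk group, WS02, the svc_backup session and FS01; dropping the svc_backup session from WS02 and re-running returns None, which is the check a defender wants after remediation.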

Protecting Against BloodHound

BloodHound is a tremendously useful tool for mapping vulnerabilities within your domain. The simplest way to protect against these types of attacks is to have controls in place for how privileged access to servers is granted. Microsoft provides best practices to follow a tiered administrative model for Active Directory that ensures Domain Admin accounts will be significantly harder to compromise using such methods. In addition to proper upfront security, monitoring authentication and logon activity for abnormalities can expose any attempts to leverage these attack paths.

Here are the other blogs in the series:

  • AD Attack #1 – Performing Domain Reconnaissance (PowerShell)
  • AD Attack #3 – NTDS.dit Extraction (VSSAdmin, PowerSploit, and Hashcat)
  • AD Attack #4 – Stealing Passwords from Memory (Mimikatz)

Jeff Warren is STEALTHbits’ Vice President of Product Management. Jeff has held multiple roles within the Product Management group since joining the organization in 2010, initially building STEALTHbits’ SharePoint management offerings before shifting focus to the organization’s Data Access Governance solution portfolio as a whole. Before joining STEALTHbits, Jeff was a Software Engineer at Wall Street Network, a solutions provider specializing in GIS software and custom SharePoint development. With deep knowledge and experience in technology, product and project management, Jeff and his teams are responsible for designing and delivering STEALTHbits’ high quality, innovative solutions. Jeff holds a Bachelor of Science degree in Information Systems from the University of Delaware.