AD Attack #2 – Local Admin Mapping
Once an attacker has established a foothold inside your domain, their primary objective is to compromise their target as quickly as possible without detection. Whether the target is sensitive data stored on a file server or a Domain Admin account, the attacker must first formulate a plan of attack. This often involves strategic lateral moves throughout the network, gaining additional privileges at each stop.
BloodHound is a web application that discovers and visualizes attack paths within an Active Directory environment. It can find the quickest path of attack from any account or computer within the domain to the desired target. This can serve as a valuable defensive tool to ensure there are no viable paths to compromise critical accounts and computers within your own Active Directory environment.
How BloodHound Works
Under the covers, BloodHound relies on PowerSploit and the Invoke-UserHunter command to build its attack paths. This enumerates two critical data sets within an Active Directory domain. First, it builds a map of who has access to which computers, focusing on membership in the Local Administrators group (Local Admin Mapping). Next, it enumerates active sessions and logged-on users across domain-joined computers. This data provides the building blocks of an attack plan: you now know who can access which systems, and which other users' credentials will be resident in memory on those systems, where they can be stolen. From there, it's just a matter of asking the right question and visualizing the attack path.
Collecting BloodHound Data
Collecting the data is a matter of running a single PowerShell command; the results are written as CSV files into an output directory.
Visualizing and Querying BloodHound Data
Once the data is collected it can be imported into the web application for visualization and querying. Here is an example of a domain graph showing attack paths.
Running Queries in BloodHound
There are several pre-built queries that come with BloodHound including finding the shortest path to compromise Domain Admins.
In addition, you can specify your own source and target to map out any possible attack paths between them. This makes planning an attack on a domain as easy as planning a road trip using Google Maps.
By entering a source and target machine in the search interface shown below:
A graph displaying all possible attack paths is instantly displayed:
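To make the path-finding concrete, here is a small added example (not BloodHound's own code) that models the three relationships described above as a directed graph and answers the "shortest path to Domain Admins" question for a chosen source, the same question a defender asks to confirm no viable path exists. The edges, principal names and the `without_grant` helper are constructed for illustration and assume the attack-graph semantics the post describes: local admin rights on a host expose the credentials of users with sessions on it, and group membership confers the group's rights.

```python
from collections import deque

# Constructed sample edges (illustrative names, not from a real domain), one per relationship
# BloodHound collects: AdminTo (local admin grant), HasSession (logged-on user), MemberOf (group).
EDGES = [
    ("HELPDESK@CORP.LOCAL", "AdminTo", "WS01.CORP.LOCAL"),
    ("HELPDESK@CORP.LOCAL", "AdminTo", "WS02.CORP.LOCAL"),
    ("SRVADMINS@CORP.LOCAL", "AdminTo", "FS01.CORP.LOCAL"),
    ("WS02.CORP.LOCAL", "HasSession", "BOB@CORP.LOCAL"),
    ("FS01.CORP.LOCAL", "HasSession", "ALICE@CORP.LOCAL"),
    ("BOB@CORP.LOCAL", "MemberOf", "SRVADMINS@CORP.LOCAL"),
    ("ALICE@CORP.LOCAL", "MemberOf", "DOMAIN ADMINS@CORP.LOCAL"),
]
DOMAIN_ADMINS = "DOMAIN ADMINS@CORP.LOCAL"

def build_graph(edges):
    """Adjacency map; every edge means 'control of src yields control of dst'."""
    graph = {}
    for src, kind, dst in edges:
        graph.setdefault(src, []).append((dst, kind))
        graph.setdefault(dst, [])
    return graph

def shortest_path(graph, source, target):
    """Breadth-first search; returns [source, edge, node, ..., target], or None if unreachable."""
    parent = {source: None}
    queue = deque([source])
    while queue:
        node = queue.popleft()
        if node == target:
            path = [node]
            while parent[node] is not None:  # walk parent links back to the source
                node, kind = parent[node]
                path = [node, kind] + path
            return path
        for nxt, kind in graph.get(node, []):
            if nxt not in parent:
                parent[nxt] = (node, kind)
                queue.append(nxt)
    return None

def attack_path(source, target=DOMAIN_ADMINS, edges=EDGES):
    """Shortest path from a compromised principal to the target; None means no viable path."""
    return shortest_path(build_graph(edges), source, target)

def without_grant(edges, principal, computer):
    """Edge list with one local-admin grant removed, to check whether a remediation cuts the path."""
    return [e for e in edges if e != (principal, "AdminTo", computer)]
```

Running `attack_path("HELPDESK@CORP.LOCAL")` on the sample data traces the six-hop chain through WS02, BOB, the server admins group, FS01 and ALICE; removing the HELPDESK grant on WS02 with `without_grant` leaves no path, which is exactly the kind of check to repeat after tightening local admin membership.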
Protecting Against BloodHound
BloodHound is a tremendously useful tool for mapping vulnerabilities within your domain. The simplest way to protect against these types of attacks is to have controls in place for how privileged access to servers is granted. Microsoft provides best practices to follow a tiered administrative model for Active Directory that ensures Domain Admin accounts will be significantly harder to compromise using such methods. In addition to proper upfront security, monitoring authentication and logon activity for abnormalities can expose any attempts to leverage these attack paths.
Here are the other blogs in the series:
- AD Attack #1 – Performing Domain Reconnaissance (PowerShell)
- AD Attack #3 – NTDS.dit Extraction (VSSAdmin, PowerSploit, and Hashcat)
- AD Attack #4 – Stealing Passwords from Memory (Mimikatz)