Once an attacker has established a foothold inside your domain, their primary objective is to compromise their target as quickly as possible without detection. Whether the target is sensitive data stored on a file server or a Domain Admin account, the attacker must first formulate a plan of attack. This often involves strategic lateral moves throughout the network, slowly increasing privileges at each stop.
BloodHound is a web application that discovers and visualizes attack paths within an Active Directory environment. It can find the quickest path of attack from any account or computer within the domain to the desired target. This can serve as a valuable defensive tool to ensure there are no viable paths to compromise critical accounts and computers within your own Active Directory environment.
Under the covers, BloodHound relies on PowerSploit and the Invoke-UserHunter command to build its attack paths. It enumerates two critical data sets within an Active Directory domain. First, it builds a map of who has access to which computers, focusing on membership in the Local Administrators group (Local Admin Mapping). Next, it enumerates active sessions and logged-on users across domain-joined computers. This data provides the building blocks of an attack plan: now you know who can access which systems, and which other users' credentials will be present in memory on those systems, where they can be stolen. From there, it's just a matter of asking the right question and visualizing the attack path.
The data is collected by running a PowerShell command; the results are written to CSV files in an output directory.
Once the data is collected it can be imported into the web application for visualization and querying. Here is an example of a domain graph showing attack paths.
There are several pre-built queries that come with BloodHound including finding the shortest path to compromise Domain Admins.
In addition, you can specify your own source and target to map out every possible attack path between them. This makes planning an attack on a domain as easy as planning a road trip with Google Maps.
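To make the graph model concrete, here is an added example (my own code, not BloodHound's or Stealthbits') that builds the same three kinds of edges BloodHound derives from the two data sets described above (group membership, local-admin mapping, and logged-on sessions) and runs a shortest-path search from a chosen source to a chosen target. The principals, computers and sessions are constructed sample data, not from any real domain; the relationship names MemberOf, AdminTo and HasSession follow BloodHound's naming, but the dictionaries and functions are assumptions of this example. A defender can use the reverse search to list every account and computer from which the target is reachable, and then re-run it after a proposed fix.

```python
from collections import deque

# Constructed sample data for illustration only.
MEMBER_OF = {                       # user -> groups the user belongs to
    "alice": {"HelpDesk"},
    "bob": {"ServerOps"},
    "carol": {"Domain Admins"},
}
ADMIN_TO = {                        # principal -> computers where it is a local Administrator
    "HelpDesk": {"WS01", "WS02"},
    "ServerOps": {"SRV01"},
    "Domain Admins": {"WS01", "WS02", "SRV01", "DC01"},
}
SESSIONS = {                        # computer -> users currently logged on (credentials in memory)
    "WS02": {"bob"},
    "SRV01": {"carol"},
}


def build_graph(member_of, admin_to, sessions):
    """Directed graph: node -> list of (relationship, neighbour)."""
    graph = {}

    def add(src, rel, dst):
        graph.setdefault(src, []).append((rel, dst))
        graph.setdefault(dst, [])   # make sure every node exists, even with no out-edges

    for user, groups in member_of.items():
        for group in groups:
            add(user, "MemberOf", group)          # user inherits the group's rights
    for principal, computers in admin_to.items():
        for computer in computers:
            add(principal, "AdminTo", computer)   # admin on the box -> can dump its memory
    for computer, users in sessions.items():
        for user in users:
            add(computer, "HasSession", user)     # credentials of this user live on the box
    return graph


def shortest_path(graph, source, target):
    """Breadth-first search; returns [(node, rel, node), ...] or None if unreachable."""
    if source not in graph or target not in graph:
        return None
    prev = {source: None}
    queue = deque([source])
    while queue:
        node = queue.popleft()
        if node == target:
            break
        for rel, nxt in graph[node]:
            if nxt not in prev:
                prev[nxt] = (node, rel)
                queue.append(nxt)
    if target not in prev:
        return None
    path, node = [], target
    while prev[node] is not None:
        parent, rel = prev[node]
        path.append((parent, rel, node))
        node = parent
    return list(reversed(path))


def principals_reaching(graph, target):
    """Every node that has some path to target (reverse reachability)."""
    reverse = {}
    for src, edges in graph.items():
        for _, dst in edges:
            reverse.setdefault(dst, []).append(src)
    seen, queue = {target}, deque([target])
    while queue:
        node = queue.popleft()
        for parent in reverse.get(node, []):
            if parent not in seen:
                seen.add(parent)
                queue.append(parent)
    seen.discard(target)
    return seen


if __name__ == "__main__":
    g = build_graph(MEMBER_OF, ADMIN_TO, SESSIONS)
    for step in shortest_path(g, "alice", "Domain Admins") or []:
        print("%s -[%s]-> %s" % step)
    print("can reach Domain Admins:", sorted(principals_reaching(g, "Domain Admins")))
```

With this data a help-desk user reaches Domain Admins in seven hops purely through local-admin rights and cached sessions. Removing the session of `bob` on `WS02` (or HelpDesk's admin rights there) breaks the chain, which is exactly the kind of check to repeat after every remediation.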
Entering a source and a target machine in the search interface instantly produces a graph of all possible attack paths between them.
BloodHound is a tremendously useful tool for mapping vulnerabilities within your domain. The simplest way to protect against these types of attacks is to have controls in place for how privileged access to servers is granted. Microsoft provides best practices to follow a tiered administrative model for Active Directory that ensures Domain Admin accounts will be significantly harder to compromise using such methods. In addition to proper upfront security, monitoring authentication and logon activity for abnormalities can expose any attempts to leverage these attack paths.
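The monitoring suggested in the paragraph above can be approximated with two simple checks over logon events: a privileged (tier 0) account logging on interactively to a host outside its tier, which the tiered model forbids, and a single account fanning out to an unusually large number of distinct hosts in a short window, which is what traversing an attack path looks like from the logon side. The following is an added example of my own, not Stealthbits' or BloodHound's code; the event lines are constructed samples reduced to the fields needed (time, host, user, logon type), and the tier lists, window and threshold are assumptions to be tuned to your own environment.

```python
import csv
from collections import defaultdict
from datetime import datetime, timedelta
from io import StringIO

# Constructed sample logon events (fields reduced from a 4624-style record).
SAMPLE_LOGONS = """\
time,host,user,logon_type
2021-03-01T09:00:00,WS01,alice,2
2021-03-01T09:05:00,WS02,alice,3
2021-03-01T09:07:00,WS03,alice,3
2021-03-01T09:08:00,WS04,alice,3
2021-03-01T09:09:00,WS05,alice,3
2021-03-01T09:10:00,WS06,alice,3
2021-03-01T10:30:00,WS02,carol,10
2021-03-01T11:00:00,DC01,carol,3
2021-03-01T11:15:00,SRV01,bob,3
"""

# Assumed tiering for this example: carol is a tier-0 (Domain Admin) account,
# DC01 is the only tier-0 host. Interactive logon types leave credentials in memory.
TIER0_ACCOUNTS = {"carol"}
TIER0_HOSTS = {"DC01"}
INTERACTIVE_TYPES = {"2", "10", "11"}   # Interactive, RemoteInteractive, CachedInteractive


def parse_logons(text):
    """Parse the CSV sample into a list of dicts with a real datetime."""
    events = []
    for row in csv.DictReader(StringIO(text)):
        row["time"] = datetime.fromisoformat(row["time"])
        events.append(row)
    return events


def tier_violations(events):
    """Tier-0 accounts logging on interactively to non-tier-0 hosts."""
    return [
        e for e in events
        if e["user"] in TIER0_ACCOUNTS
        and e["host"] not in TIER0_HOSTS
        and e["logon_type"] in INTERACTIVE_TYPES
    ]


def fan_out(events, window=timedelta(minutes=10), threshold=5):
    """Accounts that touch >= threshold distinct hosts inside any sliding window.

    Returns {user: max distinct hosts seen in one window} for flagged users.
    """
    by_user = defaultdict(list)
    for e in events:
        by_user[e["user"]].append(e)

    flagged = {}
    for user, evs in by_user.items():
        evs.sort(key=lambda e: e["time"])
        start = 0
        for i, e in enumerate(evs):
            # slide the window start forward until it is within `window` of this event
            while evs[start]["time"] < e["time"] - window:
                start += 1
            hosts = {x["host"] for x in evs[start:i + 1]}
            if len(hosts) >= threshold:
                flagged[user] = max(flagged.get(user, 0), len(hosts))
    return flagged


if __name__ == "__main__":
    evs = parse_logons(SAMPLE_LOGONS)
    for v in tier_violations(evs):
        print("tier violation:", v["user"], "interactive logon to", v["host"], "at", v["time"])
    for user, n in fan_out(evs).items():
        print("fan-out:", user, "reached", n, "hosts within 10 minutes")
```

On the sample, `carol` trips the tier check with a RemoteInteractive (type 10) logon to a workstation, and `alice` trips the fan-out check by reaching six hosts in ten minutes. Real deployments key these on the actual 4624 fields and baseline the threshold per role, since backup and scanning accounts legitimately fan out.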
Jeff Warren is Stealthbits’ General Manager of Products. Jeff has held multiple roles within the Technical Product Management group since joining the organization in 2010, initially building Stealthbits’ SharePoint management offerings before shifting focus to the organization’s Data Access Governance solution portfolio as a whole. Before joining Stealthbits, Jeff was a Software Engineer at Wall Street Network, a solutions provider specializing in GIS software and custom SharePoint development.
With deep knowledge and experience in technology, product and project management, Jeff and his teams are responsible for designing and delivering Stealthbits’ high quality, innovative solutions.
Jeff holds a Bachelor of Science degree in Information Systems from the University of Delaware.
© 2021 Stealthbits Technologies, Inc.