[PPT] - BloodHound From Red to Blue 1.5 By Scoubi @ScoubiMTL BIO Sr PowerPoint Presentation

SLIDE 1

BloodHound From Red to Blue 1.5

By Scoubi @ScoubiMTL

SLIDE 2

BIO

Sr Security Architect at Bell Canada

Adversary Detection Team Lead Threat Hunting Team Lead

First Presented at BSidesCharm French Canadian

Don’t pronounce ”S” and “H”

BlueTeam Village 1

SLIDE 3

BlueTeam Village 2

Talk at Defcon Make a talk with a mohawk Second presentation this week Present as many talks as @Pyrotek at #HSC Present one more talks than @subTee Present two more talks than @mattifestation No security researcher’s Ego was harmed in the making of this slide!

SLIDE 4

Agenda

Overview of Bloodhound Basics usage of Bloodhound Introduction to Cypher Destroy Attack Paths Report & Automation

BlueTeam Village 3

SLIDE 5

“Defenders think in lists. Attackers think in graphs. As long as this is true, attackers win.”

@JohnLaTwC git.io/fpfZ5

BlueTeam Village 4

SLIDE 6

List?

BlueTeam Village 5

SLIDE 7

List?

BlueTeam Village 6

SLIDE 8

Graph?

You Alexis Family Taylor Jordan Friend

BlueTeam Village 7

SLIDE 9

Graph?

AdminTo HasSession

BlueTeam Village 8

SLIDE 10

Overview

BlueTeam Village 9

SLIDE 11

What is BloodHound?

BloodHound uses graph theory to reveal the hidden and often unintended relationships within an Active Directory environment. Attackers can use BloodHound to easily identify highly complex attack paths that would otherwise be impossible to quickly identify. Defenders can use BloodHound to identify and eliminate those same attack paths. Both blue and red teams can use BloodHound to easily gain a deeper understanding of privilege relationships in an Active Directory environment

BlueTeam Village 10

SLIDE 12

History of Bloodhound

DEF CON 24 - Six Degrees of Domain Admin

https://youtu.be/Y8qu5NFKyrE

Blackhat 2017 - The Industrial Revolution of Lateral Movement

https://youtu.be/lbJPCnjQxCU

Blackhat 2018 – Arsenal : Bloodhound 2.0

BloodHound is developed by @_wald0, @CptJesus, and @harmj0y.

BlueTeam Village 11

SLIDE 13

What does BloodHound do?

It queries Active Directory Import the data in Neo4j Show relations between objects

BlueTeam Village 12

SLIDE 14

Why use BloodHound?

For Red

Use UI to build attack paths offline Reduce noise on the network

For Blue

Use queries to find “busiest” attack paths Test remediation’s effect on the graph Destroy paths before they are exploited

BlueTeam Village 13

SLIDE 15

The Basics

First Steps

BlueTeam Village 14

SLIDE 16

Ingestors

-CollectionMethod | -C

all | LoggedOn | DConly

-MaxLoopTime
c SessionLoop
-SearchForest

Sharphound -h https://github.com/BloodHoundAD/Sharp Hound

SharpHound Invoke-BloodHound bloodhound-python

BlueTeam Village 15

SLIDE 17

The GUI

BlueTeam Village 16

SLIDE 18

Undocumented Features

Right-Click Edges: CTRL: SHIFT+CTRL+I: Spacebar: “GPO:”: “OU:”: Contextual Help Toggle Labels Console Toggle Spotligh Search GPOs Search OUs

BlueTeam Village 17

SLIDE 19

Graph Database

Neo4j

Download : https://neo4j.com/download-center/#releases Launch : $ neo4j-community-3.4.5/bin/neo4j start Console : http://localhost:7474/

BlueTeam Village 18

SLIDE 20

Graph Database

Neo4j

Download : https://neo4j.com/download-center/#releases Launch : $ neo4j-community-3.4.5/bin/neo4j start Console : http://localhost:7474/

BlueTeam Village 19

SLIDE 21

Graph Database

Neo4j

Download : https://neo4j.com/download-center/#releases Launch : $ neo4j-community-3.4.5/bin/neo4j start Console : http://localhost:7474/

BlueTeam Village 20

SLIDE 22

Intro to Cypher

Learning to run

BlueTeam Village 21

SLIDE 23

Cypher Basics

MATCH Objects : (u:User) u.name Relationship : -[:RelType]-> Path Finding : shortestpath(u)-[*1..]->(g) WHERE RETURN

BlueTeam Village 22

SLIDE 24

Filtering

Explicit Where

BlueTeam Village 23

SLIDE 25

Filtering

Explicit Where

BlueTeam Village 24

SLIDE 26

Filtering

Explicit Where

BlueTeam Village 25

SLIDE 27

Filtering

Explicit Where

BlueTeam Village 26

1 ms 81 ms

SLIDE 28

Improving Queries

BlueTeam Village 27

SLIDE 29

Improving Queries

BlueTeam Village 28

SLIDE 30

Improving Queries

BlueTeam Village 29

SLIDE 31

Improving Queries

BlueTeam Village 30

SLIDE 32

Pro Tip #1

EXPLAIN

execution plan but not run the statement

PROFILE

run the statement and see which

perators are doing

most of the work

BlueTeam Village 31

SLIDE 33

Pro Tip #1

BlueTeam Village 32

SLIDE 34

Pro Tip #1

EXPLAIN MATCH

BlueTeam Village 33

SLIDE 35

Pro Tip #1

PROFILE

BlueTeam Village 34

SLIDE 36

Useful queries you can run

1.1 Are Local Admin 1.2 Shortest path to High Value 1.3 Can RDP to 1.4 Other “bad” Rights 2.1 High Value Accounts 2.2 List all 3.1 User with sessions 3.2 Computer with Admin 3.3 Computer with Sessions 3.4 User with Admin Rights

1. Domain Users

2.Kerberoasting 3.Top 10 X

https://github.com/Scoubi/Blo

dhoundAD-Queries

BlueTeam Village 35

SLIDE 37

Advanced Queries

BlueTeam Village 36

SLIDE 38

Cypher Cheat Sheet

https://neo4j.com/docs/cypher- refcard/current/

BlueTeam Village 37

SLIDE 39

Destroy Paths

BlueTeam Village 38

SLIDE 40

What Are We Trying To Do

Find Busiest Paths Test the effect of the proposed remediation Inform our Domain Admins what change to make

BlueTeam Village 39

SLIDE 41

Controlled Environment

BlueTeam Village 40

SLIDE 42

Create a Problem

Create a link

BlueTeam Village 41

SLIDE 43

Create a Problem

Create a link

BlueTeam Village 42

SLIDE 44

Test New Relation

BlueTeam Village 43

SLIDE 45

Test New Relation

BlueTeam Village 44

SLIDE 46

Two Options

1. Filter out relation

When there is only one relation of that type in the path

2. Deleting the relation

When there is more one relation of that type in the path

BlueTeam Village 45

SLIDE 47

1. Filter Out Relation

BlueTeam Village 46

SLIDE 48

2. Delete a Relation

BlueTeam Village 47

SLIDE 49

Test Remediation

BlueTeam Village 48

OR

SLIDE 50

Test Remediation

BlueTeam Village 49

OR

SLIDE 51

BlueTeam Village 50

SLIDE 52

Everything Wrong? I came here for nothing?

BlueTeam Village 51

SLIDE 53

Against Our Data

BlueTeam Village 52

SLIDE 54

Finding Our Target

BlueTeam Village 53

SLIDE 55

Test result of prosed fix

BlueTeam Village 54

SLIDE 56

Test Result of Prosed Fix

BlueTeam Village 55

SLIDE 57

Test result of prosed fix

BlueTeam Village 56

SLIDE 58

But Why is Filtering Wrong?

BlueTeam Village 57

SLIDE 59

But Why is it Wrong?

BlueTeam Village 58

SLIDE 60

What about deleting the relation?

BlueTeam Village 59

SLIDE 61

Shortest Path DU to DA

BlueTeam Village 60

SLIDE 62

Delete the Relation

BlueTeam Village 61

SLIDE 63

BlueTeam Village 62

SLIDE 64

BlueTeam Village 63

SLIDE 65

The Solution is Easy

BlueTeam Village 64

SLIDE 66

BlueTeam Village 65

SLIDE 67

BlueTeam Village 66

SLIDE 68

From This to This

BlueTeam Village 67

SLIDE 69

Same Query, 2 GUI

BlueTeam Village 68

SLIDE 70

So What Happened!?

A graph is like a map BH will show you only 1 relation It is possible to delete a specific relation “ -[r:RelationName]-> ”

BlueTeam Village 69

SLIDE 71

Back to our regularly scheduled programming

BlueTeam Village 70

SLIDE 72

Pro Tip #2

BlueTeam Village 71

SLIDE 73

Pro Tip #2

BlueTeam Village 72

SLIDE 74

Pro Tip #2

BlueTeam Village 73

SLIDE 75

Pro Tip #2

BlueTeam Village 74

SLIDE 76

Pro Tip #3

BlueTeam Village 75

SLIDE 77

Pro Tip #3

BlueTeam Village 76

SLIDE 78

Pro Tip #3

BlueTeam Village 77

SLIDE 79

Pro Tip #3

BlueTeam Village 78

SLIDE 80

Pro Tip #2

BlueTeam Village 79

SLIDE 81

Pro Tip #4

BlueTeam Village 80

SLIDE 82

Pro Tip #5

BlueTeam Village 81

SLIDE 83

Want to Learn More?

Operationalizing BloodHound's Attack Graph for Defense

https://register.gotowebinar.com/register/5012887211059506187

@SadProcessor

https://insinuator.net/2019/01/2019-year-of-the-blue-dog/ https://insinuator.net/2018/11/the-dog-whisperers-handbook/

BH Slack

bloodhoundgang.herokuapp.com #cypher_queries

BlueTeam Village 82

SLIDE 84

Reporting

Attackers Think in Graph. Management Thinks in Metrics. As long as this is true, Ops suffer.

BlueTeam Village 83

SLIDE 85

BlueTeam Village 84

SLIDE 86

Example of Report

BlueTeam Village 85

SLIDE 87

% of users with path to DA

BlueTeam Village 86

SLIDE 88

% of users with path to DA

BlueTeam Village 87

SLIDE 89

% of users with path to DA

BlueTeam Village 88

SLIDE 90

DA Sessions to NON DC

BlueTeam Village 89

SLIDE 91

DA Sessions to NON DC

BlueTeam Village 90

SLIDE 92

DA Sessions to NON DC

BlueTeam Village 91

SLIDE 93

DA Sessions to NON DC

BlueTeam Village 92

SLIDE 94

Monthly Progression

BlueTeam Village 93

1 5 25 125 625 January Febuary March

Chart Title

List Computers where DOMAIN USERS are Local Admin Shortest Path from DOMAIN USERS to High Value Targets ALL Path from DOMAIN USERS to High Value Targets Find Workstations where DOMAIN USERS can RDP To Find Servers where DOMAIN USERS can RDP To Find all other Rights DOMAIN USERS shouldn’t have Kerberoastable Accounts member of High Value Group List all Kerberoastable Accounts

SLIDE 95

Automation

BlueTeam Village 94

SLIDE 96

Automation

BlueTeam Village 95

SLIDE 97

Automation

BlueTeam Village 96

SLIDE 98

Automation

BlueTeam Village 97

SLIDE 99

Easy to Read Lists

BlueTeam Village 98

SLIDE 100

Alerting

Query Compare Last Results Alert if increase

BlueTeam Village 99

SLIDE 101

Conclusion

BlueTeam Village 100

SLIDE 102

Key Takeaways

Defenders can think in Graph too Cypher is a very flexible language Important to test real impact of remediation Not all queries are worth automating

BlueTeam Village 101

SLIDE 103

Thank You

Blue Team Village @Pyrotek, @TalBeerySec, @Grifter801 @_wald0, @CptJesus

BlueTeam Village 102

SLIDE 104

Links

https://www.slideshare.net/secret/M6 MVXIwAHvz6T https://youtu.be/UWY772iIq_Y

BlueTeam Village 103