>> Alright, welcome to track 1. Hopefully some of you are Windows domain admins, because this talk should be interesting to you. You should pay attention. With that, here they are. [applause]
>> Thanks, Clifton. [applause] So I made sure I got the right mic. Can the people in the back hear me OK? Awesome, thank you. So we are talking about Six Degrees of Domain Admin. If you're not familiar with this phrase, there's a very common game in the film geek world called Six Degrees of Kevin Bacon, where you can take any actor, any director, any movie and, just by making six connections, you can find a way to get to Kevin Bacon. I don't know why it's Kevin Bacon; that's what it is. So we have found a way to do that in an Active Directory environment, and domain admin is the most obvious target, so that's what we selected. Is there a little bit of feedback? Maybe I should back off a little bit. OK. About us. My name is Andy Robbins. I've been a professional penetration tester and red teamer for 4 years. I originally cut my teeth in the financial services industry. I'd really love to talk to you about ACH files, if you're interested in talking about that. All three of us work at Veris Group's Adaptive Threat Division. With that I will pass it over to Rohan.
>> Hi, I'm Rohan Vazarkar. I'm another penetration tester at Veris Group. I've been doing penetration testing for about two and a half years.
I'm working on a lot of open source projects and I was responsible for the web UI for this one.
>> Hi, my name is Will Schroeder, my handle is harmj0y. I'm a researcher at the Adaptive Threat Division and I've built a good number of our offensive toolset that we've used over the last couple of years. Most notably PowerShell Empire and also PowerView, which acts as the data collection component for BloodHound.
>> Any PowerView users in the room? Lots of you. Awesome. Yeah, give Will a hand. Give Will a hand for PowerView. [applause]
>> And also this is their first time at DEF CON, so give them a hand too real quick. It's their first time speaking. [applause]
>> Alright, let's talk a little bit about the current state of Active Directory domain privilege escalation. First of all I want to talk about this quote a little bit. This was stated by John Lambert, he's a general manager of Microsoft's Threat Intelligence Center. John said, "Defenders think in lists. Attackers think in graphs. As long as this is true, attackers will win." There's a great blog post where John goes into some depth about what this concept means effectively. What I hope that we can show is that not only are we going to start thinking in graphs, we're going to start using them practically, to automate a lot of our work. So first of all, with Active Directory domain privilege escalation. Active Directory is effectively ubiquitous.
In Sean Metcalf's talk, he stated that, of the Fortune 500 in the United States, more than 90 or more than 95% of organizations use Active Directory. To the people in this room, that's probably a given. But what does that ubiquity actually mean in the real world? That ubiquity means that Active Directory is a subject of attention, not only from defenders but also from attackers. So that means that there is a lot of time, energy, money, blood, sweat, tears going into learning how to best defend Active Directory environments and also how to attack them. As penetration testers and red teamers, we have the benefit of every so often getting these nice Easy buttons that make us look like elite hackers, because we use the right module to basically do a point-click-escalate rights. MS08-067, MS14-068, KiTrap0D, GPP. The list goes on. What's the problem with these Easy buttons? The problem is that they are ephemeral. They have a tendency to go away. Especially over the past 4 or 5 years, enterprises, at least in the United States, have started paying attention to a lot of the things that people in this room have been saying for a long time. Do patch management. Run vulnerability scanners. Audit the results of those vulnerability scanners. So those vulnerability management practices are getting more mature. That means that when you land in an environment and they have that kind of maturity, those Easy buttons may not necessarily be available to you.
So let's look at this in a visual way. We have an example of a very simple Active Directory environment where we have 16 computers. Now let's say this red computer is our initial access. Maybe it's Cobalt Strike Beacon, maybe it's Meterpreter, maybe we're a malicious insider and we just have access to Active Directory. Bottom line, we have authenticated access to AD. Now thanks to Will's work with PowerView, it's very easy to identify systems that a domain admin has logged onto. In fact, you can typically find out where everybody in the environment has logged on, which will be very important later. So let's say we identify this is the box where the domain admin has logged on. Now, this client organization that you're in, they don't have the best patch management. They don't have the best vulnerability management. So you escalate rights on this one initial machine, you dump the NTLM hash for the RID 500 system. They've applied KB2871997, but they haven't disabled the local admin account. What does that mean for you? That means that all these computers all of a sudden light up and now you have notional administrator access to them, including the box that the domain admin has logged onto. So you use your favorite pivot method, maybe PsExec or WMI. You pivot over to the box the domain admin has logged onto, you run Mimikatz, you get the password, you now have access to the entire environment. Awesome. Who's executed an attack path exactly like that?
Like a billion times? Most everybody. Let's take a look at a slightly different example. So in this environment the client actually does have proper patch management and vulnerability management programs. So you're not going to be able to find MS08-067. You're not going to find MS14-068. You're not going to find GPP creds. However, in our experience, 99 times out of 100, we are able to gain some kind of initial privileged access into an environment. Most typically this actually happens with clear text credentials that are in a file share that anybody who's authenticated to AD can view and read. Logon scripts are probably the most obvious examples. So let's say that we find one of those credentials and, OK, so first of all, we found the DA, he was logged on, he's in the sandbox. We use those credentials and we identify systems that we now have notional or provisional administrator access to. We find these three boxes and we find out who the three people are who are logged onto those systems. Unfortunately for us, none of those people are a domain admin. Additionally, none of those users have administrator rights to the box that the domain admin is logged onto. So we have this missing link that we have to identify. Typically what we do is we could go into this credential dance, or what Microsoft referred to in 2009 as an identity snowball attack. So what does that mean? That means that we choose one of these systems to pivot to.
You can use manual analysis and try to figure out what system that is, but eventually you're just going to have to guess. So let's say that we pivot to the machine up here in the top left. We get this guy's credential. We do the same thing. We figure out which systems this guy has admin rights to. OK, now we have some new boxes. However, again, not a DA. And again none of those users have admin rights on the system the DA's logged onto. So again, we have to guess. So let's take our best guess and we say that maybe this guy is part of a helpdesk group. That sounds like a pretty good group that probably has some high privilege. So we pivot to this box, run Mimikatz, get his credential and then we find out this guy doesn't have any more rights in the environment than what we already have. Hate that. So we have to go back. We have to go back to the system at the top left. We have to make another guess. Let's say we go to this system, we run Mimikatz again, we get this guy's cred and then, lo and behold, who should appear but the domain admin, on the system that we have this notional administrator privilege to. Now that we've gone two hops away from where we originally started, we pivot to the DA, we run Mimikatz, now we have admin rights in the entire environment. Who's run an attack path like this? Or who's run a report where credential abuse is using that kind of attack path? A lot of you. Cool. We refer to this attack, or this methodology, as derivative local administrator.
Justin Warner, who on Twitter you can find @6dub, defines this as the chaining or linking of administrator rights through compromising other privileged accounts. At MSRC in 2009, Alice Zheng and John Dunagan put out a great white paper about a method, or a capability that they had, called Heat Ray. That goes into very extreme detail about how they understood this process as well. Highly recommend that you go read that white paper. So let's look at this a little bit simpler. Let's say we have this user Bob. Bob has admin rights to PC 1. On PC 1 is this user named Mary who has logged on. Mary has administrator rights to PC 2. Bob derives administrator privileges to PC 2 via stealing Mary's credential. Make sense? Cool. How else can this happen? This can also happen with Active Directory group delegation. When you add a user to a group, that user gets all the privileges of that group. When you add a group to a group, that nested group gets all the privileges of that group. Let's say Bob was a member of this group called Help Desk. Help Desk is a member of a group called Server Admins. Server Admins have admin rights to PC 2. See a lot of nodding heads, like this is pretty good. This is pretty basic stuff. This is what the entire methodology, the entire core of BloodHound, is based on: this concept of derivative local admin. So derivative local admin... sorry about that. Derivative local admin is an extremely effective attack.
But it has some very serious setbacks and challenges that we need to be aware of. First of all, it's extremely time consuming and it's extremely tedious work. If you've gone through the process of manually going through this method, you understand this very well. You have a complexity overhead essentially, where at each step you go, the analysis steps you have to do grow exponentially. It's not comprehensive. So imagine the difference between taking a report to your client, or the client getting a report from a pen test firm. Imagine the difference between reading "this is one attack path that we identified in your environment" versus "here are all of the attack paths in your environment." OK? Next you have limited situational awareness. You may not even understand, you may not have the ability to understand, what kind of privilege you currently have in whatever user context you're running in. Finally, the last thing I will say is, did you even need DA? If your target is like an HR system, it's gonna be simple to escalate to DA and then go back down to the system that you actually need. But you may not even have had to go through this rigmarole of escalating to DA in the first place. Alright, we're going to talk about graph theory and I'm going to take a drink of water real quick. Graph theory has been the missing link in this process that has been keeping us from automating the entire process.
I highly recommend you look at the history of graph theory, with Leonhard Euler using it to prove that there was no solution to the Seven Bridges of Königsberg problem. Super interesting stuff. We're also going to look at the design of our attack graph. So the basic elements of a graph. First of all, a graph is not necessarily just a visual thing. A graph is a construct of a discrete branch of mathematics called graph theory. So in a graph, you have vertices or nodes. Vertices are used to represent a basic individual element of the system that you're representing. If this is Google Maps, then a vertex may represent a city or an intersection. Edges are used to represent relationships between these vertices. If Seattle, Washington is a vertex and Portland, Oregon is a vertex, then Interstate 5 could be thought of as an edge that connects those two cities. Finally, paths, the most crucial part of graphs. Paths are used to connect otherwise disparate nodes, regardless of how far away they are from each other. This is where the key difference between a graph and a relational database comes into play, which we'll talk about later. Here's a visual way to look at the same thing. So here's a very simple graph. We have two vertices and we have an edge. This is a directed edge, or it's one way. You can think of it as a one-way street. You can go from vertex 1 to vertex 2, but you can't go the other way. Paths. Can you see a path from vertex 1 to vertex 4? Yeah.
Is there a path from vertex 3 to vertex 4? No. Because you'd have to go the wrong way across a directed edge. So after a lot of false starts, we finally landed on an attack graph design that works. And here's how it looks. The vertices are used to represent users, groups, computers and domains in Active Directory. The edges identify the relationships between those. So this means admin rights, group membership, user sessions and domain trusts. Finally, paths always lead toward escalating rights. Period. Always. This makes writing our path finding queries very, very simple. Again let's look at this visually. Like I said, users: we have two users in this graph, Bob and Mary. Groups: we have two groups in this graph, IT Admins and Domain Admins. Computers: we have one computer, Server 1. First let's identify group memberships. We find out that Bob is a member of this group called IT Admins. We find out that Mary is a member of this group called Domain Admins. Next, we figure out privilege. Who has admin rights where? This group called IT Admins has administrator rights on this computer called Server 1. Finally, let's find out where people are logged on. We find out that Mary is logged onto computer 1, or put another way, computer 1 has a session for this user. Is there a path from Bob to Domain Admins? Yeah. Bob is a member of IT Admins, IT Admins has rights to computer Server 1. Server 1 has Mary logged on. She's a domain admin. We've got our path. This is the core fundamental concept for BloodHound.
Let's put this very simply. In order to use a graph, you need to populate it with data. What data do we need? Who's logged on where? Who has admin rights where? What users and groups are part of what groups? That's it. That's all we need. Will is going to take over now and he's going to talk about how we actually do this data collection.
>> Cool. Alright, so I'm going to go over some stealthy data collection with PowerView. I'll let you guys read this quote. This was extremely kind of weird for me; we obviously do not advocate the malicious usage of our tool sets, but, you know, what can you do. So we have our little puppet, Phineas Fisher, up there. So PowerView. We saw some PowerView users in the audience. PowerView is a PowerShell 2.0 compatible domain and network situational awareness tool. I started writing this a couple of years ago to automate a lot of the offensive and some defensive tradecraft that we execute on engagements. It's completely self-contained. It's a single PS1 PowerShell script, it can be loaded into memory, there are no external dependencies. Nothing has to be added to the machine. PowerView collects the data that BloodHound is built on. What's really cool is that in most cases, you do not need any kind of elevated domain access to gather this information. And I'll go over the different components here in a second. So just as a domain authenticated user. You do need a session like that.
But no privileges at all, just in Domain Users, the parent group, you can collect a huge amount of information through Active Directory through a couple of different ways. So Andy mentioned the three components of information we needed. The first is, who's logged on where? We refer to this as user hunting. So the main function in PowerView that does this is Invoke-UserHunter. It was one of the first ones written. It's an extremely common one that people tend to run. It utilizes a couple of Win32 API calls under the hood, the most useful being NetSessionEnum, where you can point these functions at remote systems and figure out who has sessions established with that remote box, again not having to have administrative rights on the remote system. So you can run this against a domain controller or file server and get a really nice mapping about who's logged in where. There's also a stealth option. By default, Invoke-UserHunter will enumerate all machines in the domain and run these enumeration actions against every single machine. This can be extremely noisy in some contexts, if anyone's doing internal network based monitoring, but it gives us a more complete data set. With Stealth, we use a couple of tricks where we enumerate all user objects and we try to pull out properties that may indicate highly trafficked file servers, something like profile path, and collect all those things in and run a NetSessionEnum against each system. So it's much faster, but we don't get quite as accurate data.
Next, who can admin what? This is the craziest thing to me. I love this. So as an unprivileged user, we can enumerate the members of a local group on a remote machine without needing administrator privileges on that remote machine. There were a couple of tools out there that did this; I weaponized it up in PowerView and we use this function specifically on almost every single engagement. There are two ways you can do this. You can use the WinNT service provider, which is a remnant of NT domain deployment. You can also use this particular NetLocalGroupGetMembers call; just point it to a remote server and it happily gives you back who the members of local Administrators are: their domain SID, whether they're a group or a user. The function in PowerView that does this is Get-NetLocalGroup. You just pass an IP, a NetBIOS name or a computer name. If you would like to use the API call, you can use the -API flag; by default it does the WinNT provider. We also have a different, new method to do this, to gather the same information. So I worked last year with Sean Metcalf about how to structure this approach. Group policy objects are just collections of settings that are applied to computers. Some of these settings are who are in the local Administrators group for a particular machine. This is either through Restricted Groups or Group Policy Preferences. GPOs are linked to OUs and sites.
So if we enumerate all the GPOs and we enumerate all the other domain containers and do a little bit of correlation magic in the back end, we can get a mapping of who can administer what machines through GPO object modification. Now this is not gonna be as accurate, because you're not touching every machine, so if somebody specifically adds a local user to a machine it won't show up in this method. But what's really cool in this approach is that you're only communicating with the domain controller through LDAP. You're not sending a single packet to any other machine. The PowerView function to do this is Find-GPOLocation; by default it will just give you a nice raw mapping of everyone who can administer what machines through group policy correlation. The last part: who's in what groups. This is the easiest. We just enumerate all the groups through LDAP and pull out all the members of each. In PowerView it's just Get-NetGroup piped to Get-NetGroupMember. This is the PowerShell pipeline. What's really neat about this is it will pass fully serialized objects between all the different functions you're running. So it's super easy; we do some variation of this in almost every engagement as well. And that's it! So let's bring it all together. There's a customized version of PowerView that is integrated with BloodHound. It has all the stock PowerView cmdlets along with a couple of extra features.
Get-BloodHoundData will automate the gathering of PowerView data on a domain. By default it will only gather the data on the current domain, but it will get the trusts, group memberships and all the things that we talked about. There are a lot of different targeting options. If you want to use Stealth, there's -Stealth and things like that. You then take that function and you pipe it to one of two export functions. Export-BloodHoundData will export all those custom objects, package them up with Cypher queries for Neo4j, which is what it uses on the backend, and then shuttle everything off to the Neo4j batch RESTful API ingestion interface. So if the collection machine can reach the analysis machine, whether on the same domain or through something like a reverse port forward, which we have done in the field and it does work, then you can just shoot the stuff straight into Neo4j and then BloodHound without touching disk. If you can't reach the analysis server for some reason, you can pipe that Get-BloodHoundData to Export-BloodHoundCSV, which will take all the same custom objects and export them into 3 or 4 different custom CSV files. We have a particular format which we've documented. The CSV files can then be ingested offline into the BloodHound analysis interface. OK, now Rohan's gonna go through a live demo for BloodHound.
>> Alright, so... uh-oh. I'm not trying to hide it from you, I promise. Gonna mirror the screen. Alright, perfect.
So when you first fire up the BloodHound UI, you're presented with one of our favorite views, which is what are the domain admins inside the environment you're in and who are the members of these groups. Generally speaking, when we're in an assessment we tend to target domain admins a lot, as we talked about earlier. They pretty much have keys to the kingdom and usually whatever target we're going after, one of them's going to be able to get to it. Any node that is in the environment can be autocompleted using the search bar up here. So it'll help you find stuff you need. We're going to actually start with a user. Any user you click on is going to present you with a bunch of information about that user here. So the first thing we can see is first degree membership. These are all the groups that a user is part of by default. The next thing you can see is unrolled group membership. Now a lot of times this is actually kind of a pain to enumerate properly, especially when groups get really, really nested like the one you see here. The next thing we can look at is group delegated admin rights. If this user was added to the local admins of any machine explicitly, that would be here. But because we're not, we're just gonna look here. This is every single system that this user has access to based on their group membership. Now to keep the graph a little bit more readable, we do a lot of collapsing of nodes, so you can see there's an 87 next to the Domain Admins node here. Slow down, alright.
There are 87 other computers. [laughter] I can't slow down, sorry. There are 87 computers that are folded into the Domain Admins group. Now if we displayed all these, the graph, as it gets bigger and bigger, takes longer and longer to lay out. So this is more a performance thing. Any node that is collapsed in you can actually expand by right clicking on it and hitting expand, which I'm not going to do, 'cause it will totally break the graph. So one more thing you can look at is derivative local admin rights, which is what we were talking about earlier. Now this graph here is showing, from our user, any path that this user can take to get to any other computer in the environment, whether it's through group membership, through local admin rights or sessions of users that are logged into computers which you have admin rights to. Now navigating this graph can be a little difficult and there are a lot of nodes here, so we introduced a feature called Spotlight. Using Spotlight, you can search the graph you're currently on for any nodes. So we're going to look for this research group here. Whenever you click on the Spotlight it'll zoom in on the node so you know where it is on the graph, and it'll pull up all the information on the left so you can start interacting with it. Move it around, here you go. So there you go. It's the node. Ooooo. You can ask BloodHound to give you who the direct members of any group are; you can see there are 4 more that are folded here.
You can expand this and you'll see that these are users. Next thing you can ask BloodHound to give you is the unrolled group members of the group. As groups start getting nested, it becomes more and more difficult to find, uh, who the real members are. So BloodHound makes it really easy to do that. You can also ask BloodHound what direct administration rights a group has. So we expand this, you can see there's 28 different computers that this group has direct admin to. Just like with a user, you can calculate derivative local admin rights. Uh, it'll use wherever you start and it will try any path it can find to any other node in the domain. Another really handy feature we have is sessions. Uh, using this, you can ask BloodHound to tell you where every single user that is a part of either the group or subgroups is logged in. A lot of times when you're on an assessment, you know that there's a specific group that users belong to and that group is where you're targeting your crown jewels. Let's say it's an HR group and you're trying to access their information. With BloodHound you can ask, where are all the HR members logged in? And it'll give you every single computer that it has a session for. Now on this group we're going to find ourselves a computer, uh, SQL2. We'll pretend like this is something cool here. You can ask BloodHound who the explicit admins for a computer are. These are first degree admins, so if you run net localgroup Administrators on a system, this is the output you'd get.
You can also unroll the admins on a computer. In this particular case, there are 6 groups that have local admin on the system; however, once you unroll it, it becomes 51 users with administrative rights. As Active Directory domains expand and they keep getting more and more things inside of them, groups can get nested, uh, you can easily lose track of who's admin on a system, because of nested groups just continuing to obscure what you're looking for.

>> One thing I would add to that is this example is showing an order of magnitude difference between who is explicitly defined as an admin on this system versus who gains admin rights through these nested groups. And that kind of difference in an order of magnitude, we see as very, very common on almost every assessment that we go into.

>> You can ask BloodHound to give you the sessions for a computer; you can ask who's logged onto there. It's extra information that's always handy. And just like with a group or a user, you can ask BloodHound to calculate the derivative local admin rights, provided you started from that computer. Now getting into one of the most powerful features of BloodHound, we're gonna talk about path finding. BloodHound provides you the ability to find the path between any one node and any other node, provided that path exists in your database. So just to give you guys an example to start, we're gonna pick a user, uh, J. Druin, and we're gonna ask BloodHound to take us to the domain admin group.
Now, watch, go, walking through this path, J. Druin is a member of a group, Information Technology. Information Technology has local admin rights to all these systems here. Each one of those systems has a user session for a domain admin, so if you jumped to these systems and ran Mimikatz, you would have the password for a domain admin. Now that's a cool example, but let's amp it up a little bit. We're gonna take this user J. Nickel at external.local and we're actually going to ask BloodHound to take us to domain admins at internal.local. Now, internal.local and external.local are two different domains in the same forest. So if you follow this path, our user is a member of a group, which is a member of another group. Which gets us admin rights to several systems. We can steal a session from one of those systems and get a different group membership. That takes us to another system with a user in external.local; however, the next hop is in the internal.local domain. Despite the fact that we're jumping a trust boundary between two domains, BloodHound is just using the data available to it and it has no problem enumerating these paths. No matter how complicated the path is, if the path exists BloodHound will be able to enumerate that path properly.

>> So one thing that I would add to that, a common question that we've been getting over the past week, when we're probably demoing BloodHound for the first time, is with, uh, regard to scalability.
So we went into an environment that had 200,000 computers, Windows workstations and servers. They had about 90,000 users, they had about 75,000 groups. Tracking all that information manually is just not possible. So they also had more than 75 domains, I would say, in a forest of varying degrees of trust. With the Stealth option that Will talked about with ingestion, it took about 20 to 30 minutes to collect all of the information we needed from this global enterprise to identify attack paths. Doing the query with Neo4j in a graph database is just as fast as what you're seeing here. In that environment I'm talking about with 200,000 computers, more than 75 domains, BloodHound found us an attack path to go from this one tiny little domain that was relatively insecure to this very high security domain where our actual objective was, across 6 domain trust boundaries, taking advantage of users that had relatively low privilege, like 4 machines that they were admins on. But it just so happened that one of those machines had a user that gave us more privilege in the environment until we got to what we needed. Uh, the [applause] Thanks. [applause]

>> Thank you. Uh, one additional thing that I would say is I mentioned the Stealth option took about 30 minutes; if you're going to do non-Stealth and you're actually touching each system one time, that ingestion takes between 24 and 36 hours. For that level of environment - 200,000 systems.
>> Alright, so just demonstrating some more stuff that we've built in to make this even easier to use for everybody, we have several pre-built queries that you can access through the UI. Uh, there are some really good ones here. Like finding the user with the most sessions. Let's go ahead and identify which user is logging in way, way, way too much. In this particular case, it's Antivirus. Which is sort of OK, but if I get that account, I'm going to be pretty happy. You can also find the computer with the most sessions. This is demonstrating things that tend to be used a lot, such as IT jump boxes or terminal servers. These are high value targets that if you compromise them, you're very likely gonna get a large set of credentials. You can also hit control here to show all the node labels. Or you can hide them all. Or you can just show the default. Uh, these are just display options to help you whenever you're showing these to other people. Another thing that was added very recently, and when I say recently, I mean last night, was the ability to query any user in a domain of your choice and find what foreign group relationships they have in other domains. Historically this has been a very tedious and time consuming task. So in this particular case, querying the internal.local domain, we're given three users that are members of groups in the external.local domain. Another query we can do, and this is one of our favorites, is find shortest paths to domain admins.
When you click on this, you get a selection: which domain admin group do you want to use? So let's say we wanted to use internal.local. What you're seeing here on this graph is every single possible path that BloodHound can find to go from any node in that domain up to the domain admins group. Now when we were talking earlier about showing all the paths to your client, this is what we're talking about here. It's really great, because you can look at high value targets that if you remediated would actually cut off a lot of points, for example, this node here you can see has several connections out to it. If you were to go and lock down that computer, you significantly reduce the attack surface of that domain. Now, any graph that you generate in BloodHound can be exported either to JSON or an image. Uh, you can export it to JSON and load that into other graph tools or you can re-import it back into BloodHound if you have some particular graphs you like saved. You can export it into an image and throw that directly in your out brief. It's great value to show your clients. It looks really, really cool and everybody likes pretty pictures, so. As Will was talking about earlier, you can export all the BloodHound data, instead of directly through the database, through the CSV ingestion here. When you click this, you can just pop, give it a file, and, uh, it'll ingest everything the same way as if it was from the PowerShell script itself.
This is great for a lot of situations where, for whatever reason, the host that you're running your ingestion from can't talk back to your database. Let's say there's really good firewall rules. Uh, you can just download the CSVs directly from the host and throw them into the web interface and you're good to go, just like before. I think that's the whole demo. [applause]

>> Thank you. So we have 10 minutes left, uh, one thing that I would like to briefly touch on that we skipped is kind of the architecture of BloodHound, because there are some very important other open source projects that BloodHound relies on. First of all, Linkurious.js is the open source and free version of Linkurious. If you are developing a web front end like this, an interface of B over J, Linkurious is where you want to go. It's built on top of Sigma, so you have all these things kind of abstracted away from you that are otherwise kind of difficult if you're not a JavaScript expert. Secondly, it's compiled with Electron, so it is cross platform. Uh, and then most importantly we rely on Neo4j as our graph database. Uh, and then obviously it's fed by the PowerShell ingestor. So, um, this is the part that Rohan's been waiting for.

>> Alright, let's do this. So we have here the, uh, BloodHound repository, which to this moment has been private and, uh, we're just gonna go ahead and YOLO this right now. [applause] Uh, oh, this is bad. I'm gonna have to login to GitHub. I just ruined everything.
Andy, why didn't you make me check this. It's ok. This is why I use two factor, right?

>> Yeah, so while Rohan is doing this, the license that we are releasing this under is GPLv3.

>> No, I'm good. I'm not afraid of these people.

>> Uh, once we get done with this [laughter] Ok, here we go.

>> Alright and there we go. [applause] It's public, I promise.

>> So we have a nice easy link. Get your phone out, take a picture: bit.ly/getbloodhound. Uh, you can find me on Twitter, again my name is Andy Robbins. My handle on Twitter is @_wald0, with a zero. Rohan, oh go back, sorry, sorry.

>> There you go.

>> Alright, 10, 9, 8, 7, 6, 5, 4, 3, 2, 1. Get it from your neighbor. Socialize, professional network. Meet somebody, please. My name is Andy Robbins, you can find me at @_wald0, with a zero. Rohan Vazarkar, you can find him on Twitter at @CptJesus. Will Schroeder, you're already following him on Twitter at @harmj0y, with a zero. Thank you very much. [applause]

>> By the way, we decided to be really nice to you and we have pre-compiled binaries for every OS and architecture, so. [applause]

>> So I think we have 5 minutes for questions and this gentleman is first. Can you speak into the mic, I don't know if it's on. There you go, we're good.

>> The big one is you have Get-Session. So it's.

>> Get like, get right in there, yeah.

>> Big one is you have Get-Session, so live data, they have to be logged in to see the path.
>> Ok, ok, so his question was with user session information. You got a second question as well.

>> Tied into that, so you have current sessions to do your jump. You have your current session to do your jump. Logged in users. What about pass the hash of a local admin hash to jump, does BloodHound take that, or local hash match to domain? Where you can take matching hash and jump.

>> Ok, so his question is with user session information. When we're collecting user session data, the user needs to have a valid session that is, uh, currently like, uh, with, uh, a domain controller or a file share. Um, so you may find yourself re-collecting user session information, uh, frequently, because of the nature of how that works. Your second question was with local accounts, with RID 500, with pass the hash; right now, we are only tracking domain accounts. We are not tracking local accounts at all, uh, but we'll put that in, in the future.

>> Does it jump from local up to domain with matching hash?

>> Oh, ok, so also the question of like reused passwords from like a local admin that has the same password or NTLM hash as a DA. We're also not tracking that as well. Uh, you should check out a project called autoDANE from SensePost. Uh, that may have what you're looking for. Yeah, thank you. Thank you for the question.

>> Hi, do you account for stuff like, uh, LAPS being rolled out into the environment.
>> So, the question was do we account for LAPS being passed out, being distributed through the environment? Uh, that we also do not account for, so any kind of credential, uh, sharing, like in systems or, uh, as a matter of fact, a better answer to your question is this was born out of a necessity to bypass LAPS protections. Because we couldn't pass the hash of a local admin account, we had to rely on domain user level accounts.

>> And I'll also say that we have a couple of things going forward we want to integrate. One of those will be Active Directory ACL enumeration and auditing. So, it will automatically, in a few months when we finish extending the schema, we will ingest all Active Directory ACLs into the graph and everything will be integrated. So you might be able to tell who has read access to the password attribute for LAPS and then integrate that into the attack graph.

>> Awesome, thank you.

>> Thanks for the question. Hey.

>> Thanks guys, um, how are you handling how this stuff changes over time. Right, so the date.

>> Ok, so the question is how do we handle this data as it changes over time. Excellent question. So we treat, uh, local admin privileges and group memberships as relatively static information; it doesn't change that much day to day. User session information we treat as relatively dynamic. So in our Wiki, we provide guidance on how you can re-ingest just session information. Additionally, we're planning on adding temporal information to the user session edges.
So what that means is if you're an incident handler and you want to go back and you say, we had an initial breach on March 16th, I can tell BloodHound, go back to March 16th, tell me, from this computer, to every other system in the environment, based on the currently logged on users that I could get info for. Show me what, from patient zero, what was possible, so that I can clearly define my investigative scope. That brings me to another point, which is that, um, from the offensive side this is really cool and we like it a lot. What's really cool is the defensive applications. And so over the next six months to the next year, uh, we're gonna be focusing primarily, almost exclusively, on defensive applications like that. Thanks.

>> So more and more often, the, uh, people that I'm popping end up using Macs, so while obviously their computers aren't joined to the domain, many times they have valid LDAP credentials. Is there a way I can use those valid LDAP credentials with BloodHound somehow?

>> Uh, yes. Um, so in our Wiki, we have a section about data ingestion with other tools. So, right now we're talking with, uh, byt3bl33d3r, the author of CrackMapExec, uh, to get support for other tools like that. So if you're in OS X, if you're in Linux, you want to collect information, you don't want to be running in PowerShell or running on Windows, uh, we're planning on getting that in there as well. We have developer notes about the CSV format and how to actually get info into the Neo4j graph database.
And we're gonna have to leave in just a second. Thanks for the question. How much time do we have? [applause]

>> One more, one more question.

>> Great, what are the top three things you can use for defense to help, that you would tell everybody to do.

>> So your question was, what are the top three things BloodHound can do for defense? So I would say that, uh, number one would be mitigating the attack paths that rely on derivative local admin. So in the Microsoft white paper, the product that they're describing, that the MSRC developed, is called Heat Ray. They use graph theory and they also use machine learning to give an IT admin a list of like, here are the ten changes that you can make in the environment that will most efficiently eliminate the largest number of attack paths based on credential abuse. Uh, secondly, I would say one of the major benefits is a more clear and easy understanding of the nested group memberships and how those relate to local administrator privileges. Uh, and then number three, let's talk offline. We have to go, thank you again. [applause]