Welcome to BSidesLV 2016, our 8th annual BSides in beautiful Las Vegas, Nevada!
Wednesday, August 3 • 14:00 - 15:00
Six Degrees of Domain Admin - Using BloodHound to Automate Active Directory Domain Privilege Escalation Analysis


Active Directory domain privilege escalation is a critical component of most penetration tests and red team assessments, but to date, established methodology dictates a manual and often tedious process of gathering credentials, analyzing new systems we now have admin rights on, pivoting, and repeating this process until reaching our objective. Then -- and only then -- we can look back and see the path we took in its entirety. But that may neither be the only, nor the shortest, path we could have taken to achieve elevated privileges.

By combining the concept of derivative admin (the chaining or linking of administrative rights), existing tools, and graph theory, we can reveal the hidden and unintended relationships in Active Directory domains. For example, Bob is an admin on Steve’s system, and Steve is an admin on Mary’s system; therefore, Bob is effectively (and perhaps unintentionally) an admin on Mary’s system. While existing tools such as Nmap, PowerView, CrackMapExec, and others can gather much of the information needed to find these paths, graph theory is the missing link that gives us the power to find hidden relationships in this offensive data.

The application of graph theory to an Active Directory domain offers several advantages to attackers and defenders. Otherwise invisible, high-level organizational relationships are exposed. Most escalation paths can be efficiently and swiftly identified. Simplified data aggregation accelerates blue and red team analysis. Graph theory has the power and the potential to dramatically change the way you think about and approach Active Directory domain security.
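The derivative admin idea from the abstract, as an added example (not code from the talk or from BloodHound): a breadth-first search over a constructed "is admin on" graph finds the shortest chain of rights and lists principals who are effectively admin on a system without a direct grant, which is the set a defender would review. The names other than Bob, Steve and Mary, and the function names, are assumptions.

```python
from collections import deque

# Constructed sample data: key "is admin on the system of" each listed value.
# Bob -> Steve -> Mary comes from the abstract; Alice, Dave and Carol are made up.
ADMIN_ON = {
    "Alice": ["Bob"],
    "Bob": ["Steve", "Dave"],
    "Steve": ["Mary"],
    "Dave": ["Mary"],
    "Mary": [],
    "Carol": [],
}

def shortest_admin_path(graph, source, target):
    """Breadth-first search: shortest chain of admin rights, or None."""
    parent = {source: None}
    queue = deque([source])
    while queue:
        node = queue.popleft()
        if node == target:
            path = []
            while node is not None:      # walk parents back to the source
                path.append(node)
                node = parent[node]
            return path[::-1]
        for nxt in graph.get(node, []):
            if nxt not in parent:        # first visit is the shortest route
                parent[nxt] = node
                queue.append(nxt)
    return None

def derivative_admins(graph, target):
    """Principals with no direct grant on target who still reach it by chaining."""
    found = {}
    for principal in graph:
        if principal == target or target in graph[principal]:
            continue                     # skip the target and direct admins
        path = shortest_admin_path(graph, principal, target)
        if path:
            found[principal] = path
    return found

if __name__ == "__main__":
    for who, path in derivative_admins(ADMIN_ON, "Mary").items():
        print(f"{who} is effectively admin on Mary's system via {' -> '.join(path)}")
```

Removing or tightening any single grant on a reported path and re-running the search shows whether an alternative chain (here, through Dave) still exists.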

Speakers

Andy Robbins

Offensive Network Services Lead, Veris Group LLC
Andy Robbins (@_wald0) is the Offensive Network Services lead for Veris Group's Adaptive Threat Division. He has performed penetration tests and red team assessments for a number of Fortune 500 commercial clients and major U.S. Government agencies. In addition, Andy researched and presented findings related to a business logic flaw with certain processes around handling ACH files affecting thousands of banking institutions around the country at...

Will Schroeder

Security Researcher, Adaptive Threat Division, Veris Group, LLC
Will Schroeder (@harmj0y) is a security researcher and pentester/red-teamer for Veris Group’s Adaptive Threat Division. He is a co-founder of the Veil-Framework, developed PowerView and PowerUp, is an active developer on the PowerSploit project, and is a co-founder and core developer of the PowerShell post-exploitation agent Empire. He has presented at a number of security conferences on topics spanning AV-evasion, post-exploitation, red...


Wednesday August 3, 2016 14:00 - 15:00
Breaking Ground Florentine A