Here Be Dragons: The Unexplored Land of Active Directory ACLs - Andy Robbins & Will Schroeder & Rohan Vazarkar Derbycon 2017 (Hacking Illustrated Series InfoSec Tutorial Videos)


During internal penetration tests and red team assessments, Active Directory remains a key arena for gaining initial access, performing lateral movement, escalating rights, and accessing/exfiltrating sensitive data. Over the years, a completely untapped landscape has existed just below the surface in the form of Active Directory object control relationships. Organizational staff come and go, applications deploy and alter Access Control Entries (ACEs), eventually creating an entire ecosystem of policy exceptions and forgotten privileges. Historically, Access Control Lists (ACLs) have been notoriously difficult and frustrating to analyze both defensively and offensively, something we hope to change. In this talk, we will clearly define the Active Directory ACL attack taxonomy, demonstrate analysis using BloodHound, and explain how to abuse misconfigured ACEs with several new PowerView cmdlets. We will cover real world examples of ACL-only attack paths we have identified on real assessments, discuss opsec considerations associated with these attacks, and provide statistics regarding the immense number of attack paths that open up once you introduce object control relations in the BloodHound attack graph (spoiler alert: it's a LOT). We hope you will leave this talk inspired and ready to add ACL-based attacks to your arsenal, and to defensively audit ACLs at scale in your AD domain.

Andrew Robbins (@_wald0) is the Adversary Resilience lead at Specter Ops. Andy is an active Red Teamer and co-author of BloodHound, a tool designed to reveal the hidden and unintended permission relationships in Active Directory domains. He has performed numerous offensive engagements against banks, credit unions, health-care providers, defense companies, and other Fortune 500 companies across the world. He has presented at BlackHat, DEF CON, BSides Las Vegas, DerbyCon, and ekoparty, and actively researches Active Directory security. He is also a veteran Black Hat trainer.

Will Schroeder (@harmj0y) is an offensive engineer and red teamer for Specter Ops. He is a co-founder of Empire/Empyre, BloodHound, and the Veil-Framework, developed PowerView and PowerUp, is an active developer on the PowerSploit project, and is a Microsoft PowerShell MVP. He has spoken at a number of security conferences including ShmooCon, DerbyCon, Troopers, DEF CON, BlueHat Israel, and more, on topics ranging from domain trust abuse to advanced offensive tradecraft with PowerShell.

Rohan Vazarkar (@CptJesus) is a senior operator and developer for Specter Ops. He has spoken at numerous security conferences including DEF CON, BlackHat, SANS Hackfest, and more. Rohan has led and supported operations against Fortune 500 companies, federal agencies, and clients in the financial, defense, and health-care sectors. He is the co-author of the BloodHound analysis platform and has contributed to other open source projects such as Empire and EyeWitness.

Andy - @_wald0, Will - @harmj0y, Rohan - @CptJesus


Copyright 2020, IronGeek
Louisville / Kentuckiana Information Security Enthusiast