惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

W
WeLiveSecurity
博客园 - 【当耐特】
Microsoft Azure Blog
Microsoft Azure Blog
WordPress大学
WordPress大学
Stack Overflow Blog
Stack Overflow Blog
cs.AI updates on arXiv.org
cs.AI updates on arXiv.org
IT之家
IT之家
Cloudbric
Cloudbric
The Register - Security
The Register - Security
小众软件
小众软件
PCI Perspectives
PCI Perspectives
G
Google Developers Blog
AI
AI
OSCHINA 社区最新新闻
OSCHINA 社区最新新闻
Google DeepMind News
Google DeepMind News
Google DeepMind News
Google DeepMind News
宝玉的分享
宝玉的分享
Recent Commits to openclaw:main
Recent Commits to openclaw:main
量子位
TaoSecurity Blog
TaoSecurity Blog
cs.CV updates on arXiv.org
cs.CV updates on arXiv.org
F
Full Disclosure
N
Netflix TechBlog - Medium
博客园_首页
Last Week in AI
Last Week in AI
A
Arctic Wolf
B
Blog RSS Feed
J
Java Code Geeks
C
Cybersecurity and Infrastructure Security Agency CISA
I
InfoQ
aimingoo的专栏
aimingoo的专栏
云风的 BLOG
云风的 BLOG
NISL@THU
NISL@THU
MyScale Blog
MyScale Blog
H
Hackread – Cybersecurity News, Data Breaches, AI and More
Jina AI
Jina AI
有赞技术团队
有赞技术团队
S
Schneier on Security
L
Lohrmann on Cybersecurity
P
Privacy & Cybersecurity Law Blog
T
Threat Research - Cisco Blogs
P
Palo Alto Networks Blog
S
Security @ Cisco Blogs
Security Archives - TechRepublic
Security Archives - TechRepublic
Security Latest
Security Latest
Vercel News
Vercel News
博客园 - 司徒正美
Webroot Blog
Webroot Blog
Hacker News: Ask HN
Hacker News: Ask HN
A
About on SuperTechFans

Company Updates Archives - SpecterOps

SpecterOps and OpenAI: Helping to Build a New Security Frontier with Daybreak SpecterOps Selected for OpenAI’s Trusted Access for Cyber Program Introducing BloodHound Scentry: Accelerate Your Identity Attack Path Management Practice with Expert Guidance Fueling the Fight Against Identity Attacks Life at SpecterOps Part II: From Dream to Reality Life at SpecterOps: The Red Team Dream Final Steps to BloodHound Enterprise for Government— FedRAMP High Compliance BloodHound Community Edition: A New Era Introducing BloodHound 4.3 — Get Global Admin More Often Introducing BloodHound 4.2 — The Azure Refactor War In Ukraine Announcing Azure in BloodHound Enterprise AWS ReadOnlyAccess: Not Even Once The Attack Path Management Manifesto “Voting is not only our right — it is our power.” — Loung Ung SpecterOps Badge Life A Push Toward Transparency Announcing Our Formal Partnership with Palantir Introducing the Adversary Resilience Methodology — Part Two Introducing the Adversary Resilience Methodology — Part One Raphael’s Thoughts: SpecterOps acquires MINIS
Introducing BloodHound 4.0: The Azure Update
Andy Robbins · 2020-11-20 · via Company Updates Archives - SpecterOps

Intro and Background

We released BloodHound in 2016. Since then, BloodHound has been used by attackers and defenders alike to identify and analyze attack paths in on-prem Active Directory environments. Now, I am very proud to announce the release of BloodHound 4.0: The Azure Update.

This release is authored by myself (Andy Robbins), Rohan Vazarkar, and Ryan Hausknecht, with special thanks to Will Schroeder and Lee Christensen.

This release wouldn’t be possible without prior work from several individuals and teams, in particular when it comes to understanding the architecture of Azure and the relevant configuration-based attack primitives available in that system. At the forefront of research into Azure attacks is Karl Fosaaen and his team at NetSPI. In addition, there are several individuals and pieces of prior work to acknowledge:

Leron Gray’s Stormspotter

Sean Metcalf’s Azure research and writings

Jake Karnes and Ryan Gandrud’s writings on the NetSPI blog

Dirk-Jan Mollema’s ROADtools and writings

Tal Maor’s AzureADLateralMovement

When doing our own research, we especially learned a lot from work shared by the following folks:

Michael Niehaus

Oliver Kieselbach

Jos Lieben

Elli Shlomo

New: Azure Attack Paths

We are introducing 10 new node types with this release: tenants, Azure users, Azure security groups, Apps, Service Principals, Subscriptions, Resource Groups, Virtual Machines, Devices and Key Vaults:

We’re also introducing 14 new edges that cover attack primitives against the new node types.

These new nodes and edges mean finding attack paths that include Azure abuses. You may find an attack path that starts at a low-privilege Azure user and ends with having Global Admin rights against the tenant, or an attack path that ends at a VM hosted in Azure that you’re trying to get access to. Many of the real attack paths we’ve observed in real tenants abuse apps and service principals. In this example, we escalate to Global Admin from a low-privilege user by way of owning an app which runs as a privileged service principal:

One feature of Azure makes this release even more exciting: Azure AD Connect. Azure AD Connect allows organizations to synchronize principals from on-prem domains up into an Azure tenant. It also allows on-prem users to be added to cloud groups, to have Azure admin roles, to own Azure apps and service principals, and to have control of AzureRM objects like Virtual Machines and Key Vaults.

Additionally, Hybrid AD Join enables tenant-to-on-prem attack paths. These configuration possibilities mean that you can also find attack paths that start in on-prem AD, go up into Azure, and then go back down into on-prem AD to get access to your objective — sometimes where an attack path within on-prem AD didn’t exist! To that end, this release supports ingestion from SharpHound and the new data-collector, AzureHound, into the same database.

For the complete list of new edges and attack primitives, see the updated BloodHound docs.

Refreshed GUI

The BloodHound GUI has been completely refreshed while maintaining the familiar functionality and basic design. Credit for the updated design goes to Liz Duong.

Above: The updated BloodHound GUI in dark mode, showing shortest attack paths to control of an Azure tenant.

We’ve made a few functional updates to the GUI as well, beyond upload and analysis of Azure data. The upload progress modal has been updated to list out all uploaded items in a similar way to what you see in Google Chrome:

Above: The updated Upload Progress modal in light mode

New Data Collector: AzureHound

AzureHound is the new data collector for BloodHound, and it specifically collects data from an Azure tenant and subscriptions that trust that tenant. AzureHound and SharpHound collect data from different sources, but their output is totally compatible with each other: you can import AzureHound data and SharpHound data into the same database.

By default, any user that can authenticate to an Azure tenant can collect information about admin roles, users, groups, apps, automation accounts, devices, and service principals. But by default, users do not have the ability to read information about subscriptions or anything within them:

Using AzureHound is very simple. First, open a new PowerShell prompt as admin, install Microsoft’s Azure modules, and authenticate to your target tenant:

Then dot-source AzureHound and use its Invoke-AzureHound cmdlet to start the data collection:

AzureHound will collect data from the tenant and all subscriptions your user can read, then output a zip with all the data. You can then simply drag-and-drop this zip into the BloodHound GUI to upload and ingest the data into the database.

How long the data collection process takes depends on how large the tenant is. We’ve tested AzureHound out in tenants varying in size from about 9,000 users, to 105,000 users, to over 240,000 users. This chart shows how long AzureHound took to run in each tenant:

Auditing Azure with BloodHound

There are many, many roles in Azure. You can grant a principal the ability to read logs, read billing data, add users to groups, etc. — but only particular roles actually grant abusable privileges. That last one, for example, is abusable: if someone adds themselves to a group, they may abuse privileges already held by that group. Similar to SharpHound, AzureHound only collects abusable roles against abusable objects — we filter out everything else that can’t be used to take over another object.

Let’s take a look at a VM, for example. In the BloodHound GUI, we can search for the VM we’re interested in just by typing its display name:

Here, click on the computer in the auto-suggestion dropdown, or hit enter. Then, click the computer in the graph drawing area, which will bring up the node info tab:

If we click on “First Degree Execution Rights”, we can see the 3 principals that have the ability to execute code as the SYSTEM user on this VM:

Under “Inbound Object Control”, we can see there are 9 principals with group-delegated control of this VM, meaning that while they may not be able to execute code as SYSTEM on the VM, they can grant themselves the ability to do so:

For example, the Administrator user on the far left belongs to the CLOUDHELPDESKGROUP security group, which itself has been added to the MY SECURITY GROUP group, which owns the VM. Interestingly, an on-prem security group with an on-prem user also owns this VM. This is a fairly light example, in real environments the number of principals with control of a VM can number in the hundreds.

Finally, we can explore what possible attack paths exist to take control of this VM by right clicking on the node and clicking “Shortest Paths to Here”:

This will run the shortest path query against the database for this VM, and display those attack paths in the BloodHound GUI once the query completes:

Each node in this graph has the ability to gain access to the VM on the far right by executing an attack path. Again, in real environments, you will see much, much more data here.

Visually exploring these relationships may offer an easier way to audit privileges on any given object in your Azure tenant and subscriptions, discover dangerous privileges, and remove them before an attacker can abuse them.

Conclusion and Future Work

We’re excited to expand BloodHound outside the scope of on-prem Active Directory, and eager to hear your experiences with using BloodHound to analyze attack paths that include Azure. For defenders, we hope the BloodHound GUI offers an easier and more effective auditing capability to fully understand which and how many principals have control of any given object — or can gain control through attack path execution.

There’s a few more nodes and edges related to Azure we want to add soon, including automation accounts and, if possible, collecting user sessions from VMs. We are also keeping our eyes on the continued research into Azure abuses from others in the community, and are always eager to add new, stable, reliable attack primitives into the BloodHound graph.

BloodHound is available free and open source on GitHub at https://github.com/BloodHoundAD/BloodHound

You can join us on Slack at the official BloodHound Gang Slack by clicking here: https://bloodhoundgang.herokuapp.com/

See the BloodHound 4.0 release video here: https://specterops.io/so-con2020/event-758916

Post Views: 2,360