Hi, welcome. I hope you're going to have to readjust this. You're a little taller than me. But we're welcoming up... I can't pronounce his name, but he assures me that that's common. So you can call him Scooby. That's what he goes by. And Scooby is a senior security architect, adversary detection team lead, and threat hunting team lead for Bell Canada, one of Canada's largest carriers. The talk that he's going to give is really cool, because BloodHound started out as a red teaming tool, right? But we've learned through using the tool that it's really, really useful for blue teamers to discover the attack paths in your Active Directory. So Scooby is going to give us some information on that and how you can use this tool on the blue side to understand your Active Directory and the attack paths better.

Hello everybody. Welcome to this talk called BloodHound from Red to Blue. I'm Scooby. You can find me on Twitter at ScoobyMTL. As was mentioned, I'm a senior security architect at Bell Canada, adversary detection team lead, and threat hunting team lead as well. This talk was first presented at BSides Charm a few months ago, so if there are some parts that I need to skip, I will refer you to that talk. I might have to go a bit faster because I've added a few things. At this point of the talk, you might wonder, is this guy mentally challenged or does he have an accent? Well, according to my doctors, it's because I'm French-Canadian that I speak like this. Canadians, we're usually nice people until hockey comes along; then if you're not on our team, well, you best STFU. Because I'm French-Canadian, you will probably notice I won't pronounce S's at the end of words, or H's, or I might have them where they don't belong, but don't worry, just bear with me. With this talk, I have a few unlocked achievements. First of all, I'm giving a talk at DEF CON. Secondly, I'm giving a talk with a mohawk.
As I mentioned, this is my second talk here at Hacker Summer Camp, so that makes me equal with Pyr0. He also gave two talks. That's one more talk than subTee, and that's two more talks than Matt Graeber. Matt mentioned that I had to talk about quality over quantity. I don't know what he meant. No security researcher ego was harmed in the making of this slide, so rest assured.

So here's your agenda for today. We're going to talk about what BloodHound is, the basic usage of BloodHound. We're going to do an introduction to the Cypher language, and then we're going to set out to destroy paths. And then I'm going to talk about reporting and automation. By show of hands, who here has used BloodHound before? Okay, and who has built their own Cypher queries? Okay, awesome.

Defenders think in lists, attackers think in graphs; as long as this is true, attackers win. You've probably all heard this before; it's a very common saying from John Lambert, and it comes with a whole blog post. What it really means is that when an adversary lands in your network, it doesn't land in a list that you have. It lands in a graph, which is a complex set of relationships between objects. BloodHound is one of the tools that will actually show you the relationships between those objects, and how they are actually linked together. So when we talk about a list, this is what we think about. We think about a list of assets, a list of server names, a list of groups, a list of serial numbers. Then we go deeper, and we have even more lists: a list of open ports, a list of installed software, compliance checkboxes. But what all those lists won't tell you that a graph will is how those things are actually connected together. What is the relationship that exists, that you know of, and especially that you do not know of, between all of those objects and all of your assets? So for those who are not familiar with graphs, it's not a security concept per se. So here's an example in real life.
So you and Alexis are going to a restaurant; along come Taylor and Jordan, and you become infatuated with Jordan. So you're going to leverage relationships in order to get what you want. So first of all, you're going to leverage your family relationship with Alexis, who is a co-worker of Taylor, who is a friend of Jordan, and then you'll get Jordan's phone number. By the icon I chose for the phone, you might guess roughly how old I am. So you can see here, I've made a big effort to stay gender neutral in my names and my relations. I'm really proud of that.

In Active Directory, it will look a little bit more like this. So an attacker will land somewhere in the network by compromising an account via phishing or password spraying, because my password is always Summer2019. And there he is. And then he's going to leverage the fact that this user is admin on his workstation, a bad infosec practice, but it does happen way more than we want. And then that machine can RDP to a terminal server, for example, in your environment, and depending on how many employees you have, this might be between 100 and 1,000 people. Then on that machine, there's a user who has a session, and he has a little crown, because he's a member of a high-value group. I see people with phones. The last slide of the deck will contain the link where you can download the whole deck, so you don't need to take pictures of every slide.

Now let's go over an overview of BloodHound. I want to go quickly, as more than half of the people seem to have used the tool before. But first of all, what is BloodHound? Rest assured there are lots of words, but it's the only slide with so many words. So BloodHound uses graph theory to reveal the hidden and often unintended relationships within an Active Directory environment. Both attackers and defenders can use those paths: red teamers to exploit them, and of course blue teamers to destroy them before they are being exploited. Here's a very quick history of BloodHound.
It was released at DEF CON 24 in a talk called Six Degrees of Domain Admin. If you go to that link, you'll see Rohan actually unlocking his password manager and making the repo live. I was personally introduced to BloodHound a year after that, at Black Hat 2017, in a talk called Industrial Revolution of Lateral Movement from Tal Maor and Tal Be'ery. It's an excellent talk where they explain how they can use a path generated by BloodHound and, through PowerShell, they just exploit it and get the credentials automatically. And then last year at Black Hat 2018, the team released BloodHound 2.0. BloodHound is developed by wald0, CptJesus and harmj0y, three people that I'm sure you're familiar with.

So what does BloodHound do exactly? Well, there are three simple things. It queries Active Directory, it imports the data into the Neo4j database, and then it shows the relationships between the objects. So why should you use BloodHound? Well, for red teamers, you can use the UI to build complex attack paths offline, and this reduces the noise on the network a lot. So every time you jump on a machine, you already know which credentials you need to steal and which attack path you need to follow to get to the next one. You don't need to re-scan the network every time you land on a new machine. For blue teamers, we can use queries to find the busiest attack paths. We can test the effect of deleting or removing a relationship, or remediating would be the right term, on your graph. And then you can destroy the paths before they are being exploited.

So it's now time to talk about the basics, or what I like to call the first steps. So first of all, you need an ingestor. There are three ingestors. There's SharpHound, which is a C# tool. There's Invoke-BloodHound, which is a PowerShell script that loads SharpHound reflectively. And then there's BloodHound.py, which was built by Dirk-jan from Fox-IT.
So if you land on a Linux machine, you can still leverage the goodness of BloodHound. On the right, I've put some comments. I'm going to go very quickly through them. I just want to mention that CollectionMethod All does not include LoggedOn anymore, because starting with the Windows 10 Anniversary Update and Windows Server 2016, you need to be local admin in order to list the sessions. So now you need to add that if you want to have everything. DCOnly is something that is quieter; it makes a lot less noise on the network. But as a defender, you should still run that in order to make sure that you can detect it. MaxLoopTime goes with SessionLoop. By default, BloodHound will loop for sessions for two hours. As we're defenders, we don't really care about being detected, so we should run that as long as possible. The reason being that if you run it during the day, you'll get all your user sessions, whereas if you run it at night, you might get some administrative tasks that are happening only at night. And you should also shift the days that you're running it, because some activities might happen only one day a week. SearchForest, yeah, whatever; if you have more than one forest, it could be useful. SharpHound -h for help.

This is a screenshot of the GUI, but there's nothing like a live demo. So let's jump into the UI. This is the screen that you're going to see when you get here. Because I'm a bit short on time, I'm going to make it as quick as possible. I'm just going to turn like this. So the thing I wanted to show you guys is... I'm going to skip a few things, but queries. Most people, when they land here, will use Find Shortest Paths to Domain Admins and the domain. So I'm going to let the little doggie do his thing while I just show you here the filtering options. So these are all the edges that you have available to you. This is not the latest version.
There are a few more now, but it was working for the presentation, and I didn't dare to try the new version. So you can remove any of those edges and recreate the graph, and it's just going to be gone. So from here, what I wanted to show, but I can't really read... Yeah, anyway, I cannot see the thing, but you can right-click on any edge and get help and information about how you can abuse that type of relationship. So this is really useful, and it's not really well documented. You have some opsec considerations and, of course, lots of references as well for any type of link. Another interesting thing is that if you right-click on any of the nodes, you have a few little menus here, and you have Edit Node. So if you go there, you can see all the properties of that node, and you can also add properties using the little add button right here. There are a few undocumented shortcuts as well that I want to point out today. So first of all, there's the space bar that will bring you Spotlight. Here you'll have all the elements of your graph, so you can click on anything and it's going to zoom in on your element and put it in the directory here. So here you have... If you have a user that is called Matt, you can click on it, and if you want to know if he has a path to Domain Admins, you just use the little road here and you type Domain Admins. And just like Google Maps, it will show you if the user has a path to the Domain Admins. So here's the path for that user. Besides that, a few other keywords. You can use Shift, Command and I to bring up a console. So if there are any error messages that you want to read, they will be here. Lastly, here in the settings, there are two... Yeah, two interesting things. First of all, the debug query mode that goes with the Raw Query here.
So when you activate that, every time you click somewhere, you will actually have the query in Cypher at the bottom in the Raw Query bar, and this is really helpful if you want to learn Cypher. And last but not least, there is the dark mode, which is probably the most important part of BloodHound. So let's get back to the presentation. By the way, every time I say dark theme in this presentation, a fairy is born. So here it is. Why fairies? Because I have two daughters and they love fairies.

Here are the undocumented features that I talked about: using the right-click on an edge to show contextual help, using Ctrl to toggle the labels on or off, Ctrl+Shift+I for the console, the space bar, and you can also search for GPOs or OUs right in the bar, and also domains. So if you want to know what's been enumerated, you can use those keywords.

So, graph database. As I mentioned, you load the data into Neo4j. This is where you can download the Community Edition, which is free. And then you start it like you would start any other Linux service, just by using start. Once it's installed, you can go to a web console on port 7474. So some people might ask why use the web console when BloodHound comes with a UI. Well, there are a few reasons for that, especially when you start writing your own queries. If you make a mistake in your query in the console, you'll quickly know that your query is wrong, and it will point out what is wrong in your query. So right here, you'll see that equal is not the right symbol; you need to put a semicolon. So when you fix that, you get the result of your query. Also, you can see that if you're not returning a path but you're returning a property, it will actually list it in a table, which doesn't happen in the GUI, but we're going to come back to that. The last reason to use the web GUI, the web console, sorry, is because it also has a dark theme. Hey, another fairy.
Let's go through an introduction to Cypher, or what I like to call learning to run. So a basic Cypher query will have a few objects, a few elements. So we have a MATCH statement. Then you have to declare some objects or variables. So here you can see that we are declaring a variable u of the type User, and if you want to access the attributes, you need to put a dot with the attribute's name. Then you'll likely want to find some relation, so that's two dashes and an arrow pointing in the direction that you want, and in brackets you can put the relation type. After that, you'll probably want to find paths, so you have shortestPath or allShortestPaths from one variable towards another one. And then you have WHERE if you want to do some filtering. And then you need a RETURN function to say exactly what you want to return.

So there are two methods for doing the filtering. There's the explicit method and there's the WHERE clause. So I'll show you the difference between the two. Here it is with an explicit function, so you can see that I'm declaring a variable called n, and its type is Group, and the name must be equal to Domain Users at testlab.local. And then we're finding another variable m which is a Group, and this one is Domain Admins at testlab.local, and then I'm looking for a shortest path between those two groups, and I don't care how many hops there are, and I want to return the path. With the WHERE clause it will look more like this: so we have the MATCH shortestPath n towards m, both groups, and then we say what we want for those variables. So the first one is we want it to start with Domain Users, whereas the other one is we want it to contain something. There's also ENDS WITH that exists, and then we return the path. Here are the two queries side by side. When you run them, not surprisingly, you get the exact same result. So why use one instead of the other? First of all, the time: it is way faster to use explicit when you can versus a WHERE clause.
On the other hand, if you're a consultant or if you have multiple domains and you use explicit, you'll have to change your query for all the domains all the time. So depending on the situation, one might be more suited than the other. Also, when you're using the web UI, it will help you improve your query. So when your query works but it's not optimal, you'll get those little exclamation marks, and when you click on them, the UI will tell you how you can actually improve them. So here's the query that we have improved. So if we put them side by side, you can see that in the first one there are variables and then we do the shortest path, whereas in the second one we do the shortest path and we declare our variables right inside the function, which is now the preferred way to do it in Cypher.

This is pro tip number one of the talk. Prepending EXPLAIN or PROFILE in front of your query will help you understand what's actually happening under the hood. So EXPLAIN will show the execution plan but will not run the statement, whereas PROFILE will run it and tell you exactly which operator is doing most of the work. So here's how it works. Here's a complex query that returns pretty much all the objects in the graph, and you do MATCH. So when you do EXPLAIN MATCH, you just put EXPLAIN before, and you'll get this. So you know this is EXPLAIN, so you can see here we have 1,600; it's estimated. When we run it with PROFILE, we see that it's actually 16,000, so you can see that it's actually more precise than the other one.

Here are some useful queries, and I'll also put my GitHub link here, so if you want to download all the custom queries that I did not show you in the UI, they are there.
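The queries the slides showed, written out as an added example that is not part of the talk: the explicit and WHERE-clause forms the speaker compares, the version that declares the variables inside shortestPath, a property-returning variant, and EXPLAIN/PROFILE. Group names follow BloodHound's "NAME@DOMAIN" upper-case convention and testlab.local is the talk's demo domain; query 3, the multi-domain variant, is this editor's addition and not one the talk shows.

```cypher
// Added example, not from the talk. Runs in the Neo4j web console (port 7474)
// or cypher-shell against a BloodHound database; statements are separated by ";".

// 1. Explicit (inline property) form: fastest, but the domain is hard-coded.
MATCH p = shortestPath(
      (n:Group {name: "DOMAIN USERS@TESTLAB.LOCAL"})-[*1..]->
      (m:Group {name: "DOMAIN ADMINS@TESTLAB.LOCAL"}))
RETURN p;

// 2. WHERE-clause form: slower, but works unchanged across domains.
//    Variables are declared inside shortestPath(), the preferred style.
MATCH p = shortestPath((n:Group)-[*1..]->(m:Group))
WHERE n.name STARTS WITH "DOMAIN USERS@"
  AND m.name CONTAINS "DOMAIN ADMINS"
RETURN p;

// 3. Editor's addition for the consultant / multi-domain case: anchor both end
//    nodes first with cheap lookups, pair them by domain suffix, then search
//    paths only between groups of the same domain.
MATCH (n:Group) WHERE n.name STARTS WITH "DOMAIN USERS@"
MATCH (m:Group) WHERE m.name STARTS WITH "DOMAIN ADMINS@"
  AND split(n.name, "@")[1] = split(m.name, "@")[1]
MATCH p = shortestPath((n)-[*1..]->(m))
RETURN n.name AS start_group, m.name AS end_group, length(p) AS hops
ORDER BY hops;

// 4. Same search, returning properties instead of the path: the web console
//    renders this as a table, and it is cheaper than shipping the whole path.
MATCH p = shortestPath(
      (n:Group {name: "DOMAIN USERS@TESTLAB.LOCAL"})-[*1..]->
      (m:Group {name: "DOMAIN ADMINS@TESTLAB.LOCAL"}))
RETURN length(p)                            AS hops,
       [r IN relationships(p) | type(r)]    AS edge_types,
       [x IN nodes(p) | x.name]             AS route;

// 5. Pro tip number one: EXPLAIN shows the plan without running the query;
//    PROFILE runs it and reports real (not estimated) rows per operator.
PROFILE MATCH p = shortestPath((n:Group)-[*1..]->(m:Group))
WHERE n.name STARTS WITH "DOMAIN USERS@" AND m.name CONTAINS "DOMAIN ADMINS"
RETURN count(p) AS paths;
```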
Domain Users: those are the first things that I like to do when I start an engagement or go on a new domain: looking at where Domain Users are local admins, if they have a shortest path to high-value targets, if there are any places that they can RDP to, and then all the other bad rights that they might have. Then I like to look into Kerberoasting. If you have no idea what Kerberoasting is, in a nutshell it's an attack where you request a weak cipher of a password, in RC4, and then you crack it offline. If you want more information, adsecurity.org, the site by Sean Metcalf. And then I also brought back the top 10 that were removed from version 1 to 2, because I believe as a blue teamer it's a good place to start exploring your graph, so I just put them back.

Here's an example of some advanced queries that we're sharing in the BloodHound Cypher queries Slack channel. I believe both of them were built by wald0. It's just to show you that you can start doing OPTIONAL MATCH, you can start collecting variables, you can add them together, you can UNWIND, you can count stuff. And if you look at the second one, you can extract labels, you can extract variables, you can filter things, you can do average length, and lots of mathematical things also in there. If you want to learn more about Cypher, there is a good cheat sheet from Neo4j, and this is the link.

Now that we know a little bit how to build Cypher queries, it's time to destroy paths. So what are we trying to do when we're destroying paths? Well, we're trying to find the busiest path, and then we're trying to test the effect of the proposed remediation. So when you have the whole path, sometimes it might seem obvious that if you remove a link you'll destroy the path and Domain Users won't have a path anymore to Domain Admins, but we'll see that this is not always the case. And then, when we know exactly which path should be removed, we can inform our domain admins and have them make the change. Let's try this in a
controlled environment. First of all, we're going to create a problem, so I'm going to MERGE the Domain Users and I'm going to give them admin rights to the computer 673. When I run that in a console, I get that one relationship was created, and I'm very happy. After that, we're going to test our relationship, so we're going to ask for a path between Domain Users and the computer 673, and we're going to ask to return the path. Not surprisingly, our path is there. Now we have two options that we can use: we can filter out the relationship, which is to be used when there's only one relationship type in that path, or you can delete the relationship in one relation. I'll show you how to do both. So first of all, filtering out the relationship. So here's the same beginning of the query: we're looking for a path between Domain Users and computer 673, and we want to filter a relationship where the type of relationship is not AdminTo, and we want to return the path. If we do it with a DELETE, it will look like this: so pretty much the same query again, but then we just delete the relationship. And then the same thing, but you return the path. And those are the three queries side by side. When you run them, again not surprisingly, you have no data.

The thing is, everything I just said was wrong. So you're like, okay, everything was wrong, so why are we here? Are we losing our time? I'll take you through what happened in my head in the last 36 hours, and remember that I've presented this at BSides Charm and this part was not in BSides Charm. So let's do it against real data. So we're going to do the same thing: we're going to find our target, so we're going to do the shortest path between Domain Users and Domain Admins, and we're going to get a path that looks like this. At the top here is ExecuteDCOM, and it's the only ExecuteDCOM in the path, so this should be a prime target for a filter out. So here's how you would do that: you would say shortest path between Domain Users and Domain Admins where the path does not contain ExecuteDCOM, and if the fix
is right, and if this is the fix that we want to send to our sysadmins, we should not have a path to Domain Admins anymore. Now we have a problem: we still have a path, but it's much longer. So the ExecuteDCOM is not the right thing that we want to exclude. But why is filtering wrong? I'll show you right here: instead of shortest path to Domain Admins, this is all shortest paths to Domain Admins. So as you can see, there are two paths with the same length that lead to Domain Admins. This is the first one that we excluded with the ExecuteDCOM, but right here there's another ExecuteDCOM, and that link was also removed from our view. So not only did we still have a path to Domain Admins when we excluded ExecuteDCOM, but we removed every ExecuteDCOM from every path of the graph. So that's why filtering out is actually a bad idea.

Now I was like, okay, but at least I can delete relationships, right? So here's the same shortest path, but then I print the labels, and you can see that in between group 4574 and computer 652 there's our ExecuteDCOM. So we're going to target that link, and we're going to say: take the path, I want a path between those, assign it to variable r, and then we're going to delete the relationship. And then this happened. And then I was like, well, shit, now I've deleted two relationships when I wanted to only delete ExecuteDCOM. And I was like, okay, now what do I do? My talk is in 36 hours and none of my techniques actually work, and I'm going to look like... okay. But the solution was quite easy. I googled how to target a single link, and the first result was actually there. So it's very easy: the same query, but you can see that here I've actually told it exactly which relation I wanted to target, and delete only one relationship. And then I was partying like Darth Vader was not there. That's pretty much what I looked like in my room yesterday. So now we get something that looks like this when you're using the filter out to this path, which is actually the path that we saw on the
top, and our ExecuteDCOM is right there. So that brings me to this part. So when you do the same query in the web UI, you get the picture on the left, where you can see all the links; when you do it in BloodHound, you only have one link. So I looked a little bit, I asked the guys from BloodHound: when you do a query to Neo4j, it returns only one link, but then the GUI somehow adds them back when the query is done. So that's why in the BloodHound GUI you only get the one link that is returned by the query, and it's by alphabetical order.

So let's talk about what exactly happened here. So a graph is like a map. So imagine that you want to find all the routes between Chicago and New York City, for example. Maybe you'll be shown one or two routes on the map, but that's not all the paths that exist by any stretch of the imagination; you can turn left on the street, right, whatever. So that's exactly what's happening here: BloodHound will only show you one relationship, so you might think that there's only one when there are many. And it is possible to delete a very specific relationship using this command, by assigning the name of the relationship that you want to delete before.

Now let's get back to our regularly scheduled programming. This is pro tip number two of the talk. By default, there are five groups that are high value in BloodHound, but in your environment it's probably not the case; you probably have way more groups that are very important. So this is a query that will help you find all the groups that contain "admin" and whose highvalue attribute is not set to true. You're going to return those names, and we have Asia Admins, Europe Admins and North America Admins. Now what we're going to do is run the same query, but we're going to set those groups' highvalue property to true. So we go from the five original ones to eight groups that are high value. Pro tip number three: what about the users inside of those groups? So here's a query that's
going to help you find all the high-value groups that you have and all the users that belong to those groups, and then you're going to set the property of those users to true. If you have a good eye, you might have noticed that this relationship is in the other direction, and this is just to show you how flexible Cypher can be. So what it's going to do is change something like this, where you have Domain Admins with a diamond, meaning that it's a high-value group, and the users are not high value, to this. It will also change your all shortest paths from this to this. So you see that in reality you have a lot more paths than you actually thought at the beginning.

Pro tip number four. I know, I know, it's not Christmas and I keep on giving. So here is the shell CLI, where you can use cypher-shell, and I'm going to talk about that a little bit later. But basically, here we see that the first one takes longer to execute than the second one, and the reason is very simple: in the first one we are returning a path, whereas in the second one we are returning an attribute. So it's a lot faster to return attributes if you don't have to send a path. Pro tip number five: another way to accelerate your queries, or make them faster, is to remove the relationship variables if you don't need them. Here the difference seems very small, but bear in mind that my database is very small.

If you want to learn more about how you can use BloodHound as a defender, you can watch Professionalizing BloodHound: Attack Graphs for Defenders. There's also SadProcessor, who did quite a lot of research; he also presents another methodology where you actually whitelist the nodes themselves by adding properties. And then of course there's the BloodHound Slack, the Cypher queries channel, where there are lots of people, including myself, who will try to help you with your Cypher queries if you have any problems.

Now we're going to talk about reporting, because attackers think in graphs, management thinks in
metrics, and as long as this is true, ops will suffer. So here's an example of a very simple report that we can have. At the top you can put, say, in January 100% of our users had a path to Domain Admins; now in February it's 57; and then in March 12; and we're trying to get to as low as possible. Of course, if this is not visual enough for your management, you can always use gauges; those ones were built in Google Docs, for example, very easily. And if they don't understand this, well, honestly, at this point I cannot help you anymore.

Here's a query about how you can find the percentage of users with a path to Domain Admins. So what you're doing here is you're looking for a shortest path between Domain Users and, sorry, shortest path to DA. So here you're looking for a path from User to Domain Admins, and then you're going to count the number of users you have in your path, and then how many users have a path, and then you're going to do some maths right in the RETURN function: users that have a path divided by the total of users, multiplied by 100. This will give you your percentage, and when you run this you get 100% in this case.

Now, when you're done with the low-hanging fruit, you can start looking at things that are a bit more funky, like: do I have any domain admins that have sessions on non-DC machines? This is a bad practice; your domain admins should only log into the domain controllers. So what we're doing here is that we're looking for computers that are not part of the Domain Controllers group, and we assign them a variable called nonDC. Then we're looking for nonDC that has a session to a user, and the user must be a member of Domain Admins, and then we return the name, username, and we count the connections. Again, there's something special about this query: we have a double relationship. It's also to show you how powerful Cypher can be, and I'm very proud of this; I worked really hard on this one. I got another version from wald0 on the Slack channel, but he was using SIDs and it was not working with the SIDs in
the test database. So this will give you something like this, so you see all of your admins and how many connections they have to non-DC machines. If these names are too cryptic in your environment, you can do a little modification right here, and in brackets you can put all the fields that you actually want to display, and it's going to look like this. So here you have the username and also the display name, so it might be easier for you to find who this account belongs to. So here's another way of representing the same graph, the same Excel file; here it is logarithmic, and you're aiming for your data to go down, down, down, down. Probably not the best way to show it, but at least there's a dark theme, and that gives me my third fairy for the talk.

So now let's talk about automation. So as I mentioned earlier, there's a CLI command, sorry, in the bin directory of Neo4j. So you can go there, you export your username and password, and then using cypher-shell you can paste your query directly there; you just need to enclose them with single quotes. So another pro tip would be: every time you build a custom query in Cypher, always use double quotes, and when you go in your shell you can use single quotes. If you mix and match, it's going to be very difficult to automate things. So this query: we're looking for the Kerberoastable high-value accounts. For Kerberoastable, that's why we have the hasspn attribute set to true, and highvalue set to true. When you run that, you'll get this in the shell, but you can also pipe it into a CSV file, and it's going to look like this. Q8 is only because that was my eighth query in the graph. CSV is very easy to open; I mean, you can send that to your manager or your sysadmins and they will be able to open it in their favorite spreadsheet.

Now, alerting. So when you have your query, you can start comparing the current month's result with the last month's result, and you just send an alert if the number increases. And I went very fast because we're already at the conclusion. Here are the key
takeaways for today. Defenders can think in graphs too, using tools like BloodHound. Cypher is a very flexible language and you can do a lot of things if you put the effort into it. It's also important to test the real impact of a remediation before you send it to your sysadmins; otherwise they'll lose faith in BloodHound, they'll lose faith in your process, and they'll probably lose faith in you. But it's easy to do, as I demonstrated. Not all queries are worth automating. What I mean by that is that, yes, you can see all the users in Domain Admins, for example, and you probably want to be alerted if there's a new user in that group, but you'll run BloodHound maybe once a quarter, once a month, if you're lucky maybe once a week. That's not fast enough to be alerted if there's a new domain admin, so you're way better off looking for event ID 4728 in your logs to be alerted in near real time.

Finally, I want to give a big thank you to the Blue Team Village for having me today. I want to thank Pyr0 and Grifter; I'm here because of these people, and especially Grifter, who last year in Toronto said that if you have something that you want to share with the community, don't be shy, do it, do CFPs, and you might get accepted. And that's what happened to me, so I'm very happy. And you learn a lot more about what you want to talk about, or about your subject, when you make a talk, because it's a second talk, and as you saw, lots of things have changed since the first version. I want to thank wald0 and CptJesus, who created the tool and who are helping everybody in the Slack channel when they have questions. So as promised, here's the link to the whole deck, and the second link is the talk, the same talk but that I gave at BSides Charm, where I gave a more in-depth tour of the GUI and I go a little bit, well, less fast, let's say slower.

So if you have any questions, I have a few minutes. So the question is, is there a training or environment you can practice on? Yes, there is an open database. I don't have the link with me,
but if you go to the blood-down Slack or if you send me a text or something I will give it to you it exists the SpecterOps team has built and put online database and you can also generate your own there's a DB generator that comes with blood-down that you can run and you just specify how many user and computer you want and it's going to build everything that's what I use for this presentation so this is all fake data yes so is iValue a blood-down term yes it is it's an attribute that is collected and you can activate it in the GUI or manually using Cypher so it's one of the properties well everything is open source so you can probably change but I don't know how to do that but I'm pretty sure you can any other question yes so the question was if you run blood-down multiple time can you just import data over it or should you kind of clean your database the best way usually is you save your old database and you create then you save it then you clear it and you re-import so you can see yeah it's better because otherwise if your admins have made changes they will still be there in your environment and they will still when you do your query it's not going to be a real representation of your environment if you don't clean it yes sir the question was is there a reason why I did the deleting the relationship between looking for for for the percentage because I believe it's easier to find to break the most path at the beginning but you can do it the other way around also but if you have something from domain user that goes to domain admin it's probably the first thing you want to remove and that will give you a high win rate or a big drop in your percentage if you have a path from domain user to DA that means 100% of your user of a path and it's going to be hard to find which one to if you're not doing the query yes sir okay is there a difference between the tree and jester the sharp the sharp on the power shell one and then the python so python should be mostly used if you 
land in a linux environment or if you don't have any credentials and then you go to the first machine and you rerun sharp on from there so sharp on is really the preferred methods to run it you'll see that now since a few months a lot of antivirus as I started categorizing it as a virus which is a bit sad but you can kind of understand why so power shell is a way to actually load a sharp on reflectively so if you have application white listing for example you might be able to run a script or but the preferred methods especially for blue teamer would be to allow sharp on to be executed in one machine in one directory and then you do it this way as a as a red teamer I'll let other people and serve but as a blue teamer you should just white list in for a very specific place any other questions yes so the question was is there any tools in Neo4j to see the difference between different graphs I don't know of any but my friend is sitting right there give me a good idea and I'm going to work on that for next year the question was did I test it in any azure environment or any other cloud no I did not any other questions thank you very much everybody
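The automation workflow described in the talk (export the Neo4j credentials, hand cypher-shell a query wrapped in single quotes with double quotes inside, keep the CSV, and alert when this month's count is higher than last month's), as an added shell example that is not code from the talk or from the BloodHound project. It assumes cypher-shell is on PATH with NEO4J_USERNAME and NEO4J_PASSWORD exported, and the BloodHound property names hasspn and highvalue are an assumption; the two CSV files are constructed sample output, not real results, and the helper names (run_query, count_rows, new_rows, compare_months, alert_if_increased) are hypothetical.

```shell
#!/bin/sh
# Added example, not code from the talk: wrap the cypher-shell workflow
# (export credentials, run a saved query, keep the CSV, compare months)
# in a few POSIX sh functions. Assumes cypher-shell is on PATH and that
# NEO4J_USERNAME / NEO4J_PASSWORD are exported. The property names
# hasspn and highvalue are assumed BloodHound schema names.

# Double quotes belong inside the Cypher text, single quotes around it for
# the shell, so the same query works in the GUI and on the command line.
KERBEROASTABLE_HVT_QUERY='MATCH (u:User {hasspn:true, highvalue:true}) RETURN u.name AS name, u.displayname AS displayname ORDER BY name'

# run_query CYPHER OUTFILE: run a query and keep the result as a CSV-like
# file. --format plain prints a header line followed by one row per line,
# which is the layout count_rows and new_rows expect.
run_query() {
    cypher-shell --format plain "$1" > "$2"
}

# count_rows CSV: number of data rows, header and blank lines excluded.
count_rows() {
    awk 'NR > 1 && NF { n++ } END { print n + 0 }' "$1"
}

# new_rows LAST_CSV THIS_CSV: rows present this month but absent last month.
# The pattern file is built from data rows only, because a blank line in a
# grep -f pattern file would match every input line.
new_rows() {
    old_rows=$(mktemp)
    tail -n +2 "$1" | grep . > "$old_rows" || true
    tail -n +2 "$2" | grep -vxFf "$old_rows" || true
    rm -f "$old_rows"
}

# compare_months LAST_CSV THIS_CSV: prints increase, same or decrease.
compare_months() {
    last=$(count_rows "$1")
    this=$(count_rows "$2")
    if [ "$this" -gt "$last" ]; then
        echo increase
    elif [ "$this" -lt "$last" ]; then
        echo decrease
    else
        echo same
    fi
}

# alert_if_increased LAST_CSV THIS_CSV: the alert condition from the talk
# is "the number went up"; on an increase, print the rows that are new.
alert_if_increased() {
    if [ "$(compare_months "$1" "$2")" = "increase" ]; then
        echo "ALERT: kerberoastable high value accounts went from $(count_rows "$1") to $(count_rows "$2")"
        new_rows "$1" "$2" | sed 's/^/  new: /'
        return 0
    fi
    return 1
}

# Constructed sample output standing in for two cypher-shell runs a month
# apart (fake names, laid out like --format plain output).
SAMPLE_DIR=$(mktemp -d)
trap 'rm -rf "$SAMPLE_DIR"' EXIT
LAST_MONTH_CSV="$SAMPLE_DIR/q8_last_month.csv"
THIS_MONTH_CSV="$SAMPLE_DIR/q8_this_month.csv"
cat > "$LAST_MONTH_CSV" <<'EOF'
name, displayname
"BACKUP@EXAMPLE.LOCAL", "Backup Agent"
"SQLSVC@EXAMPLE.LOCAL", "SQL Service"
EOF
cat > "$THIS_MONTH_CSV" <<'EOF'
name, displayname
"BACKUP@EXAMPLE.LOCAL", "Backup Agent"
"SQLSVC@EXAMPLE.LOCAL", "SQL Service"
"WEBAPP@EXAMPLE.LOCAL", "Web App Pool"
EOF

# Against a live Neo4j the monthly run would be:
#   run_query "$KERBEROASTABLE_HVT_QUERY" "$THIS_MONTH_CSV"
alert_if_increased "$LAST_MONTH_CSV" "$THIS_MONTH_CSV" || echo "no increase"
```

Keeping each month's CSV is what makes the comparison possible, and diffing rows rather than only counts tells the sysadmin which account to look at. As the talk notes, this cadence only suits data that changes slowly; group membership changes such as a new Domain Admin should come from event ID 4728 in the logs, not from a monthly BloodHound run.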