Andy Robbins (@_wald0), Rohan Vazarkar (@cptjesus), Will Schroeder (@harmj0y) - Six Degrees of Domain Admin - Using Graph Theory to Accelerate Red Team Operations

 
Share
 

Manage episode 215601411 series 2427673
By DEF CON. Discovered by Player FM and our community — copyright is owned by the publisher, not Player FM, and audio is streamed directly from their servers. Hit the Subscribe button to track updates in Player FM, or paste the feed URL into other podcast apps.

Materials: https://media.defcon.org/DEF CON 24/DEF CON 24 presentations/DEFCON-24-Robbins-Vazarkar-Schroeder-Six-Degrees-of-Domain-Admin-UPDATED.pdf

Six Degrees of Domain Admin - Using Graph Theory to Accelerate Red Team Operations
Andy Robbins (@_wald0), Offensive Network Services Team Lead, Veris Group?
Rohan Vazarkar (@cptjesus) Penetration Tester, Veris Group?
Will Schroeder (@harmj0y) Researcher, Veris Group

Active Directory domain privilege escalation is a critical component of most penetration tests and red team assessments, but standard methodology dictates a manual and often tedious process – gather credentials, analyze new systems we now have admin rights on, pivot, and repeat until we reach our objective. Then -- and only then -- we can look back and see the path we took in its entirety. But that may not be the only, nor shortest path we could have taken. By combining our concept of derivative admin (the chaining or linking of administrative rights), existing tools, and graph theory, we can reveal the hidden and unintended relationships in Active Directory domains.

??

Bob is an admin on Steve’s system, and Steve is an admin on Mary’s system; therefore, Bob is effectively (and perhaps unintentionally) an admin on Mary’s system. While existing tools such as Nmap, PowerView, CrackMapExec, and others can gather much of the information needed to find these paths, graph theory is the missing link that gives us the power to find hidden relationships in this offensive data. The application of graph theory to an Active Directory domain offers several advantages to attackers and defenders. Otherwise invisible, high-level organizational relationships are exposed. All possible escalation paths can be efficiently and swiftly identified. Simplified data aggregation accelerates blue and red team analysis. Graph theory has the power and the potential to dramatically change the way you think about and approach Active Directory domain security.
Andy Robbins is the Offensive Network Services lead for Veris Group's Adaptive Threat Division. He has performed penetration tests and red team assessments for a number of Fortune 500 commercial clients and major U.S. Government agencies. In addition, Andy researched and presented findings related to a business logic flaw with certain processes around handling ACH files affecting thousands of banking institutions around the country at DerbyCon. He has a passion for offensive development and red team tradecraft, and helps to develop and teach the ‘Adaptive Red Team Tactics’ course at BlackHat USA.

??

Twitter: @_wald0

??

Rohan Vazarkar is a penetration tester and red teamer for Veris Group's Adaptive Threat Division, where he helps assess fortune 500 companies and a variety of government agencies. Rohan has a passion for offensive development and tradecraft, contributing heavily to EyeWitness and the EmPyre projects. He has presented at BSides DC, and helps to develop and teach the ‘Adaptive Penetration Testing’ course at BlackHat USA.

??

Twitter: @cptjesus

??

Will Schroeder is security researcher and red teamer for Veris Group's Adaptive Threat Division. He is a co-founder of the Veil-Framework, developed PowerView and PowerUp, is an active developer on the PowerSploit project, and is a co-founder and core developer of the PowerShell post-exploitation agent Empire. He has presented at a number of security conferences on topics spanning AV-evasion, post-exploitation, red team tradecraft, and offensive PowerShell.

??

Twitter: @harmj0y

104 episodes