Six Degrees of Domain Admin - Using BloodHound to Automate Active Directory Domain Privilege Escalation Analysis presented at BSidesLasVegas 2016

by Rohan Vazarkar, Will Schroeder, and Andy Robbins

Summary: Active Directory domain privilege escalation is a critical component of most penetration tests and red team assessments, but to date, established methodology dictates a manual and often tedious process of gathering credentials, analyzing the new systems we now have admin rights on, pivoting, and repeating this process until reaching our objective. Then, and only then, can we look back and see the path we took in its entirety. But that path may be neither the only nor the shortest one we could have taken to achieve elevated privileges.
By combining the concept of derivative admin (the chaining or linking of administrative rights), existing tools, and graph theory, we can reveal the hidden and unintended relationships in Active Directory domains. For example, Bob is an admin on Steve’s system, and Steve is an admin on Mary’s system; therefore, Bob is effectively (and perhaps unintentionally) an admin on Mary’s system. While existing tools such as Nmap, PowerView, CrackMapExec, and others can gather much of the information needed to find these paths, graph theory is the missing link that gives us the power to find hidden relationships in this offensive data.
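The derivative-admin chain above is a graph problem: principals and computers are nodes, and "is admin on", "has a session on" and "is a member of" relationships are directed edges, so finding an escalation path is a shortest-path search. The following is an added example (not code from the original talk or from the BloodHound project) that builds a small constructed graph in the style of BloodHound's AdminTo / HasSession / MemberOf relationships and uses breadth-first search both to find the shortest path from a starting user to the Domain Admins group and to list every node from which a given target is reachable. All node names and edges are made up for illustration.

```python
from collections import deque

# Constructed sample data, not real collector output. Each edge is
# (source, relationship, target). A user is AdminTo a computer, a computer
# HasSession for a user whose credentials are in memory there, and a user is
# MemberOf a group.
EDGES = [
    ("bob", "AdminTo", "STEVE-PC"),
    ("STEVE-PC", "HasSession", "steve"),
    ("steve", "AdminTo", "MARY-PC"),
    ("MARY-PC", "HasSession", "mary"),
    ("mary", "MemberOf", "Domain Admins"),
    ("Domain Admins", "AdminTo", "DC01"),
    ("alice", "AdminTo", "ALICE-PC"),  # dead end: no useful session on ALICE-PC
]


def build_graph(edges):
    """Adjacency list: node -> list of (relationship, neighbour)."""
    adj = {}
    for src, rel, dst in edges:
        adj.setdefault(src, []).append((rel, dst))
        adj.setdefault(dst, [])
    return adj


def shortest_path(adj, start, goal):
    """BFS from start to goal. Returns the hop list [(node, rel, node), ...]
    for the shortest path, or None if goal is unreachable."""
    if start not in adj or goal not in adj:
        return None
    prev = {start: None}  # node -> (predecessor, relationship used)
    queue = deque([start])
    while queue:
        node = queue.popleft()
        if node == goal:
            break
        for rel, nxt in adj[node]:
            if nxt not in prev:  # first visit is the shortest, BFS invariant
                prev[nxt] = (node, rel)
                queue.append(nxt)
    if goal not in prev:
        return None
    hops = []
    cur = goal
    while prev[cur] is not None:
        pred, rel = prev[cur]
        hops.append((pred, rel, cur))
        cur = pred
    return list(reversed(hops))


def derivative_admins(adj, target):
    """Every node from which `target` is reachable, i.e. everyone who is
    (directly or transitively) able to reach it. BFS over reversed edges."""
    reverse = {}
    for src, neighbours in adj.items():
        for _rel, dst in neighbours:
            reverse.setdefault(dst, []).append(src)
    seen = set()
    queue = deque([target])
    while queue:
        node = queue.popleft()
        for src in reverse.get(node, []):
            if src not in seen:
                seen.add(src)
                queue.append(src)
    return seen


if __name__ == "__main__":
    graph = build_graph(EDGES)
    for src, rel, dst in shortest_path(graph, "bob", "Domain Admins"):
        print(f"{src} -[{rel}]-> {dst}")
    print("Can reach DC01:", sorted(derivative_admins(graph, "DC01")))
```

Two caveats a practitioner should keep in mind when reading such a path: a HasSession edge is only as fresh as the moment the session data was collected, so a path through a session may not exist an hour later; and a shortest path is not necessarily the quietest one, since every AdminTo hop in it means logging on to another host.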
The application of graph theory to an Active Directory domain offers several advantages to attackers and defenders. Otherwise invisible, high-level organizational relationships are exposed. Most escalation paths can be efficiently and swiftly identified. Simplified data aggregation accelerates blue and red team analysis. Graph theory has the power and the potential to dramatically change the way you think about and approach Active Directory domain security.