Published November 2, 2017 | Version v1
Journal article Open

BloodHound - Sniffing out domain admins

  • 1. scip AG

Contributors

Editor:

  • 1. scip AG

Description

Active Directory (AD) is the central administrative point for access data, roles and rights. Along with the Windows infrastructure, other applications are integrated via single sign-on. Anyone with administrative access to AD can control access to applications and their data and issue Kerberos tickets [1], which allow access to information. An intruder (offense [2]) in the internal network will therefore attempt to gain privileged rights in AD. Meanwhile, the relevant IT department (defense [3]) will work hard to prevent precisely this from happening. Domain users already have extensive read rights in AD and are able to access plenty of information, including attributes of users and groups, access rights (ACL) and group policies. These standard rights make it harder to protect AD, because the intruder can already get hold of plenty of information in this way.

Notes

This paper was written in 2017 as part of a research project at scip AG, Switzerland. It was initially published online at https://www.scip.ch/en/?labs.20171102 and is available in English and German. Providing our clients with innovative research for the information technology of the future is an essential part of our company culture.

Files

BloodHound - Sniffing out domain admins.pdf

Size: 413.9 kB
md5:26d46d292ab368f78c5154905b888658