It is extremely difficult to uncover the security implications of the many permissions configured in a large Active Directory (AD) environment, so I have created a tool called ImproHound to help with that. ImproHound identifies AD attack paths that break the AD tier model, using the awesomeness of BloodHound. It is available on GitHub, including source code, install instructions, and a usage guide: https://github.com/improsec/ImproHound
This blog post explains the motivation for creating ImproHound and what I hope the tool can do for you.
BloodHound
BloodHound is a great reconnaissance tool that finds AD privilege escalation and lateral movement paths. It is available on GitHub: https://github.com/BloodHoundAD/BloodHound
BloodHound uses graph theory to reveal the hidden and often unintended relationships within an AD environment. Attackers can use BloodHound to identify highly complex chained attack paths that would otherwise be impossible to identify quickly. BloodHound is extremely good at finding the shortest attack path from a compromised user or computer to a desired target.
Using BloodHound as a defender
As a defender, you want to remediate not just the shortest path to Domain Admins but ALL the paths to Domain Admins. Unfortunately, that is not easy with BloodHound. You can write great queries that find all paths using the apoc.path.subgraphAll function of the Neo4j APOC plugin, but the resulting graph is often large, and it is difficult to get an overview of which relations make up the problem.
Tiering is the solution
It is not viable to micromanage permissions and ensure every AD object has only the exact permissions it needs. Instead, you should draw lines through your AD to separate your AD objects into tiers and ensure no permissions (attack paths) cross these lines. Tiering is the solution. I know Microsoft has replaced the “legacy AD tier model” with its new Enterprise Access Model, which spans access to cloud, OT, etc. and not just on-premises AD, but AD tiering is still one of the most effective ways of preventing attackers from escalating from a standard AD user to Domain Admin.
ImproHound
ImproHound connects to the Neo4j database of BloodHound and extracts the OU structure of the AD from the BloodHound data. From the OU structure, you decide which AD objects belong to which tiers. When you have defined the tiers, ImproHound finds the relations between AD objects that break the tiering and outputs the findings as a CSV file.
It is difficult to choose which tier AD objects belong to if the AD is messy (like most standard ADs), and in that case ImproHound will find a lot of tiering violations that are difficult to work with. Before you run ImproHound, I recommend you split your AD into at least two tiers: Tier 0 (Domain Controllers, Domain Admins, etc.) and Tier 1 (all other objects) to give yourself a better basis for finding the true violations and solving them.
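To make the tiering check concrete, here is a small added example that is neither ImproHound's nor BloodHound's own code. It models a handful of BloodHound-style objects and relations constructed for this post, assigns tiers from the OU structure the way you would decide them in ImproHound (with a per-object override for a built-in group that lives outside any tier OU), flags every relation where a less privileged tier has control over a more privileged one, enumerates all paths (not only the shortest) from a standard user into Tier 0, and renders the violations as CSV. The object names, distinguished names, relations and tier rules are all invented for the example.

```python
import csv
import io
from collections import defaultdict

# Constructed sample objects: BloodHound-style names mapped to distinguished
# names. The OU layout is invented for this example, not taken from a real AD.
OBJECTS = {
    "DOMAIN ADMINS@CORP.LOCAL": "CN=Domain Admins,CN=Users,DC=corp,DC=local",
    "DC01.CORP.LOCAL": "CN=DC01,OU=Domain Controllers,DC=corp,DC=local",
    "SRVADMINS@CORP.LOCAL": "CN=SrvAdmins,OU=Groups,OU=Tier1,DC=corp,DC=local",
    "HELPDESK@CORP.LOCAL": "CN=Helpdesk,OU=Groups,OU=Tier1,DC=corp,DC=local",
    "ALICE@CORP.LOCAL": "CN=Alice,OU=Users,OU=Tier1,DC=corp,DC=local",
    "APP01.CORP.LOCAL": "CN=APP01,OU=Servers,OU=Tier1,DC=corp,DC=local",
}

# Tier decisions expressed on containers, as you would make them from the OU
# tree. Tier 0 is the most privileged. An object takes the tier of the deepest
# matching container, so a nested OU can override its parent's tier.
TIER_CONTAINERS = {
    "DC=corp,DC=local": 1,                          # catch-all: everything else is Tier 1
    "OU=Domain Controllers,DC=corp,DC=local": 0,
    "OU=Tier1,DC=corp,DC=local": 1,
}
# Built-in groups such as Domain Admins live in CN=Users, so they get an
# object-level override instead of a container rule.
TIER_OVERRIDES = {"DOMAIN ADMINS@CORP.LOCAL": 0}
DEFAULT_TIER = 1


def tier_of(name):
    """Resolve an object's tier: explicit override first, then deepest container."""
    if name in TIER_OVERRIDES:
        return TIER_OVERRIDES[name]
    dn = OBJECTS[name]
    best = None
    for container, tier in TIER_CONTAINERS.items():
        if dn.endswith("," + container) and (best is None or len(container) > len(best[0])):
            best = (container, tier)
    return best[1] if best else DEFAULT_TIER


# Constructed relations in BloodHound's (source, edge, target) form.
EDGES = [
    ("ALICE@CORP.LOCAL", "MemberOf", "HELPDESK@CORP.LOCAL"),
    ("HELPDESK@CORP.LOCAL", "GenericAll", "SRVADMINS@CORP.LOCAL"),
    ("SRVADMINS@CORP.LOCAL", "AdminTo", "APP01.CORP.LOCAL"),
    ("SRVADMINS@CORP.LOCAL", "AdminTo", "DC01.CORP.LOCAL"),
    ("HELPDESK@CORP.LOCAL", "WriteDacl", "DOMAIN ADMINS@CORP.LOCAL"),
    ("DOMAIN ADMINS@CORP.LOCAL", "AdminTo", "DC01.CORP.LOCAL"),
    ("DOMAIN ADMINS@CORP.LOCAL", "AdminTo", "APP01.CORP.LOCAL"),
]

FIELDS = ["Source", "SourceTier", "Relation", "Target", "TargetTier"]


def tiering_violations(edges):
    """A relation breaks the tier model when a less privileged tier (higher
    number) has control over a more privileged one (lower number). Control
    downward, e.g. Domain Admins administering a Tier 1 server, is allowed."""
    found = []
    for src, rel, dst in edges:
        s, d = tier_of(src), tier_of(dst)
        if s > d:
            found.append({"Source": src, "SourceTier": s, "Relation": rel,
                          "Target": dst, "TargetTier": d})
    return found


def all_paths_to_tier(edges, start, target_tier=0):
    """Enumerate every simple path from `start` into the target tier, not just
    the shortest one. Each path is a list of (relation, next_object) steps."""
    adj = defaultdict(list)
    for src, rel, dst in edges:
        adj[src].append((rel, dst))
    paths = []

    def walk(node, path, seen):
        for rel, nxt in adj[node]:
            if nxt in seen:
                continue  # avoid cycles such as mutual group membership
            step = path + [(rel, nxt)]
            if tier_of(nxt) == target_tier:
                paths.append(step)  # boundary crossed: record and stop here
            else:
                walk(nxt, step, seen | {nxt})

    walk(start, [], {start})
    return paths


def violations_to_csv(violations):
    """Render the findings as CSV text, one row per tier-breaking relation."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=FIELDS)
    writer.writeheader()
    writer.writerows(violations)
    return buf.getvalue()


if __name__ == "__main__":
    print(violations_to_csv(tiering_violations(EDGES)))
    for p in all_paths_to_tier(EDGES, "ALICE@CORP.LOCAL"):
        print(" -> ".join(["ALICE@CORP.LOCAL"] + [f"[{r}] {n}" for r, n in p]))
```

Run against the sample data, the path enumeration finds two routes from the standard user Alice into Tier 0, and the violation check reports exactly the two relations at which those routes cross the tier boundary (Helpdesk's WriteDacl on Domain Admins and SrvAdmins' AdminTo on the domain controller). That is the practical point of the check: the flat list of boundary-crossing relations is what you remediate, and it stays readable even when the set of full paths does not. The Domain Admins AdminTo relations are not reported, because control from a more privileged tier down to a less privileged one does not break the model.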
Outro
It is important to remember that BloodHound does not identify all attack paths that can lead to an AD compromise. But attackers will certainly look for the attack paths found by BloodHound, which is why it is highly recommended to remediate the BloodHound findings.
I am not the only one who has thought about using BloodHound for identifying tiering violations. SpecterOps and the people behind BloodHound hosted a webinar on 9 March 2021 where they presented their new commercial product ‘BloodHound Enterprise’, which will help remediate attack paths leading to Tier 0. The solution looked very promising with a lot of cool features, and it is going to be very exciting to check it out when it is released this summer.
You can find more info on our AD Hardening service here: https://improsec.com/en/ad-security-hardening