diff --git a/src/windows-hardening/active-directory-methodology/bloodhound.md b/src/windows-hardening/active-directory-methodology/bloodhound.md index 3f566b90ad8..d97a9812825 100644 --- a/src/windows-hardening/active-directory-methodology/bloodhound.md +++ b/src/windows-hardening/active-directory-methodology/bloodhound.md @@ -65,29 +65,40 @@ SharpHound.exe --Stealth --LDAP # Low noise LDAP only The collectors generate JSON which is ingested via the BloodHound GUI. ---- +### Privilege & logon-right collection -## Prioritising Kerberoasting with BloodHound +Windows **token privileges** (e.g., `SeBackupPrivilege`, `SeDebugPrivilege`, `SeImpersonatePrivilege`, `SeAssignPrimaryTokenPrivilege`) can bypass DACL checks, so mapping them domain-wide exposes local LPE edges that ACL-only graphs miss. **Logon rights** (`SeInteractiveLogonRight`, `SeRemoteInteractiveLogonRight`, `SeNetworkLogonRight`, `SeServiceLogonRight`, `SeBatchLogonRight` and their `SeDeny*` counterparts) are enforced by LSA before a token even exists, and denies take precedence, so they materially gate lateral movement (RDP/SMB/scheduled task/service logon). -Graph context is vital to avoid noisy, indiscriminate roasting. A lightweight workflow: +**Run collectors elevated** when possible: UAC creates a filtered token for interactive admins (via `NtFilterToken`), stripping sensitive privileges and marking admin SIDs as deny-only. If you enumerate privileges from a non-elevated shell, high-value privileges will be invisible and BloodHound won’t ingest the edges. -1. **Collect everything once** using an ADWS-compatible collector (e.g. RustHound-CE) so you can work offline and rehearse paths without touching the DC again: +Two complementary SharpHound collection strategies now exist: -```bash -rusthound-ce -d corp.local -u svc.collector -p 'Passw0rd!' -c All -z -``` +- **GPO/SYSVOL parsing (stealthy, low-privilege):** + 1. Enumerate GPOs over LDAP (`(objectCategory=groupPolicyContainer)`) and read each `gPCFileSysPath`. + 2. Fetch `MACHINE\Microsoft\Windows NT\SecEdit\GptTmpl.inf` from SYSVOL and parse the `[Privilege Rights]` section that maps privilege/logon-right names to SIDs. + 3. Resolve GPO links via `gPLink` on OUs/sites/domains, list computers in the linked containers, and attribute the rights to those machines. + 4. Upside: works with a normal user and is quiet; downside: only sees rights pushed via GPO (local tweaks are missed). -2. **Import the ZIP, mark the compromised principal as owned**, then run built-in queries such as *Kerberoastable Users* and *Shortest Paths to Domain Admins*. This instantly highlights SPN-bearing accounts with useful group memberships (Exchange, IT, tier0 service accounts, etc.). -3. **Prioritise by blast radius** – focus on SPNs that control shared infrastructure or have admin rights, and check `pwdLastSet`, `lastLogon`, and allowed encryption types before spending cracking cycles. -4. **Request only the tickets you care about**. Tools like NetExec can target selected `sAMAccountName`s so that each LDAP ROAST request has a clear justification: +- **LSA RPC enumeration (noisy, accurate):** + - From a context with local admin on the target, open the Local Security Policy and call `LsaEnumerateAccountsWithUserRight` for each privilege/logon right to enumerate assigned principals over RPC. + - Upside: captures rights set locally or outside GPO; downside: noisy network traffic and admin requirement on every host. -```bash -netexec ldap dc01.corp.local -u svc.collector -p 'Passw0rd!' --kerberoasting kerberoast.txt --spn svc-sql -``` +**Example abuse path surfaced by these edges:** `CanRDP` ➜ host where your user also has `SeBackupPrivilege` ➜ start an elevated shell to avoid filtered tokens ➜ use backup semantics to read `SAM` and `SYSTEM` hives despite restrictive DACLs ➜ exfiltrate and run `secretsdump.py` offline to recover the local Administrator NT hash for lateral movement/privilege escalation. + +### Prioritising Kerberoasting with BloodHound -5. **Crack offline**, then immediately re-query BloodHound to plan post-exploitation with the new privileges. +Use graph context to keep roasting targeted: -This approach keeps the signal-to-noise ratio high, reduces detectable volume (no mass SPN requests), and ensures that every cracked ticket translates to meaningful privilege escalation steps. +1. Collect once with an ADWS-compatible collector and work offline: + ```bash + rusthound-ce -d corp.local -u svc.collector -p 'Passw0rd!' -c All -z + ``` +2. Import the ZIP, mark the compromised principal as owned, and run built-in queries (*Kerberoastable Users*, *Shortest Paths to Domain Admins*) to surface SPN accounts with admin/infra rights. +3. Prioritise SPNs by blast radius; review `pwdLastSet`, `lastLogon`, and allowed encryption types before cracking. +4. Request only selected tickets, crack offline, then re-query BloodHound with the new access: + ```bash + netexec ldap dc01.corp.local -u svc.collector -p 'Passw0rd!' --kerberoasting kerberoast.txt --spn svc-sql + ``` ## Group3r @@ -112,5 +123,6 @@ PingCastle.exe --healthcheck --server corp.local --user bob --password "P@ssw0rd - [HackTheBox Mirage: Chaining NFS Leaks, Dynamic DNS Abuse, NATS Credential Theft, JetStream Secrets, and Kerberoasting](https://0xdf.gitlab.io/2025/11/22/htb-mirage.html) - [RustHound-CE](https://github.com/g0h4n/RustHound-CE) +- [Beyond ACLs: Mapping Windows Privilege Escalation Paths with BloodHound](https://www.synacktiv.com/en/publications/beyond-acls-mapping-windows-privilege-escalation-paths-with-bloodhound.html) {{#include ../../banners/hacktricks-training.md}}