BloodHoundAD / BloodHound

Six Degrees of Domain Admin


Password/Secret Re-use Ingest Capability

doomerhunter opened this issue · comments

Hi,

First, thanks a lot for developing and maintaining this tool. I'd like to request / suggest a new feature, though it might be considered out of the scope of BloodHound.

Once a domain is compromised, it is possible to quickly map credential issues within the domain. Here are a few examples:

  • Local password reuse between computers
  • Password reuse between local account and domain account
  • DPAPI secrets
  • ...

These credential issues cannot be seen through BloodHound, as they are not relevant during the cartography of an AD domain.

However, they yield very interesting information on the compromise paths that might be taken by a threat actor and can be quite useful to provide a more "in-depth" map of the overall risk scenarios (both for the RT operator / pentester as well as for blue teams).

Option 1

A useful feature would be to allow the final user to import a file that would allow BloodHound to map these "hidden links".
Depending on the security model, the hashes / passwords might not be stored, but a simple reference could be stored.

For example, new attributes could be created such as:

  • shareslocalpasswordwith: Account + UUID combo representing a login+password combo shared between multiple computers
  • DPAPIpasswords: List of accounts for which the password can be retrieved through the DPAPI. Could be used to map relationships for "shortest path" queries, for example

Option 2

If this solution might be considered too complex / not in the scope of BloodHound, another approach could also let the end-user "customize" the graph:

For instance, it could be possible to add a menu option similar to "right click > mark as owned" to allow the end-user to add a custom edge on another computer. E.g.: "right click > mark owned credentials" -> specify target (computer, account...).

This custom edge would then be displayed in the shortest path queries.

Once again, thanks for this tool :)
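
Added example (not part of the original issue, and not BloodHound code): a sketch of Option 1's "store a reference, not the hash" idea, deriving an opaque UUID per login+password combo with a keyed HMAC and emitting per-computer values for the proposed `shareslocalpasswordwith` attribute. The row format, the function names `reuse_references` and `to_node_attributes`, and the `audit_key` parameter are assumptions made for illustration; the sample rows are constructed.

```python
import hashlib
import hmac
import uuid
from collections import defaultdict

# Constructed sample rows (computer, local account, NT hash); the hash values
# are made up for illustration and do not correspond to real passwords.
SAMPLE_ROWS = [
    ("WS01.corp.example", "Administrator", "0123456789abcdef0123456789abcdef"),
    ("ws02.corp.example", "administrator", "0123456789ABCDEF0123456789ABCDEF"),
    ("SRV01.corp.example", "Administrator", "0123456789abcdef0123456789abcdef"),
    ("SRV02.corp.example", "Administrator", "fedcba9876543210fedcba9876543210"),
    ("WS03.corp.example", "svc_backup", "0123456789abcdef0123456789abcdef"),
]


def reuse_references(rows, audit_key):
    """Map (account, opaque reference) -> computers sharing that login+password.

    The reference is a UUID cut from HMAC-SHA256(audit_key, account:hash), so
    the graph never holds the hash itself, and without the key the reference
    cannot be tested offline against candidate passwords.
    """
    groups = defaultdict(set)
    for computer, account, nt_hash in rows:
        account = account.lower()
        msg = f"{account}:{nt_hash.lower()}".encode()
        digest = hmac.new(audit_key, msg, hashlib.sha256).digest()
        ref = str(uuid.UUID(bytes=digest[:16]))
        groups[(account, ref)].add(computer.upper())
    # A combo seen on a single computer is not reuse; drop it.
    return {k: sorted(v) for k, v in groups.items() if len(v) > 1}


def to_node_attributes(shared):
    """Per-computer values for the proposed (hypothetical) attribute."""
    attrs = defaultdict(list)
    for (account, ref), computers in shared.items():
        for computer in computers:
            attrs[computer].append({"account": account, "ref": ref})
    return {c: {"shareslocalpasswordwith": v} for c, v in attrs.items()}


if __name__ == "__main__":
    key = b"constructed-per-audit-key-000000"  # assumption: random, kept out of the graph
    for node, props in to_node_attributes(reuse_references(SAMPLE_ROWS, key)).items():
        print(node, props)
```

Because the reference is keyed on account and hash together, `svc_backup` on WS03 does not join the `Administrator` group even though its constructed hash is identical; that matches the issue's "login+password combo" wording.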