Episode 5: The State of APM – Graph Expansion
October 27, 2025
Host
Jared Atkinson
Chief Technology Officer,
SpecterOps
Host
Justin Kohler
Chief Product Officer,
SpecterOps
Guest
Elad Shamir
VP of Research and Development,
SpecterOps
In this episode of Know Your Adversary, hosts Jared Atkinson and Justin Kohler sit down with Elad Shamir, Head of Research at SpecterOps, to discuss the evolution and future of BloodHound OpenGraph. Elad shares how BloodHound has grown from a simple model into a powerful platform that maps complex attack surfaces across diverse environments. The conversation explores the challenges of modeling adversary tradecraft, the impact of hybrid paths connecting Active Directory and Entra ID, and how new capabilities like OpenGraph are accelerating innovation. Elad also introduces his philosophy of the Clean Source Principle, explaining how misaligned trust between systems often creates the very attack paths BloodHound is designed to uncover.
00:00:11:09 - 00:00:13:09
Jared Atkinson
Welcome back to the Know Your Adversary podcast.
00:00:13:09 - 00:00:16:26
Jared Atkinson
Today, we're joined by Elad Shamir, our Head of Research here at SpecterOps.
00:00:16:26 - 00:00:28:15
Jared Atkinson
And we're going to talk about kind of the BloodHound graph and some of the work that we've put in over the past year, and maybe look forward a little bit into what we're going to be doing over the upcoming year and how we're expanding the graph.
00:00:28:15 - 00:00:36:06
Jared Atkinson
So how are we adding new platforms, new edges, new tradecraft into the graph? So the customers have... I like to say this:
00:00:36:06 - 00:00:41:04
Jared Atkinson
The map is not the territory. And the idea is, the territory is the actual attack surface that
00:00:41:04 - 00:00:45:05
Jared Atkinson
adversaries are taking advantage of. The map is our representation of that.
00:00:45:10 - 00:00:53:23
Jared Atkinson
And we want to try to get our map to be as close to the actual territory as possible, while maybe ignoring some things that maybe don't matter as much. But
00:00:53:23 - 00:01:01:09
Jared Atkinson
one of the things that Elad's team is doing is constantly trying to understand what's the tradecraft that adversaries are using to be successful in environments,
00:01:01:09 - 00:01:07:12
Jared Atkinson
and how do we make sure that we recognize the ability to see that in our customers' environments?
00:01:07:14 - 00:01:15:08
Justin Kohler
So Elad, welcome. Yeah. I think before we get started on that, can you give us, like, kind of a history lesson? Like, where did we come from? Kind of where we are at now, in terms of, like...
00:01:15:08 - 00:01:31:13
Elad Shamir
So we've come a very long way. In the beginning, the model, the graph, was very simple: there were computers, users and groups, and you had MemberOf, AdminTo, and HasSession, pretty much.
00:01:31:15 - 00:01:47:12
Elad Shamir
And nowadays we have over 30 node types and well over 100 edge types. So it has exploded over the years. And now, with the introduction of OpenGraph, we expect it to accelerate even more.
00:01:47:12 - 00:01:55:21
Justin Kohler
How do you start? Is it, like... obviously we have a consulting team at SpecterOps. Like, where do you take a signal from on where we should expand next?
00:01:55:21 - 00:02:08:08
Justin Kohler
Is it personal interest from the team of researchers you have? Is it, like, exposure on consulting engagements? And/or is it customers asking for us to expand to this? Like, so how do... what's that balancing act, I guess?
00:02:08:08 - 00:02:18:24
Elad Shamir
It's a bit of everything. So yes, there are things that we see on, you know, engagements, and then we refine that tradecraft and model it into nodes
00:02:18:24 - 00:02:48:15
Elad Shamir
and edges. There are things that the community contributes. Sometimes they contribute just the research, sometimes they contribute actual graph extensions. Sometimes we just follow our spider senses to figure out what area we should dig into and discover new tradecraft. And I should say that not all tradecraft is easily represented as nodes and edges.
00:02:48:17 - 00:03:03:02
Elad Shamir
Sometimes it doesn't quite fit. Sometimes you need to get a bit creative. We'll talk about NTLM relays in a bit, and then we'll see. That was actually not that straightforward, to represent that
00:03:03:02 - 00:03:09:28
Elad Shamir
in the form of nodes and edges.
00:03:09:28 - 00:03:11:13
Justin Kohler
Yeah. Can you explain, like... I mean, you kind of left off at it, you might want to just go right into it. What was the struggle with representing NTLM?
00:03:11:13 - 00:03:39:27
Elad Shamir
The struggle is that NTLM is an authentication protocol, and nodes and edges, or edges actually, represent an abuse primitive, something that we can actually take advantage of to take over a resource. So authentication alone is not enough. Authentication gets you a session. What can you do after you have the session?
00:03:40:00 - 00:04:06:20
Elad Shamir
is the big thing that we need to figure out. So, in the event, I guess, of NTLM relay attacks, there's also the question of how do you get into the middle position that actually allows you to perform that attack. So we combined two different attack primitives, authentication coercion and the NTLM relay attack, into a single edge, CoerceAndRelayNTLMTo
00:04:06:20 - 00:04:39:26
Elad Shamir
whatever protocol we're targeting, to create something that we can actually traverse on the graph to take over a resource. And of course, we also need to take into consideration what access the client in that interaction, what we like to call the relay victim, has on the relay target, because that ultimately determines whether you can take over the resource or not.
00:04:39:29 - 00:04:46:11
Elad Shamir
So quite a lot goes into that. And the reason we decided to
00:04:46:11 - 00:04:56:11
Elad Shamir
actually tackle that, well, there are a few reasons. Obviously, it's a very prevalent attack nowadays, but also
00:04:56:11 - 00:05:07:04
Elad Shamir
connecting all the dots to figure out what is it that you can relay, from where to where, to take over what, requires running lots of different tools for enumeration.
00:05:07:06 - 00:05:22:27
Elad Shamir
Each tool produces a list. Then you need to sort of cross-reference the lists, see where you have a match. And we don't like to do that. Attackers think in graphs, right? So what we wanted to do was to enable attackers to think in graphs once again.
00:05:22:27 - 00:05:36:26
Jared Atkinson
Yeah, that actually goes back to... we had previously described kind of what the impetus was for Andy and Rohan and Will to create BloodHound, which was we were collecting a bunch of information, putting it into an Excel spreadsheet, using pivot tables.
00:05:36:28 - 00:05:55:22
Jared Atkinson
You've definitely told me, and you just described it, for NTLM relay it was a very similar problem. And so it was like, okay, it's literally the same problem that I'm experiencing. So there must be a similar solution to kind of bring that to fruition, so that we can do it in a more efficient, quick manner.
00:05:55:22 - 00:06:26:17
Elad Shamir
There's so many different NTLM relay scenarios out there. We modeled 3 or 4 major ones, specifically those that involve authentication coercion of a computer account and then relaying that to either SMB, LDAP or ADCS. There are many others. Not all NTLM relay attacks involve coercion, not all NTLM relay attacks involve a computer as the relay victim.
00:06:26:20 - 00:06:44:12
Elad Shamir
So there's more that we can potentially model in the future. The challenge is, how do we turn all these scenarios into nodes and edges, and how do we collect all the information that we need to actually
00:06:44:12 - 00:06:55:26
Elad Shamir
determine that it is viable.
00:06:55:26 - 00:07:03:19
Justin Kohler
This is kind of a potentially silly question, but do you have a favorite piece of tradecraft that we have implemented over the last couple of years? Like, what's an edge or thing that we've done on the research team that you've been like, that was really cool, like the way that we did that?
00:07:03:19 - 00:07:20:14
Elad Shamir
In terms of graph expansion, I think the hybrid paths that we introduced exactly a year ago. Yeah, that was it. Until that point, we had almost two separate subgraphs
00:07:20:16 - 00:07:41:18
Elad Shamir
in BloodHound, the Active Directory graph and the Azure Entra graph. And there were no edges connecting the two. And maybe I shouldn't say that, but the AD side was very interesting and we had a lot of tradecraft there. There was a lot of technical debt in those environments over the years that created a lot of beautiful and interesting paths.
00:07:41:18 - 00:08:14:14
Elad Shamir
But the Entra side was a bit boring. Yeah, yeah. And once we introduced just a couple of edges connecting the two subgraphs, things exploded, really. We started finding such beautiful paths going from AD to Entra and back again, sometimes even crossing forest boundaries, when you had multiple forests synchronized to a single Azure tenant.
00:08:14:17 - 00:08:19:21
Elad Shamir
And that was a game changer. I think you'll agree with that.
00:08:19:21 - 00:08:33:28
Jared Atkinson
Yeah, yeah, I think it looked very different once we got that going. Elad, as we begin to move forward, I think you in particular are very interested in how this hybrid thing expands beyond just the relationship between AD and Entra.
00:08:33:28 - 00:08:34:19
Jared Atkinson
Right. There's
00:08:34:19 - 00:08:59:27
Jared Atkinson
as we start to add more platforms, there's going to be these hybrid kinds of relationships between them. And so the ability to compromise one platform potentially gives us the opportunity to escalate in another platform. One thing that we've looked into is, for instance, GitHub. And so imagine that, even if you don't have escalation primitives within GitHub, if you've connected GitHub to Entra via SSO,
00:09:00:00 - 00:09:18:25
Jared Atkinson
and you compromise a user and then you're able to get access to GitHub, maybe you don't have sufficient permissions to access a repository or code, or have the impact that you want. You would be able to see, oh well, what other user does have that access? And then you go back to the Entra chain, you know, you find your attack path in there, you change users, and then you go back up to GitHub.
00:09:18:25 - 00:09:30:08
Jared Atkinson
So it's this constant thing of, if I don't have what I need in my target platform, I can go back down via some hybrid relationship, change, and then go back up. So there's this constant, like, back and forth between platforms.
00:09:30:08 - 00:09:36:07
Elad Shamir
Yeah, absolutely. And if I'm also going to say platform, the question is, what do you mean by platform?
00:09:36:14 - 00:10:05:13
Elad Shamir
Yeah, some platforms can be, you know, an IDP, and then that IDP is really responsible for authenticating principals, and so you can perform all sorts of identity attacks on the IDP side so you can impersonate whomever you like on the other platform, GitHub or whatever SaaS provider. And then there's also the question of, how do users actually establish their session to that platform?
00:10:05:15 - 00:10:27:27
Elad Shamir
You have to log into some device somewhere. If it's an AD-joined device, you can get to the device through AD, steal a session, steal a cookie, whatever, and get to that third-party SaaS platform. So yeah, there are so many different types of hybrid paths that we can still model and expand the graph.
00:10:27:27 - 00:10:41:19
Justin Kohler
But do you think that, like... it's funny that we've seen that too, like, on the customer environment side, where you may have done a really good job at one platform.
00:10:41:19 - 00:11:03:28
Justin Kohler
So I'm just, like, to say it, but you just said, yeah, going back and forth to traverse the separation, you put it into one, right? Like, I can hop back and forth. On the hybrid path thing, is it... I don't know if this is, like, a valid question or not, but is a hybrid path, like, a contrived thing? And what I mean by that is, like, AD to, like, the Windows endpoint.
00:11:03:28 - 00:11:24:21
Justin Kohler
Right? So imagine, like, a subgraph of just the Windows host. Do you think that, like, a hybrid path, or the concept of different platforms, is that useful because we think in separation of those platforms, or is that a real thing? In other words, would we expect that we should not think in, like, Active Directory versus Entra ID?
00:11:24:21 - 00:11:30:10
Justin Kohler
Right. Always think of them as mixed systems,
00:11:30:10 - 00:11:44:03
Elad Shamir
you know. I mean, I see what you mean. And I think you're right. I think we shouldn't think of them as separate systems, because they're components of an entire ecosystem. It's a network, right? Once you've networked things together...
00:11:44:03 - 00:11:51:20
Jared Atkinson
Especially at the authentication. So there's, like, the physical network, but then there's the network within the authentication substructure.
00:11:51:20 - 00:11:55:28
Jared Atkinson
Right. It's like, once you've connected the authentication mechanisms, they are now the same environment.
00:11:55:28 - 00:12:15:15
Elad Shamir
Yeah, I have a whole philosophy about that too. Like, you know that I like talking about the Clean Source Principle and security dependencies. So in my mind, once you authenticate to one platform from devices or whatever resources in another system, you create a security dependency between the two systems.
00:12:15:18 - 00:12:47:23
Elad Shamir
And then, if the systems are not equally trustworthy, or the trustworthiness hierarchy is not correctly set, you violate the Clean Source Principle and then you create attack paths. That's my philosophy. I think that every single edge in BloodHound can actually be traced back to a violation of the Clean Source Principle. And honestly, most of the attacks that we actually see in the wild, especially on red teams
00:12:47:23 - 00:12:52:22
Elad Shamir
and ops, can be traced back to a Clean Source Principle violation.
00:12:52:22 - 00:13:21:15
Justin Kohler
Yeah. So, like, just a really clear example: we have a domain controller, or you have an agent on that domain controller. Every person who has access to that agent should be treated the same as, like, a domain admin. To take this to, like, the level of recent kind of news, I don't know when this is going out, but Mandiant just released this ESXi, like, report on how an attacker takes over ESXi to then dump creds from a DC.
00:13:21:15 - 00:13:39:21
Jared Atkinson
Right. So imagine that you have a hypervisor and it's virtualized, or it's virtualized in a DC. So your DC is running on ESXi. But then, if you have an admin of ESXi who is not... that admin is effectively a domain admin, because they have control over a virtual machine which is a domain controller, physical access.
00:13:39:23 - 00:13:45:04
Jared Atkinson
And so if you don't treat your ESXi cluster admins the same as you treat your domain admins, then you have a Clean Source Principle violation.
00:13:45:04 - 00:14:00:27
Elad Shamir
And it's nothing new. We've been doing it on red team operations for years, and I guess real threat actors have been doing that too. And I think that's a very common oversight. Okay, everyone understands that
00:14:00:28 - 00:14:29:29
Elad Shamir
the domain admins need to be protected adequately, with workstations and everything and whatever, you know, all the beautiful things that you can protect them with. But they don't really realize that ESXi admins, or even the EDR... Oh, yeah. Analysts, users, operators that can control the EDR agent
00:14:30:05 - 00:14:34:15
Elad Shamir
that sits on your domain controller effectively have
00:14:34:15 - 00:14:39:10
Elad Shamir
the same level of access. Yeah. And that's a very common oversight.
00:14:39:10 - 00:14:43:13
Elad Shamir
So the same thing goes for backups.
00:14:43:15 - 00:15:13:02
Elad Shamir
Oh, yeah. Yeah, yeah. Many people and many organizations don't protect their domain controller backups as well as they do the domain controllers themselves. And then you can abuse that a couple of different ways. If you have read access to the backups, you can then pull out the DIT file and extract credentials. And conversely, if you can write to the backup, just change passwords, and then it's just a matter of time until they have to restore from backup.
00:15:13:02 - 00:15:17:21
Elad Shamir
And then you have your backdoor deployed into the domain controller.
00:15:17:21 - 00:15:40:12
Jared Atkinson
You talk about privileged access workstations. I think one of the major problems is that people view these kinds of security controls very narrowly, within the context of whatever scenario caused that thing to be created. So privileged access workstations, it's like, well, that's a Microsoft concept, and it was created for, like, domain administrators or people that have privilege within the domain.
00:15:40:14 - 00:16:01:28
Jared Atkinson
But then, one of the things that we see often, you kind of implied that, is if I'm on my computer and I browse to Snowflake, and I'm an admin of your Snowflake environment, but I'm just a normal user in AD, you're not protecting my computer as well as you probably should, because there's this Clean Source Principle violation, right?
00:16:01:28 - 00:16:17:16
Jared Atkinson
Because by compromising my computer, you can compromise my Snowflake account, which then gives you access as an environment admin within Snowflake. But I'm just a normal user, and so maybe you're not applying that same privileged access workstation kind of approach that you should be in that scenario.
00:16:17:16 - 00:16:27:15
Elad Shamir
Yeah. Or, in terms of the Clean Source Principle, your workstation is not as trustworthy as the Snowflake admin in that case.
00:16:27:25 - 00:16:43:17
Justin Kohler
Yeah, yeah. So we just recently announced OpenGraph. I'm curious, like, what... is there anything that you're looking forward to out of, like, OpenGraph, whether it's for your team or for, like, the broader BloodHound community?
00:16:43:17 - 00:16:52:13
Elad Shamir
Yeah. So it's really a game changer. Everything is so easy and so fast now with OpenGraph.
00:16:52:16 - 00:17:17:02
Elad Shamir
Until now, whenever we wanted to add a new node or a new edge, we had to actually change the code, the BloodHound code. And that takes a lot of time and effort. And then it needs to go through the review process to get merged into the product. It takes a lot of time. With OpenGraph, we can skip all that. You basically just upload a JSON payload, and that's it.
00:17:17:02 - 00:17:41:28
Elad Shamir
You have your nodes and edges in there. Within a couple of weeks from when OpenGraph was available, our team had, like, I don't know, 3 or 4 new extensions ready in no time. That was phenomenal. Things that until then took a month to achieve, we put them through in just a matter of weeks. Yeah.
00:17:42:00 - 00:17:54:02
Elad Shamir
There's still a long way to go with OpenGraph. Yeah, we have quite a backlog of new features and capabilities we want to see in OpenGraph to support everything that BloodHound can do. But
00:17:54:02 - 00:18:00:04
Elad Shamir
we'll get there. We'll get there very soon, I think. Very soon. You got that? Yeah.
00:18:00:04 - 00:18:06:14
Jared Atkinson
I think we're good to go on this, but thank you, Elad, for joining us on this episode of the Know Your Adversary podcast.
00:18:06:14 - 00:18:07:04
Jared Atkinson
And,
00:18:07:04 - 00:18:12:08
Jared Atkinson
we'll see the people watching next time.
00:18:07:04 - 00:18:12:08
Elad Shamir
Thanks for having me.