Episode 7: The State of APM – Community Contributions

November 24, 2025

Host

Jared Atkinson

Chief Technology Officer,
SpecterOps

Host

Justin Kohler

Chief Product Officer,
SpecterOps

Guest

Christopher Maddalena

Director of Internal and Community Projects,
SpecterOps


In this episode of Know Your Adversary, Jared Atkinson and Justin Kohler sit down with Christopher Maddalena to explore how open-source contributions continue to shape the evolution of attack path management. Christopher breaks down how community tools have moved from raw data dumps to polished, digestible insights that plug directly into BloodHound.

The team also discusses how researchers are expanding the attack graph across identity, cloud, and infrastructure systems, and how new interfaces, such as OpenGraph, make analyzing complex environments faster and more accessible. Whether you’re a defender or researcher, this episode highlights how open-source innovation is accelerating visibility across modern hybrid attack surfaces.

00:00:11:26 - 00:00:12:09
Justin Kohler
Hi.

00:00:12:09 - 00:00:13:25
Justin Kohler
Welcome to

00:00:13:25 - 00:00:17:10
Justin Kohler
Know Your Adversary. We're exploring open source contributions with attack

00:00:17:10 - 00:00:20:25
Justin Kohler
path management today with Christopher Maddalena. My name is Justin Kohler,

00:00:20:25 - 00:00:22:27
Justin Kohler
and this is Jared Atkinson. So

00:00:22:27 - 00:00:34:20
Justin Kohler
open source contributions and, like, just the open source ethos. This is kind of, like, core to SpecterOps, but can you talk a little bit about, like, open source contributions to, kind of, the project, attack paths in general,

00:00:34:20 - 00:00:35:05
Christopher Maddalena
yeah.

00:00:35:06 - 00:00:44:02
Christopher Maddalena
Yeah. So we've been looking at, like, the past year of what's been contributed specifically to attack path management.

00:00:44:02 - 00:00:50:21
Christopher Maddalena
And what we've seen is that a lot of things are, in some cases, like, old news. Like, file share triaging

00:00:50:21 - 00:00:54:18
Christopher Maddalena
has been a problem forever. Looking at GPOs has been a problem forever.

00:00:54:20 - 00:01:20:05
Christopher Maddalena
There's still been some cool stuff that came out in the last couple of years, like PowerHuntShares, GPOHound. But what's evolved is making that stuff kind of like you both talked about in an earlier episode. It's like BloodHound, how we came from, like, a trust visualizer and pivot tables to something like a graph. It's much easier to use and browse and see, you can get pretty pictures out of it to put into a report, or it makes it much more digestible.

00:01:20:11 - 00:01:37:25
Christopher Maddalena
Yeah. And so, like, if you look at, say, like, PowerHuntShares, they took again something that used to be, like, a bunch of PowerShell output, a CSV file that you pore over. Maybe if you were lucky, a tool, maybe, like, a little HTML table or something for you to go through, and now it makes, like, a much nicer looking little HTML application that opens up.

00:01:37:27 - 00:02:00:12
Christopher Maddalena
Things look really nice. They're styled. It makes it much more digestible. And then even that project started experimenting with pushing that into the BloodHound data so you could actually have like a, an edge added to BloodHound that said, like, there's a permissive file share, or a bad GPO, that it is, you know, adding that edge there so you can actually find a path through BloodHound.

00:02:00:14 - 00:02:22:04
Christopher Maddalena
So again, all in service of not really solving that problem. It's not really solvable, but making it so it's much more digestible so that a defender can take that data and actually triage with it and know how to prioritize. And you maybe see that in BloodHound if BloodHound’s their interface, like that's their lens that they're looking at all that now it all has one home and they can actually see that edge there and maybe understand it better of like, what is the

00:02:22:04 - 00:02:23:03
Christopher Maddalena
actual threat here.

00:02:23:07 - 00:02:45:13
Justin Kohler
So you named PowerHuntShares as one example. Do you see, like, different categories of open source contribution when it comes to, like, attack paths? Like, maybe specific to BloodHound, but not just, like, attack paths in general, of different categories. Like, I think of, like, extending the graph as one kind of category. So, like, you know, BloodHound historically was really focused on Active Directory and then moved to Azure.

00:02:45:13 - 00:03:04:07
Justin Kohler
But other people have other things, right, that they want to cover. So, like, that's KubeHound came in from the Datadog team to explore Kubernetes attack paths. So, like, that would be, like, an expansion of the graph. But then there's also other things like, you know, LLMs and MCP servers for how to interact with these tools in a way that's more approachable.

00:03:04:07 - 00:03:14:29
Justin Kohler
Like I don't know how to write a specialized query to find this thing, but I know what I'm looking for. So can I use this new thing to like? So how do you think about the categories of, different contributions?

00:03:17:12 - 00:03:19:20
Christopher Maddalena
I think there's definitely categories because there's there's

00:03:19:20 - 00:03:43:04
Christopher Maddalena
all sorts of research, especially as you start to look at, like, identity, kind of, because, like you mentioned, we were once focused very much on Active Directory. Yeah. And that was just, that was the common denominator across attack paths. If you could get into Active Directory or get your hands into things there, you found a way to get places, you know, and then some people would maybe be more focused on, like, Linux tradecraft, but that was the environments they were in.

00:03:43:06 - 00:04:07:20
Christopher Maddalena
Things like that became specialized in one area. But as things have evolved and now, like, identity providers are much more, like, the edge you're trying to go after, that's a whole new world of research and things to look into. So there's all that happening, and, you know, like, BloodHound has evolved with, like, Entra ID and Azure things to adapt to that as well.

00:04:07:23 - 00:04:32:25
Christopher Maddalena
And I think one of the core themes that I see, like, looking over the projects that I have, like, the last couple of months, is just making that information digestible, making it something that someone can actually understand, both just for maybe, like, the pen tester, the red teamer, like, the person that's actually trying to use the data to go do something and prove out the impact, but also you gotta hand it over to someone eventually and explain to them what was the impact.

00:04:32:28 - 00:04:45:04
Christopher Maddalena
Yeah. And that's always been one of the biggest challenges for red teamers. Like, the report is, it's like you're the final boss of that assessment. Now, how do I actually explain why someone should care about anything I

00:04:45:04 - 00:04:53:26
Justin Kohler
just did. Yeah. It's like I could say the same thing in a report form or written out or like BloodHound was it was pivot tables, like back in the day.

00:04:53:26 - 00:05:15:05
Justin Kohler
Right. But seeing it as a path from A through assets B, C, and D to get to X, right, it paints a different picture. So it's like, yeah, what you're saying, it's like it's more approachable, like, taking, like, maybe adversary tradecraft that's developed for a Linux environment or an AWS environment and graphing it so that more people can understand that. Yeah,

00:05:15:05 - 00:05:15:28
Justin Kohler
it's really cool.

00:05:15:28 - 00:05:31:10
Christopher Maddalena
And being able to draw the connections between them. Yeah. For, like, you know, you'd be talking about protocols and things like that that people wouldn't understand. It's like being able to show them in a graph. No, no, no. Here's how they connect. Okay, well, I can see, like, these, like, following GPS directions. Yeah. Versus giving someone, like, yeah,

00:05:31:10 - 00:05:51:04
Christopher Maddalena
go down there, you turn left at the big oak tree and then you'll know when you see it. It's like if I just show you on a map, right, it's much easier to digest and, like, okay, that's where I get, that's how you got there. And like you mentioned, MCP servers. Those, we have seen people move, like, LLMs into, like, BloodHound.

00:05:51:04 - 00:06:08:26
Christopher Maddalena
And, you know, just in general, like, attack path tradecraft, trying to bring that in. I mean, there's different areas of research there too, where people have just, like, hooked up LLMs to, like, Mythic C2 and had it operate an agent completely autonomously just to see what it would do, or to give it instructions and have it try to work through a lab.

00:06:08:29 - 00:06:28:18
Christopher Maddalena
But also we have, like, these, there's been a couple of BloodHound MCP servers that opened up, you know, over this past year that are trying to make it more approachable to become, like, a power user of BloodHound. Yeah. Where historically, if you wanted to be a power user, you're writing your own Cypher queries. And that can be pretty daunting to understand.

00:06:28:18 - 00:06:47:20
Christopher Maddalena
How do you actually write this query out? Or, for example, there's been lots of projects. I wrote one years ago, and there's been a ton of others, like, Walter and others have made them, like, interfaces to BloodHound where you can try to ask it questions, where it had built-in queries, whatever, or did pull-outs on the data that wasn't in the graph.

00:06:47:22 - 00:07:07:28
Christopher Maddalena
Exactly. Like, if you want a count of domain admins, it'd be a really simple data point. You couldn't see that in the graph easily. Yeah, you go into, like, the Neo4j console and actually run the query and pull out, like, okay, here's my CSV file of how many domain admins, how many groups, or, you know, how many people are in this group, etc.

00:07:08:00 - 00:07:29:12
Christopher Maddalena
People made interfaces into BloodHound to get that data because, at the end of the day, I mean, getting back to making things more digestible. BloodHound, even if you didn't even necessarily need to graph, like, just the BloodHound, like, I have a database of everything in Active Directory. If I just want to pull out a data point in my report, right, if I need to know something, it's much easier to query the BloodHound data I already have versus trying to find that Active

00:07:29:12 - 00:07:30:08
Christopher Maddalena
Directory tool.

00:07:30:13 - 00:07:49:14
Justin Kohler
Yeah, I think, another example, like, the MCPs I mentioned, like, BloodHound queries or Cypher, but, like, you could apply it, right. Like, that's why, yeah, people are really excited about using it for, like, KQL, for example, or you name it. Right? A lot of people don't have the time to dedicate to, like, understanding how that works.

00:07:49:14 - 00:08:12:17
Justin Kohler
Now, the projects that are really exciting. Yeah, we're exploring some of that internally here at SpecterOps and how we use, kind of, LLMs, or natural language, or, like, generative AI to enhance BloodHound. Just as an aside, when you use those, be careful, because they can generate queries that function or return,

00:08:12:19 - 00:08:24:19
Justin Kohler
they actually don't look for what you think they're looking for. Yeah. So it just helps to have that background knowledge. You can't totally trust it. You have to be able to read it and kind of decipher what it's saying the query is doing.

00:08:24:19 - 00:08:28:23
Christopher Maddalena
Yeah, it's a tricky subject because you're also getting to the fact that you're,

00:08:28:23 - 00:08:36:02
Christopher Maddalena
you want to be careful around, you're taking in lots of, unless you're working in a lab, sensitive, like, Active Directory data, or,

00:08:36:02 - 00:08:38:10
Christopher Maddalena
Yeah, exposing it to a third party LLM.

00:08:38:10 - 00:08:45:04
Justin Kohler
Yeah. Yeah. That's that big disclaimer, right? Yeah. For some of these, make sure, you know, it's just to say, it's like, yeah,

00:08:45:04 - 00:09:03:10
Christopher Maddalena
yeah, yeah. Like what we're talking about. Before we get to that topic of, like, the MCP servers, one thing they're doing right now, and I'm sure they'll mature and change, is that one of the primary goals today, as they exist today, is making it possible for you to go to, like, Claude Desktop or something,

00:09:03:10 - 00:09:20:04
Christopher Maddalena
and say, hey, how do I get from point A to point B in this BloodHound data? And then it's creating the query. It's going in there and it's finding it for you, if you didn't know how to actually write that Cypher query with the right filters or whatever to filter down your attack path to see that, rather than just clicking, like, show me the shortest path.

00:09:20:06 - 00:09:37:15
Christopher Maddalena
And that's really, really cool. Like you said, it could be a Cypher query that, yeah, you know, one of the jokes that you get is, like, vibe coding, or, like, you're asking an LLM, hey, can you write me this Golang function that does this? Eventually you might be like, all right, I need you to process that image and then give me out the, you know, help out with this.

00:09:37:17 - 00:09:45:22
Christopher Maddalena
And it's like, well, no, no, it didn't work. Please try it again. Eventually you get there. Like, wow, it works. This is amazing. Then you see that the function is, like, just at the end, it just outputs the same

00:09:45:22 - 00:09:50:10
Christopher Maddalena
image every time. Yeah, yeah. It's not actually doing the processing.

00:09:50:10 - 00:09:58:01
Justin Kohler
Yeah. So I hope to have some of that background knowledge on that, on exploring the graph or expanding the graph.

00:09:58:02 - 00:10:20:00
Justin Kohler
Right. So we've taken this internally. Right. Primarily your team is expanding that graph, and we've seen other teams, yeah, do that in different technologies. So whether that be KubeHound, or the file sharing stuff out of NetSPI, kind of expansions too. But part of that was because of the difficulty of getting it into BloodHound.

00:10:20:03 - 00:10:40:20
Justin Kohler
Yeah. And I can say this on our side, the schema was very focused on what we looked at as Active Directory data versus Azure data. It wasn't just, like, a generic schema, which caused a lot of problems. Right? Like, I mean, when we talked to the Datadog folks, they were saying that they wanted to get it into BloodHound, but they couldn't.

00:10:40:20 - 00:10:57:28
Jared Atkinson
It was just, yeah, I think it was. It's obvious from the name, right? KubeHound, for instance, that there was some inspiration related to BloodHound. And, yeah, they had told us that there was interest in getting it into BloodHound, but it was just too onerous of a process to actually go through the, like, the integration steps.

00:10:57:28 - 00:11:18:21
Jared Atkinson
And we understand that. And so then the kind of the troublesome part of that is then they end up having to create the actual application that's going to view the graph and display the graph. And that's, first of all, a waste of resources, right, to have to do all that. But also you lose the ability to interconnect everything.

00:11:18:24 - 00:11:52:23
Jared Atkinson
Right? So, whether or not KubeHound or PowerHuntShares or whatever was tightly integrated into what the existing graph schema would have been, PowerHuntShares probably more likely because it is Active Directory based, authentication. Right. If you extract that from, kind of, what we call, like, the global graph, then you're losing those hybrid paths or those interconnected paths that allow you to see how the compromise of one system facilitates the compromise of the other system.

00:11:52:23 - 00:12:13:21
Justin Kohler
Yeah. So, like, just to put a really fine point on it, if we developed another tool to analyze AWS attack paths, but that was completely separate, we would have to duplicate all the work to have the front end and, like, the visualization, but we would also miss out on the connections between maybe AWS and on-prem or our Azure cloud.

00:12:13:21 - 00:12:31:28
Justin Kohler
Like, you don't get that visibility because we're not the same tool. And that's, like, again, that was a friction point previously. That was just too difficult. Yeah. And, like, I don't know that everybody agrees with me on this, but I watched this, there's this documentary on Netflix about TerraVision, which eventually became Google Earth.

00:12:32:00 - 00:12:49:19
Jared Atkinson
And one of the things that they really, like, focused in on was the ability, if you open Google Earth, you start with, like, a picture of the globe, right? The Earth. And then they have the ability to, like, infinitely zoom in until you get to, they probably didn't have Street View at the time, but imagine that it goes from you see the entire Earth all the way down to Street View, and you're changing,

00:12:49:21 - 00:13:10:10
Jared Atkinson
you're changing the granularity or the level of focus. Imagine that that exists in this graph, to where you have the Active Directory graph, you have the Azure graph, but then you zoom out and you see, like, the continental graph. Right. Which shows the relationship, like, what are the pathways between Active Directory and Entra? What are the pathways between AWS and Kubernetes?

00:13:10:10 - 00:13:38:22
Jared Atkinson
Maybe you're using AWS IAM to manage the identities that are interacting with Kubernetes. And it's interesting just to look at Kubernetes, what are all the different ways that people can manipulate the aspects of Kubernetes to take control of a cluster or something along those lines. But it becomes extraordinarily interesting when you see that there's a relationship between Active Directory and AWS, and then there's a relationship between AWS and Kubernetes, and those, those kind of, like, interstate highways, though, which are connecting those.

00:13:38:22 - 00:13:51:14
Jared Atkinson
That's almost like the first problem that you should solve. Maybe they're on purpose, maybe they should be there. But you need to be aware of those. You need to take stock of those. And you need to understand, like, maybe where unintended consequences can come from. Yeah.

00:13:51:14 - 00:13:57:22
Justin Kohler
Like that. I can't emphasize this enough. Like, looking at it one technology at a time really doesn't give you the whole picture.

00:13:57:22 - 00:14:05:12
Justin Kohler
I mean, we don't even do that in, BloodHound doesn't do that in Active Directory, right? It doesn't just look at Active Directory. It's looking at

00:14:05:12 - 00:14:18:13
Justin Kohler
Active Directory and local host permissions. Because the two combined really show you privilege in a Windows or on-prem Active Directory environment. You can't just trust the domain controller. You also can't just trust the host.

00:14:18:15 - 00:14:37:13
Justin Kohler
You have to put the two together to really understand the true risk. And so the same thing with Kubernetes. Like, we were looking at some early work in Kubernetes attack paths, and we actually brought on our infrastructure engineering team to this discussion. It was really cool. They use Kubernetes every day to maintain our infrastructure.

00:14:37:16 - 00:15:07:07
Justin Kohler
And they were saying, if you just look at Kubernetes, that's cool, but we use Kubernetes and AWS. And so, like, that's only part of the problem. You have to understand IAM, everyone's, that we're using AWS to control Kubernetes. So it's super, super important to understand how those systems cross, which I think is why we're so excited with the recent announcement of OpenGraph, like, not only expanding into new technologies, but, like, existing open source contributions.

00:15:07:07 - 00:15:19:02
Justin Kohler
Like, I can just contribute faster. Yeah. So, I mean, OpenGraph, as the name implies, is an open schema that allows you to ingest arbitrary data into

00:15:19:02 - 00:15:28:08
Jared Atkinson
the BloodHound attack graph. Right. And so we've had a lot of opportunities and a lot of success in how we've actually implemented that.

00:15:28:10 - 00:15:32:01
Jared Atkinson
In fact, one of the founders of BloodHound, Andy Robbins, told

00:15:32:01 - 00:15:53:27
Jared Atkinson
told me that OpenGraph is the thing that has made him the most excited about BloodHound in the past five years. So that's a really kind of strong idea. Internally, Justin mentioned, my team is constantly doing research to find new tradecraft, to explore new platforms and the different attack graphs that are encompassed by that.

00:15:54:03 - 00:16:14:09
Jared Atkinson
Right. But then they previously had to turn that over to engineering, who then had to go through this entire onerous process to integrate all of that into the graph. Now engineering is building the capabilities for OpenGraph, which then basically pushes down the ability to the researcher to be able to actually implement it and see the results immediately.

00:16:14:09 - 00:16:32:27
Jared Atkinson
I think that's the actual, like, cool part. One of our researchers was looking into MSSQL, threw all the data into OpenGraph, and it actually found a new, like, bit of tradecraft, a new primitive for privilege escalation, that basically was like, because I

00:16:32:27 - 00:16:42:02
Jared Atkinson
was able to visualize this in the graph, I was able to see, like, an obvious problem that otherwise maybe wouldn't have been something that I would have stumbled upon,

00:16:42:02 - 00:16:48:17
Jared Atkinson
because it just, like, literally showed up that there was, you know, this thing had a relationship with this thing which had a relationship with this thing.

00:16:48:18 - 00:16:52:12
Jared Atkinson
It's like, oh, I can I can traverse that.

00:16:52:12 - 00:17:03:20
Jared Atkinson
And so then it became really, really cool. That's kind of the dream, right? Of what that can enable. Yeah. Because you're, you know, you're talking a little bit of allegory. If you make KubeHound its own application, you make to be awesome in its own application.

00:17:03:20 - 00:17:26:01
Christopher Maddalena
Not only have those engineering teams duplicated a bunch of effort, then it's like, all right, well, we fix one bug over here. Well, let's fix, not the other one, but definitely it's almost copy-paste for the UI. Everything on the back end is probably all the same. You're duplicating a bunch of effort, but then the users are also duplicating much effort, because they have to do, like, all right, I'm looking at AD over here, but what if I did want to go to AWS and back?

00:17:26:07 - 00:17:42:29
Christopher Maddalena
All right, let's go down to AWS Hound and then try to connect it yourself, extra. Yeah. You can find what would connect the two, like you were saying, the Google Earth analogy. If you were trying to think, all right, if I'm in the US and I want to visit Africa, how do I get there?

00:17:43:00 - 00:17:57:08
Christopher Maddalena
Well, it might be that you got to jump over to Canada. Actually, I can get a better flight out of Vancouver, go to that international airport and go to Africa. I'm like, oh, that's easier. So you kind of look at that like, oh yeah, you can look at just the United States and the interstates, and you know how all the states are connected.

00:17:57:10 - 00:18:12:12
Christopher Maddalena
That's all very natural. And, you know, all right, oh, Canada, it's right there. I don't know, Canada's Azure, like, oh yeah, there. It's all Microsoft, I can go to Azure really easily. But how do I get over to AWS over here? Like, oh, well, I can actually, if I go to Azure first, like, you can see those edges much more easily.

00:18:12:18 - 00:18:20:26
Christopher Maddalena
Yeah. Yeah. Visualize it. And then, yeah, like, the dream would be, like, oh, not only that, you found new tradecraft along the way, because now you can actually, it's the first time you could actually see it.

00:18:20:26 - 00:18:36:28
Justin Kohler
Yeah, yeah, yeah. Like, Jared, you had an example recently. But so before we publicly announced OpenGraph, we announced it internally, because we wanted to have already kind of put it through its paces and see what people could come up with.

00:18:37:00 - 00:19:00:13
Justin Kohler
I think we were kind of blown away by what people came up with. We didn't realize it was going to be that fast. I did actually explain the reasoning. Okay. Yeah, sure. So, we're looking at, one of the things that we find is that it's actually much simpler to just, like, do the research on platforms that we use internally at SpecterOps, just because you don't have to go through the process of, like, obtaining a license and all that kind of stuff, because we already have it.

00:19:00:16 - 00:19:18:24
Jared Atkinson
And so, just kind of playing around, one of the applications that I looked into was 1Password. So imagine that this is a password vault where we store passwords for all different kinds of resources. And as an attacker, if I can compromise 1Password, I now have the ability to kind of fan out to all kinds of different systems.

00:19:18:24 - 00:19:25:27
Jared Atkinson
Right. And as I was looking into that, I started at 12:30 in the afternoon and by,

00:19:25:27 - 00:19:37:01
Jared Atkinson
2:30, I had already built out kind of like a basic attack graph that allowed me to enumerate who are the users, what are the groups that they're a member of? What what are the vaults? What are the different items which are like the actual

00:19:37:01 - 00:19:39:20
Jared Atkinson
logins or the passwords that are in 1Password?

00:19:39:27 - 00:20:03:00
Jared Atkinson
And who has access to what? Who has the ability to steal passwords? So I had built the collection, which is a little bit contrived and janky. Probably not enterprise grade, we'd say. And I had built the actual visualization of the graph in less than two hours. So that's the level of speed that you're able to kind of gain from digging into it.

00:20:03:03 - 00:20:30:10
Justin Kohler
You're on the, probably. Yeah, because you're used to doing kind of this in BloodHound. But, yeah, I mean, just the concept of attack paths, there's also platform scale issues. So, like, AWS is significantly more, I don't even know much about AWS, but I know enough to know that it's significantly more complicated than 1Password. So there's definitely going to be examples where the access control system is significantly simpler and easier to understand, versus other platforms that are just, like, super convoluted.

00:20:30:10 - 00:20:51:27
Jared Atkinson
Right? And generally speaking, what we see are, there's, like, IdPs, identity providers. So your Oktas, your AWS, your Entra. And then there's going to be, kind of, like, service providers, which are things like GitHub, Snowflake, 1Password. I hesitate to say Salesforce because it's probably more complicated than, yeah.

00:20:51:29 - 00:21:03:21
Jared Atkinson
But, like, the service providers, there's probably, what would you say, like, a scale of simpler versus harder, but service providers are going to be significantly smaller problems to take on.

00:21:03:21 - 00:21:09:11
Jared Atkinson
As opposed to these identity providers, which are, like, major, major systems that you have to really dig

00:21:09:11 - 00:21:13:01
Christopher Maddalena
into. Right. But yeah, working with something that you already had.

00:21:13:01 - 00:21:31:22
Christopher Maddalena
Right. And that makes it pretty easy. I also imagine one thing I'm excited about, and hopefully we'll hear about it, because it would be an internal thing, but maybe we'll have a client that'll do it. You know, we work with clients that have, like, massive in-house custom applications. Yeah. Or whole workflows for their specific line of business.

00:21:31:22 - 00:21:46:18
Christopher Maddalena
Yeah, that thing doesn't exist outside of their company. But it's also, we've used it on red teams, like, as our attack path, because it is, like, hey, go after this thing, because this is our, this is everything. So if you can get in here, you can compromise this workflow.

00:21:46:18 - 00:21:49:07
Christopher Maddalena
That's what we want you to, that's the objective of that red team.

00:21:49:10 - 00:21:52:20
Christopher Maddalena
Yep. Their teams could now actually build

00:21:52:20 - 00:21:57:04
Christopher Maddalena
an OpenGraph for their thing. Yeah. And actually have that representative

00:21:57:04 - 00:22:03:19
Jared Atkinson
One of our researchers, Garrett. Yeah, Garrett Foster, he was really excited about the

00:22:03:19 - 00:22:11:13
Jared Atkinson
opportunity to literally expand the graph in real time during a red team. So later, we're going to be talking to Andrew.

00:22:11:21 - 00:22:33:23
Jared Atkinson
And one of the things that he'll talk about is the relationship of how, on a red team, this idea of attack path management expands beyond, kind of, like, the traditional conception of Active Directory and Entra. And so imagine that you're on a red team, you're given some target, which is some system out there, and you don't know anything about it, but, you know, there's maybe SSO being used, maybe whatever, right.

00:22:33:23 - 00:22:48:04
Jared Atkinson
Maybe there's a browser cookie that you need to steal. But then once you're in there, there's a bunch of internal resources. It's kind of like, I think of it as, like, clearing the fog of war in battle. Right. Or in, like, a top-down strategy game. Yeah, yeah, yeah, yeah. So you're kind of clearing the fog of war.

00:22:48:04 - 00:23:05:11
Jared Atkinson
And so imagine that it's like, okay, as I start, and this is a really important part, I've found personally that there's always, like, a certain amount that you have to get over. Like, you need to know users and groups and vaults in 1Password, for instance. Right. But, like, it doesn't have to be perfect.

00:23:05:11 - 00:23:30:21
Jared Atkinson
BloodHound started with, as we said, users, groups and computers, right, which is relatively simple. As we explored that, as we worked with customers, we found, hey, there's things that we're not considering. We're not considering GPOs, for instance. Yeah. We're not considering ACLs. We're not considering ADCS. Right. So, like, there's all these different components, but, like, start simple, and, like, in the context of a red team, you can actually start to graph it.

00:23:30:22 - 00:23:44:11
Jared Atkinson
Like, the coolest idea is, imagine you're in a red team and you see the system and you're like, I want to go after that thing. You pull up the documentation, you say, okay, it has users, it has groups, it has these types of permissions. Let me build a collector, grab all that data, throw it into BloodHound.

00:23:44:11 - 00:24:03:05
Jared Atkinson
And now I know I have the ability to say, I'm this user in Active Directory. Show me how I can take over this database in Snowflake. Like, the basic example in Linux, right. Who has access? So, yeah. What resources. And then now I can go from, how do I get from Azure to SSH, like, control over.

00:24:03:06 - 00:24:09:23
Jared Atkinson
So, yeah. So, yeah, okay. So that's, I mean, that's even simpler. Right. Because maybe it's not actually simpler in practice,

00:24:09:23 - 00:24:14:16
Jared Atkinson
but it's one edge as opposed to, like, integrating an entire system. Right. For instance. Yeah.

00:24:14:16 - 00:24:22:02
Justin Kohler
What we're talking about in OpenGraph is the ability to supply BloodHound with a payload of data.

00:24:22:02 - 00:24:39:11
Justin Kohler
It's properly structured in a format that we provide. You can choose icons and color. So you can say, like, hey, this is a user in Snowflake, for example. And then this is a right that they might have over some asset. And you can do that. You can use edges that we already have as well.

00:24:39:13 - 00:25:04:22
Justin Kohler
So, like, this is admin access over here, for example. And that just shows up. So once you supply the data, it's ingested, you can use it to search for a specific node. So I want to see, like, does this user exist in Snowflake, what access do they have. Right. So what resources do they directly control, or how can I use an attack path to traverse from Jared's account to Christopher's, for example.

00:25:04:29 - 00:25:24:29
Justin Kohler
And it might be in different platforms, but all that, out of the box, that's how it functions. Yeah. So we're really excited to roll out more coverage. At first this is going to be very direct relationships, or not very complex. So an example of a complex relationship might be a PDX or a DCSync attack, demo here.

00:25:25:02 - 00:25:33:00
Justin Kohler
But having admin rights, or SSH rights, or read files here, access that, that's all in scope. Yeah. Super exciting.

00:25:33:00 - 00:25:38:07
Justin Kohler
Thanks again, Christopher, for joining us. We'll see you next time.