With the Bloodhound on an Active Directory hunt

Source: Heise.de added 28th Nov 2020


At the first virtual SO-CON, the organizer SpecterOps gave insights into the tools and mindsets of professional Red and Blue teams in many different presentations. Even if the name SpecterOps may be less familiar in Germany, the company’s open source tools are all the better known. These include the projects PowerShell Empire, BloodHound, PowerSploit and GhostPack.

In the talk “Six Degrees of Global Admin”, Andy Robbins introduced BloodHound 4.0. While the older versions of the tool helped to analyze classic Active Directory environments and to map possible attack paths using graph theory, the new version can now also examine Microsoft Azure. For this purpose, a new ingestor called AzureHound collects the data from Azure Active Directory and the Azure Resource Manager. The tool imports this into a Neo4j graph database via the BloodHound GUI.

Attack Active Directory locally or in the cloud

Especially with hybrid infrastructures – classic Active Directory and Azure AD in parallel use – or for VMs in Azure, it makes sense to transfer the data from both directory services to a database and load it into a graph. In this way, the software can possibly map additional attack paths that were not previously detectable. For example, a user synchronized from the local Active Directory to Azure AD could have extended rights to a VM, which would allow the local domain to be compromised, or the global administrator in Azure AD could be compromised via nested group memberships.

In order to be able to extract and map the data from the Azure infrastructure, the BloodHound graph has ten new nodes: Tenants, Azure Users, Azure Security Groups, Apps, Service Principals, Subscriptions, Resource Groups, Virtual Machines, Devices and Key Vaults. There are also 14 new edges that represent the possible attacks.
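The two hybrid scenarios described above (a synced user with rights on a VM that reaches back into the on-prem domain, and a path to Global Administrator through nested groups) come down to path finding over a graph of nodes and edges. The following Python is an added illustration, not BloodHound's or AzureHound's code: it builds a small constructed graph in the spirit of the node types named in the article, enumerates every simple path from a start node to a target, and then reports the "choke points" (intermediate nodes that every path passes through), which is what a defender wants to know when deciding where one change cuts all paths. The account names, group names and edge labels (SyncedTo, MemberOf, HasRole, AdminTo) are assumed placeholders and not BloodHound's real Azure schema.

```python
from collections import deque

# Constructed sample data (assumption, not real BloodHound/AzureHound output).
# Each tuple is (source node, destination node, edge label). Edge labels are
# illustrative placeholders, not the tool's actual Azure edge names.
EDGES = [
    # on-prem user synchronized into Azure AD
    ("alice@corp.local", "alice@corp.onmicrosoft.com", "SyncedTo"),
    # nested group memberships ending in the Global Administrator role
    ("alice@corp.onmicrosoft.com", "Helpdesk", "MemberOf"),
    ("Helpdesk", "IT-Admins", "MemberOf"),
    ("IT-Admins", "Global Administrator", "HasRole"),
    # a second, shorter route to the same role
    ("alice@corp.onmicrosoft.com", "Cloud-Ops", "MemberOf"),
    ("Cloud-Ops", "Global Administrator", "HasRole"),
    # extended rights on an Azure VM that is a domain controller of the on-prem domain
    ("alice@corp.onmicrosoft.com", "vm-dc01", "AdminTo"),
    ("vm-dc01", "corp.local", "AdminTo"),
    # an unrelated user with no path to anything sensitive
    ("bob@corp.onmicrosoft.com", "Finance", "MemberOf"),
]


def build_graph(edges):
    """Adjacency list: node -> list of (neighbour, edge label)."""
    graph = {}
    for src, dst, label in edges:
        graph.setdefault(src, []).append((dst, label))
        graph.setdefault(dst, [])
    return graph


def find_paths(graph, start, target, max_depth=6):
    """Breadth-first enumeration of all simple paths from start to target.

    A path is returned as a list of (src, dst, label) edges. max_depth bounds
    the number of hops so the search terminates on graphs with many cycles.
    """
    found = []
    queue = deque([(start, [])])
    while queue:
        node, taken = queue.popleft()
        if node == target:
            found.append(taken)
            continue
        if len(taken) >= max_depth:
            continue
        visited = {start} | {dst for _, dst, _ in taken}
        for dst, label in graph.get(node, []):
            if dst not in visited:  # keep paths simple (no revisits)
                queue.append((dst, taken + [(node, dst, label)]))
    return found


def shortest_path(graph, start, target):
    """Fewest-hops path, or None when the target is unreachable."""
    paths = find_paths(graph, start, target)
    return min(paths, key=len) if paths else None


def choke_points(paths):
    """Intermediate nodes shared by every path (target excluded).

    Removing any one of these (e.g. a group membership or the synced account)
    severs all of the enumerated paths at once.
    """
    common = None
    for path in paths:
        inner = {dst for _, dst, _ in path[:-1]}
        common = inner if common is None else common & inner
    return common or set()


def format_path(path):
    """Render a path as 'a -[label]-> b -[label]-> c'."""
    if not path:
        return ""
    parts = [path[0][0]]
    for _, dst, label in path:
        parts.append(f"-[{label}]-> {dst}")
    return " ".join(parts)


if __name__ == "__main__":
    graph = build_graph(EDGES)
    for start, target in [
        ("alice@corp.local", "Global Administrator"),
        ("alice@corp.local", "corp.local"),
        ("bob@corp.onmicrosoft.com", "Global Administrator"),
    ]:
        paths = find_paths(graph, start, target)
        print(f"{start} -> {target}: {len(paths)} path(s)")
        for p in paths:
            print("  ", format_path(p))
        if paths:
            print("   choke points:", sorted(choke_points(paths)))
```

In the sample graph the synced account is the single node common to every route from the on-prem user to Global Administrator, so that one identity is where a control (removing it from sync scope, or restricting what it can hold in Azure AD) pays off most; the VM route shows why a cloud-only view would miss the hop back into the local domain.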

As with the classic, local Active Directory, the rights of one ordinary Azure AD user are sufficient to query almost all required information. Only the subscriptions cannot be queried in this way by default. According to SpecterOps, AzureHound needs almost two hours to collect the data, even in large environments with 240,000 users.

Read the full article at Heise.de

brands: Empire  Microsoft  
media: Heise.de  
keywords: Cloud  Open Source  Software  
