my personal blog about systemcenter

Delegations Matter, Hunting Mistakes with BloodHound

In this example I will use BloodHound to show an alternative path to Domain Admins.

In the environment almost all Domain Admins have been removed, leaving DA-Alice as the sole enabled Domain Admin account.

This makes for a nice clean domain. It does not give Alice much time off, so that will need to be fixed, but it beats having 20+ Domain Admins running around. Alice also uses her Tier 0 admin workstation, so the account only ever logs on at the right security tier.

But we all know Alice and Bob are working together. Bob is helping out with password resets, and a previous admin delegated rights to the Password-Reset group.

This is where the trouble starts. Support-BOB is a member of Password-Reset, and that group has been delegated Full Control over the Company OU so that it can reset passwords.

The first mistake was to delegate Full Control instead of only the Reset Password right that was actually needed. The second and worse mistake was that someone placed the admin users under “Company” because it was the easy option, so the inherited Full Control now also lands on every Tier 0 account. Running BloodHound's Shortest Path to Domain Admins query:

The path gives us Support-BOB, who has write permissions (a GenericAll edge in BloodHound) on all users in Admins, which DA-Alice is a part of. This means that no matter how carefully Alice keeps doing everything right, Support-BOB can reset DA-Alice's password and start creating chaos.

In this case a quick fix is to move the Admins OU outside the delegated scope, so that the rights Support-BOB holds on the “Company” OU no longer apply to it. The delegation itself should still be narrowed to the Reset Password right, since Full Control continues to apply to every other user under Company.

This leaves a single path to Domain Admins, through DA-Alice herself.
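To make the audit and the fix concrete, here is an added PowerShell example of my own, not code from the original post or from BloodHound. It assumes the delegated OU is OU=Company,DC=corp,DC=example,DC=local, the helpdesk group is Password-Reset, and a Tier 0 OU named OU=Admins,DC=corp,DC=example,DC=local already exists outside Company; all three are placeholders. It lists the explicit ACEs the group holds on the OU, flags the rights BloodHound would draw as GenericAll, GenericWrite, WriteDacl, WriteOwner or AllExtendedRights edges, replaces a Full Control delegation with the two ACEs a password-reset role actually needs, and moves any Domain Admin account out from under the delegated subtree.

```powershell
# Added example, not from the original post. Placeholders: the Company OU path, the
# Password-Reset group and the Admins OU path; change them to match your own forest.
# Needs the ActiveDirectory RSAT module and an account allowed to read and modify
# the OU's security descriptor.
using namespace System.DirectoryServices
Import-Module ActiveDirectory

$companyOU = 'OU=Company,DC=corp,DC=example,DC=local'   # assumed delegated OU
$adminsOU  = 'OU=Admins,DC=corp,DC=example,DC=local'    # assumed Tier 0 OU, outside Company
$groupName = 'Password-Reset'                           # assumed helpdesk group

$group    = Get-ADGroup $groupName
$domainNB = (Get-ADDomain).NetBIOSName
$acl      = Get-Acl -Path "AD:\$companyOU"

# --- 1. Audit: which explicit ACEs on the OU name the group, and how broad are they? ---
# Inherited ACEs cannot be removed here; they have to be fixed where they were set.
$groupAces = $acl.Access | Where-Object {
    $_.IdentityReference.Value -eq "$domainNB\$groupName" -and -not $_.IsInherited
}

function Test-DangerousAce {
    param([ActiveDirectoryAccessRule]$Ace)
    $r = $Ace.ActiveDirectoryRights
    # Full Control from the delegation wizard shows up as GenericAll; the rest are the
    # classic object-takeover rights BloodHound draws as edges.
    if ($r.HasFlag([ActiveDirectoryRights]::GenericAll))   { return 'GenericAll' }
    if ($r.HasFlag([ActiveDirectoryRights]::WriteDacl))    { return 'WriteDacl' }
    if ($r.HasFlag([ActiveDirectoryRights]::WriteOwner))   { return 'WriteOwner' }
    if ($r.HasFlag([ActiveDirectoryRights]::GenericWrite)) { return 'GenericWrite' }
    # ExtendedRight with an empty ObjectType is every control access right, not just Reset Password.
    if ($r.HasFlag([ActiveDirectoryRights]::ExtendedRight) -and $Ace.ObjectType -eq [Guid]::Empty) {
        return 'AllExtendedRights'
    }
    return $null
}

foreach ($ace in $groupAces) {
    $verdict = Test-DangerousAce $ace
    if (-not $verdict) { $verdict = 'ok' }
    '{0,-18} {1,-45} {2,-12} {3}' -f $verdict, $ace.ActiveDirectoryRights, $ace.InheritanceType, $ace.ObjectType
}

# --- 2. Remediate: swap the broad ACEs for the two a password-reset role needs ---
$userClass  = [Guid]'bf967aba-0de6-11d0-a285-00aa003049e2'   # schemaIDGUID of the user class
$resetPwd   = [Guid]'00299570-246d-11d0-a768-00aa006e0529'   # "Reset Password" control access right
$pwdLastSet = [Guid]'bf967a0a-0de6-11d0-a285-00aa003049e2'   # pwdLastSet, for "must change at next logon"

foreach ($ace in $groupAces) {
    if (Test-DangerousAce $ace) { [void]$acl.RemoveAccessRule($ace) }
}

$allow   = [System.Security.AccessControl.AccessControlType]::Allow
$toUsers = [ActiveDirectorySecurityInheritance]::Descendents     # inherit to child user objects only

$acl.AddAccessRule([ActiveDirectoryAccessRule]::new(
    $group.SID, [ActiveDirectoryRights]::ExtendedRight, $allow, $resetPwd, $toUsers, $userClass))
$acl.AddAccessRule([ActiveDirectoryAccessRule]::new(
    $group.SID, [ActiveDirectoryRights]::WriteProperty, $allow, $pwdLastSet, $toUsers, $userClass))

Set-Acl -Path "AD:\$companyOU" -AclObject $acl

# --- 3. The post's quick fix: get Tier 0 accounts out from under the delegated subtree ---
# Anything under Company inherits the OU's ACEs, so Domain Admin accounts must not live there.
Get-ADGroupMember 'Domain Admins' -Recursive |
    Where-Object { $_.DistinguishedName -like "*,$companyOU" } |
    ForEach-Object {
        Write-Host "Moving $($_.SamAccountName) out of $companyOU"
        Move-ADObject -Identity $_.DistinguishedName -TargetPath $adminsOU
    }
```

Run step 1 on its own first and read the output before letting steps 2 and 3 change anything; adding -WhatIf to Set-Acl and Move-ADObject is the cheap way to rehearse it. Accounts with "Protect object from accidental deletion" set will refuse the move until that flag is cleared with Set-ADObject -ProtectedFromAccidentalDeletion $false. Afterwards, re-collect with BloodHound and rerun the Shortest Path query to confirm the Support-BOB edge is gone.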

https://bloodhound.readthedocs.io/en/latest/data-analysis/bloodhound-gui.html

Check out BloodHound, and make sure you have permission to run it, as the collection will most likely set off an alarm bell or two.