Operationalizing ShotHound to Enhance Active Directory Resilience

by | May 12, 2022

It’s not just about Ransomware

In 2022 it is difficult to miss the severity and pervasiveness of ransomware. With malicious email volume reportedly up 600% in 2021 as attackers exploited the pandemic, other malicious activity that can deliver ransomware on the rise [1], and the enormous cost (in both dollars and time) of the downtime a ransomware incident causes, preparing for such an attack is essential. SRA has written about ransomware several times now, covering preparedness strategies, building resilience to ransomware attacks, and most recently a ransomware resilience assessment service.

 

Focus on AD Security

But ransomware and attacks like it are only as damaging as the attacker's or malware's ability to move laterally through the network. Ten machines with ransomware call for a much different containment, eradication, and recovery strategy than 10,000. So how do you effectively limit the blast radius? By understanding Active Directory (AD) domain security and taking proactive measures to harden it. A common tool for assessing an AD domain is BloodHound, which collects user privileges and admin rights, active sessions, group memberships, ACLs, and other configuration data and loads it into a graph database, where each edge represents a relationship an attacker could abuse to gain control of the adjacent node. Queries over that graph show how close a given node (e.g. a User or Group) is to a high-value asset (e.g. the Domain Admins group). While often associated with red teams, BloodHound can play a vital role in a blue team's understanding of the theoretical paths an attacker may take to move laterally or otherwise gain control over resources in a domain, and that understanding points directly at the overly permissive configurations to remediate.

BloodHound Paths to Domain Admins Group

Pictured above is a simple Active Directory domain visualized in BloodHound. Each line between nodes represents a policy, permission, or session that gives an attacker controlling the node on the left a way to control the node on the right. Starting from the left, WORKSTATION-01 and WORKSTATION-02 have active sessions (HasSession edges) from LOCALADMIN_1 and LOCALADMIN_2 respectively. Both users are members of LOCAL_ADMINS (MemberOf), a group that has AdminTo rights over WORKSTATION-03. That computer in turn has an active session from the domain administrator DOMAINADMIN_1. An attacker who compromises either workstation on the left, or either local admin user, can use those rights to move laterally to WORKSTATION-03 and harvest the domain admin session there.

 

Overwhelming Data

While this information is valuable, it can also be a lot to sift through, especially in a large organization: depending on the directory's size and complexity, BloodHound may return thousands of theoretical attack paths. BloodHound is also unaware of network security controls and other factors that may prevent one host from talking to another, which further complicates judging how many of those paths are viable. For example, BloodHound can show that one host has a DACL entry granting it elevated access over another host, which would enable lateral movement and privilege escalation. What BloodHound cannot see is a firewall between the two hosts that blocks the required network connections; with that firewall in place, an attacker cannot feasibly move between them, no matter what the graph says.

 

Enter the CornerShot and ShotHound duo

ZeroNetworks is a cybersecurity company whose team has published two open-source tools that interface with BloodHound: CornerShot and ShotHound.

CornerShot is a Python module that uses Windows RPC calls to determine network connectivity between two hosts, one referred to as the "carrier" and the other as the "target" [2]. CornerShot connects to the carrier, and the carrier then issues RPC calls toward the target on the ports of interest. From the outcome of each call CornerShot infers whether a port is open, closed, or filtered as seen from the carrier's network position, or unknown when no determination could be made. This matters because the question is not whether the assessor's machine can reach the target, but whether the host at the start of an attack path can.

ShotHound finds logical paths in a BloodHound database and tests connectivity between the computer objects along those paths. By default it checks all shortest paths to the Domain Admins group, though both the source and the target can be overridden. The result is a set of "practical" paths: those where network connectivity between consecutive computer nodes is "open". A logical path whose computer-to-computer hops do not all show open connectivity is not considered practical, and such logical-only paths can be prioritized below practical ones when looking for mitigation opportunities.
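The workflow described above, as an added example that is not ShotHound, CornerShot or BloodHound code: a small Python re-creation of the Figure 1 graph, extended with two constructed branches (a hop blocked by a firewall and a host that was unreachable when tested) so that all three outcomes appear. It finds each computer's shortest logical path to DOMAIN ADMINS, reduces the path to the computer-to-computer hops ShotHound would test, looks each hop up in a stand-in table of CornerShot-style results, splits practical from logical-only paths, and builds the "Open" edges that ShotHound can write back to the database. The node and edge names, the per-edge port mapping, and the connectivity table are all assumptions made for the example.

```python
from collections import deque

# Constructed sample data modelled on Figure 1, plus WORKSTATION-04/HELPDESK_1
# (a second route to WORKSTATION-03) and WORKSTATION-05 (offline at test time).
NODE_TYPE = {
    "WORKSTATION-01": "Computer", "WORKSTATION-02": "Computer",
    "WORKSTATION-03": "Computer", "WORKSTATION-04": "Computer",
    "WORKSTATION-05": "Computer",
    "LOCALADMIN_1": "User", "LOCALADMIN_2": "User", "HELPDESK_1": "User",
    "DOMAINADMIN_1": "User",
    "LOCAL_ADMINS": "Group", "DOMAIN ADMINS": "Group",
}

# Directed BloodHound-style edges: (source, relationship, destination).
EDGES = [
    ("WORKSTATION-01", "HasSession", "LOCALADMIN_1"),
    ("WORKSTATION-02", "HasSession", "LOCALADMIN_2"),
    ("WORKSTATION-05", "HasSession", "LOCALADMIN_1"),
    ("LOCALADMIN_1", "MemberOf", "LOCAL_ADMINS"),
    ("LOCALADMIN_2", "MemberOf", "LOCAL_ADMINS"),
    ("LOCAL_ADMINS", "AdminTo", "WORKSTATION-03"),
    ("WORKSTATION-04", "HasSession", "HELPDESK_1"),
    ("HELPDESK_1", "CanRDP", "WORKSTATION-03"),
    ("WORKSTATION-03", "HasSession", "DOMAINADMIN_1"),
    ("DOMAINADMIN_1", "MemberOf", "DOMAIN ADMINS"),
]

# Port a hop needs, keyed by the edge that lands on the destination computer
# (an assumption for this example; ShotHound's own mapping may differ).
EDGE_PORT = {"AdminTo": 445, "CanRDP": 3389, "CanPSRemote": 5985}

# Stand-in for CornerShot results: (carrier, target, port) -> outcome.
# WORKSTATION-05 was unreachable during the test, so it has no entry at all.
CONNECTIVITY = {
    ("WORKSTATION-01", "WORKSTATION-03", 445): "open",
    ("WORKSTATION-02", "WORKSTATION-03", 445): "closed",
    ("WORKSTATION-04", "WORKSTATION-03", 3389): "filtered",
}


def adjacency(edges):
    adj = {}
    for src, rel, dst in edges:
        adj.setdefault(src, []).append((rel, dst))
    return adj


def shortest_path(adj, start, goal):
    """BFS; returns [(node, relationship_into_node), ...] or None.
    The start node carries None as its relationship."""
    prev = {start: None}  # node -> (previous node, relationship)
    queue = deque([start])
    while queue:
        cur = queue.popleft()
        if cur == goal:
            break
        for rel, nxt in adj.get(cur, []):
            if nxt not in prev:
                prev[nxt] = (cur, rel)
                queue.append(nxt)
    if goal not in prev:
        return None
    path, node = [], goal
    while node is not None:
        p = prev[node]
        path.append((node, p[1] if p else None))
        node = p[0] if p else None
    return list(reversed(path))


def computer_hops(path):
    """Reduce a logical path to the computer->computer hops ShotHound tests;
    user/group nodes in between are skipped, the port comes from the edge
    that reaches the destination computer."""
    hops, carrier = [], None
    for node, rel in path:
        if NODE_TYPE[node] != "Computer":
            continue
        if carrier is not None:
            hops.append((carrier, node, EDGE_PORT.get(rel, 445)))
        carrier = node
    return hops


def classify(path, connectivity):
    """'practical' if every hop is open; 'unknown' if some hop has no result
    and none is blocked (re-test rather than discard); else 'logical-only'."""
    outcomes = [connectivity.get(hop, "unknown") for hop in computer_hops(path)]
    if all(o == "open" for o in outcomes):
        return "practical"
    if any(o in ("closed", "filtered") for o in outcomes):
        return "logical-only"
    return "unknown"


def analyse(edges=EDGES, connectivity=CONNECTIVITY, target="DOMAIN ADMINS"):
    """Map each computer to (classification, node list of its shortest path)."""
    adj, results = adjacency(edges), {}
    for start, ntype in NODE_TYPE.items():
        if ntype != "Computer":
            continue
        path = shortest_path(adj, start, target)
        if path:
            results[start] = (classify(path, connectivity), [n for n, _ in path])
    return results


def open_edges(connectivity):
    """Equivalent of writing confirmed hops back as 'Open' edges."""
    return sorted({(c, "Open", t) for (c, t, _), o in connectivity.items() if o == "open"})


if __name__ == "__main__":
    for start, (verdict, nodes) in analyse().items():
        print(f"{verdict:13} {' -> '.join(nodes)}")
    print("edges to add:", open_edges(CONNECTIVITY))
```

WORKSTATION-03 is reported as practical with no hops at all, because an attacker already on it needs no network path to the domain admin session; the three starting points that must cross the network are split into one practical path, two logical-only paths, and one that should be re-tested once WORKSTATION-05 is back online.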

 

Caveats and a Fix

Remember that BloodHound data is a point-in-time snapshot and that host availability changes over time. ShotHound should ideally be run close to when the BloodHound data is collected: computers that were online during collection may be offline when ShotHound tests them (and vice versa), so connectivity between nodes can incorrectly appear closed. Periodic BloodHound collection provides additional insight, since different active sessions and online hosts will be present at different times.

ShotHound running in the environment pictured in Figure 1. Cornershot RPC call outcomes are included in this output.

When initially testing ShotHound, we found that CornerShot had a small bug preventing the queued RPC calls from running, and that ShotHound lacked a way to write the open network connections it found back to the BloodHound database as edges between nodes. Since that initial testing, we opened a pull request to fix the CornerShot bug, and ZeroNetworks added a feature that creates the open edge in the database when ShotHound is run with the `--updatedb` flag. This feature aided a recent ransomware resilience assessment we performed, where we collected BloodHound data and needed to filter the paths down to only those with open network connectivity. At first glance, a large number of BloodHound paths may seem to imply a likely compromise at every turn, but testing connectivity against the network-level controls can paint a very different picture: the example network shown below is reduced to just one path to domain admin with network connectivity. Enterprise-scale networks have more complicated networking, more nodes, and more security controls in place, and checking connectivity with ShotHound and CornerShot is an effective way to separate practical attack paths from theoretical ones.

Filtering BloodHound paths to only show paths with network connectivity.

To filter a BloodHound graph down to practical paths, ZeroNetworks also provides a customqueries.json file for BloodHound that adds queries over the new edges, including "Find ALL Shortest Paths to Domain Admin – Network", which visualizes only the attack paths with network connectivity (demonstrated above).

When running ShotHound in a larger network, set aside plenty of time for the tool to enumerate all paths and run the RPC calls: runtime grows with the number of paths to Domain Admins, and every path that passes through two or more computers needs a connectivity test for each hop. Inform IT and security teams ahead of execution, since the RPC traffic originating from the carrier hosts and from the machine running ShotHound may trigger alerts.

ShotHound and CornerShot work together to enrich BloodHound data and can help generate more meaningful attack path analysis. These paths provide valuable insight for security teams both when reviewing weak policies and configurations and when predicting the blast radius of attacks like ransomware. In turn, security teams can focus more on remediating issues that present more immediate threats rather than getting lost in the noise.

 

References

[1] R. Sobers, “81 Ransomware Statistics, Data, Trends and Facts for 2021,” 2 July 2021. [Online]. Available: https://www.varonis.com/blog/ransomware-statistics-2021. [Accessed 16 March 2022].

[2] zeronetworks, “CornerShot,” [Online]. Available: https://github.com/zeronetworks/cornershot. [Accessed 16 March 2022].

 

Pat Heaney
CSOC Consultant, CySA+

Pat focuses on developing and improving SOAR playbooks and running Purple Team Essentials engagements from both a blue and red team perspective. He is also a member of CSOC’s Security Engineering and Advanced Response (SEAR) team, where he provides architecture and engineering support and insight, maintains infrastructure and configuration automation, and contributes to research and innovation projects.

Pat is CompTIA Cybersecurity Analyst (CySA+) certified, an AWS Certified Cloud Practitioner, and a GIAC Python Coder (GPYC).

He has worked with companies across multiple industries, including pharmaceutical, healthcare, business services, and financial services.

Prior to joining SRA, Pat played roles in SOCs in the insurance and healthcare industries. He holds a degree in Security & Risk Analysis from The Pennsylvania State University.