BloodHound and Purple Knight: Better Together for Hardening Active Directory Security

Defending any piece of territory requires knowing where it is vulnerable and how adversaries are likely to attack it. In the case of Microsoft’s Active Directory (AD), the territory that needs to be defended actually controls access to critical data and resources. Blocking the paths that threat actors use is a pivotal part of protecting AD. So is knowing where the vulnerabilities are.

This is where the free tools BloodHound and Purple Knight (built by Semperis identity experts) can help each other. Attackers frequently install applications such as BloodHound in the organizations they compromise so they can map the AD environment and determine the best way to strengthen their hold on the victim. Red and blue teams can leverage that same capability to make the attackers’ mission more difficult.

Finding Attack Paths and Uncovering Exposures

Using graph theory, BloodHound identifies the attack paths adversaries are likely to use to elevate privileges and move laterally inside your organization. But while BloodHound focuses on attack paths, Purple Knight is focused on finding exposures. Purple Knight works by querying your organization’s AD environment and performing tests against common attack vectors. By scanning for Indicators of Exposure (IoEs) and Indicators of Compromise (IoCs), Purple Knight can find risky misconfigurations and suspicious changes that suggest the AD environment has been breached.

Purple Knight has 70-plus security indicators split into five categories: account security, AD infrastructure security, group policy, Kerberos security and AD delegation. When we first released Purple Knight, we discovered that Kerberos security was the most at-risk area among the tool’s users. Group policy and account security issues rounded out the top three. According to the data collected from Purple Knight users, the largest organizations – which often have the most resources – have some of the most significant AD security gaps because of the complexity of their environments, the prevalence of legacy applications and the constant flux of IT personnel. The vulnerabilities reported frequently took the form of poor password policies, accounts with elevated privileges that had not been adequately reviewed and weak group policy configurations that created security holes attackers could exploit.

Some specific issues indicate that an attack has likely taken place. For example, suppose a member of a built-in protected group has an adminCount attribute that is not set to 1. That could signal that the discretionary access control lists (DACLs) were set manually, that there is an issue with SDProp (the process that stamps protected objects with the AdminSDHolder ACL and adminCount=1) or that an attacker modified the adminCount attribute. Purple Knight would flag this condition, enabling the organization to close the security hole and start an investigation.
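The adminCount check described above, written out as an added PowerShell example (this is not Purple Knight's or BloodHound's code). It assumes the RSAT ActiveDirectory module and read access to the domain, and the list of protected groups is the default set that AdminSDHolder/SDProp covers, hard-coded here as an assumption. It reports two things: members of protected groups that are missing adminCount=1 or still inherit their ACL, and objects that carry adminCount=1 without being in any protected group (SDProp never clears the flag when an account is removed, so those are worth reviewing too).

```powershell
# Added example: audit AdminSDHolder/SDProp consistency for protected objects.
# Not Purple Knight's own check; assumes RSAT ActiveDirectory module.
Import-Module ActiveDirectory

# Default groups protected by SDProp (assumed list; SDProp also protects a few
# well-known users such as Administrator and krbtgt).
$ProtectedGroups = @(
    'Administrators', 'Domain Admins', 'Enterprise Admins', 'Schema Admins',
    'Account Operators', 'Backup Operators', 'Server Operators',
    'Print Operators', 'Replicator', 'Domain Controllers',
    'Read-only Domain Controllers', 'Enterprise Key Admins', 'Key Admins'
)

# Collect the DNs of every protected group and its (recursive) members.
$ProtectedDNs = @{}
foreach ($g in $ProtectedGroups) {
    $group = Get-ADGroup -Filter "Name -eq '$g'" -ErrorAction SilentlyContinue
    if (-not $group) { continue }
    $ProtectedDNs[$group.DistinguishedName] = $true
    # Nested members are also stamped by SDProp, hence -Recursive.
    Get-ADGroupMember -Identity $group -Recursive -ErrorAction SilentlyContinue |
        ForEach-Object { $ProtectedDNs[$_.DistinguishedName] = $true }
}

# A protected object should have adminCount=1 and ACL inheritance disabled.
# Anything else means SDProp has not run, was bypassed, or the attribute was edited.
$findings = foreach ($dn in $ProtectedDNs.Keys) {
    $obj = Get-ADObject -Identity $dn -Properties adminCount, nTSecurityDescriptor
    if ($obj.adminCount -ne 1) {
        [pscustomobject]@{ Object = $dn; Finding = 'Protected object without adminCount=1'; adminCount = $obj.adminCount }
    }
    if (-not $obj.nTSecurityDescriptor.AreAccessRulesProtected) {
        [pscustomobject]@{ Object = $dn; Finding = 'Protected object with ACL inheritance enabled'; adminCount = $obj.adminCount }
    }
}

# Orphaned adminCount=1 objects: no longer protected, but SDProp does not clear
# the flag, so they keep a hardened ACL and are excluded from inherited policy.
$orphans = Get-ADObject -LDAPFilter '(adminCount=1)' -Properties adminCount |
    Where-Object { -not $ProtectedDNs.ContainsKey($_.DistinguishedName) } |
    ForEach-Object {
        [pscustomobject]@{ Object = $_.DistinguishedName; Finding = 'adminCount=1 outside any protected group'; adminCount = 1 }
    }

@($findings) + @($orphans) | Format-Table -AutoSize
```

Run it from a domain-joined host with the AD module installed. A protected member with adminCount missing or 0 is the condition the paragraph describes and should be investigated rather than simply corrected, since the attribute value is evidence of how the object got into that state.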

Purple Knight cannot take the place of continuous monitoring; it only offers a snapshot of an organization’s security posture. Still, it shines a light on everything from patch levels to domain controllers with old passwords so that organizations can identify where they are vulnerable.
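One of the snapshot checks mentioned above, domain controllers with old machine-account passwords, as an added PowerShell example rather than Purple Knight's own logic. It assumes the RSAT ActiveDirectory module; the 30-day threshold is the default machine-account password rotation interval and is an assumed value to adjust to local policy.

```powershell
# Added example: report domain controllers whose computer-account password has
# not rotated within the expected window. Not Purple Knight's own check.
Import-Module ActiveDirectory

$MaxAgeDays = 30   # assumed threshold: default machine-account rotation period
$cutoff = (Get-Date).AddDays(-$MaxAgeDays)

Get-ADDomainController -Filter * |
    ForEach-Object {
        # Resolve the DC's computer object to read its password timestamp.
        $acct = Get-ADComputer -Identity $_.ComputerObjectDN -Properties PasswordLastSet, OperatingSystem
        [pscustomobject]@{
            DC              = $_.HostName
            OS              = $acct.OperatingSystem
            PasswordLastSet = $acct.PasswordLastSet
            Stale           = ($acct.PasswordLastSet -lt $cutoff)
        }
    } |
    Where-Object Stale |
    Format-Table -AutoSize
```

A DC whose password has not changed in months usually means machine-account password rotation has been disabled or the DC is not replicating properly; either is a finding to chase, as a point-in-time check like this will not tell you when the condition began.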

Uncovering vulnerabilities is only one aspect of a successful defensive strategy. With BloodHound, red teams can uncover the trust relationships in their AD environments and determine the paths attackers can use to get admin privileges. Then they can use the findings of Purple Knight to choose the path of least resistance.

BloodHound collects data via PowerShell functionality to obtain information about all domain trusts, computer objects, user objects, and Group Policy information. It also gathers information about the group membership of each user object. Once that is completed, BloodHound will query local systems to uncover local group membership, local access control lists and what user objects have sessions established to the computer object. After all this data is uploaded, you can query and analyze it to find the best opportunity for privilege elevation.

BloodHound and Purple Knight Work in Tandem

BloodHound and Purple Knight augment each other. Purple Knight adds the expertise of a community of security researchers to minimize your attack surface and stay ahead of the ever-changing threat landscape. With Purple Knight, vulnerabilities and misconfigurations can be identified and remediated, thereby closing paths uncovered by BloodHound before an adversary can exploit them.

Blue and red teams alike can benefit from using both these free tools to harden the defenses of their Active Directory environments.
