Adversary Village

Jonas Bülow Knudsen

Security Advisor, Improsec A/S

Jonas Bülow Knudsen is an Active Directory (AD) security advisor. Jonas have spent the past two years helping organizations implement technical countermeasures and remediate vulnerabilities in and around AD, including implementation of the AD tier model. Working closely together with penetration testers and having a strong interest in offensive security enable Jonas to focus on security measures that matters and not just best practice. Jonas has recently developed a FOSS tool called ImproHound to identify the attack paths in BloodHound breaking AD tiering:
At least _wald0 (co-creator of BloodHound) thinks it is cool:

Tool Demo: ImproHound - Identify AD tiering violations

It is not viable for system administrators and defenders in a large Active Directory (AD) environment to ensure all AD objects have only the exact permissions they need. Microsoft also realised that, why they recommended organizations to implement the AD tier model: Split the AD into three tiers and focus on preventing attack paths leading from one tier to a more business critical tier.

The concept is great, as it in theory prevents adversaries from gaining access to the server tiers (Tier 1 and 0) when they have obtained a shell on a workstation (Tier 2) i.e. through phishing, and it prevents adversaries from gaining access to the Domain Admins, Domain Controllers, etc. in Tier 0 when they have got a shell on a web server i.e. through an RCE vulnerability. But it turns out to be rather difficult to implement the tiering concept in AD, why most organizations fail it and end up leaving security gaps.

It doesn’t help on the organization’s motivation to make sure their tiering is sound, when Microsoft now call it the AD tier model “legacy” and have replaced it with the more cloud-focused enterprise access model:

As a person hired to help identify the vulnerabilities in an organization, you want to find and report the attack paths of their AD. BloodHound is well-known and great tool for revealing some of the hidden and often unintended relationships within an AD environment and can be used to identify highly complex chained attack paths that would otherwise be almost impossible to identify. It is great for finding the shortest attack path from a compromised user or computer to a desired target, but it is not built to find and report attack paths between tiers..

I will in my presentation explain and demonstrate a tool I have created called ImproHound, which take advantage of BloodHound’s graph database to identify and report the misconfigurations and security flaws that breaks the tiering of an AD environment.

ImproHound is a FOSS tool and available on GitHub:

Recorded Live 📼