Common Usage
Collect the zip file produced by the collector, then start the Neo4j server and BloodHound. Refer to the AD Attack Surface Recon section.
(Clear the previous session and database) Open the menu, scroll to the bottom, and click "Clear Sessions" and "Clear Database".
Look at the menu on the right side and select "Upload Data". Select the zip file.
This automatically imports the zip file and parses the information for you to analyze.
Select Settings in the right menu. You may want to adjust some settings here; for example, setting Edge Label Display to "Always Display" shows the privilege on every edge without hovering over it.
Go to the Analysis menu and see whether any of the built-in queries give you something you can leverage.
SVC-ALFRESCO is a member of the SERVICE ACCOUNTS group, which is a member of the PRIVILEGED IT ACCOUNTS group, which is a member of the ACCOUNT OPERATORS group.
The ACCOUNT OPERATORS group has 'GenericAll' over the EXCHANGE WINDOWS PERMISSIONS group.
The EXCHANGE WINDOWS PERMISSIONS group has 'WriteDACL' over the HTB.LOCAL domain object.
From the HTB.LOCAL domain object, BloodHound shows the 'DCSync' edge: a principal that holds the replication rights on the domain can pull every account's credentials from the domain controller.
When you right-click one of the edge labels (for example, GenericAll below) and select "? Help", you get more information on the privilege and the abuse you can try.
Based on the help text for GenericAll and WriteDACL, the path can be abused as follows.
GenericAll on a group is full control of that group, which includes modifying its membership, so SVC-ALFRESCO (through ACCOUNT OPERATORS) can add itself to EXCHANGE WINDOWS PERMISSIONS.
WriteDACL on the domain object lets a member of that group add an ACE granting itself DS-Replication-Get-Changes and DS-Replication-Get-Changes-All, which together are the DCSync rights, and then replicate every account's secrets from the domain controller.
Your final commands look like the ones below.