Description
Feature Description
The current BloodHound implementation does not allow representing Active Directory Sites data and ACLs. Sites can be exploited via GPO-based attack vectors (poisoning a site-based GPO, exploiting gPLink delegation rights). Such exploitation scenarios may lead to rather critical privilege escalation paths, as the compromise of a site via a GPO may allow compromising one or several domain controllers that are defined as site servers.
Please see the following article that we just released for more details: https://www.synacktiv.com/en/publications/site-unseen-enumerating-and-attacking-active-directory-sites
Are you intending to implement this feature?
yes
Current Behavior
BloodHound does not represent Active Directory site data. The collectors do not retrieve data related to sites from the configuration partition.
Desired Behavior
BloodHound represents Active Directory site data, more specifically:
- Sites
- Site servers
- Site subnets
- Group Policy Objects affecting sites
- GenericAll, GenericWrite and WriteGPLink ACLs on sites
- Sites are associated with the "server" objects they contain
- Sites are associated with the "subnet" objects attached to them
- Sites are added to the default high value targets
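To make the relationships listed above concrete, here is an added Python example (not SharpHound or BloodHound code) that parses a site's gPLink attribute and derives the site, server, subnet and GPO relationships from constructed records; the record shapes, edge names and sample DNs are assumptions.

```python
import re

# gPLink stores ordered GPO links as "[LDAP://<GPO DN>;<flags>]..." where
# flag bit 0 = link disabled and bit 1 = enforced.
GPLINK_RE = re.compile(r"\[LDAP://([^;\]]+);(\d+)\]", re.IGNORECASE)

def parse_gplink(value):
    """Return [(gpo_dn, enforced)] for enabled links, in link order."""
    out = []
    for dn, flags in GPLINK_RE.findall(value or ""):
        f = int(flags)
        if not f & 1:                      # skip disabled links
            out.append((dn, bool(f & 2)))
    return out

def site_of_server(server_dn):
    """CN=<srv>,CN=Servers,CN=<site>,CN=Sites,... -> the site's DN.
    Assumes no escaped commas in the RDNs."""
    return ",".join(server_dn.split(",")[2:])

def build_site_edges(sites, servers, subnets):
    """Derive BloodHound-style edges from site, server and subnet records."""
    edges = []
    for s in sites:
        for gpo_dn, enforced in parse_gplink(s.get("gPLink")):
            edges.append(("GPLink", gpo_dn, s["dn"], enforced))
    for srv in servers:
        # the site contains the DC computer object the server entry references
        edges.append(("Contains", site_of_server(srv["dn"]), srv["serverReference"], None))
    for sub in subnets:
        edges.append(("SubnetOf", sub["dn"], sub["siteObject"], None))
    return edges

def gpos_affecting_dc(edges, dc_dn):
    """GPO DNs linked to the site(s) whose server entries reference dc_dn."""
    site_dns = {e[1] for e in edges if e[0] == "Contains" and e[2] == dc_dn}
    return sorted(e[1] for e in edges if e[0] == "GPLink" and e[2] in site_dns)

# Constructed sample records (not taken from a real directory).
CONF = "CN=Configuration,DC=corp,DC=local"
SITE_DN = f"CN=Paris,CN=Sites,{CONF}"
GPO_A = "CN={11111111-1111-1111-1111-111111111111},CN=Policies,CN=System,DC=corp,DC=local"
GPO_B = "CN={22222222-2222-2222-2222-222222222222},CN=Policies,CN=System,DC=corp,DC=local"
DC_DN = "CN=DC01,OU=Domain Controllers,DC=corp,DC=local"
SITES = [{"dn": SITE_DN, "gPLink": f"[LDAP://{GPO_A};2][LDAP://{GPO_B};1]"}]
SERVERS = [{"dn": f"CN=DC01,CN=Servers,{SITE_DN}", "serverReference": DC_DN}]
SUBNETS = [{"dn": f"CN=10.1.0.0/16,CN=Subnets,CN=Sites,{CONF}", "siteObject": SITE_DN}]
EDGES = build_site_edges(SITES, SERVERS, SUBNETS)
```

`gpos_affecting_dc(EDGES, DC_DN)` answers the review question this issue raises: which GPOs, if someone could edit them or the site's gPLink, would reach the domain controller through its site.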
Use Case
Although dangerous ACLs affecting sites may not be as frequent as other misconfigurations related to more common object types, it is important to catch them when they exist, due to the high potential impact they can have (compromise of one or several domains).
Implementation Suggestions
Several pull requests will shortly follow this issue, on the following repositories: SharpHound, SharpHoundCommon, BloodHound.