Sometimes, you have to step back and look at code you wrote a while ago. Usually, it’s not pretty. Sometimes, it’s just flat-out wrong. This is one of those times. The 2.1 release of BloodHound focuses heavily on bug fixes and adds a couple of new features, including a new attack primitive. This post covers the changes we’ve made since the release of BloodHound 2.0, including some of the incremental changes in between.

New Attack Primitive — AddAllowedToAct/AllowedToAct

The BloodHound team has been looking for a generic computer ACL attack primitive for quite a while. Thanks to the excellent work of Elad Shamir (@elad_shamir), one has finally been found, with additional weaponization and simplification done by Will Schroeder (@harmj0y). In BloodHound 2.0, we added collection for computers with LAPS, allowing users to determine which principals could read those passwords. The new attack primitive is for Resource-Based Constrained Delegation, which allows for a generic attack against computer objects provided you can write to the msDS-AllowedToActOnBehalfOfOtherIdentity property and you control a user with a ServicePrincipalName set. If you fulfill these conditions, you can gain privileged code execution on the computer itself. …
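
As an added example (not from the original post or the BloodHound project), a defender can watch for the write this primitive depends on: the sketch below filters Windows Security event 5136 records for values added to msDS-AllowedToActOnBehalfOfOtherIdentity on computer objects. It assumes directory-service change auditing is enabled; the function names, the allow-list parameter and the sample events are constructed for illustration.

```python
# Added example: flag event 5136 ("A directory service object was modified")
# records that set the RBCD attribute on a computer object.
RBCD_ATTR = "msds-allowedtoactonbehalfofotheridentity"
VALUE_ADDED = "%%14674"  # raw OperationType for "Value Added" in event 5136

def rbcd_changes(events, expected_writers=()):
    """Return alerts for writes of the RBCD attribute on computer objects.

    events: dicts holding EventID plus the 5136 EventData fields.
    expected_writers: accounts permitted to manage delegation (assumption:
    the environment keeps such a list); their writes are rated 'info'.
    """
    expected = {w.lower() for w in expected_writers}
    alerts = []
    for ev in events:
        if int(ev.get("EventID", 0)) != 5136:
            continue
        # LDAP attribute names are case-insensitive, so compare lowercased.
        if ev.get("AttributeLDAPDisplayName", "").lower() != RBCD_ATTR:
            continue
        if ev.get("ObjectClass", "").lower() != "computer":
            continue
        if ev.get("OperationType") != VALUE_ADDED:
            continue  # value removed: no new delegation is granted
        writer = ev.get("SubjectUserName", "")
        alerts.append({
            "target": ev.get("ObjectDN", ""),
            "writer": writer,
            "severity": "info" if writer.lower() in expected else "high",
        })
    return alerts

def make_event(attr, op, writer):
    """Build a constructed 5136 record (hypothetical host and domain)."""
    return {"EventID": "5136", "ObjectClass": "computer",
            "ObjectDN": "CN=WS01,OU=Workstations,DC=example,DC=test",
            "AttributeLDAPDisplayName": attr, "OperationType": op,
            "SubjectUserName": writer}

# Constructed sample events, not taken from a real log.
SAMPLE_EVENTS = [
    make_event("msDS-AllowedToActOnBehalfOfOtherIdentity", "%%14674", "jdoe"),
    make_event("msds-allowedtoactonbehalfofotheridentity", "%%14674", "SVC-Delegation-Admin"),
    make_event("description", "%%14674", "jdoe"),
    make_event("msDS-AllowedToActOnBehalfOfOtherIdentity", "%%14675", "jdoe"),
]

if __name__ == "__main__":
    for alert in rbcd_changes(SAMPLE_EVENTS, ["svc-delegation-admin"]):
        print(alert)
```
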

About

Rohan Vazarkar

Penetration Tester and BloodHound Developer
