(Intermediate) Cypher for Defenders: Leveraging Bloodhound Data Beyond the UI

  • aNullValue
    Moderator

    Title: (Intermediate) Cypher for Defenders: Leveraging Bloodhound Data Beyond the UI

    Description:
    Bloodhound stores AD data in a Neo4j database. The UI allows you to get some information out of the box, but that is only the tip of the iceberg. Using Cypher, if you can think it, you can visualize it!

    The workshop will start with a quick presentation of BloodHound (BH). This is to make sure everybody understands the product, as I very often meet security practitioners who have never heard of the tool. (5 minutes)

    The participants will be provided with test data, either in JSON format (a few KB) that can be imported into the BH UI, or as a Neo4j database (very big). The reason to provide both is that BH is now detected by many AV products as a hacking tool, and I don't want to exclude participants who come with their work computer. Those files will be provided ahead of time via Dropbox or a similar file sharing site.

    The first part of the workshop will go over the various objects present in BH (Computers, Groups, OUs, Domains, etc.) and the properties of those objects. We will learn how to interact with them using both the UI and the Neo4j Web Console (NWC). We will then take the prebuilt queries from the BH UI and run them in the NWC. From there we will start modifying them and see what impact that has. Debugging techniques will be shown. (~20 minutes)

    After that we will go into more advanced query types, for example multiple relationships and chaining queries together. A few examples will be provided, and the participants will be able to replicate the queries and see the results. (~30 minutes)

    Finally, the participants will receive a list of questions, and they will need to build the Cypher queries themselves in order to find the answers. I will be there to assist them and debug their queries as needed. (~30 minutes)

    Speaker(s): Scoubi

    Location: Blue Team Vlg / Blue Team Vlg - Workshop Track 1

    Discord: https://discord.com/channels/7082082...54317658734613

    Event starts: 2020-08-07 10:00 (10:00 AM) PDT (UTC -07:00)

    Event ends: 2020-08-07 11:30 (11:30 AM) PDT (UTC -07:00)

    For the most up-to-date information, please either visit https://info.defcon.org, or use HackerTracker, which is available for iOS and Android. This is an automated message, and this data was last modified 2020-08-02T22:49 (UTC).
    Last edited by aNullValue; August 2, 2020, 17:40.