MacHound : An extension to audit Bloodhound collecting and ingesting of Active Directory relationships on MacOS hosts

MacHound is an extension to the Bloodhound audting tool allowing collecting and ingesting of Active Directory relationships on MacOS hosts. MacHound collects information about logged-in users, and administrative group members on Mac machines and ingest the information into the Bloodhound database. In addition to using the HasSession and AdminTo edges, MacHound adds three new edges to the Bloodhound database:

  • CanSSH – entity allowed to SSH to host
  • CanVNC – entity allowed to VNC to host
  • CanAE – entity allowed to execute AppleEvent scripts on host

Data Collection

Logged-in users (HasSession)

MacHound uses the utmpx API to query currently active users and OpenDirectory and membership API to validate Active Directory users.

Administrative Groups

MacHound collects Active Directory members of the following local administrative groups:

admin

The local administrative groups, allowing for root operations.

com.apple.access_ssh

Members of this local group are allowed to access the remote login service (SSH).

com.apple.remote_ae

Members of this local group are allowed to remotely execute AppleEvent scripts.

com.apple.access_screensharing

Members of this local group are allowed to access the screen sharing service (VNC)

Components

MacHound is split into two main components: the collector and the ingestor.

Collector

The MacHound collector is a Python3.7 scripts that run locally on Active Directory joined MacOS hosts. The collector queries the local OpenDirectory and the Active Directory for information about priviliged users and groups. The output of the execution is a JSON file that contains all the collected information.

Ingestor

The MacHound ingestor is a Python3.7 script that parses the output JSON files (one per host), connects to the neo4j database and inserts the edges to the database. The ingestor uses the neo4j library for Python to query information to and from the neo4j database. The ingestor must be executed on a host that has TCP access to the neo4j database.

Getting Started

Requirements

MacHound requires Python3.7. The ingestor requires the neo4j library for Python3.7. 

Collector

Deployment

The Collector should be deployed and executed locally on Macs. The output is stored locally and needs to be transfered to the host running the ingestor. The collector depends on builtin libraries in Python3.7 and does not require additional installations. MacHound can be compiled as an Application using the py2app library to ease the deployment.

Usage

The Collector takes no arguments by default queries all information, and writes the output file into ./output.json. The Collector must be executed as a root user.

collector.py -o <output_file> -c <Admin,CanSSH,CanVNC,CanAE,HasSession> [-v] [-l log_file_path]

Ingestor

The Ingestor should be deployed on a host that has direct TCP connection to Bloodhound’s neo4j database, preferably locally on the neo4j database server to avoid security risks. The ingestor requires the installation of neo4j driver for Python (see requirements file).

ingestor.py <url_to_neo4j> -u <username> -p <password> -i <json_folder>

R K

Recent Posts

ROADTools: The Modern Azure AD Exploration Framework

ROADTools is a powerful framework designed for exploring and interacting with Microsoft Azure Active Directory…

7 hours ago

How to Enumerate Microsoft 365 Groups Using PowerShell and Python

Microsoft 365 Groups (also known as M365 Groups or Unified Groups) are at the heart…

8 hours ago

SeamlessPass: Using Kerberos Tickets to Access Microsoft 365

SeamlessPass is a specialized tool designed to leverage on-premises Active Directory Kerberos tickets to obtain…

1 day ago

PPLBlade: Advanced Memory Dumping and Obfuscation Tool

PPLBlade is a powerful Protected Process Dumper designed to capture memory from target processes, hide…

1 day ago

HikPwn : Simple Scanner For Hikvision Devices With Basic Vulnerability Scanning

HikPwn: Comprehensive Guide to Scanning Hikvision Devices for Vulnerabilities If you’re searching for an efficient…

2 days ago

Comments in Bash Scripts

What Are Bash Comments? Comments in Bash scripts, are notes in your code that the…

1 week ago