
SpecterOps BloodHound Enterprise

Minimize attack paths and secure Active Directory and Azure from every angle. Attack path management is a critical component of defending Active Directory (AD) and Microsoft 365 environments from attacks. When you consider that Microsoft reported more than 25 billion attempted attacks on enterprise accounts in 2021 alone, securing attack paths is essential. SpecterOps BloodHound Enterprise greatly simplifies this process by prioritizing and quantifying attack path choke points, giving you the information you need to identify and eliminate the paths with the most exposure and risk.
Traditionally, attack path management has been challenging. Why? Because as a security practitioner, you’re often conditioned to think in terms of lists – checking thousands of generic configuration issues. Attackers, on the other hand, think in graphs. This outlook makes it easier for them to find effective attack routes. SpecterOps BloodHound Enterprise helps you reduce the risk of attacks significantly by arming you with a graphical mapping of all AD and Azure attack paths, enabling you to easily identify, prioritize and eliminate the most vital avenues that attackers can exploit.

Key benefits

Continuous attack path mapping

Visualize every relationship and connection in AD and Azure, making it easy to identify new and existing attack paths.

Choke point prioritization

Measure the impact of any point in an attack path and identify optimal locations to block the largest number of pathways.

Practical remediation guidance

Get practical remediation guidance, with clear instructions, without having to make drastic changes to AD.

AD security posture measurement

Establish a continuous baseline of AD and Azure, to monitor and measure the reduced risk as attack paths are removed.

Unprecedented visibility into Azure AD

Azure uses different technologies to manage identities and access, but is vulnerable to the same types of identity attack paths as AD.

Capabilities

Top down view of critical assets

SpecterOps BloodHound Enterprise greatly supports attack path management by showing you a superset of your critical assets in AD and Azure (Azure AD and Azure Resource Manager) – the crown jewels that would mean game over if a cyber attacker got control of them. It then maps every attack path down from that view. As a defender, securing attack paths requires that you understand every possible route, and SpecterOps BloodHound Enterprise identifies every single relationship throughout your hybrid environment and articulates how attackers could abuse any set of principals to gain access to these vital assets.

Identify and quantify exposure choke points

Mapping critical assets and paths is only part of attack path management, however. SpecterOps BloodHound Enterprise takes it further by quantifying those choke points. For example, it can tell you that 92% of all your Active Directory users and computers have the ability to compromise the domain through this one ACL applied to this one domain controller. It gets extremely specific on the risk involved in this, as well as the specific permissions or privileges that you need to address to remediate the attack path and mitigate downstream misconfigurations. 

Quantify impact to security posture

Because SpecterOps BloodHound Enterprise measures every risk, you’ll see the overall risk your organization is carrying in your hybrid AD environment. As you improve attack path management by eliminating the choke points, you’ll also be able to see the effect these changes have on your overall security posture. For example, by securing attack paths, you can reduce your exposure to attacks significantly. Most companies start off with a risk exposure between 70% and 100%. The goal would be to get your organization’s risk exposure below 20%, and SpecterOps BloodHound Enterprise can help you get there.
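The two ideas above (exposure as the share of principals with a path to a critical asset, and a choke point as the edge whose removal cuts that share the most) can be illustrated on a toy control graph. This is an added example, not BloodHound Enterprise's own algorithm, scoring or data: the node names, the edge meanings, and the "protected" set of by-design edges that cannot be removed are all constructed assumptions.

```python
from collections import deque

# Constructed sample graph: each edge means "source can take control of target".
# Hypothetical names; not data from any real environment.
EDGES = {
    ("Domain Users", "GPO-Workstations"),  # write access on a GPO (misconfiguration)
    ("GPO-Workstations", "WS01"),          # the GPO applies to both workstations
    ("GPO-Workstations", "WS02"),
    ("WS01", "SRV-ADMIN"),                 # SRV-ADMIN has admin sessions on both
    ("WS02", "SRV-ADMIN"),
    ("SRV-ADMIN", "Domain Admins"),        # can add members to the group
    ("Backup Svc", "DC01"),                # backup account is local admin on the DC
    ("Domain Admins", "DC01"),             # by design; not a removable edge
}
PRINCIPALS = {"Domain Users", "WS01", "WS02", "SRV-ADMIN",
              "Backup Svc", "Domain Admins", "Guest"}
PROTECTED = {("Domain Admins", "DC01")}

def reachable(edges, start):
    """Every node the start principal can reach by following control edges (BFS)."""
    adj = {}
    for src, dst in edges:
        adj.setdefault(src, set()).add(dst)
    seen, queue = {start}, deque([start])
    while queue:
        node = queue.popleft()
        for nxt in adj.get(node, ()):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return seen

def exposure(edges, target, principals):
    """Fraction of principals with at least one attack path to the critical asset."""
    return sum(target in reachable(edges, p) for p in principals) / len(principals)

def best_choke_point(edges, target, principals, protected=frozenset()):
    """Removable edge whose removal lowers exposure the most, plus the new exposure."""
    best = None
    for edge in sorted(edges - set(protected)):  # sorted: deterministic tie-break
        after = exposure(edges - {edge}, target, principals)
        if best is None or after < best[1]:
            best = (edge, after)
    return best

if __name__ == "__main__":
    print(f"exposure before: {exposure(EDGES, 'DC01', PRINCIPALS):.0%}")
    edge, after = best_choke_point(EDGES, "DC01", PRINCIPALS, PROTECTED)
    print(f"cut {edge[0]} -> {edge[1]}: exposure drops to {after:.0%}")
```

On this sample, cutting the single edge from SRV-ADMIN into Domain Admins drops exposure from 6 of 7 principals to 2 of 7, while cutting any one GPO or session edge changes almost nothing because a parallel path remains.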

Comprehensive risk assessment and threat monitoring

Pair SpecterOps BloodHound Enterprise with Change Auditor or On Demand Audit for a comprehensive risk assessment and threat monitoring solution. Together, you’ll be able to fully audit all security changes across your AD and Azure AD environments, including user and group changes, as well as exploits such as exfiltration of the AD database via offline copy or unauthorized domain replication. You’ll also be able to detect threats early – including unauthorized domain replication, offline extraction of your AD database, and GPO linking – to mitigate and avoid costly ransomware attacks. 

Attack path mitigation via securing GPOs

When you use SpecterOps BloodHound Enterprise with GPOADmin, you’ll be able to improve attack path management by securing GPOs. These solutions allow you to ensure that any changes adhere to change management best practices prior to deployment, a critical step in Active Directory group policy management. Moreover, you’ll be able to continually validate GPOs through automated attestation — a must for any third-party group policy management solution. Furthermore, you’ll be able to quickly revert back to a working GPO in the event that a GPO change has an undesired effect, allowing you to get your environment running smoothly again in seconds.

Risk protection and remediation insurance

For true risk protection and remediation insurance, combine SpecterOps BloodHound Enterprise with Recovery Manager for Active Directory Disaster Recovery Edition or On Demand Recovery. This product combination gives you comprehensive capabilities when it comes to backing up hybrid Active Directory and quickly recovering from any mistakes, corruption or disaster. Moreover, you’ll be able to highlight any changes since the last backup by comparing the online state of AD with its backup (or multiple backups). Furthermore, you’ll be able to restore any object in AD, including users, attributes, organizational units (OUs), computers, subnets, sites, configurations and Group Policy Objects (GPOs). 


Tech Specs

SpecterOps BloodHound Enterprise requires installation of the SharpHound Enterprise on-premises agent, a critical element in your deployment that collects and uploads data about your environment to your BloodHound Enterprise instance for processing and analysis. SharpHound Enterprise is generally deployed on a single, domain-joined Windows system per domain, and runs as a domain user account.

The AzureHound Enterprise service collects and uploads data about your Azure environment to your BloodHound Enterprise instance for processing and analysis. AzureHound Enterprise is generally deployed on a single Windows system per Azure tenant, and may run on the same system as your SharpHound Enterprise service account.

System:
  • Windows Server 2012+
  • 16GB RAM
  • 100GB hard disk space
  • .NET 4.5.2+
Network:
  • TLS on 443/TCP to your tenant URL (provided by your account team)
  • TLS on 443/TCP to Azure tenant (if applicable)
Permissions:

SharpHound (on-premises Active Directory collection)

  • Service account added to local Administrators group

AzureHound (Azure collection)

  • Directory Reader on Azure AD Tenant
  • Reader on all Azure Subscriptions
  • Microsoft Graph
    • AppRoleAssignment.ReadWrite.All
    • RoleManagement.Read.All

Active Directory enumeration represents the most basic information required for BloodHound Enterprise. Additionally, SharpHound Enterprise enumerates local groups and sessions on all domain-joined Microsoft systems for ideal visibility.

Collection Type | Service Account Permissions | Service Network Access
Active Directory | Domain user account with rights to read Deleted Objects | LDAP on 389/TCP to at least one domain controller
Local Groups and User Sessions (Privileged) | Local admin on workstations and servers | SMB on 445/TCP to all domain-joined systems
Azure | Directory Reader on the Azure AD tenant; Reader on all Azure subscriptions; AppRoleAssignment.ReadWrite.All and RoleManagement.Read.All on Microsoft Graph | TLS on 443/TCP to your tenant

