I am thrilled to announce #BloodHoundEnterprise, which will be released in Summer of 2021!

Learn more: specterops.io/bloodhound-ent…
View our announcement webinar: specterops.zoom.us/webinar/regist…

A thread of major points about BloodHound Enterprise:
Once an attacker has access to Active Directory, it's virtually guaranteed they can find an attack path resulting in the compromise of a Tier 0 asset (Domain Admin). Owning Tier 0 means owning AD. Owning AD means owning the organization, all its data, users, processes, etc.
The scale, availability, and growth of those attack paths has exposed an enormous gap in how we try to secure Active Directory today. Organizations try (and fail) to fill that gap with technologies, products, and processes.
We think it's possible to fill that gap by quantifying the most critical choke points in AD. BloodHound Enterprise identifies and quantifies the most critical attack path choke points, enabling highly effective remediation with minimal effort within your existing architecture.
We call this methodology "Attack Path Management". At the core of that methodology is the Attack Path Topology, which prioritizes remediation actions based on attack path reduction.
What was once unknowable and invisible for the defender becomes clear, concise, and easily tracked over time. BloodHound Enterprise reports overall Tier 0 exposure (percentage of users with an attack path to Tier 0).
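As an added illustration of the two ideas above, the Tier 0 exposure metric and ranking remediations by how much attack path they remove, here is a small Python model. It is not BloodHound Enterprise code; the graph, principal names and the one-level definition of Tier 0 are constructed assumptions.

```python
from collections import deque

# Constructed attack graph as (source, edge kind, target) triples; not real data.
EDGES = [
    ("alice", "MemberOf", "HELPDESK"),
    ("bob", "MemberOf", "HELPDESK"),
    ("carol", "MemberOf", "HELPDESK"),
    ("dave", "MemberOf", "DEVS"),
    ("erin", "MemberOf", "STAFF"),          # STAFF holds no rights: no path
    ("HELPDESK", "AdminTo", "SRV01"),
    ("DEVS", "AdminTo", "SRV01"),
    ("SRV01", "HasSession", "svc_backup"),  # DA service account logged on
    ("svc_backup", "MemberOf", "DOMAIN ADMINS"),
]
USERS = {"alice", "bob", "carol", "dave", "erin", "svc_backup"}
TIER0_GROUPS = {"DOMAIN ADMINS"}

def tier0_nodes(edges, groups):
    """Tier 0 = the groups plus their direct members (one level, an assumption)."""
    return groups | {s for s, k, t in edges if k == "MemberOf" and t in groups}

def reachable(edges, start):
    """Every node an attacker controlling `start` can reach along the edges."""
    adj = {}
    for s, _, t in edges:
        adj.setdefault(s, []).append(t)
    seen, queue = {start}, deque([start])
    while queue:
        for m in adj.get(queue.popleft(), ()):
            if m not in seen:
                seen.add(m)
                queue.append(m)
    return seen

def tier0_exposure(edges, users, groups):
    """(exposed, total): non-Tier-0 users with any attack path into Tier 0."""
    t0 = tier0_nodes(edges, groups)
    pop = [u for u in users if u not in t0]
    return sum(1 for u in pop if reachable(edges, u) & t0), len(pop)

def rank_choke_points(edges, users, groups):
    """For each edge: (edge, exposed users left if it is removed, users freed).
    Sorted so the single remediation that frees the most users comes first."""
    base, _ = tier0_exposure(edges, users, groups)
    rows = []
    for e in edges:
        left, _ = tier0_exposure([x for x in edges if x != e], users, groups)
        rows.append((e, left, base - left))
    return sorted(rows, key=lambda r: (-r[2], r[0]))
```

On this graph 4 of 5 non-Tier-0 users are exposed, and the session of the DA service account on SRV01 is the choke point whose removal frees all of them, while fixing any one group membership frees just one.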
Free and open source BloodHound isn't going anywhere. We are continuing research and development on FOSS BloodHound, which will remain free and open source forever.
Want to know more?

Join the #BloodHound Slack: bloodhoundgang.herokuapp.com

There is a new channel dedicated to BHE, #bloodhoundenterprise


More from @_wald0

26 Sep 20
The hardest targets I faced while pentesting/red teaming all had one thing in common: mature, funded, and empowered vuln/patch management programs.

The hardest of all combined vuln/patch management with least privilege enforcement - and inspired the creation of #BloodHound.
Are patch/vuln management and least privilege enforcement sexy? No.

Are they easy? Hell no.

Are they worth the initial and continued investment? Absolutely yes.
The best teams have processes for pretty easily dealing with things like Zerologon. They hear about the new scary vuln, understand its impact, test patch deployment to a subset of affected systems, then deploy to all affected systems, and audit patch deployment/effectiveness.
20 Apr 20
(1/9) My first pentest job was at a company called TrustCC - little-known then and since purchased. We had a tradition whenever we got DA: horrible, awful, cringe-worthy puns.
(2/9) We would send internal emails that were half celebratory, half instructive, explaining how we got DA in that particular client environment. But the email subject was REQUIRED to be a pun based on the client name.
(3/9) So if the client was "Sunny Hills Bank", the email subject might be "Walking on the Sunny (Hills Bank) Side of the Street: Path to DA #1".
20 Feb 19
1/n Domain trust boundaries are not, of course, security boundaries; however many organizations effectively treat them as such. #BloodHound's attack graph tells the real story of how isolated our domains are from each other. Take this simple 3-domain forest for example.
2/n The domain trust map is pretty simple. Domain 1 is trusted by Domain 2, and Domain 2 is trusted by Domain 3. (This is real, anonymized data). So principals in Domain 1 can query Domain 2 or 3 for information, but no privileges are implied by default.
3/n With #BloodHound we can easily find the shortest attack paths from "Domain Users" in Domain 1 to "Domain Admins" in Domain 3. Pretty easy attack path, and very common situation in the real world:
4 Feb 19
1/4 #PrivExchange by @_dirkjan perfectly illustrates how legacy permissions degrade an Active Directory environment's security posture. I want to share three free resources that will help you proactively protect your organization.
2/4 First is part one introducing our Adversary Resilience methodology. Part one covers the high level concepts of this new methodology:

posts.specterops.io/introducing-th…
3/4 Second is part two introducing our Adversary Resilience methodology, and shows the nuts and bolts involved. We've made big improvements to the methodology since its introduction and will be speaking about those publicly at @WEareTROOPERS in March:

posts.specterops.io/introducing-th…
31 Jan 19
1/n - Here's how #BloodHound can help you determine whether you are vulnerable to PrivExchange by @_dirkjan:

Find the domain head object in the BloodHound GUI, click the number next to "First Degree Controllers". See whether an Exchange security group is present:
2/n - Unroll this view by clicking the number next to "Unrolled Controllers" to see the real number of users and computers with control of the domain head
3/n - "WriteDacl" on the domain head is extremely dangerous, as @_dirkjan outlined in his blog, but Exchange servers often have way, WAY more privileges than this. Click an Exchange server and see the real count of domain objects it has control of
10 Jun 18
(1/2) One common strategy is to isolate sensitive accounts into certain OUs. Consider this: we have two OUs, "Normal Accounts" and "Sensitive Accounts". Are there attack paths from the normal accounts to the sensitive accounts?
(2/2) With some cypher magic and #BloodHound's visualizations, we can discover, analyze, measure, and start to remediate those attack paths. Check out these attack paths from a real environment.
Of course, OUs aren't the only "groups" of nodes we can find attack paths between. Domains, geographic locations, business entities, subsidiaries, or a combination of any of those. It's crucial for defenders to enumerate, analyze, and mitigate such attack paths.