BloodHound

NTLM relay attacks have been around for a long time. While many security practitioners think NTLM relay is a solved problem, or at least a not-so-severe one, it is, in fact, alive ...

Getting Started with BHE — Part 2Contextualizing Tier ZeroTL;DRAn accurately defined Tier Zero provides an accurate depiction of Attack Path Findings in your BHE tenant.Different principals (groups, GPOs, OUs, etc.) have different implications when Tier Zero is ...

Getting Started with BHE — Part 1Understanding Collection, Permissions, and Visibility of Your EnvironmentTL;DRAttack Path visibility is dependent upon scope of collection; complete collection is dependent upon appropriate permissions.Your collection strategy benefits from tiering just ...

Just in time for the holidays, sharper tools for faster defenseToday, the SpecterOps team rolled out a number of new features, product enhancements, and recommendations intended to help users of BloodHound Enterprise and ...

ADCS Attack Paths in BloodHound — Part 3In Part 1 of this series, we explained how we incorporated Active Directory Certificate Services (ADCS) objects into BloodHound and demonstrated how to effectively use BloodHound to identify ...

Introducing Hybrid Attack PathsDeath from Above: An Attack Path from Azure to Active Directory With BloodHoundWhen we introduced Azure Attack Paths into BloodHound, they were added as a completely separate sub-graph. At no ...

ADCS Attack Paths in BloodHound — Part 2In Part 1 of this series, we explained how we incorporated Active Directory Certificate Services (ADCS) objects into BloodHound and demonstrated how to effectively use BloodHound to identify ...

How MS Exchange on-premises compromises Active Directory and what organizations can do to prevent that.At SpecterOps, we recommend our customers establish a security boundary around their most critical assets (i.e., Tier Zero) of ...

Final Steps to BloodHound Federal — FedRAMP High ComplianceEver since SpecterOps first launched BloodHound Enterprise (BHE) in July 2021, one of our team’s biggest frustrations involved a lack of FedRAMP qualifications, which prevented us ...

Entra ID has a built-in role called “Partner Tier2 Support” that enables escalation to Global Admin, but this role is hidden from view in the Azure portal GUI.Why it mattersAn adversary may target the ...