This article describes the step-by-step process of deploying and using BloodHound Enterprise, which is to be followed after being provided a BloodHound Enterprise instance.
Don’t have an instance? Request a demo and see why BloodHound Enterprise is awesome.
Information about the security of your BloodHound Enterprise instance is available in the article BloodHound Enterprise Security Overview.
Your instance is pre-created with one or just a few administrative users. Granting your whole team access to BloodHound Enterprise with dedicated users and roles is recommended.
BloodHound Enterprise supports two authentication methods:
- Built-in authentication via username and password, supports TOTP-based multi-factor authentication.
- SAML 2.0-based Single-Sign-On as described in SAML in BloodHound Enterprise.
Your initial users will be configured with built-in authentication, thereafter you are free to configure SAML authentication, create users, and set user roles.
One of four access control roles can be granted to every user as described in the article User Roles.
We recommend enabling multi-factor authentication for all users no matter the authentication method and user role. If using SAML authentication, your connected identity provider will be responsible for multi-factor authentication.
Deploy BloodHound Enterprise
BloodHound Enterprise can analyze data collected by its two collector services, each collecting from a specific directory:
- Active Directory, collected by SharpHound Enterprise
- Azure Active Directory, collected by AzureHound Enterprise
The two services may be run from the same Windows system, however AzureHound Enterprise also supports Docker and Kubernetes.
Deploy SharpHound Enterprise (Active Directory)
SharpHound Enterprise collection can be divided into two types of collection:
- AD structure collection
- Connects to a Domain Controller and collects AD object data.
- Privileged collection
- Connects to domain-joined Windows systems and collects local group memberships, privileges, and active sessions.
We recommend performing both collection types. For technical details read SharpHound Data Collection and Permissions.
No matter the collection type, the SharpHound Enterprise collector service must be installed on a domain-joined Windows system and the service must run as an AD account. Follow the below step-by-step:
- SharpHound Enterprise System Requirements
- Deploy and maintain SharpHound: Install and Upgrade SharpHound Enterprise
- We recommend following the SharpHound Service Hardening Guidelines.
- SharpHound Enterprise also supports Cross-Trust Collection.
- To secure a domain, we recommend at least also collecting data from all trusted domains (outgoing trust).
Deploy AzureHound Enterprise (Azure Active Directory)
The AzureHound Enterprise collector service can be run on Windows, Docker, and Kubernetes. Follow the below step-by-step:
- AzureHound Enterprise System Requirements and Deployment Process
- Configure Azure: AzureHound Enterprise Azure Configuration
- Create your AzureHound configuration: AzureHound Enterprise Local Configuration
- Deploy and maintain AzureHound: Run and Upgrade AzureHound (Windows, Docker, or Kubernetes)
Verify data quality
After data has been collected, click on settings ⚙️ → Administration, select Data Quality and>
- Verify that the collectors have collected the expected amount of data/number of principal types in each directory.
- If using privileged collection, verify that the charts "Local Group Completeness Over Time" and "Session Completeness Over Time" both report higher than 0%. Bear in mind that obtaining 100% is not possible in most environments, e.g., due to workstations being offline during collection.
If seeing lower-than-expected data quality you must examine data collection logs. Please reach out to your SpecterOps representative for assistance in this task.
Scoping Tier Zero
BloodHound Enterprise will identify and prioritize attack paths, to get the most accurate assessment you should scope your Tier Zero objects, for this you should:
- Scope Tier Zero for your environment, read Tier Zero: Members and Modification.
- Mark your environment's Tier Zero objects in BHE, read Modifying Tier Zero.
Explore and remediate attack paths
On the "Explore" page you can see identified attack paths, their prioritization, and recommended mitigations.
For advanced usage, read the following articles: