2024-02-14 Release Notes (v5.6.0)

  • Updated

Announcements

Active Directory Certificate Services General Availability

AD Certificate Services coverage in BloodHound is officially in General Availability with v5.6.0! To collect and process this information, ensure you're using the most recent version of SharpHound available from the "Download Collectors" view in your BloodHound environment!

As of this release, BloodHound provides coverage for:

  • GoldenCert (DPERSIST1 in the Certified Pre-Owned whitepaper)
  • ESC1
  • ESC3
  • ESC6a
  • ESC9a
  • ESC10a

We will continue to expand coverage on these escalation paths (some have multiple variations, represented by the 'a' trailing designator) plus additional ESC paths from the whitepaper and through additional ongoing research over future releases.

SpecterOps Training: Customer Discounts!

Join one of our upcoming training sessions during SO-CON for a discount and learn from in-the-field experts to develop your skills based on current adversary TTPs - all in the comfort of your own home/office!

Courses run March 12-15 from 9AM - 5PM ET:

  • Adversary Tactics: Detection
  • Adversary Tactics: Red Team Operations
  • Adversary Tactics: Tradecraft Analysis
  • *NEW* Azure Security Fundamentals

Reach out to your point of contact for a discount code and register today: https://events.humanitix.com/tours/so-con-2024

Summary

  • BloodHound (v5.6.0)
    • New and Improved Features
      • General Availability of AD Certificate Services paths: GoldenCert, ESC1, ESC3, ESC6a, ESC9a, ESC10a (requires latest version of SharpHound)
      • New "Power User" role was added in BloodHound as a bridge between "User" and "Administrator"
      • Added filtering capabilities to the Group Management view
      • Significant expansion of data available in BloodHound audit logs
      • Improved accuracy in the "... where Domain Users can RDP" default cypher queries
      • [BHE Only] Analysis will now separate warnings from errors in completion, leading to more accurate completion of analysis in environments
    • Bug Fixes
      • Data Quality page fails to count Azure tenant objects in specific scenarios
      • Improved accuracy of the "count" responses from paginated API queries
      • Resolved a specific issue with SAML implementations resulting in inaccurate "NotAuthorized" responses
      • Resolved several role-privilege issues with BloodHound roles (The "User" role can no longer perform actions in the Manage Clients page, the "Upload Only" role can no longer view Experimental Features)
      • Moving from "Pathfinding" to "Search" on the "Explore" page will now properly disable pathfinding
      • Cursors will no longer jump to the end of the search fields on "Explore"
      • [BHE Only] TrustedBy edges should now reconcile appropriately
  • SharpHound (v2.3.5 - BHE, v2.3.2 - CE)
    • New and Improved Features
      • Additional ADCS property collection
    • Bug Fixes
      • Resolved issues with hitting KERNELFAULT errors during collection
      • Improved handling and retries for LDAP ServerDown responses, preventing cross-trust collection
  • AzureHound (v2.1.7)
    • New and Improved Features
      • Significant reduction in memory consumption when processing Azure group membership information
    • Bug Fixes
      • [BHE Only] AzureHound will now properly respect the verbosity setting set in config.json

BloodHound (v5.6.0)

New and Improved Features

  • General Availability of AD Certificate Services Coverage - AD Certificate Services Attack Paths are now generally available to all BloodHound users. This release includes support for: GoldenCert, ESC1, ESC3, ESC6a, ESC9a, ESC10a (requires latest version of SharpHound)
  • New "Power User" role - BloodHound now includes an additional role as a bridge between "User" and "Administrator" for customers with users who should be able to modify the graph through file uploads or modifications of collectors but who should not be able to modify who can access the environment. For more, see Administering users and roles.
  • Filtering in Group ManagementThe Group Management view will now let users filter for objects within an Asset Group based on object type and whether the object is a custom-assigned object.
  • Audit Log Enhancements - BloodHound audit logs got a significant expansion, including the addition of logging failed actions, as well as including information such as the user's email address, and the source IP (including any proxies) in each record.
  • Improved accuracy in the "... where Domain Users can RDP" default cypher queries
  • [BHE Only] Analysis will now separate warnings from errors in completion, leading to more accurate completion of analysis in environments

Bug Fixes

  • Data Quality page fails to count Azure tenant objects in specific scenarios
  • Improved accuracy of the "count" responses from paginated API queries
  • Resolved a specific issue with SAML implementations resulting in inaccurate "NotAuthorized" responses
  • Resolved several role-privilege issues with BloodHound roles (The "User" role can no longer perform actions in the Manage Clients page, the "Upload Only" role can no longer view Experimental Features)
  • Moving from "Pathfinding" to "Search" on the "Explore" page will now properly disable pathfinding
  • Cursors will no longer jump to the end of the search fields on "Explore"
  • [BHE Only] TrustedBy edges should now reconcile appropriately

SharpHound (v2.3.5 - BHE, v2.3.2 - CE)

New and Improved Features

  • Additional support for ADCS collection capabilitiesSharpHound will now collect additional information required to analyze and generate ADCS Attack Paths.

Bug Fixes

  • Resolved issues with hitting KERNELFAULT errors during collection
  • Improved handling and retries for LDAP ServerDown responses, preventing cross-trust collection

AzureHound (v2.1.7)

New and Improved Features

  • Memory usage reduction - AzureHound will now utilize significantly less memory when processing Azure group membership information

Bug Fixes

  • [BHE Only] AzureHound will now properly respect the verbosity setting set in config.json