BloodHound uses graph theory to reveal the hidden and often unintended relationships within Active Directory and Entra ID (formerly known as Azure AD). Both defenders/blue teams and attackers/red teams can use BloodHound to easily gain a deeper understanding of privileged relationships in an environment.
BloodHound is released as two different products: BloodHound Community Edition (CE) for red teams and BloodHound Enterprise for blue teams.
BloodHound Community Edition
BloodHound CE is the newest version of the original BloodHound tool. It is free, open-source, and focused on the same mission as the original tool: enabling penetration testers and red teams to more rapidly evaluate the Attack Paths within Active Directory and Entra ID (formerly known as Azure AD).
BloodHound Enterprise is a SaaS offering by SpecterOps and the BloodHound Enterprise engineering team, the creators and maintainers of the original BloodHound. After releasing the original BloodHound tool in 2016, our team immediately recognized the defensive opportunity of BloodHound and began working out how best to apply it defensively. Over the course of the following years, through much trial and error, we developed the concept of Attack Path Management, a framework designed to help organizations measure and remediate the risk created by Attack Paths.
BloodHound Enterprise is our answer to the need for Attack Path Management and is the only tool available that offers this capability to help defenders easily identify and eliminate highly complex attack paths that would otherwise be impossible to manage.
Attack Path Management in BloodHound Enterprise
Andy Robbins, Product Architect of BloodHound Enterprise and co-founder of the BloodHound project, provided a full explanation of the concepts behind successfully remediating the risks posed by Attack Paths in the Attack Path Management Manifesto, What is Attack Path Management? Although we recommend reading the full paper, some specific excerpts are provided below:
Continuous, Comprehensive Attack Path Mapping
Enterprise networks are not static. Privileged users log on to different systems daily (leaving behind tokens and credentials that can be abused by an adversary), new applications require newly granted permissions, and security group memberships change to accommodate business requirements. These individual changes and events don’t just affect the principals and objects directly involved — they have far-reaching effects on the creation of Attack Paths.
When continuously mapping Attack Paths, every relationship or connection must be charted. From critical servers like Domain Controllers to individual endpoints, comprehensive enumeration of relationships and connections enables a full understanding of the real permissions against any given object, computer, user, etc., and also enables empirical measurement of the impact of any particular connection.
Empirical Impact Assessment of Attack Path Choke Points
Attack Path Management must assess and describe (in simple language) the impact any particular Choke Point has. This is done by comprehensively walking the Attack Paths backward to discover how many users and computers have access and pathways to each Choke Point. One Choke Point may enable 100% of users to access Tier Zero, while another Choke Point only enables 2% of users to access Tier Zero — this makes prioritization and urgency immediately clear.
Practical, Precise, and Safe Remediation Guidance
The primary objective of Attack Path Management is to help organizations eliminate key Choke Points such that it’s no longer worth the adversary’s effort to try to enumerate or execute Attack Paths in that organization’s network. With this end goal in mind, it is vital that Attack Path Management produce practical, precise, and safe remediation guidance that organizations can easily implement.
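The backward walk that the "Empirical Impact Assessment of Attack Path Choke Points" excerpt describes can be shown on a small graph. The Python below is an added example, not BloodHound's own code or data: it builds a constructed directory graph in BloodHound's (source, edge type, target) shape, marks one group as Tier Zero, walks the edges backward to find every node that leads into Tier Zero, and then, for each such node, walks backward again to count how many users can reach it. The resulting percentage is the choke point's exposure, which is what makes one choke point obviously more urgent than another. All principal names, hosts and edges are invented for this example.

```python
from collections import defaultdict, deque

# Constructed sample graph in BloodHound's (source, edge, target) shape.
# Every name, host and edge here is invented for this example.
EDGES = [
    ("alice@corp.local", "MemberOf", "HELPDESK@corp.local"),
    ("bob@corp.local", "MemberOf", "HELPDESK@corp.local"),
    ("carol@corp.local", "MemberOf", "HELPDESK@corp.local"),
    ("HELPDESK@corp.local", "GenericAll", "SERVER-ADMINS@corp.local"),
    ("dave@corp.local", "MemberOf", "SERVER-ADMINS@corp.local"),
    ("SERVER-ADMINS@corp.local", "AdminTo", "SRV01.corp.local"),
    ("SRV01.corp.local", "HasSession", "admin_da@corp.local"),
    ("admin_da@corp.local", "MemberOf", "DOMAIN ADMINS@corp.local"),
    ("frank@corp.local", "MemberOf", "WORKSTATION-ADMINS@corp.local"),
    ("WORKSTATION-ADMINS@corp.local", "GenericAll", "DOMAIN ADMINS@corp.local"),
    ("erin@corp.local", "MemberOf", "FINANCE@corp.local"),
    ("FINANCE@corp.local", "AdminTo", "FIN01.corp.local"),
    ("grace@corp.local", "MemberOf", "STAFF@corp.local"),
    ("heidi@corp.local", "MemberOf", "STAFF@corp.local"),
    ("ivan@corp.local", "MemberOf", "STAFF@corp.local"),
]
USERS = {
    "alice@corp.local", "bob@corp.local", "carol@corp.local", "dave@corp.local",
    "erin@corp.local", "frank@corp.local", "grace@corp.local", "heidi@corp.local",
    "ivan@corp.local", "admin_da@corp.local",
}
TIER_ZERO = {"DOMAIN ADMINS@corp.local"}


def reverse_adjacency(edges):
    """Map each target node to the set of source nodes with an edge into it."""
    rev = defaultdict(set)
    for src, _edge_type, dst in edges:
        rev[dst].add(src)
    return rev


def upstream(rev, targets):
    """Walk the graph backward from `targets` and return every node that has
    a path into at least one of them (the targets themselves are excluded)."""
    seen = set(targets)
    queue = deque(targets)
    while queue:
        node = queue.popleft()
        for pred in rev.get(node, ()):
            if pred not in seen:
                seen.add(pred)
                queue.append(pred)
    return seen - set(targets)


def tier_zero_exposure(edges=EDGES, users=USERS, tier_zero=TIER_ZERO):
    """Percentage of users that have any Attack Path into Tier Zero."""
    rev = reverse_adjacency(edges)
    return 100.0 * len(upstream(rev, tier_zero) & users) / len(users)


def choke_point_report(edges=EDGES, users=USERS, tier_zero=TIER_ZERO):
    """Rank every non-Tier-Zero node that sits on an Attack Path by the share
    of users that can reach it, i.e. the users whose path to Tier Zero runs
    through that node. Returns (node, percent, sorted exposed users) rows."""
    rev = reverse_adjacency(edges)
    on_path = upstream(rev, tier_zero)          # nodes with a path into Tier Zero
    report = []
    for node in on_path:
        exposed = upstream(rev, {node}) & users  # users with a path into this node
        if exposed:
            report.append((node, 100.0 * len(exposed) / len(users), sorted(exposed)))
    report.sort(key=lambda row: (-row[1], row[0]))
    return report


if __name__ == "__main__":
    print(f"Users with a path to Tier Zero: {tier_zero_exposure():.1f}%")
    for node, percent, exposed in choke_point_report():
        print(f"{percent:5.1f}%  {node}  ({len(exposed)} users)")
```

On this constructed graph, 60% of users can reach Tier Zero. The SERVER-ADMINS group, the SRV01 host and the admin_da session all score 40% because they sit on the same chain; HELPDESK scores 30% and WORKSTATION-ADMINS only 10%, so fixing the HELPDESK-to-SERVER-ADMINS chain removes most of the exposure while the WORKSTATION-ADMINS path is a much smaller, separate problem. Nodes with no upstream users (the individual user accounts) and groups with no path to Tier Zero (FINANCE, STAFF) never appear in the report.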