SpecterOps BloodHound Enterprise

What is it?

BloodHound Enterprise is an attack path management tool for Active Directory and Entra ID (formerly Azure AD) environments. It ingests data from your directory services, builds a graph of all identities, permissions, group memberships, GPO applications, and trust relationships, then computes every attack path from any user or computer to your most critical assets (domain controllers, tier zero servers, global admin roles, tenant objects).

The open source version of BloodHound has been used by penetration testers for years to find attack paths during engagements. BloodHound Enterprise is the defensive counterpart: it enumerates paths continuously, measures overall exposure as a percentage (the share of principals that have at least one path to a tier zero asset), and provides specific remediation steps to eliminate those paths.

How does attack path analysis work?

BloodHound Enterprise collects data from Active Directory and Entra ID via collectors. It builds a directed graph where nodes are principals and the objects that govern them (users, computers, groups, GPOs, OUs, service principals, app registrations) and edges are the privileges or relationships that let the source take control of the target (local admin rights, group membership, GPO application, credential or session access, Entra ID role assignments, MS Graph app roles).

The platform then computes all paths from every principal to designated tier zero assets and ranks remediations by impact: which single configuration change eliminates the most paths. This converts what would otherwise be an overwhelming number of findings into a prioritised list of specific actions.

A typical first finding: a GPO whose ACL grants write access to “Authenticated Users” (effectively every account in the forest) and that is linked to an OU containing a tier zero server such as the Azure AD Connect box. Anyone who can edit that GPO can run code as SYSTEM on every machine it applies to. Removing that one ACE takes about 30 minutes and can eliminate thousands of attack paths.
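To make the ranking concrete, here is an added example (not SpecterOps code, and not how BloodHound Enterprise is implemented internally) that runs the same idea over a hand-constructed graph in the shape of the GPO finding above: three users, a GPO writable by Authenticated Users, an OU holding two tier zero machines, and a helpdesk group with local admin on the Azure AD Connect server. Every node name and edge is an assumption. It enumerates each simple path from a principal to tier zero, expresses exposure as the share of principals with at least one path, and scores each removable ACL or membership edge by how many paths disappear when it alone is removed.

```python
"""Attack path enumeration and remediation ranking over a toy directory graph.

Added example, not SpecterOps code. Every node and edge below is a
constructed assumption for illustration, not data from a real directory.
"""
from collections import defaultdict
from typing import Dict, List, Sequence, Set, Tuple

Edge = Tuple[str, str, str]  # (source, relationship, target): source can control target

# Constructed sample graph. Membership in Authenticated Users is implicit for
# every account; it is modelled as an explicit edge so paths run through it.
EDGES: List[Edge] = [
    ("alice", "MemberOf", "AUTHENTICATED USERS"),
    ("bob", "MemberOf", "AUTHENTICATED USERS"),
    ("carol", "MemberOf", "AUTHENTICATED USERS"),
    ("bob", "MemberOf", "HELPDESK"),
    ("AUTHENTICATED USERS", "GenericWrite", "GPO-Baseline"),  # the misconfigured ACL
    ("GPO-Baseline", "GPLink", "OU-TierZero"),
    ("OU-TierZero", "Contains", "AADCONNECT01"),
    ("OU-TierZero", "Contains", "DC01"),
    ("HELPDESK", "AdminTo", "AADCONNECT01"),
]
TIER_ZERO: Set[str] = {"DC01", "AADCONNECT01"}
PRINCIPALS: List[str] = ["alice", "bob", "carol", "HELPDESK", "AUTHENTICATED USERS"]

# Edges an admin can actually remove. Structural edges (GPLink, Contains) are
# how the directory works, and an edge *into* Authenticated Users cannot be cut.
REMOVABLE_RELS = {"GenericWrite", "AdminTo", "MemberOf"}


def adjacency(edges: Sequence[Edge]) -> Dict[str, List[Tuple[str, str]]]:
    adj: Dict[str, List[Tuple[str, str]]] = defaultdict(list)
    for src, rel, dst in edges:
        adj[src].append((rel, dst))
    return adj


def attack_paths(edges: Sequence[Edge], sources: Sequence[str], targets: Set[str]) -> List[Tuple[str, ...]]:
    """Every simple path from each source to the first tier zero node it reaches."""
    adj = adjacency(edges)
    found: List[Tuple[str, ...]] = []

    def dfs(node: str, path: List[str]) -> None:
        if node in targets:            # control of any tier zero asset is the goal; stop here
            found.append(tuple(path))
            return
        for _rel, nxt in adj.get(node, ()):
            if nxt not in path:        # simple paths only: no cycles through nested groups
                path.append(nxt)
                dfs(nxt, path)
                path.pop()

    for src in sources:
        if src not in targets:
            dfs(src, [src])
    return found


def exposure(edges: Sequence[Edge], principals: Sequence[str], targets: Set[str]) -> float:
    """Percentage of principals with at least one path to tier zero."""
    exposed = {p[0] for p in attack_paths(edges, principals, targets)}
    return 100.0 * len(exposed) / len(principals)


def rank_remediations(edges: Sequence[Edge], principals: Sequence[str], targets: Set[str]) -> List[Tuple[int, Edge]]:
    """Score each removable edge by how many paths vanish if it alone is removed."""
    baseline = len(attack_paths(edges, principals, targets))
    scored: List[Tuple[int, Edge]] = []
    for edge in edges:
        _src, rel, dst = edge
        if rel not in REMOVABLE_RELS or dst == "AUTHENTICATED USERS":
            continue
        remaining = [e for e in edges if e != edge]
        eliminated = baseline - len(attack_paths(remaining, principals, targets))
        scored.append((eliminated, edge))
    scored.sort(key=lambda item: item[0], reverse=True)
    return scored


if __name__ == "__main__":
    print(f"paths to tier zero: {len(attack_paths(EDGES, PRINCIPALS, TIER_ZERO))}")
    print(f"exposure: {exposure(EDGES, PRINCIPALS, TIER_ZERO):.0f}%")
    for eliminated, (src, rel, dst) in rank_remediations(EDGES, PRINCIPALS, TIER_ZERO):
        print(f"  remove {src} -{rel}-> {dst}: eliminates {eliminated} paths")
    fixed = [e for e in EDGES if e != ("AUTHENTICATED USERS", "GenericWrite", "GPO-Baseline")]
    print(f"exposure after fixing the GPO ACL: {exposure(fixed, PRINCIPALS, TIER_ZERO):.0f}%")
```

On this toy graph the single GenericWrite ACE from Authenticated Users to the GPO accounts for 8 of the 10 paths; cutting it drops exposure from 100% to 40%, leaving only the helpdesk group's local admin rights as a finding. Real graphs have millions of edges, so a product will not re-run a full path enumeration per candidate edge the way this does, but the scoring it produces is the same quantity the page describes.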

What does it find in Entra ID?

Entra ID introduces attack paths that have no on-prem equivalent. The main concern is OAuth application permissions. An app registration can hold credentials (client secrets or certificates), and its service principal (the instantiation of the app in a tenant) can be granted MS Graph app roles, some of which are equivalent to Global Administrator; anyone who can add a credential to the app registration can sign in as that service principal and use those roles.

The critical permission is “AppRoleAssignment.ReadWrite.All”, which allows an application to grant any app role to any service principal, itself included, without the admin consent step that normally requires a human to approve the grant in the Azure portal. A holder can give itself RoleManagement.ReadWrite.Directory and from there assign Global Administrator, so the permission is Global Administrator-equivalent. This is the mechanism Russia’s SVR (Midnight Blizzard) used in the 2024 Microsoft breach: after password spraying their way into a legacy test tenant, they added a credential to an app registration there whose service principal had elevated privileges in Microsoft’s corporate tenant, used it to grant their own OAuth apps the Exchange Online full_access_as_app role, and read executive mailboxes through Exchange Web Services.

BloodHound Enterprise surfaces which service principals in your tenant hold these dangerous app roles and shows the full chain of who can control the corresponding app registrations and service principals (through Entra ID roles, ownership, or other service principals’ permissions).
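To show what that check looks like, here is an added example, not SpecterOps or Microsoft code, that runs over hand-constructed records in the shape of Microsoft Graph’s servicePrincipals, appRoleAssignments, applications and directory role membership responses. The tenant, object IDs, display names and owners are assumptions. The three app role IDs are resolved the way they would be against a real tenant, from the appRoles list published on the Microsoft Graph service principal (well-known appId 00000003-0000-0000-c000-000000000000); confirm them against your own tenant’s copy of that list. The code flags service principals holding a Global Administrator-equivalent Graph app role and lists their direct controllers: owners of the service principal, owners of its app registration (who can add a credential and sign in as it), and holders of the Application Administrator and Cloud Application Administrator roles. BloodHound Enterprise also follows the transitive edges (group nesting, role-assignable groups and so on); this example stops at one hop.

```python
"""Flag service principals holding Global Admin-equivalent MS Graph app roles
and list who can take control of them.

Added example, not SpecterOps or Microsoft code. All records are constructed
by hand in the shape of Microsoft Graph responses; object IDs, names and
owners are illustrative assumptions.
"""
from typing import Dict, Iterable, List, Set, Tuple

GRAPH_APP_ID = "00000003-0000-0000-c000-000000000000"  # Microsoft Graph's well-known appId

# The resource service principal publishes the app roles it exposes; an
# appRoleId in an assignment only gets a name through this list. The role IDs
# are from the Microsoft Graph SP's appRoles; confirm against your tenant.
RESOURCE_SPS: List[dict] = [
    {
        "id": "sp-msgraph",
        "appId": GRAPH_APP_ID,
        "displayName": "Microsoft Graph",
        "appRoles": [
            {"id": "06b708a9-e830-4db3-a914-8e69da51d44f", "value": "AppRoleAssignment.ReadWrite.All"},
            {"id": "9e3f62cf-ca93-4989-b6ce-bf83c28f9fe8", "value": "RoleManagement.ReadWrite.Directory"},
            {"id": "810c84a8-4a9e-49e6-bf7d-12d183f40d01", "value": "Mail.Read"},
        ],
    }
]

# Constructed tenant service principals and the app role assignments they hold
# (GET /servicePrincipals/{id}/appRoleAssignments in the real API).
SERVICE_PRINCIPALS: List[dict] = [
    {
        "id": "sp-legacy-test", "appId": "app-legacy-test", "displayName": "Legacy Test App",
        "owners": ["user-testadmin"],
        "appRoleAssignments": [{"resourceId": "sp-msgraph", "appRoleId": "06b708a9-e830-4db3-a914-8e69da51d44f"}],
    },
    {
        "id": "sp-reporting", "appId": "app-reporting", "displayName": "Reporting",
        "owners": [],
        "appRoleAssignments": [{"resourceId": "sp-msgraph", "appRoleId": "810c84a8-4a9e-49e6-bf7d-12d183f40d01"}],
    },
]

# Constructed app registrations: the object an owner adds a client secret or
# certificate to, after which they can sign in as the service principal.
APPLICATIONS: List[dict] = [
    {"appId": "app-legacy-test", "owners": ["user-devlead"]},
    {"appId": "app-reporting", "owners": ["user-analyst"]},
]

# Constructed directory role membership. These two roles can add credentials
# to any app registration or service principal in the tenant.
APP_CONTROLLING_ROLES = {"Application Administrator", "Cloud Application Administrator"}
DIRECTORY_ROLE_MEMBERS: Dict[str, List[str]] = {
    "Application Administrator": ["user-helpdesk"],
    "Global Reader": ["user-auditor"],
}

# Graph app roles whose holder can grant itself anything else, i.e. Global
# Administrator-equivalent. Service principals holding them belong in tier zero.
TIER_ZERO_APP_ROLES: Set[str] = {
    "AppRoleAssignment.ReadWrite.All",
    "RoleManagement.ReadWrite.Directory",
}


def app_role_names(resource_sps: Iterable[dict]) -> Dict[Tuple[str, str], str]:
    """Map (resourceId, appRoleId) -> permission name using each resource's appRoles."""
    return {(sp["id"], role["id"]): role["value"] for sp in resource_sps for role in sp["appRoles"]}


def controllers_of(sp: dict, applications: Iterable[dict], role_members: Dict[str, List[str]]) -> Set[str]:
    """Principals one hop away from controlling this service principal."""
    who = set(sp["owners"])
    for app in applications:
        if app["appId"] == sp["appId"]:
            who.update(app["owners"])          # app registration owners can add a credential
    for role, members in role_members.items():
        if role in APP_CONTROLLING_ROLES:
            who.update(members)                # these roles can credential any app in the tenant
    return who


def dangerous_service_principals(sps: Iterable[dict], resource_sps: Iterable[dict],
                                 applications: Iterable[dict], role_members: Dict[str, List[str]]) -> List[dict]:
    """Service principals holding a tier zero app role, with the roles and their controllers."""
    names = app_role_names(resource_sps)
    applications = list(applications)
    findings: List[dict] = []
    for sp in sps:
        held = {names.get((a["resourceId"], a["appRoleId"]), a["appRoleId"]) for a in sp["appRoleAssignments"]}
        bad = sorted(held & TIER_ZERO_APP_ROLES)
        if bad:
            findings.append({
                "servicePrincipal": sp["displayName"],
                "roles": bad,
                "controllers": sorted(controllers_of(sp, applications, role_members)),
            })
    return findings


if __name__ == "__main__":
    for f in dangerous_service_principals(SERVICE_PRINCIPALS, RESOURCE_SPS, APPLICATIONS, DIRECTORY_ROLE_MEMBERS):
        print(f"{f['servicePrincipal']}: holds {', '.join(f['roles'])}; controllable by {', '.join(f['controllers'])}")
```

The Reporting app holding Mail.Read is not flagged here even though mailbox read is a serious permission in its own right; the point of the tier zero set is to catch the roles from which every other privilege can be self-granted. Unresolvable appRoleIds fall through as raw GUIDs rather than being dropped, so an assignment against a resource you have not pulled the appRoles for still shows up in the output.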

What does a typical remediation look like?

Most remediations are small configuration changes, not architectural overhauls:

  • Remove “Authenticated Users” from GPO ACLs that apply to tier zero assets
  • Remove unnecessary local admin group memberships on servers
  • Reduce MS Graph app roles on service principals to least privilege
  • Audit and remove service principals of apps registered in other tenants (multi-tenant apps) that hold elevated Graph app roles or Entra ID roles

SpecterOps reports that customers can reach 0% exposure (no principal with a path to any tier zero asset). The first deployment typically reveals what SpecterOps calls “20 years of misconfiguration debt”, but the highest-impact changes are often trivial to implement.

What does it cost?

Pricing starts at approximately $20,000 per year. Large enterprises with 50,000 to 100,000 users typically pay between $100,000 and $300,000 per year.

What does it not do?

BloodHound Enterprise maps attack paths in Active Directory and Entra ID. It does not cover cloud infrastructure permissions (AWS IAM, GCP IAM) or SaaS application permissions outside of the Microsoft identity ecosystem. SpecterOps is working on cross-platform attack path analysis via BloodHound’s OpenGraph capability.

SpecterOps is a recurring Risky Business sponsor.