SpecterOps adds new Attack Paths to BloodHound Enterprise

SpecterOps announced updates to BloodHound Enterprise (BHE) that add new Attack Paths focused on Active Directory Certificate Services (ADCS). These updates make BHE the most advanced tool on the market today for securing ADCS.

ADCS is the Public Key Infrastructure implementation of Microsoft Active Directory and is widely used in enterprise environments including most of the Fortune 1000. If attackers can abuse it to give themselves false authentication certificates, they can gain account and domain-level privileges and establish deep persistence. Unfortunately, misconfigurations in ADCS are common and pose an enormous security risk, but have traditionally been overlooked by the security community with few tools available to help secure it.

These new ADCS attack paths are based on work by SpecterOps researchers Will Schroeder and Lee Chagolla-Christensen, first released in 2021. They discovered many common misconfigurations in enterprise ADCS environments that allow attackers to steal certificates, achieve account persistence, and achieve full control over an Active Directory domain. These updates allow BHE users to easily identify and remediate these misconfigurations and significantly reduce their risk.

“In months of research, nearly every environment with ADCS we looked at was vulnerable to domain escalation – I can’t overstate how serious these issues are,” said Will Schroeder, Security Researcher at SpecterOps. “These updates arm security and IAM teams with the power to find and fix these misconfigurations, shut down these attack paths and dramatically reduce their risk of ADCS abuse.”

ADCS provides the mechanism used for encrypting file systems, digital signatures, user authentication and more. The nature of ADCS makes it very difficult for defenders to detect or respond to attacks on it after they’ve been executed. Removing misconfigurations and weaknesses in ADCS is the best way to reduce the risk of these serious attacks.

In response, SpecterOps is adding multiple attack paths related to ADCS to BloodHound Enterprise. Three of them are available in the product now in Early Access with three to follow later in January. BHE customers can enable these paths through their Early Access page. Additional paths will be added throughout early 2024 as additional research is completed.

BloodHound Enterprise (BHE) is the industry’s first platform for comprehensively removing identity attack paths in Microsoft’s Active Directory (AD) and Entra/Azure AD. It experienced rapid customer adoption in 2022 and 2023 with significant product revenue growth and new customer acquisition growing by more than 600%. Today, BloodHound Enterprise is used worldwide by companies like Capital Group, the University of Texas at Austin and Woodside Energy.

SpecterOps raised a $33.5 million Series A funding round from Decibel and Ballistic Ventures in 2023. This update is one of many projects that funding has enabled or accelerated.