Listen to this Post
The latest release of BloodHound (v7.1.0) brings significant advancements in identity security, particularly in addressing NTLM relay attacks. This version introduces new features that allow administrators to visualize and remediate NTLM coercion and relay attack paths directly within the graph. Key updates include:
- NTLM Relay Attack Paths: Now visible in the graph, enabling administrators to detect and address vulnerabilities related to LDAPS, LDAP, SMB, and more.
- Owns/WriteOwner Attack Path Primitives: Rebuilt for improved accuracy.
- Empty Group Support: Enhanced ingestion of empty local group objects, especially useful for Citrix RDP environments.
- Cross-Domain Edge Logic: Refined handling of edges across domains, particularly for special groups like “Authenticated Users” in ADCS.
- IDP Role Assignments: Full support for IDP role assignments on every SSO login.
- Default Admin User Recreation: Added ability to recreate a default admin user via an environment variable.
- BloodHound Enterprise Enhancements: Posture page chart now allows sorting findings by Severity and Count, and includes a new Splunk SOAR integration for faster incident response.
You Should Know:
Here are some practical commands and codes to leverage BloodHound v7.1.0 for identity security:
1. Ingesting Data into BloodHound:
bloodhound-python -d domain.local -u username -p password -c All
2. Visualizing NTLM Relay Attack Paths:
neo4j start bloodhound
3. Remediating NTLM Vulnerabilities:
Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\Lsa" -Name "DisableNTLM" -Value 1
4. Handling Empty Groups:
Get-LocalGroup | Where-Object { $_.Members.Count -eq 0 } | Remove-LocalGroup
5. Cross-Domain Edge Handling:
Get-ADGroupMember -Identity "Authenticated Users" -Server domain2.local
6. Recreating Default Admin User:
$env:BloodHoundDefaultAdmin = "admin"
7. Sorting Findings by Severity in BloodHound Enterprise:
Sort-Object -Property Severity -Descending
8. Integrating with Splunk SOAR:
splunk add search-head -auth admin:changeme -remote-server bloodhound-enterprise.local
What Undercode Say:
BloodHound v7.1.0 is a game-changer for identity security, providing administrators with powerful tools to visualize and remediate complex attack paths. The addition of NTLM relay attack path visualization, improved cross-domain edge handling, and enhanced support for empty groups make this release indispensable for securing Active Directory environments. The integration with Splunk SOAR further enhances its utility, enabling faster and more effective incident response. By leveraging the commands and practices outlined above, organizations can significantly bolster their defenses against identity-based attacks.
For more information, visit the official BloodHound documentation: BloodHound Docs
References:
Reported By: Kdaskalakis Greatidentitysecurity – Hackers Feeds
Extra Hub: Undercode MoN
Basic Verification: Pass ✅



