In the December v6.3.0 release, we introduced a new analysis algorithm under Early Access. In this release, all customers who have not manually disabled the feature after our last hotfix will have the algorithm enabled in preparation for general availability shortly. This feature:
Improves risk scoring fidelity for all finding types (including a significant enhancement for scoring Large Default Group and Kerberos Abuse findings).
Measures risk at each individual finding, enabling users to understand more granularly which paths to focus on first.
Supports the inclusion of hybrid paths in risk scoring (Azure assets will now contribute to measured risk in AD and vice versa) and introduces new associated finding types.
If you encounter any issues, you may revert to the previous analysis algorithm under the Administration -> Early Access configuration screen. Please contact your TAM with any problems you encounter!
Just-in-time user provisioning and role assertion via Single Sign-On (SSO) - Manual user-creation processes be gone; BloodHound now optionally supports just-in-time user provisioning via all SSO provider types. Additionally, Administrators may allow identity providers to assert the role assigned to a BloodHound user during the SSO sign-in process. Enable these settings today under Administration -> SSO Configuration.
SSO providers are now updateable - If you need to move to a new SSO provider or want to enable the new just-in-time provisioning features, SSO providers are now updateable! Administrators may browse to Administration -> SSO Configuration and click on the 3-dot hamburger menu next to any SSO configuration to update its configuration, including supplying a new metadata.xml for SAML providers.
Download SAML SP Certificate - For our customers who want to implement additional restrictions on SAML login flows, such as pinning or encrypted assertions, the SP certificate is now available for download by clicking on any configured SAML SSO configuration in BloodHound.
Administrators may no longer modify their own accounts - To prevent accidental lockouts or other issues, Administrators may no longer modify their own role assignment or delete their own accounts.
Removed Performance Log Users, DNSAdmins, and Distributed COM Users from default Tier Zero / High Value - We are removing these groups from default Tier Zero for various reasons. Microsoft has patched the issues that allowed escalation from the Performance Log Users and Distributed COM Users group. Separately, DNSAdmins only allowed escalation for environments running Microsoft DNS via Active Directory; this did not apply to customers running alternative DNS solutions. For BloodHound users who do run Active Directory DNS, we strongly recommend manually adding this group to Tier Zero.
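To decide whether DNSAdmins should be re-added to Tier Zero in your environment, the following Cypher query (an added example, not part of these release notes) lists every DNSAdmins group in the graph, its unrolled membership, and whether it currently carries the Tier Zero tag. It assumes the BloodHound schema of Group nodes with name and system_tags properties, MemberOf edges, and the tag value "admin_tier_0"; verify these against your instance.

```cypher
// Added example: locate each DNSAdmins group, unroll its members, and report
// whether the group is already tagged Tier Zero.
// Assumptions: Base/Group labels, MemberOf edges, and system_tags containing
// "admin_tier_0" for Tier Zero objects.
MATCH (g:Group)
WHERE g.name STARTS WITH 'DNSADMINS@'
OPTIONAL MATCH (m:Base)-[:MemberOf*1..]->(g)
RETURN g.name AS dnsadmins_group,
       coalesce(g.system_tags, '') CONTAINS 'admin_tier_0' AS tagged_tier_zero,
       count(DISTINCT m) AS unrolled_members,
       collect(DISTINCT m.name)[0..10] AS sample_members
ORDER BY dnsadmins_group
```

Any domain where this returns members and tagged_tier_zero is false, and where DNS is AD-integrated, is a candidate for manually adding the group back to Tier Zero as recommended above.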
[BHE Only] Enabled Improved Analysis Algorithm by default on all environments that have not manually disabled it.
[BHE Only] Improved finding sort order on the Attack Paths page.
[BHE Only] Multiple consistency improvements on the updated Posture page.