Walking Through an Attack Path with ForceHound

ForceHound extracts Salesforce identity and entitlement data and uploads it into BloodHound so defenders and attackers alike can query graph paths that reveal transitive privilege escalation and Connected App exposure. With targeted Cypher queries, the graph exposes paths from standard users to high-value capabilities (e.g., ModifyAllData, AuthorApex, ApiEnabled) and highlights legacy Connected App authorizations that remain dangerous despite Salesforce's September 2025 installation restrictions.

Keypoints

  • ForceHound can collect Salesforce identity and entitlement data (Aura mode) and upload it to BloodHound for graph analysis.
  • Transitive privilege escalation is demonstrated: ManageUsers or AssignPermissionSets can enable a standard user to grant themselves ModifyAllData via permission sets.
  • Connected Apps that are not profile‑restricted create implicit CanAccessApp edges from every profile, expanding the blast radius for OAuth consent abuse.
  • Cypher queries allow precise discovery of who can reach capabilities like ModifyAllData, AuthorApex, ApiEnabled, and which users can create or CRUD specific objects.
  • Salesforce’s September 2025 Connected App installation restrictions improve new integrations’ security but do not remediate legacy authorizations already present in org graphs.
  • ForceHound is open source (github.com/NetSPI/ForceHound) and intended to make misconfigurations visible so admins can make informed remediation decisions.
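To make the transitive escalation and the implicit Connected App edges in the points above concrete, here is a small Python model of the kind of entitlement graph ForceHound uploads to BloodHound. It is an added example, not ForceHound's code, and its node prefixes (user:, profile:, permset:, perm:, app:), edge names (HasProfile, HasPermissionSet, Grants, CanAccessApp, CanAssignSelf) and sample org are constructed assumptions rather than the tool's real schema. It shows why a standard user holding only AssignPermissionSets can reach ModifyAllData, and how an app without a profile restriction gains an edge from every profile.

```python
from collections import deque

# Assumption for this example: holding either permission lets a user assign any
# permission set to themselves, so every permission set becomes reachable.
GRANTING_PERMS = {"ManageUsers", "AssignPermissionSets"}


def build_graph(users, profiles, perm_sets, connected_apps):
    """Directed graph: graph[src][dst] = edge label (constructed schema)."""
    graph = {}

    def add_edge(src, dst, label):
        graph.setdefault(src, {})[dst] = label
        graph.setdefault(dst, {})

    for name, perms in profiles.items():
        for perm in perms:
            add_edge(f"profile:{name}", f"perm:{perm}", "Grants")
    for name, perms in perm_sets.items():
        for perm in perms:
            add_edge(f"permset:{name}", f"perm:{perm}", "Grants")
    for name, u in users.items():
        add_edge(f"user:{name}", f"profile:{u['profile']}", "HasProfile")
        for ps in u["perm_sets"]:
            add_edge(f"user:{name}", f"permset:{ps}", "HasPermissionSet")
    # Profile-restricted apps get CanAccessApp edges only from the listed
    # profiles; an unrestricted app (None) gets an implicit edge from every one.
    for app, allowed in connected_apps.items():
        for prof in (profiles.keys() if allowed is None else allowed):
            add_edge(f"profile:{prof}", f"app:{app}", "CanAccessApp")
    # Derived edges: a user who can reach a granting permission can assign
    # themselves every permission set. Iterate to a fixpoint for generality.
    changed = True
    while changed:
        changed = False
        for name in users:
            user = f"user:{name}"
            reach = reachable(graph, user)
            if not any(f"perm:{p}" in reach for p in GRANTING_PERMS):
                continue
            for ps in perm_sets:
                if f"permset:{ps}" not in graph[user]:
                    add_edge(user, f"permset:{ps}", "CanAssignSelf")
                    changed = True
    return graph


def reachable(graph, start):
    """All nodes reachable from start (BFS)."""
    seen, queue = {start}, deque([start])
    while queue:
        for nxt in graph.get(queue.popleft(), {}):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return seen


def find_path(graph, start, target):
    """Shortest path as 'src -[Edge]-> dst' hops, or None if unreachable."""
    parent, queue = {start: None}, deque([start])
    while queue:
        node = queue.popleft()
        if node == target:
            hops = []
            while parent[node] is not None:
                prev = parent[node]
                hops.append(f"{prev} -[{graph[prev][node]}]-> {node}")
                node = prev
            return hops[::-1]
        for nxt in graph.get(node, {}):
            if nxt not in parent:
                parent[nxt] = node
                queue.append(nxt)
    return None


def who_can_reach(graph, permission):
    """Sorted user names with any path to perm:<permission>."""
    target = f"perm:{permission}"
    return sorted(n.split(":", 1)[1] for n in graph
                  if n.startswith("user:") and target in reachable(graph, n))


def profiles_with_app_access(graph, app):
    """Sorted profile names holding a CanAccessApp edge to app:<app>."""
    return sorted(n.split(":", 1)[1] for n, e in graph.items()
                  if n.startswith("profile:") and e.get(f"app:{app}") == "CanAccessApp")


# Constructed sample org: bob's only extra entitlement is AssignPermissionSets.
USERS = {"alice": {"profile": "Standard User", "perm_sets": []},
         "bob": {"profile": "Standard User", "perm_sets": ["UserAdmin"]},
         "carol": {"profile": "System Administrator", "perm_sets": []}}
PROFILES = {"Standard User": {"ApiEnabled"}, "Minimum Access": set(),
            "System Administrator": {"ModifyAllData", "AuthorApex", "ApiEnabled"}}
PERM_SETS = {"UserAdmin": {"AssignPermissionSets"},
             "DataAdmin": {"ModifyAllData"}, "DevAccess": {"AuthorApex"}}
CONNECTED_APPS = {"LegacyIntegration": None,              # not profile-restricted
                  "LockedApp": {"System Administrator"}}  # restricted to one profile
GRAPH = build_graph(USERS, PROFILES, PERM_SETS, CONNECTED_APPS)

if __name__ == "__main__":
    print("Can reach ModifyAllData:", who_can_reach(GRAPH, "ModifyAllData"))
    for hop in find_path(GRAPH, "user:bob", "perm:ModifyAllData"):
        print("  ", hop)
    print("LegacyIntegration reachable from:", profiles_with_app_access(GRAPH, "LegacyIntegration"))
```

In the sample org, alice never reaches ModifyAllData, but bob does in two hops through a permission set he was never assigned, because the derived CanAssignSelf edge turns AssignPermissionSets into effective ModifyAllData. The unrestricted LegacyIntegration app is reachable from all three profiles, including Minimum Access, while LockedApp is reachable only from System Administrator. In BloodHound the same questions are asked in Cypher over ForceHound's real schema; the remediation step is the same as what this model suggests: review who holds the granting permissions, and restrict legacy Connected Apps to the profiles that need them.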

MITRE Techniques

  • [None] No specific MITRE ATT&CK technique identifiers are referenced. The article focuses on Salesforce permissions, identity graphs, and Connected App authorization risk rather than naming ATT&CK TIDs ('ForceHound doesn't fix misconfigurations. It makes them visible.').

Indicators of Compromise

  • [Domain/URL] Tool and example endpoints referenced: github.com/NetSPI/ForceHound (tool repository), https://targetorg.lightning.force.com (example target org URL, not a real victim), and http://localhost:8080 (the local BloodHound upload endpoint in the article's examples).
  • [Session tokens / cookies] Authentication artifacts the article's commands take as input: "$STOLEN_SID" (placeholder for a Salesforce session cookie) and "$AURA_TOKEN" (placeholder for an Aura token). These are shell placeholders, not actual indicator values; in a real investigation the indicator would be an existing session being reused to drive Aura collection.
  • [Configuration indicators] Risky permissions and entitlements observed in the graph: ModifyAllData (broad control over org data) and ApiEnabled (API access, and with it the ability to authorize Connected Apps). Their presence is a misconfiguration signal rather than evidence of compromise on its own.


Read more: https://www.netspi.com/blog/technical-blog/web-application-pentesting/walking-through-an-attack-path-with-forcehound/