BloodHound: Mapping Active Directory
If Active Directory is a jungle, BloodHound is your thermal vision.
When you breach a domain-joined machine, the real challenge begins — finding a path to Domain Admin. Active Directory environments are complex, with hundreds of users, groups, computers, permissions, trusts, and policies all tangled together. BloodHound was built to make sense of this chaos. It lets you visualize relationships and misconfigurations so you can exploit them like a pro.
What is BloodHound?
BloodHound is an Active Directory (AD) enumeration tool that uses graph theory to reveal hidden relationships and attack paths in an AD environment. It helps you answer questions like:
- “Who has local admin rights on this machine?”
- “Which users can escalate to Domain Admin?”
- “How can I move laterally without triggering alarms?”
Originally developed by SpecterOps, it’s open source and widely used in red teaming and internal pentests.
How It Works
BloodHound uses ingestors to collect AD data (users, groups, sessions, ACLs, trust relationships, etc.) and imports it into a Neo4j graph database. You then query the data visually or with Cypher (graph query language).
Setup: Getting BloodHound Running
Step 1: Download BloodHound
GitHub repo:
https://github.com/BloodHoundAD/BloodHound
Download the BloodHound GUI and ingestors from the release page.
Step 2: Install Dependencies
Install Neo4j (the graph database BloodHound uses):
sudo apt install neo4j
Start Neo4j and set credentials on first launch.
Then launch the BloodHound GUI and connect it to Neo4j.
Step 3: Choose an Ingestor
Depending on your access level and OPSEC needs, choose one:
| Ingestor | Use Case |
|---|---|
| SharpHound.exe | Most common Windows ingestor (full collection) |
| SharpHound.ps1 | PowerShell variant |
| AzureHound | For Azure environments |
| BloodHound.py | Python version for Linux/Mac or remote use |
Step 4: Import the Zip into BloodHound GUI
Once imported, the BloodHound GUI populates the AD graph. You’re now ready to hunt.
Common Collection Methods with SharpHound
Run this on a domain-joined machine (or a machine where you’ve compromised a domain user):
SharpHound.exe -c All
Other options:
SharpHound.exe -c Session,ACL,LocalAdmin,Group,Trusts
- All collects everything (noisy but thorough)
- Session = who is logged into what
- ACL = access control lists (object-level permissions)
- LocalAdmin = who is local admin where
- Group = AD group memberships
- Trusts = domain trusts
Results are exported as .zip files with JSON inside.
Common BloodHound Queries for Pentesters
Here’s where the magic happens. Click the “Analysis” tab or use pre-built queries.
1. Find Paths to Domain Admin
- Use: Find shortest paths to domain admins
- Output: Visual attack paths showing privilege escalation chains
2. Users with Local Admin Access
- Use: List all Domain Users with Local Admin Rights on Computers
- Lateral movement goldmine
3. ACL-Based Escalation
- Use: List Principals with DCSync Rights
- Use: List Object Control Attacks
You can own the domain without touching a DA account — just abuse misconfigured permissions (e.g., GenericAll, WriteOwner, etc.).
4. Lateral Movement Paths
- Use: Shortest paths from user X to high value target
- Combine with RDP/SMB data from tools like CrackMapExec for live moves
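What the shortest-path queries above (and the graph model from "How It Works") actually compute, reduced to a standalone search, as an added example that is not code from the BloodHound project: a breadth-first search over a constructed toy domain that uses BloodHound's edge names, plus a defender-side count of which edge sits on the most paths and is therefore the first fix to make. The node names, the edge list and the choke_points helper are assumptions invented for this example.

```python
from collections import Counter, deque

# Constructed toy domain, not real data. Each edge is (source, relationship,
# target) in the direction BloodHound draws it: MemberOf (principal -> group),
# AdminTo (principal -> computer), HasSession (computer -> logged-on user),
# GenericAll (principal -> object it fully controls).
EDGES = [
    ("alice@CORP", "MemberOf", "HELPDESK@CORP"),
    ("HELPDESK@CORP", "AdminTo", "WS01.CORP"),
    ("WS01.CORP", "HasSession", "bob@CORP"),
    ("bob@CORP", "GenericAll", "DOMAIN ADMINS@CORP"),
    ("carol@CORP", "MemberOf", "IT@CORP"),
    ("IT@CORP", "AdminTo", "SRV01.CORP"),
    ("SRV01.CORP", "HasSession", "bob@CORP"),
    ("eve@CORP", "MemberOf", "DOMAIN USERS@CORP"),  # dead end, no path
]
DA = "DOMAIN ADMINS@CORP"


def build_graph(edges):
    """Adjacency list: node -> list of (relationship, target)."""
    graph = {}
    for src, rel, dst in edges:
        graph.setdefault(src, []).append((rel, dst))
        graph.setdefault(dst, [])
    return graph


def shortest_path(graph, start, target=DA):
    """BFS for the fewest-hop path; returns a list of (src, rel, dst) edges
    or None when no path exists (the 'shortest paths to domain admins' idea)."""
    parent = {start: None}  # node -> (previous node, relationship used)
    queue = deque([start])
    while queue:
        node = queue.popleft()
        if node == target:
            path = []
            while parent[node] is not None:
                prev, rel = parent[node]
                path.append((prev, rel, node))
                node = prev
            return path[::-1]
        for rel, nxt in graph[node]:
            if nxt not in parent:
                parent[nxt] = (node, rel)
                queue.append(nxt)
    return None


def choke_points(graph, users, target=DA):
    """Defender view: count each edge across the users' shortest paths.
    The most frequent edge is the single remediation that cuts most paths."""
    counts = Counter()
    for user in users:
        counts.update(shortest_path(graph, user, target) or [])
    return counts.most_common()
```

Here every path from alice and carol funnels through bob's GenericAll on Domain Admins, so removing that one ACE (and bob's interactive sessions on shared hosts) breaks both chains at once.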
Abuse What You Find
BloodHound shows you what’s possible — not how to do it. Use other tools to exploit your findings:
| Technique | Tool |
|---|---|
| DCSync | secretsdump.py, mimikatz |
| RDP | xfreerdp, mstsc, rdesktop |
| Admin rights | PsExec, smbexec, WinRM, CrackMapExec |
| ACL abuse | PowerView, PowerSploit, SetOwner |
OPSEC Considerations
BloodHound can be noisy, and -c All in particular will trigger:
- EDR alerts (e.g., PowerShell injection, LSASS access)
- Event logs (LDAP queries, session enumeration)
For stealth:
- Use Stealth collection mode
- Limit queries (-c Session,Group only)
- Run ingestors in-memory (SharpHound.ps1 with Invoke-ReflectivePEInjection)
- Rotate user agents and modify SharpHound source
Pro Tips
- Use Cypher Queries: BloodHound GUI has limited search power — unlock full potential using Cypher.
- Tag high-value users (like Domain Admins) to spot them faster.
- Export graphs for reporting or C2 planning.
- Pair with other tools: Combine BloodHound intel with Mimikatz, Rubeus, and CME to dominate AD.
Conclusion
BloodHound is one of the most powerful tools in an Active Directory pentester’s toolkit. It doesn’t exploit — it illuminates. It shows you relationships and attack paths that would take days or weeks to find manually.
Mastering BloodHound means thinking like a graph hacker. Once you see how everything connects, you stop guessing… and start owning domains with surgical precision.
