BloodHound Pre-Built Queries Explained
A practical guide for pentesters
Domain Information
• Find all Domain Admins
What it does: Lists every principal that is a member of the Domain Admins group, including members reached through nested groups (the query follows MemberOf transitively and matches the group by its well-known RID 512, so a renamed group is still found).
Why use it: Identifying Domain Admins is critical: compromising any one of them usually means full control of the domain.
When to use: Early recon, privilege targeting.
• Map Domain Trusts
What it does: Displays trust relationships between domains and forests.
Why use it: Shows where authentication can flow between domains. Pay attention to trust direction and whether SID filtering is enforced, because a one-way or filtered trust limits what a compromise on one side lets you do on the other.
When to use: If you are in a multi-domain or multi-forest environment.
• Find Computers with Unsupported Operating Systems
What it does: Lists computer objects whose operatingsystem attribute matches an end-of-life Windows version.
Why use it: Legacy systems are often unpatched and vulnerable to well-known exploits.
When to use: During attack surface analysis. The attribute is self-reported by the computer and is not cleaned up when a machine is decommissioned, so confirm a host is actually online before treating it as a target.
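The three queries above, written out as an added example in the Cypher style of BloodHound's legacy (Neo4j) pre-built queries. These are not copied from BloodHound's queries.json; the regular expression of EOL versions, and the property names on the TrustedBy edge (trusttype, transitive, sidfiltering) and on computers (enabled, lastlogontimestamp), are from the legacy schema and should be checked against the version you collected with. Run each statement separately in the Raw Query box or Neo4j Browser.

```cypher
// Domain Admins, including members inherited through nested groups.
// Matching on the well-known RID (512) instead of the group name means a
// renamed or localized Domain Admins group is still found.
MATCH p = (m)-[:MemberOf*1..]->(g:Group)
WHERE g.objectid ENDS WITH "-512"
RETURN p

// Domain and forest trusts with direction-relevant properties, so you can see
// whether a trust is transitive and whether SID filtering applies before
// planning cross-domain movement.
MATCH (a:Domain)-[t:TrustedBy]->(b:Domain)
RETURN a.name AS source_domain, b.name AS target_domain,
       t.trusttype AS trust_type, t.transitive AS transitive,
       t.sidfiltering AS sid_filtering

// Enabled computers whose recorded OS string is end-of-life. Extend the
// version list to match what is unsupported in the environment you are in.
// operatingsystem is self-reported and may be stale, so lastlogontimestamp
// is returned to help spot dead objects.
MATCH (c:Computer)
WHERE c.enabled = true
  AND c.operatingsystem =~ "(?i).*(2000|2003|2008|xp|vista|windows 7|windows 8).*"
RETURN c.name AS computer, c.operatingsystem AS os, c.lastlogontimestamp AS last_logon
ORDER BY os
```

The RID-suffix match (objectid ENDS WITH "-512") is the pattern the rest of this guide relies on: Domain Users is -513 and Domain Controllers is -516, so the same trick works for the Domain Users queries below.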
Dangerous Privileges
• Find Principals with DCSync Rights
What it does: Shows users and groups that hold both replication rights on the domain object (Replicating Directory Changes and Replicating Directory Changes All), which is what lets a principal pull account secrets from a DC by impersonating a replication partner.
Why use it: A compromised principal with these rights can DCSync every password hash in the domain, including krbtgt, over RPC. You never have to run code on the DC or copy NTDS.dit off its disk, although the DC still sees the replication request.
When to use: Escalation or credential collection phase.
• Users with Foreign Domain Group Membership
What it does: Finds users who are members of groups in a domain other than their own.
Why use it: Shows where a trust is actually being used to grant access, and therefore which cross-domain paths a compromise in one domain can follow into another.
When to use: Cross-domain audits or privilege mapping.
• Groups with Foreign Domain Group Membership
What it does: Lists groups that are nested inside groups belonging to another domain.
Why use it: Highlights risky or forgotten group nesting across trusts; a foreign group nested into a privileged local group extends that privilege to everyone in the other domain's group.
When to use: Trust audits and access control review.
• Find Computers where Domain Users are Local Admin
What it does: Finds computers where the Domain Users group has local administrator rights.
Why use it: Any compromised domain account is already an administrator on these hosts, which makes them immediate targets for credential dumping and lateral movement.
When to use: After compromising any domain user.
• Find Computers where Domain Users can read LAPS passwords
What it does: Lists computers where the Domain Users group has been granted read access to the LAPS-managed local administrator password.
Why use it: Any domain account can read the cleartext password and log on as the local administrator, which defeats the point of LAPS on those hosts.
When to use: Post-enumeration of misconfigurations.
• Find All Paths from Domain Users to High Value Targets
What it does: Shows chained access paths from low-priv users to high-priv targets.
Why use it: Helps map realistic attack paths.
When to use: Privilege escalation planning.
• Find Workstations where Domain Users can RDP
What it does: Identifies workstations where the Domain Users group can open a Remote Desktop session (typically via membership in Remote Desktop Users on the host).
Why use it: Gives you an interactive foothold on those hosts with credentials you already have. RDP by itself does not grant admin rights, and RDP logons are well logged (interactive logon type 10), so treat it as a movement option rather than a stealthy one.
When to use: After compromising a domain user.
• Find Servers where Domain Users can RDP
What it does: Like the above, but for servers.
Why use it: Servers may hold sensitive data or have more privileges.
When to use: Post-compromise movement planning.
• Find Dangerous Privileges for Domain Users Groups
What it does: Highlights risky rights or privileges granted to the Domain Users group, such as admin rights, ACL control over other objects, or delegation rights.
Why use it: Anything granted to Domain Users is granted to every authenticated account, so a single misconfiguration here is a domain-wide attack surface.
When to use: During risk assessment or recon.
• Find Domain Admin Logons to non-Domain Controllers
What it does: Finds non-DC workstations and servers that had a logged-on session belonging to a Domain Admin at collection time.
Why use it: With local admin on one of those hosts you can dump the DA's credentials from LSASS or steal their token, which is far easier than attacking a DC directly.
When to use: Privilege escalation via credential and token hunting. Session data is a point-in-time snapshot, so re-run session collection over time; an empty result may only mean nobody privileged was logged in when you looked.
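Three of the queries in this section, written out as an added example (not BloodHound's own query text) in the legacy BloodHound Cypher schema. The domain name CORP.LOCAL is a placeholder; substitute your target domain as it appears on the Domain node. Newer BloodHound releases also synthesize a single DCSync edge during post-processing, which makes the first query a one-liner, but the two-step form below works on any version that has GetChanges and GetChangesAll edges.

```cypher
// Principals that hold BOTH replication rights on the domain object, directly
// or through group membership. One right without the other is not enough to
// DCSync, so the two are intersected rather than unioned.
MATCH (n)-[:MemberOf|GetChanges*1..]->(d:Domain {name: "CORP.LOCAL"})
WITH DISTINCT n, d
MATCH (n)-[:MemberOf|GetChangesAll*1..]->(d)
RETURN DISTINCT n.name AS principal, labels(n) AS kind

// Everything Domain Users (RID 513) can do to a computer in a single hop:
// local admin, RDP, and reading the LAPS password. Every authenticated
// domain account inherits each row returned here.
MATCH (g:Group)-[r:AdminTo|CanRDP|ReadLAPSPassword]->(c:Computer)
WHERE g.objectid ENDS WITH "-513"
RETURN type(r) AS right, c.name AS computer, c.operatingsystem AS os
ORDER BY right, computer

// Sessions of (nested) Domain Admins on hosts that are not domain controllers.
// DCs are excluded by membership in the Domain Controllers group (RID 516)
// rather than by name. HasSession edges are a snapshot from collection time.
MATCH (dc:Computer)-[:MemberOf*1..]->(dcg:Group)
WHERE dcg.objectid ENDS WITH "-516"
WITH COLLECT(dc) AS dcs
MATCH (c:Computer)-[:HasSession]->(u:User)-[:MemberOf*1..]->(da:Group)
WHERE da.objectid ENDS WITH "-512" AND NOT c IN dcs
RETURN c.name AS host, u.name AS domain_admin
ORDER BY host
```

If the third query returns nothing, check that the collector actually gathered sessions (session enumeration against modern Windows is restricted for non-admin callers) before concluding that no DA ever logs on to a member server.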
Kerberos Interaction
• Find Kerberoastable Members of High Value Groups
What it does: Finds members of high-value groups (Domain Admins and similar) that have a servicePrincipalName set and can therefore be Kerberoasted.
Why use it: A single cracked service ticket for one of these accounts is a direct jump to high privilege, so they deserve the cracking effort first.
When to use: After initial access, when enumerating service accounts.
• List all Kerberoastable Accounts
What it does: Lists every user account with an SPN set (the krbtgt account is excluded). Any authenticated user can request a service ticket for these accounts and crack it offline.
Why use it: Basic Kerberoasting prep. Success depends on the account's password strength and on whether the ticket is RC4 (etype 23) rather than AES, so prioritise accounts with old passwords.
When to use: Credential hunting.
• Find Kerberoastable Users with Most Privileges
What it does: Ranks Kerberoastable users by the number of computers they administer, directly or through group membership.
Why use it: Focuses cracking effort on the accounts whose password would buy the most access.
When to use: Before launching a hash cracking campaign.
• Find AS-REP Roastable Users (DontReqPreAuth)
What it does: Finds user accounts with Kerberos pre-authentication disabled (the DONT_REQ_PREAUTH flag in userAccountControl).
Why use it: For such an account you can request an AS-REP from the KDC without knowing any password; the encrypted part of the reply is keyed on the user's password hash and can be cracked offline.
When to use: Early recon and password attack planning. Disabled accounts are useless here, since the KDC refuses them.
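The Kerberoasting and AS-REP queries combined into one triage view, as an added example written against the legacy BloodHound schema (this is not the text of the pre-built queries). The priority columns, in_high_value_group and admin_count, are my own choice of ranking and combine the "members of high value groups" and "most privileges" queries; serviceprincipalnames and pwdlastset are legacy node properties and pwdlastset is an epoch timestamp.

```cypher
// Kerberoastable users with a first-pass priority for cracking:
//   * membership (nested) in any group tagged highvalue, and
//   * the number of computers they administer, directly or via a group.
// MemberOf*0.. includes the zero-length path, so direct AdminTo edges from the
// user itself are counted alongside group-derived ones without double counting.
// krbtgt is excluded because its ticket is not realistically crackable.
MATCH (u:User)
WHERE u.hasspn = true AND u.enabled = true AND NOT u.name STARTS WITH "KRBTGT@"
OPTIONAL MATCH (u)-[:MemberOf*1..]->(hv:Group {highvalue: true})
OPTIONAL MATCH (u)-[:MemberOf*0..]->()-[:AdminTo]->(c:Computer)
WITH u, COUNT(DISTINCT hv) > 0 AS in_high_value_group, COUNT(DISTINCT c) AS admin_count
RETURN u.name AS user, u.serviceprincipalnames AS spns, u.pwdlastset AS pwd_last_set,
       in_high_value_group, admin_count
ORDER BY in_high_value_group DESC, admin_count DESC, pwd_last_set ASC

// AS-REP roastable users. Disabled accounts are filtered out because the KDC
// will not issue an AS-REP for them, so they cannot be roasted.
MATCH (u:User {dontreqpreauth: true, enabled: true})
RETURN u.name AS user, u.pwdlastset AS pwd_last_set
ORDER BY pwd_last_set ASC
```

Sorting by pwd_last_set ascending puts the oldest passwords first, which is a useful tiebreaker: an account whose password has not changed in years was probably set by hand and is more likely to fall to a wordlist than a recently rotated managed service account.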
Shortest Paths
• Shortest Paths to Unconstrained Delegation Systems
What it does: Maps the shortest paths to computers with unconstrained delegation enabled.
Why use it: Code execution on such a host lets you capture the TGTs of every user and computer that authenticates to it, which can be turned into full impersonation of those principals and, with a coerced authentication from a DC, domain compromise.
When to use: Lateral movement and ticket abuse.
• Shortest Paths from Kerberoastable Users
What it does: Starts from Kerberoastable users and maps where you could get to if you crack their passwords.
Why use it: Combines Kerberoasting with pathfinding, so you know before cracking which service accounts are worth the effort.
When to use: After obtaining, and ideally cracking, a service ticket hash.
• Shortest Paths to Domain Admins from Kerberoastable Users
What it does: Specific path to DA accounts starting from roastable users.
Why use it: If hash cracked, this shows potential domain takeover.
When to use: Active Kerberoasting escalation planning.
• Shortest Path from Owned Principals
What it does: You mark the principals you have compromised as owned (Mark as Owned in legacy BloodHound, Add to owned in BloodHound CE), and BloodHound shows where you can go from them.
Why use it: Plans the next step from your current foothold instead of from a hypothetical starting point.
When to use: Post-exploitation strategy, updated every time you gain a new account or host.
• Shortest Paths to Domain Admins from Owned Principals
What it does: Same as above, but focused on DA accounts.
Why use it: Your path to total control.
When to use: When escalating to domain-level access.
• Shortest Paths to High Value Targets
What it does: Maps out the closest access paths to sensitive users or systems.
Why use it: General privilege escalation mapping.
When to use: Any phase where you want to map high-impact access.
• Shortest Paths from Domain Users to High Value Targets
What it does: Starts from low-priv users (like most end-users) and shows how they could reach high-value targets.
Why use it: Identifies hidden escalation paths from “harmless” accounts.
When to use: Initial foothold and privilege evaluation.
• Find Shortest Paths to Domain Admins
What it does: Finds the shortest path from every node in the graph to the Domain Admins group, regardless of where it starts.
Why use it: Always worth running; it is the quickest way to spot the weakest route to domain takeover, and the defensive fix for each path is usually obvious once it is drawn.
When to use: Always, immediately after every collection.
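The owned-principal and high-value pathfinding queries of this section, as an added example in the legacy BloodHound Cypher schema rather than the pre-built query text. JDOE@CORP.LOCAL is a placeholder for whatever account you actually hold. The owned and highvalue properties are legacy conventions; BloodHound CE records the same state in the node's system_tags instead, so adapt the filters there.

```cypher
// Mark a compromised account as owned. The "from Owned Principals" queries
// key off this flag, so keep it current as the engagement progresses.
MATCH (u:User {name: "JDOE@CORP.LOCAL"})
SET u.owned = true
RETURN u.name AS now_owned

// Shortest paths from every owned principal to Domain Admins (RID 512),
// returned as a list of hop names plus the path length so the cheapest
// route sorts first. Edges of any type are allowed, as in the pre-built query.
MATCH (da:Group) WHERE da.objectid ENDS WITH "-512"
MATCH p = shortestPath((o {owned: true})-[*1..]->(da))
WHERE NOT o = da
RETURN [n IN nodes(p) | n.name] AS hops,
       [r IN relationships(p) | type(r)] AS edges,
       length(p) AS hop_count
ORDER BY hop_count

// Shortest paths from Domain Users (RID 513) to anything tagged high value:
// what every authenticated account can reach without any extra privilege.
MATCH (du:Group) WHERE du.objectid ENDS WITH "-513"
MATCH p = shortestPath((du)-[*1..]->(hv {highvalue: true}))
WHERE NOT du = hv
RETURN p

// Shortest paths from owned principals to computers with unconstrained
// delegation. Reaching one of these with code execution lets you harvest the
// TGTs of everything that authenticates to it.
MATCH p = shortestPath((o {owned: true})-[*1..]->(c:Computer {unconstraineddelegation: true}))
RETURN p
```

Returning hops and edges as lists instead of the raw path makes the result easy to paste into a report, and the edge type on each hop tells you which technique (MemberOf, AdminTo, HasSession, GenericAll and so on) you will need at that step; the graph view is better for exploring, the tabular form is better for recording what you actually did.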
