White Hats - Nepal

Security research, bug bounty writeups, pentest notes

BloodHound Active Directory: Finding Hidden Attack Paths

BloodHound is an Active Directory (AD) reconnaissance tool that uses graph theory to reveal hidden, unintended relationships and attack paths within an AD environment. By mapping out how users, groups, computers, and permissions interact, it allows red teamers and defenders to identify the shortest path to high-value targets like Domain Admin or Enterprise Admin. If you're performing a security assessment on a Windows environment, BloodHound is the most efficient way to visualize risk and find privilege escalation routes that manual enumeration would almost certainly miss.

Why BloodHound Active Directory is Essential for Modern Pentesters

Manual Active Directory enumeration is a tedious process of querying LDAP, checking group memberships, and looking for logged-on users. While you can find a lot of information using built-in PowerShell modules or net.exe commands, these methods provide a flat view of the network. You see the pieces, but you don't necessarily see the bridge between them.

BloodHound changes the game by shifting the focus from individual objects to the relationships between them. It treats AD as a giant graph where users, computers, and groups are nodes, and their permissions (like "GenericAll" or "MemberOf") are edges. This perspective allows you to ask complex questions, such as "Which path allows a help desk user to become a Domain Admin through three jumps?"

Key Takeaway: BloodHound doesn't find new vulnerabilities in the traditional sense; it identifies misconfigurations and the "chaining" of legitimate permissions that lead to total domain compromise.

In many environments, security teams focus on patching software vulnerabilities while neglecting the complex web of Access Control Lists (ACLs). I've seen domains where every system was fully patched, yet a standard user could gain Domain Admin rights in minutes because of a circular group membership or an overly permissive GPO. BloodHound makes these invisible risks impossible to ignore.

For a broader look at the tactical side of these engagements, check out our guide on Network Penetration Testing Methodology: A Pro Pentester's Guide.

Core Components of the BloodHound Ecosystem

To use BloodHound effectively, you need to understand its three main parts: SharpHound, the C# collector that runs inside the target domain and writes zipped JSON output; Neo4j, the graph database that stores the nodes and edges; and the BloodHound user interface, which ingests SharpHound's output into Neo4j and runs graph queries against it. It isn't a single executable; it's a data collection and visualization suite that relies on that backend architecture.

In 2023 the project shifted to BloodHound Community Edition (CE), which offers a more modern, web-based interface and multi-user support. However, the underlying logic of using SharpHound to feed a graph database remains the same. Understanding these components is vital for troubleshooting why your data isn't showing up or why a specific query is running slowly.

Setting Up Your BloodHound Environment

Before you can start hunting for attack paths, you need a functional environment. While you can install Neo4j directly on your host, using Docker is generally much cleaner and avoids Java dependency headaches. I recommend the official BloodHound CE Docker Compose file for a quick start; it brings up the web UI, the API server, Neo4j and Postgres together.

On first start, BloodHound CE writes a randomly generated admin password to the bloodhound container's log; log in to the web UI (port 8080 by default) with it and change it immediately. On legacy BloodHound you instead change Neo4j's default neo4j/neo4j credentials in the Neo4j browser (port 7474) and point the Electron app at the bolt endpoint on port 7687. After the connection is established, you're ready to import data. Remember that BloodHound is only as good as the data you give it. If you only collect data from a single workstation, you won't see the full picture of the domain.

If you're looking for more ways to escalate your privileges once you've identified a target system, our Windows Privilege Escalation Cheatsheet provides a list of techniques to use once you land on a box.

Data Collection with SharpHound

The collection phase is where most pentesters get caught. Running SharpHound isn't exactly silent. It generates a significant amount of LDAP traffic and, depending on the flags you use, it might attempt to connect to every computer in the domain to see who is logged in. This "Session Hunting" is often what triggers EDR alerts.

Common SharpHound Collection Methods

You can run SharpHound as a standalone .exe or via the Invoke-BloodHound function in SharpHound.ps1, which loads the same SharpHound assembly reflectively from PowerShell. In most modern assessments, the .exe is preferred because it's easier to wrap with obfuscation or run through a C2 framework like Cobalt Strike or Sliver.

Collection method | Command example            | Pros/Cons
All               | SharpHound.exe -c All      | Comprehensive but very noisy. Collects everything, including LoggedOn and GPO local group data that a plain run without -c skips.
DCOnly            | SharpHound.exe -c DCOnly   | Stealthy. Only talks to the domain controllers over LDAP. No session data; local admin rights are inferred from GPOs rather than read from hosts.
Session           | SharpHound.exe -c Session  | Calls NetSessionEnum on every computer to find where users are logged in. Triggers EDR on workstations. Windows 10 1709+ and Server 2019+ restrict session enumeration to administrators by default, so it returns little from those hosts unless you are admin.
LoggedOn          | SharpHound.exe -c LoggedOn | Uses NetWkstaUserEnum and the remote registry, so it requires local admin on targets. Very detailed session data.

From my experience, if I'm on a red team engagement, I start with -c DCOnly. This allows me to map out the group memberships and ACLs without touching a single workstation. If I can't find a path to Domain Admin through permissions alone, then I might risk a -c Session run to see where the Domain Admins are logged in, which might allow for a credential harvesting attack using tools like Mimikatz.

Analyzing High-Value Edges and Attack Paths

Once you've uploaded your SharpHound ZIP file into the BloodHound GUI, it's time to analyze the data. The power of BloodHound lies in its "Edges." An edge represents a specific permission or relationship between two nodes. Understanding these is critical for interpreting the graph.

Critical Edges to Watch For

A classic attack path identified by BloodHound looks like this: You start as a compromised IT-Support user. BloodHound shows that IT-Support is MemberOf the Workstation-Admins group. That group has AdminTo rights on DESKTOP-01. DESKTOP-01 has a HasSession edge to SQL-Service-Account (session edges point from the computer to the user logged on to it). Finally, SQL-Service-Account has DCSync rights on the domain. By following this path, you move from a low-level tech to a full domain takeover: local admin on DESKTOP-01 lets you dump the service account's credentials from LSASS, and DCSync then lets you replicate every password hash in the domain.

This type of chained attack is covered extensively in our guide on Active Directory Attack Techniques.

Advanced Cypher Queries for Custom Hunting

While the built-in queries in BloodHound (like "Find Shortest Paths to Domain Admins") are great, the real power comes from writing your own Cypher queries. Cypher is Neo4j's query language, and it allows you to hunt for very specific misconfigurations that aren't included in the default menu.

For example, if you want to find all users who have the "Password Not Required" flag set, you can use a custom query. Or, perhaps you want to find all computers where a specific "HelpDesk" group has local admin rights, but excluding the Domain Controllers.


// Find every principal with DCSync rights on a domain. n is left unlabelled on
// purpose: the right is usually held by a group or computer, not a user directly.
MATCH (n)-[r:DCSync]->(m:Domain) RETURN n.name, m.name

// Find all users that can reach Domain Admins in 3 or fewer hops.
// Replace YOURDOMAIN.LOCAL with the FQDN of the domain you collected; BloodHound
// stores names uppercased. Matching the group by its well-known RID instead
// (WHERE m.objectid ENDS WITH '-512') does not depend on the display name.
MATCH (n:User), (m:Group {name: 'DOMAIN ADMINS@YOURDOMAIN.LOCAL'}),
p = shortestPath((n)-[*..3]->(m)) RETURN p

Learning basic Cypher syntax will make you a significantly more effective AD pentester. It allows you to filter out the noise and focus on the most exploitable paths in large environments with tens of thousands of nodes. I often use custom queries to find "Shadow Admins"—users who aren't in the Domain Admins group but have enough ACL permissions to grant themselves those rights at any time.
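The chained path from the "Critical Edges" section and the shadow-admin hunt described above, worked as an added example in Python rather than Cypher (this is not code from the original post or from the BloodHound project). It builds a small in-memory graph from a constructed edge list that uses SharpHound's edge names and direction, then answers the same two questions a Cypher query would: the shortest path from a principal to Domain Admins, with a hop bound that corresponds to `[*..3]`, and which principals are not Domain Admins but can reach the DA group or the domain object through ACL and group edges alone. The domain CORP.LOCAL and every principal in it are made up for the example.

```python
"""Added example (not code from the original post or the BloodHound project):
the path questions BloodHound asks Neo4j, answered over a tiny in-memory graph.
Edge names and direction follow SharpHound's model: a principal is MemberOf a
group, a principal is AdminTo a computer, a computer HasSession a user, and a
principal holds DCSync/GenericAll/WriteDacl on a domain or group.
Domain CORP.LOCAL and all principals below are constructed for the example."""
from collections import deque

# Constructed edge list as (source, edge, target).
EDGES = [
    ("ITSUPPORT@CORP.LOCAL",          "MemberOf",   "WORKSTATION-ADMINS@CORP.LOCAL"),
    ("WORKSTATION-ADMINS@CORP.LOCAL", "AdminTo",    "DESKTOP-01.CORP.LOCAL"),
    ("DESKTOP-01.CORP.LOCAL",         "HasSession", "SQL-SVC@CORP.LOCAL"),
    ("SQL-SVC@CORP.LOCAL",            "DCSync",     "CORP.LOCAL"),
    ("BOB@CORP.LOCAL",                "MemberOf",   "HELPDESK@CORP.LOCAL"),
    ("HELPDESK@CORP.LOCAL",           "GenericAll", "DOMAIN ADMINS@CORP.LOCAL"),
    ("ALICE@CORP.LOCAL",              "MemberOf",   "DOMAIN ADMINS@CORP.LOCAL"),
    ("DOMAIN ADMINS@CORP.LOCAL",      "AdminTo",    "DC01.CORP.LOCAL"),
]

DA_GROUP = "DOMAIN ADMINS@CORP.LOCAL"
DOMAIN = "CORP.LOCAL"

# Edges an attacker can take without touching a host: group membership plus
# the ACL-derived rights. HasSession and AdminTo are deliberately not in here.
ACL_EDGES = {"MemberOf", "GenericAll", "GenericWrite", "WriteDacl", "WriteOwner",
             "Owns", "AddMember", "AllExtendedRights", "DCSync"}


def build_graph(edges):
    """Adjacency list: node -> [(edge_type, target), ...]."""
    graph = {}
    for src, rel, dst in edges:
        graph.setdefault(src, []).append((rel, dst))
        graph.setdefault(dst, [])
    return graph


def shortest_path(graph, start, targets, max_hops=None, allowed=None):
    """Breadth-first search from start to any node in targets.

    Returns [node, edge, node, edge, ..., node] or None. max_hops bounds the
    number of relationships like [*..3] in Cypher; allowed restricts the edge
    types the way [:MemberOf|GenericAll] would."""
    if start in targets:
        return [start]
    queue = deque([(start, [start])])
    seen = {start}
    while queue:
        node, path = queue.popleft()
        # Each hop appends (edge, node), so the hop count is len(path) // 2.
        if max_hops is not None and len(path) // 2 >= max_hops:
            continue
        for rel, nxt in graph.get(node, []):
            if (allowed is not None and rel not in allowed) or nxt in seen:
                continue
            new_path = path + [rel, nxt]
            if nxt in targets:
                return new_path
            seen.add(nxt)
            queue.append((nxt, new_path))
    return None


def transitive_members(edges, group):
    """Every principal that ends up in `group` through nested MemberOf edges."""
    parents = {}
    for src, rel, dst in edges:
        if rel == "MemberOf":
            parents.setdefault(dst, []).append(src)
    members, stack = set(), [group]
    while stack:
        for member in parents.get(stack.pop(), []):
            if member not in members:
                members.add(member)
                stack.append(member)
    return members


def shadow_admins(edges, da_group=DA_GROUP, domain=DOMAIN, max_hops=3):
    """Principals that are NOT (nested) members of Domain Admins but can reach
    the DA group or the domain object using ACL and group edges alone."""
    graph = build_graph(edges)
    real_admins = transitive_members(edges, da_group)
    found = {}
    for node in graph:
        if node in real_admins or node in (da_group, domain):
            continue
        path = shortest_path(graph, node, {da_group, domain}, max_hops, ACL_EDGES)
        if path:
            found[node] = path
    return found


if __name__ == "__main__":
    g = build_graph(EDGES)
    # The chained path from the text is 4 hops, so a [*..3] query misses it.
    print(shortest_path(g, "ITSUPPORT@CORP.LOCAL", {DA_GROUP, DOMAIN}, max_hops=3))
    print(shortest_path(g, "ITSUPPORT@CORP.LOCAL", {DA_GROUP, DOMAIN}, max_hops=4))
    for who, path in shadow_admins(EDGES).items():
        print(who, path)
```

Two things worth noticing when you run it: the IT-Support chain is four relationships long, so the 3-hop query from the block above would never show it (raise the bound or query for paths to the domain object as well as the group), and the shadow-admin list contains BOB, HELPDESK and SQL-SVC but not IT-Support, because IT-Support's path depends on a session rather than on permissions.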

Defending Against BloodHound-Driven Attacks

If you're on the blue team, BloodHound is your best friend for remediation. You can use it to visualize your "blast radius." If a single workstation is compromised, how much of the domain can the attacker reach? If the answer is "everything," you have a flat network problem.

Remediation Strategies

  1. Implement a Tiered Administration Model: This is the most effective defense. Domain Admins should only log into Domain Controllers. Server Admins should only log into servers. Workstation Admins should only log into workstations. This breaks the HasSession chains that BloodHound loves to find.
  2. Clean Up ACLs: Regularly audit your AD permissions. Use BloodHound yourself to find users with GenericAll or WriteDacl rights over sensitive objects and remove them if they aren't strictly necessary.
  3. Use the Protected Users Group: For high-value accounts, add them to the "Protected Users" group in AD. Members cannot authenticate with NTLM or with DES/RC4 Kerberos encryption, cannot be delegated, receive 4-hour TGTs, and have no cached credentials for offline logon. That removes pass-the-hash and most delegation paths, although a member's Kerberos tickets can still be stolen from LSASS while they are logged on, which is why tip 1 matters.
  4. LAPS (Local Administrator Password Solution): Ensure every workstation has a unique, random local admin password; Windows LAPS is built into current Windows 10/11 and Server releases. This prevents an attacker from using a single compromised local admin credential to move laterally across the entire fleet.

Expert Tip: Don't just look for paths to Domain Admin. Look for paths to your "Crown Jewels"—sensitive databases, HR systems, or financial software. Attackers often care more about the data than the domain rights.

For more information on the official documentation and the latest updates to the tool, you can visit the BloodHound GitHub repository or check the SpecterOps BloodHound Enterprise page for professional-grade features.

Detecting BloodHound Activity

As a defender, you can also detect SharpHound while it's running. SharpHound's default behavior is to rapidly query LDAP for a large number of objects, and because it collects ACLs it requests the nTSecurityDescriptor attribute on nearly everything. A single source making an unusual volume of LDAP searches that ask for nTSecurityDescriptor in a short window is a high-fidelity indicator of a SharpHound run. The catch is visibility: domain controllers do not log LDAP search contents by default. You either raise the NTDS "15 Field Engineering" diagnostic level so that expensive and inefficient searches are recorded in the Directory Service log as Event ID 1644, or put an LDAP-aware sensor (Zeek, or an EDR or identity-protection product with LDAP telemetry) in front of the DCs.

Additionally, if SharpHound is performing Session collection, it calls NetSessionEnum on each computer, which goes to the srvsvc named pipe over SMB; LoggedOn collection uses NetWkstaUserEnum over the wkssvc pipe plus the remote registry. Seeing a single internal host open SMB connections to hundreds of other workstations over port 445 in a short window is a massive red flag, and with "Audit Detailed File Share" enabled each of those pipe opens on IPC$ shows up as Event ID 5145 on the target. Most modern EDRs have built-in detections for the SharpHound executable's signature, but even obfuscated versions can be caught by these behavioral patterns.
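The two behavioural signals above, an LDAP query burst requesting nTSecurityDescriptor and one host fanning out to many others on 445, run over constructed log lines as an added example that is not part of the original post. The line formats are assumptions made for the example: a connection log of `timestamp src dst dport` (the shape you get from a firewall or Zeek conn log after projection) and a DC-side LDAP search log of `timestamp client filter attributes`, which on Windows needs the 1644 diagnostic events or an LDAP-aware sensor, since DCs do not log search contents by default. Thresholds and windows are parameters to tune for your environment; the sample values are chosen to make the constructed data trip.

```python
"""Added example (not code from the original post): the two SharpHound
behavioural signals from the text, run over constructed log lines.
Log formats are assumptions for the example:
  connection log : "<ISO8601 ts> <src_ip> <dst_ip> <dst_port>"
  LDAP search log: "<ISO8601 ts> <client_ip> <filter> <comma-separated attrs>"
"""
from collections import defaultdict
from datetime import datetime, timedelta

TS_FMT = "%Y-%m-%dT%H:%M:%SZ"


def parse_ts(text):
    return datetime.strptime(text, TS_FMT)


def stamp(t):
    return t.strftime(TS_FMT)


def smb_fanout(conn_lines, window=timedelta(minutes=5), threshold=50):
    """Sources that connected to at least `threshold` distinct hosts on 445
    inside any `window`. Returns {src_ip: peak_distinct_destinations}."""
    by_src = defaultdict(list)
    for line in conn_lines:
        ts, src, dst, dport = line.split()
        if dport == "445":
            by_src[src].append((parse_ts(ts), dst))
    alerts = {}
    for src, events in by_src.items():
        events.sort()
        peak = 0
        for i, (t0, _) in enumerate(events):
            in_window = {dst for t, dst in events[i:] if t - t0 <= window}
            peak = max(peak, len(in_window))
        if peak >= threshold:
            alerts[src] = peak
    return alerts


def ldap_sd_burst(ldap_lines, window=timedelta(minutes=5), threshold=100):
    """Clients issuing at least `threshold` searches that request
    nTSecurityDescriptor inside any `window`. Returns {client_ip: peak_count}."""
    by_client = defaultdict(list)
    for line in ldap_lines:
        ts, client, _filter, attrs = line.split(maxsplit=3)
        if "ntsecuritydescriptor" in attrs.lower():
            by_client[client].append(parse_ts(ts))
    alerts = {}
    for client, times in by_client.items():
        times.sort()
        start, peak = 0, 0
        for end, t in enumerate(times):      # sliding window over sorted times
            while t - times[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            alerts[client] = peak
    return alerts


def constructed_conn_log():
    """10.0.0.25 behaves like a SharpHound Session run (80 hosts on 445 in
    under three minutes); 10.0.0.77 is a normal client touching 5 servers."""
    base = datetime(2024, 5, 1, 10, 0, 0)
    lines = [f"{stamp(base + timedelta(seconds=2 * i))} 10.0.0.25 10.0.1.{i + 1} 445"
             for i in range(80)]
    lines += [f"{stamp(base + timedelta(seconds=30 * i))} 10.0.0.77 10.0.2.{i + 1} 445"
              for i in range(5)]
    lines.append(f"{stamp(base)} 10.0.0.25 10.0.0.10 389")   # LDAP, not SMB
    return lines


def constructed_ldap_log():
    """10.0.0.25 pulls security descriptors for 150 objects in 150 seconds
    (ACL collection); 10.0.0.90 does three ordinary lookups."""
    base = datetime(2024, 5, 1, 10, 0, 0)
    lines = [f"{stamp(base + timedelta(seconds=i))} 10.0.0.25 (objectClass=*) "
             "nTSecurityDescriptor,objectSid,sAMAccountName" for i in range(150)]
    lines += [f"{stamp(base + timedelta(minutes=i))} 10.0.0.90 (sAMAccountName=jdoe) "
              "memberOf,mail" for i in range(3)]
    return lines


if __name__ == "__main__":
    print("SMB fan-out:", smb_fanout(constructed_conn_log()))
    print("LDAP nTSecurityDescriptor burst:", ldap_sd_burst(constructed_ldap_log()))
```

Both detectors key on distinct destinations or request counts per source within a time window rather than on the binary, which is what survives renaming or obfuscating SharpHound. The fan-out check counts distinct hosts, not connections, so a backup server hammering one file server does not trip it.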

If you're interested in how attackers might try to bypass these network-level detections, you might find our Burp Suite Tutorial interesting, as it covers different types of traffic manipulation, though focused on the web application layer.

Comparison: BloodHound Legacy vs. BloodHound CE

With the release of BloodHound Community Edition (CE), many users are wondering which version to use. While the core graph logic remains the same, the architecture has changed significantly.

Feature      | BloodHound Legacy          | BloodHound CE
Interface    | Electron desktop app       | Web-based browser UI
Database     | Local Neo4j instance       | Dockerized Neo4j (graph) plus Postgres (application data)
Multi-user   | No (single user)           | Yes (role-based access control)
API support  | Limited                    | Full REST API
Performance  | Good for small/medium AD   | Optimized for very large AD

For most modern labs and professional engagements, BloodHound CE is the way to go. The ability to have multiple team members log into the same instance and collaborate on the same graph is a huge productivity boost. Plus, the API support allows for much easier integration with other tools in your pipeline.

Common Pitfalls and How to Avoid Them

One of the biggest mistakes I see new users make is trusting "stale" data. Active Directory is a living environment. If you collected data on Monday and the sysadmins changed group memberships on Wednesday, your BloodHound graph is lying to you. Always check when the data was collected (SharpHound timestamps its output file names) and re-collect before you act on a path.

Another issue is "The Ghost Session." SharpHound's Session collection relies on NetSessionEnum, which reports the SMB sessions a host currently holds: a user who mapped a share from DESKTOP-01 an hour ago and never disconnected still shows up, and SharpHound has to resolve the session's client IP address to a hostname, so a DHCP lease that has since moved to another machine produces a HasSession edge on the wrong computer. LoggedOn collection (NetWkstaUserEnum plus the remote registry) is closer to real interactive logons but needs admin rights. If you find an attack path that doesn't seem to work, it's possible that the HasSession edge is a remnant of a user who is no longer there. Always verify your path, for example by re-collecting sessions for that one host, before committing to a noisy lateral movement technique.

Finally, remember that BloodHound is a heavy tool. In very large environments (over 100,000 objects), a full SharpHound collection can take hours and generate gigabytes of data. In these cases, scope the collection: SharpHound can be restricted to a narrower LDAP search base or filter so you only pull specific OUs, its --throttle and --jitter options slow down the per-host connections, and a -c DCOnly run first tells you which areas deserve a deeper, host-touching dive.

Frequently Asked Questions

What is the difference between BloodHound and SharpHound?

BloodHound is the analysis side: the GUI (a web UI plus API server in CE, an Electron app in legacy) and the Neo4j graph database used to store and query the data. SharpHound is the "ingestor" or collector that actually runs on the target network to gather the Active Directory information and produces the zipped JSON that BloodHound imports.

Is BloodHound illegal to use?

BloodHound is a legitimate security tool used by professionals for authorized penetration testing and internal auditing. Using it on a network you do not have explicit, written permission to test is illegal and can lead to criminal charges.

How do I stop BloodHound from being detected by antivirus?

SharpHound is frequently flagged by AV/EDR. To avoid detection, you can use obfuscation techniques, run the tool purely in memory via a C2 framework, or use the Invoke-BloodHound PowerShell script with AMSI bypasses.

Does BloodHound work on Azure/Entra ID?

Yes, the BloodHound ecosystem includes a tool called AzureHound, which collects from Entra ID (formerly Azure AD) and Azure Resource Manager through the Microsoft Graph and Azure REST APIs, and maps relationships between cloud users, groups, roles, applications and subscriptions. A common finding is a hybrid path: an on-premises account synced to the tenant that holds a privileged Entra role, or a cloud identity with control over a synced on-premises admin.

Conclusion

Whether you're a red teamer looking for the path of least resistance or a defender trying to close the gaps in your domain security, BloodHound is an essential tool. It moves us away from a "list-based" security mindset and into a "graph-based" mindset, which is how modern attackers think. By mastering the collection process, understanding critical edges, and learning to write custom Cypher queries, you can uncover risks that were previously invisible.