BloodHound (T1087)
How BloodHound maps Active Directory attack paths, collection methods, edge analysis, and blue team use cases for finding and fixing AD security weaknesses before attackers exploit them.
What BloodHound Is and Why Both Sides Use It
BloodHound is an open-source Active Directory attack path mapping tool, originally written by Andy Robbins, Rohan Vazarkar and Will Schroeder and now maintained by SpecterOps. It stores AD objects (users, groups, computers, OUs, GPOs, domains) and the relationships between them (group membership, sessions, local admin rights, ACLs, delegation) as a graph, then finds paths from any starting principal to high-value targets such as Domain Admins.
- BloodHound answers the question: "What can this principal do, directly or indirectly, to reach Domain Admin?" The answer is rarely a single step. It chains group nesting, local admin rights, sessions that expose credentials, ACL abuse and Kerberos delegation.
- The tool has three components: a collector (SharpHound for on-prem AD, AzureHound for Entra ID and Azure), a graph database (Neo4j) and a user interface. Legacy BloodHound shipped the UI as an Electron desktop app; BloodHound CE serves it as a web application behind a REST API.
- For blue teams, BloodHound is a continuous assessment tool: collect on a schedule, keep every collection, diff them, and track the number and length of paths to tier-0 over time. An attacker will run the same collector the day they land, so there is no reason not to see the graph first.
MITRE ATT&CK maps what SharpHound does to Account Discovery: Domain Account (T1087.002), Permission Groups Discovery: Domain Groups (T1069.002), Domain Trust Discovery (T1482), Remote System Discovery (T1018) and, for session collection, System Owner/User Discovery (T1033). BloodHound automates all of them in one run.
Collection Methods
SharpHound (Windows Collector)
SharpHound is the primary BloodHound collector. It runs on any Windows system that can reach a domain controller (domain-joined, or with runas /netonly credentials) and gathers data over LDAP (objects, groups, ACLs, trusts, properties) and SMB-based RPC calls to member hosts (SAMR for local group membership, srvsvc NetSessionEnum for sessions). It does not use WinRM.
Collection methods (the names are the values accepted by the collection-method flag; the "Requires" column is what matters when planning a low-noise or low-privilege run):
| Method | Data Collected | Speed | Requires |
|---|---|---|---|
| Default | Groups, trusts, ACLs, object properties, containers, local groups and sessions (everything except the slow GPOLocalGroup and LoggedOn methods) | Minutes for the LDAP part; longer for the host-touching part | Standard domain user for LDAP, plus SMB reachability to member hosts |
| DCOnly | Everything that can be read from the DCs alone: groups, trusts, ACLs, object properties, containers, GPO local groups | Fast, no member host is contacted | Standard domain user, LDAP to a DC |
| Group | Group membership including nesting | Fast | Standard domain user |
| LocalGroup (or the individual LocalAdmin, RDP, DCOM, PSRemote methods) | Membership of the local Administrators, Remote Desktop Users, Distributed COM Users and Remote Management Users groups on each host | Slow (every host is contacted) | SMB/SAMR to each host; since Windows 10 1607 and Server 2016 remote SAM enumeration requires local admin by default |
| Session | Who is logged on where (NetSessionEnum) | Medium | SMB to each host; Windows 10 1709, Server 2019 and later restrict NetSessionEnum to administrators by default |
| LoggedOn | Logged-on users via NetWkstaUserEnum and the remote registry | Slow | Local admin on each host |
| ACL | DACLs on AD objects (who holds which rights on which object) | Medium | Standard domain user |
| Trusts | Domain and forest trusts | Fast | Standard domain user |
| ObjectProps | Object attributes such as hasspn, unconstraineddelegation, enabled, lastlogon, operating system | Fast | Standard domain user |
| Container | OU and container tree with GPO links (on-prem AD, not Azure) | Fast | Standard domain user |
| GPOLocalGroup | Local group membership pushed by GPO (Restricted Groups, Group Policy Preferences), read from SYSVOL | Slow | Read access to SYSVOL, which every domain user has |
Running SharpHound
```powershell
# Flag names below are the SharpHound v2 (BloodHound CE collector) spelling; SharpHound 1.x
# accepts the CamelCase equivalents (--CollectionMethod, --Domain, --ZipPassword).

# Default collection (groups, ACLs, object properties, trusts, local groups, sessions)
SharpHound.exe -c Default
# Everything SharpHound can collect, including GPOLocalGroup and LoggedOn (slowest, noisiest)
SharpHound.exe -c All
# Only what the DCs can answer; no member host is contacted (lowest noise, a safe first run)
SharpHound.exe -c DCOnly
# A specific subset: ACLs and sessions
SharpHound.exe -c ACL,Session
# Password-protect the zip so collected data is not readable at rest (the flag takes a value)
SharpHound.exe -c Default --zippassword "<password>"
# Collect a specific domain in a multi-domain forest, pinned to a named DC
SharpHound.exe -c Default -d target.corp.local --domaincontroller dc01.target.corp.local
```
AzureHound (Azure AD Collector)
AzureHound collects Entra ID (Azure AD) and Azure RBAC data: users, groups, service principals, app registrations, role assignments, subscriptions and resources, so that cloud-side paths (a Global Administrator's session, an app with a privileged role, a hybrid-joined admin account) appear in the same graph as the on-prem ones. The PowerShell module shown below is the legacy collector; the AzureHound used with BloodHound CE is a standalone Go binary whose list subcommand writes JSON for upload and authenticates with a user, a refresh token or a service principal.
```powershell
# Legacy PowerShell AzureHound (deprecated): authenticate to Azure AD first
Connect-AzureAD
# Load the collector and write the output JSON to a directory for upload
Import-Module AzureHound.psd1
Invoke-AzureHound -OutputDirectory C:\BloodHound\
```
What Data to Collect (Blue Team Focus)
For blue team assessments, start with:
| Collection | Why | Frequency |
|---|---|---|
| Default | Covers users, groups, computers, sessions, ACLs | Monthly |
| Local Group | Finds local admin sprawl — should be minimal | Quarterly |
| Session | Finds where admins are logged in — high-value session targets | Monthly |
Key BloodHound Graph Edges
BloodHound models relationships as directed edges between AD objects. Each edge is one step an attacker can take (a right they hold or an access they have); an attack path is a chain of such edges ending at a high-value object.
Primary Attack Path Edges
| Edge | Source → Target | What It Means | Abuse Technique |
|---|---|---|---|
| MemberOf | User/Group/Computer → Group | Principal is a member of the group (nesting chains through Group → Group) | Inherit the group's rights; nested membership is how "indirect" admins appear |
| AdminTo | User/Group → Computer | Principal is in the local Administrators group on the target | Run code as SYSTEM, dump LSASS, harvest the tickets and hashes of logged-on users |
| HasSession | Computer → User | The user has an active session on this computer | With admin on the computer, steal the user's credentials or Kerberos tickets from LSASS (Mimikatz, Rubeus); AdminTo followed by HasSession is the classic lateral-movement hop |
| CanRDP | User/Group → Computer | Member of Remote Desktop Users (or otherwise allowed to log on via RDP) | Interactive lateral movement |
| ExecuteDCOM | User/Group → Computer | Member of Distributed COM Users on the target | Lateral movement through DCOM objects such as MMC20.Application |
| CanPSRemote | User/Group → Computer | Member of Remote Management Users on the target | Lateral movement over WinRM |
| SQLAdmin | User → Computer | User is sysadmin on a SQL Server instance on the target | xp_cmdshell and other SQL Server code-execution primitives |
| ForceChangePassword | User/Group → User | Holds the reset-password extended right; no current password needed | Reset the password and log on as the target |
| AddMember | User/Group → Group | Write access to the group's member attribute | Add self (or a controlled account) to a privileged group |
| WriteOwner | Any → Object | Can take ownership of the object | Become owner, then grant self WriteDacl |
| WriteDacl | Any → Object | Can modify the object's DACL | Grant self any right on the object |
| AllExtendedRights | Any → Object | Holds all extended rights on the object | On users: reset password; on the domain head: the replication rights behind DCSync |
| GenericAll | Any → Object | Full control | Complete object takeover |
| GenericWrite | Any → Object | Can write any non-protected attribute | Set servicePrincipalName (targeted Kerberoast), msDS-KeyCredentialLink (shadow credentials), logon script; on groups, membership |
| Owns | Any → Object | Principal is the object owner | An owner may rewrite the DACL |
| GetChanges / GetChangesAll | Any → Domain | DS-Replication-Get-Changes and DS-Replication-Get-Changes-All on the domain head | Held together they allow DCSync: replicate every password hash, including krbtgt |
| DCSync | Any → Domain | Composite edge drawn when a principal holds both replication rights | Full DCSync |
| AddAllowedToAct | Any → Computer | Can write msDS-AllowedToActOnBehalfOfOtherIdentity on the computer | Resource-based constrained delegation: impersonate any user to that computer |
| AllowedToDelegate | User/Computer → Computer | Constrained delegation (msDS-AllowedToDelegateTo) to a service on the target | Impersonate users to that service via S4U2Self/S4U2Proxy; protocol transition widens it to any user |
Unconstrained delegation is not an edge: it is the unconstraineddelegation property on a computer or user node, which is why the queries below look for it by property rather than by relationship.
Blue Team Priority Edge Check
For blue teams, these edges should be flagged as findings:
| Edge | Why It Matters | Remediation |
|---|---|---|
| GetChanges + GetChangesAll (DCSync) | Any principal holding both can replicate every password hash in the domain, including krbtgt | Remove the rights from everything except DCs, tier-0 admin groups and the Azure AD Connect sync account; audit the domain head's DACL |
| ForceChangePassword or GenericAll on a Domain Admin account | Anyone who holds it can reset the account and become DA immediately | Audit who holds reset and write rights on privileged accounts. DA accounts are protected by AdminSDHolder, so a non-standard ACE on one usually means AdminSDHolder itself was modified: fix it there |
| MemberOf (to Domain Admins) | Every DA member is a full compromise waiting to be phished; the group should hold a handful of dedicated admin accounts and break-glass accounts, never daily-use logins | Reduce DA count; move administrators to a tiered model with separate admin accounts |
| AddMember (to Domain Admins) | Whoever can add members to DA is effectively DA | Audit the group's DACL (dsacls, or Get-Acl on the AD: drive) and remove delegated write rights |
| HasSession (DA session on a workstation) | A DA logged on to a non-tier-0 host leaves reusable credentials in LSASS for anyone who is admin there | Enforce tiering: DA accounts log on only to DCs and privileged access workstations; add them to Protected Users |
| AdminTo (to Domain Controllers) | Local admin on a DC is effective DA | Remove non-tier-0 admin rights from DCs; review Restricted Groups GPOs linked to the Domain Controllers OU |
| Unconstrained delegation (node property) | A host trusted for unconstrained delegation caches the TGT of every user who authenticates to it | Remove the flag from everything except DCs; use constrained or resource-based delegation; mark tier-0 accounts "sensitive and cannot be delegated" |
Blue Team Workflow — Finding and Fixing Attack Paths
Step 1: Collect and Import
```powershell
# Run SharpHound on a system that can reach a DC; the prefix makes the monthly zips easy to sort
SharpHound.exe -c Default --outputprefix corp-monthly
# Import the resulting corp-monthly_*.zip through the UI's data upload
# (Administration → File Ingest in BloodHound CE; Upload Data in the legacy UI) or via the API
```
Step 2: Run Built-In Queries (Analyst Focus)
BloodHound ships pre-built queries. The names below are from the legacy 4.x query list; BloodHound CE carries the same set under slightly different titles. For blue team analysis:
| Query | What It Finds | Why |
|---|---|---|
| List all Kerberoastable Accounts | Users with a servicePrincipalName set | Their service tickets can be requested by any domain user and cracked offline; password strength and account privilege decide the impact |
| Find Kerberoastable Members of High Value Groups | Kerberoastable accounts that are also in Domain Admins or other tier-0 groups | A weak service-account password here is a one-step domain compromise |
| Find Computers where Domain Users are Local Admin | Hosts where every domain user is a local administrator | Over-permissive local groups turn any phish into code execution as admin |
| Find Principals with DCSync Rights | Users, groups or computers holding both replication rights on the domain | Anything that is not a DC, a tier-0 admin or the Azure AD Connect account is a finding |
| Shortest Path from Owned Principals | Mark a user as Owned, then see every route from it to Domain Admins | Blast radius of a single compromised account |
| Find Shortest Paths to Domain Admins | Quickest escalation paths from anywhere in the domain | Prioritize remediation: fix the shortest paths first |
| Shortest Paths to Unconstrained Delegation Systems | Computers with unconstrained Kerberos delegation and the paths that reach them | Any user who authenticates to such a host hands it a reusable TGT |
Step 3: Analyze the Attack Graph
Cypher query: users who can reach Domain Admins in 3 hops or fewer, ranked by the number of distinct paths. Binding the whole path to p and counting it is what the original count(r1) was trying to do; in a multi-domain graph you can match the group by objectid ending in "-512" instead of by name.
```cypher
MATCH p = (u:User)-[*1..3]->(g:Group {name:"DOMAIN ADMINS@CORP.LOCAL"})
RETURN u.name AS user, count(p) AS pathCount
ORDER BY pathCount DESC
```
Cypher query: Kerberoastable accounts that are (possibly nested) members of Domain Admins. DISTINCT collapses the duplicate rows produced when several nesting chains exist.
```cypher
MATCH (u:User {hasspn:true})-[:MemberOf*1..]->(g:Group {name:"DOMAIN ADMINS@CORP.LOCAL"})
RETURN DISTINCT u.name, u.samaccountname, u.displayname
```
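To make the edge-following concrete outside the graph database, here is an added Python example (not BloodHound or SharpHound code) that builds edges from SharpHound-style JSON and breadth-first searches for the shortest path from each user to the RID-512 group, the same question the first Cypher query asks. The three documents are constructed; every SID and name in them is invented, and the key names (ObjectIdentifier, Properties, Aces, Members, LocalAdmins, Sessions) are assumed from the v4/CE collector format rather than taken from this page, so check a real collection before pointing it at one.

```python
"""Attack-path search over SharpHound-style JSON (added example, not BloodHound code).

The documents below mimic the layout of SharpHound's users/groups/computers JSON.
Every SID and name is invented; the key names are an assumption about the v4/CE format.
"""
from collections import deque

D = "CORP.LOCAL"
S = "S-1-5-21-1-1-1"          # invented domain SID prefix


def sid(rid):
    return f"{S}-{rid}"


# --- constructed sample collection ------------------------------------------
USERS = [
    {"ObjectIdentifier": sid(1001), "Properties": {"name": f"ALICE@{D}"}, "Aces": []},
    {"ObjectIdentifier": sid(1002), "Properties": {"name": f"CAROL@{D}"}, "Aces": []},
    {"ObjectIdentifier": sid(1003), "Properties": {"name": f"DAVE@{D}"}, "Aces": []},
    # CAROL holds GenericAll over the DA account DA_BOB (an ACL finding)
    {"ObjectIdentifier": sid(1100), "Properties": {"name": f"DA_BOB@{D}"},
     "Aces": [{"PrincipalSID": sid(1002), "PrincipalType": "User",
               "RightName": "GenericAll", "IsInherited": False}]},
]
GROUPS = [
    {"ObjectIdentifier": sid(512), "Properties": {"name": f"DOMAIN ADMINS@{D}"},
     "Members": [{"ObjectIdentifier": sid(1100), "ObjectType": "User"}], "Aces": []},
    {"ObjectIdentifier": sid(2001), "Properties": {"name": f"HELPDESK@{D}"},
     "Members": [{"ObjectIdentifier": sid(1001), "ObjectType": "User"}], "Aces": []},
]
COMPUTERS = [
    {"ObjectIdentifier": sid(3001), "Properties": {"name": f"WS01.{D}"}, "Aces": [],
     # HELPDESK is in the local Administrators group on WS01 ...
     "LocalAdmins": {"Results": [{"ObjectIdentifier": sid(2001), "ObjectType": "Group"}],
                     "Collected": True, "FailureReason": None},
     # ... and the Domain Admin DA_BOB has a session there (tiering violation)
     "Sessions": {"Results": [{"UserSID": sid(1100), "ComputerSID": sid(3001)}],
                  "Collected": True, "FailureReason": None}},
]

# ACE right names SharpHound emits that BloodHound turns into abusable edges
ACL_EDGES = {"GenericAll", "GenericWrite", "WriteDacl", "WriteOwner", "Owns",
             "AddMember", "AddSelf", "ForceChangePassword", "AllExtendedRights",
             "GetChanges", "GetChangesAll", "AllowedToAct", "AddKeyCredentialLink"}


def build_graph(users, groups, computers):
    """Return (adjacency, names): adjacency maps a SID to a list of (edge, target SID)."""
    adj, names = {}, {}

    def add(src, edge, dst):
        adj.setdefault(src, []).append((edge, dst))

    for obj in users + groups + computers:
        names[obj["ObjectIdentifier"]] = obj["Properties"]["name"]
        for ace in obj.get("Aces", []):            # ACL edges point at the object that carries the ACE
            if ace["RightName"] in ACL_EDGES:
                add(ace["PrincipalSID"], ace["RightName"], obj["ObjectIdentifier"])
    for g in groups:
        for m in g.get("Members", []):
            add(m["ObjectIdentifier"], "MemberOf", g["ObjectIdentifier"])
    for c in computers:
        for r in c.get("LocalAdmins", {}).get("Results", []):
            add(r["ObjectIdentifier"], "AdminTo", c["ObjectIdentifier"])
        for s in c.get("Sessions", {}).get("Results", []):
            add(c["ObjectIdentifier"], "HasSession", s["UserSID"])   # computer -> user, as BloodHound draws it
    return adj, names


def shortest_path(adj, start, target, max_hops=5):
    """Breadth-first search; returns [(src, edge, dst), ...] or None if unreachable within max_hops."""
    parent = {start: None}
    queue = deque([(start, 0)])
    while queue:
        node, depth = queue.popleft()
        if node == target:
            path = []
            while parent[node] is not None:
                prev, edge = parent[node]
                path.append((prev, edge, node))
                node = prev
            return path[::-1]
        if depth >= max_hops:
            continue
        for edge, nxt in adj.get(node, []):
            if nxt not in parent:
                parent[nxt] = (node, edge)
                queue.append((nxt, depth + 1))
    return None


def paths_to_domain_admins(users, groups, computers, max_hops=5):
    """Map each user name to its shortest path to the RID-512 group, rendered with names."""
    adj, names = build_graph(users, groups, computers)
    da = next(g["ObjectIdentifier"] for g in groups if g["ObjectIdentifier"].endswith("-512"))
    result = {}
    for u in users:
        p = shortest_path(adj, u["ObjectIdentifier"], da, max_hops)
        result[names[u["ObjectIdentifier"]]] = None if p is None else [(names[a], e, names[b]) for a, e, b in p]
    return result


if __name__ == "__main__":
    for user, path in paths_to_domain_admins(USERS, GROUPS, COMPUTERS).items():
        print(user, "->", " -> ".join(f"{e}:{b}" for _, e, b in path) if path else "no path within 5 hops")
```

Run as-is, ALICE reaches Domain Admins in four hops (MemberOf HELPDESK, AdminTo WS01, HasSession DA_BOB, MemberOf DOMAIN ADMINS), CAROL in two through her GenericAll ACE, and DAVE not at all; with max_hops=3 ALICE's path disappears, which is the same cut-off the Cypher query's *1..3 applies. Real collections have hundreds of thousands of edges, which is why the graph database and not a script does this in production, but the edge construction is the part worth understanding: every row in the edge table above comes from one of these three loops.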
Step 4: Remediate Priority Findings
| Finding | Remediation | Verification |
|---|---|---|
| User in Domain Admins when not required | Remove from DA group. Grant just the rights needed via delegated permissions. | Re-run BloodHound and verify DA membership reduced. |
| Unconstrained delegation on a computer | Switch to constrained delegation or resource-based constrained delegation. | Re-run collection, check delegation edges. |
| Excessive ACL abuse path | Audit the AD ACL. Remove unnecessary WriteOwner/WriteDACL/GenericAll. | Re-run ACL collection and verify edges removed. |
| DA sessions on non-DA workstations | Enforce AD tiering — DA should only log into DCs and DA workstations. | Check HasSession edges post-enforcement. |
| Kerberoastable DA service accounts | Remove the SPN from the DA account, or move the service to a group Managed Service Account (gMSA), whose password is generated by AD and rotated automatically every 30 days. Where that is not possible, set a long random password and take the account out of Domain Admins. | Re-run the Kerberoastable queries; the account should no longer appear as a member of a high-value group. |
BloodHound CE (Community Edition)
BloodHound CE is the current version, replacing the legacy BloodHound 4.x. Key differences:
| Feature | Legacy BloodHound (4.x) | BloodHound CE |
|---|---|---|
| Architecture | Electron desktop app talking directly to Neo4j | Go API server, React web UI, PostgreSQL for application state, Neo4j for the graph |
| Installation | Neo4j plus the app installed on each analyst machine | Docker containers (docker compose up); one shared instance for the team |
| Authentication | Neo4j credentials only | User accounts, roles and API keys for automation |
| Collection | SharpHound 1.x and the PowerShell AzureHound | SharpHound v2 and the Go AzureHound; use the collector releases matched to your CE version |
| Queries | Cypher in the GUI and a pre-built query list | Cypher in the UI and through the REST API, pre-built queries, saved custom queries |
| Analysis | Manual exploration | Composite edges such as DCSync and the ADCS escalation edges are computed at ingest, on top of the same explore-and-query workflow |
Quick Start with BloodHound CE
```shell
# Clone and start BloodHound CE
git clone https://github.com/SpecterOps/BloodHound.git
cd BloodHound/examples/docker-compose
docker compose up -d
# The randomly generated admin password is printed once in the API container's log
docker compose logs bloodhound | grep -i "initial password"
# Access the UI at http://localhost:8080, change the password, then upload SharpHound zip files via the Web UI
```
Blue Team Automation — Continuous BloodHound Assessment
For production blue team use, BloodHound should run on a schedule from a dedicated collection host with a dedicated low-privilege domain account, and the output must be protected: a SharpHound zip is exactly the reconnaissance an attacker wants, so password-protect it and restrict who can read the share and the BloodHound instance.
```text
# Example automation using Task Scheduler (weekly)
Schedule: Every Monday at 2:00 AM
Action:
1. PowerShell: Fetch the pinned SharpHound release and verify its hash. Do not auto-update to whatever is latest: an unreviewed collector binary running with domain credentials on a schedule is a supply-chain risk.
2. PowerShell: Run SharpHound.exe -c Default --outputprefix corp-weekly --zippassword <password>
3. PowerShell: Upload the zip to the BloodHound CE API (or drop it in a folder watched by an ingest job)
4. Automated analysis: Diff the edge set against the previous week's collection
5. Report: Generate a finding diff (new edges discovered, old edges remediated, open critical count trend)
```
Expect the scheduled run to look like an attacker in your own telemetry: LDAP query volume that touches every object, SMB/SAMR and NetSessionEnum calls to every host, and Directory Service access events (4662) on DCs where SACL auditing is enabled. Allowlist the collection host and account in those detections by name and time window rather than suppressing the detections themselves.
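Steps 4 and 5 of the schedule above, as an added Python example (not BloodHound's own code): diff two weekly edge exports, drop session churn that does not touch tier-0, classify what is new and what was remediated, and flag a regression when a new critical edge appears even if the total went down. Both snapshots and the tier-0 list are constructed and every name is invented; exporting the edges as (source, edge, target) triples from the graph (for example with a Cypher query that returns a.name, type(r), b.name) is assumed to happen outside this script.

```python
"""Week-over-week diff of BloodHound edges for a scheduled assessment (added example).

Assumes each run exports edges as (source, edge type, target) triples. The two
snapshots and the tier-0 list below are constructed; every name is invented.
"""
from collections import Counter

# Constructed snapshots of (source, edge, target)
LAST_WEEK = {
    ("HELPDESK@CORP.LOCAL", "AdminTo", "DC01.CORP.LOCAL"),       # helpdesk is admin on a DC
    ("SVC_BACKUP@CORP.LOCAL", "GetChangesAll", "CORP.LOCAL"),    # DCSync-capable
    ("SVC_BACKUP@CORP.LOCAL", "GetChanges", "CORP.LOCAL"),
    ("WS01.CORP.LOCAL", "HasSession", "DA_BOB@CORP.LOCAL"),      # DA logged on to a workstation
    ("WS02.CORP.LOCAL", "HasSession", "ALICE@CORP.LOCAL"),       # ordinary user session
    ("ALICE@CORP.LOCAL", "MemberOf", "HELPDESK@CORP.LOCAL"),
}
THIS_WEEK = {
    ("SVC_BACKUP@CORP.LOCAL", "GetChangesAll", "CORP.LOCAL"),    # still open
    ("SVC_BACKUP@CORP.LOCAL", "GetChanges", "CORP.LOCAL"),
    ("WS03.CORP.LOCAL", "HasSession", "ALICE@CORP.LOCAL"),       # session churn, not a finding
    ("ALICE@CORP.LOCAL", "MemberOf", "HELPDESK@CORP.LOCAL"),
    ("CAROL@CORP.LOCAL", "GenericAll", "DA_BOB@CORP.LOCAL"),     # new ACL path to a DA account
}
# Tier-0 assets (constructed). In practice derive this set from the domain head,
# the RID-512/519 groups and their members, and the domain controllers.
TIER0 = {"CORP.LOCAL", "DOMAIN ADMINS@CORP.LOCAL", "DC01.CORP.LOCAL", "DA_BOB@CORP.LOCAL"}

VOLATILE = {"HasSession"}   # changes daily; only interesting when it touches tier-0
TAKEOVER = {"GenericAll", "GenericWrite", "WriteDacl", "WriteOwner", "Owns", "AddMember",
            "AllExtendedRights", "ForceChangePassword", "AdminTo", "HasSession", "AddAllowedToAct"}


def severity(edge, tier0):
    """Rough triage: replication rights and takeover edges into tier-0 are critical."""
    src, kind, dst = edge
    if kind in {"GetChangesAll", "DCSync"}:
        return "critical"                     # replication rights: dump every hash
    if dst in tier0:
        return "critical" if kind in TAKEOVER else "high"
    return "medium"


def diff_snapshots(previous, current, tier0):
    """Classify edges as new / remediated / unchanged and summarise the severity trend."""
    def keep(e):
        return e[1] not in VOLATILE or e[0] in tier0 or e[2] in tier0

    prev = {e for e in previous if keep(e)}
    cur = {e for e in current if keep(e)}
    new, gone = cur - prev, prev - cur
    open_now = Counter(severity(e, tier0) for e in cur)
    open_before = Counter(severity(e, tier0) for e in prev)
    return {
        "new": sorted(new),
        "remediated": sorted(gone),
        "unchanged": sorted(cur & prev),
        "new_by_severity": Counter(severity(e, tier0) for e in new),
        "open_by_severity": open_now,
        "critical_delta": open_now["critical"] - open_before["critical"],
        # A new critical edge is a regression even when the totals improved:
        # remediation elsewhere must not hide a fresh path to tier-0.
        "regression": any(severity(e, tier0) == "critical" for e in new),
    }


if __name__ == "__main__":
    r = diff_snapshots(LAST_WEEK, THIS_WEEK, TIER0)
    for k in ("new", "remediated"):
        for s, kind, d in r[k]:
            print(f"{k.upper():10} {severity((s, kind, d), TIER0):8} {s} -{kind}-> {d}")
    print("open by severity:", dict(r["open_by_severity"]), "critical delta:", r["critical_delta"])
    raise SystemExit(1 if r["regression"] else 0)   # fail the pipeline on a new critical edge
```

On the constructed data the week looks better in aggregate (two critical edges closed, critical count down by one) and still fails the pipeline, because CAROL's new GenericAll over a Domain Admin is a fresh one-hop path to tier-0. The session filter is the part most often missed in home-grown trackers: without it every run reports dozens of "new" and "remediated" HasSession edges that are just people logging on and off, and the real findings drown in the churn.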
SPL query (Splunk) to track findings over time, assuming each scheduled run writes one event per finding to the SIEM; the index and sourcetype names are placeholders. It counts findings per type and host in the previous and current week and labels the change:
```spl
index=security sourcetype="bloodhound_findings" earliest=-14d@d
| eval period=if(_time >= relative_time(now(), "-7d@d"), "current", "previous")
| stats count(eval(period="previous")) AS prev_count, count(eval(period="current")) AS cur_count BY finding_type, severity, host
| eval remediation_status=case(cur_count=0 AND prev_count>0, "REMEDIATED", cur_count>prev_count, "WORSENED", cur_count<prev_count, "IMPROVED", true(), "UNCHANGED")
| table finding_type, host, severity, prev_count, cur_count, remediation_status
```
Related
- Azure Sentinel — detection and response for T1654 techniques
- Burp Suite — detection and response for T1592 techniques
- Cobalt Strike — Detection and Beacon Analysis — detection and response for T1055, T1572, T1071 techniques
