# BloodHound
## Overview
BloodHound maps Active Directory relationships and finds attack paths to high-value targets. A collector (ingestor) gathers users, groups, computers, sessions, ACLs and trusts over LDAP and SMB and writes them out as JSON; the GUI loads that data into a graph database (neo4j) and runs graph queries over it, so a chain of individually harmless rights (a session on one host, GenericAll on one account, membership in one nested group) shows up as a single privilege escalation path. bloodhound-python is the Linux ingestor, SharpHound is the Windows ingestor, and NetExec can also collect. Collector and GUI must match: BloodHound Legacy (v4) and BloodHound Community Edition (CE) use different data formats, so upload data from a CE-compatible collector build (SharpHound CE, the CE branch of BloodHound.py) to CE.
## ATT&CK Mapping
- Tactic: TA0007 - Discovery
- Technique: T1087.002 - Account Discovery: Domain Account
- Related: T1069.002 - Permission Groups Discovery: Domain Groups; T1482 - Domain Trust Discovery
## Prerequisites
- Valid domain credentials (any domain user; no special privileges are needed for LDAP collection)
- Network reachability to a domain controller over LDAP (389/636) and, for the Session and LocalAdmin methods, SMB (445) to member computers
- BloodHound GUI (legacy) or BloodHound Community Edition for analysis
- On Kali:

```bash
sudo apt install -y bloodhound bloodhound.py
```
## Techniques
### Data Collection (Linux — bloodhound-python)

```bash
# bloodhound-python
# https://github.com/dirkjanm/BloodHound.py
# Default collection (Group, LocalAdmin, Session, Trusts)
bloodhound-python -u '<user>' -p '<password>' -d '<domain>' -dc <dc_ip> -c Default
# All collection methods
bloodhound-python -u '<user>' -p '<password>' -d '<domain>' -dc <dc_ip> -c All
# DC-only (LDAP to the DC only, no connections to member computers; stealthier)
bloodhound-python -u '<user>' -p '<password>' -d '<domain>' -dc <dc_ip> -c DCOnly
# With NT hash (pass-the-hash; format is LMHASH:NTHASH, LM part may be empty)
bloodhound-python -u '<user>' --hashes ':<ntlm_hash>' -d '<domain>' -dc <dc_ip> -c All
# Custom nameserver (use the DC when the attack box is not on domain DNS)
bloodhound-python -u '<user>' -p '<password>' -d '<domain>' -dc <dc_ip> -ns <dc_ip> -c All
# Compress output to ZIP
bloodhound-python -u '<user>' -p '<password>' -d '<domain>' -dc <dc_ip> -c All --zip
```

Notes: `-dc` expects the domain controller hostname; an IP works with NTLM authentication but Kerberos authentication (`-k`) needs the FQDN, so pair it with `-ns <dc_ip>` so the name resolves. Output is written to the working directory as timestamped `*_users.json`, `*_groups.json`, `*_computers.json` (and so on); `--zip` bundles them for upload. `-c All` contacts every computer in the domain over SMB, so in a large domain run `DCOnly` first for the LDAP-only picture and collect sessions and local admins afterwards if the noise is acceptable.
### Data Collection (NetExec)

```bash
# NetExec
# https://github.com/Pennyw0rth/NetExec
nxc ldap <dc_ip> -u <user> -p <password> --bloodhound --dns-server <dc_ip> -c All
```

NetExec wraps the bloodhound-python collector; the resulting ZIP is written under `~/.nxc/logs/` and the path is printed when collection finishes.
### Data Collection (Windows — SharpHound)

```powershell
# SharpHound
# https://github.com/BloodHoundAD/SharpHound
# All collection methods (running with no -c flag performs the Default collection)
.\SharpHound.exe -c All
# Specific collection
.\SharpHound.exe -c DCOnly
# With explicit domain/credentials (otherwise the current logon token is used)
.\SharpHound.exe -c All -d domain.local --ldapusername user --ldappassword pass
```

SharpHound writes a timestamped ZIP of JSON files to the current directory. The `--ldapusername`/`--ldappassword` form only changes the LDAP bind; SMB-based methods (Session, LocalAdmin) still run as the logged-on user, so run from a session of the account you want the collection attributed to.
### Collection Methods

| Method | What It Collects | Notes |
|---|---|---|
| Default | Group, LocalAdmin, Session, Trusts | Good starting point (bloodhound-python definition; SharpHound's Default also includes ACL, ObjectProps, Container and the RDP/DCOM/PSRemote local-group methods) |
| All | Everything except LoggedOn | Most complete; connects to every computer over SMB |
| DCOnly | Group, Trusts, ObjectProps, ACL, Container | LDAP to the DC only, no computer connections (stealthier) |
| Group | Group memberships | |
| LocalAdmin | Local admin relationships | Requires SMB access to each computer (SAMR) |
| Session | Active sessions | Requires SMB access to each computer (NetSessionEnum) |
| ACL | Object DACLs | Identifies permission-based attack paths |
| Trusts | Domain trust relationships | |
| ObjectProps | Object properties (description, etc.) | |
| LoggedOn | Logged-on users | Requires local admin on the targets; noisy |
## Analysis — Key Queries
After importing data into the BloodHound GUI:

Pre-built queries (Analysis tab in legacy; the Cypher panel's pre-built searches in CE):
- Find all Domain Admins
- Find Shortest Paths to Domain Admins
- Find Principals with DCSync Rights
- Find Computers where Domain Users are Local Admin
- Shortest Paths to High Value Targets
- Find Kerberoastable Users with Most Privileges

Custom Cypher queries (raw query bar in legacy, Cypher tab in CE). Principal names are upper-case and suffixed with the domain, so replace `DOMAIN.LOCAL` with the target domain exactly as BloodHound displays it:

```cypher
// Find all Kerberoastable users (enabled accounts that carry an SPN)
MATCH (u:User {hasspn: true, enabled: true}) RETURN u.name, u.serviceprincipalnames
// Users with a path to Domain Admins who are not already members of the group
MATCH p=shortestPath((u:User)-[*1..]->(g:Group {name:"DOMAIN ADMINS@DOMAIN.LOCAL"}))
WHERE NOT (u)-[:MemberOf*1..]->(g)
RETURN p
// Computers with unconstrained delegation
MATCH (c:Computer {unconstraineddelegation: true}) RETURN c.name
// Users with GenericAll on other users (full control: reset password, add SPN, etc.)
MATCH (u1:User)-[:GenericAll]->(u2:User) RETURN u1.name, u2.name
// Find AS-REP roastable users (Kerberos pre-authentication disabled)
MATCH (u:User {dontreqpreauth: true}) RETURN u.name
```
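The Cypher queries above run against the graph after upload, but the same answers are already in the collector's `users.json`, which is useful for a quick triage on the attack box before standing up neo4j, or for checking that a collection actually captured what you expected. The script below is an added example written for this page, not code from BloodHound or BloodHound.py. It reads the JSON a collector writes (a plain `users.json` or the `--zip` archive), and the embedded sample is a constructed document in the shape of that output with made-up names and SIDs. The field names (`Properties`, `hasspn`, `dontreqpreauth`, `Aces`, `RightName`) are those of the v5 collector format; the exclusion of krbtgt and of disabled accounts is this script's choice, not BloodHound's.

```python
"""Offline triage of BloodHound collector output (users.json) without neo4j.

Added example, not part of BloodHound or BloodHound.py. It answers the same
questions as the Cypher queries above straight from the collected JSON:
Kerberoastable users, AS-REP-roastable users, and GenericAll grants between users.
"""
import json
import zipfile
from pathlib import Path

# Constructed sample in the shape of a collector's users.json (not real data).
SAMPLE_USERS_JSON = json.dumps({
    "data": [
        {"ObjectIdentifier": "S-1-5-21-1-2-3-1105",
         "Properties": {"name": "SVC_SQL@DOMAIN.LOCAL", "enabled": True,
                        "hasspn": True, "dontreqpreauth": False,
                        "serviceprincipalnames": ["MSSQLSvc/sql01.domain.local:1433"]},
         "Aces": [{"PrincipalSID": "S-1-5-21-1-2-3-1110", "PrincipalType": "User",
                   "RightName": "GenericAll", "IsInherited": False}]},
        {"ObjectIdentifier": "S-1-5-21-1-2-3-1108",
         "Properties": {"name": "LEGACY.APP@DOMAIN.LOCAL", "enabled": True,
                        "hasspn": False, "dontreqpreauth": True,
                        "serviceprincipalnames": []},
         "Aces": []},
        {"ObjectIdentifier": "S-1-5-21-1-2-3-1110",
         "Properties": {"name": "JSMITH@DOMAIN.LOCAL", "enabled": True,
                        "hasspn": False, "dontreqpreauth": False,
                        "serviceprincipalnames": []},
         "Aces": []},
        {"ObjectIdentifier": "S-1-5-21-1-2-3-502",
         "Properties": {"name": "KRBTGT@DOMAIN.LOCAL", "enabled": False,
                        "hasspn": True, "dontreqpreauth": False,
                        "serviceprincipalnames": ["kadmin/changepw"]},
         "Aces": []},
    ],
    "meta": {"type": "users", "count": 4, "version": 5},
})


def load_users(source):
    """Accept a JSON string, a path to users.json, or a --zip archive holding one."""
    text = source if isinstance(source, str) and source.lstrip().startswith("{") else None
    if text is None:
        path = Path(source)
        if path.suffix == ".zip":
            with zipfile.ZipFile(path) as zf:
                name = next(n for n in zf.namelist() if n.endswith("users.json"))
                text = zf.read(name).decode("utf-8-sig")  # SharpHound writes a UTF-8 BOM
        else:
            text = path.read_text(encoding="utf-8-sig")
    return json.loads(text)["data"]


def kerberoastable(users):
    """Mirrors MATCH (u:User {hasspn: true}); drops disabled accounts and krbtgt,
    whose kadmin/changepw SPN is not a practical Kerberoast target."""
    return sorted(
        p["name"] for p in (u["Properties"] for u in users)
        if p.get("hasspn") and p.get("enabled") and not p["name"].startswith("KRBTGT@")
    )


def asrep_roastable(users):
    """Mirrors MATCH (u:User {dontreqpreauth: true}), enabled accounts only."""
    return sorted(p["name"] for p in (u["Properties"] for u in users)
                  if p.get("dontreqpreauth") and p.get("enabled"))


def generic_all_user_to_user(users):
    """(grantee, target) pairs where a User principal holds GenericAll on another user,
    i.e. the edges MATCH (u1:User)-[:GenericAll]->(u2:User)."""
    by_sid = {u["ObjectIdentifier"]: u["Properties"]["name"] for u in users}
    pairs = []
    for target in users:
        for ace in target.get("Aces", []):
            if ace["RightName"] == "GenericAll" and ace["PrincipalType"] == "User":
                grantee = by_sid.get(ace["PrincipalSID"], ace["PrincipalSID"])
                pairs.append((grantee, target["Properties"]["name"]))
    return sorted(pairs)


if __name__ == "__main__":
    import sys
    users = load_users(sys.argv[1] if len(sys.argv) > 1 else SAMPLE_USERS_JSON)
    print("Kerberoastable:", kerberoastable(users))
    print("AS-REP roastable:", asrep_roastable(users))
    print("GenericAll user->user:", generic_all_user_to_user(users))
```

Run it as `python3 triage.py 20240501100000_BloodHound.zip` against a real collection; without an argument it runs on the constructed sample. Principals from other object types (groups, computers) appear in `Aces` with their own `PrincipalType`, so extend the filter in `generic_all_user_to_user` if you also want group-held rights.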
## BloodHound Community Edition
BloodHound CE on Kali uses a native package (neo4j + PostgreSQL backend, no Docker required):

```bash
# Install BloodHound CE
sudo apt install -y bloodhound
# First-time setup (initializes neo4j, PostgreSQL, and the API config)
sudo bloodhound-setup
# Start BloodHound CE
sudo bloodhound
# Access the web UI at http://localhost:8080/ui/login
# Default credentials: admin / admin (you will be prompted to change on first login)
```

Upload collected JSON/ZIP files through the web interface (Administration, then File Ingest). Only data from CE-compatible collectors is accepted; legacy-format collections fail to ingest.
## Detection Methods
### Network-Based Detection
- LDAP: one client paging through every user, group, computer, trust and OU in the domain within seconds (large `objectClass=` / `sAMAccountType=` searches against the domain root). `DCOnly` collection produces only this traffic, so LDAP telemetry is the one source that covers every collection method.
- SMB: the same client opening SMB (445) to many member computers in quick succession and querying local group membership (SAMR) and sessions (NetSessionEnum), which is what the LocalAdmin and Session methods do.
### Host-Based Detection
- Domain controllers: Event 4662 (Directory Service Access) fires only for objects that carry an audit SACL, so on its own it does not record bulk LDAP reads; seed a few honey objects with SACLs, or raise the Directory Service diagnostic logging level so that event 1644 records expensive and inefficient LDAP searches with their filter and client address.
- Member hosts: bursts of Event 4624 (logon type 3) from one account across many hosts in a short window, and Event 4661 (handle requested to a SAM object) during local group enumeration.
- SharpHound process on Windows endpoints; note that a renamed binary or in-memory execution (`Invoke-BloodHound`, reflective loading) evades a process-name match, so also look for the timestamped `*.json`/ZIP output files.
- .NET assembly loading patterns consistent with SharpHound (CLR loaded into a process that does not normally host .NET, visible via Sysmon ImageLoad events or Microsoft-Windows-DotNETRuntime ETW).
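The network-based LDAP indicator above comes down to one heuristic: a single client enumerating several object types of the whole domain, returning thousands of entries, within a few seconds. The script below is an added example written for this page, not BloodHound code and not a detection shipped with any product. It runs that heuristic over LDAP search records in a constructed, normalised one-line-per-search format (the log lines and IP addresses are made up); adapt `parse_line()` to your own source (Directory Service event 1644, Zeek, an LDAP proxy log). The window and thresholds are assumed starting values to tune against your baseline.

```python
"""Detect BloodHound-style LDAP enumeration from LDAP search logs.

Added example, not BloodHound code. Heuristic: a collector walks users, groups,
computers, trusts and OUs of the whole domain within seconds, whereas ordinary
clients look up one object at a time. Input lines are a constructed, normalised
format (one search per line); adapt parse_line() to your log source.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(seconds=300)   # assumed tuning values, not product defaults
MIN_CATEGORIES = 3                # distinct object types enumerated in the window
MIN_ENTRIES = 5000                # or this many entries returned in the window

# Map LDAP filter fragments to the object type being enumerated.
CATEGORY_PATTERNS = [
    ("users", re.compile(r"samAccountType=805306368|objectCategory=person", re.I)),
    ("groups", re.compile(r"objectClass=group|samAccountType=268435456", re.I)),
    ("computers", re.compile(r"samAccountType=805306369|objectCategory=computer", re.I)),
    ("trusts", re.compile(r"objectClass=trustedDomain", re.I)),
    ("ous", re.compile(r"objectClass=organizationalUnit|objectClass=container|objectClass=domain\b", re.I)),
]
LINE_RE = re.compile(
    r"^(?P<ts>\S+) client=(?P<client>\S+) base=(?P<base>\S+) "
    r"filter=(?P<filter>\S+) entries=(?P<entries>\d+)$"
)

# Constructed sample log: 10.0.0.55 behaves like a collector, the others do not.
SAMPLE_LDAP_LOG = """
2024-05-01T10:00:01Z client=10.0.0.55 base=DC=domain,DC=local filter=(samAccountType=805306368) entries=4120
2024-05-01T10:00:03Z client=10.0.0.55 base=DC=domain,DC=local filter=(objectClass=group) entries=812
2024-05-01T10:00:05Z client=10.0.0.55 base=DC=domain,DC=local filter=(samAccountType=805306369) entries=1503
2024-05-01T10:00:06Z client=10.0.0.55 base=CN=System,DC=domain,DC=local filter=(objectClass=trustedDomain) entries=2
2024-05-01T10:00:09Z client=10.0.0.55 base=DC=domain,DC=local filter=(objectClass=organizationalUnit) entries=97
2024-05-01T10:00:12Z client=10.0.0.21 base=DC=domain,DC=local filter=(&(objectCategory=person)(sAMAccountName=jsmith)) entries=1
2024-05-01T10:31:00Z client=10.0.0.77 base=DC=domain,DC=local filter=(objectClass=group) entries=812
2024-05-01T11:45:00Z client=10.0.0.77 base=DC=domain,DC=local filter=(samAccountType=805306368) entries=4120
"""


def classify(ldap_filter):
    """Return the object type a filter enumerates, or 'other' for targeted lookups."""
    for name, pattern in CATEGORY_PATTERNS:
        if pattern.search(ldap_filter):
            return name
    return "other"


def parse_line(line):
    """Parse one normalised record; returns None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.fromisoformat(m["ts"].replace("Z", "+00:00"))
    return {"ts": ts, "client": m["client"], "category": classify(m["filter"]),
            "entries": int(m["entries"])}


def detect_enumeration(lines, window=WINDOW, min_categories=MIN_CATEGORIES,
                       min_entries=MIN_ENTRIES):
    """Sliding-window check per client; one alert per client on first breach."""
    recent = defaultdict(deque)   # client -> events inside the window, oldest first
    alerts, alerted = [], set()
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        q = recent[ev["client"]]
        q.append(ev)
        while q and ev["ts"] - q[0]["ts"] > window:   # drop events older than the window
            q.popleft()
        categories = {e["category"] for e in q} - {"other"}
        entries = sum(e["entries"] for e in q)
        if ev["client"] not in alerted and (len(categories) >= min_categories
                                            or entries >= min_entries):
            alerted.add(ev["client"])
            alerts.append({"client": ev["client"], "first_seen": q[0]["ts"].isoformat(),
                           "last_seen": ev["ts"].isoformat(),
                           "categories": sorted(categories), "entries": entries})
    return alerts


if __name__ == "__main__":
    for alert in detect_enumeration(SAMPLE_LDAP_LOG.splitlines()):
        print("ALERT possible AD enumeration:", alert)
```

On the sample, 10.0.0.55 trips the rule on its third search (users, groups and computers within four seconds), 10.0.0.21's single targeted lookup does not, and 10.0.0.77's two bulk searches are too far apart to fall in one window. Legitimate bulk readers (monitoring agents, identity sync, your own BloodHound runs) will match too; allow-list them by client address rather than loosening the thresholds.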
## Mitigation Strategies
- Reduce attack paths: run BloodHound against your own domain on a schedule and fix what it finds (ACL misconfigurations, unnecessary and nested group memberships, Kerberoastable accounts with privileges, unconstrained delegation).
- Tier your admin accounts: keep Tier 0 credentials off workstations (logon restrictions via GPO, the Protected Users group), which removes the Session and LocalAdmin edges that most paths depend on.
- Monitor LDAP queries: alert on one client enumerating many object types or returning thousands of entries in a short window.
- Network segmentation: every domain-joined host needs LDAP to the DC, so restrict SMB (445) between workstations instead; that removes workstation-to-workstation Session/LocalAdmin collection and the lateral movement that follows it.