
BloodHound and Active Directory Enumeration

This chapter covers BloodHound, a powerful open-source tool for analyzing and visualizing attack paths within Active Directory environments. For the PT0-002 exam, BloodHound is a critical tool under Domain 2.2 (Recon Enumeration), specifically for enumerating Active Directory trust relationships, group memberships, and ACLs to identify privilege escalation paths. Expect 5-8% of exam questions to reference BloodHound or SharpHound, either directly or in scenario-based questions about AD enumeration. You must understand not only how to run BloodHound but also how to interpret its output and use it to plan attacks.

Updated May 31, 2026

BloodHound as a Corporate Org Chart Generator

Imagine you are a consultant hired to assess the security of a large corporation. You are given a list of all employees, their job titles, their managers, and which doors they can unlock with their badges. This raw data is like the LDAP queries BloodHound uses to collect Active Directory objects. Now, you need to understand the hidden power structures: who can approve expense reports for whom, who can override badge permissions, and which managers have the ability to grant themselves access to the CEO's office. Manually tracing these relationships across thousands of employees is impossible. Instead, you feed the data into a program that builds an interactive org chart, automatically highlighting every path from a lowly intern to the CEO's office. The program also color-codes nodes: red for highly privileged users, yellow for users with delegation rights, and green for standard users. It then computes the shortest, easiest, and most dangerous paths an attacker could take, such as 'Intern -> Group Membership -> Help Desk -> Reset Password -> Domain Admin'. This is exactly what BloodHound does: it ingests Active Directory data via SharpHound collectors, builds a graph database of users, groups, computers, and their relationships (edges), and then uses graph theory to find attack paths. The 'doors' are ACEs (Access Control Entries) in each object's ACL that allow operations like 'ForceChangePassword', 'AddMember', or 'GenericAll'. BloodHound's attack path queries (e.g., 'Shortest Paths to Domain Admins') are like the program's feature that highlights the most direct route from any employee to the CEO's office, considering all badge permissions and managerial overrides.

How It Actually Works

What is BloodHound and Why Does It Exist?

BloodHound is an open-source, graph-based Active Directory (AD) reconnaissance tool developed by Andy Robbins, Rohan Vazarkar, and Will Schroeder (SpecterOps). It uses graph theory to reveal hidden and often unintended relationships within AD that can be exploited for privilege escalation. Traditional enumeration tools (e.g., PowerView, ADExplorer) list objects but do not automatically chain relationships. BloodHound solves this by ingesting AD data into a Neo4j graph database and providing a web-based UI that allows attackers (and defenders) to query for attack paths.

How BloodHound Works Internally

BloodHound operates in two phases: data collection and analysis.

Phase 1: Data Collection with SharpHound

SharpHound is the data collector that runs on a domain-joined Windows machine. It can be executed as a binary, PowerShell script, or via Cobalt Strike's execute-assembly. SharpHound performs LDAP queries to gather:

Users and their attributes (e.g., password last set, sid, memberOf)

Groups and their members (nested groups are enumerated recursively)

Computers and their properties (e.g., operating system, service accounts)

ACLs (Access Control Lists) on objects, which define permissions like GenericAll, WriteOwner, ForceChangePassword, AddMember, etc.

Domain trusts (inbound and outbound)

Group Policy Objects (GPOs) and their links to OUs

Sessions (logged-on users) via NetSessionEnum and NetWkstaUserEnum

SharpHound outputs JSON files (e.g., 20250101000000_users.json) that contain nodes (objects) and edges (relationships). The collector supports the following collection methods:

Default: Users, Groups, Computers, ACLs, Group Membership, Local Admin, Sessions

DCOnly: Domain Controller only, no session collection (faster, less noisy)

Session: Only session data

LoggedOn: Session data from remote machines

Trusts: Domain trust information

ACL: Only ACL data

Group: Only group membership data

All: Everything

Phase 2: Analysis with BloodHound

The JSON files are imported into BloodHound's UI, which communicates with a Neo4j database. The UI displays a graph where nodes represent AD objects (users, groups, computers, domains) and edges represent relationships (e.g., MemberOf, AdminTo, HasSession, ForceChangePassword). BloodHound's analysis engine uses Cypher queries to find attack paths. Key built-in queries include:

Shortest Paths to Domain Admins

Shortest Paths from Domain Users

Find Computers where Domain Users are Local Admin

Find Users with Most Admin Rights

Find Kerberoastable Users (users with SPNs)

Find AS-REP Roastable Users (users without Kerberos pre-authentication)

Find Paths from High Value Targets
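To make the two phases concrete, here is an added example (not code from this page or from the BloodHound project) that reads constructed, simplified SharpHound-style JSON for users, groups and computers, builds the same kind of directed graph (MemberOf, ForceChangePassword, AdminTo and HasSession edges), answers 'Shortest Paths to Domain Admins' with a breadth-first search, and applies the Kerberoastable and AS-REP roastable filters. The SIDs, names and the reduced set of JSON fields are assumptions; real SharpHound output carries many more properties and a meta block.

```python
import json
from collections import deque

# Constructed sample files in a simplified form of SharpHound's JSON layout
# (assumption: real output carries many more properties and a "meta" block;
# only the fields this example reads are included). SIDs and names are made up.
USERS_JSON = json.dumps({"data": [
    {"ObjectIdentifier": "S-1-5-21-1-1105", "Aces": [],
     "Properties": {"name": "INTERN@CORP.LOCAL", "hasspn": False, "dontreqpreauth": False}},
    {"ObjectIdentifier": "S-1-5-21-1-1106", "Aces": [],
     "Properties": {"name": "HELPDESK1@CORP.LOCAL", "hasspn": False, "dontreqpreauth": True}},
    {"ObjectIdentifier": "S-1-5-21-1-1107",
     "Aces": [{"PrincipalSID": "S-1-5-21-1-1200", "RightName": "ForceChangePassword"}],
     "Properties": {"name": "SVC_SQL@CORP.LOCAL", "hasspn": True, "dontreqpreauth": False}},
    {"ObjectIdentifier": "S-1-5-21-1-500", "Aces": [],
     "Properties": {"name": "ADMINISTRATOR@CORP.LOCAL", "hasspn": False, "dontreqpreauth": False}},
]})
GROUPS_JSON = json.dumps({"data": [
    {"ObjectIdentifier": "S-1-5-21-1-512", "Properties": {"name": "DOMAIN ADMINS@CORP.LOCAL"},
     "Members": [{"ObjectIdentifier": "S-1-5-21-1-500"}, {"ObjectIdentifier": "S-1-5-21-1-1107"}]},
    {"ObjectIdentifier": "S-1-5-21-1-1200", "Properties": {"name": "HELPDESK@CORP.LOCAL"},
     "Members": [{"ObjectIdentifier": "S-1-5-21-1-1105"}, {"ObjectIdentifier": "S-1-5-21-1-1106"}]},
]})
COMPUTERS_JSON = json.dumps({"data": [
    {"ObjectIdentifier": "S-1-5-21-1-2001", "Properties": {"name": "WS01.CORP.LOCAL"},
     "LocalAdmins": {"Results": [{"ObjectIdentifier": "S-1-5-21-1-1200"}]},
     "Sessions": {"Results": [{"UserSID": "S-1-5-21-1-500", "ComputerSID": "S-1-5-21-1-2001"}]}},
]})


def build_graph(users_json, groups_json, computers_json):
    """Return (names, adjacency). adjacency maps a source SID to a list of
    (edge_type, target_SID), oriented the way BloodHound draws the edges:
    MemberOf member->group, ACL principal->object, AdminTo principal->computer,
    HasSession computer->user."""
    users = json.loads(users_json)["data"]
    groups = json.loads(groups_json)["data"]
    computers = json.loads(computers_json)["data"]
    names, adj = {}, {}
    for obj in users + groups + computers:
        names[obj["ObjectIdentifier"]] = obj["Properties"]["name"]
        adj.setdefault(obj["ObjectIdentifier"], [])
    for obj in users + groups + computers:
        for ace in obj.get("Aces", []):  # ACL edge: principal -> this object
            adj.setdefault(ace["PrincipalSID"], []).append((ace["RightName"], obj["ObjectIdentifier"]))
    for g in groups:
        for m in g["Members"]:
            adj.setdefault(m["ObjectIdentifier"], []).append(("MemberOf", g["ObjectIdentifier"]))
    for c in computers:
        for a in c["LocalAdmins"]["Results"]:
            adj.setdefault(a["ObjectIdentifier"], []).append(("AdminTo", c["ObjectIdentifier"]))
        for s in c["Sessions"]["Results"]:
            adj.setdefault(s["ComputerSID"], []).append(("HasSession", s["UserSID"]))
    return names, adj


def shortest_path(adj, src, dst):
    """Breadth-first search: the first time dst is dequeued the path has the
    fewest edges, which is what 'Shortest Paths to Domain Admins' ranks by.
    Returns a list of (source_sid, edge_type, target_sid) hops, or None."""
    prev = {src: None}
    queue = deque([src])
    while queue:
        cur = queue.popleft()
        if cur == dst:
            hops = []
            while prev[cur] is not None:
                parent, edge = prev[cur]
                hops.append((parent, edge, cur))
                cur = parent
            return hops[::-1]
        for edge, nxt in adj.get(cur, []):
            if nxt not in prev:
                prev[nxt] = (cur, edge)
                queue.append(nxt)
    return None


def render(names, hops):
    """'A -MemberOf-> B -ForceChangePassword-> C' style string for a path."""
    out = names[hops[0][0]]
    for _, edge, target in hops:
        out += f" -{edge}-> {names[target]}"
    return out


def kerberoastable(users_json):
    """Users with an SPN set: what 'Find Kerberoastable Users' returns."""
    return [u["Properties"]["name"] for u in json.loads(users_json)["data"]
            if u["Properties"].get("hasspn")]


def asrep_roastable(users_json):
    """Users with Kerberos pre-authentication disabled."""
    return [u["Properties"]["name"] for u in json.loads(users_json)["data"]
            if u["Properties"].get("dontreqpreauth")]


def intern_to_da():
    names, adj = build_graph(USERS_JSON, GROUPS_JSON, COMPUTERS_JSON)
    return render(names, shortest_path(adj, "S-1-5-21-1-1105", "S-1-5-21-1-512"))


if __name__ == "__main__":
    print(intern_to_da())
    print("Kerberoastable:", kerberoastable(USERS_JSON))
    print("AS-REP roastable:", asrep_roastable(USERS_JSON))
```

The intern's shortest route is the three-hop path through the helpdesk group's ForceChangePassword ACE, not the four-hop route via local admin on WS01 and the Administrator session there; both exist in the graph, and ranking them by hop count is what the built-in query does in Cypher. At tens of thousands of objects this search is why BloodHound hands the graph to Neo4j instead of doing it in the UI.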

Key Components, Values, and Defaults

Neo4j Database: BloodHound requires Neo4j (version 3.x or 4.x). Default credentials: neo4j:neo4j (must be changed on first login).

BloodHound UI: Runs as a Python Flask web app or Electron standalone app. Default port: http://127.0.0.1:8080.

SharpHound.exe: The .NET binary collector. Default output folder: C:\Users\<username>\AppData\Local\Temp\BloodHound\ (or current directory if no output specified).

Collection Method: -c flag (e.g., -c All). No default; must be specified.

Throttling: -d flag for delay in milliseconds between requests (default 0).

Loop: --loopinterval <minutes> to run collection repeatedly (useful for session data).

Encryption: SharpHound can use --EncryptedZip to encrypt output with a password.

Configuration and Verification Commands

Installing Neo4j (Linux example):

wget -O - https://debian.neo4j.com/neotechnology.gpg.key | sudo apt-key add -
echo 'deb https://debian.neo4j.com stable latest' | sudo tee /etc/apt/sources.list.d/neo4j.list
sudo apt update
sudo apt install neo4j
sudo systemctl start neo4j
sudo systemctl enable neo4j

Starting BloodHound UI:

cd BloodHound-linux-x64
./BloodHound --no-sandbox

Running SharpHound (as domain user):

SharpHound.exe -c All -d 500 --EncryptedZip --ZipPassword MyPass

Verifying collection: Check the output folder for .json files. If --EncryptedZip used, you will get a .zip file. Import into BloodHound by dragging and dropping the zip onto the UI.

Interaction with Related Technologies

BloodHound complements other enumeration tools:

PowerView: Can be used to manually verify BloodHound findings (e.g., Get-DomainUser -Identity <user>).

Impacket: Tools like GetUserSPNs.py can confirm Kerberoastable users.

ldapdomaindump: Provides an LDAP dump that can be imported into BloodHound via custom scripts.

PlumHound: A wrapper that runs BloodHound queries automatically for reporting.

AzureHound: Extension for Azure AD and Azure RBAC enumeration.

Advanced Features

Custom Queries: Users can write Cypher queries to find specific paths, e.g., MATCH p=(u:User)-[:MemberOf*1..]->(g:Group {name:'DOMAIN ADMINS@DOMAIN.LOCAL'}) RETURN p.

Marking Nodes as High Value: Users can tag nodes (e.g., Domain Admins, Enterprise Admins) to prioritize paths.

Session Collection: Captures active sessions to find computers where high-value users are logged in, enabling lateral movement via token theft or pass-the-hash.

Group Membership Resolution: SharpHound resolves nested group memberships up to 10 levels deep by default.

ACL Analysis: BloodHound visualizes ACL edges like ForceChangePassword, AddMember, GenericAll, WriteDacl, WriteOwner, AllExtendedRights. These edges represent permissions that allow an attacker to take control of a target object.
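The following added example (not SharpHound's or BloodHound's own code) shows how an ACE's ActiveDirectoryRights mask and object-type GUID become the edge names listed above, and why 'GenericAll' outranks 'AllExtendedRights' at the bit level. The bit values are the real .NET ActiveDirectoryRights constants and the GUIDs are the real AD schema and extended-right identifiers; the sample ACEs and the reduced mapping rules are assumptions for illustration and do not cover every case SharpHound handles.

```python
# Bit values from .NET's ActiveDirectoryRights enum (real constants); this is
# what the ActiveDirectoryRights column in PowerView output encodes.
GENERIC_ALL = 0xF01FF
GENERIC_WRITE = 0x20028
WRITE_DACL = 0x40000
WRITE_OWNER = 0x80000
EXTENDED_RIGHT = 0x100
WRITE_PROPERTY = 0x20
SELF = 0x8

# Real AD schema / extended-right GUIDs that narrow an ACE to one right or attribute.
FORCE_CHANGE_PASSWORD = "00299570-246d-11d0-a768-00aa006e0529"   # User-Force-Change-Password
MEMBER_ATTRIBUTE = "bf9679c0-0de6-11d0-a285-00aa003049e2"        # 'member' attribute
DS_REPL_GET_CHANGES = "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2"
DS_REPL_GET_CHANGES_ALL = "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2"


def edges_for_ace(mask, object_type, target_class):
    """Translate one allow ACE into BloodHound edge names. The rules follow the
    edge definitions on this page and approximate SharpHound's mapping
    (assumption: only the most common cases are handled)."""
    obj = (object_type or "").lower()
    edges = []
    if mask & GENERIC_ALL == GENERIC_ALL and not obj:
        return ["GenericAll"]  # full control on the whole object subsumes every edge below
    if mask & WRITE_DACL:
        edges.append("WriteDacl")
    if mask & WRITE_OWNER:
        edges.append("WriteOwner")
    if mask & GENERIC_WRITE == GENERIC_WRITE and not obj:
        edges.append("GenericWrite")
    if mask & EXTENDED_RIGHT:
        if not obj:
            edges.append("AllExtendedRights")  # every extended right, unscoped
        elif obj == FORCE_CHANGE_PASSWORD and target_class == "User":
            edges.append("ForceChangePassword")
        elif obj == DS_REPL_GET_CHANGES and target_class == "Domain":
            edges.append("GetChanges")
        elif obj == DS_REPL_GET_CHANGES_ALL and target_class == "Domain":
            edges.append("GetChangesAll")
    if mask & (WRITE_PROPERTY | SELF) and obj == MEMBER_ATTRIBUTE and target_class == "Group":
        edges.append("AddMember")
    return edges


def right_includes(outer, inner):
    """True when every bit of inner is set in outer, e.g. GenericAll includes
    AllExtendedRights (and WriteDacl, WriteOwner), which is why it is the more
    dangerous of the two."""
    return outer & inner == inner


# Constructed sample ACEs: (principal, target, target class, mask, object type GUID).
SAMPLE_ACES = [
    ("HELPDESK@CORP.LOCAL", "SVC_SQL@CORP.LOCAL", "User", EXTENDED_RIGHT, FORCE_CHANGE_PASSWORD),
    ("HELPDESK@CORP.LOCAL", "SVC_SQL@CORP.LOCAL", "User", 0x20000, None),  # ReadControl only: no edge
    ("IT-OPS@CORP.LOCAL", "DOMAIN ADMINS@CORP.LOCAL", "Group", WRITE_PROPERTY, MEMBER_ATTRIBUTE),
    ("BACKUP@CORP.LOCAL", "CORP.LOCAL", "Domain", EXTENDED_RIGHT, DS_REPL_GET_CHANGES),
    ("INTERN@CORP.LOCAL", "JDOE@CORP.LOCAL", "User", GENERIC_ALL, None),
]


def ace_edges(aces):
    """Return (principal, edge, target) triples, the rows BloodHound draws as edges."""
    rows = []
    for principal, target, cls, mask, guid in aces:
        for edge in edges_for_ace(mask, guid, cls):
            rows.append((principal, edge, target))
    return rows


if __name__ == "__main__":
    for row in ace_edges(SAMPLE_ACES):
        print("%s -%s-> %s" % row)
```

The ReadControl-only ACE in the sample produces no edge at all, which is the point of the mapping: SharpHound keeps only rights that let the principal take over the target, so a graph edge always means control, not mere visibility.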

Common Attack Paths BloodHound Reveals

1. Group Membership: A user is a member of a group that has admin rights on a computer where a Domain Admin is logged in. Attacker compromises user -> uses token to compromise Domain Admin.

2. ACL Abuse: User A has GenericAll on User B -> User A can change User B's password or add User B to a privileged group.

3. Kerberoasting: User has SPN -> attacker requests TGS ticket and cracks it offline.

4. AS-REP Roasting: User has DONT_REQ_PREAUTH flag -> attacker requests AS-REP and cracks it.

5. GPO Abuse: User has Write permissions on a GPO that applies to a Domain Controller -> attacker can add a scheduled task to execute code as SYSTEM.

6. Domain Trusts: Inbound trust from a compromised domain allows attacker to escalate to the trusting domain.

Limitations and OPSEC Considerations

Noise: SharpHound generates LDAP queries that may trigger detection (e.g., Microsoft Defender for Identity alerts on (samAccountType=805306368) queries).

Session Collection: Requires admin rights on target machines for NetSessionEnum.

ACL Collection: Requires LDAP read access; some ACLs may not be retrievable without replication rights.

False Positives: Some paths may be theoretical (e.g., ACL abuse requires user to be able to authenticate to the target).

Graph Size: Large domains (50k+ objects) can slow down Neo4j and UI.

Defense Considerations

Defenders can use BloodHound to find and fix attack paths:

Reduce ACL sprawl by removing unnecessary permissions.

Implement Tier 0 administration model (no admin rights on non-Tier 0 systems).

Monitor for SharpHound execution (detect LDAP queries with objectClass=* and (samAccountType=805306368)).

Use honeytokens (fake users with high privileges) to detect enumeration.

Restrict who can run LDAP queries via ADSI edit permissions.
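As an added example of the monitoring item above (not from this page or any vendor product), the following Python scans constructed LDAP query log lines for the wide filters a SharpHound-style collection issues and raises one alert when a single client sends several different ones within a short window. The log line format, the client addresses and the two indicators beyond the (samAccountType=805306368) and objectClass=* filters named on this page are assumptions; a real deployment would feed it Directory Service event 1644 data or an LDAP capture.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (assumption: a simplified one-search-per-line
# text form of a DC-side LDAP query log). Addresses and account names are made up.
SAMPLE_LOG = """\
2025-01-01T09:00:01Z client=10.0.0.5 user=CORP\\intern base=DC=corp,DC=local scope=subtree filter=(samAccountType=805306368)
2025-01-01T09:00:02Z client=10.0.0.5 user=CORP\\intern base=DC=corp,DC=local scope=subtree filter=(objectClass=*)
2025-01-01T09:00:03Z client=10.0.0.5 user=CORP\\intern base=DC=corp,DC=local scope=subtree filter=(samAccountType=805306369)
2025-01-01T09:00:04Z client=10.0.0.5 user=CORP\\intern base=DC=corp,DC=local scope=subtree filter=(objectClass=trustedDomain)
2025-01-01T09:10:00Z client=10.0.0.9 user=CORP\\outlook-svc base=CN=Users,DC=corp,DC=local scope=subtree filter=(&(objectClass=user)(sAMAccountName=jdoe))
2025-01-01T09:30:00Z client=10.0.0.7 user=CORP\\hr-app base=DC=corp,DC=local scope=subtree filter=(samAccountType=805306368)
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) client=(?P<client>\S+) user=(?P<user>\S+) "
    r"base=(?P<base>\S+) scope=(?P<scope>\S+) filter=(?P<filter>.+)$")

# Wide filters issued against the whole domain during collection. The first two
# are the ones named on this page; the other two are assumptions added here
# (all computer accounts, and trust objects).
INDICATORS = {
    "(samaccounttype=805306368)": "all user accounts",
    "(objectclass=*)": "every object",
    "(samaccounttype=805306369)": "all computer accounts",
    "(objectclass=trusteddomain)": "domain trusts",
}


def parse_line(line):
    """Parse one log line into a dict, or None if it does not match the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return rec


def indicator_for(ldap_filter):
    """Normalise case and whitespace, then look the filter up. Returns None for
    ordinary application queries such as a lookup of one sAMAccountName."""
    return INDICATORS.get(re.sub(r"\s+", "", ldap_filter).lower())


def detect_enumeration(log_text, window=timedelta(seconds=60), threshold=3):
    """One wide query from a client is normal (inventory agents do it); several
    different wide filters from the same client inside `window` is the
    collection burst worth alerting on. Returns one alert per offending client."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        ind = indicator_for(rec["filter"])
        if ind:
            hits[rec["client"]].append((rec["ts"], rec["user"], ind))
    alerts = []
    for client, events in hits.items():
        events.sort()
        for i, (start, user, _) in enumerate(events):
            seen = {ind for ts, _, ind in events[i:] if ts - start <= window}
            if len(seen) >= threshold:
                alerts.append({"client": client, "user": user, "first_seen": start,
                               "indicators": sorted(seen)})
                break  # one alert per client is enough for triage
    return alerts


if __name__ == "__main__":
    for alert in detect_enumeration(SAMPLE_LOG):
        print(alert)
```

Only 10.0.0.5 trips the rule: it asks for every user, every object, every computer and every trust within three seconds, while the HR application's single user-enumeration query and the Outlook service's one-account lookup stay below the threshold. Tuning the window and threshold against a baseline of known inventory tools is what keeps this rule from paging on normal traffic.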

Walk-Through

1. Install Neo4j and BloodHound

First, install Neo4j database (version 3.5.x recommended for stability) on your attack machine (Linux or Windows). Start the Neo4j service and change the default password from 'neo4j' to something else. Then download the BloodHound binary for your OS (pre-built releases available on GitHub). Run BloodHound; it will connect to Neo4j at localhost:7687. Verify the connection by logging into the UI at http://127.0.0.1:8080. If the UI shows a blank graph, the connection succeeded. If you see a 'Neo4j not found' error, ensure Neo4j is running and the credentials in BloodHound's settings match.

2. Deploy SharpHound Collector

On a domain-joined Windows machine, transfer SharpHound.exe or SharpHound.ps1 (avoiding AMSI if possible). Run SharpHound with desired collection method; for a full picture, use `-c All`. Optionally set a delay (`-d 200`) to throttle requests and reduce noise. Use `--EncryptedZip` with a password to protect output. If you cannot run a binary, use the PowerShell version: `Invoke-BloodHound -CollectionMethod All`. The collector will output JSON files to the current directory or a temp folder. For session collection, you need admin rights on target machines; otherwise, skip session data to avoid errors.

3. Import Data into BloodHound

Retrieve the output files (e.g., zip or JSON folder) from the target machine. In the BloodHound UI, click the 'Upload Data' button (or drag and drop the zip file). BloodHound will parse the JSON and insert nodes and edges into Neo4j. For large domains, this may take minutes. Check the console for errors; common issues include duplicate nodes (if importing multiple times) or connection timeouts. After import, the UI will show a summary of objects (users, groups, computers, etc.). You can now run queries.

4. Run Pre-built Queries

In the BloodHound UI, go to the 'Analysis' tab. Select 'Shortest Paths to Domain Admins' from the dropdown. BloodHound will execute a Cypher query that finds all paths from any node to the Domain Admins group. The graph will display nodes and edges; you can click on a node to see its properties (e.g., SID, password age, group memberships). Hover over edges to see the relationship type (e.g., MemberOf, AdminTo). The path length is shown; shorter paths are more dangerous. Other useful queries: 'Find Kerberoastable Users', 'Find AS-REP Roastable Users', 'Find Computers where Domain Users are Local Admin'.

5. Analyze and Exploit Paths

Identify the most promising attack paths. For example, if a path shows UserA -> ForceChangePassword -> UserB -> MemberOf -> Domain Admins, you can change UserB's password and authenticate as them. Verify the ACE using PowerView (a ForceChangePassword edge is the User-Force-Change-Password extended right, which GenericAll also includes): `Get-DomainObjectAcl -Identity UserB -ResolveGUIDs | ? {$_.ActiveDirectoryRights -match 'GenericAll' -or $_.ObjectAceType -eq 'User-Force-Change-Password'}`. Execute the attack: use `net user UserB NewPass /domain` or `Set-DomainUserPassword -Identity UserB -AccountPassword (ConvertTo-SecureString 'NewPass' -AsPlainText -Force)`. Once you have Domain Admin access, you can optionally run SharpHound again to collect additional data (e.g., sessions) for further lateral movement.

What This Looks Like on the Job

In a 10,000-user enterprise with multiple domains and trusts, BloodHound is indispensable for penetration testers. One common scenario is assessing the security of a merger or acquisition where two AD forests are connected via a trust. The tester deploys SharpHound on a workstation in the acquired company's domain, collects data, and imports it into BloodHound. The graph reveals that a helpdesk group in the acquired domain has 'GenericWrite' permissions on a user who is a member of 'Administrators' in the parent domain via a group from the parent domain being nested in a local group. This path would be nearly impossible to find manually. The tester then exploits it by resetting the user's password and logging into the parent domain.

Another scenario: A financial institution uses a tiered administration model, but BloodHound uncovers that a Tier 2 server has a local admin account whose password is stored in a Group Policy Preference (GPP) that is readable by all domain users. The path shows: Domain Users -> Read GPO -> SYSVOL share -> cpassword decryption -> local admin on Tier 2 server -> session with Tier 0 admin. The tester exploits the GPP vulnerability (MS14-025) to extract the password and pivot to Tier 0.

Performance considerations: For domains with 100,000+ objects, Neo4j may require a dedicated server with 16GB+ RAM. SharpHound collection can take hours if session collection is enabled across many machines. Testers often run collection in chunks (e.g., sessions only during business hours, ACLs overnight). Misconfiguration example: A tester runs SharpHound without specifying -d, causing LDAP queries to flood the domain controller, triggering an alert and locking the account. Another common mistake: importing data from multiple runs without clearing the database, leading to duplicate nodes and incorrect path calculations. Best practice: use --ClearCache flag or restart Neo4j with a fresh database for each engagement.

How PT0-002 Actually Tests This

The PT0-002 exam tests BloodHound under Objective 2.2 (Given a scenario, analyze the output from a reconnaissance tool). You must be able to interpret BloodHound graph output and identify attack paths. Specifically:

Recognize that a red node indicates a high-value target (like Domain Admins).

Understand that edges like 'ForceChangePassword', 'AddMember', 'GenericAll', 'WriteOwner' represent ACL abuse opportunities.

Know that 'Shortest Paths to Domain Admins' is the most common query.

Identify Kerberoastable users (those with an SPN) from BloodHound's 'Find Kerberoastable Users' query.

Identify AS-REP Roastable users (those with 'Does not require pre-authentication' flag).

Common wrong answers:

1. 'BloodHound can crack passwords' - Wrong. BloodHound only identifies accounts vulnerable to Kerberoasting/AS-REP roasting; cracking is done offline with Hashcat or John.

2. 'BloodHound requires admin privileges on the target domain' - Wrong. SharpHound only needs a domain user account with LDAP read access (default for all domain users). Session collection may need admin, but basic collection does not.

3. 'BloodHound is a vulnerability scanner' - Wrong. It maps relationships, not vulnerabilities (though it can highlight misconfigurations).

4. 'BloodHound can only be used for attack, not defense' - Wrong. Blue teams use BloodHound to find and fix attack paths.

Exam edge cases:

BloodHound can enumerate multiple domains in a forest if the user has appropriate rights.

The 'Group' collection method does not collect ACLs; 'ACL' method does not collect groups.

SharpHound's loop mode (--loopinterval) is for session collection only, not for ACLs.

If the domain controller is Linux-based (Samba), SharpHound may not work due to schema differences.

Elimination strategy: If a question asks 'Which tool would you use to find an attack path from a standard user to Domain Admin?' the answer is BloodHound (not PowerView, which lists but does not graph paths; not Nessus, which is a vulnerability scanner; not Nmap, which is for network scanning).

Key Takeaways

BloodHound uses graph theory to map AD relationships and find privilege escalation paths.

SharpHound is the data collector; it only needs a standard domain user account for basic collection.

Key ACL edges: ForceChangePassword, AddMember, GenericAll, WriteOwner, WriteDacl, AllExtendedRights.

Built-in queries include Shortest Paths to Domain Admins, Find Kerberoastable Users, Find AS-REP Roastable Users.

BloodHound does not crack passwords; it identifies accounts vulnerable to Kerberoasting/AS-REP roasting.

Session collection requires admin rights on target machines.

BloodHound can be used for both offensive and defensive security assessments.

Common attack paths: group nesting, ACL abuse, Kerberoasting, AS-REP roasting, GPO abuse, domain trusts.

Easy to Mix Up

These come up on the exam all the time. Here's how to tell them apart.

BloodHound

Graph-based visualization of relationships

Automatically finds attack paths (e.g., shortest path to DA)

Requires Neo4j database and separate UI

Data collection via SharpHound (binary/PS)

Better for large-scale analysis and reporting

PowerView

Command-line PowerShell tool for AD enumeration

Manual queries to list objects and permissions

No database needed, runs in PowerShell session

Directly queries LDAP via PowerShell cmdlets

Better for quick, ad-hoc enumeration

Watch Out for These

Mistake: BloodHound requires administrative privileges on the domain.

Correct: BloodHound's SharpHound collector only requires a standard domain user account with LDAP read access, which is granted by default to all authenticated users. Session collection may require admin on target machines, but the core data collection (users, groups, ACLs) does not.

Mistake: BloodHound can crack passwords or hashes.

Correct: BloodHound identifies accounts that are vulnerable to Kerberoasting or AS-REP roasting, but it does not perform the cracking. Attackers must use tools like Hashcat or John the Ripper on the extracted tickets or AS-REPs.

Mistake: BloodHound only works in a single domain environment.

Correct: BloodHound supports multi-domain and multi-forest environments. SharpHound can collect trust relationships and BloodHound can visualize cross-domain attack paths, provided the user has appropriate permissions.

Mistake: BloodHound is a vulnerability scanner like Nessus.

Correct: BloodHound is a relationship mapper that reveals attack paths based on AD configurations and permissions. It does not scan for CVEs or missing patches. It complements vulnerability scanners by focusing on privilege escalation paths.

Mistake: BloodHound is only useful for attackers.

Correct: Defenders use BloodHound to identify and remediate attack paths. By running BloodHound from a domain user perspective, blue teams can find unintended privilege escalation routes and harden AD configurations.


Frequently Asked Questions

What is the difference between BloodHound and SharpHound?

SharpHound is the data collector that runs on a domain-joined machine to gather AD information (users, groups, ACLs, sessions, etc.) and outputs JSON files. BloodHound is the analysis tool that imports these JSON files into a Neo4j graph database and provides a UI to visualize attack paths. In short, SharpHound collects the data; BloodHound analyzes it.

Can BloodHound be used without a domain account?

No, SharpHound requires a domain account to authenticate to the domain controller and perform LDAP queries. However, if you have a compromised machine on the domain, you can run SharpHound from that machine using the context of the logged-on user. Without any domain credentials, you cannot collect data.

How do I interpret a BloodHound graph edge that says 'ForceChangePassword'?

This edge means the source node (user or group) has the permission to change the password of the target node (user) without knowing the current password. This is a powerful privilege because the attacker can set a new password for the target user and then authenticate as that user. To exploit, use `net user <target> NewPassword /domain` or PowerView's `Set-DomainUserPassword`.

What is the 'Shortest Paths to Domain Admins' query?

This is a built-in BloodHound query that uses Cypher to find all paths from any node in the graph to the Domain Admins group, ordered by path length (shortest first). Each path shows the sequence of relationships (e.g., MemberOf, AdminTo, ForceChangePassword) that an attacker could use to escalate privileges. It is the most common starting point for analysis.

Does BloodHound work in Azure AD or Office 365?

BloodHound itself is for on-premises Active Directory. For Azure AD, there is a separate tool called AzureHound that collects Azure AD objects (users, groups, apps, roles) and imports them into BloodHound's Neo4j database. AzureHound uses the Microsoft Graph API and requires an Azure AD user account with appropriate permissions.

How can I avoid detection when running SharpHound?

Use throttling (`-d 200` or higher) to slow down LDAP queries. Run during off-peak hours. Use `--EncryptedZip` to protect output. Avoid session collection if unnecessary (it is noisy). Consider using the PowerShell version with obfuscation. Some testers run SharpHound from a Cobalt Strike beacon using execute-assembly to evade AMSI. Note that advanced EDR may still detect SharpHound's LDAP query patterns.

What is the difference between 'GenericAll' and 'AllExtendedRights'?

Both are powerful ACL permissions. 'GenericAll' grants full control over the object, including the ability to change any attribute, reset password, and modify security descriptors. 'AllExtendedRights' grants all extended rights (e.g., 'User-Force-Change-Password' for users, 'DS-Replication-Get-Changes' for domain objects). In practice, 'GenericAll' is more dangerous because it includes 'AllExtendedRights' plus write access to all properties.

