Individual AD misconfigurations look innocuous on their own. A group with a few extra members. A computer with delegation enabled. A user with GenericWrite on a colleague’s account. In isolation, each is a “maybe low risk.” When graph-analysed together, they form attack paths — concrete, stepwise routes from any foothold to Domain Admin.
BloodHound is the tool that turns this relationship graph into a queryable database. In defence or offence, if you run it against your own AD once, you will know more about your environment than most internal teams.
What BloodHound is
BloodHound is two parts:
- Collectors — SharpHound (Windows), AzureHound (for Entra ID / Azure AD), BloodHound.py (cross-platform). These enumerate AD and collect: users, groups, computers, ACLs, sessions, local-admin rights, trust relationships, delegation settings, GPO links, and more. Output: JSON files.
- Analyzer / visualiser — a Neo4j-backed web interface that ingests the JSON and renders the directory as a graph. Nodes are principals and resources; edges are relationships. The graph is queryable with Cypher and comes with pre-built queries for common attack paths.
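The graph idea in miniature, as an added example (not BloodHound's own code): a handful of constructed edges of the kinds SharpHound collects, a shortest-path search from a foothold to Domain Admins, and the remediation question BloodHound Enterprise calls choke points, namely which single edge's removal cuts the most paths. The relationship names are BloodHound's edge types; every user, group and host is made up.

```python
"""Attack-path search over a BloodHound-style relationship graph.

Added example, not BloodHound's code. Relationship names are BloodHound's
edge types; every principal, group and host below is constructed.
"""
from collections import deque

DOMAIN = "CORP.EXAMPLE.COM"
DOMAIN_ADMINS = f"DOMAIN ADMINS@{DOMAIN}"

# (source, edge, target): "source has <edge> over target". Constructed data.
EDGES = [
    (f"PRIYA@{DOMAIN}",        "MemberOf",     f"HELPDESK@{DOMAIN}"),
    (f"ARUN@{DOMAIN}",         "MemberOf",     f"HELPDESK@{DOMAIN}"),
    (f"HELPDESK@{DOMAIN}",     "GenericWrite", f"SVC_BACKUP@{DOMAIN}"),  # "low risk" ACL on its own
    (f"SVC_BACKUP@{DOMAIN}",   "AdminTo",      f"FS01.{DOMAIN}"),        # local admin on one host
    (f"MEI@{DOMAIN}",          "MemberOf",     f"DEVS@{DOMAIN}"),
    (f"DEVS@{DOMAIN}",         "AdminTo",      f"FS01.{DOMAIN}"),
    (f"FS01.{DOMAIN}",         "HasSession",   f"ADM_RAJ@{DOMAIN}"),     # a DA is logged on there
    (f"ADM_RAJ@{DOMAIN}",      "MemberOf",     DOMAIN_ADMINS),
    (f"GUEST@{DOMAIN}",        "MemberOf",     f"DOMAIN USERS@{DOMAIN}"),
    (f"DOMAIN USERS@{DOMAIN}", "CanRDP",       f"WS07.{DOMAIN}"),        # dead end: no onward edge
]

def build_graph(edges):
    """Adjacency list: node -> [(edge_type, target)]."""
    adj = {}
    for src, rel, dst in edges:
        adj.setdefault(src, []).append((rel, dst))
        adj.setdefault(dst, [])
    return adj

def shortest_path(adj, start, goal):
    """BFS from start; returns the hop list [(src, edge, dst), ...] or None."""
    if start == goal:
        return []
    parent = {start: None}
    queue = deque([start])
    while queue:
        node = queue.popleft()
        for rel, nxt in adj.get(node, []):
            if nxt in parent:
                continue
            parent[nxt] = (node, rel)
            if nxt == goal:
                hops, cur = [], nxt
                while parent[cur] is not None:
                    prev, r = parent[cur]
                    hops.append((prev, r, cur))
                    cur = prev
                return hops[::-1]
            queue.append(nxt)
    return None

def footholds_reaching(adj, goal):
    """Every node other than goal from which goal is reachable."""
    return {n for n in adj if n != goal and shortest_path(adj, n, goal) is not None}

def choke_points(edges, goal):
    """For each edge, how many footholds lose their path to goal if it is removed.
    Sorted most-impactful first; this is the remediation view of the graph."""
    baseline = footholds_reaching(build_graph(edges), goal)
    scored = []
    for e in edges:
        remaining = footholds_reaching(build_graph([x for x in edges if x != e]), goal)
        scored.append((len(baseline - remaining), e))
    return sorted(scored, key=lambda t: -t[0])

if __name__ == "__main__":
    adj = build_graph(EDGES)
    for src, rel, dst in shortest_path(adj, f"PRIYA@{DOMAIN}", DOMAIN_ADMINS):
        print(f"{src} -[{rel}]-> {dst}")
    print(len(footholds_reaching(adj, DOMAIN_ADMINS)), "principals/hosts reach Domain Admins")
    for cut, (src, rel, dst) in choke_points(EDGES, DOMAIN_ADMINS)[:3]:
        print(f"removing {src} -[{rel}]-> {dst} cuts {cut} footholds")
```

Running it shows a five-hop path from an ordinary helpdesk user to Domain Admins, eight of the twelve nodes with some route in, and the top two cuts both involving the DA account itself: the membership edge (not a fix) and the HasSession edge on FS01, which is the real finding, a tier-zero account logging on to a file server. BloodHound answers the same questions with Cypher `shortestPath` queries over Neo4j and far more edge types, but the composition of individually harmless edges is the whole point.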
Since 2023, the community standard is BloodHound Community Edition (BHCE) from SpecterOps — a cleaner, actively-maintained rebuild of the original. BloodHound Enterprise is the commercial version with continuous monitoring and remediation workflow.
Running a collection
On a domain-joined Windows host, under any authenticated domain user (no elevated rights are needed for the LDAP-based collection methods; Session and LocalAdmin additionally reach out to member hosts over SMB/RPC):
# Broadest collection: every method, including the ones that contact every host
SharpHound.exe -c All
# LDAP-only subset: no SMB/RPC to member hosts, far less noise on EDR-watched networks
SharpHound.exe -c Group,Trusts,ACL
# DCOnly bundles the LDAP-only methods (Group, Trusts, ACL, ObjectProps, Container, GPOLocalGroup)
SharpHound.exe -c DCOnly
# Host-touching methods only (SMB/RPC to each computer object)
SharpHound.exe -c Session,LocalAdmin
# Slow the host-touching methods down: delay between hosts in ms, plus percentage jitter
SharpHound.exe -c Session,LocalAdmin --throttle 2000 --jitter 30
# Write the zipped JSON to a chosen location
SharpHound.exe -c All --outputdirectory C:\Temp\bh --zipfilename bh-data.zip
From Linux (no Windows session needed; -ns points name resolution at a DC, and --zip produces the archive the UI ingests):
bloodhound-python -u priya -p Password123 \
-d corp.example.com -ns 10.0.0.1 -c All --zip
Time to collect: seconds to a few minutes for a small domain; tens of minutes for 10,000+ users.
Defender signals: SharpHound collection produces a burst of LDAP queries against the DC (one account paging through every user, group, computer and nTSecurityDescriptor within minutes; visible in Directory Service logging once the Field Engineering diagnostic level is raised for event 1644, and to Microsoft Defender for Identity's reconnaissance alerts), and, when Session or LocalAdmin is requested, SMB/RPC connections from a single workstation to hundreds of hosts in quick succession (NetSessionEnum via the srvsvc pipe on IPC$, SAMR for local group membership). Some EDRs also fingerprint the LDAP query patterns themselves. Against mature defences, restrict to the LDAP-only methods and throttle the host-touching ones.
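To make the session-enumeration signal concrete, here is an added detection example written for this page, not a vendor rule. Session collection calls NetSessionEnum on each target, which reaches the srvsvc named pipe over the IPC$ share; with object-access auditing for file shares enabled, each target logs Security event 5145 with ShareName \\*\IPC$ and RelativeTargetName srvsvc. The records below are constructed (one sweep plus benign monitoring traffic), and the threshold of 20 distinct hosts inside a 10-minute window is an assumption to tune against your own baseline.

```python
"""Fan-out detection for BloodHound-style session enumeration.

Added example, not BloodHound's or any vendor's code. Records are constructed
Security event 5145 entries; the window and host threshold are assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=10)
MIN_HOSTS = 20   # assumed threshold; tune against your own baseline

def make_events():
    """Constructed 5145 records: one SharpHound-style sweep plus benign noise."""
    base = datetime(2024, 3, 4, 9, 0, 0)
    events = []
    # Sweep: one workstation queries srvsvc on 60 hosts in about three minutes
    for i in range(60):
        events.append({"time": base + timedelta(seconds=3 * i), "EventID": 5145,
                       "SubjectUserName": "priya", "IpAddress": "10.0.5.23",
                       "Computer": f"WS{i:03d}.corp.example.com",
                       "ShareName": r"\\*\IPC$", "RelativeTargetName": "srvsvc"})
    # Monitoring server polling the same 5 hosts every 5 minutes all morning: benign
    for i in range(40):
        events.append({"time": base + timedelta(minutes=5 * i), "EventID": 5145,
                       "SubjectUserName": "svc_monitor", "IpAddress": "10.0.1.10",
                       "Computer": f"APP{i % 5:02d}.corp.example.com",
                       "ShareName": r"\\*\IPC$", "RelativeTargetName": "srvsvc"})
    # Ordinary file access on a data share: not a probe, ignored by the rule
    events.append({"time": base, "EventID": 5145, "SubjectUserName": "priya",
                   "IpAddress": "10.0.5.23", "Computer": "FS01.corp.example.com",
                   "ShareName": r"\\*\Finance", "RelativeTargetName": "Q1.xlsx"})
    return sorted(events, key=lambda e: e["time"])

def is_srvsvc_probe(e):
    """5145 against the srvsvc pipe on IPC$, the footprint of NetSessionEnum."""
    return (e["EventID"] == 5145 and e["ShareName"].upper().endswith(r"\IPC$")
            and e["RelativeTargetName"].lower() == "srvsvc")

def detect_session_sweeps(events, window=WINDOW, min_hosts=MIN_HOSTS):
    """Return {(user, src_ip): peak distinct target hosts inside any window}
    for every source that reached at least min_hosts hosts in one window."""
    by_source = defaultdict(list)
    for e in events:
        if is_srvsvc_probe(e):
            by_source[(e["SubjectUserName"], e["IpAddress"])].append((e["time"], e["Computer"]))
    hits = {}
    for src, probes in by_source.items():
        probes.sort()
        peak, left = 0, 0
        for right in range(len(probes)):
            # slide the left edge so probes[left:right+1] spans at most one window
            while probes[right][0] - probes[left][0] > window:
                left += 1
            distinct = len({host for _, host in probes[left:right + 1]})
            peak = max(peak, distinct)
        if peak >= min_hosts:
            hits[src] = peak
    return hits

if __name__ == "__main__":
    for (user, ip), hosts in detect_session_sweeps(make_events()).items():
        print(f"session-enumeration sweep: {user} from {ip} reached {hosts} hosts in one window")
```

The monitoring account touches the same five hosts all day and never exceeds three distinct targets per window, so it stays quiet; the sweep from one workstation to 60 hosts in three minutes is flagged. The same sliding-window fan-out logic applies to 4624 type-3 logons on the targets, or to 1644 records on the DC for the LDAP side.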
Loading and exploring the graph
Start Neo4j and the BloodHound UI. Drag the zip into the browser. Wait for import to finish (a minute for most mid-size AD).
Left sidebar gives you pre-built queries: