BloodHound changed offensive AD. Before BloodHound (2016, by SpecterOps), attack paths were discovered manually by experienced operators. After BloodHound, any pentester with domain user credentials runs a data collection + GUI query and has the shortest path to Domain Admin visualized in minutes. This module explains why BloodHound works — graph theory applied to AD’s inherent relationships — and why the visualization is often more valuable than the exploitation.

Why this matters

AD is a graph. Users are in groups. Groups contain other groups. Computers are owned by principals. Principals have ACL rights on objects. Delegation exists between principals and SPNs. Trusts connect forests. Every object has a permission (ACL) relationship with every other.

Before BloodHound, most defenders assumed their domain was a forest of trees: users → groups → rights. But AD has thousands of ACL-based edges. WriteDacl, GenericAll, GenericWrite, WriteOwner — any of these on a sensitive target is a privilege escalation path. Graph theory finds paths across these edges in milliseconds.

The data collection

# BloodHound Python (cross-platform, runs from attacker Linux)
bloodhound-python -u alice.smith -p Password1 -d corp.local -c All -ns 10.1.1.1

# SharpHound C# (runs from Windows, often in-memory for evasion)
SharpHound.exe --CollectionMethods All -d corp.local

# Collection methods:
# - DCOnly: minimal, LDAP only
# - Default: LDAP + session enum
# - All: everything (ACL, session, local group, loggedon)

# Output: JSON files per object type (users.json, groups.json, etc.)
# Import to BloodHound GUI via Neo4j backend

The collection itself is noisy (many LDAP queries, SMB enumeration for sessions and local groups). Detection rules exist; most environments don’t deploy them. Defensive tools (Falcon Insight, Microsoft Defender for Identity) detect SharpHound specifically.

Key edge types

MemberOf: user in group, group in group. Classic privilege inheritance.
AdminTo: principal is local admin on computer. Enables RCE via PsExec/WMI.
HasSession: user has active session on computer. Compromise computer = extract cached credentials.
GenericAll: full control of object. Can reset password, set SPN, modify ACLs.
GenericWrite: write any property. Can set Kerberos delegation, modify attributes.
WriteDacl: modify ACL. Can grant self any right.
WriteOwner: change owner. New owner can grant any right.
ForceChangePassword: can reset password without knowing current (classic helpdesk power).
AddMember: can add members to group.
AllowedToDelegate: constrained delegation target.
AllowedToAct: RBCD — can act on behalf of this resource.
DCSync: can replicate directory changes (extract all hashes).
CanPSRemote: PowerShell Remoting access.

Real attack paths BloodHound finds

# Example 1: 3-hop path
#   alice.smith (user)
#     → MemberOf → HELPDESK_GROUP
#     → ForceChangePassword → IT_ADMIN (user, Domain Admin)
#
# Execution:
#   net rpc password IT_ADMIN "NewPassword123!" -U alice.smith
#   → Login as IT_ADMIN → full DA power

# Example 2: ACL abuse
#   alice (user) → GenericWrite → SVC_SQL (service account)
#   → Set SPN on SVC_SQL, Kerberoast, crack → SQL service admin
#   → From SQL server: extract credentials, find DA session cached

# Example 3: Delegation chain
#   bob (user) → AddMember → Computer WEB01
#   → bob makes himself allowed on WEB01 via RBCD
#   → WEB01 has unconstrained delegation or access to DA credentials
#   → Chain to DA

# Example 4: Computer as attacker
#   Any computer in Domain Computers → DCSync (unusual but happens)
#   → Any compromised computer → krbtgt hash → Golden Ticket

Advanced BloodHound queries

# Find paths ignoring group membership (pure ACL-based)
MATCH p=shortestPath((n {owned:true})-[r:GenericAll|GenericWrite|WriteDacl|WriteOwner|AddMember|ForceChangePassword*1..]->(m:Group {name:'DOMAIN ADMINS@CORP.LOCAL'}))
RETURN p

# Find shortcuts via Kerberoastable users
MATCH p=shortestPath((n:User {owned:true})-[r*1..]->(m:User {hasspn:true}))
WHERE m.enabled=true
RETURN p

# Find computers where DA session is cached
MATCH (u:User)-[:MemberOf*1..]->(g:Group {name:'DOMAIN ADMINS@CORP.LOCAL'})
MATCH (u)-[:HasSession]->(c:Computer)
RETURN c

# Find users owned + all their delegation rights
MATCH (u:User {owned:true})-[r:AllowedToDelegate|AllowedToAct]->(c:Computer)
RETURN u, r, c

BloodHound Community Edition vs Enterprise

Community Edition (free, still updated): the version most pentesters use. Neo4j backend, PNG graph export, Cypher queries, built-in attack-path queries.

BloodHound Enterprise (SpecterOps, paid): continuously monitors your AD; tracks attack path count over time; risk scoring; remediation recommendations. For defenders.

🔐 Intermediate Module · Basic Tier

Continue reading with Basic tier (₹499/month)

You've read 33% of this module. Unlock the remaining deep-dive, quiz, and every other Intermediate module.

99+ modulesAll levels up to this tier

20-question quizzesUnlimited retries with explanations

Completion certificatesShareable on LinkedIn

See pricing → Sign in

3 more sections locked below

Module 3 · BloodHound — Graph Theory Meets AD 🔒

Why this matters

The data collection

Key edge types

Real attack paths BloodHound finds

Advanced BloodHound queries

BloodHound Community Edition vs Enterprise

Continue reading with Basic tier (₹499/month)

Other modules in this track

Module 9 · Hybrid AD — On-Prem Meets Cloud <span style="color:#6EC1E4;font-size:0.7em;vertical-align:middle;" title="Academy lesson — sign in for full access">🔒</span>

Module 10 · AD Detection — What Good Looks Like <span style="color:#6EC1E4;font-size:0.7em;vertical-align:middle;" title="Academy lesson — sign in for full access">🔒</span>

Module 7 · Trusts — Legacy Merger Paths <span style="color:#6EC1E4;font-size:0.7em;vertical-align:middle;" title="Academy lesson — sign in for full access">🔒</span>