BloodHound Cheatsheet

Active Directory relationship visualization and attack path discovery tool.


Components

| Component | Description |
|---|---|
| BloodHound | GUI for visualizing and querying AD relationships |
| SharpHound | C# data collector (runs on Windows domain-joined hosts) |
| bloodhound-python | Python-based remote collector (runs from Linux) |
| Neo4j | Graph database backend |

Installation

BloodHound + Neo4j (Linux)

sudo apt install bloodhound neo4j
sudo neo4j console

Default Neo4j credentials: neo4j:neo4j (change on first login at http://localhost:7474)

bloodhound-python (Linux Collector)

pip install bloodhound

Data Collection

SharpHound (Windows)

All Collection Methods

.\SharpHound.exe -c All --zipfilename output

Specific Collection Methods

.\SharpHound.exe -c DCOnly
.\SharpHound.exe -c Session,LoggedOn
.\SharpHound.exe -c Group,Trusts,ACL

With Credentials

.\SharpHound.exe -c All -d domain.local --ldapusername user --ldappassword pass

Loop Session Collection

.\SharpHound.exe -c Session --Loop --LoopDuration 02:00:00 --LoopInterval 00:05:00

SharpHound Collection Methods

| Method | Description |
|---|---|
| Default | Group membership, domain trusts, local admin, sessions |
| All | All collection methods |
| DCOnly | Collectable from DC only (no host enumeration) |
| Session | Session data |
| LoggedOn | Privileged session collection |
| Group | Group membership |
| Trusts | Domain trust data |
| ACL | ACL data |
| ObjectProps | Object properties |
| Container | OU/GPO container structure |
| RDP | Remote Desktop access |
| DCOM | DCOM access |
| PSRemote | PowerShell Remoting access |
| SPNTargets | SPN targets |

Additional SharpHound Flags

| Flag | Description |
|---|---|
| --zipfilename NAME | Custom output zip file name |
| -s / --searchforest | Search all domains in the forest |
| --stealth | Stealth collection (prefer DCOnly) |
| -f FILTER | Add LDAP filter to pregenerated filter |
| --computerfile FILE | File with specific computer targets |

bloodhound-python (Linux)

Basic Collection

bloodhound-python -u user -p 'Password123' -d domain.local -ns 172.16.5.5 -c All

With Specific Domain Controller and DNS Server

bloodhound-python -u user -p 'Password123' -d domain.local -dc dc01.domain.local -ns 172.16.5.5 -c All

Using the BloodHound GUI

Start BloodHound

sudo neo4j start
bloodhound

Import Data

  1. Click the “Upload Data” button (up arrow icon)
  2. Select the .json or .zip files from SharpHound/bloodhound-python

Built-in Queries

| Query | Description |
|---|---|
| Find all Domain Admins | Maps DA group members |
| Find Shortest Paths to Domain Admins | Attack paths to DA |
| Find Principals with DCSync Rights | Users that can perform DCSync |
| Find Computers with Unsupported OS | Legacy systems |
| Find Kerberoastable Accounts | SPNs set on user accounts |
| Find AS-REP Roastable Users | Pre-auth disabled accounts |
| Shortest Paths to High Value Targets | Quickest escalation paths |
| Find Computers Where Domain Users are Local Admin | Over-permissioned hosts |

Custom Cypher Queries

Find All Kerberoastable Users

MATCH (u:User) WHERE u.hasspn=true RETURN u.name, u.serviceprincipalnames

Find Users with Admin Count

MATCH (u:User) WHERE u.admincount=true RETURN u.name

Shortest Path from Owned User to Domain Admin

MATCH p=shortestPath((u:User {owned:true})-[*1..]->(g:Group {name:"DOMAIN ADMINS@DOMAIN.LOCAL"})) RETURN p

Find All Sessions

MATCH p=(c:Computer)-[:HasSession]->(u:User) RETURN p
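
What the shortest-path query above computes, as an added Python example (not part of the original cheatsheet and not BloodHound's own code): a breadth-first search over a small constructed graph, plus a defender's check of which single edges sever the path when removed. The node names, sample edges, and the helpers `shortest_path` and `choke_points` are assumptions; `MemberOf` and `AdminTo` are standard BloodHound edge types that do not appear on this page.

```python
from collections import deque

# Constructed sample graph (not real collection output). HasSession is the
# edge used on this page; MemberOf and AdminTo are assumed standard edges.
EDGES = [
    ("ALICE@DOMAIN.LOCAL", "MemberOf", "HELPDESK@DOMAIN.LOCAL"),
    ("HELPDESK@DOMAIN.LOCAL", "AdminTo", "WS01.DOMAIN.LOCAL"),
    ("WS01.DOMAIN.LOCAL", "HasSession", "SVC_BACKUP@DOMAIN.LOCAL"),
    ("SVC_BACKUP@DOMAIN.LOCAL", "MemberOf", "DOMAIN ADMINS@DOMAIN.LOCAL"),
    ("HELPDESK@DOMAIN.LOCAL", "AdminTo", "WS02.DOMAIN.LOCAL"),
    ("BOB@DOMAIN.LOCAL", "MemberOf", "DOMAIN USERS@DOMAIN.LOCAL"),
]
OWNED = {"ALICE@DOMAIN.LOCAL"}          # nodes marked "Owned"
TARGET = "DOMAIN ADMINS@DOMAIN.LOCAL"   # high-value target


def shortest_path(edges, owned, target):
    """Breadth-first search from every owned node. Returns a list of
    (source, relationship, destination) hops, or None if unreachable."""
    adjacency = {}
    for src, rel, dst in edges:
        adjacency.setdefault(src, []).append((rel, dst))
    queue = deque((node, []) for node in sorted(owned))
    seen = set(owned)
    while queue:
        node, path = queue.popleft()
        if node == target:
            return path
        for rel, dst in adjacency.get(node, []):
            if dst not in seen:
                seen.add(dst)
                queue.append((dst, path + [(node, rel, dst)]))
    return None


def choke_points(edges, owned, target):
    """Edges whose removal alone leaves the target unreachable from owned nodes."""
    if shortest_path(edges, owned, target) is None:
        return []
    return [e for e in edges
            if shortest_path([x for x in edges if x != e], owned, target) is None]


if __name__ == "__main__":
    for src, rel, dst in shortest_path(EDGES, OWNED, TARGET):
        print(f"{src} -[{rel}]-> {dst}")
    print("Remediation candidates:", choke_points(EDGES, OWNED, TARGET))
```

Each edge returned by `choke_points` is a single relationship (a group membership, a local admin right, or a privileged session on a workstation) whose removal breaks the only path in this sample graph.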

Tips

  • Mark compromised users/computers as “Owned” to find paths from your current position
  • Mark high-value targets to focus path discovery
  • Use “Shortest Paths from Owned Principals” after marking owned nodes
  • Session data is time-sensitive — re-collect periodically with --Loop
  • DCOnly collection is stealthier (no host enumeration)
  • Export graphs and paths for inclusion in reports