BloodHound Cheat Sheet

Overview

BloodHound is an open-source tool that uses graph theory to reveal hidden and often unintended relationships within an Active Directory (AD) environment. It helps security professionals identify complex attack paths that would be impractical to find by hand. BloodHound consists of two main components:

  1. SharpHound: The data collector that gathers information from Active Directory
  2. BloodHound GUI: The graphical interface that visualizes and analyzes the collected data

Installation

Windows

Neo4j Installation

```powershell
# Download Neo4j from https://neo4j.com/download/
# Extract the ZIP file
# Open command prompt as administrator
cd C:\path\to\neo4j\bin
neo4j.bat install-service
neo4j.bat start
```

BloodHound Installation

```powershell
# Download BloodHound from https://github.com/BloodHoundAD/BloodHound/releases
# Extract the ZIP file
# Run BloodHound.exe
```

Linux (Kali)

```bash
sudo apt update
sudo apt install bloodhound neo4j

# Start Neo4j service
sudo neo4j start

# Launch BloodHound
bloodhound
```

macOS

```bash
# Install Homebrew if not already installed
/bin/bash -c "$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/HEAD/install.sh)"

# Install Neo4j and BloodHound
brew install neo4j bloodhound

# Start Neo4j service
brew services start neo4j

# Launch BloodHound
bloodhound
```

BloodHound Community Edition (Docker)

```bash
# Install BloodHound CLI
curl -L https://github.com/SpecterOps/BloodHound/releases/latest/download/bloodhound-cli-linux-amd64 -o bloodhound-cli
chmod +x bloodhound-cli
sudo mv bloodhound-cli /usr/local/bin/

# Deploy BloodHound CE
bloodhound-cli deploy
```

Data Collection

SharpHound (Windows Executable)

Basic Collection

```powershell
# Download SharpHound
Invoke-WebRequest -Uri https://github.com/BloodHoundAD/SharpHound/releases/latest/download/SharpHound.exe -OutFile SharpHound.exe

# Run SharpHound with default collection methods
.\SharpHound.exe --CollectionMethods All
```

Collection Methods

| Method | Description |
|---|---|
| All | Collect all data |
| Group | Collect group membership information |
| LocalGroup | Collect local admin information |
| GPOLocalGroup | Collect local admin information via GPO |
| Session | Collect session information |
| LoggedOn | Collect logged-on user information |
| Trusts | Collect domain trust information |
| ACL | Collect ACL information |
| Container | Collect container information |
| RDP | Collect Remote Desktop Users information |
| ObjectProps | Collect object properties |
| DCOM | Collect DCOM information |
| SPNTargets | Collect Service Principal Name information |
| PSRemote | Collect PowerShell Remoting information |

Advanced Collection Options

```powershell
# Collect specific data types
.\SharpHound.exe --CollectionMethods Group,LocalGroup,Session,ACL

# Collect data with stealth options (slower but less noisy)
.\SharpHound.exe --CollectionMethods All --Stealth

# Collect data from specific domain
.\SharpHound.exe --CollectionMethods All --Domain example.com

# Collect data with LDAP filtering
.\SharpHound.exe --CollectionMethods All --LdapFilter "(objectClass=user)"

# Collect data from specific OU
.\SharpHound.exe --CollectionMethods All --SearchBase "OU=Servers,DC=example,DC=com"

# Collect data through a specific domain controller
.\SharpHound.exe --CollectionMethods All --DomainController dc01.example.com
```

SharpHound PowerShell Module

Basic Collection

```powershell
# Import SharpHound module
Import-Module .\SharpHound.ps1

# Run SharpHound with default collection methods
Invoke-BloodHound -CollectionMethod All
```

Advanced Collection Options

```powershell
# Collect specific data types
Invoke-BloodHound -CollectionMethod Group,LocalGroup,Session,ACL

# Collect data with stealth options
Invoke-BloodHound -CollectionMethod All -Stealth

# Collect data from specific domain
Invoke-BloodHound -CollectionMethod All -Domain example.com

# Collect data with LDAP filtering
Invoke-BloodHound -CollectionMethod All -LdapFilter "(objectClass=user)"

# Collect data from specific OU
Invoke-BloodHound -CollectionMethod All -SearchBase "OU=Servers,DC=example,DC=com"
```

BloodHound.py (Linux/macOS)

Installation

```bash
pip install bloodhound
```

Basic Collection

```bash
bloodhound-python -u username -p password -d domain.local -ns 10.10.10.10 -c All
```

Advanced Collection Options

```bash
# Collect specific data types
bloodhound-python -u username -p password -d domain.local -ns 10.10.10.10 -c Group,LocalAdmin,Session,ACL

# Collect data with Kerberos authentication
bloodhound-python -u username -p password -d domain.local -ns 10.10.10.10 -c All --kerberos

# Collect data through a specific domain controller
bloodhound-python -u username -p password -d domain.local -ns 10.10.10.10 -c All -dc dc01.domain.local

# Use TCP instead of UDP for DNS queries
bloodhound-python -u username -p password -d domain.local -ns 10.10.10.10 -c All --dns-tcp

# Collect data over LDAPS
bloodhound-python -u username -p password -d domain.local -ns 10.10.10.10 -c All --use-ldaps
```

AzureHound (Azure AD)

Installation

```powershell
# Download AzureHound
Invoke-WebRequest -Uri https://github.com/BloodHoundAD/AzureHound/releases/latest/download/azurehound-windows-amd64.zip -OutFile azurehound.zip
Expand-Archive -Path azurehound.zip -DestinationPath .
```

Basic Collection

```powershell
# Authenticate to Azure
Connect-AzAccount

# Run AzureHound
.\azurehound.exe -o azure_data.zip
```

Using BloodHound

Neo4j Database Connection

  • Default URL: bolt://localhost:7687
  • Default credentials: neo4j/neo4j (first login requires password change)

Data Import

  1. Launch BloodHound
  2. Connect to Neo4j database
  3. Drag and drop the ZIP file containing SharpHound data
  4. Wait for import to complete

Pre-Built Queries

BloodHound comes with several pre-built queries accessible from the "Queries" tab:

Finding Privileged Users

  • Find all Domain Admins
  • Find all Enterprise Admins
  • Find Shortest Paths to Domain Admins
  • Find Shortest Paths to High Value Targets

Finding Attack Paths

  • Find Shortest Paths to Domain Admins
  • Find Shortest Paths to High Value Targets
  • Find Shortest Paths to Unconstrained Delegation Systems

Finding Vulnerable Configurations

  • Find Kerberoastable Users
  • Find AS-REP Roastable Users
  • Find Computers with Unconstrained Delegation
  • Find Computers with Constrained Delegation
  • Find Domain Trusts

Custom Cypher Queries

Find Shortest Paths to Domain Admins

```cypher
MATCH (n:User),(m:Group {name:'DOMAIN ADMINS@DOMAIN.LOCAL'}),p=shortestPath((n)-[*1..]->(m)) RETURN p
```

Find Kerberoastable Users with Path to Domain Admins

```cypher
MATCH (n:User {hasspn:true}),(m:Group {name:'DOMAIN ADMINS@DOMAIN.LOCAL'}),p=shortestPath((n)-[*1..]->(m)) RETURN p
```

Find Computers with Local Admin Rights

```cypher
MATCH (u:User),(c:Computer),p=(u)-[:AdminTo]->(c) RETURN p
```

Find Users with DCSync Rights

```cypher
MATCH (u:User),(d:Domain),p=(u)-[:DCSync]->(d) RETURN p
```

Find Computers with Constrained Delegation

```cypher
MATCH (c:Computer {trustedtoauth:true}) RETURN c
```

Find Attack Paths from Specific User

```cypher
MATCH (n:User {name:'USER@DOMAIN.LOCAL'}),(m:Group {name:'DOMAIN ADMINS@DOMAIN.LOCAL'}),p=shortestPath((n)-[*1..]->(m)) RETURN p
```

Find All Users with Path to High Value Targets

```cypher
MATCH (u:User),(g:Group),p=shortestPath((u)-[*1..]->(g)) WHERE g.highvalue=true RETURN p
```

Find Computers Where Domain Users Have Local Admin Rights

```cypher
MATCH (g:Group {name:'DOMAIN USERS@DOMAIN.LOCAL'}),(c:Computer),p=(g)-[:AdminTo]->(c) RETURN p
```

Find Computers with RDP Rights

```cypher
MATCH (u:User),(c:Computer),p=(u)-[:CanRDP]->(c) RETURN p
```

Find Users with Password Never Expires

```cypher
MATCH (u:User {pwdneverexpires:true}) RETURN u
```

Attack Techniques

Kerberoasting

Targets service accounts with SPNs to extract service ticket hashes for offline cracking.

Finding Kerberoastable Users

```cypher
MATCH (u:User {hasspn:true}) RETURN u
```

Finding Kerberoastable Users with Path to Domain Admins

```cypher
MATCH (n:User {hasspn:true}),(m:Group {name:'DOMAIN ADMINS@DOMAIN.LOCAL'}),p=shortestPath((n)-[*1..]->(m)) RETURN p
```

AS-REP Roasting

Targets user accounts with "Do not require Kerberos preauthentication" setting enabled.

Finding AS-REP Roastable Users

```cypher
MATCH (u:User {dontreqpreauth:true}) RETURN u
```

ACL Abuse

Exploits misconfigured access control lists to gain elevated privileges.

Finding WriteDacl Permissions

```cypher
MATCH (n:User),(m:Group {name:'DOMAIN ADMINS@DOMAIN.LOCAL'}),p=(n)-[:WriteDacl]->(m) RETURN p
```

Finding GenericAll Permissions

```cypher
MATCH (n:User),(m:Group {name:'DOMAIN ADMINS@DOMAIN.LOCAL'}),p=(n)-[:GenericAll]->(m) RETURN p
```

Unconstrained Delegation

Exploits computers with unconstrained delegation to steal user tickets.

Finding Computers with Unconstrained Delegation

```cypher
MATCH (c:Computer {unconstraineddelegation:true}) RETURN c
```

Constrained Delegation

Exploits misconfigured constrained delegation to impersonate users to specific services.

Finding Computers with Constrained Delegation

```cypher
MATCH (c:Computer {trustedtoauth:true}) RETURN c
```

Resource-Based Constrained Delegation

Exploits misconfigured resource-based constrained delegation to gain access to resources.

Finding Computers with Resource-Based Constrained Delegation

```cypher
MATCH (c:Computer)-[:AllowedToAct]->(t:Computer) RETURN c,t
```

DCSync

Exploits replication rights to perform domain controller synchronization and extract password hashes.

Finding Users with DCSync Rights

```cypher
MATCH (u:User),(d:Domain),p=(u)-[:DCSync]->(d) RETURN p
```

BloodHound Edge Types

| Edge Type | Description |
|---|---|
| MemberOf | User/Group is a member of a group |
| AdminTo | User/Group has local admin rights on a computer |
| HasSession | User has a session on a computer |
| CanRDP | User can RDP to a computer |
| ExecuteDCOM | User can execute DCOM on a computer |
| AllowedToDelegate | Computer is allowed to delegate to a service |
| AddAllowedToAct | Computer can act on behalf of another principal |
| AllowedToAct | Principal is allowed to act on behalf of another principal |
| Contains | OU/Container contains an object |
| GpLink | GPO is linked to an OU/Domain/Site |
| HasSIDHistory | Object has SID history of another object |
| TrustedBy | Domain is trusted by another domain |
| DCSync | User has rights to perform DCSync operation |
| GenericAll | User has full control over an object |
| GenericWrite | User can write to certain properties of an object |
| WriteDacl | User can modify the security descriptor of an object |
| WriteOwner | User can take ownership of an object |
| AddMember | User can add members to a group |
| ForceChangePassword | User can change another user's password |
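The shortestPath queries in the Custom Cypher Queries section and the edge table above describe the same thing: a directed graph whose edges are BloodHound's relationship types, walked hop by hop until a user reaches DOMAIN ADMINS. The following is an added example, not BloodHound's own code, that does that walk offline with a breadth-first search so a defender can list which accounts need remediation without a Neo4j instance; the nodes, edges and the hasspn set are constructed sample data in SharpHound's naming style, not collector output.

```python
from collections import deque

DA = "DOMAIN ADMINS@DOMAIN.LOCAL"
# Constructed sample data (not real SharpHound output): node -> label,
# then (source, edge type, target) using BloodHound's edge names.
NODES = {"ALICE@DOMAIN.LOCAL": "User", "BOB@DOMAIN.LOCAL": "User",
         "SVC_SQL@DOMAIN.LOCAL": "User", "CAROL@DOMAIN.LOCAL": "User",
         "HELPDESK@DOMAIN.LOCAL": "Group", "DOMAIN USERS@DOMAIN.LOCAL": "Group",
         DA: "Group", "WS01.DOMAIN.LOCAL": "Computer"}
EDGES = [("ALICE@DOMAIN.LOCAL", "MemberOf", "HELPDESK@DOMAIN.LOCAL"),
         ("HELPDESK@DOMAIN.LOCAL", "AdminTo", "WS01.DOMAIN.LOCAL"),
         ("WS01.DOMAIN.LOCAL", "HasSession", "BOB@DOMAIN.LOCAL"),
         ("BOB@DOMAIN.LOCAL", "WriteDacl", DA),
         ("SVC_SQL@DOMAIN.LOCAL", "GenericAll", "BOB@DOMAIN.LOCAL"),
         ("CAROL@DOMAIN.LOCAL", "MemberOf", "DOMAIN USERS@DOMAIN.LOCAL")]
HAS_SPN = {"SVC_SQL@DOMAIN.LOCAL"}  # users collected with hasspn:true

def build_graph(edges):
    """Adjacency list over directed edges: source -> [(edge type, target)]."""
    graph = {}
    for src, edge, dst in edges:
        graph.setdefault(src, []).append((edge, dst))
    return graph

def shortest_path(graph, start, goal):
    """BFS for shortestPath((start)-[*1..]->(goal)); hop list or None."""
    parents = {start: None}
    queue = deque([start])
    while queue:
        node = queue.popleft()
        if node == goal:
            path, cur = [], node
            while parents[cur] is not None:   # walk parents back to start
                prev, edge = parents[cur]
                path.append((prev, edge, cur))
                cur = prev
            return path[::-1]
        for edge, nxt in graph.get(node, []):
            if nxt not in parents:            # first visit = fewest hops
                parents[nxt] = (node, edge)
                queue.append(nxt)
    return None

def users_reaching(goal=DA, only_spn=False):
    """User -> shortest path for every user that reaches `goal`;
    only_spn=True restricts to hasspn users (the Kerberoastable variant)."""
    graph = build_graph(EDGES)
    return {name: path for name, label in NODES.items()
            if label == "User" and (not only_spn or name in HAS_SPN)
            and (path := shortest_path(graph, name, goal))}
```

CAROL only reaches DOMAIN USERS and is correctly absent from the result; ALICE reaches the goal in four hops through a group, a computer and a session, which is the kind of path that is easy to miss when reviewing group membership alone.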

Operational Security Considerations

Minimizing Detection Risk

  • Use the --Stealth parameter to reduce noise
  • Collect data during business hours when network activity is high
  • Avoid collecting all data at once; spread collection over time
  • Use LDAP filtering to limit the scope of collection
  • Consider using BloodHound.py instead of SharpHound in sensitive environments
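From the defender's side, the Session and LocalGroup methods listed above contact every reachable computer over SMB, so the footprint they leave in centralised Windows Security logs is one account producing network logons (event 4624, logon type 3) on many distinct hosts within minutes; spreading collection over time, as the list suggests, is exactly what a sliding-window rule is tuned against. The following is an added example, not part of this cheat sheet or BloodHound: the log lines are constructed, the field layout is a simplified stand-in for forwarded 4624 events, and the window and threshold are hypothetical values to tune per environment.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records (not real logs): Security event 4624 as
# forwarded to a central collector. Fields: time, host, account, logon type.
EVENTS = """\
2024-05-01T09:00:01 WS01.DOMAIN.LOCAL alice 3
2024-05-01T09:00:02 WS02.DOMAIN.LOCAL alice 3
2024-05-01T09:00:02 WS03.DOMAIN.LOCAL alice 3
2024-05-01T09:00:03 WS04.DOMAIN.LOCAL alice 3
2024-05-01T09:00:04 WS05.DOMAIN.LOCAL alice 3
2024-05-01T09:00:05 WS06.DOMAIN.LOCAL alice 3
2024-05-01T09:15:00 FS01.DOMAIN.LOCAL bob 3
2024-05-01T09:20:00 FS01.DOMAIN.LOCAL bob 3
2024-05-01T09:21:00 DC01.DOMAIN.LOCAL admin 2
2024-05-01T10:00:00 WS07.DOMAIN.LOCAL alice 3
"""

def parse_events(text):
    """Yield (timestamp, host, account, logon_type) per non-empty line."""
    for line in text.splitlines():
        if line.strip():
            ts, host, acct, ltype = line.split()
            yield datetime.fromisoformat(ts), host, acct, int(ltype)

def find_fanout(events, window=timedelta(minutes=5), threshold=5):
    """Accounts whose network logons (type 3) reach `threshold` distinct
    hosts inside any `window`; returns {account: (window_start, hosts)}."""
    by_acct = defaultdict(list)
    for ts, host, acct, ltype in events:
        if ltype == 3:                      # network logon only
            by_acct[acct].append((ts, host))
    hits = {}
    for acct, recs in by_acct.items():
        recs.sort()                         # sliding window over time
        start = 0
        for end in range(len(recs)):
            while recs[end][0] - recs[start][0] > window:
                start += 1
            hosts = {h for _, h in recs[start:end + 1]}
            if len(hosts) >= threshold:
                hits[acct] = (recs[start][0], sorted(hosts))
                break                       # first window that trips is enough
    return hits

if __name__ == "__main__":
    for acct, (since, hosts) in find_fanout(parse_events(EVENTS)).items():
        print(f"{acct}: {len(hosts)} hosts since {since}: {', '.join(hosts)}")
```

Repeated logons to the same host (bob) and interactive logons (admin, type 2) do not trip the rule; only the account fanning out across workstations does.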

Cleaning Up

  • Delete SharpHound binaries and output files after use
  • Clear PowerShell history: Clear-History
  • Remove SharpHound module from memory: Remove-Module SharpHound
  • Delete Neo4j database when analysis is complete

Troubleshooting

Common Issues

Neo4j Connection Issues

  • Ensure Neo4j service is running: neo4j.bat status or systemctl status neo4j
  • Check if the correct bolt URL is being used (default: bolt://localhost:7687)
  • Verify credentials (default: neo4j/neo4j)
  • Check if another process is using port 7687

SharpHound Collection Issues

  • Ensure you have sufficient privileges (domain user at minimum)
  • Try running with elevated privileges
  • Check network connectivity to domain controllers
  • Verify LDAP/LDAPS connectivity
  • Try specifying a domain controller with --DomainController

Data Import Issues

  • Ensure the ZIP file contains valid JSON files
  • Check if the Neo4j database has sufficient disk space
  • Try clearing the database before import: MATCH (n) DETACH DELETE n
  • Verify that the ZIP file is not corrupted

Resources