BloodHound
Maps Active Directory attack paths so you can see — and prove — how a low-priv user becomes Domain Admin
⚡ TL;DR
🎯 The Problem It Solves
Blue and red teams both drown in Active Directory: hundreds of users, GPOs, trusts and Kerberos quirks. The question \'who can reach Domain Admin, and how?\' is nearly impossible to answer by hand. BloodHound ingests AD/Entra ID state and graphs every transitive path to privilege, turning a week of manual ACL reading into a 5-minute query.
🔧 How It Works
SharpHound (or AzureHound) runs from a domain-joined host and collects principals, group membership, ACLs, GPO links, sessions, and AD Certificate Services data via LDAP. That lands in a Neo4j graph database. The BloodHound UI then runs Cypher queries (and ships curated ones like \'Shortest Paths to Domain Admins\') to surface attack paths. Recent versions add pathfinding APIs and the \'BloodHound Enterprise\' tier for continuous posture.
🚀 Installation & Quick Start
Installation
# Install Neo4j (required backend)\nsudo apt install neo4j community\n\n# Install BloodHound desktop\n# Download from GitHub releases: SpecterOps/BloodHound\n\n# SharpHound collector (run on Windows domain-joined host)\n# Download from SpecterOps/BloodHound/SharpHound.exe\n\n# PowerShell alternative (if .exe is blocked)\nImport-Module .\\SharpHound.ps1Quick Start
- Spin up the stack: docker run -p 7474:7474 -p 7687:7687 specterops/bloodhound
- Download SharpHound and run: SharpHound.exe -c All (or -c DCOnly for a fast first pass)
- Open http://localhost:7474, log in (neo4j/BloodHound), import the ZIP SharpHound produced
- Run a built-in query: 'Shortest Paths to Domain Admins from Owned Principals'
- Pin the top paths and hand them to the team as remediation tickets
✅ Pros
- •Makes the impossible question — 'who can reach DA?' — answerable in minutes
- •Visual, defensible output that non-technical stakeholders actually understand
- •Covers AD CS (certificate) abuse paths that almost nobody audits by hand
- •Free and open source; the graph model is the industry standard
❌ Cons
- •Neo4j + collector setup is fiddly the first time (RAM-hungry graph store)
- •You must learn enough Cypher to write your own queries, or you'll only use the defaults
- •A snapshot is a point in time — paths drift as the domain changes
- •Raw output is noisy; tuning the collectors and pruning is real work
💬 Practitioner Verdict
"If you do anything with Active Directory — attacking it, defending it, or just owning it — BloodHound is non-negotiable. It is the single best force-multiplier for AD assessment on the list. The only real cost is learning to read the graph; once you do, you\'ll wonder how you ever did AD work without it."
📊 Specifications
- Language
- Go
- License
- Apache-2.0
- Platform
- Linux, macOS, Windows
- Kill Chain
- Privilege Escalation / Lateral Movement / Domain Dominance
- MITRE ATT&CK
- T1484, T1558, T1098
💰 Pricing Reality
Open source BloodHound Community is free (Apache-2.0). SpecterOps sells \'BloodHound Enterprise\' for continuous monitoring, attack-path prioritization and remediation tracking — enterprise pricing, not published. SharpHound remains free.