🔒SecurityRepoIndex

BloodHound

Maps Active Directory attack paths so you can see — and prove — how a low-priv user becomes Domain Admin

4.8/ 53,183 GitHub starsGoApache-2.0

⚡ TL;DR

What
Maps Active Directory attack paths so you can see — and prove — how a low-priv user becomes Domain Admin
Who
Red teams, Blue teams / defenders, Active Directory engineers, SOC analysts doing AD threat hunting
Catch
Neo4j + collector setup is fiddly the first time (RAM-hungry graph store)
Verdict
⭐⭐⭐⭐⭐ Essential

🎯 The Problem It Solves

Blue and red teams both drown in Active Directory: hundreds of users, GPOs, trusts and Kerberos quirks. The question \'who can reach Domain Admin, and how?\' is nearly impossible to answer by hand. BloodHound ingests AD/Entra ID state and graphs every transitive path to privilege, turning a week of manual ACL reading into a 5-minute query.

🔧 How It Works

SharpHound (or AzureHound) runs from a domain-joined host and collects principals, group membership, ACLs, GPO links, sessions, and AD Certificate Services data via LDAP. That lands in a Neo4j graph database. The BloodHound UI then runs Cypher queries (and ships curated ones like \'Shortest Paths to Domain Admins\') to surface attack paths. Recent versions add pathfinding APIs and the \'BloodHound Enterprise\' tier for continuous posture.

🚀 Installation & Quick Start

Installation

# Install Neo4j (required backend)\nsudo apt install neo4j community\n\n# Install BloodHound desktop\n# Download from GitHub releases: SpecterOps/BloodHound\n\n# SharpHound collector (run on Windows domain-joined host)\n# Download from SpecterOps/BloodHound/SharpHound.exe\n\n# PowerShell alternative (if .exe is blocked)\nImport-Module .\\SharpHound.ps1

Quick Start

  1. Spin up the stack: docker run -p 7474:7474 -p 7687:7687 specterops/bloodhound
  2. Download SharpHound and run: SharpHound.exe -c All (or -c DCOnly for a fast first pass)
  3. Open http://localhost:7474, log in (neo4j/BloodHound), import the ZIP SharpHound produced
  4. Run a built-in query: 'Shortest Paths to Domain Admins from Owned Principals'
  5. Pin the top paths and hand them to the team as remediation tickets

✅ Pros

  • Makes the impossible question — 'who can reach DA?' — answerable in minutes
  • Visual, defensible output that non-technical stakeholders actually understand
  • Covers AD CS (certificate) abuse paths that almost nobody audits by hand
  • Free and open source; the graph model is the industry standard

❌ Cons

  • Neo4j + collector setup is fiddly the first time (RAM-hungry graph store)
  • You must learn enough Cypher to write your own queries, or you'll only use the defaults
  • A snapshot is a point in time — paths drift as the domain changes
  • Raw output is noisy; tuning the collectors and pruning is real work

💬 Practitioner Verdict

"If you do anything with Active Directory — attacking it, defending it, or just owning it — BloodHound is non-negotiable. It is the single best force-multiplier for AD assessment on the list. The only real cost is learning to read the graph; once you do, you\'ll wonder how you ever did AD work without it."
Emmanuel, Security Reviewer

📊 Specifications

Language
Go
License
Apache-2.0
Platform
Linux, macOS, Windows
Kill Chain
Privilege Escalation / Lateral Movement / Domain Dominance
MITRE ATT&CK
T1484, T1558, T1098

💰 Pricing Reality

Open source BloodHound Community is free (Apache-2.0). SpecterOps sells \'BloodHound Enterprise\' for continuous monitoring, attack-path prioritization and remediation tracking — enterprise pricing, not published. SharpHound remains free.

👥 Community Health

Stars3,183
Forks337
Contributors91
Health Score9.2/10

🏷️ Tags

Active DirectoryOpen SourceFree

🔗 Similar Tools