Bloodhound (new)¶
BloodHound Community Edition (CE) & Legacy Cheatsheet¶
BloodHound Community Edition Setup¶
Docker Installation (Recommended)¶
# Quick start with Docker Compose
curl -L https://ghst.ly/bloodhoundcommunityedition | docker compose -f - up
# Or clone and run
git clone https://github.com/SpecterOps/BloodHound.git
cd BloodHound/examples/docker-compose
docker compose up
# Access at: https://localhost:8080
# Default: admin@bloodhound / admin (change on first login)
Manual Installation¶
# Download latest release
wget https://github.com/SpecterOps/BloodHound/releases/download/v5.0.0/BloodHound-linux-x64.tar.gz
tar -xzf BloodHound-linux-x64.tar.gz
# Install PostgreSQL
sudo apt install postgresql postgresql-contrib
# Start BloodHound
./BloodHound
BloodHound Legacy (v4.x with Neo4j)¶
Installation¶
# Install Neo4j 4.x
wget -O - https://debian.neo4j.com/neotechnology.gpg.key | sudo apt-key add -
echo 'deb https://debian.neo4j.com stable 4.4' | sudo tee /etc/apt/sources.list.d/neo4j.list
sudo apt update && sudo apt install neo4j
# Download BloodHound Legacy
wget https://github.com/BloodHoundAD/BloodHound/releases/download/4.3.1/BloodHound-linux-x64.zip
unzip BloodHound-linux-x64.zip
# Start services
sudo systemctl start neo4j
./BloodHound --no-sandbox
Data Collection Tools¶
SharpHound for CE¶
# Download latest SharpHound
# https://github.com/BloodHoundAD/SharpHound/releases
# All collection (CE compatible)
.\SharpHound.exe -c All --zipfilename ce_data.zip
# Session loop collection
.\SharpHound.exe -c Session --loop --loopduration 2:00:00 --loopinterval 00:05:00
# LDAP collection only (fastest)
.\SharpHound.exe -c DCOnly --zipfilename dc_data.zip
# Stealth collection
.\SharpHound.exe -c All --stealth --outputdirectory C:\Windows\Temp
# Exclude domain controllers
.\SharpHound.exe -c All --excludedomaincontrollers
# With specific domain
.\SharpHound.exe -c All --domain domain.local --domaincontroller dc01.domain.local
# Memory optimization
.\SharpHound.exe -c All --memcache
AzureHound for CE¶
# Azure collection
.\AzureHound.exe -r "Az" list
# With specific tenant
.\AzureHound.exe -t "tenant-id" list
# All Azure data
.\AzureHound.exe list --tenant "contoso.onmicrosoft.com" -o azure_data.json
# Specific collections
.\AzureHound.exe list users -o users.json
.\AzureHound.exe list groups -o groups.json
.\AzureHound.exe list applications -o apps.json
.\AzureHound.exe list service-principals -o sps.json
.\AzureHound.exe list administrative-units -o aus.json
.\AzureHound.exe list devices -o devices.json
bloodhound.py for Linux¶
# Install latest version
pip install bloodhound
# Collection with all methods
bloodhound-python -u 'user' -p 'pass' -d domain.local -dc dc01.domain.local -c all --zip
# With Kerberos
bloodhound-python -u 'user' -k -d domain.local -dc dc01.domain.local -c all
# With NS
bloodhound-python -u 'user' -p 'password' -d domain.local -ns DC_IP -c all --zip
# Specific collections for CE
bloodhound-python -u 'user' -p 'pass' -d domain.local -dc dc01.domain.local \
-c Group,LocalADmin,RDP,DCOM,PSRemote,DCOnly,Session,Acl,Trusts,ObjectProps
# With DNS over TCP
bloodhound-python -u 'user' -p 'pass' -d domain.local -dc dc01.domain.local -c all --dns-tcp
# Authentication with hash
bloodhound-python -u 'user' --hashes aad3b435b51404eeaad3b435b51404ee:hash \
-d domain.local -dc dc01.domain.local -c all
BloodHound CE Query Syntax¶
Search Bar Queries (CE)¶
User Searches
# Find specific user
name:john.doe@domain.local
# Find users with SPN
hasspn:true
# Find ASREP roastable users
dontreqpreauth:true
# Find enabled users
enabled:true
# Find high value users
system_tags:"high_value"
# Find owned users
user_tags:"owned"
# Find admin count users
admincount:true
# Password never expires
pwdneverexpires:true
Computer Searches
# Find specific computer
name:DC01.DOMAIN.LOCAL
# Find domain controllers
is_dc:true
# Find computers with LAPS
haslaps:true
# Find unconstrained delegation (non-DCs)
unconstraineddelegation:true AND is_dc:false
# Find constrained delegation
allowedtodelegate:*
# Find owned computers
computer_tags:"owned"
# Operating system search
operatingsystem:*Server*2019*
Group Searches
# Find domain admins
name:*admin*
# Find high value groups
system_tags:"high_value"
# Find custom groups
name:IT-*
Delete Neo4J DB¶
MATCH (n) DETACH DELETE n
Pathfinding Queries (CE)¶
In the Explore/Pathfinding Tab
# Source: Select starting node(s)
# Target: Select destination node(s)
# Edge Filters: Select relationship types to include/exclude
Common pathfinding scenarios:
- From: Owned Users → To: Domain Admin Groups
- From: Kerberoastable Users → To: High Value Targets
- From: Any User → To: Specific Computer (for access paths)
- From: Owned Computers → To: Domain Controllers
BloodHound CE Cypher Queries¶
Custom Cypher in CE¶
# Access via: Analysis → Custom Queries → Raw Query
# Path to DC/Admin from X User
MATCH p = shortestPath((n)-[*1..]->(c))
WHERE n.name =~ '(?i).*p\\.agila.*' AND NOT c=n
RETURN p
# Find all Domain Admins
MATCH (g:Group {name: 'DOMAIN ADMINS@DOMAIN.LOCAL'})-[:MemberOf*1..]->(u:User)
RETURN u
# Kerberoastable users with paths to DA
MATCH p=shortestPath((u:User {hasspn:true})-[*1..]->(g:Group {name: 'DOMAIN ADMINS@DOMAIN.LOCAL'}))
RETURN p
# Computers with sessions from Domain Admins
MATCH p=(c:Computer)<-[:HasSession]-(u:User)-[:MemberOf*1..]->(g:Group {name: 'DOMAIN ADMINS@DOMAIN.LOCAL'})
RETURN p
# Find all owned users' admin rights
MATCH p=(u:User)-[:AdminTo]->(c:Computer)
WHERE u.user_tags CONTAINS 'owned'
RETURN p
# ASREP roastable with admin rights
MATCH p=(u:User {dontreqpreauth:true})-[:AdminTo]->(c:Computer)
RETURN p
BloodHound CE Pre-Built Queries¶
Platform Queries (Built-in)¶
Active Directory:
├── Domains
│ ├── All Domain Admins
│ ├── All Enterprise Admins
│ ├── All Domain Controllers
│ └── Trusts
├── Computers
│ ├── Unconstrained Delegation
│ ├── Constrained Delegation
│ ├── RBCD Configured
│ ├── LAPS Enabled
│ └── Sessions
├── Users
│ ├── Kerberoastable
│ ├── ASREP Roastable
│ ├── Password Not Required
│ ├── Password Never Expires
│ └── Enabled Users
├── Groups
│ ├── High Value Groups
│ ├── Custom Groups
│ └── Nested Groups
└── ACLs
├── Dangerous Rights
├── DCSync Rights
├── Interesting ACLs
└── RBCD Rights
Azure:
├── Tenants
│ ├── Global Administrators
│ ├── Privileged Role Administrators
│ └── Application Administrators
├── Users
│ ├── Guest Users
│ ├── Synced Users
│ └── Cloud Only Users
├── Applications
│ ├── High Privilege Apps
│ └── Service Principals
└── Devices
├── Intune Enrolled
└── Hybrid Joined
BloodHound CE API Usage¶
Authentication¶
# Get API token
curl -X POST https://localhost:8080/api/v2/login \
-H "Content-Type: application/json" \
-d '{"username":"admin@bloodhound","password":"password"}' \
-k
# Set token
export BH_TOKEN="your-token-here"
API Queries¶
# Get all domains
curl -X GET https://localhost:8080/api/v2/domains \
-H "Authorization: Bearer $BH_TOKEN" -k
# Get domain admins
curl -X GET "https://localhost:8080/api/v2/search?q=name:DOMAIN%20ADMINS*" \
-H "Authorization: Bearer $BH_TOKEN" -k
# Get attack paths
curl -X POST https://localhost:8080/api/v2/pathfinding \
-H "Authorization: Bearer $BH_TOKEN" \
-H "Content-Type: application/json" \
-d '{
"start_node": "S-1-5-21-xxx-1105",
"end_node": "S-1-5-21-xxx-512",
"relationship_kinds": ["MemberOf", "AdminTo", "HasSession"]
}' -k
# Upload data via API
curl -X POST https://localhost:8080/api/v2/upload \
-H "Authorization: Bearer $BH_TOKEN" \
-F "file=@bloodhound_data.zip" -k
BloodHound CE Analysis Workflows¶
Attack Path Analysis¶
1. Import Data
- Upload ZIP from SharpHound/AzureHound
- Check import status in UI
2. Mark Owned Assets
- Search for compromised user/computer
- Right-click → Add Tag → "owned"
3. Pathfinding
- Navigate to Explore → Pathfinding
- Set Source: Owned principals
- Set Target: High value targets
- Apply edge filters as needed
4. Analyze Results
- Review shortest paths
- Check alternative paths
- Export findings
Tier Zero Mapping¶
1. Identify Tier Zero
- Domain Controllers
- Domain Admins
- Enterprise Admins
- Schema Admins
- KRBTGT account
- GPOs linked to DCs
2. Tag as High Value
- Select assets
- Add system tag: "high_value"
3. Find Attack Paths
- Source: Any owned/low-privilege
- Target: Tagged Tier Zero assets
Kerberos Attack Analysis¶
1. Kerberoasting
- Search: hasspn:true
- Analyze paths from these users
- Check their current permissions
2. ASREP Roasting
- Search: dontreqpreauth:true
- Review account privileges
- Find delegation possibilities
3. Delegation Abuse
- Unconstrained: unconstraineddelegation:true
- Constrained: allowedtodelegate:*
- RBCD: Check incoming AllowedToAct
BloodHound CE Custom Queries¶
Creating Custom Queries¶
{
"name": "Find Kerberoastable Admins",
"category": "Custom",
"description": "Users with SPN that have admin rights",
"query": "MATCH p=(u:User {hasspn:true})-[:AdminTo]->(c:Computer) RETURN p",
"version": "CE"
}
Import Custom Queries¶
# Location for custom queries
~/.config/bloodhound/customqueries.json # Linux
%APPDATA%\bloodhound\customqueries.json # Windows
# Format
[
{
"name": "Query Name",
"category": "Category",
"queryList": [
{
"final": true,
"query": "MATCH ... RETURN ..."
}
]
}
]
BloodHound CE vs Legacy Comparison¶
Query Syntax Differences¶
# Legacy (Neo4j)
MATCH (u:User) WHERE u.owned=true RETURN u
# CE (PostgreSQL backend)
MATCH (u:User) WHERE u.user_tags CONTAINS 'owned' RETURN u
# Legacy
WHERE n.name =~ '(?i).*admin.*'
# CE
WHERE n.name =~ '.*(?i)admin.*'
# OR use search: name:*admin*
Feature Differences¶
CE Advantages:
- Modern UI with dark mode
- Better performance with large datasets
- Built-in Azure support
- API-first architecture
- Tagging system (owned, high_value, custom)
- Saved queries and workspaces
- Multi-tenancy support
- Better search functionality
Legacy Advantages:
- More mature custom queries
- Direct Neo4j access
- Extensive community queries
- Simpler setup for small assessments
- Raw Cypher query support
Troubleshooting¶
Common Issues - CE¶
# Docker connection issues
docker compose down
docker compose up --force-recreate
# Clear CE data
docker volume rm bloodhound_postgres_data
docker volume rm bloodhound_neo4j_data
# Check logs
docker compose logs -f bloodhound
docker compose logs -f postgres
# API connection issues
# Ensure using HTTPS and accepting self-signed cert
curl -k https://localhost:8080/api/v2/health
# Upload failures
# Check file size limits in docker-compose.yml
# Default is usually 500MB
Common Issues - Legacy¶
# Neo4j connection issues
sudo systemctl status neo4j
sudo journalctl -u neo4j -f
# Reset Neo4j password
sudo neo4j-admin set-initial-password newpassword
# Database locked
sudo systemctl stop neo4j
sudo rm /var/lib/neo4j/data/databases/neo4j/*.lock
sudo systemctl start neo4j
# Memory issues
# Edit /etc/neo4j/neo4j.conf
dbms.memory.heap.initial_size=512m
dbms.memory.heap.max_size=2G
dbms.memory.pagecache.size=512m
BloodHound Tips & Best Practices¶
Performance Optimization¶
CE:
- Use PostgreSQL indexing
- Limit pathfinding depth
- Use edge filtering
- Clear old sessions regularly
- Use tags instead of complex queries
Legacy:
- Create Neo4j indexes
- Increase heap memory
- Use shortestPath vs allShortestPaths
- Warm up cache before analysis
- Periodic database maintenance
Operational Security¶
Collection:
- Use --stealth flag
- Randomize collection times
- Use domain user, not admin
- Collect from domain-joined host
- Use LDAP-only collection when possible
Analysis:
- Run BloodHound offline
- Use encrypted volumes
- Clear data after engagement
- Document findings immediately
- Export critical paths
Reporting¶
Export Options:
- Screenshots for reports
- JSON for automation
- CSV for spreadsheets
- GraphML for other tools
- API export for integration
Key Metrics:
- Shortest path length to DA
- Number of kerberoastable users
- Percentage of users with admin rights
- Number of unconstrained delegation systems
- Cross-domain trust paths
Integration with Other Tools¶
Covenant Integration¶
# Run SharpHound via Covenant
Assembly /assemblypath:"SharpHound.exe" /parameters:"-c All"
Empire Integration¶
# Load SharpHound module
usemodule situational_awareness/network/bloodhound3
execute
Cobalt Strike Integration¶
# Execute SharpHound
execute-assembly /path/to/SharpHound.exe -c All --outputdirectory C:\Temp
Mythic Integration¶
# Upload and execute SharpHound
upload_file /path/to/SharpHound.exe
shell SharpHound.exe -c All
Quick Reference¶
Collection Methods¶
All - All collection methods
DCOnly - LDAP queries to DC (no SMB)
Session - Session information
LoggedOn - Logged on users
Computer - Computer objects
User - User objects
Group - Group objects
ACL - ACL information
Container - Container objects
GPO - Group Policy Objects
Trust - Domain trusts
LocalAdmin - Local admin rights
RDP - RDP rights
DCOM - DCOM rights
PSRemote - PowerShell remoting rights
Edge Types (Relationships)¶
Access Control:
- GenericAll
- GenericWrite
- Owns
- WriteDacl
- WriteOwner
- ReadLAPSPassword
- ReadGMSAPassword
- ForceChangePassword
- AddMember
- AddSelf
Delegation:
- AllowedToDelegate
- AllowedToAct
- TrustedBy
Local Access:
- AdminTo
- CanRDP
- CanPSRemote
- ExecuteDCOM
- SQLAdmin
Group Membership:
- MemberOf
- Contains
Special:
- HasSession
- HasSIDHistory
- DCSync
- SyncedToADUser
Node Properties¶
Common:
- name
- domain
- objectid
- distinguishedname
- description
Users:
- enabled
- lastlogon
- pwdlastset
- hasspn
- dontreqpreauth
- admincount
- sensitive
Computers:
- operatingsystem
- unconstraineddelegation
- allowedtodelegate
- haslaps
- is_dc
Groups:
- admincount
All nodes:
- system_tags (CE)
- user_tags (CE)
- owned (Legacy)
- highvalue (Legacy)