Active Directory · Term

What is BloodHound?

BloodHound turns Active Directory data into a graph and finds the shortest path from any account to Domain Admin. Attackers use it to plan, and defenders use it to find and cut those paths first. Here is what BloodHound is and how to use it defensively.

TL;DR

BloodHound is an open-source tool that maps Active Directory attack paths. Its collector (SharpHound) gathers users, groups, sessions, and permissions, and BloodHound stores them as a graph to compute the shortest path to Domain Admin through abusable rights like GenericAll, WriteDACL, and group membership. Because the same map helps attackers and defenders, running BloodHound against your own directory is one of the highest-value Active Directory exercises.

By John Dill, Red Team Lead, SecureLayer7

What BloodHound is

BloodHound has two parts: a collector and a graph.

  • SharpHound (or the Python collector) reads the directory, mostly using normal authenticated queries, and gathers objects, sessions, and permissions.
  • BloodHound loads that data into a graph database where nodes are users, groups, and computers, and edges are relationships like "member of," "can reset password of," or "has a session on."

The headline feature is the "Shortest Path to Domain Admins" query, which turns thousands of individual permissions into a clear, walkable route.

How it is used

Attackers run BloodHound after a foothold to plan the fastest route up; defenders run it to find the same routes first.

  • Collect the data: SharpHound.exe -c All or bloodhound-python -d corp.local -u user -p pass -c All
  • Load the output into BloodHound and run the built-in "Shortest Path to Domain Admins" query.
  • Each highlighted edge (GenericWrite, WriteDACL, AddMember, ForceChangePassword) is a step to investigate.

Collection is non-destructive reconnaissance, but the output is a literal map of how to take over the domain, so treat it as sensitive.

How to defend with it

  • Run it against your own directory and review the shortest paths to Domain Admins and other Tier 0 assets.
  • Cut needless edges: remove WriteDACL/GenericAll on sensitive objects, empty over-privileged groups, and prune stale delegations.
  • Re-run after major changes to catch new short paths.
  • Protect the collected data, since it is a complete attack map.
  • Monitor for mass LDAP collection, a sign someone else is running it.
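The defensive loop above (find the shortest path, cut an edge, re-run) as an added example; this is not BloodHound's or SharpHound's code. It uses a constructed graph written in BloodHound's edge vocabulary, a breadth-first shortest path to Domain Admins, and a remediation loop that removes the final hop and queries again, which is how the second, longer path surfaces once the first is fixed. All account, group and host names are made up for the example.

```python
from collections import deque
# Constructed sample graph in BloodHound's own edge vocabulary (NOT real SharpHound output);
# each entry is (source, relationship, target) and names follow BloodHound's NAME@DOMAIN style.
EDGES = [
    ("ALICE@CORP.LOCAL", "MemberOf", "HELPDESK@CORP.LOCAL"),
    ("HELPDESK@CORP.LOCAL", "ForceChangePassword", "BOB@CORP.LOCAL"),
    ("BOB@CORP.LOCAL", "MemberOf", "IT-OPS@CORP.LOCAL"),
    ("IT-OPS@CORP.LOCAL", "WriteDacl", "DOMAIN ADMINS@CORP.LOCAL"),
    ("ALICE@CORP.LOCAL", "AdminTo", "WS01.CORP.LOCAL"),
    ("WS01.CORP.LOCAL", "HasSession", "SVC-BACKUP@CORP.LOCAL"),
    ("SVC-BACKUP@CORP.LOCAL", "GenericAll", "DOMAIN ADMINS@CORP.LOCAL"),
]
DOMAIN_ADMINS = "DOMAIN ADMINS@CORP.LOCAL"

def shortest_path(edges, start, target=DOMAIN_ADMINS):
    """BFS by hop count (BloodHound's notion of shortest); returns [(src, rel, dst), ...] or None."""
    graph = {}
    for src, rel, dst in edges:
        graph.setdefault(src, []).append((rel, dst))
    parent = {start: None}  # node -> (previous node, edge used to reach it)
    queue = deque([start])
    while queue:
        node = queue.popleft()
        if node == target:
            path = []
            while parent[node] is not None:
                prev, rel = parent[node]
                path.append((prev, rel, node))
                node = prev
            return path[::-1]
        for rel, nxt in graph.get(node, []):
            if nxt not in parent:
                parent[nxt] = (node, rel)
                queue.append(nxt)
    return None

def remove_edge(edges, src, rel, dst):
    """Model one remediation (e.g. stripping a GenericAll ACE) by dropping that edge."""
    return [e for e in edges if e != (src, rel, dst)]

def remediation_rounds(edges, start, target=DOMAIN_ADMINS):
    """Re-run after each fix (cut the last hop into target); returns every path found."""
    found = []
    while (path := shortest_path(edges, start, target)) is not None:
        found.append(path)
        edges = remove_edge(edges, *path[-1])
    return found

if __name__ == "__main__":
    print(*remediation_rounds(EDGES, "ALICE@CORP.LOCAL"), sep="\n")
```

For the sample data, ALICE reaches Domain Admins in three hops through a session and a GenericAll right; removing that right exposes a four-hop path ending in WriteDacl, and only after that is cut does she have no route.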
