Bloodhound, a walk through the domain

Table of Contents

What is BloodHound exactly?

BloodHound is a tool for Red and Blue teams. It is used for graphical representation domain and the possible attack vectors. It shows the relationships between the individual objects and can also be used for Azure. The tool itself works on Windows, Linux, macOS and requires a neo4j database.

BloodHound was created by @_wald0, @CptJesus and @harmj0y.

The following picture shows the graphical user interface (GUI)

Bloodhound GUI


The default data collector for BloodHound. It is an executable file that contains all the data of the domain can read and saves them in .json format for BloodHound. It should be run from a domain-integrated client. Since both BloodHound and SharpHound are classified as pentesting or hacking tools, many antivirus programs and some browsers classify them as malicious. As a pentester or RedTeamer you should use an AV Evasion technique and run it in-memory. As a BlueTeam, I can define an exception for the moment of execution, which I should remove again after data collection. The collected .json files can be dragged and dropped into the GUI and thus loaded into the database.


The AzureHound is a PowerShell script that can access the Azure via the AZ and Azure AD modules and collects the data there. Also the tool creates .json files like the SharpHound. Like most Powershell scripts, this one should also get stuck on the PowershellScriptExecution Policy and therefore not be executed. Therefore, an exception must also be defined here.

The Python ingestor based on Impacket can be run on all systems but does not have all the features of the SharpHound. BloodHound Python can be installed via git or pip and is compatible with BloodHound version 4.1 or later. There is now one too Docker containers, which you can spawn and use the BloodHound python from there. Data from an Azure cannot be read with it.


A tool by @ly4k_ for one to that Active Directory tethered Public Key Infrastructure with ADCS read out. Using the find parameter, an output is then generated for Bloodhound.

Visualization with graphs

BloodHound knows two different object types. Nodes which the objects from the domain like users and groups with all their properties: name, ID, last login and much more.

The other type are the edges, which represent the connections or relationships between the nodes


attack routes

The advantage for the attacker is that he can have the complete path shown to him with additional markings on the nodes and his own queries.

Bloodhound GUI

The way up to domain from already adopted nodes (the skull icon)

Bloodhound GUI

Possible paths to High Value Goals (the Diamond).

Custom Queries

BloodHound supports attackers and defenders with many good queries, which are then turned into graphs. If the existing ones are not enough for you, you can use the relatively simple language and write your own queries. As an example here to show all high value targets:

					MATCH (m) WHERE m.highvalue=TRUE RETURN m
Bloodhound GUI


BloodHound is very good for attackers, but also for the defenders, for checking and finding possible privilege escalations. But also like from @_wald0 published such a misconfiguration on Twitter.

Bloodhound GUI
Bloodhound GUI

The "Unrolled Members" means that users or computers are in child groups. Due to this misconfiguration exist in the domain 43622 domain admins.

Newsletter Form

Become a Cyber ​​Security Insider

Get early access and exclusive content!

By signing up, you agree to receive occasional marketing emails from us.
Please accept the cookies at the bottom of this page to be able to submit the form!

Table of Contents

NewsLetter Form Pop Up New

Become a Cyber ​​Security Insider

Subscribe to our knowledge base and get:

Early access to new blog posts
Exclusive content
Regular updates on industry trends and best practices

By signing up, you agree to receive occasional marketing emails from us.
Please accept the cookies at the bottom of this page to be able to submit the form!