BloodHound Cheat Sheet

BloodHound is one of the most powerful tools in any red teamer's arsenal. Built on graph theory and Active Directory enumeration, it visually maps attack paths that would take days to uncover manually. Whether you are new to offensive security or a seasoned penetration tester, having a reliable BloodHound cheat sheet saves hours during engagements.

This guide walks through everything from installation to advanced Cypher queries, giving you actionable commands you can use immediately in real-world engagements.

If your organization needs expert-led offensive security testing, Redfox Cybersecurity's penetration testing services deliver the depth and precision your environment demands.

What Is BloodHound and Why Does It Matter

BloodHound uses graph-based analysis to identify relationships within Active Directory and Azure AD environments. It maps users, computers, groups, GPOs, OUs, and sessions to reveal attack paths from low-privilege footholds to Domain Admin.

Attackers use it. Defenders use it. Penetration testers use it to show clients exactly how a real adversary would escalate privileges and move laterally across their infrastructure.

The tool consists of two main components:

SharpHound is the data collector (ingestor) that runs on Windows and pulls AD data.

BloodHound GUI is the Neo4j-powered graph interface where you analyze the collected data.

BloodHound Installation and Setup

Installing BloodHound on Kali Linux

sudo apt update && sudo apt install bloodhound -y


[cta]

Start the Neo4j database before launching BloodHound:

sudo neo4j console


[cta]

Then open a new terminal and launch BloodHound:

bloodhound


[cta]

Default Neo4j credentials are neo4j:neo4j. You will be prompted to change the password on first login.

Installing BloodHound CE (Community Edition)

BloodHound CE is the newer Docker-based version:

git clone https://github.com/SpecterOps/BloodHound.git
cd BloodHound
docker-compose -f docker-compose.yml up


[cta]

Access the web UI at http://localhost:8080. Default credentials are admin:bloodhoundcommunityedition.

SharpHound Data Collection Commands

SharpHound is the collector you run on a domain-joined machine or with valid credentials. It outputs a zip file containing JSON files that you import into the BloodHound GUI.

Basic Collection

.\SharpHound.exe -c All


[cta]

This runs all collection methods including Sessions, ACLs, LocalGroups, Trusts, and ObjectProps.

Specifying a Domain

.\SharpHound.exe -c All -d target.local


[cta]

Using Alternate Credentials

.\SharpHound.exe -c All --ldapusername jdoe --ldappassword 'P@ssw0rd!' -d target.local


[cta]

Running from a Non-Domain Machine

runas /netonly /user:target.local\jdoe "powershell.exe -c '.\SharpHound.exe -c All -d target.local'"


[cta]

Stealth Collection (Session Loop)

To reduce noise, avoid full collection and instead loop session enumeration:

.\SharpHound.exe -c Session --Loop --LoopDuration 02:00:00 --LoopInterval 00:05:00


[cta]

This collects sessions every 5 minutes for 2 hours, building a more complete session map without blasting every collection method at once.

Exclude Domain Controllers from Session Enumeration

.\SharpHound.exe -c All --ExcludeDCs


[cta]

Collecting Specific Objects Only

.\SharpHound.exe -c ACL,ObjectProps,Trusts


[cta]

Running BloodHound with Python (Linux/Non-Windows)

For engagements where you cannot drop a binary on a host, use bloodhound-python:

pip install bloodhound
bloodhound-python -u jdoe -p 'P@ssw0rd!' -d target.local -ns 192.168.1.10 -c All


[cta]

With Kerberos authentication:

bloodhound-python -u jdoe -k -no-pass -d target.local -ns 192.168.1.10 -c All --kerberos


[cta]

Collecting from a specific Domain Controller:

bloodhound-python -u jdoe -p 'P@ssw0rd!' -d target.local -dc dc01.target.local -c All


[cta]

BloodHound GUI Navigation and Key Features

Once your data is ingested, the GUI gives you multiple ways to analyze the environment.

Marking High Value Targets

Right-click any node and select "Mark as High Value" to flag critical assets. BloodHound will then include them in shortest path queries automatically.

Owned Nodes

Right-click a node and select "Mark as Owned" once you have compromised an account or machine. This unlocks the "Shortest Paths from Owned Principals" query.

Pre-Built Queries

BloodHound ships with built-in queries accessible from the Analysis tab:

• Find All Domain Admins
• Shortest Paths to Domain Admins
• Find Principals with DCSync Rights
• Shortest Paths to High Value Targets
• Find Computers with Unsupported Operating Systems
• Find AS-REP Roastable Users
• Find Kerberoastable Users with Most Privileges

Essential Custom Cypher Queries

The real power of BloodHound comes from writing your own Cypher queries directly in the search bar or the Raw Query box.

Find All Kerberoastable Accounts

MATCH (u:User {hasspn:true}) RETURN u.name, u.serviceprincipalnames


[cta]

Find Kerberoastable Accounts That Are Domain Admins

MATCH (u:User {hasspn:true})-[:MemberOf*1..]->(g:Group) WHERE g.name =~ "(?i).*domain admins.*" RETURN u.name


[cta]

Find AS-REP Roastable Users

MATCH (u:User {dontreqpreauth:true}) RETURN u.name


[cta]

Find Users with Password Never Expires

MATCH (u:User {pwdneverexpires:true}) WHERE u.enabled = true RETURN u.name


[cta]

Find All Computers Running Unsupported OS

MATCH (c:Computer) WHERE c.operatingsystem =~ "(?i).*(windows xp|windows 2000|windows 2003|windows vista|windows 7|windows server 2008).*" RETURN c.name, c.operatingsystem


[cta]

Find All Users with AdminCount Set

MATCH (u:User {admincount:true}) RETURN u.name


[cta]

Find Computers Where Domain Users are Local Admins

MATCH p = (g:Group)-[:AdminTo]->(c:Computer) WHERE g.name =~ "(?i).*domain users.*" RETURN p


[cta]

Find ACL Paths to Domain Admins

MATCH p = shortestPath((u:User)-[:MemberOf|GenericAll|GenericWrite|WriteOwner|WriteDacl|AllExtendedRights*1..]->(g:Group)) WHERE g.name =~ "(?i).*domain admins.*" AND NOT u=g RETURN p


[cta]

Find Owned Users That Can Reach Domain Admin

MATCH p = shortestPath((u:User {owned:true})-[*1..]->(g:Group {name:"DOMAIN ADMINS@TARGET.LOCAL"})) RETURN p


[cta]

Find All GPO Apply Paths

MATCH p = (g:GPO)-[:GPLink]->(c) RETURN p


[cta]

Find Groups with DCSync Rights

MATCH p = (n)-[:DCSync|AllExtendedRights|GenericAll]->(d:Domain) RETURN p


[cta]

Find Users with WriteDACL on Domain

MATCH p = (u:User)-[:WriteDacl]->(d:Domain) RETURN p


[cta]

Identify Shortest Path from a Specific User

MATCH p = shortestPath((u:User {name:"JDOE@TARGET.LOCAL"})-[*1..]->(g:Group {name:"DOMAIN ADMINS@TARGET.LOCAL"})) RETURN p


[cta]

Common Attack Paths BloodHound Reveals

Understanding how BloodHound exposes attack chains helps you explain findings clearly to clients. This is where professional penetration testing from Redfox Cybersecurity translates raw graph data into business-level risk reports.

GenericAll Abuse

When a user or group has GenericAll over another object, they can:

• Reset the target user's password
• Add themselves to a target group
• Take full control of a computer object

Detection in BloodHound:

MATCH p = (u:User)-[:GenericAll]->(t) RETURN p


[cta]

WriteDACL Escalation

WriteDACL allows an attacker to grant themselves additional permissions on an object, including DCSync rights on a domain object.

MATCH p = (n)-[:WriteDacl]->(d:Domain) RETURN p


[cta]

Unconstrained Delegation

Computers with unconstrained delegation store TGTs in memory for any user that authenticates to them. If you can compromise that machine, you can extract those tickets and impersonate high-privilege users.

MATCH (c:Computer {unconstraineddelegation:true}) RETURN c.name


[cta]

Constrained Delegation with Protocol Transition

MATCH (c:Computer) WHERE c.allowedtodelegate IS NOT NULL RETURN c.name, c.allowedtodelegate


[cta]

Resource-Based Constrained Delegation (RBCD)

MATCH p = (u)-[:AllowedToAct]->(c:Computer) RETURN p


[cta]

BloodHound Operational Tips for Engagements

Tip 1: Always Prioritize Owned Paths First

After marking compromised accounts as owned, run "Shortest Paths from Owned Principals" before exploring any other query. This immediately shows you what is reachable.

Tip 2: Look at Edge Types, Not Just Paths

Focus on edges like HasSession, AdminTo, GenericAll, WriteDACL, AllExtendedRights, and CanRDP. These represent real, actionable relationships rather than group memberships alone.

Tip 3: Combine BloodHound with Impacket

After identifying a DCSync-capable user:

impacket-secretsdump target.local/jdoe:'P@ssw0rd!'@192.168.1.10 -just-dc


[cta]

After extracting a TGT from an unconstrained delegation attack:

impacket-ticketer -nthash <hash> -domain-sid <SID> -domain target.local Administrator


[cta]

Tip 4: Cross-Domain Trust Attacks

BloodHound maps inter-domain trusts. Filter for trust edges:

MATCH p = (d1:Domain)-[:TrustedBy]->(d2:Domain) RETURN p


[cta]

Then look for users in one domain that have admin rights in another:

MATCH p = (u:User)-[:AdminTo]->(c:Computer) WHERE u.domain <> c.domain RETURN p


[cta]

Tip 5: Export and Document Findings

Export individual paths as PNG from the GUI for client reports. For large graphs, use the Cypher query output as raw evidence in reporting tools.

Professional teams at Redfox Cybersecurity take BloodHound findings further, providing remediation-mapped reports that prioritize risk by business impact rather than just technical severity.

Clearing and Resetting BloodHound Data

When switching between engagements, always purge old data:

MATCH (n) DETACH DELETE n


[cta]

Or use the GUI by going to the gear icon and selecting "Clear Database."

BloodHound Defense and Detection Considerations

While this cheat sheet focuses on offensive use, defenders should monitor for:

• SharpHound execution artifacts: Look for SharpHound.exe, SharpHound.ps1, or any process making excessive LDAP queries to Domain Controllers in a short window.
• Unusual LDAP enumeration: SIEM rules that alert on a single source making hundreds of LDAP queries within minutes are effective at catching collection activity.
• Session enumeration noise: Monitor for repeated remote registry access or SMB connections to many hosts in rapid succession.
• Review ACL anomalies regularly: Use BloodHound defensively on a scheduled basis to audit your own environment before attackers do.

Wrapping Up

BloodHound fundamentally changes how penetration testers and red teamers approach Active Directory environments. The commands and Cypher queries in this cheat sheet cover everything from basic collection to identifying nuanced delegation misconfigurations and ACL abuse chains that most automated scanners miss entirely.

Keeping this cheat sheet bookmarked will accelerate your workflow during time-limited engagements, help you build stronger client deliverables, and deepen your understanding of AD attack surfaces overall.

If you want to see how BloodHound findings translate into a full-scope penetration test with expert analysis and remediation guidance, the team at Redfox Cybersecurity is ready to help. From internal AD assessments to red team operations, Redfox Cybersecurity provides the coverage modern organizations need to stay ahead of adversaries who already know these techniques.

Explore Redfox Cybersecurity's penetration testing services today and find out what your network looks like through an attacker's eyes.