94%
of ransomware incidents involve lateral movement through AD
6
edge types account for the majority of Tier 0 shortestPath routes in real environments
72 hours
median time from initial access to Domain Admin in incidents involving AD misconfigurations
3x
more attack paths exposed after enabling constrained delegation than before

SponsoredRetool

Retool's new app builder is where AI-generated code ships safely

Building apps with AI is easy. Getting them to production safely is another story.

Start building for free today

Every Active Directory environment has attack paths. The question is whether your team finds them first. BloodHound ingests the relationships between users, computers, groups, GPOs, and OUs into a graph database, then answers the question attackers ask: what is the shortest chain of permissions from this compromised account to Domain Admin? The tool has been in attacker toolkits since 2016, but most defenders still use it reactively, if at all. This guide is for security engineers who want to run BloodHound CE offensively against their own environment, understand what the graph is telling them, and fix the exposures before someone else does.

Safe Collection: Running SharpHound Without Alerting the SOC

SharpHound is the ingestor that collects AD relationship data. Running it without coordination will generate LDAP query noise and may trigger anomaly-based alerts. Coordinate with the SOC before collection, or use a service account in an exclusion list. Run collection from a domain-joined machine with a read-only standard user account. SharpHound does not require elevated privileges for most collection methods.

Command for a standard collection:

SharpHound.exe -c All --zipfilename bloodhound_$(hostname)_$(date +%Y%m%d).zip

This collects groups, local admins, sessions, ACLs, trusts, and object properties. The All method runs each collector in sequence. For large environments (100k+ objects), add --SkipPasswordCheck and collect in batches using --SearchBase to scope to a specific OU.

For stealth-conscious environments, use --CollectionMethods DCOnly first. This hits only the Domain Controller via LDAP, skips session enumeration (which touches every workstation), and is far less noisy. You lose session data but retain the full ACL and group membership graph, which is where most high-value paths live.

The Six Edge Types That Create Most Tier 0 Paths

BloodHound CE expresses relationships as edges. After ingestion, the graph contains hundreds of edge types, but six account for the overwhelming majority of exploitable paths to Domain Admin in real environments:

GenericAll / GenericWrite / WriteProperty: These ACEs allow an attacker controlling account A to modify account B's attributes. GenericAll is equivalent to full control. GenericWrite allows writing specific properties. In practice, GenericWrite on a user allows shadow credential attacks (writing msDS-KeyCredentialLink), setting a target SPN for targeted Kerberoasting, or forcing a password reset if WritePasword is also set.

AddMember / WriteSelf on groups: If account A can add members to a privileged group, account A effectively has that group's rights. This is often misconfigured on distribution groups that were promoted to security groups over time.

AllowedToDelegate / AllowedToAct (constrained/resource-based delegation): Delegation allows a service to impersonate any user against a target service. Unconstrained delegation exposes TGTs. Constrained delegation with protocol transition allows S4U2Self abuse. Resource-based constrained delegation (RBCD) is the most dangerous because it is writable by anyone with WriteProperty on msDS-AllowedToActOnBehalfOfOtherIdentity.

CanPSRemote / AdminTo: Direct administrative access to a machine. If that machine hosts a privileged process, or if a Tier 0 admin has an active session, local admin is a stepping stone.

HasSIDHistory: Objects migrated from a legacy domain may retain SID history pointing to Tier 0 groups in the old domain. If trusts are still in place, this is a direct privilege escalation.

ADCS edges (Enroll, GenericWrite on certificate templates): With ADCS deployed, ESC1 through ESC8 attack paths appear as edges. Any user who can enroll in a misconfigured template that allows SAN override can issue themselves a certificate for any identity, including Domain Admin.

Free daily briefing

Briefings like this, every morning before 9am.

Threat intel, active CVEs, and campaign alerts, distilled for practitioners. 50,000+ subscribers. No noise.

Key Cypher Queries for Defenders

BloodHound CE exposes a Cypher query console. These queries surface the highest-priority exposures:

Find all shortest paths from Domain Users to Tier 0:

MATCH p=shortestPath((g:Group {name:"DOMAIN USERS@YOURDOMAIN.LOCAL"})-[*1..]->(t:Group {name:"DOMAIN ADMINS@YOURDOMAIN.LOCAL"}))
RETURN p

Find all principals with GenericAll on Tier 0 objects:

MATCH (n)-[:GenericAll]->(m:Group)
WHERE m.name STARTS WITH "DOMAIN ADMINS"
RETURN n.name, m.name
ORDER BY n.name

Find computers with unconstrained delegation (non-DCs):

MATCH (c:Computer {unconstraineddelegation:true})
WHERE NOT c.name STARTS WITH "DC"
RETURN c.name, c.operatingsystem

Find RBCD write paths (WriteProperty on msDS-AllowedToActOnBehalfOfOtherIdentity):

MATCH p=(a)-[:WriteDacl|WriteOwner|GenericAll|GenericWrite|Owns]->(b:Computer)
RETURN a.name, b.name, type(relationships(p)[0])
LIMIT 50

Find users with a path to Domain Admin in fewer than 4 hops:

MATCH p=shortestPath((u:User)-[*1..4]->(g:Group {name:"DOMAIN ADMINS@YOURDOMAIN.LOCAL"}))
RETURN u.name, length(p) AS hops
ORDER BY hops ASC
LIMIT 25

Run each query and export the results to a CSV. Group by edge type to identify which remediation action breaks the most paths.

Prioritizing What to Fix: The Tier Model and Blast Radius

Not every attack path requires the same urgency. Prioritize remediation using two criteria: how close the starting node is to the edge of the organization (internet-facing, phishable users, compromised vendor accounts) and how many paths pass through a given intermediate node.

Use the BloodHound node degree query to find chokepoint nodes:

MATCH (n)-[r]->(m)
WHERE NOT n:Base AND NOT m:Base
RETURN n.name, labels(n), count(r) AS outbound_edges
ORDER BY outbound_edges DESC
LIMIT 20

Nodes with high outbound edge counts are chokepoints. Removing or tightening a single ACE on a chokepoint node can sever dozens of attack paths simultaneously.

For ACE-based paths (GenericWrite, AddMember), the fix is to remove the ACE. Open ADSI Edit, navigate to the object, open Properties, go to Security, and remove the specific ACE. Document the change in your change management system with the ticket that authorized the original grant.

For delegation-based paths, disable delegation on accounts that do not need it. In AD PowerShell:

Set-ADUser -Identity svc_webservice -TrustedForDelegation $false
Set-ADAccountControl -Identity svc_webservice -AccountNotDelegated $true

For service accounts with SPNs that have RBCD misconfiguration, verify the msDS-AllowedToActOnBehalfOfOtherIdentity attribute is null if not intentionally configured:

Get-ADComputer -Identity WEBSERVER01 -Properties msDS-AllowedToActOnBehalfOfOtherIdentity |
Select-Object Name, msDS-AllowedToActOnBehalfOfOtherIdentity

Verifying Remediation Closed the Path

After making changes, re-run SharpHound and re-ingest the data. BloodHound CE keeps ingestion sessions separate, so you can compare old and new graphs. Run the same Cypher queries from before remediation and confirm the paths are gone.

For ACE changes, allow up to 15 minutes for AD replication before re-running SharpHound. If you made changes to multiple domain controllers directly, replication latency can cause inconsistent results. Force replication if needed:

repadmin /syncall /AdeP

Document each remediation in a structured format:

  • Date of finding
  • Edge type and source/target nodes
  • ACE or delegation attribute changed
  • Account that held the permission and how it was granted (delegation, inherited, explicit)
  • Ticket number for the change
  • Date of verification re-run
  • Result: path present or path absent

Schedule quarterly BloodHound runs as a recurring control. Attack paths re-emerge from provisioning mistakes, group policy changes, and shadow IT. Treat BloodHound output like a vulnerability scan: the finding is not closed until re-verification shows the path is gone.

The bottom line

BloodHound tells you what attackers already know about your environment. Defenders who run it quarterly and close the shortest paths to Tier 0 are orders of magnitude harder to compromise than those who rely on periodic penetration tests. Start with a DCOnly collection, query for GenericAll and AddMember paths to Domain Admins, fix the highest-degree chokepoint nodes first, and re-verify. The graph does not lie.

Frequently asked questions

Does running BloodHound/SharpHound alert defenders or generate SIEM events?

SharpHound generates LDAP queries that can appear as anomalous enumeration activity in environments with LDAP query monitoring enabled. To avoid false-positive alerts, coordinate with the SOC before collection, run from a known service account, and use DCOnly collection mode to minimize noise. Add the collection account and source host to a temporary SIEM exclusion for the duration of the run.

What is the difference between BloodHound CE and BloodHound Enterprise?

BloodHound Community Edition is the open-source version maintained by SpecterOps. It requires self-hosted infrastructure (Docker Compose), manual SharpHound runs, and manual analysis. BloodHound Enterprise is a SaaS platform that adds continuous collection, automated path scoring, Tier 0 posture tracking over time, and ticketing integrations. For defenders running ad-hoc quarterly assessments, CE is sufficient. For ongoing operational awareness, Enterprise provides persistent graph state.

How do I find ADCS ESC1 attack paths in BloodHound?

ESC1 paths appear when a certificate template allows the enrollee to specify a Subject Alternative Name (SAN) and the template is published on an Enterprise CA. In BloodHound CE with the ADCS edge support enabled, look for Enroll edges from broad groups (Domain Users, Authenticated Users) to certificate templates, then check the template for ENROLLEE_SUPPLIES_SUBJECT in the msPKI-Certificate-Name-Flag attribute. Certify.exe from SpecterOps can enumerate these directly: `Certify.exe find /vulnerable`.

How often should defenders run BloodHound collection?

At minimum, quarterly. After any significant AD change (domain or OU restructuring, service account provisioning projects, migration from legacy domains, merger activity), run a fresh collection immediately. Attack paths re-emerge from routine operations: a helpdesk technician granting GenericWrite to help a user reset their password, a provisioning script that grants AddMember to a service account, or a new computer object added to a delegation group.

Can BloodHound find attack paths that cross forest trusts?

Yes. SharpHound has a `--CollectionMethods Trusts` option that enumerates forest and domain trusts. For cross-forest paths to appear in the graph, you must run SharpHound in each trusted domain and ingest all ZIP files into the same BloodHound CE instance. The graph will then surface paths that leverage ExternalTrustedBy or CrossForestTrust edges, which are common in post-merger environments with legacy trust relationships that were never cleaned up.

How do I prioritize which BloodHound attack paths to remediate first?

Sort attack paths by shortest path length to a Tier 0 target (Domain Admin, Enterprise Admin, KRBTGT, Domain Controller computer objects). A 2-hop path from a service account to Domain Admin is a higher priority than a 15-hop path from a low-privileged user. Use BloodHound CE's built-in shortest path queries: 'Shortest Paths to Domain Admins' and 'Shortest Paths to Unconstrained Delegation Systems' expose the most critical paths. Within paths of equal length, prioritize removing edges from accounts with no interactive login requirement (service accounts, computer accounts) because those accounts are rarely monitored for suspicious behavior and provide persistent footholds. Breaking a single high-value edge in multiple paths provides compounding remediation value.

Sources & references

  1. BloodHound CE Documentation: SpecterOps
  2. An ACE Up the Sleeve: Designing Active Directory DACL Backdoors: Will Schroeder & Andy Robbins
  3. Certified Pre-Owned: Abusing Active Directory Certificate Services: SpecterOps
  4. Microsoft Tier Model for Active Directory Administrative Accounts

Free resources

25
Free download

Critical CVE Reference Card 2025–2026

25 actively exploited vulnerabilities with CVSS scores, exploit status, and patch availability. Print it, pin it, share it with your SOC team.

No spam. Unsubscribe anytime.

Free download

Ransomware Incident Response Playbook

Step-by-step 24-hour IR checklist covering detection, containment, eradication, and recovery. Built for SOC teams, IR leads, and CISOs.

No spam. Unsubscribe anytime.

Free newsletter

Get threat intel before your inbox does.

50,000+ security professionals read Decryption Digest for early warnings on zero-days, ransomware, and nation-state campaigns. Free, daily, no spam.

Unsubscribe anytime. We never sell your data.

Eric Bang
Author

Founder & Cybersecurity Evangelist, Decryption Digest

Cybersecurity professional with expertise in threat intelligence, vulnerability research, and enterprise security. Covers zero-days, ransomware, and nation-state operations for 50,000+ security professionals every morning.

Black Hat Giveaway

Win a $2,495 Black Hat pass.

Full-access to Black Hat USA 2026 in Las Vegas. Subscribe free to enter.

Joins Decryption Digest daily briefing. Unsubscribe anytime.

Giveaway: Black Hat USA 2026 Full-Access Pass ($2,495 value)

Details →
Daily Briefing

Subscribe to enter the giveaway

Every subscriber is automatically entered. You also get daily threat intel every morning: zero-days, ransomware, and nation-state campaigns. Free. No spam.

Already subscribed? You're already entered.

Giveaway

Win a $2,495 Black Hat USA 2026 pass.