How to Use BloodHound for Defensive Active Directory Path Analysis

Retool's new app builder is where AI-generated code ships safely
Building apps with AI is easy. Getting them to production safely is another story.
BloodHound was built by attackers for attackers: it answers the question 'given this compromised account, what is the fastest path to Domain Admin?' Every competent red team and APT group runs it against target environments. Defenders who have not run it themselves are operating blind.
Running BloodHound on your own environment reveals relationships that AD administrators do not know exist: the nested group membership that gives a helpdesk tier-1 account local admin rights on a server in a sensitive VLAN, the service account with AdminTo on 400 workstations because it was added to the local admins group at deployment and never removed, the domain admin who regularly logs into a workstation where their session can be hijacked.
Setup: BloodHound CE and SharpHound Collection
BloodHound Community Edition (self-hosted):
# Install via Docker Compose (simplest setup)
git clone https://github.com/SpecterOps/BloodHound.git
cd BloodHound/examples/docker-compose
docker compose up -d
# Access the web UI
open http://localhost:8080
# Default credentials are set during first login
Collect AD data with SharpHound:
SharpHound is the data collector: it enumerates AD objects, sessions, ACLs, and trust relationships using standard LDAP and SMB queries that generate Windows Event IDs 4624 (network logons) on every machine it queries. Defenders should document that SharpHound collection runs are authorized to avoid SIEM alerts during the scan.
# Download SharpHound from BloodHound GitHub releases
# Run as a domain user (does not require Domain Admin)
.\SharpHound.exe --CollectionMethods All --ZipFilename bloodhound-$(Get-Date -Format yyyyMMdd).zip
# Collection methods:
# All = Default + ACL + Container + GPOLocalGroup + LoggedOn
# Default = Sessions, LocalGroups, ObjectProps, Trusts
# LoggedOn = Find current user sessions on machines (more aggressive, requires local admin on targets)
# ACL = Collect full ACL data (slower, but reveals control paths)
# For stealth (minimal network noise, shorter collection window):
.\SharpHound.exe --CollectionMethods ObjectProps,Default --Stealth
Import the collected zip into BloodHound:
- In the BloodHound UI: Administration > File Ingest > Upload file
- Select the SharpHound zip file
- Wait for processing (~5-20 minutes depending on AD size)
Run SharpHound regularly: AD relationships change as groups are modified, systems are added, and users authenticate to different hosts. Run monthly to track whether remediated paths have re-appeared.
The Most Valuable Defensive Queries
BloodHound's power is in its pre-built and custom Cypher queries. These are the highest-value queries for defenders:
1. Shortest path from any owned principal to Domain Admin:
-- In BloodHound GUI: Pathfinding > From: any user > To: Domain Admins
-- Or via Cypher:
MATCH p=shortestPath(
(u:User {enabled: true})-[*1..]->(g:Group {name: "DOMAIN ADMINS@CORP.LOCAL"})
)
WHERE NOT u.name STARTS WITH 'krbtgt'
RETURN p LIMIT 10
2. Find all Kerberoastable users with paths to high-value targets:
MATCH (u:User {enabled: true, hasspn: true})
MATCH p=shortestPath(
(u)-[*1..]->(g:Group {name: "DOMAIN ADMINS@CORP.LOCAL"})
)
RETURN u.name, length(p) as PathLength
ORDER BY PathLength
This finds service accounts that are Kerberoastable AND have a path to Domain Admin: the highest-priority accounts to migrate to gMSAs or reset with 25+ character passwords.
3. Find accounts with AdminTo on many computers:
MATCH (u:User)-[r:AdminTo]->(c:Computer)
WHERE u.enabled = true
WITH u, count(c) as adminCount, collect(c.name)[..5] as sampleHosts
WHERE adminCount > 10
RETURN u.name, adminCount, sampleHosts
ORDER BY adminCount DESC
Service accounts or user accounts with local admin on many hosts are extremely high-value attack pivots. Any Kerberoastable account in this list should be treated as a critical finding.
4. Find computers with Domain Admin sessions (HasSession):
MATCH (c:Computer)-[:HasSession]->(u:User)-[:MemberOf*..]->(g:Group {name: "DOMAIN ADMINS@CORP.LOCAL"})
RETURN c.name, u.name
ORDER BY c.name
HasSession means BloodHound observed a domain admin account logged into that workstation or server during collection. An attacker who compromises that machine can steal the admin session. This is how most real-world AD compromises occur: compromise a workstation, find a domain admin session, steal the credentials.
5. Find principals that can reset Domain Admin passwords (GenericAll, GenericWrite, ForceChangePassword):
MATCH (n)-[r:GenericAll|GenericWrite|ForceChangePassword]->(u:User)
WHERE u.admincount = true
RETURN n.name, type(r), u.name
6. Find ACL attack paths (WriteDacl, Owns, GenericAll on sensitive groups):
MATCH p=(n)-[r:WriteDacl|Owns|GenericAll|WriteOwner|GenericWrite]->(g:Group)
WHERE g.name IN [
"DOMAIN ADMINS@CORP.LOCAL",
"ENTERPRISE ADMINS@CORP.LOCAL",
"SCHEMA ADMINS@CORP.LOCAL",
"GROUP POLICY CREATOR OWNERS@CORP.LOCAL"
]
RETURN p LIMIT 20
Briefings like this, every morning before 9am.
Threat intel, active CVEs, and campaign alerts, distilled for practitioners. 50,000+ subscribers. No noise.
Prioritizing and Remediating Findings
BloodHound will surface many findings. Prioritization should focus on the paths with the shortest length and highest exploitability:
Priority 1: Paths length 1-2 (immediate exploit):
- User directly MemberOf Domain Admins who should not be (remove from group)
- Domain Admin HasSession on a workstation (enforce admin tiering: domain admins should only log into Tier 0 assets like DCs and PAWs, never workstations)
Priority 2: Kerberoastable accounts with short paths to Domain Admin:
# For each identified high-risk Kerberoastable account:
# Option 1: Migrate to gMSA
New-ADServiceAccount -Name "gMSA-$ServiceName" \
-DNSHostName "$ServiceName.corp.local" \
-PrincipalsAllowedToRetrieveManagedPassword "ServiceHosts-SG"
# Option 2: Reset to a 25+ character random password
$pw = -join ((33..126) | Get-Random -Count 30 | ForEach-Object {[char]$_})
Set-ADAccountPassword -Identity svc-webapp \
-NewPassword (ConvertTo-SecureString $pw -AsPlainText -Force) -Reset
Priority 3: AdminTo relationships that should not exist:
# For each account with excessive AdminTo relationships:
# Audit via Group Policy which groups are in the local Administrators group
# Use Restricted Groups GPO to enforce a clean local admin list:
# Computer Configuration > Windows Settings > Security Settings >
# Restricted Groups > Administrators > Members: Only Domain\Domain Admins + Domain\Local-Server-Admins
Priority 4: ACL paths (WriteDacl, GenericAll on privileged groups):
# Review and remove excess permissions on sensitive AD objects
# Remove GenericAll from any user/service account not needing it:
$acl = Get-Acl "AD:\CN=Domain Admins,CN=Users,DC=corp,DC=local"
$acl.Access | Where-Object {
$_.IdentityReference -notmatch "Domain Admins|Enterprise Admins|SYSTEM"
} | ForEach-Object { Write-Host $_.IdentityReference, $_.ActiveDirectoryRights }
Track remediation: Export BloodHound query results to CSV, create Jira/Linear tickets for each finding category, and re-run BloodHound monthly to verify paths are eliminated.
The bottom line
BloodHound reveals AD attack paths that are invisible in standard AD tools: the nested group chain that gives a helpdesk account admin access to a CFO's laptop, or the service account that is Kerberoastable and has AdminTo on 200 hosts. Run SharpHound with 'All' collection methods monthly as a domain user, import to BloodHound CE, and prioritize findings by path length. The three highest-value remediation actions: enforce domain admin tiering (no DA sessions on workstations), migrate Kerberoastable accounts with short paths to DA into gMSAs, and remove unintended AdminTo relationships via Restricted Groups GPO.
Frequently asked questions
How do defenders use BloodHound?
Defenders use BloodHound to find Active Directory attack paths before attackers do. Run SharpHound to collect AD relationship data, import it into BloodHound CE, then query for: shortest paths from domain users to Domain Admin, Kerberoastable service accounts with short paths to privileged groups, accounts with HasSession on systems with domain admin sessions, and users with excessive AdminTo relationships. Remediate the shortest-path findings first, as these are immediately exploitable.
What does BloodHound find in Active Directory?
BloodHound maps AD relationships including: MemberOf (group membership, including nested), AdminTo (local admin rights), HasSession (logged-in user sessions), CanRDP (RDP access), and ACL edges (GenericAll, WriteDacl, ForceChangePassword). Combined, these reveal the attack paths an attacker needs to escalate from any user to Domain Admin: paths that are invisible in standard AD reporting but obvious in BloodHound's graph visualization.
How do defenders use BloodHound to reduce Active Directory attack surface?
Defense-focused BloodHound workflow: run SharpHound to collect data, import to BloodHound, then run the built-in analysis queries: 'Shortest Paths to Domain Admins', 'Find Computers where Domain Users are Local Admin' (a common over-privilege finding), and 'Find Principals with DCSync Rights'. For each attack path found, eliminate the shortest paths first: remove direct edges rather than trying to remove the destination node. Common remediations include removing excessive group membership, eliminating unnecessary local admin rights using LAPS, and fixing ACL misconfigurations that allow GenericWrite or WriteDacl on privileged accounts.
What is the difference between BloodHound Community Edition and BloodHound Enterprise?
BloodHound Community Edition (BHCE) is the original free, open-source version for point-in-time analysis: you collect data, import it, and analyze attack paths in a Neo4j database. It requires manual operation and does not track changes over time. BloodHound Enterprise (BHE, commercial) provides continuous Attack Path Management: automated data collection on a schedule, trend tracking showing whether attack paths are increasing or decreasing, integration with ticketing systems, and prioritized remediation guidance with business context. For most organizations, Community Edition is sufficient for an initial Active Directory security assessment. BloodHound Enterprise is justified when Active Directory security requires continuous governance and tracking.
What is SharpHound and is it safe to run in production?
SharpHound is the official BloodHound data collector: a C# executable that queries Active Directory via LDAP and remotely enumerates local administrators and active sessions. Running SharpHound in production generates LDAP queries and remote registry/SMB connections to domain-joined hosts, which may trigger EDR or SIEM alerts (the behavior is identical to legitimate BloodHound use by attackers). Before running: inform your security team and suppress false positive alerts for the collection window. SharpHound does not make any changes to Active Directory and does not require Domain Admin: standard domain user credentials are sufficient for most data collection. All data stays local and is never transmitted to external systems.
How do you remediate attack paths identified in BloodHound without breaking legitimate IT operations?
Prioritize paths by exploitability and blast radius: start with any path that gives a low-privileged user a route to Domain Admin in three hops or fewer, since these represent the highest-risk exposures. For each path, identify the weakest link -- typically an over-permissioned group membership, an unconstrained delegation setting, or a local admin relationship on a tier-0 adjacent server. Before removing group memberships or delegations, confirm with the system owner which business function the permission supports. Use a staging approach: document the current state, implement the change in a test or lower-tier environment first, then move to production during a maintenance window. Common remediations include: removing accounts from AdminSDHolder-protected groups they do not need, replacing broad local admin assignments with LAPS-managed local credentials, converting unconstrained delegation to resource-based constrained delegation, and enforcing Protected Users security group membership for privileged accounts. After changes, re-run SharpHound and verify the path no longer appears in BloodHound before closing the remediation ticket.
Sources & references
Free resources
Critical CVE Reference Card 2025–2026
25 actively exploited vulnerabilities with CVSS scores, exploit status, and patch availability. Print it, pin it, share it with your SOC team.
Ransomware Incident Response Playbook
Step-by-step 24-hour IR checklist covering detection, containment, eradication, and recovery. Built for SOC teams, IR leads, and CISOs.
Get threat intel before your inbox does.
50,000+ security professionals read Decryption Digest for early warnings on zero-days, ransomware, and nation-state campaigns. Free, daily, no spam.
Unsubscribe anytime. We never sell your data.

Founder & Cybersecurity Evangelist, Decryption Digest
Cybersecurity professional with expertise in threat intelligence, vulnerability research, and enterprise security. Covers zero-days, ransomware, and nation-state operations for 50,000+ security professionals every morning.
Win a $2,495 Black Hat pass.
Full-access to Black Hat USA 2026 in Las Vegas. Subscribe free to enter.
