BloodHound
Collect data with SharpHound
Run on domain-joined machine — Generates ZIP for BloodHound
.\SharpHound.exe -c All
# Or PowerShell:
Import-Module .\SharpHound.ps1
Invoke-BloodHound -CollectionMethod All -OutputDirectory C:\Temp
Collect with BloodHound.py (from Linux)
Remote collection without touching target — Uses LDAP
bloodhound-python -u user -p 'password' -d domain.local -ns $DC_IP -c all
Start BloodHound
Launch Neo4j and BloodHound GUI — Import collected data
sudo neo4j console &
bloodhound &
# Drag and drop the ZIP file into BloodHound
Key queries to run
Find attack paths — These reveal the fastest routes to DA
- Find all Domain Admins
- Shortest Paths to Domain Admins from Owned Principals
- Find Kerberoastable Users with Most Privileges
- Find AS-REP Roastable Users
- Shortest Paths to High Value Targets
- Find Computers with Unconstrained Delegation
- Find Principals with DCSync Rights
Mark owned users
Right-click users you've compromised — BloodHound recalculates paths
Right-click user > Mark User as Owned
Then run: "Shortest Paths to Domain Admins from Owned Principals"
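
The recalculation described above, as an added example (not part of the original page and not BloodHound's own code): a breadth-first search over a small constructed graph shows why marking a principal as owned changes the result, and which single relationship a defender can remove to break the path. All node names and edges are made up, and the function names are hypothetical.

```python
from collections import deque

# Constructed sample graph: (source, relationship, target) edges in the
# style BloodHound draws them. Every name here is made up.
TARGET = "DOMAIN ADMINS@CORP.LOCAL"
EDGES = [
    ("ALICE@CORP.LOCAL", "MemberOf", "HELPDESK@CORP.LOCAL"),
    ("HELPDESK@CORP.LOCAL", "AdminTo", "WS01.CORP.LOCAL"),
    ("WS01.CORP.LOCAL", "HasSession", "SVC_BACKUP@CORP.LOCAL"),
    ("SVC_BACKUP@CORP.LOCAL", "MemberOf", TARGET),
    ("BOB@CORP.LOCAL", "MemberOf", "DOMAIN USERS@CORP.LOCAL"),
]

def shortest_path(edges, owned, target):
    """Multi-source BFS from every owned node. Returns the shortest path
    as a list of (source, relationship, target) hops, or None."""
    adjacency = {}
    for src, rel, dst in edges:
        adjacency.setdefault(src, []).append((rel, dst))
    parent = {node: None for node in owned}  # node -> edge used to reach it
    queue = deque(owned)
    while queue:
        node = queue.popleft()
        if node == target:
            path = []
            while parent[node] is not None:
                path.append(parent[node])
                node = parent[node][0]
            return path[::-1]
        for rel, dst in adjacency.get(node, []):
            if dst not in parent:
                parent[dst] = (node, rel, dst)
                queue.append(dst)
    return None

def path_after_removing(edges, owned, target, removed_edge):
    """Re-run the search with one relationship remediated (removed)."""
    remaining = [edge for edge in edges if edge != removed_edge]
    return shortest_path(remaining, owned, target)

if __name__ == "__main__":
    print("nothing owned:", shortest_path(EDGES, [], TARGET))
    path = shortest_path(EDGES, ["ALICE@CORP.LOCAL"], TARGET)
    for src, rel, dst in path:
        print(f"{src} -[{rel}]-> {dst}")
    # Removing the helpdesk group's local admin right breaks the path.
    print("after fix:", path_after_removing(
        EDGES, ["ALICE@CORP.LOCAL"], TARGET, path[1]))
```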