# BloodHound Attack Path Analysis

Graph-based analysis tool that reveals hidden attack paths in Active Directory by mapping relationships between domain objects.
BloodHound is an open-source tool that uses graph theory to reveal hidden and complex attack paths within Active Directory environments. It maps relationships between AD objects to identify the shortest path an attacker could take from any compromised account to domain admin privileges or other high-value targets.
BloodHound exists because Active Directory attack paths are fundamentally invisible to traditional security tools. Security teams can see individual ACL entries, group memberships, and user sessions, but they cannot see the transitive relationships that create unintended privilege escalation paths. A helpdesk user might have password reset permissions on a service account that has local admin rights on a server where a domain admin has an active session. Each individual permission appears benign, but the combination creates a path from helpdesk to domain admin that remains invisible until mapped as a graph.
The tool emerged from the offensive security community as a way to automate the tedious manual process of AD enumeration and privilege analysis. Attackers had been following these logical paths for years, but doing so required deep expertise and significant time investment. BloodHound automated the discovery process, making sophisticated AD attack techniques accessible to less experienced operators.
For defenders, BloodHound represents the first practical tool for proactive AD hardening at scale. Organizations with thousands of users and complex nested group structures can now identify dangerous privilege paths before attackers discover them. The tool transforms AD security from reactive patching to proactive architecture analysis, fundamentally changing how security teams approach identity infrastructure protection.
BloodHound operates through a two-phase process: data collection via SharpHound and analysis through a Neo4j graph database interface. Understanding both phases is essential for effective deployment.
## Data Collection Phase
The SharpHound collector is a .NET assembly that queries Active Directory through standard LDAP and SMB protocols. SharpHound does not exploit vulnerabilities or use privileged access beyond what any domain user possesses. It queries publicly readable AD attributes and attempts SMB connections to enumerate local group memberships and active sessions.
SharpHound collects six primary data types. User objects include standard attributes like group memberships, password policies, and Kerberos settings. Group objects capture membership hierarchies and nested group relationships. Computer objects include operating system details, local admin group memberships, and service principal names. Session data identifies where users have active or recent logon sessions. ACL data captures discretionary access control lists that define who can modify AD objects. Trust relationships map inter-domain and inter-forest trust configurations.
The collector can run in multiple modes depending on operational requirements. Stealth mode reduces query frequency and SMB connection attempts to minimize detection by security monitoring tools. Loop mode continuously collects session data to capture the dynamic nature of user logons across the environment. The collector can target specific OUs, domains, or computer groups rather than performing enterprise-wide collection.
Collection typically generates JSON files containing graph nodes and relationships. A medium-sized organization (5,000 users, 2,000 computers) produces approximately 50-100 MB of data. Large enterprises can generate several gigabytes, particularly when collecting comprehensive session data across multiple domains.
## Analysis Phase
The collected data imports into a Neo4j graph database where AD objects become nodes and relationships become edges. Neo4j's Cypher query language enables complex graph traversal operations that reveal attack paths spanning multiple privilege transitions.
BloodHound's pre-built queries address the most common attack scenarios. "Shortest Paths to Domain Admins" identifies the minimum number of privilege hops required from any starting user to domain administrator rights. "Kerberoastable Users" finds service accounts with weak password policies that can be cracked offline, then maps their privilege paths. "Computers with Unconstrained Delegation" identifies systems that can impersonate any domain user, a critical security vulnerability.
Custom Cypher queries enable targeted analysis for specific scenarios. Analysts can identify all paths from externally accessible service accounts, find computers where privileged users have active sessions, or map privilege paths through specific OUs or security groups. The graph structure makes complex multi-hop relationships visible and queryable.
The tool excels at revealing transitive permissions that accumulate through nested group memberships. A user in Group A might inherit permissions to modify Group B, which has permissions to modify Group C, which contains domain administrators. Each individual permission appears reasonable, but the transitive relationship creates an unintended privilege escalation path.
## Practical Attack Path Examples
Consider a typical enterprise attack path: an attacker compromises a service account through password spraying, discovers it has local admin rights on a file server, extracts credentials from memory on that server, and finds domain admin credentials cached from a recent administrative session. BloodHound maps this exact sequence as a graph path, showing the relationship between the initial service account and domain admin privileges.
Another common scenario involves help desk personnel with password reset permissions. A help desk user with reset rights on service accounts can change their passwords, log in as those accounts, and inherit whatever permissions those service accounts possess. If a service account has local admin rights on critical servers, the help desk user effectively has those same rights through password reset permissions.
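The three situations described in this article (the nested group chain, the service account with local admin rights on a server holding a domain admin session, and the help desk password reset right) as a worked example in Python. This is an added example, not BloodHound's or SharpHound's own code: the edge list is constructed by hand in a simplified (source, relationship, target) form rather than SharpHound's real JSON, and all principal and host names are invented. The breadth-first search plays the role of Neo4j's shortestPath() in the "Shortest Paths to Domain Admins" query; the block also reports the fraction of users within a given number of hops of Domain Admins and which single edge sits on the most paths, which is the chokepoint a defender would remediate first.

```python
"""Shortest attack paths to Domain Admins over a BloodHound-style edge list.
Added example, not BloodHound's code. Edges and names below are constructed;
relationship names follow BloodHound's vocabulary."""
from collections import Counter, deque

TARGET = "DOMAIN ADMINS@CORP.LOCAL"

# Constructed (source, relationship, target) triples. As in BloodHound, a
# HasSession edge points from the computer to the user logged on to it.
EDGES = [
    # Nested group chain: rights over Group B lead to Group C, a DA member.
    ("ALICE@CORP.LOCAL", "MemberOf", "GROUP A@CORP.LOCAL"),
    ("GROUP A@CORP.LOCAL", "GenericAll", "GROUP B@CORP.LOCAL"),
    ("GROUP B@CORP.LOCAL", "GenericAll", "GROUP C@CORP.LOCAL"),
    ("GROUP C@CORP.LOCAL", "MemberOf", TARGET),
    # Service account is local admin on a file server where a DA has a session.
    ("SVC_BACKUP@CORP.LOCAL", "AdminTo", "FS01.CORP.LOCAL"),
    ("FS01.CORP.LOCAL", "HasSession", "DA_BOB@CORP.LOCAL"),
    ("DA_BOB@CORP.LOCAL", "MemberOf", TARGET),
    # Help desk group can reset that service account's password.
    ("HELPDESK_CAROL@CORP.LOCAL", "MemberOf", "HELPDESK@CORP.LOCAL"),
    ("HELPDESK@CORP.LOCAL", "ForceChangePassword", "SVC_BACKUP@CORP.LOCAL"),
    # Ordinary user with no path at all.
    ("DAVE@CORP.LOCAL", "MemberOf", "DOMAIN USERS@CORP.LOCAL"),
]

# User principals in the collection (a tuple, so iteration order is stable).
USERS = ("ALICE@CORP.LOCAL", "SVC_BACKUP@CORP.LOCAL", "DA_BOB@CORP.LOCAL",
         "HELPDESK_CAROL@CORP.LOCAL", "DAVE@CORP.LOCAL")


def build_graph(edges):
    """Adjacency list: node -> list of (relationship, neighbour)."""
    graph = {}
    for src, rel, dst in edges:
        graph.setdefault(src, []).append((rel, dst))
    return graph


def shortest_path(graph, start, target):
    """BFS from `start`; returns the hop-minimal path as (src, rel, dst) steps,
    or None if unreachable. Same quantity as Neo4j's shortestPath()."""
    if start == target:
        return []
    parent = {start: None}
    queue = deque([start])
    while queue:
        node = queue.popleft()
        for rel, nxt in graph.get(node, ()):
            if nxt in parent:
                continue
            parent[nxt] = (node, rel)
            if nxt == target:
                steps = []
                while parent[nxt] is not None:   # walk back to `start`
                    prev, r = parent[nxt]
                    steps.append((prev, r, nxt))
                    nxt = prev
                return steps[::-1]
            queue.append(nxt)
    return None


def paths_to(graph, users, target):
    """Map every user that can reach `target` to its shortest path."""
    paths = {}
    for user in users:
        path = shortest_path(graph, user, target)
        if path is not None:
            paths[user] = path
    return paths


def exposure_ratio(paths, users, max_hops):
    """Fraction of users with a path to the target of at most `max_hops` edges."""
    exposed = sum(1 for u in users if u in paths and len(paths[u]) <= max_hops)
    return exposed / len(users)


def chokepoints(paths, target):
    """Edges ranked by how many shortest paths traverse them. Direct MemberOf
    edges into the target group are skipped: those are the intended admins,
    not something remediation can remove."""
    counts = Counter()
    for steps in paths.values():
        for src, rel, dst in steps:
            if dst == target and rel == "MemberOf":
                continue
            counts[(src, rel, dst)] += 1
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))


def format_path(steps):
    """Render a path as BloodHound-style 'A -[Rel]-> B' text."""
    if not steps:
        return "(already the target)"
    return steps[0][0] + "".join(f" -[{r}]-> {d}" for _, r, d in steps)


if __name__ == "__main__":
    graph = build_graph(EDGES)
    paths = paths_to(graph, USERS, TARGET)
    for user in USERS:
        print(user, "->", format_path(paths[user]) if user in paths else "no path")
    print("users within 3 hops of DA:", exposure_ratio(paths, USERS, 3))
    print("top chokepoint:", chokepoints(paths, TARGET)[0])
```

On this constructed data the top chokepoint is the FS01 HasSession edge: two of the four paths run through the domain admin's session on the file server, so keeping privileged accounts off tier-1 servers removes more paths than touching any single ACL.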
## Integration and Automation
BloodHound integrates with other security tools through its REST API and database access. Security teams automate collection through scheduled tasks, import data into SIEM platforms for correlation with other security events, and generate reports for compliance and risk assessment purposes. Some organizations integrate BloodHound findings into their vulnerability management workflows, treating dangerous privilege paths as high-priority security vulnerabilities.
BloodHound fundamentally changed how organizations approach Active Directory security by making attack path analysis accessible to security teams without specialized AD expertise. The business impact extends far beyond technical security improvements.
## Risk Visibility and Quantification
Before BloodHound, organizations had limited visibility into their actual AD attack surface. Security teams knew their domain admin count and could audit specific permissions, but they could not answer fundamental questions: How many privilege escalation paths exist? Which users pose the highest risk if compromised? How quickly could an attacker reach critical assets from a typical compromise?
BloodHound quantifies these risks with specific metrics. Organizations discover they have hundreds of privilege escalation paths they never knew existed. A company believing it had strong privilege separation might find that 40% of standard users have paths to domain admin within three privilege hops. This visibility enables data-driven security decisions rather than assumptions about AD security posture.
## Operational Efficiency
Manual AD privilege analysis requires specialized expertise and enormous time investment. A security analyst might spend weeks manually tracing privilege paths that BloodHound identifies in minutes. This efficiency gain allows security teams to focus on remediation rather than discovery, fundamentally changing the economics of AD security.
The tool also improves incident response capabilities. When an account is compromised, responders can immediately identify what privileges the attacker potentially gained and which systems require additional monitoring or isolation. This rapid damage assessment enables more targeted and effective incident response.
## Compliance and Governance
Many compliance frameworks require organizations to implement least privilege access controls and regularly audit user permissions. BloodHound provides concrete evidence of privilege separation effectiveness and identifies specific violations for remediation. Audit findings become actionable rather than vague recommendations to "improve access controls."
## Common Misconceptions and Failure Modes
Organizations often misunderstand BloodHound's operational requirements and limitations. The tool requires regular data collection because AD environments change constantly. Users log into different systems, group memberships change, and new permissions are granted. Stale BloodHound data provides false confidence in privilege separation that no longer exists.
Another common misconception is that BloodHound finds vulnerabilities. The tool identifies configuration weaknesses and architectural problems, but these are often the result of legitimate business requirements implemented without full understanding of their security implications. Remediation requires balancing security concerns with operational needs, not simply removing all identified paths.
Security teams sometimes focus exclusively on paths to domain admin while ignoring other high-value targets. Attackers might target specific application servers, database systems, or file shares rather than pursuing full domain control. Effective BloodHound analysis considers all high-value assets, not just traditional privilege escalation targets.
CDA approaches BloodHound analysis through our Zero Possession Architecture (ZPA) methodology: "Trust nothing. Possess nothing. Verify everything." This philosophy recognizes that traditional perimeter-based security assumptions fail in modern identity infrastructure environments where the real attack surface consists of privilege relationships rather than network boundaries.
BloodHound analysis falls primarily within the Identity Assurance Theater (IAT) domain because identity relationships are the fundamental attack vectors the tool maps. However, our implementation extends into Vulnerability Systems Defense (VSD) when using BloodHound findings to identify and remediate systemic AD architectural weaknesses.
## Operating Identity Infrastructure
CDA's approach differs from conventional security monitoring by emphasizing active operation of identity infrastructure rather than passive observation. Traditional security teams deploy BloodHound as a periodic assessment tool, running collection monthly or quarterly to generate point-in-time reports. CDA operators treat BloodHound as an operational intelligence platform that continuously informs identity architecture decisions.
Our Theater engagement methodology incorporates BloodHound analysis into routine IAT operations. Operators collect data as part of environment reconnaissance, analyze privilege paths during mission planning, and validate remediation effectiveness through follow-up collection. This operational approach treats identity privilege mapping as a core capability rather than an occasional audit activity.
## C-HARDEN Integration
CDA's C-HARDEN campaign tier includes specific missions focused on AD hardening informed by BloodHound findings. These missions move beyond simple privilege path identification to systematic architectural improvement. Operators identify privilege chokepoints where targeted changes eliminate multiple attack paths, prioritize remediation based on operational impact, and validate that changes achieve intended security improvements without breaking business functionality.
The ZPA principle of "possess nothing" directly applies to BloodHound analysis. Organizations cannot possess perfect knowledge of their privilege relationships because these relationships change constantly. Instead, they must continuously verify actual privilege structures against intended designs and maintain operational capabilities to rapidly identify and respond to dangerous privilege accumulations.
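Continuous verification between collection runs, and the follow-up collection that validates a remediation, as a worked example in Python. This is an added example, not BloodHound's code or any CDA tooling: both snapshots are constructed by hand in a simplified (source, relationship, target) form, the names are invented, and "Tier 0" is reduced to the Domain Admins group and its nested members. The block reports which edges appeared since the previous run and land on a Tier-0 principal, and which previously dangerous edges have disappeared.

```python
"""Drift between two SharpHound-style collections: new edges that land on
Tier-0 principals, and dangerous edges that are now gone. Added example,
not BloodHound's code; both snapshots and all names are constructed."""

TIER0_ROOTS = frozenset({"DOMAIN ADMINS@CORP.LOCAL"})

# Constructed snapshot from the previous collection run.
PREVIOUS = [
    ("DA_BOB@CORP.LOCAL", "MemberOf", "DOMAIN ADMINS@CORP.LOCAL"),
    ("SVC_BACKUP@CORP.LOCAL", "AdminTo", "FS01.CORP.LOCAL"),
    ("HELPDESK@CORP.LOCAL", "ForceChangePassword", "SVC_BACKUP@CORP.LOCAL"),
    ("ALICE@CORP.LOCAL", "MemberOf", "GROUP A@CORP.LOCAL"),
]

# Constructed follow-up snapshot: the help desk reset right was removed, but a
# DA now has a session on FS01, EVE gained GenericAll over DA_BOB, GROUP C was
# nested into Domain Admins, and SVC_BACKUP is admin on one more server.
CURRENT = [
    ("DA_BOB@CORP.LOCAL", "MemberOf", "DOMAIN ADMINS@CORP.LOCAL"),
    ("SVC_BACKUP@CORP.LOCAL", "AdminTo", "FS01.CORP.LOCAL"),
    ("ALICE@CORP.LOCAL", "MemberOf", "GROUP A@CORP.LOCAL"),
    ("FS01.CORP.LOCAL", "HasSession", "DA_BOB@CORP.LOCAL"),
    ("EVE@CORP.LOCAL", "GenericAll", "DA_BOB@CORP.LOCAL"),
    ("GROUP C@CORP.LOCAL", "MemberOf", "DOMAIN ADMINS@CORP.LOCAL"),
    ("SVC_BACKUP@CORP.LOCAL", "AdminTo", "FS02.CORP.LOCAL"),
]


def tier0_closure(edges, roots):
    """Every principal that is a direct or nested member of a Tier-0 group,
    found by walking MemberOf edges backwards (group -> members) from the roots."""
    members = {}
    for src, rel, dst in edges:
        if rel == "MemberOf":
            members.setdefault(dst, set()).add(src)
    closure, stack = set(roots), list(roots)
    while stack:
        group = stack.pop()
        for member in members.get(group, ()):
            if member not in closure:
                closure.add(member)
                stack.append(member)
    return closure


def new_tier0_exposures(previous, current, roots=TIER0_ROOTS):
    """Edges present now but not before whose target is inside the current
    Tier-0 closure. A new membership edge into the group itself is included,
    since a new domain admin is exactly the kind of change to review."""
    closure = tier0_closure(current, roots)
    added = set(current) - set(previous)
    return sorted(edge for edge in added if edge[2] in closure)


def resolved_edges(previous, current):
    """Edges that disappeared since the last run: evidence that a remediation
    took effect, or simply that a session ended (sessions are transient)."""
    return sorted(set(previous) - set(current))


if __name__ == "__main__":
    for src, rel, dst in new_tier0_exposures(PREVIOUS, CURRENT):
        print(f"NEW      {src} -[{rel}]-> {dst}")
    for src, rel, dst in resolved_edges(PREVIOUS, CURRENT):
        print(f"RESOLVED {src} -[{rel}]-> {dst}")
```

Because HasSession edges come and go with logons, a flagged session edge is a lead to investigate (why was a domain admin on a file server?) rather than a misconfiguration by itself; ACL and membership edges in the same report are the durable findings.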
## Conventional Security vs. CDA Approach
Conventional security approaches treat BloodHound as a compliance tool that generates reports demonstrating due diligence in access control auditing. CDA treats BloodHound as an operational intelligence platform that enables continuous identity infrastructure operation. We emphasize building internal capabilities to collect, analyze, and act on privilege path intelligence rather than outsourcing these capabilities to periodic consulting engagements.
This operational focus extends to remediation strategies. Conventional approaches often focus on removing individual dangerous permissions without considering the business processes that created them. CDA operators analyze why dangerous privilege paths exist, identify the underlying business requirements, and develop architectural changes that meet business needs without creating unintended attack paths.
• BloodHound reveals transitive privilege relationships in Active Directory that remain invisible to traditional security tools, enabling proactive identification of attack paths before attackers discover them.
• The tool operates through automated data collection via standard AD protocols followed by graph-based analysis that maps privilege escalation paths across complex organizational structures.
• Effective BloodHound deployment requires regular data collection and analysis because AD environments change constantly, making stale data a source of false security confidence.
• Organizations must balance BloodHound findings against business operational requirements, as many identified paths result from legitimate business needs rather than misconfigurations.
• CDA integrates BloodHound into operational identity infrastructure management rather than treating it as a periodic audit tool, emphasizing continuous privilege path monitoring and remediation.
Written by CDA Editorial