Part 3. Windows security: reconnaissance of Active Directory environment with BloodHound.

Collecting information about the domain environment with SharpHound

A program that collects domain environment data – SharpHound is a component of the BloodHound tool. The collection of environmental data starts when SharpHound.exe is run on one of the computers.

The entire BloodHound package can be downloaded (Figure 32) from the address:

After downloading and attempting to run the SharpHound software (SharpHound.exe or SharpHound.ps1 to run in memory without dumping the .exe file to disk), a Microsoft Defender software prompt will be reported, which can be ignored in this experiment (Figure 33).

Figure 32. downloading the BloodHound tool from GitHub (the figure refers to: Windows workstation or Windows Server)
Figure 33. Microsoft Defender antivirus detects the SharpHound hack tool from BloodHound, classifying it as Hack Tool malware (the figure refers to: Windows workstation or Windows Server)

An example of a command that invokes SharpHound (Figure 3) might look as below:

.\SharpHound.exe –domain

All parameters for calling SharpHound are described in the documentation. The program can be run on Windows Server, on a Windows workstation connected to a domain, or even on a workstation not connected to a domain (Figure 26 earlier).

When the reconnaissance is complete, SharpHound will terminate with the message: Happy Graphing!, and a ZIP archive with the collected data will appear in a folder next to the program (Figure 3). The ZIP file can be transferred outside the tested Active Directory environment for analysis on your own computer.

Red teams and other attackers will, of course, want to move the data collected in the ZIP archive out of sight.

Figure 34. Start collecting data on a domain environment with the SharpHound tool (the figure refers to: Windows workstation or Windows Server)

Among the data-collecting programs included with the SharpHound tool, you can find a PowerShell script called SharpHound.ps1, which starts the SharpHound tool in memory without dumping the file to the computer’s disk (Figure 35). This is to avoid detection of the tool by antivirus and EDR (Endpoint Detection and Response) systems.

Figure 35. Running SharpHound in RAM without dropping the file to the computer’s disk (the figure refers to: any computer).

In addition, the SharpHound.exe command line has parameters such as:

  • EncryptZip – protect the created ZIP archive with a random password,
  • RandomizeFilenames – applying random names to created files,
  • Throttle and Jitter – use of random delay values in milliseconds between scans of individual computers,
  • NoSaveCache – not creating a cache file on disk so that it is not easily detected by antivirus or EDR software.

Visualizing data in graph form using BloodHound

In order to analyze the Active Directory environment for complex attack paths and dangerous links, the ZIP archive file created in the earlier step should be imported into the Neo4j database via the BloodHound graphical interface.

In order to run the data visualizer, it is necessary to install the mandatory software in the form of Oracle JDK and the Neo4j database. Oracle JDK version 11 can be downloaded from:

The Java environment is needed to run the Neo4j database server. The Community version of the Neo4j server can be downloaded from:

With the command:

neo4j.bat console

you can start the server in a command line window, then if you close the console, the server will also stop.

It is also possible to install the Neo4j server as a service on Windows with the command:

neo4j.bat install-service

Running the Neo4j server at the command line is shown in Figure 5. Be sure to keep the server running while using BloodHound.

Figure 36. Starting the Neo4j server whose database BloodHound uses (the figure refers to: any computer).

When starting Neo4j for the first time, change the password. The default username and password is neo4j:neo4j (Figure 37)

To change the password, open http://localhost:7474/ in a web browser and set a new password for the Neo4j database in the form (Figure 38).

Figure 37. logging in via the web application to the Neo4j server (the figure refers to: any computer)
Figure 38. changing the password to the Neo4j server through the web application (the figure refers to: any computer)

After this procedure, it is possible to log in to BloodHound (Figure 39).

Figure 39. BloodHound visualizer login screen (the figure refers to: any computer).

To be sure, check that the Neo4j database server is running in the background. Next, you can log into BloodHound and drag the ZIP archive file with data generated earlier by SharpHound over the program window (Figure 40).

Figure 40. Information about objects in the Neo4j database presented by BloodHound (the figure refers to: any computer).

The initial visualization in Figure 10 shows the users (MemberOf attribute) of the Domain Admins group. You can read more about groups at: Active Directory Security Groups | Microsoft Docs.

Users who are members of the Domain Admins group can manage the domain and are the default owners of any object created in the Active Directory domain.

In addition, the Domain Admins group controls access to all controllers in the domain and can modify the membership of all accounts, including those with administrator rights in the domain.

Figure 41. A query finding all users belonging to the Domain Admins group in the database (the figure refers to: any computer)

BloodHound software has a built-in set of ready-made queries (Table 1) that will help you find dangerous relationships between objects in Active Directory and other valuable information.

Note: Without preparing an advanced test environment, many queries may not return any results. Therefore, running an example for each query is beyond the scope of this text.

Table 1. Selected queries of BloodHound with description

Find all Domain AdminsFinds all accounts belonging to the Domain Admins group
Find Computers where Domain Users are Local AdminFinds computers where domain user accounts have local admin rights
Find All Paths from Domain Users to High Value TargetsFinds all paths from domain user accounts to nodes marked as high value targets on the graph
Find Workstations where Domain Users can RDPFinds workstations where domain user accounts can connect via remote desktop
Find Servers where Domain Users can RDPFinds servers where domain user accounts can connect via remote desktop
Find Dangerous Rights for Domain Users GroupsFinds dangerous access rights for domain user account groups
Shortest Paths to High Value TargetsFinds the shortest path to nodes marked as high value targets on the graph
Shortest Paths from Domain Users to High Value TargetsFinds the shortest path from domain users accounts to nodes marked on the graph as high value targets
Find Shortest Paths to Domain AdminsFinds shortest paths to user accounts from Domain Admins group

The graph presented by the BloodHound tool consists of nodes. By clicking the right mouse button, it is possible to view the properties of a given node (Figure 42). It is possible to edit, delete, set as start, end, owned, high value , and even find the shortest path going to that node.

Figure 42. Properties of the selected graph node – here the user daisy in the domain (the figure refers to: any computer)

The example in Figure 43. shows groups with administrator rights by typing in the search field:


Other prepends are as follows:

  • Group
  • Domain
  • Computer
  • User
  • OU (organizational unit)
  • GPO (group policy objects)

An important clue for the uninitiated is that administrators are not just a group of Domain Admins. There can be more groups, as shown in Figures 12 and 13.

Figure 43. BloodHound search window (the figure refers to: any computer).
Figure 44. Search query for users of the Enterprise Admins group (the figure refers to: any computer)

When reconstructing the attack path during post-breach analysis, the ability to mark nodes as owned proves to be a useful option. This makes it possible to look for paths leading both from compromised machines or accounts and to compromised objects (Figure 45).

Figure 45. Marking a graph node as compromised (owned) adds a skull icon next to the object

Individual graph nodes can have a high value designation, which means a high-value object. What is meant here is the value to the attacker, such as a user with high rights or having valuable data on his machine. Some nodes (such as a domain controller) are marked as high value by default. An example of marking an account as high value (diamond icon) is shown in Figure 46.

Figure 46. Marking nodes with a diamond icon denoting a high-value object for an attacker (the figure refers to: any computer)

As a simple experiment, let’s try to find the shortest path from the computer FINWVIR1000000 marked in Figure 45. as compromised to the user account DOLORES_GARRISON marked in Figure 46. as a high value object. The option that launches the search for the shortest path between the mentioned objects is shown in Figure 47.

Figure 47. Menu option to find the shortest path to a node from an object previously marked as compromised (the figure refers to: any computer)

The attack path in Figure 48. from the compromised machine FINWVIR1000000 leads through various groups, and the MemberOf attribute indicates that no abuse is needed because the computer is a member of these security groups. Following the path by sight after the MemberOf attribute five times, the GenericAll attribute appears, indicating that the compromised machine belonging to these security groups has full rights to the ANTOINE_GILES user account. Further this account is a member of the MA-TEQUIEROO-ADMINGROUP1 group, which has full rights (GenericAll) to the AWSWSECS1000001 computer, which has GenericAll rights to the user account marked as a high-value resource.

Figure 48. The shortest path from a compromised machine (skull icon) to a high-value account (diamond icon) (the figure refers to: any computer)

In most cases, both red teams and other attackers look for the shortest path to high-privileged user accounts. An example attack might start by infecting the user’s end workstation, and then include attempts at privilege escalation to take the shortest path further (Figure 49) to perform lateral movement from device to device and get to the domain controller, securing administrator rights. For this reason, the BloodHound tool can be very helpful during post-breach analysis to reconstruct a potential attack path.

Another practical example would be to mark the FREDERIC_MIDDLETON account as compromised and try to find a path leading from that account to a high-value resource such as a group of domain controllers (Figure 49).

Figure 49. Determining the path between nodes through search fields (the figure refers to: any computer).

It is possible to impose filters on attributes in the graph as shown in Figure 50. For example, checking CanRDP when searching for paths will include objects in the graph that have the right to connect via a remote desktop. This allows attackers, for example, to look for attack vectors with set attributes.

Figure 50. Filtering attributes to be taken into account when determining paths (the figure refers to: any computer)

BloodHound also allows you to add nodes, connections between them, organize the layout, and even import and export the graph (Figure 51).

Figure 51. Graph pop-up menu in BloodHound program (the figure refers to: any computer).

As you can see, the examples shown are just the tip of the iceberg, as the capabilities of the BloodHound tool are truly vast. When combined with the BadBlood script, you can create an Active Directory environment to train blue teams in detecting dangerous links and attack paths.

Finally, it is worth remembering not to run the BadBlood tool on production systems, as this can create a lot of random objects and the changes will be difficult to reverse.

A few words of summary

The aforementioned examples clearly illustrate that the links between any objects in an Active Directory environment should be reviewed and analyzed for hidden dangers. It’s worth mentioning that the CrowdStrike website already  described the ethical use of the BloodHound tool in 2018, which involves much easier detection of user accounts created by attackers as back doors providing unauthorized access to the Active Directory environment. Hidden accounts of this type can be used, for example, to take valuable data out of an enterprise.

BloodHound software is also another perfect example of how many cyber security tools can serve both good and bad purposes.

Table of Contents

BloodHound: Six Degrees of Domain Admin — BloodHound 3.0.3 documentation |

BloodHound, Software S0521 | MITRE ATT&CK® |

Hidden Administrative Accounts: BloodHound to the Rescue ( |

GitHub – davidprowe/BadBlood: BadBlood by @davidprowe, |

BloodHound – Sniffing Out the Path Through Windows Domains | SANS Institute |

BloodHound with Kali Linux: 101 – Red Teaming Experiments ( |

How to Detect and Block Bloodhound Attacks | CrowdStrike |

Active Directory Security Groups — Windows security |