BloodHound: Weaponizing Graph Theory for Active Directory Domination

For decades, assessing the security of an Active Directory (AD) environment was largely an exercise in examining lists. Red teams and system administrators would query AD for lists of users, lists of groups, and lists of permissions. They would manually cross-reference these flat structures, attempting to piece together the complex puzzle of privilege escalation. It was a tedious, error-prone process that inevitably missed the broader picture.

Then came BloodHound.

Released at DEF CON 24 by SpecterOps (specifically Andy Robbins, Rohan Vazarkar, and Will Schroeder), BloodHound fundamentally revolutionized AD security by shifting the paradigm from lists to graphs. By applying graph theory to the hidden, often accidental relationships within an enterprise environment, BloodHound transforms a sprawling, unintelligible Active Directory domain into a visual map of exploitable attack paths.

In this deep dive, we will explore the architecture of BloodHound, the foundational concepts of Graph Theory it relies on, its application by both threat actors (Offense) and defenders (Defense), and the strategic steps required to mitigate the attack paths it uncovers.

Core Concept: Why Graph Theory?

Active Directory is not merely a directory; it is a complex web of interconnected trusts, permissions, and sessions.

Consider a typical enterprise scenario:

• User A is a member of the IT Support group.
• The IT Support group has Local Administrator rights on Workstation 1.
• A Domain Admin (User B) is accidentally logged into Workstation 1, leaving their privileged credentials in memory.

If you look at these facts as separate lists, the danger isn't immediately obvious. However, if you represent them as nodes (entities) and edges (relationships) in a graph, a clear path emerges:

(User A) -> [MemberOf] -> (IT Support Group) -> [AdminTo] -> (Workstation 1) -> [HasSession] -> (User B / Domain Admin)

This simple graph illustrates a catastrophic vulnerability: By compromising User A (a low-privileged account), an attacker can easily pivot to Workstation 1, steal the Domain Admin's credentials from memory, and achieve total domain compromise.

BloodHound automates the discovery of these hidden, multi-hop attack paths—sometimes chaining together dozens of obscure permissions that no human could have manually correlated.

The Architecture of BloodHound

BloodHound is not a single tool, but rather an ecosystem consisting of three primary components working in concert:

A. The Ingestors (Data Collectors)

To build a graph, you first need data. BloodHound relies on data collectors, known as Ingestors, to query the target Active Directory environment. The most famous of these is SharpHound (written in C#).

SharpHound is typically executed by an attacker (or pentester) from a compromised, domain-joined machine. It reaches out to Domain Controllers and endpoints to collect crucial data points:

• ✓ User and Group memberships.
• ✓ Active user sessions (who is logged in where).
• ✓ Local Administrator group memberships on workstations and servers.
• ✓ Access Control Lists (ACLs) and Access Control Entries (ACEs).
• ✓ Trust relationships between domains.

Example SharpHound Command:

# Executing SharpHound from memory to collect all data types and zip the results
Invoke-BloodHound -CollectionMethod All -ZipFileName "corp_ad_data.zip"

Note: Because SharpHound generates significant LDAP and RPC traffic, its execution is often a massive, noisy event on the network—a key indicator for Blue Teams.

B. The Database (Neo4j)

Once SharpHound collects the raw JSON data, it must be imported into the backend database. BloodHound utilizes Neo4j, a highly optimized graph database engine designed specifically to handle highly interconnected data. Neo4j uses a query language called Cypher, which allows users to perform incredibly complex pathfinding queries in milliseconds.

C. The GUI (BloodHound App)

The frontend of BloodHound is an Electron-based application heavily built on JavaScript. It connects to the Neo4j database and visualizes the attack paths. The GUI provides built-in, pre-calculated queries (e.g., "Find Shortest Paths to Domain Admins") and allows advanced users to write raw Cypher queries for custom analysis.

Offensive Application: The Red Team Perspective

For specialized threat actors and Red Teams, BloodHound is entirely about discovering the path of least resistance.

Identifying "Tier 0" Assets

In AD security, "Tier 0" refers to the assets that control the domain—typically Domain Controllers, Domain Admins, and Enterprise Admins. The ultimate goal of an attacker is to reach Tier 0.

Once the initial ingestor data is loaded into the BloodHound GUI, an attacker simply executes the query: Shortest Paths to Domain Admins.

BloodHound instantly maps out the required steps. An attacker might discover that they don't need to crack complex passwords or find a zero-day exploit. Instead, they might find an attack path involving Excessive Privileges (ACL Abuse):

1. Compromise Helpdesk_User.
2. Helpdesk_User has GenericAll rights over Service_Account_A. (Meaning they can force a password reset on that account).
3. Service_Account_A has ForceChangePassword rights over a Domain Admin account.

By following the roadmap drawn by BloodHound, the attacker can execute these specific administrative changes and achieve domain dominance in minutes.

Advanced Cypher Example: Finding Unconstrained Delegation

Attackers can use raw Cypher queries to find very specific edge-case misconfigurations, such as servers with Unconstrained Delegation (which allow an attacker to steal Kerberos TGTs of anyone who authenticates to the server).

// Find all computers with Unconstrained Delegation allowed
MATCH (c:Computer {unconstraineddelegation:true})
RETURN c

Defensive Application: The Blue Team Perspective

While BloodHound was built as an offensive tool, it is equally—if not more—valuable to defenders.

Defenders have a massive advantage: they do not need to execute SharpHound stealthily. They can run ingestors regularly as highly privileged users to get a 100% complete map of the domain.

Continuous Attack Surface Management

A mature SOC or Identity & Access Management (IAM) team will run BloodHound internally on a regular schedule. By analyzing the output, they can:

1. Identify Accidental Privileges: Find developers who were accidentally granted Local Admin to critical servers, breaking the tiering model.
2. Verify the Tier Model: Ensure that Tier 0 assets (Domain Admins) never log into Tier 2 assets (Workstations), thereby preventing credential theft.
3. Prioritize Remediation: If a specific vulnerability exists on 100 machines, but BloodHound shows that only one of those machines acts as a pivot point to Domain Admin, the Blue Team knows exactly which machine to patch first.

BloodHound Enterprise

Recognizing the defensive value, SpecterOps released BloodHound Enterprise. Unlike the open-source tool, BHE runs continuously, providing automated attack path management and quantifying the "exposure risk" of the environment over time.

Detecting and Mitigating BloodHound

As a defender, you must both mitigate the attack paths BloodHound reveals and detect when an adversary is trying to use SharpHound in your network.

Detecting SharpHound (The Ingestor)

SharpHound's data collection methods are aggressively loud.

1. LDAP Profiling: SharpHound makes thousands of rapid LDAP queries to the Domain Controller to pull user and group data. SOCs should alert on distinct, high-volume LDAP query bursts originating from non-administrative workstations.
2. Remote Registry and RPC Traffic: To determine who has active sessions on endpoints or who is a local administrator, SharpHound connects to the srvsvc (Server Service) and winreg (Remote Registry) pipes over SMB (Port 445) on every single machine in the domain.
   • Detection: Alert on a single internal IP address attempting to connect to IPC$ or Port 445 across hundreds of internal workstations in a short timeframe.

Mitigating the Attack Paths

Remediating the paths found by BloodHound is the ultimate goal. The strategy typically involves:

1. Implementing Microsoft's Tier Model: Strictly logical separation. Domain Admins only log into Domain Controllers. Server Admins only log into Servers. Workstation Admins only log into Workstations. This severs the [HasSession] edges in the graph, killing credential dumping paths.
2. Cleaning up ACLs: Removing dangerous, delegated privileges (like GenericAll or WriteDacl) from standard user accounts over privileged objects.
3. Restricting Local Administrators: Using Group Policy or tools like Microsoft LAPS (Local Administrator Password Solution) to ensure that widespread Local Admin access is severely curtailed and randomized, stopping lateral movement dead in its tracks.

Conclusion

BloodHound fundamentally altered the landscape of Active Directory security. By proving that security is not just about the strength of individual nodes, but about the vulnerabilities hidden within the relationships between them, it exposed the fragile nature of modern enterprise networks.

For attackers, it remains an indispensable cartography tool for planning a silent, devastating takeover. For defenders, it is the ultimate mirror—forcing organizations to confront and untangle the chaotic, overgrown permissions of their environments before a threat actor does it for them.

Related Cybersecurity Guides and Tutorials:

PowerShell Remoting: The Double-Edged Sword of Enterprise Administration

DC Sync Attack: The Art of Impersonation

Mounting Devices and Shares in Linux: A Red Team Perspective

Golden dMSA Attack in Windows Server 2025: Understanding the New Domain Security Threat