BloodHound
What is BloodHound?
An open-source tool that uses graph theory to map and analyze Active Directory and Azure AD attack paths to high-value targets like Domain Admin.
BloodHound is an open-source attack-path analysis tool created by Andy Robbins, Will Schroeder, and Rohan Vazarkar, and now maintained by SpecterOps. A collector (SharpHound or AzureHound) gathers users, groups, sessions, ACLs, and trust relationships from Active Directory and Entra ID, then the BloodHound UI renders them as a Neo4j graph that highlights the shortest path from any compromised principal to high-value assets. Red teams use it for privilege-escalation planning, while blue teams use the same graphs to prioritize hardening (Tier 0, ACL pruning, group-membership reductions). Collection requires read access to the directory and is noisy enough to be detectable.
● Examples
- 01: Visualizing the shortest path from a help-desk user to Domain Admin via group nesting.
- 02: Blue team using BloodHound to remove unused DCSync rights from legacy service accounts.
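A toy version of the shortest-path analysis described above, added here as an example and not BloodHound's own code; the tiny directory graph, the principal names and the edge labels are constructed for illustration and mirror the two examples (help-desk user to Domain Admins, and auditing who holds DCSync rights):

```python
from collections import deque

# Constructed sample graph (not real data): BloodHound-style directed edges
# of the form (source, relationship, target) from a tiny fictional domain.
EDGES = [
    ("HELPDESK01@CORP.LOCAL", "MemberOf", "HELPDESK@CORP.LOCAL"),
    ("HELPDESK01@CORP.LOCAL", "MemberOf", "VPN USERS@CORP.LOCAL"),
    ("HELPDESK@CORP.LOCAL", "MemberOf", "WORKSTATION ADMINS@CORP.LOCAL"),
    ("WORKSTATION ADMINS@CORP.LOCAL", "AdminTo", "WS-FIN-07.CORP.LOCAL"),
    ("WS-FIN-07.CORP.LOCAL", "HasSession", "SVC_BACKUP@CORP.LOCAL"),
    ("SVC_BACKUP@CORP.LOCAL", "GenericAll", "DOMAIN ADMINS@CORP.LOCAL"),
    ("SVC_LEGACY@CORP.LOCAL", "DCSync", "CORP.LOCAL"),
]

def build_graph(edges):
    """Adjacency list: node -> [(relationship, neighbour), ...]."""
    adj = {}
    for src, rel, dst in edges:
        adj.setdefault(src, []).append((rel, dst))
    return adj

def shortest_path(adj, start, target):
    """Breadth-first search for the fewest-hop path from start to target.
    Returns a list of (source, relationship, target) hops, or None."""
    parent = {start: None}
    queue = deque([start])
    while queue:
        node = queue.popleft()
        if node == target:
            break
        for rel, nxt in adj.get(node, []):
            if nxt not in parent:
                parent[nxt] = (node, rel)
                queue.append(nxt)
    if target not in parent:
        return None
    hops, cur = [], target
    while parent[cur] is not None:
        prev, rel = parent[cur]
        hops.append((prev, rel, cur))
        cur = prev
    return hops[::-1]

def holders_of(edges, rel, target):
    """Blue-team view: every principal holding a given edge to a target,
    e.g. which accounts have DCSync rights on the domain object."""
    return sorted(src for src, r, dst in edges if r == rel and dst == target)

if __name__ == "__main__":
    graph = build_graph(EDGES)
    for src, rel, dst in shortest_path(graph, "HELPDESK01@CORP.LOCAL", "DOMAIN ADMINS@CORP.LOCAL"):
        print(f"{src} -[{rel}]-> {dst}")
    print("DCSync holders:", holders_of(EDGES, "DCSync", "CORP.LOCAL"))
```

Removing a single edge (the legacy account's DCSync right, or the GenericAll edge on Domain Admins) and rerunning shortest_path shows whether a proposed hardening step actually breaks the path, which is how the graph guides prioritization.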
● Frequently asked questions
What is BloodHound?
An open-source tool that uses graph theory to map and analyze Active Directory and Azure AD attack paths to high-value targets like Domain Admin. It belongs to the Defense & Operations category of cybersecurity.
How do you defend against BloodHound?
Defending against BloodHound-driven attack-path discovery combines the technical controls and operational practices described above: run the same collection yourself and prune the paths it reveals (Tier 0 isolation, ACL pruning such as removing unused DCSync rights, reducing group nesting), and monitor for the noisy directory enumeration that collection requires, since it needs read access to the directory and is detectable.
What are other names for BloodHound?
Common alternative names include: BloodHound CE, BloodHound Enterprise.
● Related terms
- Active Directory (identity-access № 013)
  Microsoft's enterprise directory service for Windows networks, providing centralized authentication, authorization, and policy management for users, computers, and resources.
- Kerberoasting (attacks № 583)
  An offline password attack that requests Kerberos service tickets for service accounts and cracks the encrypted portion to recover their cleartext passwords.
- Pass-the-Hash (attacks № 790)
  A credential-reuse attack that authenticates to Windows systems using a stolen NTLM password hash instead of the cleartext password.
- Privilege Escalation (vulnerabilities № 860)
  A class of vulnerabilities that lets an attacker gain rights beyond those originally granted, such as moving from a normal user to administrator.
- Lateral Movement (defense-ops № 606)
  The MITRE ATT&CK tactic (TA0008) covering techniques that let an attacker pivot from one compromised host to others across the environment.
- Golden Ticket (attacks № 447)
  A forged Kerberos Ticket-Granting Ticket signed with the krbtgt account hash that lets attackers impersonate any principal in a domain.