BloodHound Quick Reference
Hackers Manifest - hackersmanifest.com
Active Directory attack path mapping, data collection, and Cypher queries.
Authorized Testing Only
BloodHound CE vs Legacy vs Enterprise
ADCSESC1–ADCSESC15), DumpShadowCredentials, NTLM relay paths, and a modern web UI. Use bloodhound-cli + azurehound / sharphound v2+.
BloodHound Legacy — JS Electron app + Neo4j; still supports older collectors but no new edges since 2023. Migrate when possible.
BloodHound Enterprise — commercial SaaS; continuous monitoring of attack paths.
MITRE ATT&CK Coverage
🚀 Setup
| Install Neo4j | sudo apt install neo4j |
| Start Neo4j | sudo neo4j start |
| Neo4j Browser | http://localhost:7474 |
| Default creds | neo4j / neo4j |
| Start BloodHound | bloodhound |
| No sandbox | ./BloodHound --no-sandbox |
🐕 SharpHound (Windows)
| Collect all | .\SharpHound.exe -c All |
| With creds | .\SharpHound.exe -c All --ldapusername user --ldappassword pass |
| Specific domain | .\SharpHound.exe -c All -d domain.local |
| Stealth mode | .\SharpHound.exe -c All --stealth |
| Specific DC | .\SharpHound.exe -c All --domaincontroller dc01.domain.com |
| Loop sessions | .\SharpHound.exe -c Session --loop --loopduration 02:00:00 |
🐍 BloodHound-Python (Linux)
| With creds | bloodhound-python -u user -p pass -d domain.local -dc dc01.domain.local -c All |
| With hash | bloodhound-python -u user --hashes :NTLM -d domain.local -c All |
| Custom DNS | bloodhound-python -u user -p pass -d domain.local -ns DNS_IP -c All |
| Output ZIP | bloodhound-python -u user -p pass -d domain.local -c All --zip |
📦 Collection Methods
| All | Everything (default) |
| Default | Group, LocalAdmin, Session, Trusts, ACL, Container, RDP, DCOM, PSRemote |
| Group | Group memberships |
| LocalAdmin | Local admin rights |
| Session | Active sessions |
| ACL | ACL data for objects |
| Trusts | Domain trusts |
| ObjectProps | Object properties |
🔍 Pre-Built Queries
🎯 Node Marking
| Mark as Owned | Right-click → Mark as Owned |
| Mark as High Value | Right-click → Mark as High Value |
| Set as Start Node | Right-click → Set as Start Node |
| Set as End Node | Right-click → Set as End Node |
| Shortest Path | Start node → Target → Shortest Path |
📝 Custom Cypher Queries
All Domain Admins
MATCH (u:User)-[:MemberOf*1..]->(g:Group) WHERE g.name =~ '.*DOMAIN ADMINS.*' RETURN u.name
Kerberoastable Users
MATCH (u:User) WHERE u.hasspn=true RETURN u.name, u.serviceprincipalnames
AS-REP Roastable Users
MATCH (u:User) WHERE u.dontreqpreauth=true RETURN u.name
Unconstrained Delegation Computers
MATCH (c:Computer) WHERE c.unconstraineddelegation=true RETURN c.name
DCSync Rights
MATCH (n)-[:MemberOf|GetChanges|GetChangesAll*1..]->(d:Domain) RETURN n.name
GenericAll on Users
MATCH p=(n)-[:GenericAll]->(u:User) RETURN p
Shortest Path to DA from Owned
MATCH p=shortestPath((n)-[*1..]->(g:Group)) WHERE n.owned=true AND g.name =~ '.*DOMAIN ADMINS.*' RETURN p