BloodHound: Six Degrees of Domain Admin

BloodHound logo

BloodHound uses graph theory to reveal the hidden and often unintended relationships within an Active Directory environment. Attackers can use BloodHound to easily identify highly complex attack paths that would otherwise be impossible to quickly identify. Defenders can use BloodHound to identify and eliminate those same attack paths. Both blue and red teams can use BloodHound to easily gain a deeper understanding of privilege relationships in an Active Directory environment.


Depending on which operating system you’re using, install Neo4j, then download the BloodHound GUI. You can also build the BloodHound GUI from source.

OS-specific instructions: Windows | macOS | Linux

Collect Your First Dataset

BloodHound is a data analysis tool and needs data to be useful. The officially supported data collection tool for BloodHound is called SharpHound. Download SharpHound or build it from source to collect your first data set. From a domain-joined system in your target Active Directory environnment, collecting your first dataset is quite simple:

C:\> SharpHound.exe

Import and Explore the Data

By default, SharpHound will generate several JSON files and place them into one zip. Drag and drop that zip into the BloodHound GUI, and BloodHound will import that data.

Once complete, you’re ready to explore the data. Search for the Domain Users group using the search bar in the upper left. See if the Domain Users group has local admin rights anywhere, or control of any objects in Active Directory.

Click the Pathfinding button (looks like a road) and search for Domain Admins in the box that drops below. See if there are any attack paths from Domain Users to Domain Admins.

For a full tour of the BloodHound GUI and its data analysis capabilities, see the Data Analysis section.

Getting Help

Have a bug report or feature request? Open an issue on the BloodHound repo

Need assistance? Join us in the BloodHound Gang Slack