BloodHound maps Active Directory relationships into a graph that reveals privilege escalation paths invisible to manual enumeration. This lesson explains what an attacker does with BloodHound during an AD engagement, what it takes to use it effectively, what the attacker gains, and how to explain BloodHound findings clearly in interviews, reports, and stakeholder conversations.
Many privilege escalation paths in AD exist not because of a single misconfiguration, but because of chains of relationships that span multiple objects.
BloodHound is the standard tool for identifying these chains, and being able to explain how and why you used it is a core interview expectation for AD security roles. Understanding BloodHound at the technique level means knowing what data it needs, what questions to ask it, how to distinguish a practical path from a theoretical one, and how to turn graph output into findings that stakeholders can act on.
Using BloodHound requires an authenticated domain user account (any privilege level) to collect data via SharpHound or an equivalent collector. The collector queries LDAP for object properties, group memberships, ACLs, sessions, and trust relationships.
The attacker also needs a system where they can run the BloodHound GUI or API to analyze the collected data. No administrative privileges are needed for basic collection, though privileged collection modes reveal additional data such as local admin sessions across hosts.
Resource: SpecterOps, the official BloodHound documentation covering nodes, edges, data collection, and analysis techniques.
Active Directory stores all relationship data — group memberships, ACL permissions, delegation configurations, session information — in a queryable directory accessible to any authenticated user. BloodHound collects this data and represents it as a directed graph where AD objects are nodes and relationships are edges.
Once the graph is built, standard graph algorithms can identify the shortest chain of relationships from any starting point to any target. This is effective because the individual relationships are each legitimate AD features (group membership, administrative rights, permission delegation), but their combination can create unintended escalation paths that no administrator designed or reviewed as a whole.
Successful BloodHound analysis reveals privilege escalation and lateral movement paths that would be extremely difficult to identify manually. The attacker can see which owned principals can reach Domain Admins through chains of group memberships, ACL permissions, or session data.
They can identify service accounts in privileged groups that are Kerberoastable, accounts with DCSync rights that should not have them, and delegation configurations that enable impersonation. The output is a prioritized list of actionable paths ranked by hop count and practical feasibility.
BloodHound analysis typically happens after the attacker has obtained at least one set of domain credentials, either through spraying, phishing, or initial compromise. It sits in the discovery phase but directly feeds credential access and privilege escalation decisions.
In a realistic attack chain, the attacker collects BloodHound data early, identifies candidate paths, and then executes specific techniques (Kerberoasting, ACL abuse, delegation abuse) against the targets the graph reveals. The analysis is iterative — each newly compromised principal is marked as owned, and the graph is re-queried for newly reachable paths.
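The graph model described above (AD objects as nodes, relationships as directed edges, shortest-path search from owned principals, re-query after marking a new principal owned) reduced to a small worked example. This is added illustration code, not BloodHound's own implementation, and the edges, principals and hosts are constructed sample data; it also includes a defender-side check of which single edge removals actually break every path, since fixing one relationship is not enough when a second chain exists.

```python
from collections import deque

# Constructed sample data, not collected from any real domain: each tuple is a directed
# BloodHound-style edge (source, edge type, target); all principal and host names are made up.
EDGES = [
    ("svc_monitoring", "MemberOf", "IT-Ops"),
    ("IT-Ops", "GenericAll", "svc_backup"),          # full control of the object (password reset etc.)
    ("svc_backup", "MemberOf", "Server Operators"),
    ("Server Operators", "AdminTo", "DC01"),
    ("IT-Ops", "AdminTo", "WS01"),
    ("WS01", "HasSession", "adm_jdoe"),              # BloodHound draws HasSession computer -> user
    ("adm_jdoe", "MemberOf", "Domain Admins"),
    ("helpdesk", "ForceChangePassword", "jsmith"),   # dead end: jsmith reaches no target
]
TARGETS = {"Domain Admins", "DC01"}

def shortest_path(edges, owned, targets=TARGETS):
    """Breadth-first search from every owned principal at once, so the first target reached
    is at minimum hop count. Returns the path as a list of edges, or None if unreachable."""
    adjacency = {}
    for src, kind, dst in edges:
        adjacency.setdefault(src, []).append((kind, dst))
    parents = {node: None for node in owned}  # node -> edge used to reach it
    queue = deque(owned)
    while queue:
        node = queue.popleft()
        if node in targets:
            path = []
            while parents[node] is not None:
                path.append(parents[node])
                node = parents[node][0]
            return path[::-1]
        for kind, dst in adjacency.get(node, []):
            if dst not in parents:
                parents[dst] = (node, kind, dst)
                queue.append(dst)
    return None

def blocking_edges(edges, owned, targets=TARGETS):
    """Remediation check: the edges whose removal, on its own, leaves no path to any target.
    An edge missing from this list is not a sufficient fix by itself."""
    return [e for e in edges if shortest_path([x for x in edges if x != e], owned, targets) is None]

def describe(path):
    """Render a path as the concrete chain a finding should state, not a screenshot."""
    return " ".join(f"{src} -[{kind}]-> {dst}" for src, kind, dst in path)

if __name__ == "__main__":
    print(describe(shortest_path(EDGES, {"svc_monitoring"})))
    print("single-edge fixes:", blocking_edges(EDGES, {"svc_monitoring"}))
    print(describe(shortest_path(EDGES, {"svc_monitoring", "svc_backup"})))  # re-query after marking owned
```

In this sample graph only the first membership edge is a single-edge fix, because a second chain through WS01 reaches Domain Admins; marking svc_backup as owned shortens the path to two hops.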
BloodHound is the standard tool for identifying privilege escalation paths in Active Directory by mapping relationships into a directed graph. After collecting data with SharpHound, which any domain user can run, I analyze the graph to find chains of relationships — group memberships, ACL permissions, delegation settings, session data — that connect owned principals to high-value targets like Domain Admins or domain controllers.
The key is not just finding that a path exists, but validating that it is practical: checking whether sessions are active, whether the required permissions are exploitable, and whether the path is shorter than alternatives. When I find a viable path, I explain it as a concrete chain: this account is a member of this group, which has GenericAll on this user, who is a member of Domain Admins. That is a finding. A BloodHound screenshot alone is not.
BloodHound is a tool that maps all the relationships in your Active Directory and finds paths where one compromised account can reach critical systems through a chain of permissions and group memberships.
The risk is that these chains are created by normal administrative actions — adding a user to a group, delegating a permission — but no one reviews how they combine to create unintended access. An attacker with any employee-level account can collect this data and identify paths that lead to full control of your domain. The fix is reviewing and simplifying these relationship chains, particularly for accounts that have permissions on privileged groups or domain controllers.
Finding: Privilege Escalation Path via Transitive Group Membership and ACL Misconfiguration. During the assessment, the operator used BloodHound to identify a three-hop privilege escalation path from the compromised svc_monitoring account to Domain Admin access. The svc_monitoring account is a member of the IT-Ops group, which has GenericAll rights on the svc_backup account, which is a member of the Server Operators group with local administrator access on DC01. The operator validated the path by modifying the svc_backup account's password and authenticating to DC01.
Severity: Critical.
Recommendation: Remove GenericAll rights from the IT-Ops group on the svc_backup account. Review Server Operators membership and remove svc_backup if the privilege is not operationally required.