Identifying Privilege Paths with BloodHound
BloodHound maps Active Directory relationships into a graph that reveals privilege escalation paths invisible to manual enumeration. This lesson explains what an attacker does with BloodHound during an AD engagement, what it takes to use it effectively, what the attacker gains, and how to explain BloodHound findings clearly in interviews, reports, and stakeholder conversations.
This lesson builds on
Theory
Why It Matters
Many privilege escalation paths in AD exist not because of a single misconfiguration, but because of chains of relationships that span multiple objects.
BloodHound is the standard tool for identifying these chains, and being able to explain how and why you used it is a core interview expectation for AD security roles. Understanding BloodHound at the technique level means knowing what data it needs, what questions to ask it, how to distinguish a practical path from a theoretical one, and how to turn graph output into findings that stakeholders can act on.
Preconditions
Using BloodHound requires an authenticated domain user account (any privilege level) to collect data via SharpHound or an equivalent collector. The collector queries LDAP for object properties, group memberships, ACLs, sessions, and trust relationships.
The attacker also needs a system where they can run the BloodHound GUI or API to analyze the collected data. No administrative privileges are needed for basic collection, though privileged collection modes reveal additional data such as local admin sessions across hosts.
Key Concepts
- Nodes and edges — nodes represent AD objects (users, groups, computers, GPOs, OUs) and edges represent relationships between them (MemberOf, AdminTo, GenericAll, WriteDACL, HasSession, ForceChangePassword, DCSync rights)
- Attack paths are chains of edges from a controlled principal to a target — the security risk is the chain, not any individual relationship
- SharpHound collection is the data-gathering step: it queries LDAP for properties, memberships, ACLs, sessions, and trusts; no admin rights required for basic collection
- Path practicality matters more than path existence — a path through a stale session or an offline host is theoretical, not actionable; validate before exploiting
- Owned-principal tracking changes the graph — marking compromised accounts as owned reveals paths that were not reachable from the original starting point
- Transitive control is BloodHound's core value — a user who can change a group's membership, which has WriteDACL on another group, which has local admin on a DC, has a path to domain compromise even though no single relationship grants it
Why It Works
Active Directory stores all relationship data — group memberships, ACL permissions, delegation configurations, session information — in a queryable directory accessible to any authenticated user. BloodHound collects this data and represents it as a directed graph where AD objects are nodes and relationships are edges.
Once the graph is built, standard graph algorithms can identify the shortest chain of relationships from any starting point to any target. This is effective because the individual relationships are each legitimate AD features (group membership, administrative rights, permission delegation), but their combination can create unintended escalation paths that no administrator designed or reviewed as a whole.
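To make the graph model concrete, here is a small added example (it is not code from this lesson, from BloodHound, or from SpecterOps): a toy directed graph whose nodes, principals and hosts are constructed, loosely following the report finding later in this lesson, with a multi-source breadth-first search from owned principals to a target, a practicality filter that drops stale-session edges, owned-principal re-querying, and a helper that picks out the ACL edges a defender would remove to break the path. Edge type names (MemberOf, GenericAll, AdminTo, HasSession, ForceChangePassword) are BloodHound's vocabulary; the `session_active` and `host_online` attributes are assumptions for the filter.

```python
"""Added example, not from the lesson or from BloodHound itself: a toy AD
relationship graph with shortest-path search, a practicality filter and
owned-principal tracking. All nodes and edge attributes are constructed."""
from collections import deque

# Constructed edges: (source, edge_type, target, attributes).
# Edge type names follow BloodHound; the principals and hosts are hypothetical.
EDGES = [
    ("svc_monitoring", "MemberOf", "IT-Ops", {}),
    ("IT-Ops", "GenericAll", "svc_backup", {}),
    ("svc_backup", "MemberOf", "Server Operators", {}),
    ("Server Operators", "AdminTo", "DC01", {}),
    ("DC01", "HasSession", "da_admin", {"session_active": True}),
    ("da_admin", "MemberOf", "Domain Admins", {}),
    # A shorter chain that only exists on paper: the session on WS03 is stale.
    ("svc_monitoring", "AdminTo", "WS03", {}),
    ("WS03", "HasSession", "da_admin", {"session_active": False}),
    # Reachable only once helpdesk01 is marked as owned.
    ("helpdesk01", "ForceChangePassword", "it_lead", {}),
    ("it_lead", "MemberOf", "Domain Admins", {}),
]

# ACL edges a defender can remove directly; membership and session edges
# need group or host changes instead.
ACL_EDGES = {"GenericAll", "WriteDACL", "WriteOwner", "ForceChangePassword"}


def is_practical(edge_type, attrs):
    """A HasSession edge is only actionable while the session is live and the
    host is reachable (assumed attributes); every other edge counts as practical."""
    if edge_type == "HasSession":
        return bool(attrs.get("session_active", False) and attrs.get("host_online", True))
    return True


def build_graph(edges, practical_only=False):
    """Adjacency list: node -> list of (edge_type, neighbour)."""
    graph = {}
    for src, edge_type, dst, attrs in edges:
        graph.setdefault(src, [])
        graph.setdefault(dst, [])
        if practical_only and not is_practical(edge_type, attrs):
            continue  # keep the node, drop the theoretical edge
        graph[src].append((edge_type, dst))
    return graph


def shortest_path(graph, owned, target):
    """Multi-source BFS: fewest hops from any owned principal to target.
    Returns a list of (src, edge_type, dst) hops, or None when unreachable."""
    parent = {node: None for node in owned}
    queue = deque(owned)
    while queue:
        node = queue.popleft()
        if node == target:
            hops = []
            while parent[node] is not None:
                prev, edge_type = parent[node]
                hops.append((prev, edge_type, node))
                node = prev
            return list(reversed(hops))
        for edge_type, nxt in graph.get(node, []):
            if nxt not in parent:
                parent[nxt] = (node, edge_type)
                queue.append(nxt)
    return None


def describe(hops):
    """Render a path as the concrete chain a report should state."""
    if hops is None:
        return "no path"
    if not hops:
        return "target already owned"
    return hops[0][0] + "".join(f" -{e}-> {d}" for _, e, d in hops)


def remediation_edges(hops):
    """The ACL edges on a path; removing any one of them breaks the chain."""
    return [(s, e, d) for s, e, d in (hops or []) if e in ACL_EDGES]


if __name__ == "__main__":
    owned = {"svc_monitoring"}
    target = "Domain Admins"
    print("all edges:       ", describe(shortest_path(build_graph(EDGES), owned, target)))
    practical = build_graph(EDGES, practical_only=True)
    path = shortest_path(practical, owned, target)
    print("practical only:  ", describe(path))
    print("break by removing:", remediation_edges(path))
    owned.add("helpdesk01")
    print("helpdesk01 owned:", describe(shortest_path(practical, owned, target)))
```

With all edges present, the shortest chain runs through the stale session on WS03 and is three hops long; with the practicality filter applied, the only remaining chain is the six-hop one through IT-Ops, svc_backup, Server Operators and DC01, and the single ACL edge on it (GenericAll from IT-Ops to svc_backup) is the one a defender removes. Marking helpdesk01 as owned changes the answer again, which is the point of re-querying after every new compromise.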
What the Attacker Gains
Successful BloodHound analysis reveals privilege escalation and lateral movement paths that would be extremely difficult to identify manually. The attacker can see which owned principals can reach Domain Admins through chains of group memberships, ACL permissions, or session data.
They can identify service accounts in privileged groups that are Kerberoastable, accounts with DCSync rights that should not have them, and delegation configurations that enable impersonation. The output is a prioritized list of actionable paths ranked by hop count and practical feasibility.
Where It Fits in the Attack Chain
BloodHound analysis typically happens after the attacker has obtained at least one set of domain credentials, either through spraying, phishing, or initial compromise. It sits in the discovery phase but directly feeds credential access and privilege escalation decisions.
In a realistic attack chain, the attacker collects BloodHound data early, identifies candidate paths, and then executes specific techniques (Kerberoasting, ACL abuse, delegation abuse) against the targets the graph reveals. The analysis is iterative — each newly compromised principal is marked as owned, and the graph is re-queried for newly reachable paths.
Tools & Examples
- SharpHound (.exe or .ps1) — collects AD data from a domain-joined host for import into BloodHound
- BloodHound GUI — graph visualization and pathfinding interface; supports pre-built and custom Cypher queries
- bloodhound-python — Linux-based collector for remote data gathering using domain credentials
- Cypher queries — graph query language for asking targeted questions: 'MATCH path to Domain Admins from owned principals'
Defender's Perspective
- Audit and remediate ACL misconfigurations on sensitive objects — GenericAll, WriteDACL, and ForceChangePassword on privileged groups or users are the most commonly exploited edges.
- Reduce unnecessary group nesting. Deep group hierarchies create transitive control paths that administrators rarely review.
- Monitor for SharpHound collection indicators: high-volume LDAP queries for objectClass, ACL enumeration, and session data from a single source.
- Run BloodHound proactively as a defender to identify and break attack paths before adversaries find them.
- Limit the scope of service accounts and remove them from privileged groups when the membership is not operationally required.
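The collection indicators in the monitoring bullet above can be turned into a simple detector. The following is an added example, not code from this lesson or from any SIEM product: it parses constructed LDAP query records in a simplified, made-up log format (real directory service logs look different), scores each source address on query volume within a sliding window, broad objectClass filters, and requests for the nTSecurityDescriptor attribute (the ACL data BloodHound edges are built from), and flags a source only when all three line up. The thresholds and the sample records are assumptions.

```python
"""Added example, not from the lesson: flag sources whose LDAP query pattern
matches the collection indicators described above. Log format, thresholds
and all records are constructed for the example."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Simplified, made-up record format: timestamp, source, bound account,
# search filter and requested attributes. Not real domain controller output.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) user=(?P<user>\S+) "
    r"filter=(?P<filter>\S+) attrs=(?P<attrs>\S+)$"
)


def _collector_like_lines():
    """Constructed burst: one source sweeping objectClass filters and asking
    for the ACL attribute on every object, 40 queries in under two minutes."""
    start = datetime(2024, 5, 2, 9, 14, 3)
    filters = ["(objectClass=user)", "(objectClass=group)",
               "(objectClass=computer)", "(objectClass=*)"]
    lines = []
    for i in range(40):
        ts = (start + timedelta(seconds=2 * i)).strftime("%Y-%m-%dT%H:%M:%SZ")
        lines.append(f"{ts} src=10.0.5.21 user=svc_monitoring "
                     f"filter={filters[i % 4]} attrs=nTSecurityDescriptor,member,sAMAccountName")
    return lines


# Constructed sample: the burst above plus benign traffic from other sources,
# including one legitimate single ACL lookup that must not be flagged.
LOG_LINES = _collector_like_lines() + [
    "2024-05-02T09:15:10Z src=10.0.7.9 user=hr_app filter=(sAMAccountName=jsmith) attrs=mail,displayName",
    "2024-05-02T09:16:42Z src=10.0.7.9 user=hr_app filter=(sAMAccountName=alee) attrs=mail,displayName",
    "2024-05-02T09:18:00Z src=10.0.3.4 user=DC02$ filter=(objectClass=*) attrs=nTSecurityDescriptor",
]


def parse_line(line):
    """Parse one record into a dict, or None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
    rec["attrs"] = set(rec["attrs"].split(","))
    return rec


def max_in_window(timestamps, window):
    """Largest number of events from one source inside any span of `window`."""
    ts = sorted(timestamps)
    best = lo = 0
    for hi in range(len(ts)):
        while ts[hi] - ts[lo] > window:
            lo += 1
        best = max(best, hi - lo + 1)
    return best


def score_sources(lines, window=timedelta(minutes=5), volume_threshold=25):
    """Per source: busiest-window query count, number of broad objectClass
    filters and number of nTSecurityDescriptor requests. A source is flagged
    only when volume, broad filters and ACL requests all appear together, so
    a DC or an admin doing one ACL lookup does not trip the alert."""
    per_src = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec:
            per_src[rec["src"]].append(rec)
    report = {}
    for src, recs in per_src.items():
        burst = max_in_window([r["ts"] for r in recs], window)
        broad = sum(1 for r in recs if r["filter"].startswith("(objectClass="))
        acl = sum(1 for r in recs if "nTSecurityDescriptor" in r["attrs"])
        report[src] = {
            "users": sorted({r["user"] for r in recs}),
            "burst": burst,
            "broad_filters": broad,
            "acl_requests": acl,
            "flag": burst >= volume_threshold and broad >= 3 and acl >= 3,
        }
    return report


if __name__ == "__main__":
    for src, info in score_sources(LOG_LINES).items():
        print(src, info)
```

Only 10.0.5.21 is flagged: 40 queries in one window, all with broad filters and all requesting the ACL attribute. The HR application's targeted lookups and the single objectClass=* query from DC02$ stay below the bar, which is the trade-off to tune: a lower volume threshold catches slower collection at the cost of more replication and admin-tool noise.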
Communication
How to Explain It in an Interview
BloodHound is the standard tool for identifying privilege escalation paths in Active Directory by mapping relationships into a directed graph. After collecting data with SharpHound, which any domain user can run, I analyze the graph to find chains of relationships — group memberships, ACL permissions, delegation settings, session data — that connect owned principals to high-value targets like Domain Admins or domain controllers.
The key is not just finding that a path exists, but validating that it is practical: checking whether sessions are active, whether the required permissions are exploitable, and whether the path is shorter than alternatives. When I find a viable path, I explain it as a concrete chain: this account is a member of this group, which has GenericAll on this user, who is a member of Domain Admins. That is a finding. A BloodHound screenshot alone is not.
How to Explain It to a Stakeholder
BloodHound is a tool that maps all the relationships in your Active Directory and finds paths where one compromised account can reach critical systems through a chain of permissions and group memberships.
The risk is that these chains are created by normal administrative actions — adding a user to a group, delegating a permission — but no one reviews how they combine to create unintended access. An attacker with any employee-level account can collect this data and identify paths that lead to full control of your domain. The fix is reviewing and simplifying these relationship chains, particularly for accounts that have permissions on privileged groups or domain controllers.
How It Might Appear in a Report
Finding: Privilege Escalation Path via Transitive Group Membership and ACL Misconfiguration. During the assessment, the operator used BloodHound to identify a three-hop privilege escalation path from the compromised svc_monitoring account to Domain Admin access. The svc_monitoring account is a member of the IT-Ops group, which has GenericAll rights on the svc_backup account, which is a member of the Server Operators group with local administrator access on DC01. The operator validated the path by modifying the svc_backup account's password and authenticating to DC01.
Severity: Critical.
Recommendation: Remove GenericAll rights from the IT-Ops group on the svc_backup account. Review Server Operators membership and remove svc_backup if the privilege is not operationally required.
Common Weak Answers
- Describing BloodHound as 'a tool that finds paths to Domain Admin' without explaining what data it collects, how paths are formed from relationship chains, or what makes a path practical versus theoretical.
- Saying 'I run SharpHound and import the data' without explaining what questions to ask the graph or how to investigate beyond pre-built queries.
- Treating every BloodHound path as equally exploitable. A path through a stale session on an offline host is not the same as a path through a live ACL misconfiguration.
- Reporting a BloodHound screenshot without translating it into a finding that explains the chain, the impact, and the remediation.
- Not mentioning that BloodHound data is collected with standard user privileges. This is the key insight that explains why any foothold enables this analysis.
Likely Follow-Up Questions
- What data does SharpHound collect, and what privilege level is required to run it?
- How do you determine whether a BloodHound path is practical enough to attempt versus merely theoretical?
- What is the difference between a direct edge and a transitive path in BloodHound?
- How would you explain a multi-hop BloodHound privilege path to a non-technical executive?
- If BloodHound shows no path to Domain Admins from your owned principals, what would you do next?
Further Reading
- BloodHound Documentation
SpecterOps · Official BloodHound documentation covering nodes, edges, data collection, and analysis techniques