
Active Directory Misconfiguration Hunting with BloodHound

BloodHound is one of those tools that completely changes how you think about Active Directory. Before it, privilege escalation paths through AD were identified manually — checking ACLs, enumerating group memberships, and hoping you spotted the chain before the engagement ended. BloodHound made the invisible visible by modelling the entire directory as a graph and letting you query attack paths with precision.

This post focuses on the hunting side: how to use BloodHound not just for the low-hanging-fruit queries the UI surfaces by default, but to find the subtle misconfigurations that automated assessments routinely miss. We'll cover data collection, the most impactful built-in queries, and a set of custom Cypher queries I've found consistently useful on engagements.

Setting Up: SharpHound Collection

BloodHound's data comes from SharpHound, the .NET collector. On an engagement, assuming you have valid domain credentials, collection is straightforward. The key is choosing the right collection method. All also enumerates sessions and local group membership by connecting to every computer in the domain, which is thorough but noisy. DCOnly collects only what can be read from the DC over LDAP (objects, ACLs, group membership, containers, GPO links, trusts, and local groups inferred from GPOs), so no member host is ever touched, at the cost of losing session data and directly enumerated local admins:

# Full collection (noisy but comprehensive)
SharpHound.exe -c All --zipfilename bh_output.zip

# Quieter — DC-only LDAP collection
SharpHound.exe -c DCOnly --zipfilename bh_output.zip

# Target a specific domain
SharpHound.exe -c All -d CORP.LOCAL --zipfilename bh_output.zip

Import the resulting ZIP into the BloodHound UI via the upload button. On large environments, collection can take several minutes and generates significant LDAP traffic, and the session and local-group methods open SMB/RPC connections to every host in scope, so expect it to trigger network-based detection in more mature environments.

The Built-in Queries Worth Running First

The BloodHound UI ships with a set of pre-built analytics queries. Before diving into custom Cypher, run these — they surface the highest-value paths in most environments:

  • Find Shortest Paths to Domain Admins: shows the shortest path from every node that has one into the Domain Admins group. The number of distinct starting points is a good proxy for attack surface.
  • Find Kerberoastable Members of High Value Groups: service accounts with an SPN and membership of a sensitive group are prime targets, because any domain user can request their service ticket and crack it offline.
  • Find AS-REP Roastable Users: accounts with Kerberos pre-authentication disabled (DONT_REQ_PREAUTH), so anyone can request an AS-REP for them and crack it offline. Often forgotten service or legacy accounts.
  • Shortest Paths from Owned Principals: once you've marked compromised accounts as "owned" in the UI, this shows your fastest route to Domain Admins.

Custom Cypher: Finding What the Defaults Miss

The real power of BloodHound is its Cypher query interface. Cypher is Neo4j's graph query language, and it's worth investing time in learning it. Here are several queries I return to repeatedly:

1. Users with DCSync rights

DCSync (the DS-Replication-Get-Changes and DS-Replication-Get-Changes-All extended rights on the domain object, both of which are required) lets any principal holding them replicate password hashes from a DC as if it were another DC, with no admin rights needed. BloodHound's DCSync edge is added in post-processing for principals that hold both rights; a principal with only one shows up as a GetChanges or GetChangesAll edge instead, so check those too when a group grants one right and an ACE the other. Domain Controllers, Domain Admins, Enterprise Admins and Administrators hold these rights by design, as does the Azure AD Connect MSOL_ account; anything else is over-provisioned:

MATCH p=()-[:DCSync]->(:Domain) RETURN p

2. GPO write paths to high-value targets

Group Policy Objects linked to OUs that contain privileged machines, or machines that privileged users log on to, are extremely valuable abuse paths. Any principal with GenericAll, GenericWrite, WriteDacl or WriteOwner on such a GPO (WriteOwner first takes ownership, then grants itself WriteDacl) can add an immediate scheduled task or startup script that runs on every machine the GPO applies to. The query follows GPLink to the OU or domain the GPO is linked to and Contains down through nested OUs, keeping computers that are themselves high value or host a session of a high-value user. Before calling a hit exploitable, check the link's enforced flag and whether an intermediate OU has blocksinheritance set, both of which BloodHound records but this query does not evaluate:

MATCH p=(n)-[:GenericAll|GenericWrite|WriteOwner|WriteDacl|Owns]->(g:GPO)-[:GPLink]->()-[:Contains*1..]->(m:Computer)
WHERE m.highvalue = true OR EXISTS((m)<-[:HasSession]-(:User {highvalue: true}))
RETURN p LIMIT 25

3. Unconstrained delegation computers (excluding DCs)

Computers trusted for unconstrained delegation receive and cache a copy of the TGT of any principal that authenticates to them with Kerberos, including Domain Admins and, more usefully, Domain Controller machine accounts. Coerce a DC into authenticating to such a host (the printer bug over MS-RPRN, or PetitPotam over MS-EFSRPC) and you capture the DC's machine account TGT, which is enough to DCSync the domain. Filter DCs out by membership of the Domain Controllers group (well-known RID 516) rather than by hostname, because not every DC is called DC-something:

MATCH (dcg:Group), (c:Computer {unconstraineddelegation: true})
WHERE dcg.objectid ENDS WITH "-516" AND c.domain = dcg.domain
  AND NOT (c)-[:MemberOf*1..]->(dcg)
RETURN c.name, c.operatingsystem, c.enabled

4. Shadow admins — local admin paths to DCs

This catches accounts that aren't in Domain Admins but still have a path to local admin on a Domain Controller, whether through nested group memberships, local group membership or ACLs. Anyone who is local admin on a DC can dump NTDS.dit or run DCSync, so these accounts are Domain Admins in all but name. Target every DC through the Domain Controllers group rather than one DC by hostname, and exclude Domain Admins by the well-known RID 512 so the query survives renamed or localised group names:

MATCH (dag:Group), (dc:Computer)-[:MemberOf*1..]->(dcg:Group)
WHERE dag.objectid ENDS WITH "-512" AND dcg.objectid ENDS WITH "-516"
MATCH p=shortestPath((n:User {enabled: true})-[*1..]->(dc))
WHERE NOT (n)-[:MemberOf*1..]->(dag)
RETURN p

5. Accounts with GenericAll on other accounts

GenericAll on a user object is the "god permission" in AD terms: you can reset their password (ForceChangePassword), write an SPN on them for targeted Kerberoasting, clear the pre-authentication flag for AS-REP roasting, or, where the DCs support PKINIT, write msDS-KeyCredentialLink and log on as them with shadow credentials without touching the password at all. Include rights granted through group membership, not only direct ACEs, and use the target's admincount to rank the hits:

MATCH p=(u:User)-[:MemberOf*0..]->(g)-[:GenericAll]->(t:User)
WHERE u.enabled = true AND t.enabled = true AND u <> t
RETURN u.name, g.name, t.name, t.admincount
ORDER BY t.admincount DESC
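The DCSync, unconstrained-delegation, shadow-admin and GenericAll hunts above all lean on two things Cypher does for you: transitive group expansion and a path search over mixed edge types. As an added example that is not part of the original post and not BloodHound's or SharpHound's own code, the Python below re-implements those four hunts over a small snapshot built inline in a reduced SharpHound v4-style shape (ObjectIdentifier, Properties, Aces, Members, LocalAdmins), so the rules can be checked offline without Neo4j. The domain, SIDs and account names are constructed; Contains, GPLink and HasSession edges are omitted; and the allow-list of privileged RIDs (512, 516, 519, 544) plus the MSOL_ prefix is my assumption, to be tuned per environment.

```python
from collections import deque

DOM = "S-1-5-21-1111-2222-3333"               # constructed domain SID
S = lambda r: f"{DOM}-{r}"                    # SID with RID r
rid = lambda sid: sid.rsplit("-", 1)[1]       # RID of a SID

def obj(sid, name, aces=(), members=(), admins=(), **props):
    """One object in a reduced SharpHound v4-style shape (an assumption, not the full schema)."""
    return {"ObjectIdentifier": sid, "Properties": {"name": name, **props},
            "Aces": [{"PrincipalSID": p, "RightName": r} for p, r in aces],
            "Members": [{"ObjectIdentifier": m} for m in members],
            "LocalAdmins": {"Results": [{"ObjectIdentifier": a} for a in admins]}}

SNAPSHOT = {  # constructed sample: every SID and name is invented
    "domains": [obj(DOM, "CORP.LOCAL", aces=[
        (S(512), "GetChanges"), (S(512), "GetChangesAll"),    # Domain Admins: by design
        (S(1201), "GetChanges"), (S(1201), "GetChangesAll"),  # BACKUP-SVC: the finding
        (S(1300), "GetChanges"), (S(1300), "GetChangesAll"),  # MSOL_ (Azure AD Connect): expected
        (S(1401), "GetChanges")])],                           # IT-HELPDESK: one right is not DCSync
    "groups": [obj(S(512), "DOMAIN ADMINS@CORP.LOCAL", members=[S(1100)]),
               obj(S(516), "DOMAIN CONTROLLERS@CORP.LOCAL", members=[S(1000)]),
               obj(S(1401), "IT-HELPDESK@CORP.LOCAL", members=[S(1105)]),
               obj(S(1402), "SERVER-OPS@CORP.LOCAL", members=[S(1401)])],  # helpdesk nested in server-ops
    "users": [obj(S(1100), "ADMIN.BOB@CORP.LOCAL", enabled=True), obj(S(1105), "ALICE@CORP.LOCAL", enabled=True),
              obj(S(1201), "BACKUP-SVC@CORP.LOCAL", enabled=True), obj(S(1300), "MSOL_1A2B3C@CORP.LOCAL", enabled=True),
              obj(S(1210), "SVC-SQL@CORP.LOCAL", enabled=True, aces=[(S(1402), "GenericAll")])],  # group-granted GenericAll
    "computers": [obj(S(1000), "DC01.CORP.LOCAL", unconstraineddelegation=True, admins=[S(1210)]),  # SVC-SQL admin on a DC
                  obj(S(1001), "FILE01.CORP.LOCAL", unconstraineddelegation=True),
                  obj(S(1002), "WEB01.CORP.LOCAL", unconstraineddelegation=False)],
}

def build_graph(snap):
    """nodes: sid -> (kind, props); edges: src -> [(edge, dst)] using BloodHound's edge names."""
    nodes, edges = {}, {}
    add = lambda s, e, d: edges.setdefault(s, []).append((e, d))
    for kind in ("domains", "groups", "users", "computers"):
        for o in snap[kind]:
            sid = o["ObjectIdentifier"]
            nodes[sid] = (kind[:-1].capitalize(), o["Properties"])
            for ace in o["Aces"]:
                add(ace["PrincipalSID"], ace["RightName"], sid)   # principal -[Right]-> object
            for m in o["Members"]:
                add(m["ObjectIdentifier"], "MemberOf", sid)
            for a in o["LocalAdmins"]["Results"]:
                add(a["ObjectIdentifier"], "AdminTo", sid)
    return nodes, edges

def groups_of(edges, sid):   # transitive MemberOf closure: the part a flat ACL dump never gives you
    seen, todo = set(), [sid]
    while todo:
        for e, d in edges.get(todo.pop(), []):
            if e == "MemberOf" and d not in seen:
                seen.add(d); todo.append(d)
    return seen

def rights_on(edges, principal, target):   # edges principal holds on target, directly or via any group
    return {e for h in {principal} | groups_of(edges, principal) for e, d in edges.get(h, []) if d == target}

def dcsync_findings(nodes, edges, domain_sid):
    """Holders of BOTH replication rights, minus built-in privileged groups (RIDs 512/516/519/544),
    anything inside them, and the MSOL_ account: an assumed allow-list, tune it per environment."""
    builtin = {s for s in nodes if rid(s) in ("512", "516", "519", "544")}
    return {p["name"] for s, (k, p) in nodes.items()
            if k != "Domain" and not p["name"].startswith("MSOL_")
            and s not in builtin and not groups_of(edges, s) & builtin
            and {"GetChanges", "GetChangesAll"} <= rights_on(edges, s, domain_sid)}

def unconstrained_non_dc(nodes, edges):   # UD hosts outside Domain Controllers (RID 516), not judged by hostname
    dcg = {s for s in nodes if rid(s) == "516"}
    return sorted(p["name"] for s, (k, p) in nodes.items()
                  if k == "Computer" and p.get("unconstraineddelegation") and not groups_of(edges, s) & dcg)

def shortest_path(nodes, edges, src, targets):
    """BFS over every edge type, the equivalent of Cypher's shortestPath((n)-[*1..]->(m))."""
    prev, queue = {src: None}, deque([src])
    while queue:
        cur = queue.popleft()
        if cur in targets:                       # walk prev[] back to src and return the hops
            hops, n = [], cur
            while prev[n]:
                p, e = prev[n]; hops.append((nodes[p][1]["name"], e, nodes[n][1]["name"])); n = p
            return hops[::-1]
        for e, d in edges.get(cur, []):
            if d not in prev:
                prev[d] = (cur, e); queue.append(d)
    return None

def shadow_admin_paths(nodes, edges):   # enabled users outside Domain Admins with any path to a DC object
    da, dcg = {s for s in nodes if rid(s) == "512"}, {s for s in nodes if rid(s) == "516"}
    dcs = {s for s, (k, _) in nodes.items() if k == "Computer" and groups_of(edges, s) & dcg}
    return {p["name"]: path for s, (k, p) in nodes.items()
            if k == "User" and p.get("enabled") and not groups_of(edges, s) & da
            for path in [shortest_path(nodes, edges, s, dcs)] if path}

def generic_all_on_users(nodes, edges):   # GenericAll user -> user, including rights granted through groups
    users = [s for s, (k, p) in nodes.items() if k == "User" and p.get("enabled")]
    return sorted((nodes[u][1]["name"], nodes[t][1]["name"]) for u in users for t in users
                  if u != t and "GenericAll" in rights_on(edges, u, t))
```

Run `nodes, edges = build_graph(SNAPSHOT)` and call the four hunt functions on the result: BACKUP-SVC is the only DCSync finding (IT-HELPDESK holds one right, MSOL_ and Domain Admins are allow-listed), FILE01 is the only non-DC unconstrained-delegation host even though DC01 has the flag too, ALICE reaches DC01 in four hops (two MemberOf, GenericAll on SVC-SQL, AdminTo) without ever being a Domain Admin, and the GenericAll hit is only visible because the right is granted to SERVER-OPS, two group levels above her. Replace SNAPSHOT with a loader for the real SharpHound JSON files and the same functions apply.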

ACL Abuse Chains: What to Look For

The most subtle findings in AD environments usually aren't about direct group memberships — they're about ACL chains. A low-privileged user might have GenericWrite on a group, which contains a service account, which has WriteDacl on a high-value OU, which in turn gives control over privileged computer objects. BloodHound will surface these chains, but you need to know what edges to look for:

  • GenericAll / GenericWrite — full control of an object, or write access to its attributes (on a user, enough to set an SPN and Kerberoast it; on a computer, enough to configure resource-based constrained delegation)
  • WriteOwner — take ownership, then grant yourself WriteDacl and from there anything else
  • WriteDacl — modify the DACL to grant yourself further rights
  • AddMember — add principals to groups (often overlooked on help desk accounts)
  • ForceChangePassword — reset a user's password without knowing the current one
  • AllExtendedRights — every extended right on the object: ForceChangePassword on a user, and on the domain object the two replication rights that make up DCSync

When you find a chain, walk each step manually to confirm it's exploitable: session data goes stale within hours, SharpHound does not collect deny ACEs so an Allow edge can be cancelled by a Deny you never saw, and some edges have prerequisites the graph doesn't model (network access to the target, or a DC that supports PKINIT for a shadow-credentials hop).

Defensive Perspective

Running BloodHound in your own environment as a defender — sometimes called "BloodHound for the blue team" — is one of the highest-value things you can do with a few hours. The output tells you exactly which misconfigurations to fix to collapse your most dangerous privilege escalation paths. Prioritise:

  1. Removing DCSync rights from everything except Domain Controllers, the built-in admin groups and Azure AD Connect's MSOL_ account
  2. Auditing and tightening write access to GPOs, including who owns them
  3. Eliminating unconstrained delegation from non-DC computers, moving anything that genuinely needs delegation to constrained or resource-based constrained delegation
  4. Auditing Tier 0 / Tier 1 / Tier 2 admin account separation
  5. Running SharpHound quarterly and comparing output for regressions
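Step 5 is only useful if the comparison is mechanical, so here is an added example of that regression check; it is not code from the original post or from the BloodHound project. It diffs two edge sets in BloodHound's own edge names, drops the per-logon HasSession churn that would otherwise dominate every diff, and ranks what is new by a tiering model. The edge lists are constructed, and the TIER0 set, the edge classes and the severity numbers are my assumptions to adapt to your own tiering.

```python
# Constructed edge sets (principal, edge, target) using BloodHound's edge names. In practice export
# one set per collection from Neo4j, e.g. MATCH (a)-[r]->(b) RETURN a.name, type(r), b.name.
BASELINE = {
    ("DOMAIN ADMINS@CORP.LOCAL", "DCSync", "CORP.LOCAL"),
    ("MSOL_1A2B3C@CORP.LOCAL", "DCSync", "CORP.LOCAL"),
    ("ADMIN.BOB@CORP.LOCAL", "MemberOf", "DOMAIN ADMINS@CORP.LOCAL"),
    ("ALICE@CORP.LOCAL", "MemberOf", "IT-HELPDESK@CORP.LOCAL"),
    ("ALICE@CORP.LOCAL", "HasSession", "WS01.CORP.LOCAL"),
    ("SVC-OLD@CORP.LOCAL", "AdminTo", "DC01.CORP.LOCAL"),            # gone in CURRENT: fixed, or not collected?
}
CURRENT = {
    ("DOMAIN ADMINS@CORP.LOCAL", "DCSync", "CORP.LOCAL"),
    ("MSOL_1A2B3C@CORP.LOCAL", "DCSync", "CORP.LOCAL"),
    ("ADMIN.BOB@CORP.LOCAL", "MemberOf", "DOMAIN ADMINS@CORP.LOCAL"),
    ("ALICE@CORP.LOCAL", "MemberOf", "IT-HELPDESK@CORP.LOCAL"),
    ("ALICE@CORP.LOCAL", "HasSession", "WS07.CORP.LOCAL"),            # session churn, not a regression
    ("BACKUP-SVC@CORP.LOCAL", "DCSync", "CORP.LOCAL"),                # new DCSync holder
    ("IT-HELPDESK@CORP.LOCAL", "GenericWrite", "SVC-SQL@CORP.LOCAL"),  # new targeted-Kerberoast primitive
    ("SVC-SQL@CORP.LOCAL", "AdminTo", "DC01.CORP.LOCAL"),             # new shadow admin on a DC
}

# Assumed tiering model: which objects are Tier 0, which edges hand over control outright,
# which are write primitives that need another step, and which are too volatile to diff.
TIER0 = {"CORP.LOCAL", "DOMAIN ADMINS@CORP.LOCAL", "DOMAIN CONTROLLERS@CORP.LOCAL", "DC01.CORP.LOCAL"}
VOLATILE = {"HasSession"}   # re-collected on every logon; diffing it is pure noise
CONTROL = {"DCSync", "GetChangesAll", "GenericAll", "WriteDacl", "WriteOwner", "Owns",
           "AdminTo", "AllExtendedRights", "MemberOf"}
WRITE = {"GenericWrite", "AddMember", "ForceChangePassword", "WriteSPN", "AddKeyCredentialLink"}

def severity(edge, target, tier0=TIER0):
    """3 = control of a Tier 0 object, 2 = control elsewhere or a write into Tier 0,
    1 = other write primitive, 0 = informational."""
    if edge in CONTROL and target in tier0:
        return 3
    if edge in CONTROL or (edge in WRITE and target in tier0):
        return 2
    return 1 if edge in WRITE else 0

def regressions(baseline, current, tier0=TIER0):
    """New non-volatile edges since the baseline, worst first, plus control edges that disappeared:
    a vanished AdminTo on a DC is either a fix to record or a collection gap to investigate."""
    added = [(severity(e, t, tier0), p, e, t) for p, e, t in current - baseline if e not in VOLATILE]
    removed = sorted((p, e, t) for p, e, t in baseline - current if e in CONTROL)
    return {"added": sorted(added, key=lambda r: (-r[0], r[1:])), "removed": removed}
```

`regressions(BASELINE, CURRENT)` puts the new DCSync holder and the new local admin on DC01 at the top with severity 3, the GenericWrite on a service account below them at severity 1, ignores the changed workstation session entirely, and lists the vanished SVC-OLD AdminTo so someone checks whether it was actually removed or whether local-group collection simply failed against that DC this quarter.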

AD misconfigurations have a habit of creeping back in. A one-time audit isn't enough — it needs to become part of your regular security hygiene.