BloodHound — Active Directory Attack Path Analysis

BloodHound maps Active Directory attack paths using graph theory to find privilege escalation routes.

Apr 2026 lazyhackers
Data Collection (SharpHound / BloodHound.py) (8)
bloodhound-python -u user -p password -d domain.local -dc DC01.domain.local -c All
Python collector — collect all data
collection python
bloodhound-python -u user -p password -d domain.local -c All --zip
Collect and auto-zip for import
collection python zip
bloodhound-python -u user -p password -d domain.local -c DCOnly
Collect DC info only (faster, stealthier)
collection dconly
bloodhound-python -u user -p password -d domain.local -c All --dns-tcp -ns 10.10.10.1
Use TCP DNS with custom resolver
collection dns
./SharpHound.exe -c All
SharpHound Windows binary — collect all
sharphound windows collection
./SharpHound.exe -c All --zipfilename loot.zip
SharpHound collect + zip output
sharphound windows
./SharpHound.exe -c SessionLoop --loopcollection --loopinterval 00:05:00 --loopduration 02:00:00
Session loop collection for 2 hours
sharphound session loop
nxc ldap DC01 -u user -p pass --bloodhound -c All -ns 10.10.10.1
BloodHound collection via NetExec
nxc collection
BloodHound Cypher Queries (Neo4j) (8)
MATCH (u:User {admincount:true}) RETURN u
Find all DA/admin users (accounts flagged admincount=true)
cypher admin da
MATCH p=shortestPath((u:User)-[*1..]->(g:Group {name:"DOMAIN ADMINS@DOMAIN.LOCAL"})) RETURN p
Shortest path to Domain Admins from any user
cypher path da
MATCH p=shortestPath((u:User {name:"USER@DOMAIN.LOCAL"})-[*1..]->(g:Group {name:"DOMAIN ADMINS@DOMAIN.LOCAL"})) RETURN p
Shortest path from specific user to DA
cypher path
MATCH (u:User) WHERE u.hasspn=true RETURN u.name
Find all Kerberoastable users
cypher kerberoast spn
MATCH (u:User) WHERE u.dontreqpreauth=true RETURN u.name
Find AS-REP Roastable users
cypher asrep
MATCH (c:Computer) WHERE c.unconstraineddelegation=true RETURN c.name
Find computers with unconstrained delegation
cypher delegation
MATCH (u:User) WHERE u.enabled=true AND u.lastlogon < (datetime().epochseconds - (90*86400)) RETURN u.name ORDER BY u.lastlogon
Find enabled users not logged in 90+ days
cypher stale users
MATCH (g:Group) WHERE g.name =~ ".*ADMIN.*" RETURN g.name
Find all admin groups
cypher groups admin
Setup & Launch (3)
sudo neo4j start && bloodhound
Start Neo4j then BloodHound GUI
setup start
sudo neo4j console
Start Neo4j in foreground
setup neo4j
pip3 install bloodhound
Install bloodhound-python collector
install