Ultimate BloodHound Cheat Sheet


Active Directory relationship mapping and attack path visualization.

1. Setup & Neo4j Database

BloodHound requires a Neo4j graph database backend.

Configure Neo4j

First, start the console to set the password.

sudo neo4j console

Then browse to http://localhost:7474 (Default user: neo4j, Pass: neo4j). Change the password.

Start BloodHound

bloodhound

Docker Version (Alternative)

docker-compose up -d

2. Data Collection (Ingestors)

BloodHound is useless without data. You need to run an "Ingestor" (like SharpHound) on the target network.

SharpHound (Windows / .exe)

The standard collector. Run this on a domain-joined machine.

SharpHound.exe -c All
SharpHound.exe -c All --zipfilename loot.zip

BloodHound.py (Linux / Python)

Collect data from a Linux machine (e.g., Kali) if you have credentials.

bloodhound-python -u 'username' -p 'password' -ns 192.168.1.5 -d target.local -c All

Collection Methods (-c)

  • Default: Group Membership, Domain Trust, Sessions, ObjectProps.
  • All: Everything (Noisy but complete).
  • DCOnly: Only data from the Domain Controller (Stealthier).
  • Session: Only user sessions (Requires touching many hosts).

3. Interface & Usage

Uploading Data

Drag and drop the .zip file generated by SharpHound directly into the BloodHound interface.

Node Icons

User

Icon: Person
Represents a Domain User.

Computer

Icon: Monitor
Represents a Server or Workstation.

Group

Icon: Three People
Represents AD Groups (e.g., Domain Admins).

Right-Click Options

  • Mark as Owned: Sets a node as "compromised". BloodHound will calculate paths starting from here.
  • Shortest Path to Here: Shows how to get to this node from anywhere.
  • Shortest Path to High Value Targets: Shows if this user can reach Domain Admin.

4. Built-in Queries

BloodHound comes with "Pre-Built Analytics" in the Analysis tab.

  • Find all Domain Admins: Lists every user in the DA group.
  • Find Shortest Paths to Domain Admins: The most famous query. Maps the route to power.
  • Find Principals with DCSync Rights: Finds users who can dump hashes (Mimikatz).
  • Find Computers where Domain Users are Local Admin: Finds weak configurations for lateral movement.
  • Find AS-REP Roastable Users: Users vulnerable to offline brute force (Kerberos).

5. Custom Cypher Queries

Cypher is the query language used by Neo4j. Use the raw query bar at the bottom.

Find all Admin Sessions

Show computers where a member of 'Domain Admins' (directly or via nested groups) currently has a session.

MATCH p = (c:Computer)-[:HasSession]->(u:User)-[:MemberOf*1..]->(g:Group {name:'DOMAIN ADMINS@TARGET.LOCAL'}) RETURN p

List All Operating Systems

Get a count of OS versions (good for finding XP/2003 legacy boxes).

MATCH (c:Computer) RETURN c.operatingsystem, count(c.operatingsystem)

Shortest Path from Owned to Target

If you marked nodes as "Owned", run this to see paths to Domain Admins.

MATCH (n:User {owned: true}),(m:Group {name: 'DOMAIN ADMINS@TARGET.LOCAL'}),p=shortestPath((n)-[*1..]->(m)) RETURN p

6. Pro Tips

Marking High Value Targets:

Don't just look for "Domain Admins". Edit the Group info to mark "Backup Operators", "Account Operators", and "Exchange Trusted Subsystem" as High Value too. They often lead to full compromise.

Clean Database

If you need to wipe the database and start fresh:

MATCH (n) DETACH DELETE n

Pathfinding Edges

  • MemberOf: Standard group membership.
  • AdminTo: Local Administrator rights.
  • HasSession: User is logged on (Memory extraction possible).
  • ForceChangePassword: User can reset target's password.
  • AddMember: User can add members (including themselves) to the group.
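To make the graph semantics above concrete, here is an added example (not BloodHound or SharpHound code) that rebuilds in plain Python what the "Shortest Path from Owned to Target" and "Find all Admin Sessions" Cypher queries compute, over the edge types listed in this section and with the extra High Value groups from the Pro Tips treated as targets. The graph is a small hand-constructed dataset; node names follow BloodHound's NAME@DOMAIN convention, and the domain TARGET.LOCAL and all principals in it are assumptions made for the example.

```python
from collections import deque

# Constructed sample graph of (source, edge, target) triples. This is a
# hand-made dataset for illustration, not SharpHound output.
EDGES = [
    ("ALICE@TARGET.LOCAL", "MemberOf", "HELPDESK@TARGET.LOCAL"),
    ("HELPDESK@TARGET.LOCAL", "AdminTo", "WS01.TARGET.LOCAL"),
    ("WS01.TARGET.LOCAL", "HasSession", "BOB@TARGET.LOCAL"),
    ("BOB@TARGET.LOCAL", "MemberOf", "BACKUP OPERATORS@TARGET.LOCAL"),
    ("BOB@TARGET.LOCAL", "ForceChangePassword", "CAROL@TARGET.LOCAL"),
    ("CAROL@TARGET.LOCAL", "MemberOf", "DOMAIN ADMINS@TARGET.LOCAL"),
    ("DC01.TARGET.LOCAL", "HasSession", "CAROL@TARGET.LOCAL"),
    ("DAVE@TARGET.LOCAL", "MemberOf", "DOMAIN USERS@TARGET.LOCAL"),
]

DOMAIN_ADMINS = "DOMAIN ADMINS@TARGET.LOCAL"
# Domain Admins plus the groups the Pro Tips recommend marking as High Value.
HIGH_VALUE = {
    DOMAIN_ADMINS,
    "BACKUP OPERATORS@TARGET.LOCAL",
    "ACCOUNT OPERATORS@TARGET.LOCAL",
    "EXCHANGE TRUSTED SUBSYSTEM@TARGET.LOCAL",
}


def build_adjacency(edges, kinds=None):
    """Directed adjacency list; optionally restricted to some edge types."""
    adj = {}
    for src, kind, dst in edges:
        if kinds is None or kind in kinds:
            adj.setdefault(src, []).append((kind, dst))
    return adj


def shortest_path(edges, start, targets):
    """Breadth-first search from `start` to any node in `targets`.

    Returns the path as a list of (node, edge, node) hops, or None when no
    path exists. At least one hop is required, mirroring the Cypher pattern
    shortestPath((n)-[*1..]->(m)).
    """
    adj = build_adjacency(edges)
    prev = {start: None}          # node -> (previous node, edge) used to reach it
    queue = deque([start])
    while queue:
        node = queue.popleft()
        if node in targets and node != start:
            hops = []
            while prev[node] is not None:
                parent, kind = prev[node]
                hops.append((parent, kind, node))
                node = parent
            return hops[::-1]
        for kind, nxt in adj.get(node, []):
            if nxt not in prev:
                prev[nxt] = (node, kind)
                queue.append(nxt)
    return None


def paths_from_owned(edges, owned, targets=HIGH_VALUE):
    """Equivalent of marking nodes as Owned and asking for paths to High Value."""
    return {o: shortest_path(edges, o, targets) for o in owned}


def members_transitive(edges, group):
    """All principals reaching `group` through one or more MemberOf hops
    (the [:MemberOf*1..] pattern), i.e. nested membership is followed."""
    reverse = {}
    for src, kind, dst in edges:
        if kind == "MemberOf":
            reverse.setdefault(dst, []).append(src)
    seen, stack = set(), [group]
    while stack:
        g = stack.pop()
        for member in reverse.get(g, []):
            if member not in seen:
                seen.add(member)
                stack.append(member)
    return seen


def admin_sessions(edges, group=DOMAIN_ADMINS):
    """Computers holding a session of any transitive member of `group`
    (the 'Find all Admin Sessions' query)."""
    members = members_transitive(edges, group)
    return sorted({src for src, kind, dst in edges
                   if kind == "HasSession" and dst in members})


if __name__ == "__main__":
    for owned, path in paths_from_owned(EDGES, ["ALICE@TARGET.LOCAL", "DAVE@TARGET.LOCAL"]).items():
        print(owned, "->", path)
    print("Admin sessions on:", admin_sessions(EDGES))
```

Reading the output: ALICE reaches a High Value group in four hops (nested group, local admin, session, group membership) and would need a fifth, the ForceChangePassword edge, to reach Domain Admins; DAVE reaches nothing, and DC01 is the only host where a (transitive) Domain Admin has a session. Each hop in the printed path is one of the edge types listed above, which is exactly what you inspect when deciding which edge to remove to break the path.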