BloodHound

Ingestors

SharpHound is a data collection tool that maps Active Directory environments by gathering information on users, groups, sessions, and permissions, typically used as part of the BloodHound toolset. It does that via Windows API calls and LDAP queries.

# Collect all available domain information
.\SharpHound.exe -c all

Its PowerShell version, Sharphound.ps1, is imported directly into memory rather than dropped to disk as an executable.

# Execution policy bypass
powershell -ep bypass

# Import module
Import-Module .\Sharphound.ps1

# Collect all available domain information
Invoke-BloodHound -CollectionMethod All -OutputDirectory C:\Users\stephanie\Desktop\ -OutputPrefix "corp audit"

It collects domain data as JSON files and compresses them into a single .zip file. SharpHound may also write a .bin cache file to speed up future runs; that file is not needed for analysis and can be ignored or deleted.
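As an added illustration of the zip layout described above (not code from the SharpHound or BloodHound projects): a small Python script that opens a SharpHound output zip, reads the users file and lists the accounts a defender should prioritise for remediation. It assumes the SharpHound CE JSON layout (a meta block plus a data array whose entries carry Properties and Aces); the zip it reads is constructed inline with made-up names and SIDs.

```python
import io
import json
import zipfile

# Rights on an object that let the holder take it over; any ACE granting one is flagged.
DANGEROUS_RIGHTS = {"GenericAll", "WriteDacl", "WriteOwner", "AllExtendedRights"}

def audit_sharphound_zip(zip_bytes: bytes) -> dict:
    """Return {object name: [finding, ...]} for the users file inside a SharpHound zip."""
    findings = {}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for member in zf.namelist():
            if not member.endswith("users.json"):
                continue
            doc = json.loads(zf.read(member))
            # SharpHound CE files carry a 'meta' block (assumed layout); check its type before trusting 'data'.
            if doc.get("meta", {}).get("type") != "users":
                continue
            for obj in doc.get("data", []):
                props = obj.get("Properties", {})
                name = props.get("name", obj.get("ObjectIdentifier"))
                issues = []
                if props.get("enabled") and props.get("dontreqpreauth"):
                    issues.append("AS-REP roastable (pre-auth not required)")
                if props.get("enabled") and props.get("hasspn"):
                    issues.append("Kerberoastable (SPN set)")
                for ace in obj.get("Aces", []):
                    if ace.get("RightName") in DANGEROUS_RIGHTS:
                        issues.append(f"{ace['RightName']} granted to {ace.get('PrincipalSID')}")
                if issues:
                    findings[name] = issues
    return findings

def build_sample_zip() -> bytes:
    """Constructed stand-in for a SharpHound zip; the names and SIDs are made up."""
    users = {"meta": {"type": "users", "count": 3, "version": 5}, "data": [
        {"ObjectIdentifier": "S-1-5-21-1-2-3-1105", "Aces": [{"PrincipalSID": "S-1-5-21-1-2-3-1203",
            "PrincipalType": "Group", "RightName": "GenericAll", "IsInherited": False}],
         "Properties": {"name": "SVC_SQL@CORP.LOCAL", "enabled": True, "hasspn": True, "dontreqpreauth": False}},
        {"ObjectIdentifier": "S-1-5-21-1-2-3-1106", "Aces": [],
         "Properties": {"name": "JDOE@CORP.LOCAL", "enabled": True, "hasspn": False, "dontreqpreauth": True}},
        {"ObjectIdentifier": "S-1-5-21-1-2-3-1107", "Aces": [],  # disabled account: no finding expected
         "Properties": {"name": "OLDADMIN@CORP.LOCAL", "enabled": False, "hasspn": True, "dontreqpreauth": True}},
    ]}
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("20240101120000_users.json", json.dumps(users))
    return buf.getvalue()
```

Running audit_sharphound_zip(build_sample_zip()) reports the SPN and GenericAll findings on SVC_SQL and the pre-auth finding on JDOE, and skips the disabled account.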

SharpHound also supports looping for continuous data collection if needed.

BloodHound

BloodHound is a graphical tool that visualizes Active Directory relationships and permissions to identify attack paths and privilege escalation opportunities in enterprise environments. Once the data is collected via SharpHound, we can upload the .zip file to BloodHound.

BloodHound uses Neo4j, a graph database that stores data as nodes and relationships, which makes it well suited to mapping complex AD environments. The default Neo4j credentials are neo4j:neo4j.

BloodHound Automation spins up and populates a fresh instance of BloodHound CE (Community Edition):

# Create & start a project
./bloodhound-automation.py start -bp 10001 -np 10501 -wp 8001 my_project

# Import data
./bloodhound-automation.py data -z test.zip my_project

# Delete & clear data
./bloodhound-automation.py delete my_project
./bloodhound-automation.py clear my_project

AD-miner

AD Miner is an Active Directory auditing tool (supporting both on-prem and Entra ID) that analyzes BloodHound data in a Neo4j database using Cypher queries. It generates a static, web-based report highlighting AD weaknesses with dynamic graphs, risk ratings, historical indicators, and detailed mitigation paths. It requires a Neo4j database populated with AD data from tools like SharpHound, RustHound-CE, BloodHound.py, or AzureHound.

For best results, BloodHound Automation is recommended, as it installs the Graph Data Science plugin, which gives faster analysis and better pathfinding than a default BloodHound setup.

Basic usage:

AD-miner -cf My_Report -u neo4j -p mypassword

Resources

  • A nice demo of how to use BloodHound (video)
