BloodHound

Official SpectreOps documentation.

Ingestors

Sharphound

SharpHound is a data collection tool that maps Active Directory environments by gathering information on users, groups, sessions, and permissions, typically used as part of the BloodHound toolset. It does that via Windows API calls and LDAP queries.

OPSEC: The --excludedcs option avoids querying Domain Controllers.

# Collect all available domain information
.\SharpHound.exe -c all

Its PowerShell version import Sharphound.ps1 directly into memory.

# Execution policy bypass
powershell -ep bypass

# Import module
Import-Module .\Sharphound.ps1

# Collect all available domain information
Invoke-BloodHound -CollectionMethod All -OutputDirectory C:\Users\stephanie\Desktop\ -OutputPrefix "corp audit"

It collects and compresses domain data (in JSON format) into a .zip file. SharpHound may also generate a .bin cache file to speed up future runs—this file isn't required for analysis and can be ignored or deleted.

SharpHound also supports looping for continuous data collection if needed.

SOAPHound

SOAPHound talks to AD Web Services (ADWS) on port 9389 instead of LDAP queries (same as AD Module). The ADWS port is open by default. It has almost no network-based detection (e.g. MDI) and it retrieves info about all objects (objectGuid=*) and then process them. This means limited LDAP queries - less chance of endpoint detection.

# Build a cache that includes basic info about domain objects
SOAPHound.exe --buildcache -c c:\ad\tools\cache.txt

# Collect BH compatible data
SOAPHound.exe -c c:\ad\tools\cache.txt --bhdump -o c:\ad\tools\bloodhound-output -nolaps

RustHound

RustHound-CE is a cross-platform BloodHound collector written in Rust, compatible with Linux, Windows, and macOS, that generates JSON files for analysis in BloodHound CE.

rusthound-ce -d domain -u x7331@domain -p Pass123! -z

bloodhound-python (nxc)

SharpHound's Python-based version:

# Plaintext creds
bloodhound-python -u <user> -p <password> -dc <FQDN> -c all -d <domain> -ns <dc-ip>

# PtH
bloodhound-python -u <user> --hashes :<NTML> -dc <FQDN> -c all -d <domain> -ns <dc-ip>

NetExec uses bloodhound-python under the hood on its --bloodhound ingestor:

nxc ldap <dc-ip/FQDN> -u <user> -p <password> --bloodhound -c All --dns-server <dc-ip>

BloodHound

BloodHound is a graphical tool that visualizes Active Directory relationships and permissions to identify attack paths and privilege escalation opportunities in enterprise environments. Once the data is collected via SharpHound, we can upload the .zip file to BloodHound.

BloodHound used neo4j, a graph database that stores data as nodes and relationships—perfect for mapping complex AD environments. The default Neo4j credentials are neo4j:neo4j.

Custom cypher queries: BloodHound Queries For All.

bloodhound-automation

Bloodhound automation automatically runs and populates a new instance of BH CE:

# Create & start a project
./bloodhound-automation.py start -bp 10001 -np 10501 -wp 8001 my_project

# Import data
./bloodhound-automation.py data -z test.zip my_project

# Delete & clear data
./bloodhound-automation.py delete my_project
./bloodhound-automation.py clear my_project

Manual

# start the Neo4j service
$ sudo neo4j start
# Launch BloodHound
$ bloodhound

Docker

sudo curl -L https://ghst.ly/getbhce | docker compose -f - up

AD-miner

AD Miner is an Active Directory auditing tool (supporting both on-prem and Entra ID) that analyzes BloodHound data in a Neo4j database using Cypher queries. It generates a static, web-based report highlighting AD weaknesses with dynamic graphs, risk ratings, historical indicators, and detailed mitigation paths. It requires a Neo4j database populated with AD data from tools like SharpHound, RustHound-CE, BloodHound.py, or AzureHound.

For optimal performance, BloodHound Automation is recommended, as it installs the Graph Data Science plugin—enabling faster analysis and smarter pathfinding compared to default BloodHound setups.

Basic

Basic usage:

AD-miner -cf My_Report -u neo4j -p mypassword

Cache

AD Miner generates cache files after each Neo4j request, allowing the process to be paused or stopped without losing progress (-c). Cache files are saved in the cache_neo4j folder, and the report name must match the cache file's prefix to reuse cached data:

AD-miner -c -cf My_Report -u neo4j -p mypassword

Resources

• A nice demo of how to use Bloodhound (video)