{
	"id": "dcc1e9c8-bdaf-424d-b4b1-1a5e564aea45",
	"created_at": "2026-04-06T00:09:30.359711Z",
	"updated_at": "2026-04-10T03:21:58.296211Z",
	"deleted_at": null,
	"sha1_hash": "f80e26f428b9a958c0f781221cf6a717fadca3ed",
	"title": "Bloodhound walkthrough. A Tool for Many Tradecrafts | Pen Test Partners",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 3032822,
	"plain_text": "Bloodhound walkthrough. A Tool for Many Tradecrafts | Pen Test\r\nPartners\r\nBy PTP Admin\r\nPublished: 2019-06-07 · Archived: 2026-04-05 15:08:43 UTC\r\nRelated services\r\nRelated blogs\r\nA walkthrough on how to set up and use BloodHound\r\nBloodHound (https://github.com/BloodHoundAD/BloodHound) is an application used to visualize active\r\ndirectory environments. The front-end is built on electron and the back-end is a Neo4j database, the data leveraged\r\nis pulled from a series of data collectors also referred to as ingestors which come in PowerShell and C# flavours.\r\nIt can be used on engagements to identify different attack paths in Active Directory (AD), this encompasses access\r\ncontrol lists (ACLs), users, groups, trust relationships and unique AD objects. The tool can be leveraged by both\r\nblue and red teams to find different paths to targets. The subsections below explain the different and how to\r\nproperly utilize the different ingestors.\r\nSpecifically, it is a tool I’ve found myself using more and more recently on internal engagements and when\r\ncompromising a domain as it is a quick way to visualise attack paths and understand users’ active directory\r\nproperties.\r\nFor the purposes of this blog post we’ll be using BloodHound 2.1.0 which was the latest version at the time of\r\nwriting.\r\nSetup\r\nInitial setup of BloodHound on your host system is fairly simple and only requires a few components, we’ll start\r\nwith setup on Kali Linux, I’m using version 2019.1 which can be acquired from Kali’s site here.\r\nIt can be installed by either building from source or downloading the pre-compiled binaries OR via a package\r\nmanager if using Kali or other Debian based OS.\r\nBloodHound is supported by Linux, Windows, and MacOS. 
BloodHound is built on Neo4j and depends on it.\r\nNeo4j is a NoSQL graph database management system.\r\nLinux\r\nTo install on Kali/Debian/Ubuntu the simplest thing to do is sudo apt install bloodhound (the package name is\r\nlower case), which will pull down all the required dependencies.\r\nhttps://www.pentestpartners.com/security-blog/bloodhound-walkthrough-a-tool-for-many-tradecrafts/\r\nPage 1 of 24\n\nHowever, if you want to build from source you need to install NodeJS and pull the git repository, which can be\r\nfound here: https://github.com/BloodHoundAD/BloodHound\r\nInstalling NodeJS\r\nnpm and nodejs are available from most package managers; in this instance we’ll use Debian/Ubuntu as an\r\nexample (as with any curl-into-bash installer, read the script before running it as root):\r\n# Using Ubuntu\r\ncurl -sL https://deb.nodesource.com/setup_12.x | sudo -E bash -\r\nsudo apt-get install -y nodejs\r\n# Using Debian, as root\r\ncurl -sL https://deb.nodesource.com/setup_12.x | bash -\r\napt-get install -y nodejs\r\nOnce node has been installed you should be able to run npm to install other packages. BloodHound requires\r\nelectron-packager as a prerequisite, which can be acquired using the following command:\r\nsudo npm install -g electron-packager\r\nThen clone BloodHound from the GitHub link above and run npm install.\r\nWhen this has completed you can build BloodHound with npm run linuxbuild.\r\nAll going well you should be able to run neo4j console and BloodHound. On the first start of Neo4j, browse to\r\nhttp://localhost:7474, log in as neo4j/neo4j and set a new password; the BloodHound client will need that\r\npassword to connect to bolt://localhost:7687:\r\nMacOS\r\nThe setup for macOS is exactly the same as Linux, except for the last command, where you should run npm run\r\nmacbuild instead of linuxbuild. Then, again, running neo4j console \u0026 BloodHound to launch will work. 
Likewise,\r\nthe DBCreator tool will work on macOS too, as it is Unix-based.\r\nWindows\r\nAs with the Linux setup, download the repository from GitHub for BloodHound and take note of the example\r\ndatabase file, as this will be required later. Setting up on Windows is similar to Linux, however there are extra\r\nsteps required. We’ll start by installing Neo4j on Windows, which can be acquired from here (https://neo4j.com/download-center/#releases). Ensure you select ‘Neo4j Community Server’.\r\nBy default the download brings down a few batch files and PowerShell scripts; in order to run Neo4j and\r\nBloodHound we want the management one, which can be run by importing the module and then running neo4j.\r\nFirst open an elevated PowerShell prompt and set the execution policy:\r\nThen navigate to the bin directory of the downloaded Neo4j server, import the module and run it:\r\nImport-Module .\\neo4j-management.psd1\r\nInvoke-Neo4j console\r\nRunning those commands should start the console interface and allow you to change the default password, similar\r\nto the Linux stage above.\r\nIn conjunction with Neo4j, the BloodHound client can be either run from a pre-compiled binary or compiled\r\non your host machine. If you don’t want to run nodejs on your host, the binary can be downloaded from GitHub\r\nreleases (https://github.com/BloodHoundAD/BloodHound/releases) and run from PowerShell:\r\nTo compile on your host machine, follow the steps below:\r\n1. Install NodeJS.\r\n2. Install electron-packager: npm install -g electron-packager\r\n3. Clone the BloodHound GitHub repo: git clone https://github.com/adaptivethreat/BloodHound\r\n4. From the root BloodHound directory, run npm install\r\n5. Build BloodHound with npm run winbuild\r\nThen simply running BloodHound will launch the client.\r\nDocker and BloodHound\r\nAs you’ve seen above it can be a bit of a pain setting everything up on your host; if you’re anything like me you\r\nmight prefer to automate this some more. Enter the wonderful world of Docker.\r\nIf you’ve not got Docker installed on your system, you can install it by following the documentation on Docker’s\r\nsite:\r\nWindows Install: https://docs.docker.com/docker-for-windows/install/\r\nLinux Install: https://docs.docker.com/install/linux/\r\nMac Install: https://docs.docker.com/docker-for-mac/install/\r\nOnce Docker is installed there are a few options for running BloodHound in Docker. Unfortunately there isn’t an\r\nofficial Docker image from BloodHound’s GitHub, however there are a few available from the community; I’ve\r\nfound belane’s to be the best so far. To run this simply start Docker and run:\r\ndocker run -it \\\r\n-p 7474:7474 \\\r\n-e DISPLAY=unix$DISPLAY \\\r\n-v /tmp/.X11-unix:/tmp/.X11-unix \\\r\n--device=/dev/dri:/dev/dri \\\r\n-v $(pwd)/data:/data \\\r\n--name bloodhound belane/bloodhound\r\nThis will pull down the latest version from Docker Hub and run it on your system. Note that -p 7474:7474\r\npublishes the Neo4j browser on every interface of your host; if the box sits on a shared network, bind it to\r\nloopback with -p 127.0.0.1:7474:7474, since this database will hold your entire map of the client’s AD.\r\nAlternatively you can clone it down from GitHub: https://github.com/belane/docker-BloodHound and run it yourself\r\n(instructions taken from belane’s GitHub readme; image tags and container names must be lower case, so the\r\ncapitalised Bloodhound in the readme has been corrected below):\r\nBuild\r\ndocker build . -t bloodhound\r\nBuild with example data\r\ndocker build . -t bloodexample --build-arg data=example\r\nOptional arguments:\r\nneo4j version\r\nBloodhound version\r\ndocker build . -t bloodhound --build-arg neo4j=3.4.8 --build-arg Bloodhound=2.1.0\r\nRun\r\ndocker run -it \\\r\n-p 7474:7474 \\\r\n-e DISPLAY=unix$DISPLAY \\\r\n-v /tmp/.X11-unix:/tmp/.X11-unix \\\r\n--device=/dev/dri:/dev/dri \\\r\n-v ~/Desktop/bloodhound/data:/data \\\r\n--name bloodhound bloodhound\r\nRun with example data\r\ndocker run -it \\\r\n-e DISPLAY=unix$DISPLAY \\\r\n-v /tmp/.X11-unix:/tmp/.X11-unix \\\r\n--device=/dev/dri:/dev/dri \\\r\n-v ~/Desktop/bloodhound/data:/data \\\r\n--name bloodexample bloodexample\r\nStart container\r\ndocker start bloodhound\r\nUse Login:\r\nDatabase URL: bolt://localhost:7687\r\nDB Username: neo4j\r\nDB Password: blood\r\nIn addition to BloodHound, Neo4j also has a Docker image; if you choose to build BloodHound from source and\r\nwant a quick implementation of Neo4j it can be pulled with the following command: docker pull neo4j\r\nThen simply run sudo docker run -p 7687:7687 -p 7474:7474 neo4j to start Neo4j for BloodHound, as shown\r\nbelow:\r\nThis will start Neo4j, which is accessible in a browser with the default username and password of neo4j/neo4j. As\r\nyou’re running in Docker the easiest way to access it is to open a web browser and navigate to\r\nhttp://DOCKERIP:7474:\r\nAfter entering the default password you will be prompted to set a new one; make sure it’s something easy to\r\nremember as we’ll be using it to log into BloodHound.\r\nNote down the password and launch BloodHound from your Docker container from earlier (it should still be open in the\r\nbackground), then log in with your newly created password:\r\nThe default interface will look similar to the image below. I have enabled dark mode (dark mode all the things!)\r\nby clicking on the gear icon in the middle-right menu bar.\r\nExample Data to Play With\r\nIf you want to play about with BloodHound the team have also released an example database generator to help\r\nyou see what the interface looks like and to play around with different properties; this can be pulled from GitHub\r\nhere (https://github.com/BloodHoundAD/BloodHound-Tools/tree/master/DBCreator).\r\nTo set this up simply clone the repository and follow the steps in the readme, making sure that all files in the repo\r\nstay in the same directory.\r\ngit clone https://github.com/BloodHoundAD/BloodHound-Tools\r\ncd BloodHound-Tools/DBCreator\r\npip2 install neo4j-driver\r\npython2 DBCreator.py\r\nThe tool is written in Python 2, so run it with python2 (and install the driver with pip2) if python on your\r\nsystem is Python 3; the neo4j-driver package is the Neo4j Python driver that DBCreator imports. On startup it\r\nasks for your Neo4j credentials, as it connects directly to Neo4j and adds an example database to play with.\r\nYou should be prompted with a ‘Database Connection Successful’ message, which assures that the tool is ready to\r\ngenerate and load some example data; simply use the command generate:\r\nThe generated data will be automatically loaded into the BloodHound database and can be played with using\r\nBloodHound’s interface:\r\nThe view above shows all the members of the Domain Admins group in a simple path. In addition to the main\r\ngraph, the Database Info tab in the left-hand corner shows all of the stats in the database.\r\nThe different aspects of this tab are as follows:\r\nUsers – The users on the network extracted from Active Directory.\r\nComputers – The different endpoints on the network: servers, workstations and other devices.\r\nGroups – The different AD groups extracted from AD.\r\nSessions – The number of user sessions on computers on the network that the ingestor has extracted (more\r\non this later).\r\nACLs – Access control lists: the different permissions and access that users and groups have against each\r\nother.\r\nRelationships – The different relations that all of the other aspects have to each other, such as group\r\nmemberships, users, user sessions and other related information.\r\nIngestors \u0026 Data Collection\r\nOnce you’ve got BloodHound and Neo4j installed and have had a play around with generating test data, the next\r\nstage is actually using BloodHound with real data from a target or lab network. Essentially it comes in two parts:\r\nthe interface and the ingestors.\r\nTo actually use BloodHound with anything other than the example graph you will need to run an ingestor on the\r\ntarget system or domain. Essentially these are used to query the domain controllers and Active Directory to retrieve\r\nall of the trust relationships, group policy settings and Active Directory objects.\r\nIngestors are the main data collectors for BloodHound. To function properly BloodHound requires three key pieces\r\nof information from an Active Directory environment, these are:\r\nWhat user is logged on and where?\r\nWhich users have admin rights and what do they have access to?\r\nWhat groups do users and groups belong to?\r\nAdditionally, BloodHound can also be fed information about which AD principals have control over other user and\r\ngroup objects to determine additional relationships. 
In the majority of implementations, BloodHound does not\r\nrequire administrative privileges to run and therefore can act as a useful tool to identify paths to escalate privileges.\r\nAs of BloodHound 2.1 (the version set up in the previous steps), collected data is stored as JSON files; typically a\r\nfew different files will be created depending on the options selected for data collection, each of which contains\r\ninformation about AD relationships and the permissions of different users and groups.\r\nWithin the BloodHound git repository (https://github.com/BloodHoundAD/BloodHound/tree/master/Ingestors)\r\nthere are two different ingestors, one written in C# and a second in PowerShell which loads the C# binary via\r\nreflection. Previous versions of BloodHound had other types of ingestor, however as the landscape is moving away\r\nfrom PowerShell-based attacks and onto C#, BloodHound is following this trend.\r\nThe ingestors can be compiled using Visual Studio on Windows, or a precompiled binary is supplied in the repo. It\r\nis highly recommended that you compile your own ingestor to ensure you understand what you’re running on a\r\nnetwork. Never run an untrusted binary on a test engagement if you do not know what it is doing.\r\nAs well as the C# and PowerShell ingestors there is also a Python-based one named BloodHound.py\r\n(https://github.com/fox-it/BloodHound.py) which needs to be manually installed through pip to function. It does\r\nnot currently support Kerberos, unlike the other ingestors. However, it can still perform the default data collection\r\ntasks, such as group membership collection, local admin collection, session collection, and tasks like performing\r\ndomain trust enumeration.\r\nBloodHound.py can be installed via pip using the command pip install bloodhound, or by cloning the\r\nrepository and running python setup.py install. BloodHound.py requires impacket, ldap3 and dnspython to\r\nfunction. 
To use it with Python 3.x, use the latest impacket from GitHub.\r\nHow to Use Sharphound\r\nTypically when you’ve compromised an endpoint on a domain as a user you’ll want to start to map out the trust\r\nrelationships; enter SharpHound for this task. It needs to be run on an endpoint to do this, and as there are two\r\nflavours (technically three if we include the Python ingestor) we’ll want to drop either the PowerShell version or the C#\r\nbinary onto the machine to enumerate the domain.\r\nIt isn’t advised that you drop a binary on the box if you can help it, as this is poor operational security; you can\r\nhowever load the binary into memory using reflection techniques.\r\nThe syntax for running a full collection on the network is as follows; this will use all of the collection methods\r\nin an attempt to enumerate as much of the network as possible (the -JsonFolder parameter was cut off in the\r\narchived copy and is restored here from the SharpHound.exe command further down):\r\nInvoke-BloodHound -CollectionMethod All -Domain TESTLAB.local -ZipFileName PATHTOZIP\\file.zip -JsonFolder PATHTOZIP\\\r\nThe above command will run SharpHound to collect all information, export it to JSON format in the supplied\r\npath and then compress it for ease of import into BloodHound’s client.\r\nAn overview of all of the collection methods follows; the CollectionMethod parameter will accept a comma-separated\r\nlist of values. 
The default if this parameter is not supplied is Default:\r\nDefault – Performs a collection of the local admins on machines, group memberships, domain trusts\r\nand sessions.\r\nGroup – Collects the group memberships only\r\nLocalGroup – Collects just the local admins\r\nGPOLocalGroup – Performs local admin collection using Group Policy Objects\r\nComputerOnly – Performs local admin collection and session collection\r\nSession – Collects the user sessions on machines on the domain\r\nLoggedOn – Performs privileged session collection (this requires local admin rights on target systems)\r\nTrusts – Enumerates the domain trusts for the specified target domain\r\nACL – Collects the access control lists from the domain\r\nContainer – Performs collection of containers\r\nAll – Performs all collection methods listed above.\r\nAll is also the noisiest option: Session and LoggedOn collection connect to every computer in the domain rather\r\nthan just the domain controllers, so on a live engagement consider a narrower list first.\r\nFor a full breakdown of the different parameters that SharpHound accepts, refer to the SharpHound repository on\r\nGitHub (https://github.com/BloodHoundAD/SharpHound). Alternatively, if you want to drop a compiled binary\r\nthe same flags can be used, but instead of a single dash a double dash is used:\r\nSharphound.exe --ZipFileName PATHTOZIP\\file.zip --JsonFolder PATHTOZIP\\ --CollectionMethod All --Domain TESTLAB.local\r\nUnderstanding What You’re Looking At\r\nWhen a graph is generated from the ingestors or an example dataset, BloodHound visualises all of the\r\nrelationships in the form of nodes; each node has several properties, including the different ties to other nodes.\r\nNavigating the interface to the Queries tab will show a list of pre-compiled built-in queries that BloodHound\r\nprovides:\r\nAn example query of the shortest path to domain administrator is shown below:\r\nIf you have never used BloodHound this will look like a lot going on, and it is, but let’s break this down. 
In the\r\ngraph world where BloodHound operates, a node is an Active Directory (AD) object. The different nodes in\r\nBloodHound are represented using different icons and colours: Users (typically green with a person), Computers\r\n(red with a screen), Groups (yellow with a few people) and Domains (green-blue with a globe-like icon). There are\r\nalso others such as organisational units (OUs) and Group Policy Objects (GPOs) which extend the tool’s\r\ncapabilities and help outline different attack paths on a domain.\r\nEssentially, from left to right the graph is visualising the shortest path on the domain to the Domain Admins group;\r\nthis is demonstrated via multiple groups, machines and users which have separate permissions to do different\r\nthings.\r\nThis feature set is where visualisation and the power of BloodHound come into their own: from any given\r\nrelationship (the lines between nodes) you can right-click and view help about that edge:\r\nWithin the help options of the attack path there is info about what the relationship is, how it can be abused and\r\nwhat operational security (opsec) considerations need to be taken into account:\r\nIn the abuse info, BloodHound will give the user the exact commands to drop into PowerShell in order to pivot\r\nthrough a node or exploit a relationship, which is incredibly useful in such a complicated path. 
Additionally, the\r\nopsec considerations give more info about what the abuse commands do and what artefacts they are likely to\r\ndrop onto a machine.\r\nBy leveraging this information BloodHound can help red teams identify valid attack paths and blue teams identify\r\nindicators and paths of compromise. Back to the attack path: we can set the user as the start point by right-clicking\r\nand setting it as the start point, then set Domain Admins as the end point; this will make the graph smaller and easier to\r\ndigest:\r\nThe user NNGHIEM00325@TESTLAB.LOCAL is going to be our path to domain administrator, by executing\r\nDCOM on COMP00262.TESTLAB.LOCAL. From the abuse information: the user\r\nNNGHIEM00325@TESTLAB.LOCAL has membership in the Distributed COM Users local group on the\r\ncomputer COMP00262.TESTLAB.LOCAL. This can allow code execution under certain conditions by\r\ninstantiating a COM object on a remote machine and invoking its methods. This gains us access to the machine,\r\nwhere we can run various tools to hijack RSUDDARTH00362@TESTLAB.LOCAL’s session and steal their hash,\r\nthen leverage Rubeus (the command is truncated in the archived copy):\r\nRubeus.exe s4u /user:victim /rc4:2b576acbe6bcfda7294d6bd18041b8fe /impersonateuser:admin /msdsspn:\"HT\r\nUsing the above command to impersonate the user, we pivot through to COMP00197, where LWIETING00103,\r\nwho is a domain administrator, has a session.\r\nA small path, and an easy route to domain admin from a complex graph, by leveraging the abuse info\r\ncontained inside BloodHound.\r\nExplaining Queries, How to Input Custom Ones\r\nIn addition to the default interface and queries there is also the option to add in custom queries, which will help\r\nvisualise more interesting paths and useful information. 
As of BloodHound 2.0 a few custom queries were\r\nremoved; to add them back in, the code can be inputted through the interface via the Queries tab:\r\nSimply navigate to the Queries tab and click on the pencil on the right; this will open customqueries.json, where all\r\nof your custom queries live:\r\nI have inputted the original BloodHound queries that show top tens and some other useful ones:\r\nIf you’d like to add more, the custom queries usually live in ~/.config/bloodhound/customqueries.json.\r\nThere are endless projects and custom queries available; BloodHound-Owned (https://github.com/porterhau5/BloodHound-Owned) can be used to identify waves and paths to domain\r\nadmin effectively. It does this by connecting to the Neo4j database locally and marking up potential paths of attack.\r\nIt also features custom queries that you can manually add into your BloodHound instance.\r\nExtra Tips\r\nIf you don’t have access to a domain-connected machine but you have creds, SharpHound can be run from your\r\nhost system using runas. The following lines will enable you to query the domain from outside the domain:\r\nrunas /netonly /user:FQDN.local\\USER powershell\r\nThis will prompt for the user’s password and then launch a new PowerShell window; from here you can import\r\nSharpHound as you would normally (the -CollectionMethod value was cut off in the archived copy and is restored\r\nhere as the All used above):\r\nImport-Module Sharphound.ps1\r\nInvoke-BloodHound -ZipFileName 'PATH/TO/ZIP.zip' -JsonFolder 'PATH/TO/folder' -CollectionMethod All\r\nThis window will use the local DNS settings to find the nearest domain controller and perform the various LDAP\r\nlookups that BloodHound normally performs. Because runas /netonly never validates the password locally, a\r\ntypo only shows up later as failed LDAP binds; make sure your host’s DNS can resolve the target domain, or point\r\nSharpHound at a DC explicitly with -DomainController. 
By leveraging this you are not only less likely to trigger antivirus,\r\nyou don’t have to exfiltrate the results either, which reduces the noise level on the network.\r\nUsing BloodHound Defensively\r\nHopefully the above has been a handy guide for those on the offensive security side of things; however,\r\nBloodHound can also be leveraged by blue teams to track paths of compromise, identify rogue administrator users\r\nand find unknown privilege escalation paths.\r\nJust as visualising attack paths is incredibly useful for a red team to work out paths to high-value targets, it\r\nis just as useful for blue teams to visualise their Active Directory environment, view the same paths and work out how\r\nto prevent such attacks.\r\nBloodHound can do this by showing previously unknown or hidden admin users who have access to sensitive\r\nassets such as domain controllers, mail servers or databases. These accounts may not belong to the typical privileged\r\nActive Directory (AD) groups (i.e. Domain Admins/Enterprise Admins), but they still have access to the same\r\nsystems. The permissions for these accounts are directly assigned using access control lists (ACLs) on AD objects.\r\nThese accounts are often service, deployment or maintenance accounts that perform automated tasks in an\r\nenvironment or network, which naturally presents an attractive target for attackers, who can leverage these service\r\naccounts for both lateral movement and gaining access to multiple systems. Exploitation of these privileges allows\r\nmalware to spread easily throughout an organisation.\r\n
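Both the offensive walk through the graph earlier (the shortest path from NNGHIEM00325 to Domain Admins) and the defensive question in this section (which principals hold admin rights without being Domain Admins) are traversals of the relationships the ingestors collect. The following is an added Python example, not code from this post or from the BloodHound project: it reads constructed SharpHound-style JSON (the field names follow SharpHound 2.x output as I recall it and should be treated as assumptions), builds the same labelled edges BloodHound loads into Neo4j, finds the shortest path with a breadth-first search, and lists users who reach admin rights outside Domain Admins. The SVC_DEPLOY account and the IT-OPS group are invented for the sample; the other names are the ones from the attack path above.\r\n

```python
# Added example, not code from the Pen Test Partners post or the BloodHound
# project. Parses constructed SharpHound 2.x-style JSON into labelled edges,
# then answers two questions offline: shortest path to Domain Admins (red team)
# and users with admin rights outside Domain Admins (blue team).
# Field names (Members/MemberName, LocalAdmins, DcomUsers, Aces, UserName/
# ComputerName) follow SharpHound 2.x output as I recall it: assumptions.
import json
from collections import deque

DOMAIN_ADMINS = 'DOMAIN ADMINS@TESTLAB.LOCAL'
# Rights a blue team treats as admin-equivalent in this example.
SENSITIVE_RIGHTS = ('AdminTo', 'GenericAll')

# Constructed sample data: the files SharpHound would place in its zip.
# SVC_DEPLOY and IT-OPS are invented; the other names come from the post.
SAMPLE_FILES = {
    'groups.json': json.dumps({'groups': [
        {'Name': DOMAIN_ADMINS,
         'Members': [{'MemberName': 'LWIETING00103@TESTLAB.LOCAL', 'MemberType': 'user'}],
         'Aces': [{'PrincipalName': 'SVC_DEPLOY@TESTLAB.LOCAL', 'PrincipalType': 'user',
                   'RightName': 'GenericAll'}]},
        {'Name': 'IT-OPS@TESTLAB.LOCAL',
         'Members': [{'MemberName': 'RSUDDARTH00362@TESTLAB.LOCAL', 'MemberType': 'user'}],
         'Aces': []}]}),
    'computers.json': json.dumps({'computers': [
        {'Name': 'COMP00262.TESTLAB.LOCAL', 'LocalAdmins': [],
         'DcomUsers': [{'Name': 'NNGHIEM00325@TESTLAB.LOCAL', 'Type': 'user'}]},
        {'Name': 'COMP00197.TESTLAB.LOCAL', 'DcomUsers': [],
         'LocalAdmins': [{'Name': 'IT-OPS@TESTLAB.LOCAL', 'Type': 'group'},
                         {'Name': DOMAIN_ADMINS, 'Type': 'group'}]}]}),
    'sessions.json': json.dumps({'sessions': [
        {'UserName': 'RSUDDARTH00362@TESTLAB.LOCAL', 'ComputerName': 'COMP00262.TESTLAB.LOCAL'},
        {'UserName': 'LWIETING00103@TESTLAB.LOCAL', 'ComputerName': 'COMP00197.TESTLAB.LOCAL'}]}),
}


def load_edges(files):
    # (source, relationship, destination) triples using BloodHound's own edge
    # names. Direction matters: a session is Computer -> User, because whoever
    # controls the computer can take the logged-on user's credentials.
    edges = []
    for raw in files.values():
        doc = json.loads(raw)
        for g in doc.get('groups', []):
            for m in g.get('Members', []):
                edges.append((m['MemberName'], 'MemberOf', g['Name']))
            for ace in g.get('Aces', []):
                edges.append((ace['PrincipalName'], ace['RightName'], g['Name']))
        for c in doc.get('computers', []):
            for a in c.get('LocalAdmins', []):
                edges.append((a['Name'], 'AdminTo', c['Name']))
            for d in c.get('DcomUsers', []):
                edges.append((d['Name'], 'ExecuteDCOM', c['Name']))
        for s in doc.get('sessions', []):
            edges.append((s['ComputerName'], 'HasSession', s['UserName']))
    return edges


def shortest_path(edges, start, target):
    # Breadth-first search: the unweighted equivalent of the shortestPath()
    # Cypher behind BloodHound's 'Shortest Paths to Domain Admins' query.
    adj = {}
    for src, rel, dst in edges:
        adj.setdefault(src, []).append((rel, dst))
    parent = {start: None}
    queue = deque([start])
    while queue:
        node = queue.popleft()
        if node == target:
            hops = []
            while parent[node] is not None:
                prev, rel = parent[node]
                hops.append((prev, rel, node))
                node = prev
            return hops[::-1]
        for rel, nxt in adj.get(node, []):
            if nxt not in parent:
                parent[nxt] = (node, rel)
                queue.append(nxt)
    return None  # unreachable


def hidden_admins(edges, privileged_group=DOMAIN_ADMINS):
    # Blue-team view: users holding SENSITIVE_RIGHTS directly or through nested
    # groups while not being (transitively) a member of privileged_group.
    member_of, rights = {}, {}
    for src, rel, dst in edges:
        if rel == 'MemberOf':
            member_of.setdefault(src, set()).add(dst)
        elif rel in SENSITIVE_RIGHTS:
            rights.setdefault(src, set()).add((rel, dst))
    group_names = {dst for _, rel, dst in edges if rel == 'MemberOf'}
    users = {src for src, rel, _ in edges if rel != 'HasSession'} - group_names

    def nested_groups(principal):
        seen, stack = set(), [principal]
        while stack:
            for g in member_of.get(stack.pop(), ()):
                if g not in seen:
                    seen.add(g)
                    stack.append(g)
        return seen

    findings = {}
    for u in users:
        groups = nested_groups(u)
        if privileged_group in groups:
            continue
        effective = set(rights.get(u, ()))
        for g in groups:
            effective |= rights.get(g, set())
        if effective:
            findings[u] = effective
    return findings


if __name__ == '__main__':
    edges = load_edges(SAMPLE_FILES)
    for src, rel, dst in shortest_path(edges, 'NNGHIEM00325@TESTLAB.LOCAL', DOMAIN_ADMINS):
        print(src, '-[' + rel + ']->', dst)
    for user, held in sorted(hidden_admins(edges).items()):
        print('outside Domain Admins:', user, sorted(held))
```

On the sample data the path comes out as ExecuteDCOM, HasSession, MemberOf, AdminTo, HasSession, MemberOf, the same six hops the screenshot above shows, and the audit flags RSUDDARTH00362 (admin on COMP00197 through the IT-OPS group) and SVC_DEPLOY (GenericAll over the Domain Admins group), neither of which appears in Domain Admins itself. Swap SAMPLE_FILES for the contents of a real SharpHound zip and the same two functions work unchanged on a collected domain.\r\n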
For this reason it is essential for the blue team to identify\r\nthem in routine analysis of the environment, which is why BloodHound is useful for this task.\r\nDetecting BloodHound Usage\r\nIn addition to leveraging the same tooling as attackers, it is important for the blue team to be able to employ\r\ntechniques to detect usage of such tooling, for better time to detection and reaction in incident response. To\r\nidentify usage of BloodHound in your environment it is recommended that endpoints be monitored for access and\r\nrequests to TCP port 389 (LDAP) and TCP port 636 (LDAPS), and similar traffic between your endpoints and your\r\ndomain controllers. A large set of queries to Active Directory from a single workstation would be very suspicious\r\ntoo and point to usage of BloodHound or similar on your domain. Session and LoggedOn collection are even more\r\ndistinctive: one host opening SMB/RPC (TCP 445) connections to every computer in the domain within a few\r\nminutes is a pattern normal workstations do not produce.\r\nReferences\r\nBloodHound was created and is developed by @_wald0, @CptJesus and @harmj0y.\r\nGitHub page: https://github.com/BloodhoundAD/Bloodhound\r\nAdditional Tooling: https://github.com/BloodhoundAD/Bloodhound-Tools\r\nBloodHoundOwned Project: https://github.com/porterhau5/BloodHound-Owned\r\nSharphound Ingestor: https://github.com/BloodhoundAD/SharpHound\r\nSource: https://www.pentestpartners.com/security-blog/bloodhound-walkthrough-a-tool-for-many-tradecrafts/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://www.pentestpartners.com/security-blog/bloodhound-walkthrough-a-tool-for-many-tradecrafts/"
	],
	"report_names": [
		"bloodhound-walkthrough-a-tool-for-many-tradecrafts"
	],
	"threat_actors": [],
	"ts_created_at": 1775434170,
	"ts_updated_at": 1775791318,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/f80e26f428b9a958c0f781221cf6a717fadca3ed.pdf",
		"text": "https://archive.orkl.eu/f80e26f428b9a958c0f781221cf6a717fadca3ed.txt",
		"img": "https://archive.orkl.eu/f80e26f428b9a958c0f781221cf6a717fadca3ed.jpg"
	}
}