CyberCheatsheets

BloodHound Cheat Sheet

Map Active Directory attack paths from SharpHound data collectors.

Category: Active Directory & Windows
Tags: acl, ad, enumeration, graph, path
Updated 2026-06-02

Overview

BloodHound (and BloodHound CE) visualizes Active Directory relationships—group membership, ACLs, sessions, and attack paths to high-value targets (Domain Admins, etc.). Data is collected with SharpHound (or other ingestors) and analyzed in the GUI. Ethics: run collectors only in AD environments where you have written authorization; collection is intrusive and logged.

Install

Legacy: bloodhound from apt + Neo4j

sudo apt install bloodhound

Essential commands

SharpHound — all collection methods (noisy)

SharpHound.exe -c All -d corp.local --domaincontroller dc01.corp.local

Stealthier default

SharpHound.exe -c Default -d corp.local

From Linux with credentials (BloodHound.py, an alternative ingestor)

bloodhound-python -u user -p 'Pass' -d corp.local -ns 10.10.10.1 -c all

Common workflows

PowerShell — download SharpHound.ps1 only in authorized lab

Import-Module .\SharpHound.ps1
Invoke-BloodHound -CollectionMethod All -Domain corp.local

Executable

.\SharpHound.exe -c All -d corp.local --zipfilename corp_bh.zip

SharpHound collection methods

SharpHound.exe -c DCOnly -d corp.local
SharpHound.exe -c Session,LoggedOn -d corp.local
SharpHound.exe -c ACL -d corp.local --distinguishedname "DC=corp,DC=local"

Loop / scheduled (long engagements)

SharpHound.exe -c All -d corp.local --loop --loopduration 02:00:00 --loopinterval 00:30:00

bloodhound-python (Linux)

bloodhound-python -u 'user@corp.local' -p 'Password1!' -d corp.local \
  -ns 10.10.10.1 -dc dc01.corp.local -c all --zip

Flags reference

Flag                              Meaning
-c                                Collection methods
-d                                Domain FQDN
--domaincontroller                Target DC
--ldapusername / --ldappassword   Bind creds
--zipfilename                     Output zip name
--loop                            Periodic re-collection
-m                                Available methods list

Tips

  • Ethics: All is noisy—use Default or targeted -c in client tests; coordinate with defenders.
  • Run SharpHound from a context that can reach the DCs over LDAP and SMB (445); low-priv users still yield valuable graphs.
  • Clear old DB data between engagements to avoid cross-customer bleed in CE.
  • Pair results with certipy, rubeus, and manual ACL review before exploitation.
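
Defender-side companion to the "All is noisy" tip and the flags reference above. This is an added example, not part of the original cheat sheet and not BloodHound project code: it triages process-creation command lines for the collector invocations shown on this page and keeps bind or login passwords out of the resulting alert. The log lines are constructed samples, and the high/medium/low tiers and the triage/run function names are assumptions.

```python
import re
import shlex

# Collector entry points as they appear on this page.
COLLECTOR = re.compile(r"sharphound|invoke-bloodhound|bloodhound-python", re.I)
METHOD_FLAGS = {"-c", "-collectionmethod"}   # CLI and PowerShell spellings
DOMAIN_FLAGS = {"-d", "-domain"}
SECRET_FLAGS = {"-p", "--ldappassword"}      # values must not reach the alert

def triage(cmdline):
    """Return None for unrelated commands, else a finding dict."""
    if not COLLECTOR.search(cmdline):
        return None
    try:
        tokens = shlex.split(cmdline, posix=False)  # keeps Windows backslashes
    except ValueError:                              # unbalanced quote in a cut-off log line
        tokens = cmdline.split()
    methods, domain, loop, safe, prev = [], None, False, [], ""
    for tok in tokens:
        if prev in METHOD_FLAGS:
            methods = [m.lower() for m in tok.strip("'\"").split(",") if m]
        elif prev in DOMAIN_FLAGS:
            domain = tok.strip("'\"").lower()
        if tok.lower() == "--loop":
            loop = True
        safe.append("<redacted>" if prev in SECRET_FLAGS else tok)
        prev = tok.lower()
    if not methods:
        methods = ["default"]  # no method flag: the collector uses its default set
    # Assumed tiers, following the page's "All is noisy" tip.
    noise = ("high" if loop or "all" in methods
             else "low" if methods == ["dconly"] else "medium")
    return {"methods": methods, "domain": domain, "loop": loop,
            "noise": noise, "cmdline": " ".join(safe)}

# Constructed process-creation command lines (flags taken from this page).
SAMPLES = [
    r".\SharpHound.exe -c All -d corp.local --zipfilename corp_bh.zip",
    r"SharpHound.exe -c DCOnly -d corp.local",
    r"SharpHound.exe -c Session,LoggedOn -d corp.local",
    r"bloodhound-python -u user -p 'Pass' -d corp.local -ns 10.10.10.1 -c all",
    r"powershell Invoke-BloodHound -CollectionMethod All -Domain corp.local",
    r"notepad.exe C:\notes.txt",
]

def run(samples=SAMPLES):
    """Triage every sample and drop the lines that are not collector runs."""
    return [f for f in map(triage, samples) if f]
```

Command-line matching is a first-pass signal only; correlate hits with LDAP query volume and session-enumeration telemetry from the same host before raising severity.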
