Sometimes, you have to step back and look at your code you wrote a while ago. Usually, it’s not pretty. Sometimes, it’s just flat out wrong. This is one of those times. The 2.1 release of BloodHound has a large focus on bug fixes, and a couple new features including a new attack primitive. This post is going to cover changes we’ve made since the release of BloodHound 2.0, including some of the incremental changes in between.

New Attack Primitive — AddAllowedToAct/AllowedToAct

The BloodHound team has been looking for a generic computer ACL attack primitive for quite a while. Thanks to the excellent work of…


The BloodHound team has been relatively quiet for a while now. It’s been 5 months since the release of the Containers update, and outside of some bugfixes, nothing much has changed.

All that is about to change.

We’re proud to announce the release of BloodHound 2.0, representing the second major release of the project with tons of new features, bugfixes, and new abuse primitives.

Major New Features

BloodHound 2.0 is adding four new attack primitives of varying complexity and interest. The new attack primitives should help find new paths when executing engagements.

CanRDP — Remote Desktop Privileges

The CanRDP edge runs from a user or a group to…


When BloodHound 1.4 came out in October of 2017, the object properties added represented the first major change in the BloodHound database schema since the original creation of the project. Today, we’re proud to present BloodHound 1.5, which represents a much larger change in both the database schema, as well as many long standing features of the BloodHound user interface.

Containers — GPOs and OUs

One of the things the BloodHound team has been talking about for quite a while now is adding GPO and OU objects to the BloodHound schema. With the 1.5 update, this is finally a reality. BloodHound 1.5 introduces the ability…


One of the most common questions we get from BloodHound users is related to how collection is done, as well as what targets are selected for different collection methods. In this post, we’re going to detail what each collection method does, particularly which API calls are used for each different step, as well as the detailed target selection logic.

What does each collection method do?

The SharpHound collector has several discrete steps which run simultaneously to collect different data necessary for the graph. …


In the previous blog post, we focused on SharpHound from an operational perspective, discussing some of the new features, as well as improved features from the original ingestor. In this post, we’ll talk more about the technical and underlying changes made to the ingestor that optimize the way data is collected.

Pure LDAP

In the previous versions of the BloodHound ingestor, and the majority of the tools released, communication with Active Directory is done using the DirectorySearcher class in the System.ActiveDirectory namespace. In SharpHound, we’ve transitioned to a lower level API, the System.ActiveDirectory.Protocols namespace. DirectorySearcher provides convenience and abstraction, removing the need…


If you’ve been following the development of BloodHound, you’ll notice that the team has been very active lately. The culmination of all this recent work is the release of BloodHound 1.4. While the changes made may seem minor, we’ve decided that it deserves being tagged with a new release number, as it fixes quite a few issues and introduces some new features which should lead to far more interesting queries and analytics down the line. These new queries are on the to-do list for the BloodHound team, and should come out in the near(ish) future. …


Over the past few months, the BloodHound team has been working on a complete rewrite of the BloodHound ingestor. One of the biggest problems end users encountered was with the current (soon to be replaced) PowerShell ingestor, particularly in speed of enumeration as well as crippling memory usage. In moderately sized environments, the ingestor would happily eat up gigabytes of memory. There’s lots of reasons for this, almost all to do with the limitations of using PowerShell V2 as the base language.

Limitations of the Current Ingestor

A huge problem with the current ingestor is that PowerShell threading is at best, a hack. Will Schroeder…


One of the most overlooked features of BloodHound is the ability to enter raw Cypher queries directly into the user interface. Likely, a lot of that has to do with the fact that it’s not a very emphasized feature, not to mention it requires learning Cypher. However, with a bit of work, using raw Cypher queries can let you manipulate and examine BloodHound data in custom ways that will help you further understand your network or identify interesting relationships.

What is Cypher?

Just like SQL exists for MSSQL and other databases, the Neo4j graph database has its own query language: Cypher. Because Neo4j…

Rohan Vazarkar

Penetration Tester and BloodHound Developer

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store