Intro and Background

We released BloodHound in 2016. Since then, BloodHound has been used by attackers and defenders alike to identify and analyze attack paths in on-prem Active Directory environments. Now, I am very proud to announce the release of BloodHound 4.0: The Azure Update.

This release is authored by myself (Andy Robbins), Rohan Vazarkar, and Ryan Hausknecht, with special thanks to Will Schroeder and Lee Christensen.

This release wouldn’t be possible without prior work from several individuals and teams, in particular when it comes to understanding the architecture of Azure and the relevant configuration-based attack primitives available in that system. At the…


I’ve been looking into Azure attack primitives over the past couple of months to gain a better understanding of how the system works, what privileges and permissions can be abused, what limitations may exist, and what attack paths present themselves in real environments. I’ve kept my eyes open for attacks that allow the following:

  • Lateral movement from an on-premises (on-prem) device/user context into Azure
  • Privilege escalation within an Azure Active Directory (AAD) tenant
  • Lateral movement from Azure AD back down to on-prem AD

The first two scenarios are well-documented by folks like Dirk-Jan Mollema, Karl Fosaaen, and Sean Metcalf. That…


After several months of development and quality testing, we are proud to announce the release of BloodHound 3.0! With this release, we are including 3 new attack primitives, several performance improvements in the GUI and in SharpHound, and support for Neo4j 4.0.

Shout outs to the following folks who directly or indirectly made material contributions to this release: Tim McGuffin (@NotMedic), Michael Grafnetter (@MGrafnetter), Will Schroeder (@harmj0y), Lee Christensen (@tifkin_), Sean Metcalf (@PyroTek3), Dirk-jan Mollema (@_dirkjan), and Mark Gamache (@markgamacheNerd).

This is a major version release, which means we are introducing compatibility-breaking features with this release — SharpHound2 and your…


In the previous blog post, we looked at how to export data from the Neo4j web console into a CSV, format that CSV and save it as an XLSX, import that XLSX table data into PowerBI, then create a chart using PowerBI. That process is great for creating one-off, great-looking charts, but going through that process every time something in the database updates quickly becomes very tedious.

In this blog post, I’ll show you how to use the beta Neo4j connector for PowerBI created by Chris Skardon to create charts that can be easily updated by simply hitting the…


Data visualization is a powerful tool for communicating ideas and information — an effective chart, graph, or diagram is worth a thousand words. In the world of attacking and securing Active Directory domains and forests, the right graph visualization can be worth much more: easy attack path discovery and execution for attackers, and much simpler privilege and permission auditing for defenders. But while graphs are hugely powerful and we are obviously big fans of graphs, a graph is not the right tool for every job.

In this blog post, I’ll show you how you can use BloodHound data, the Cypher…


Active Directory is a vast, complicated landscape comprised of users, computers, and groups, and the complex, intertwining permissions and privileges that connect them. The initial release of BloodHound focused on the concept of derivative local admin, then BloodHound 1.3 introduced ACL-based attack paths. Now, with the release of BloodHound 1.5, pentesters and red-teamers can easily find attack paths that include abusing control of Group Policy, and the objects that those Group Policies effectively apply to.

In this blog post, I’ll recap how GPO (Group Policy Object) enforcement works, how to use BloodHound to find GPO-control based attack paths, and explain…

Note: This is the second in a two-part blog series. This companion blog post covers the more technical, prescriptive tactics on executing the resilience methodology. Context is provided where appropriate. For full context, see the first blog post in the series here.

Intro and Background

After releasing BloodHound at DEFCON 24, we and several others realized that while BloodHound is a great tool for attackers, its potential applications as a defensive tool are even more compelling. In the first blog post, we covered the high level strategy for how to unlock some of that power, which we call the Active…

Note: This is the first in a two-part blog series. This post covers the higher level strategy of the Adversary Resilience Methodology. In part two, we’ll put the methodology into practice and show you the nitty gritty technical details on how to do everything covered in this post.

Background and Intro

At DEFCON 24, Will Schroeder, Rohan Vazarkar and I released BloodHound. Since then, BloodHound has seen adoption from numerous pentest/red team firms and an awesome community of BloodHound users has congregated in the BloodHound Slack. The community adoption of it has been humbling. …

Intro & Background

In 2014, Emmanuel Gras and Lucas Bouillot presented their work titled “Chemins de contrôle en environement Active Directory” (“Active Directory Control Paths”) at the Symposium sur la sécurité des technologies de l’information et des communications (Symposium on Information and Communications Technology Security), where they used graph theory and Active Directory object permissions to answer the question, “Who can become Domain Admin?” I highly recommend checking out their presentation and whitepaper, which we drew initial inspiration from for the BloodHound project, and received very helpful and specific information from for our adding object control paths to the BloodHound attack graph.


Andy Robbins

Adversary Resilience at SpecterOps

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store