BloodHound: Seeing Active Directory the Way an Attacker Does

Active Directory is, to most administrators, a collection of objects — users, groups, computers, permissions — managed one at a time. BloodHound’s insight is that those objects form a graph, and that an attacker does not care about the objects individually; they care about the paths between them. BloodHound turns “here is a list of AD objects” into “here is how you get from this compromised account to domain admin,” and that reframe — from inventory to attack path — is the entire value.

This is about what BloodHound actually does for you in real work, and why the graph view is the point.

The mental model: relationships, not objects

The thing that makes BloodHound powerful is that it models relationships as a graph. User A is a member of group B; group B has rights over computer C; computer C has a session from user D who is a domain admin. Individually, each of those facts is mundane and invisible in normal administration. Chained, they are an attack path: compromise A, and a series of legitimate-looking steps leads to domain admin.

This is the same insight that drives behavioural detection on the defensive side — no single relationship is the problem; the path through them is. BloodHound makes the path visible. An attacker thinks in paths; AD is normally viewed as objects; BloodHound translates between the two.

1. The “how do I get to domain admin” query

The headline use: from a foothold, find the shortest path to high-value targets. You have compromised some account; BloodHound shows you the chain of relationships that leads from that account to domain admin or other crown jewels. What would take hours of manual enumeration — checking group memberships, rights, sessions, one object at a time — the graph surfaces as a path you can follow.

Where it earns its keep: turning a foothold into a plan — the path from “I have this account” to “I have the domain” becomes a visible route rather than a manual search. The discipline: the path is a hypothesis; each step still has to be validated and executed, and the graph reflects collection-time state that may have changed.

2. Finding the unexpected path

BloodHound’s real magic is surfacing paths nobody intended. AD permissions accrete over years — a delegation here, a nested group there, a service account with excessive rights — and the combination creates paths no administrator designed or is aware of. BloodHound finds these emergent paths because it reasons over the whole graph, not the individual grants. The path that compromises the domain is often a chain of individually-reasonable permissions that nobody saw as a chain.

Where it earns its keep: discovering attack paths that exist by accident, through the accumulation of permissions over time. The defensive mirror: this is exactly why defenders run BloodHound on themselves — to find and cut the unintended paths before an attacker walks them.

3. High-value target identification

Beyond pathing from a foothold, BloodHound helps identify what to target — which accounts and objects are most valuable because of their position in the graph. An account that sits on many paths to high-value targets is itself high-value, even if it is not obviously privileged. The graph reveals positional importance that an object-by-object view hides.

Where it earns its keep: prioritising effort toward the accounts whose compromise unlocks the most, based on graph position rather than obvious privilege.

4. The defensive use — pathfinding to harden

BloodHound is at least as valuable to defenders. Running it against your own AD reveals the attack paths you are exposed to — the unintended chains, the over-privileged accounts, the dangerous sessions — so you can cut them. The defensive question is the inverse of the offensive one: not “how do I reach domain admin” but “what paths to domain admin exist that I should eliminate.” Same graph, opposite intent.

Where it earns its keep: AD hardening driven by actual attack paths rather than generic best practice — cutting the specific edges that create the dangerous chains.
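As an added example (not from this post or the BloodHound project), a small Python model of the graph the sections above describe: edges in BloodHound's (source, relationship, target) shape over a constructed toy domain, a breadth-first search for the shortest path from a foothold to Domain Admins, a count of which edges sit on the most footholds' paths (the positional importance of section 3), and a check of which footholds still reach the target once a single edge is cut (the defensive use of section 4). All object names are invented.

```python
from collections import Counter, deque
# Constructed sample edges in BloodHound's (source, relationship, target)
# shape; the names are invented, not collected from any real domain.
EDGES = [
    ("alice@corp.local", "MemberOf", "HELPDESK@corp.local"),
    ("dave@corp.local", "MemberOf", "HELPDESK@corp.local"),
    ("HELPDESK@corp.local", "MemberOf", "WS-ADMINS@corp.local"),
    ("WS-ADMINS@corp.local", "AdminTo", "WS01.corp.local"),
    ("WS01.corp.local", "HasSession", "bob@corp.local"),
    ("bob@corp.local", "MemberOf", "DOMAIN ADMINS@corp.local"),
]
def build_graph(edges):
    """Adjacency list: node -> [(relationship, target)]."""
    adj = {}
    for src, rel, dst in edges:
        adj.setdefault(src, []).append((rel, dst))
        adj.setdefault(dst, [])
    return adj

def shortest_path(adj, start, goal):
    """BFS from a foothold to a target; returns (src, rel, dst) hops or None."""
    prev = {start: None}
    queue = deque([start])
    while queue:
        node = queue.popleft()
        if node == goal:
            hops = []
            while prev[node] is not None:
                parent, rel = prev[node]
                hops.append((parent, rel, node))
                node = parent
            return hops[::-1]
        for rel, nxt in adj.get(node, []):
            if nxt not in prev:
                prev[nxt] = (node, rel)
                queue.append(nxt)
    return None

def hop_frequency(adj, footholds, goal):
    """Count how often each edge sits on a foothold's shortest path to goal."""
    counts = Counter()
    for start in footholds:
        counts.update(shortest_path(adj, start, goal) or [])
    return counts

def reachable_after_cut(edges, cut, footholds, goal):
    """Defensive check: footholds that still reach goal once edge `cut` is gone."""
    adj = build_graph([e for e in edges if e != cut])
    return [f for f in footholds if shortest_path(adj, f, goal) is not None]
```

The edge with the highest count in `hop_frequency` is the one whose removal breaks the most paths at once; `reachable_after_cut` confirms the effect of cutting it before the change is made for real.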

Why the graph reframe matters

The deeper point: BloodHound changes the unit of analysis from the object to the path, and that change is what makes AD attack surface comprehensible. AD is too complex to reason about object-by-object — the permissions, memberships, and sessions number in the thousands, and the dangerous combinations are invisible at that granularity. The graph makes the emergent structure visible: the paths that matter light up, and the noise recedes.

This is a general lesson that extends past AD: complex systems hide their risks in the relationships between components, not the components themselves, and seeing the relationships as a graph reveals what object-by-object analysis cannot. BloodHound is the canonical example, but the principle — model the relationships, find the paths — applies anywhere risk emerges from combination.

The honest limits

A credible take names them:

The takeaway

BloodHound’s value is a single reframe: Active Directory is a graph of relationships, an attacker cares about paths not objects, and the dangerous paths are usually emergent chains of individually-reasonable permissions that nobody designed. It turns a foothold into a visible route to domain admin, surfaces the unintended paths that accreted over years, and — run defensively — shows you exactly which edges to cut.

The reframe to carry: AD risk lives in the relationships, not the objects; model it as a graph and the attack paths become visible — which is as useful for cutting them as for walking them. Whether you are the attacker finding the path or the defender eliminating it, BloodHound is the tool that makes the graph you are actually fighting over something you can see.


An independent piece by johlem.net — IT security, Luxembourg. Active Directory attack-path analysis, offensive and defensive.