40 min · Advanced

BloodHound and Attack Paths

After this lesson, you will be able to: collect AD data with BloodHound, use its graph analysis to find the shortest path to Domain Admin, and understand how defenders use the same tool.

BloodHound turns AD's complex permission relationships into a graph and finds attack paths a human would miss. This lesson covers how it collects data, how attackers use it to find the shortest path to Domain Admin, and how defenders use it to find and cut those paths.

Prerequisites: Common AD Attack Techniques

💡 Authorization first

Run BloodHound collectors only in a lab or environment you are authorized to assess. Collection touches the domain and is noisy; it is fine in your lab, not on networks you do not own.

Why graph analysis

AD permissions form a vast web: who is in which group, which accounts can reset whose password, which machines a user can administer, where sessions are active. Buried in that web are paths an attacker can follow from a foothold to Domain Admin, often through non-obvious chains of rights. Humans cannot see these at scale; a graph database can. BloodHound models AD as a graph and runs queries like 'shortest path from this user to Domain Admins.'

How BloodHound works

A collector (SharpHound, or the Python/AzureHound variants) enumerates the domain: users, groups, computers, sessions, ACLs, and trusts. It exports that data, which you import into the BloodHound interface backed by a graph database. You then run built-in queries (shortest paths to Domain Admin, Kerberoastable users, accounts with dangerous rights) or write custom Cypher queries. The output is a visual graph of exactly how an attacker would traverse the environment.

Defenders use it too

BloodHound is equally a defensive tool. By running it against your own AD, you find the same attack paths before attackers do and cut them: remove unnecessary group memberships, fix dangerous ACLs, and reduce where privileged accounts log in (each logon exposes their credentials in memory). 'Attack path management' is now a recognized defensive discipline precisely because BloodHound made these paths visible. Seeing your environment the way an attacker does is one of the most effective hardening exercises.
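The defensive loop described above (find a path, cut it, re-run to confirm), as an added example that is not part of the original lesson and is not BloodHound's own code. It runs a breadth-first search over a small constructed graph with BloodHound-style edge types; every node name is hypothetical, and in BloodHound itself this analysis is done with the built-in or custom Cypher queries over collected data.

```python
from collections import deque

# Constructed sample graph (not real data): (source, edge type, target),
# using BloodHound-style edge names. All node names are hypothetical.
EDGES = [
    ("ALICE", "MemberOf", "HELPDESK"),
    ("HELPDESK", "ForceChangePassword", "SVC_BACKUP"),
    ("SVC_BACKUP", "AdminTo", "FILESRV01"),
    ("FILESRV01", "HasSession", "DA_BOB"),
    ("DA_BOB", "MemberOf", "DOMAIN ADMINS"),
    ("HELPDESK", "GenericAll", "IT_OPS"),
    ("IT_OPS", "AdminTo", "JUMPBOX01"),
    ("JUMPBOX01", "HasSession", "DA_BOB"),
]

def shortest_path(edges, start, goal):
    """BFS over directed edges; returns a list of (src, type, dst) hops or None."""
    adj = {}
    for src, kind, dst in edges:
        adj.setdefault(src, []).append((kind, dst))
    prev = {start: None}          # node -> hop that first reached it
    queue = deque([start])
    while queue:
        node = queue.popleft()
        if node == goal:
            path = []
            while prev[node] is not None:
                hop = prev[node]
                path.append(hop)
                node = hop[0]
            return path[::-1]
        for kind, dst in adj.get(node, []):
            if dst not in prev:
                prev[dst] = (node, kind, dst)
                queue.append(dst)
    return None

def remediate(edges, removed):
    """Edge list after a planned fix removes the given edges."""
    return [e for e in edges if e not in removed]

def choke_points(edges, start, goal):
    """Single edges whose removal alone leaves no path from start to goal."""
    return [e for e in edges
            if shortest_path(remediate(edges, [e]), start, goal) is None]

if __name__ == "__main__":
    fixed = remediate(EDGES, [("FILESRV01", "HasSession", "DA_BOB")])
    print(shortest_path(fixed, "ALICE", "DOMAIN ADMINS"))   # parallel path remains
    print(choke_points(EDGES, "ALICE", "DOMAIN ADMINS"))
```

Removing only the FILESRV01 session edge leaves the JUMPBOX01 route intact, which is why the search is re-run on the remediated graph rather than assumed clean.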

Quick Check

What does BloodHound reveal that manual AD review usually misses?


Common mistakes only experienced practitioners catch

  • Running collection on networks you do not own (noisy and unauthorized).
  • Only thinking offensively and never running it defensively on your own AD.
  • Ignoring session-based edges (where privileged accounts log in is a real exposure).
  • Fixing one path while leaving parallel ones.
  • Not re-running after changes to confirm paths are actually cut.
  • Treating the graph as complete when collection scope was limited.
