
Why Active Directory Misconfigurations Can Have Devastating Consequences

BloodHound reveals how internal access – not exploits – can unravel your domain security

Neeraj Shah, Senior Information Security Consultant

In many Active Directory (AD) environments, risk doesn’t necessarily come from malware or zero-days – it comes from the relationships and permissions already in place. Whether you’re a red teamer emulating an attacker or a blue teamer defending your infrastructure, BloodHound offers something most security tools can’t: a clear visual map of how attackers can move laterally and escalate privileges without exploiting a single vulnerability.

From Low Privilege to Domain Admin: A Common Story

In countless penetration tests, RMC has used BloodHound to escalate from an unprivileged user to full Domain Admin access. This isn’t an exception – it’s a recurring outcome rooted not in advanced exploits, but in everyday missteps. Over-permissioned accounts, misconfigured policies, and overlooked trust relationships continue to create reliable paths attackers can follow – often without defenders ever noticing.

Using SharpHound, we start data collection from a domain-joined Windows system. The scope determines whether we collect everything or focus on specific flags such as Session data (active user sessions), ACLs (Access Control Lists), or LoggedOn users. Once uploaded to the BloodHound GUI (Graphical User Interface), the attack paths often begin to reveal themselves.

Consider this common sequence:

LowPrivUser
└── MemberOf → HelpDeskGroup
    └── CanRDP → Tier2AdminPC
        └── AdminTo → BackupAdmin
            └── AddMember → Domain Admins

A few hops. No exploits. Total domain compromise.

What the Data Shows Again and Again

Across client environments, we see the same issues repeat:

  • Non-admin users with RDP (Remote Desktop Protocol) access to high-tier systems
  • Group Policy Objects (GPOs) that open privilege escalation opportunities
  • “Shadow admins” who aren’t technically Domain Admins but effectively control that group through ACLs
  • Service accounts with Service Principal Names (SPNs) whose weak passwords make them easily crackable
  • Broad over-permissioning that violates the principle of least privilege

These aren’t edge cases – they’re endemic to large or legacy AD setups.

Why This Tool Belongs on Both Sides of the Engagement

While BloodHound started as a red team tool, its value to blue teams can’t be overstated. We often recommend it directly to clients, not just as a check on current hygiene, but as a way to proactively break potential attack paths.

Think of it as Google Maps for your Active Directory environment – except instead of showing you how to get to the grocery store, it shows how an attacker could move from a compromised user account to the keys of the kingdom.

How to Defend Against What BloodHound Reveals

Not all defenses require expensive software or sweeping architecture changes. Start with:

  • Regular AD hygiene reviews
  • Least privilege enforcement
  • Limiting RDP access and tiering administration
  • Monitoring and rotating service account credentials
  • Identifying and auditing users with high-privilege ACLs

CrowdStrike’s guide on how to block BloodHound attacks and the OWASP Least Privilege Violation page offer excellent further reading.
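The sequence quoted under “Consider this common sequence” and the defensive steps listed above are two views of the same graph problem: find the routes from unprivileged principals to Domain Admins, then find the single permission changes that sever all of them. The Python script below is an added example, not code from this post or from the BloodHound project (which stores the real graph in Neo4j and queries it with Cypher). It builds a toy relationship graph from constructed edges (the chain quoted in the post plus two hypothetical branches, an “Intern” sharing the same route and a dead-end DBA branch), runs a breadth-first search from each unprivileged account to Domain Admins, and then reports the “chokepoint” edges whose removal alone breaks every path. All principal, group and host names are constructed; a real analysis would load SharpHound’s collected data instead.

```python
"""Toy BloodHound-style path analysis over a constructed AD relationship graph."""
from collections import deque
from typing import Dict, Iterable, List, Optional, Tuple

Edge = Tuple[str, str, str]  # (source principal, relationship, target principal)

# Constructed sample graph (hypothetical names, not collected data).
# The first four edges are the chain quoted in the post; the remaining edges add a
# second unprivileged user on the same route and one branch that leads nowhere.
SAMPLE_EDGES: List[Edge] = [
    ("LowPrivUser", "MemberOf", "HelpDeskGroup"),
    ("HelpDeskGroup", "CanRDP", "Tier2AdminPC"),
    ("Tier2AdminPC", "AdminTo", "BackupAdmin"),
    ("BackupAdmin", "AddMember", "Domain Admins"),
    ("Intern", "MemberOf", "HelpDeskGroup"),
    ("DBAUser", "MemberOf", "DBAGroup"),
    ("DBAGroup", "AdminTo", "SQL01"),
]

UNPRIVILEGED = ["LowPrivUser", "Intern", "DBAUser"]  # constructed starting points
TARGET = "Domain Admins"


def build_graph(edges: Iterable[Edge]) -> Dict[str, List[Tuple[str, str]]]:
    """Adjacency list: principal -> [(relationship, next principal), ...]."""
    graph: Dict[str, List[Tuple[str, str]]] = {}
    for src, rel, dst in edges:
        graph.setdefault(src, []).append((rel, dst))
        graph.setdefault(dst, [])  # make sure sinks exist as nodes too
    return graph


def shortest_path(graph: Dict[str, List[Tuple[str, str]]],
                  start: str, target: str) -> Optional[List[Edge]]:
    """Breadth-first search; returns the fewest-hop path as an edge list, or None."""
    if start not in graph:
        return None
    parents: Dict[str, Optional[Edge]] = {start: None}  # node -> edge used to reach it
    queue = deque([start])
    while queue:
        node = queue.popleft()
        if node == target:
            break
        for rel, nxt in graph[node]:
            if nxt not in parents:
                parents[nxt] = (node, rel, nxt)
                queue.append(nxt)
    if target not in parents:
        return None
    path: List[Edge] = []
    node = target
    while parents[node] is not None:
        edge = parents[node]
        path.append(edge)
        node = edge[0]
    return list(reversed(path))


def render_path(path: List[Edge]) -> str:
    """Render a path in the indented tree style used in the post."""
    if not path:
        return ""
    lines = [path[0][0]]
    for depth, (_, rel, dst) in enumerate(path):
        lines.append("    " * depth + f"└── {rel} → {dst}")
    return "\n".join(lines)


def chokepoint_edges(edges: List[Edge], sources: Iterable[str], target: str) -> List[Edge]:
    """Edges whose removal, on its own, disconnects every source from the target.

    Each one corresponds to a single remediation (remove a group member, revoke an
    RDP right, strip an AddMember ACE) that breaks all listed paths at once.
    """
    full = build_graph(edges)
    live = [s for s in sources if shortest_path(full, s, target) is not None]
    if not live:
        return []
    result: List[Edge] = []
    for edge in edges:
        trimmed = build_graph(e for e in edges if e != edge)
        if all(shortest_path(trimmed, s, target) is None for s in live):
            result.append(edge)
    return result


if __name__ == "__main__":
    graph = build_graph(SAMPLE_EDGES)
    for user in UNPRIVILEGED:
        path = shortest_path(graph, user, TARGET)
        print(f"{user}: {len(path)} hops" if path else f"{user}: no path")
        if path:
            print(render_path(path))
    for edge in chokepoint_edges(SAMPLE_EDGES, UNPRIVILEGED, TARGET):
        print("cutting this edge breaks every path:", edge)
```

On the sample data the two MemberOf edges are not chokepoints, because removing one still leaves the other user a route; the shared CanRDP, AdminTo and AddMember edges are, and fixing any one of them (tiering the RDP right, removing the local admin grant, or stripping the AddMember permission) closes every path in the graph at once. That ordering of effort is what turns BloodHound from a red team map into a remediation backlog.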

Resources to Explore

Interested in going deeper? These guides are essential:

What You Don’t See Is What Hurts You Most

BloodHound doesn’t just highlight theoretical attack paths – it shows the exact relationships and permissions that open the door to compromise. Whether you’re testing your defenses or reinforcing them, understanding those paths is the difference between being vulnerable and being ready.

How can RMC help your organization? 

Contact us today: [email protected]

Be sure to follow RMC on LinkedIn, and sign up for the RMC Newsletter to stay apprised of industry insights and topical advice on establishing cyber resiliency in OT environments. 