BloodHound AD Attack Path Analysis: Complete Guide
The 2023 MGM Resorts breach reportedly began with a single social-engineering call to the helpdesk; from that foothold the attackers reached the identity infrastructure that controls the whole estate. The hops that turn a helpdesk account into domain compromise are exactly what BloodHound maps. BloodHound is an open-source Active Directory reconnaissance tool that turns trust relationships, group memberships, object ACLs and logon sessions into a graph of exploitable attack paths. If you run Windows domains and haven't pointed BloodHound at your own environment, attackers already have the advantage.
Step 1: Collect AD Data with SharpHound
SharpHound is BloodHound's data collector: a C# ingestor that queries the directory over LDAP and then connects to each computer over SMB/RPC to enumerate sessions and local group memberships. Run it from any domain-joined machine with a standard user account. You don't need elevated privileges for the LDAP side, which is where most of the data that matters comes from; session and local-group enumeration against workstations is the part that recent Windows builds increasingly restrict to administrators.
# Run SharpHound from a domain-joined workstation
# User: jsmith@corp.local | Machine: WS-FINANCE-04 (192.0.2.44)
.\SharpHound.exe -c All --zipfilename corp_bloodhound_20260627.zip
[+] Resolved Domain: CORP.LOCAL
[+] DC identified: DC01.corp.local (192.0.2.10)
[+] Using DNS for enumeration
[+] Collecting Users ... 1,204 objects
[+] Collecting Groups ... 389 objects
[+] Collecting Computers ... 318 objects
[+] Collecting ACLs ... 94,712 edges
[+] Collecting GPOs ... 47 objects
[+] Collecting Sessions ... 812 sessions
[+] Output written to corp_bloodhound_20260627.zip
That 94,712 ACL edges number is the one to watch. Each edge is a permission relationship: a user who can reset another user's password, a group that has GenericWrite on a computer object, a service account holding the two replication rights that add up to DCSync. Most of these are invisible in standard AD tooling because they live in object ACLs rather than in group membership. Import the ZIP into BloodHound's GUI via the upload button, then let the graph engine do the heavy lifting.
As a defender, this collection run also appears in your SIEM. SharpHound fires thousands of LDAP queries in a short window and, with -c All, connects to every computer over SMB to enumerate sessions and local groups. Microsoft Defender for Identity typically raises "Active Directory attributes reconnaissance (LDAP)" and "User and group membership reconnaissance (SAMR)" alerts on a run like this. Run it from a known host in an announced window, and know what your own tools look like so you can tune detection without suppressing the real thing.
Step 2: Find the Shortest Path to Domain Admin
BloodHound's most-used built-in query is "Find Shortest Paths to Domain Admins." Open the Analysis tab, click it, and watch the graph render. Note that it only returns paths that end at the Domain Admins group; a path that ends in DCSync rights on the domain object itself shows up under "Find Shortest Paths to High Value Targets" or in a custom Cypher query. What you're looking for: paths of four hops or fewer from a low-privileged user to Domain Admins or to the domain object.
/* BloodHound Cypher query, run in the Raw Query box.
   Names are uppercase in the graph. The target is the domain object,
   because a DCSync edge ends at the domain, not at the Domain Admins group. */
MATCH p=shortestPath(
(u:User {name:"JSMITH@CORP.LOCAL"})-[*1..]->(d:Domain {name:"CORP.LOCAL"})
)
RETURN p
/* Result path rendered in graph:
JSMITH@CORP.LOCAL
--[MemberOf]--> HELPDESK@CORP.LOCAL
--[GenericAll]--> SVC_BACKUP@CORP.LOCAL
--[DCSync]--> CORP.LOCAL */
Read this graph left to right. jsmith is a member of the HELPDESK group. HELPDESK has GenericAll on the svc_backup service account, meaning any helpdesk member can reset that account's password, write an SPN onto it for a targeted Kerberoast, or add a key credential to it, without any additional approval. And svc_backup holds both replication extended rights on the domain head (DS-Replication-Get-Changes and DS-Replication-Get-Changes-All), which BloodHound collapses into a single DCSync edge: it can request a full replication of every account's password hashes from any Domain Controller.
An attacker with jsmith's credentials executes this in three moves: take over svc_backup (reset its password, or set an SPN on it and crack the ticket offline so the running backup job is not disturbed), authenticate as svc_backup, and run Mimikatz's lsadump::dcsync against the krbtgt account. With the krbtgt hash in hand they forge Golden Tickets at will. The entire path exists because of two misconfigurations, typically a helpdesk delegation scoped far wider than password resets and a legacy backup job granted replication rights it never needed. This is exactly the kind of debt that accumulates invisibly in AD environments older than five years.
As a defender, your remediation priority is clear: strip the replication rights from svc_backup (only Domain Controllers and directory sync services such as Microsoft Entra Connect legitimately hold them) and reassign backup duties to a dedicated, tightly scoped account; then cut HELPDESK's rights on service accounts down to exactly the delegation the helpdesk needs, which is never GenericAll.
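To make the path search concrete without a running Neo4j instance, here is an added example (not BloodHound's or SharpHound's own code) that performs the same search in Python over the JSON that SharpHound writes. The sample objects are constructed in the layout of the *_users.json, *_groups.json and *_domains.json files (one entry per object with Properties, Aces and, for groups, Members); the SIDs and names are made up. The DCSync edge is derived the way BloodHound derives it, from a principal holding both GetChanges and GetChangesAll on the domain head, and load_sharphound() shows how to point the same code at a real collection.

```python
"""Offline attack-path search over SharpHound-style JSON (added example).

SAMPLE is constructed in the shape SharpHound writes (one "data" entry
per object with "Properties" and "Aces"); names, SIDs and rights are
illustrative, not collected from a real domain.
"""
import json
from collections import deque

SAMPLE = {
    "users": [
        {"ObjectIdentifier": "S-1-5-21-1-1-1-1105",
         "Properties": {"name": "JSMITH@CORP.LOCAL", "hasspn": False},
         "Aces": []},
        {"ObjectIdentifier": "S-1-5-21-1-1-1-1210",
         "Properties": {"name": "SVC_BACKUP@CORP.LOCAL", "hasspn": True},
         # HELPDESK holds GenericAll over the service account
         "Aces": [{"PrincipalSID": "S-1-5-21-1-1-1-2001",
                   "PrincipalType": "Group", "RightName": "GenericAll",
                   "IsInherited": False}]},
        {"ObjectIdentifier": "S-1-5-21-1-1-1-1211",
         "Properties": {"name": "SVC_PRINT@CORP.LOCAL", "hasspn": True},
         "Aces": []},
    ],
    "groups": [
        {"ObjectIdentifier": "S-1-5-21-1-1-1-2001",
         "Properties": {"name": "HELPDESK@CORP.LOCAL"},
         "Members": [{"ObjectIdentifier": "S-1-5-21-1-1-1-1105",
                      "ObjectType": "User"}],
         "Aces": []},
        {"ObjectIdentifier": "S-1-5-21-1-1-1-512",
         "Properties": {"name": "DOMAIN ADMINS@CORP.LOCAL"},
         "Members": [], "Aces": []},
    ],
    "domains": [
        {"ObjectIdentifier": "S-1-5-21-1-1-1",
         "Properties": {"name": "CORP.LOCAL"},
         # Both replication rights on the domain head add up to DCSync
         "Aces": [{"PrincipalSID": "S-1-5-21-1-1-1-1210",
                   "PrincipalType": "User", "RightName": "GetChanges",
                   "IsInherited": False},
                  {"PrincipalSID": "S-1-5-21-1-1-1-1210",
                   "PrincipalType": "User", "RightName": "GetChangesAll",
                   "IsInherited": False}]},
    ],
}

# ACL rights that BloodHound draws as traversable edges (a subset)
ABUSABLE = {"GenericAll", "GenericWrite", "WriteDacl", "WriteOwner",
            "AllExtendedRights", "ForceChangePassword", "Owns"}


def build_graph(collection):
    """Return (names, edges): SID -> name, and {src SID: [(dst SID, edge)]}."""
    names, edges, replication = {}, {}, {}
    for kind, objects in collection.items():
        for obj in objects:
            sid = obj["ObjectIdentifier"]
            names[sid] = obj["Properties"]["name"]
            # Group membership: member --MemberOf--> group
            for member in obj.get("Members", []):
                edges.setdefault(member["ObjectIdentifier"], []).append((sid, "MemberOf"))
            # ACL rights: principal --Right--> object
            for ace in obj.get("Aces", []):
                right = ace["RightName"]
                if right in ABUSABLE:
                    edges.setdefault(ace["PrincipalSID"], []).append((sid, right))
                elif kind == "domains" and right in ("GetChanges", "GetChangesAll"):
                    replication.setdefault(sid, {}).setdefault(
                        ace["PrincipalSID"], set()).add(right)
    # DCSync needs DS-Replication-Get-Changes AND -Get-Changes-All
    for domain_sid, principals in replication.items():
        for principal, rights in principals.items():
            if rights >= {"GetChanges", "GetChangesAll"}:
                edges.setdefault(principal, []).append((domain_sid, "DCSync"))
    return names, edges


def shortest_path(collection, start_name, target_name):
    """BFS from start to target; returns [(src, edge, dst), ...] or None."""
    names, edges = build_graph(collection)
    by_name = {n: s for s, n in names.items()}
    start, target = by_name[start_name], by_name[target_name]
    prev, queue = {start: None}, deque([start])
    while queue:
        node = queue.popleft()
        if node == target:
            break
        for dst, edge in edges.get(node, []):
            if dst not in prev:
                prev[dst] = (node, edge)
                queue.append(dst)
    if target not in prev:
        return None
    path, node = [], target
    while prev[node] is not None:
        src, edge = prev[node]
        path.append((names[src], edge, names[node]))
        node = src
    return path[::-1]


def load_sharphound(paths):
    """Read real SharpHound output: paths maps kind -> json file name."""
    collection = {}
    for kind, path in paths.items():
        with open(path) as fh:
            collection[kind] = json.load(fh)["data"]
    return collection


if __name__ == "__main__":
    for src, edge, dst in shortest_path(SAMPLE, "JSMITH@CORP.LOCAL", "CORP.LOCAL"):
        print(f"{src} --[{edge}]--> {dst}")
```

Run it and the three-edge path from the graph above comes back; ask for a path from SVC_PRINT@CORP.LOCAL and you get None, because nothing in the sample reaches the domain from that account. Against a real collection, build_graph will also surface GenericWrite, WriteDacl and WriteOwner edges that the Cypher query above traverses but the prose never mentions.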
Step 3: Hunt Kerberoastable Accounts on the Attack Path
Not every service account with an SPN is dangerous. But service accounts that sit on an attack path and are Kerberoastable are high-priority targets. BloodHound marks them automatically (the hasspn property, and the built-in "List all Kerberoastable Accounts" query). Cross-reference with a quick PowerShell check to see which of them have old passwords, since those are the ones most likely to crack. Use Get-ADUser for this, not Get-ADServiceAccount, which only returns managed service accounts and would miss every ordinary user account carrying an SPN.
# Find Kerberoastable user accounts with passwords older than 365 days
# Run from WS-FINANCE-04 as jsmith@corp.local (ordinary read access is enough)
Get-ADUser -Filter { ServicePrincipalName -like "*" -and Enabled -eq $true } `
    -Properties ServicePrincipalName, PasswordLastSet |
  Where-Object { $_.SamAccountName -ne "krbtgt" -and
                 $_.PasswordLastSet -lt (Get-Date).AddDays(-365) } |
  Select-Object Name, PasswordLastSet, ServicePrincipalName
Name PasswordLastSet ServicePrincipalName
---- -------------- --------------------
svc_backup 2021-03-14 09:22:11 MSSQLSvc/SQL01.corp.local:1433
svc_print 2020-11-02 14:05:44 HTTP/PRINT01.corp.local
svc_deploy 2022-08-19 08:31:00 HOST/DEPLOY01.corp.local
svc_backup hasn't had its password rotated in over five years. Any authenticated domain user can request a Kerberos service ticket for that SPN; the ticket is encrypted under a key derived from the account's password (RC4 unless the account is restricted to AES), so the attacker takes the encrypted blob offline and cracks it with Hashcat without ever touching the account or its logs. A five-year-old service account password is likely a dictionary word with a number appended, crackable in minutes on a GPU. Combined with the GenericAll path you found in Step 2, this account is the linchpin of a full domain compromise.
Rotate passwords on all three accounts immediately, to long random values (25 or more characters) that will not fall to an offline crack, and restrict them to AES through msDS-SupportedEncryptionTypes so the KDC stops issuing RC4 tickets for them. Then enforce rotation with a Fine-Grained Password Policy applied to a service-account group (the domain-wide password policy in Group Policy applies to everyone, which is rarely what you want), or better, migrate to Group Managed Service Accounts (gMSA), whose long random passwords rotate automatically every 30 days by default.
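A defender's counterpart to the check above, as an added example that is not part of the page and not vendor detection content: every service-ticket request lands on the Domain Controller as Security Event ID 4769, carrying the requesting account, the target account's sAMAccountName in the Service Name field, the Ticket Encryption Type (0x17 is RC4-HMAC, 0x12 AES256) and the client address. A Kerberoast looks like one user pulling RC4 tickets for several user-account SPNs within seconds. The events below are constructed to mirror those fields (they are not real DC telemetry); the five-minute window and the three-account threshold are tuning assumptions.

```python
"""Kerberoast detection over Security Event ID 4769 (added example).

EVENTS is constructed to mirror the 4769 fields a DC writes for a TGS
request; it is not real telemetry. Service Name is the target account's
sAMAccountName, so computer accounts end in "$".
"""
from collections import defaultdict
from datetime import datetime, timedelta

EVENTS = [
    # One user pulls RC4 tickets for three service accounts in two seconds
    {"time": "2026-06-27T10:02:01", "TargetUserName": "jsmith@CORP.LOCAL",
     "ServiceName": "svc_backup", "TicketEncryptionType": "0x17",
     "IpAddress": "192.0.2.44"},
    {"time": "2026-06-27T10:02:02", "TargetUserName": "jsmith@CORP.LOCAL",
     "ServiceName": "svc_print", "TicketEncryptionType": "0x17",
     "IpAddress": "192.0.2.44"},
    {"time": "2026-06-27T10:02:02", "TargetUserName": "jsmith@CORP.LOCAL",
     "ServiceName": "svc_deploy", "TicketEncryptionType": "0x17",
     "IpAddress": "192.0.2.44"},
    # Business as usual: AES tickets, a computer-account service, spread out
    {"time": "2026-06-27T10:05:00", "TargetUserName": "alee@CORP.LOCAL",
     "ServiceName": "svc_backup", "TicketEncryptionType": "0x12",
     "IpAddress": "192.0.2.51"},
    {"time": "2026-06-27T11:40:00", "TargetUserName": "alee@CORP.LOCAL",
     "ServiceName": "WS-FINANCE-04$", "TicketEncryptionType": "0x12",
     "IpAddress": "192.0.2.51"},
    # A single RC4 ticket from a legacy client: below the burst threshold
    {"time": "2026-06-27T09:00:00", "TargetUserName": "bwong@CORP.LOCAL",
     "ServiceName": "svc_print", "TicketEncryptionType": "0x17",
     "IpAddress": "192.0.2.60"},
]

RC4_HMAC = "0x17"  # AES128 is 0x11, AES256 is 0x12


def is_roastable_request(ev):
    """RC4 ticket for a user account (not a computer account, not krbtgt)."""
    svc = ev["ServiceName"]
    return (ev["TicketEncryptionType"] == RC4_HMAC
            and not svc.endswith("$")
            and svc.lower() != "krbtgt")


def detect_kerberoast(events, window=timedelta(minutes=5), min_accounts=3):
    """One alert per requester that pulls RC4 tickets for at least
    min_accounts distinct service accounts inside a sliding time window."""
    by_user = defaultdict(list)
    for ev in events:
        if is_roastable_request(ev):
            by_user[ev["TargetUserName"]].append(ev)
    alerts = []
    for user, evs in by_user.items():
        evs.sort(key=lambda e: e["time"])  # ISO-8601 sorts lexically
        times = [datetime.fromisoformat(e["time"]) for e in evs]
        lo = 0
        for hi in range(len(evs)):
            while times[hi] - times[lo] > window:
                lo += 1
            targets = {e["ServiceName"] for e in evs[lo:hi + 1]}
            if len(targets) >= min_accounts:
                alerts.append({"user": user, "source": evs[hi]["IpAddress"],
                               "accounts": sorted(targets)})
                break
    return alerts


if __name__ == "__main__":
    for a in detect_kerberoast(EVENTS):
        print(f"Kerberoast: {a['user']} from {a['source']} -> {a['accounts']}")
```

In a domain where RC4 is still the default, the encryption-type filter alone is noisy; the burst of distinct service accounts from one requester is what separates a roast from normal traffic, and the threshold belongs in a config value you tune per environment. Restricting the service accounts to AES, as recommended above, helps the detection as well as the crack time: once no legitimate client should receive an RC4 ticket for svc_backup, any remaining 0x17 request for it is worth a look on its own.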
What To Do Right Now
Download SharpHound, run it against your own domain today, and import the ZIP into BloodHound. Run the built-in "Find Shortest Paths to Domain Admins" and "Find Shortest Paths to High Value Targets" queries and count how many paths exist with four hops or fewer. If you find more than three, you have immediate remediation work. Start with any path that crosses a service account with an SPN: those are your highest-probability breach scenarios and your fastest wins to close.
