# AD Attack Path Discovery

## BloodHound

* <https://github.com/BloodHoundAD/BloodHound>

BloodHound can be used to map the relationships within Active Directory environments. It collects data from any associated domain controllers and domain-joined Windows systems, then plots the relationships in a queryable Neo4j graph so that attack paths can be visualised.

BloodHound has two parts: a data collector and an analysis tool.

### SharpHound Collector

To compile the Active Directory objects and relationships, a BloodHound collector needs to be run within the target Active Directory environment. Typically SharpHound, a C# data collector, is used.

* <https://github.com/BloodHoundAD/SharpHound>

SharpHound creates several JSON files for use with the BloodHound analysis tool. The following command executes SharpHound and collects all types of data:

`SharpHound.exe --collectionmethods All`

Other collectors are also available:

* Python Collector (Python)
  * <https://github.com/dirkjanm/BloodHound.py>
* RustHound (Rust)
  * <https://github.com/NH-RED-TEAM/RustHound>

### Analysis

Once collection is complete, the compiled Active Directory data can be uploaded into the BloodHound analysis tool. Once uploaded, BloodHound will do the following:

* Map out the paths between Active Directory objects
* Execute in-built queries to find common attack paths

To get the most out of BloodHound, the following should also be done:

* Execute custom queries to find other attack paths
* Mark nodes as "high value" or "owned" for best attack path finding
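
To show what mapping paths and marking "high value" nodes amounts to, here is an added example (not BloodHound's own code and not part of the original page): a breadth-first search over a small constructed graph that finds the shortest path from a principal to a high-value node and lists the relationships whose removal breaks every path. The object names and the functions `shortest_path` and `choke_points` are hypothetical.

```python
from collections import deque

# Constructed sample data: (source, relationship, target). The relationship
# names follow BloodHound's edge naming; every object here is made up.
EDGES = [
    ("ALICE@EXAMPLE.LOCAL", "MemberOf", "HELPDESK@EXAMPLE.LOCAL"),
    ("HELPDESK@EXAMPLE.LOCAL", "AdminTo", "WS01.EXAMPLE.LOCAL"),
    ("ALICE@EXAMPLE.LOCAL", "MemberOf", "IT-SUPPORT@EXAMPLE.LOCAL"),
    ("IT-SUPPORT@EXAMPLE.LOCAL", "AdminTo", "WS01.EXAMPLE.LOCAL"),
    ("WS01.EXAMPLE.LOCAL", "HasSession", "SVC_BACKUP@EXAMPLE.LOCAL"),
    ("SVC_BACKUP@EXAMPLE.LOCAL", "MemberOf", "DOMAIN ADMINS@EXAMPLE.LOCAL"),
    ("BOB@EXAMPLE.LOCAL", "MemberOf", "STAFF@EXAMPLE.LOCAL"),
]
HIGH_VALUE = {"DOMAIN ADMINS@EXAMPLE.LOCAL"}  # nodes marked "high value"


def shortest_path(edges, start, targets):
    """Breadth-first search: shortest list of hops from start to any target, or None."""
    graph = {}
    for src, rel, dst in edges:
        graph.setdefault(src, []).append((rel, dst))
    parent = {start: None}  # node -> (previous node, relationship used)
    queue = deque([start])
    while queue:
        node = queue.popleft()
        if node in targets:
            hops = []
            while parent[node] is not None:  # walk back to the start node
                prev, rel = parent[node]
                hops.append((prev, rel, node))
                node = prev
            return hops[::-1]
        for rel, nxt in graph.get(node, []):
            if nxt not in parent:
                parent[nxt] = (node, rel)
                queue.append(nxt)
    return None


def choke_points(edges, start, targets):
    """Relationships whose removal alone leaves no path (remediation candidates).
    Such an edge lies on every path, so checking the shortest path's hops suffices."""
    path = shortest_path(edges, start, targets) or []
    return [hop for hop in path
            if shortest_path([e for e in edges if e != hop], start, targets) is None]


if __name__ == "__main__":
    for hop in shortest_path(EDGES, "ALICE@EXAMPLE.LOCAL", HIGH_VALUE):
        print("{} -[{}]-> {}".format(*hop))
    print("Remediate:", choke_points(EDGES, "ALICE@EXAMPLE.LOCAL", HIGH_VALUE))
```

In this sample the two group memberships that grant admin rights on the workstation are redundant routes, so only the service account's session and its privileged group membership are reported as single points to remediate.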

For more information on using the analysis tooling, as well as SharpHound, see the official docs:

* <https://bloodhound.readthedocs.io/en/latest/data-analysis/bloodhound-gui.html>

