Offensive: AD HoundSquad


This post is not a “How to install bloodhound” one (Infosec space is already flooded with thousands of them). It’s not about Bloodhound either (I might write a post about BH and less-known functionalities one day). This post assumes you already have installed Bloodhound, and know your way around. It serves as a quick compendium of utilities and useful references.

Here we’ll use some functionality in Sharphound, and establish a common ground for using it. At the end, we explore briefly some additional tools:

  • Plumhound

  • Goodhound

If you’re new to Bloodhound/Sharphound, take a look here:

or here, John Hammond showcasing the setup and exploration in Bloodhound:

or here, SANS’ comprehensive intro to Bloodhound:

If you’re absolutely new to this and in need of a playground:

About Bloodhound

SharpHound is the data collection tool used by BloodHound, a powerful graph-based tool used in Microsoft’s Active Directory (AD) environments. It is used for analyzing security risks and attack paths between AD objects. SharpHound, written in C#, is basically gathers the data that BloodHound visualizes (So they are 2 different pieces of Software). It collects data about AD objects (users, computers, groups, etc.) and their relationships, and packages this data into a format that BloodHound can ingest. Without Bloodhound, we would take A LONG time to discover the risks or misconfigurations we usually see with it.

BloodHound was first introduced in 2016 by security researchers Rohan Vazarkar, Will Schroeder, and Andy Robbins. It was developed to help understand complex AD environments, identify security risks, and uncover hidden attack paths that could be exploited by attackers (Shadow admins, unintended privileges, and other risky misconfigurations). The tool uses graph theory to reveal the hidden and often unintended relationships within an AD environment.

Cool facts:

Of course, Bloodhound is a breed of dog that has an excellent sense of smell and tracking abilities. Very fitting.

Another interesting fact is that the creators of BloodHound initially faced some skepticism and criticism from the security community when they first introduced the tool, as some people were concerned that it could be used maliciously by attackers. However, the creators argued that the tool could also be a valuable resource for defenders, helping them to identify and remediate security risks in their AD environments. Over time, BloodHound has indeed proven to be a valuable tool for both offensive and defensive security operations.

I’ve seen Bloodhound more in “Offensive” related content, courses, etc. Than in the Blue Team side of cybersecurity, which I have found very interesting over the years.


Option 1: You’re engaging from a Windows machine:

  • Sharphound.ps1 - PowerShell script for running Sharphound. However, the latest release of Sharphound has stopped releasing the Powershell script version. This version is good to use with RATs since the script can be loaded directly into memory, evading on-disk AV scans.

  • Sharphound.exe - A Windows executable version for running Sharphound.

  • AzureHound.ps1 - PowerShell script for running Sharphound for Azure (Microsoft Cloud Computing Services) instances. Bloodhound can ingest data enumerated from Azure to find attack paths related to the configuration of Azure Identity and Access Management.

To download a pre-compiled version of Sharphound, as well as the PS version:

Option2: You’re engaging from a Linux machine:


GREAT Tips for filtering, querying, and general analysis in Bloodhound:

Part 3. Windows security: reconnaissance of Active Directory environment with BloodHound. -

Official Documentation for Sharphound Usage:

All SharpHound Flags, Explained - BloodHound 3.0.3 documentation

SharpHound - BloodHound 3.0.3 documentation

Using Runas.exe

Running SH from a non-joined computer (Not encouraged by Bloodhound’s devs, but I’ve never had an issue):

runas.exe /netonly /\username powershell.exe
# And then execute Bloodhound in a domain-joined PS session

# Or simply:
runas.exe /netonly /\username .\sharphound.exe <ARGS>

General usage

There seems to be an 80/20 ratio of 20% of the functionalities being used for 80% of the times, so we can just:

# Explore the AD with a single sweep:
Sharphound.exe --CollectionMethods All --Domain

--ExcludeDCs if Necessary to avoid some detection mechanisms: Excludes requests to the DC

And then, having some initial data to work with, we can continually grab the sessions made on the computers, servers and by whom.

Sharphound.exe --CollectionMethods Session --Domain --Loop --LoopDuration 12:30:12

Notes about “Session” methods:

The rationale is that collecting session data over a period of time (For example, from 9 am to 9 pm or something, in a productive day), will show relationships that would have been less likely to catch in a single sweep ("–CollectionMethods All"):

Since the general structure of an AD is relatively static, but sessions are always changing (We see in Bloodhound an Admin connecting to a Workstation, which may log out in seconds and make sharphound data unreliable, it is recommended to run —CollectionMethods All sometimes, and —collectionMethods session very often. The first one will take all the infrastructure information (Groups, OU, Users, Domain) and sessions (Who’s where), and the latter will update the sessions only, which will be changed very often so requires updating.

Last time I checked, the maximum Loop session time was 23:59:00 - Anything larger than that throws C errors.

More Resources on Bloodhound

Edges - BloodHound 3.0.3 documentation

Bloodhound 2.2 - How to Setup and Use it


BloodHoundAD Report Engine for Security Teams - A little bit old and unsupported now, but it is very good at having a clear and easy look to the data gathered by Sharphound.

GitHub - PlumHound/PlumHound: Bloodhound for Blue and Purple Teams


  • Neo4j running + Bloodhound already loaded with the graphs

  • It only runs on Python3.8, so I use Docker to run Plumhound, with Bloodhound/Neo4j running in my host. Like this:

docker run -it --network="host" --rm python:3.8 /bin/bash

git clone && \
    cd PlumHound && pip3 install -r requirements.txt
    # Or Python3 -m pip install -r requirements.txt

./ -x tasks/default.tasks -s "bolt://" \
    -u "neo4j" -p "neo4j" -v 0 --HTMLCSS template/html.css
    # Default Bolt port. DO NOT CHANGE

UPDATE: The project seems active again as of 2023, and it seems to support Python3.10 now.

BloodHound + PlumHound = ❤ ->


GoodHound is a tool that works with BloodHound data to produce an actionable list of attack paths for targeted remediation. It’s a quick look at Bloodhound, and designed to help security teams prioritize their remediation efforts by identifying the most critical attack paths in an Active Directory environment.

produce an actionable list of attack paths for targeted remediation”


Intro to Goodhound: GoodHound v1.1.2 releases: produce an actionable list of attack paths for targeted remediation

Written By


Cybersecurity professional and IT enthusiast with a passion for technology, music, personal growth, and Eastern philosophy. Transitioned from mechanical engineering to IT in 2020, with a full-time interest in Technology, Cybersecurity and recent advances in AI. Seeks to integrate eastern philosophy, mindfulness and a growth mindset into daily life and work.