All articles
TUTORIAL · 7 min read

AD Pentest with BloodHound CE: A Walkthrough

BloodHound CE replaced the legacy GUI for almost every team I work with. The workflow shifts, but the analysis is more powerful — if you know the queries.

Collect cleanly

SharpHound with -CollectionMethods All,GPOLocalGroup,LoggedOn. Run from a low-priv user to mirror an attacker's first foothold.

Ingest and pivot

Drop the zip into BloodHound CE, mark owned/high-value, then run the built-in attack paths.

The queries that pay rent

Shortest path from owned to DA. ACLs on Tier-0. Kerberoastable accounts with admin rights. ADCS misconfig templates.

  • Owned → Domain Admins shortest path
  • Users with DCSync rights
  • Computers with unconstrained delegation
  • Certificate templates with ESC1-ESC11

Tools mentioned

SharpHoundBloodHound CECertipyRubeusImpacketNetExec
⟩ takeaway

BloodHound turns a 5-day internal engagement into a 1-day storyline. Learn the queries — the GUI is just a viewer.

⟩ keep reading

Related articles