TUTORIAL · 7 min read
AD Pentest with BloodHound CE: A Walkthrough
BloodHound CE replaced the legacy GUI for almost every team I work with. The workflow shifts, but the analysis is more powerful — if you know the queries.
Collect cleanly
SharpHound with -CollectionMethods All,GPOLocalGroup,LoggedOn. Run from a low-priv user to mirror an attacker's first foothold.
Ingest and pivot
Drop the zip into BloodHound CE, mark owned/high-value, then run the built-in attack paths.
The queries that pay rent
Shortest path from owned to DA. ACLs on Tier-0. Kerberoastable accounts with admin rights. ADCS misconfig templates.
- Owned → Domain Admins shortest path
- Users with DCSync rights
- Computers with unconstrained delegation
- Certificate templates with ESC1-ESC11
Tools mentioned
SharpHoundBloodHound CECertipyRubeusImpacketNetExec
⟩ takeaway
BloodHound turns a 5-day internal engagement into a 1-day storyline. Learn the queries — the GUI is just a viewer.
⟩ keep reading
Related articles
Hardening Your Cloud in 5 Steps
A practical checklist to lock down AWS, Azure and GCP workloads before attackers find the gaps.
Prompt Injection: The OWASP LLM #1 Risk
How indirect prompt injection turns helpful AI into an attacker tool — and how to defend against it.
Inside a Real SOC: A Day in the Life
From the first SIEM alert to incident closure — what L1/L2/L3 actually looks like in practice.