This repository is an Active Directory audit lab using BloodHound. It focuses on mapping and analyzing compromise paths so they can be prioritized, explained and remediated.
No exploitation steps are included here. The project is meant for authorized labs, internal audits and portfolio demonstration.
- BloodHound CE-oriented Cypher query library.
- Tier Zero and high-value path review methodology.
- Exposure categories for Kerberoastable users, local admin reachability, DCSync rights and dormant privilege.
- A small reporting helper for CSV exports.
- A clean remediation report template.
```text
Collect authorized AD data
        |
        v
Ingest into BloodHound CE
        |
        v
Run focused Cypher queries
        |
        v
Map compromise paths and produce remediation notes
```
```text
.
|-- docs/
|   |-- lab-setup.md
|   `-- reporting-method.md
|-- queries/
|   |-- dcsync-exposure.cypher
|   |-- dormant-high-privilege.cypher
|   |-- kerberoast-exposure.cypher
|   |-- local-admin-reachability.cypher
|   `-- tier-zero-shortest-paths.cypher
|-- reports/
|   `-- attack-path-assessment-template.md
|-- samples/
|   `-- attack-path-findings.csv
`-- scripts/
    `-- Summarize-BloodHoundFindings.ps1
```
- Stand up BloodHound CE in an authorized lab.
- Ingest your lab dataset.
- Run the queries from `queries/`.
- Export interesting paths to CSV.
- Summarize findings:
```powershell
Set-ExecutionPolicy -Scope Process -ExecutionPolicy Bypass -Force
./scripts/Summarize-BloodHoundFindings.ps1 `
  -CsvPath ./samples/attack-path-findings.csv `
  -OutputPath ./reports/summary.generated.md
```

- BloodHound CE quickstart: https://support.bloodhoundenterprise.io/hc/en-us/articles/17715215791899-Getting-started-with-BloodHound-Community-Edition
- Searching with Cypher: https://support.bloodhoundenterprise.io/hc/en-us/articles/16721164740251-Searching-with-Cypher
- BloodHound search and pathfinding: https://support.bloodhoundenterprise.io/hc/en-us/articles/12016243350939-Explore-Search-for-Objects
Only run collection and analysis against systems where you have explicit permission. Treat path findings as sensitive because they describe how privilege could be reached.
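
To illustrate the "Summarize findings" step, the following added example (not the repository's `Summarize-BloodHoundFindings.ps1`) groups exported paths by exposure category and ranks the categories for remediation. The column names `Category`, `Source`, `Target`, `Hops` and `TargetTierZero`, the two function names and the sample rows are assumptions made for this illustration.

```powershell
# Added example: the CSV schema and function names below are hypothetical.
function Get-AttackPathSummary {
    param([Parameter(Mandatory)] [object[]] $Findings)

    $Findings | Group-Object Category | ForEach-Object {
        # Paths that end on a Tier Zero object are the ones to fix first.
        $tierZero = @($_.Group | Where-Object { $_.TargetTierZero -eq 'true' })
        $minHops  = ($_.Group | ForEach-Object { [int]$_.Hops } |
                     Measure-Object -Minimum).Minimum
        [pscustomobject]@{
            Category      = $_.Name
            Paths         = $_.Count
            TierZeroPaths = $tierZero.Count
            ShortestHops  = [int]$minHops
            Principals    = @($_.Group.Source | Sort-Object -Unique).Count
        }
    } | Sort-Object @{ Expression = 'TierZeroPaths'; Descending = $true },
                    @{ Expression = 'ShortestHops';  Descending = $false }
}

function ConvertTo-MarkdownTable {
    param([Parameter(Mandatory)] [object[]] $Rows)
    $cols = $Rows[0].PSObject.Properties.Name
    '| ' + ($cols -join ' | ') + ' |'
    '| ' + (($cols | ForEach-Object { '---' }) -join ' | ') + ' |'
    foreach ($r in $Rows) {
        '| ' + (($cols | ForEach-Object { $r.$_ }) -join ' | ') + ' |'
    }
}

# Constructed sample rows (lab names, not real data).
$sample = @'
Category,Source,Target,Hops,TargetTierZero
Kerberoastable,SVC-SQL@LAB.LOCAL,DOMAIN ADMINS@LAB.LOCAL,2,true
Kerberoastable,SVC-WEB@LAB.LOCAL,WEB01.LAB.LOCAL,1,false
LocalAdminReachability,HELPDESK@LAB.LOCAL,DC01.LAB.LOCAL,3,true
DCSync,BACKUP-OPS@LAB.LOCAL,LAB.LOCAL,1,true
DormantPrivilege,OLD-ADMIN@LAB.LOCAL,DOMAIN ADMINS@LAB.LOCAL,1,true
DormantPrivilege,OLD-ADMIN@LAB.LOCAL,FILE01.LAB.LOCAL,2,false
'@ | ConvertFrom-Csv

ConvertTo-MarkdownTable -Rows (Get-AttackPathSummary -Findings $sample)
```

Categories with the most paths ending on Tier Zero objects sort first, and ties are broken by the shortest path, so the top rows of the table are the ones to remediate first.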