BloodHound Data Collection Guide

A practical guide to collecting Active Directory and Azure AD data for attack path analysis.

Prerequisites

  • SharpHound: Windows machine with domain-joined access and local Administrator privileges on targets.
  • AzureHound: Azure/Entra ID account with Directory Readers or Global Reader permissions.
  • BloodHound CE: Installed and running on your local machine or server.
  • Network access: Ability to reach domain controllers and Azure endpoints from your collection machine.

SharpHound Collection

SharpHound is the data collector for Active Directory environments. It requires domain credentials and local admin rights on target systems.

Standard Collection

Run the following command to collect comprehensive AD data including sessions, trusts, and computer options:

SharpHound.exe -c All,Session,Trusts,ComputerOptions,DcomRights,SPNTarget --domain corp.local

The collection flags provide:

  • All: Basic inventory (users, computers, groups)
  • Session: Session data for lateral movement analysis
  • Trusts: Domain trust relationships
  • ComputerOptions: LAPS, NTLM, and risky configurations
  • DcomRights/SPNTarget: Privilege escalation paths

Custom Filters

For large environments (100k+ objects), filter to focus on high-value targets:

SharpHound.exe -c All --domaincontroller only --skip computeroptions

Output & Scheduling

Specify an output directory to keep collection files organized:

SharpHound.exe -c All --outputdirectory "C:\BloodHound\Data\$(Get-Date -Format 'yyyy-MM-dd')"

AzureHound Collection

AzureHound collects data from Entra ID. You need specific permissions for full enumeration.

Permissions

Required permissions for thorough Azure AD enumeration:

  • Directory Readers: Minimum for users, groups, and applications
  • Global Reader: Read-only access to all directory data (conditional access, PIM)
  • Application Developer: Required for app registrations and API permissions

Interactive Login

For quick assessments, use interactive login:

AzureHound.exe -c All

Service Principal

For automated collection, use a service principal:

AzureHound.exe -c All --tenantid "YOUR-TENANT-ID" `
    --clientid "YOUR-CLIENT-ID" `
    --clientsecret "YOUR-SECRET"

AzureHound will silently fail if the account lacks consent permissions. Verify before collection:

Connect-AzureAD -TenantId "YOUR-TENANT-ID"
Get-AzureADServicePrincipal -Top 1

Importing into BloodHound CE

After collection, import the JSON files into BloodHound CE.

Verification Queries

Run these queries immediately after import to verify data:

MATCH (n) RETURN count(*) AS totalNodes
MATCH (n:User) RETURN count(n) AS users
MATCH (n:Computer) RETURN count(n) AS computers
MATCH ()-[r:MemberOf]->() RETURN count(r) AS memberofs

Common Issues

  • No edges loaded: Check that you're uploading JSON files (not CSV). BloodHound CE is picky about file format.
  • Wrong tenant data: Verify the tenant ID in AzureHound matches what you expect.
  • Outdated data: Collection frequency of 4-6 hours recommended for meaningful attack path analysis.
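The verification queries above only tell you something went wrong after the upload has already happened. The following added example (not part of this guide, nor of the BloodHound project) runs the same sanity checks against the collection files before they are uploaded: it rejects anything that is not JSON (the CSV mistake from "No edges loaded"), confirms each file's meta.count matches the number of objects actually present, and totals objects and MemberOf edges so you have expected values to compare against the totalNodes/memberofs queries. The file layout it assumes is the SharpHound JSON structure with a top-level "data" array and a "meta" object carrying type, count, version and methods, and user/computer objects listing group membership under "MemberOf"; that layout, the SIDs and the file names in the sample are constructed for the example.

```python
"""Pre-upload sanity check for SharpHound JSON output (added example).

Assumed file layout (not stated in the guide): each file is a JSON object
{"data": [...], "meta": {"type": ..., "count": N, "version": ..., "methods": ...}}
and each user/computer object lists its groups under "MemberOf".
"""
import json
import os
import sys
import zipfile
from dataclasses import dataclass, field

# Object types SharpHound emits one file per; anything else is flagged for review.
EXPECTED_TYPES = {"users", "computers", "groups", "domains", "gpos", "ous", "containers"}


@dataclass
class FileReport:
    name: str
    ok: bool
    type: str = ""
    count: int = 0
    edges: int = 0
    problems: list = field(default_factory=list)


def check_blob(name: str, blob: bytes) -> FileReport:
    """Validate one collection file held in memory and report what it contains."""
    report = FileReport(name=name, ok=False)
    try:
        doc = json.loads(blob.decode("utf-8-sig"))  # SharpHound files may carry a BOM
    except (UnicodeDecodeError, json.JSONDecodeError):
        report.problems.append("not JSON (a CSV or corrupted file uploads zero edges)")
        return report
    if not isinstance(doc, dict) or "meta" not in doc or "data" not in doc:
        report.problems.append("missing top-level 'meta'/'data' keys")
        return report
    meta, data = doc["meta"], doc["data"]
    report.type = str(meta.get("type", ""))
    report.count = int(meta.get("count", -1))
    if report.type not in EXPECTED_TYPES:
        report.problems.append(f"unexpected meta.type {report.type!r}")
    if report.count != len(data):
        report.problems.append(f"meta.count={report.count} but data has {len(data)} objects")
    # MemberOf entries become the MemberOf edges the last verification query counts.
    report.edges = sum(len(obj.get("MemberOf") or []) for obj in data if isinstance(obj, dict))
    report.ok = not report.problems
    return report


def check_files(files: dict) -> dict:
    """Check every file and total the objects/edges the import should produce."""
    reports = [check_blob(name, blob) for name, blob in files.items()]
    return {
        "ok": all(r.ok for r in reports),
        "objects": sum(r.count for r in reports if r.ok),
        "memberof_edges": sum(r.edges for r in reports if r.ok),
        "reports": reports,
    }


def load_collection(path: str) -> dict:
    """Read every entry of a SharpHound .zip, or every file in an output directory."""
    files = {}
    if zipfile.is_zipfile(path):
        with zipfile.ZipFile(path) as zf:
            for info in zf.infolist():
                if not info.is_dir():
                    files[info.filename] = zf.read(info)
    else:
        for name in sorted(os.listdir(path)):
            full = os.path.join(path, name)
            if os.path.isfile(full):
                with open(full, "rb") as fh:
                    files[name] = fh.read()
    return files


# Constructed sample: a valid users file, a groups file whose meta.count is wrong,
# and a stray CSV export that BloodHound CE would not ingest.
SAMPLE_FILES = {
    "20240101_users.json": json.dumps({
        "data": [
            {"ObjectIdentifier": "S-1-5-21-1-1-1-1105", "Properties": {"name": "ALICE@CORP.LOCAL"},
             "MemberOf": [{"ObjectIdentifier": "S-1-5-21-1-1-1-512", "ObjectType": "Group"}]},
            {"ObjectIdentifier": "S-1-5-21-1-1-1-1106", "Properties": {"name": "BOB@CORP.LOCAL"},
             "MemberOf": []},
        ],
        "meta": {"methods": 0, "type": "users", "count": 2, "version": 5},
    }).encode(),
    "20240101_groups.json": json.dumps({
        "data": [{"ObjectIdentifier": "S-1-5-21-1-1-1-512",
                  "Properties": {"name": "DOMAIN ADMINS@CORP.LOCAL"}, "Members": []}],
        "meta": {"methods": 0, "type": "groups", "count": 3, "version": 5},
    }).encode(),
    "20240101_computers.csv": b"name,operatingsystem\r\nDC01,Windows Server\r\n",
}

if __name__ == "__main__":
    files = load_collection(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_FILES
    result = check_files(files)
    for r in result["reports"]:
        print(f"{'OK ' if r.ok else 'BAD'} {r.name}: type={r.type} count={r.count} "
              f"memberof={r.edges} {'; '.join(r.problems)}")
    print(f"upload {'ready' if result['ok'] else 'NOT ready'}: "
          f"{result['objects']} objects, {result['memberof_edges']} MemberOf edges")
```

Run it against the .zip or output directory SharpHound produced; the final line gives the object and MemberOf totals the totalNodes and memberofs queries should reproduce after a clean import, and any file marked BAD is the one to fix (or drop) before uploading rather than after.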

Troubleshooting

  • SharpHound fails to connect: Check domain join status and network connectivity to domain controllers. Verify PowerShell execution policy isn't blocking the script.
  • AzureHound authentication errors: Verify the account has Directory Readers or Global Reader roles. Check if conditional access policies are blocking authentication.
  • Edges missing after upload: Run SharpHound with the -c All flag to ensure full enumeration.
  • Data not showing in BloodHound: Verify you're uploading JSON files (BoltDB for AD, JSON for Azure). Check that the BloodHound CE database isn't full (2GB limit by default).

Resources