Note
BloodHound Custom Cypher Query Cheat Sheet
Quick reference for the most useful BloodHound Cypher queries — from shortest paths to Kerberoastable DAs, custom tier analysis, and owned-node traversal.
01 Nov 2025 | 2 min read | 335 words
Basic Path Queries
```cypher
// Shortest path from owned user to Domain Admins
MATCH p=shortestPath((u:User {owned:true})-[*1..]->(g:Group {name:"DOMAIN ADMINS@DOMAIN.LOCAL"}))
RETURN p
// All shortest paths from owned users to DA (every path of minimum length, not every path)
MATCH p=allShortestPaths((u:User {owned:true})-[*1..]->(g:Group {name:"DOMAIN ADMINS@DOMAIN.LOCAL"}))
RETURN p
```

Kerberoastable Accounts
```cypher
// All Kerberoastable users
MATCH (u:User {hasspn:true}) RETURN u.name, u.description
// Kerberoastable users who are Domain Admins
MATCH (u:User {hasspn:true})-[:MemberOf*1..]->(g:Group {name:"DOMAIN ADMINS@DOMAIN.LOCAL"})
RETURN u.name
// High-value Kerberoastable accounts (admincount=true)
MATCH (u:User {hasspn:true, admincount:true}) RETURN u.name
```

AS-REP Roastable Users
```cypher
// All accounts without Kerberos pre-auth
MATCH (u:User {dontreqpreauth:true}) RETURN u.name, u.description
// AS-REP roastable users with paths to DA
MATCH p=shortestPath(
  (u:User {dontreqpreauth:true})-[*1..]->(g:Group {name:"DOMAIN ADMINS@DOMAIN.LOCAL"})
) RETURN p
```

ACL / Permission Queries
```cypher
// Find objects with WriteDACL on the domain
MATCH (n)-[:WriteDACL]->(d:Domain) RETURN n.name, labels(n)
// GenericAll on privileged accounts
MATCH (u)-[:GenericAll]->(v:User {admincount:true})
RETURN u.name, v.name
// Principals with DCSync-capable rights on the domain, directly or through a chain of these edges
MATCH p=(n)-[:DCSync|AllExtendedRights|GenericAll*1..]->(d:Domain)
RETURN p
```

Owned Node Analysis
```cypher
// Mark a user as owned
MATCH (u:User {name:"SVC-ALFRESCO@HTB.LOCAL"}) SET u.owned=true
// What can owned users reach?
MATCH p=(u:User {owned:true})-[r:MemberOf|AdminTo|HasSession|AllowedToDelegate*1..5]->(n)
RETURN p LIMIT 100
// Sessions of owned users on computers (the HasSession edge points from Computer to User)
MATCH p=(c:Computer)-[:HasSession]->(u:User {owned:true})
RETURN p
```

Delegation Queries
```cypher
// Unconstrained delegation (except DCs; assumes DC hostnames start with "DC")
MATCH (c:Computer {unconstraineddelegation:true})
WHERE NOT c.name STARTS WITH "DC"
RETURN c.name
// Constrained delegation targets
MATCH (n)-[:AllowedToDelegate]->(c:Computer)
RETURN n.name, c.name
// Resource-based constrained delegation
MATCH (n)-[:AllowedToAct]->(c:Computer)
RETURN n.name, c.name
```

Tier 0 Asset Mapping
```cypher
// All admincount=true accounts (approx. tier 0)
MATCH (n {admincount:true}) RETURN n.name, labels(n)
// Direct admin rights on DCs (pass the DC's name as the $dc_name query parameter)
MATCH p=(u:User)-[:AdminTo]->(c:Computer {name:$dc_name})
RETURN p
```

High-Value Target Shortcuts
```cypher
// Foreign group members (cross-domain)
MATCH (u:User)-[:MemberOf]->(g:Group)
WHERE u.domain <> g.domain RETURN u.name, g.name
// Local admins on servers (excluding DCs by name prefix)
MATCH p=(u:User)-[:AdminTo]->(c:Computer)
WHERE NOT c.name STARTS WITH "DC"
RETURN p LIMIT 50
```

Tip: In BloodHound Community Edition, run custom queries via the "Custom Query" tab in the search panel. Save frequently used queries in the customqueries.json file for persistence.
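
The two queries under Basic Path Queries differ in a way that matters when verifying remediation. The following added example (not part of the original cheat sheet) models allShortestPaths in plain Python over a constructed graph and shows that removing the edges shared by every shortest path can still leave a longer path in place. All node names and helper functions are hypothetical.

```python
from collections import deque
OWNED, DA = "ALICE@DOMAIN.LOCAL", "DOMAIN ADMINS@DOMAIN.LOCAL"
# Constructed sample graph (not real data): (source, edge type, target) tuples.
EDGES = [
    (OWNED, "MemberOf", "HELPDESK@DOMAIN.LOCAL"),
    ("HELPDESK@DOMAIN.LOCAL", "AdminTo", "SRV01.DOMAIN.LOCAL"),
    ("HELPDESK@DOMAIN.LOCAL", "AdminTo", "SRV02.DOMAIN.LOCAL"),
    ("SRV01.DOMAIN.LOCAL", "HasSession", "BOB@DOMAIN.LOCAL"),  # Computer -> User
    ("SRV02.DOMAIN.LOCAL", "HasSession", "BOB@DOMAIN.LOCAL"),
    ("BOB@DOMAIN.LOCAL", "MemberOf", DA),
    # Longer 5-hop route: not returned while a 4-hop path exists.
    (OWNED, "GenericAll", "CAROL@DOMAIN.LOCAL"),
    ("CAROL@DOMAIN.LOCAL", "MemberOf", "IT@DOMAIN.LOCAL"),
    ("IT@DOMAIN.LOCAL", "AdminTo", "SRV03.DOMAIN.LOCAL"),
    ("SRV03.DOMAIN.LOCAL", "HasSession", "DAVE@DOMAIN.LOCAL"),
    ("DAVE@DOMAIN.LOCAL", "MemberOf", DA),
]

def all_shortest_paths(edges, source, target):
    """Every minimum-length directed path, as lists of edges (like allShortestPaths)."""
    out, dist, preds, queue = {}, {source: 0}, {}, deque([source])
    for edge in edges:
        out.setdefault(edge[0], []).append(edge)
    while queue:  # breadth-first search
        node = queue.popleft()
        for edge in out.get(node, []):
            nxt = edge[2]
            if nxt not in dist:
                dist[nxt] = dist[node] + 1
                queue.append(nxt)
            if dist[nxt] == dist[node] + 1:  # edge lies on some shortest route
                preds.setdefault(nxt, []).append(edge)
    def unwind(node):  # rebuild the paths backwards from the target
        if node == source:
            return [[]]
        return [p + [e] for e in preds.get(node, []) for p in unwind(e[0])]
    return unwind(target) if target in dist else []

def common_edges(paths):
    """Edges present in every path; removing one of them breaks all those paths."""
    return set.intersection(*(set(p) for p in paths)) if paths else set()

def analyse(edges=EDGES):
    paths = all_shortest_paths(edges, OWNED, DA)
    choke = common_edges(paths)
    return paths, choke, all_shortest_paths([e for e in edges if e not in choke], OWNED, DA)

if __name__ == "__main__":
    print(*analyse(), sep="\n")
```

After a fix is applied in the directory and data is re-collected, re-run the path queries rather than assuming the route is closed.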