Introducing the BloodHound Query Library
Jun 17 2025
By: Martin Sohn Christensen, Joey Dreijer
TL;DR The BloodHound Query Library is a community-driven collection of Cypher queries designed to help BloodHound Community Edition and BloodHound Enterprise users unlock the full potential of the flexible BloodHound platform by creating an open query ecosystem. The library is a free tool for the community and you can start using it today at https://queries.specterops.io.
The Hunt for Better Cypher Queries
One of BloodHound’s key features is its flexibility through Cypher queries – a query language to search the BloodHound graph database. Queries can answer anything from simple questions (e.g., “Which users have non-expiring passwords?”), to complex identity attack path problems (e.g., “Which low-privileged users can compromise computers hosting a gMSA with unconstrained delegation?”).
However, there is a challenge: learning Cypher can be difficult and requires dedicated time and effort. We’ve observed that, for that reason, many BloodHound users do not use Cypher and BloodHound to their full extent. Instead, they mostly rely on BloodHound’s pre-built queries and the numerous “BloodHound Cypher cheat sheets” the amazing BloodHound community created over the years. And although the community contributions are great, they aren’t collaborative; they represent a subset of what we’ve found possible; they often become outdated, scattered knowledge silos; and the valuable queries from community experts rarely get the attention and updates they deserve.
This made us wonder: How can we help the community get the full value from BloodHound’s queries? And how can we democratize the knowledge that currently exists in the minds of the BloodHound community?
Introducing the BloodHound Query Library
The BloodHound Query Library is found at https://queries.specterops.io/ and represents our solution: A collection of queries presented through a sleek, searchable front-end, and maintained in a human-readable format (YAML) in the BloodHoundQueryLibrary repository. The goal of the project is to enable users of BloodHound Community Edition and BloodHound Enterprise to find useful queries and advance their knowledge of the query language. Rather than replacing BloodHound’s built-in functionality, the library serves as an extension and an educational bridge – helping users understand query patterns, learn from real-world examples, and eventually develop the confidence to write their own custom queries.

Not Just Another Cypher Cheat Sheet in the Pack
The BloodHound Query Library isn’t just another collection of queries. Several features set it apart:
- Open Query Ecosystem: Unlike the traditional model where queries were added to BloodHound as product features (or infrequent community pull requests), the library creates a centralized open ecosystem for query sharing and community voting to surface the most valuable content
- Standardized Query Format: Each query is a YAML file and includes not just the query, but metadata like platform compatibility, description, and resource links. YAML ensures readability and makes contributions easy while maintaining consistency
- Web Interface: Unlike static cheat sheets or the raw YAML files, the library provides a user-friendly, searchable interface with direct run and copy functionality, which improves usability and lets you locate the queries you need in a matter of seconds
BloodHound Query Library in Action
The library launches with an extensive collection of more than 170 queries that demonstrate BloodHound’s versatility beyond traditional attack path analysis. This includes:
- All existing pre-built queries from BloodHound
- Cherry-picked community queries
- SpecterOps-created queries that BloodHound Enterprise customers found valuable
- Novel queries to further showcase BloodHound’s security assessment capabilities, as detailed in the next section: Beyond Attack Paths
The web interface makes exploring the collection intuitive and efficient:


Beyond Attack Paths: BloodHound as a Comprehensive Assessment Platform
To showcase BloodHound’s broader security assessment capabilities, we’ve mapped BloodHound queries to common security tools, demonstrating where their capabilities overlap. For example, you can now use library queries to validate 105 of PingCastle’s 186 test cases (56% coverage) in BloodHound. This approach enables different security teams to leverage BloodHound’s comprehensive attack path data for multiple kinds of risk validation, whether they’re conducting red team assessments, blue team analysis, or compliance audits.
At the time of publication, the available queries map to the following security tooling:
- 105/186 (56%) tests of Netwrix PingCastle
- 35/45 (78%) tests of Microsoft Defender for Identity: Security Posture Assessment
- 10/10 (100.0%) tests of Tenable Nessus: Active Directory Starter Scan
More information about the mapping and coverage is available in the repository here: https://github.com/SpecterOps/BloodHoundQueryLibrary/blob/main/docs/security-assessment-mapping.md
The Technology Behind the Library
The BloodHound Query Library is built with a clean separation between the frontend and data layer. A VueJS web application provides the web interface, while individual query files stored in YAML format are automatically combined into a single Queries.json file that powers the search functionality. The system optionally stores user votes through Supabase. Whenever new queries are added, the syntax is automatically validated, ensuring that only syntactically compatible queries are added.
The query YAML files are stored in the BloodHoundQueryLibrary repository on GitHub.
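The build step described above (per-query files validated, then merged into one JSON document) can be sketched as follows. This is an added example, not the project's own code: the key names, the sample records and the lightweight structural check (standing in for real Cypher syntax validation) are all assumptions.

```python
import json

# Key names are assumptions; the page names only the kinds of metadata stored.
REQUIRED = ("name", "description", "platforms", "query")
PAIRS = {")": "(", "]": "[", "}": "{"}

def structural_errors(cypher):
    """Cheap stand-in for a real Cypher parser: balanced delimiters + RETURN."""
    errors, stack, quote, escaped = [], [], None, False
    for ch in cypher:
        if quote:                            # inside a string literal
            if ch == quote and not escaped:
                quote = None
            escaped = ch == "\\" and not escaped
        elif ch in "'\"":
            quote = ch
        elif ch in "([{":
            stack.append(ch)
        elif ch in PAIRS and (not stack or stack.pop() != PAIRS[ch]):
            errors.append(f"unexpected {ch!r}")
    if quote:
        errors.append("unterminated string literal")
    if stack:
        errors.append(f"unclosed {stack[-1]!r}")
    if "RETURN" not in cypher.upper().split():
        errors.append("no RETURN clause")
    return errors

def build_index(records):
    """Return (json_text, rejected); only records passing every check are kept."""
    accepted, rejected = [], {}
    for rec in records:
        problems = [f"missing {k}" for k in REQUIRED if not rec.get(k)]
        if rec.get("query"):
            problems += structural_errors(rec["query"])
        if problems:
            rejected[rec.get("name", "<unnamed>")] = problems
        else:
            accepted.append(rec)
    return json.dumps(sorted(accepted, key=lambda r: r["name"]), indent=2), rejected

# Constructed sample records, shaped as they might look once the YAML is parsed.
SAMPLES = [
    {"name": "Non-expiring passwords", "description": "constructed", "platforms": ["Active Directory"],
     "query": "MATCH (u:User) WHERE u.pwdneverexpires = true RETURN u"},
    {"name": "Broken pattern", "description": "constructed", "platforms": ["Active Directory"],
     "query": "MATCH (u:User WHERE u.enabled = true RETURN u"},
    {"name": "No platforms", "description": "constructed", "platforms": [], "query": "MATCH (c:Computer) RETURN c"},
]
```

Calling `build_index(SAMPLES)` keeps only the first record in the JSON output and reports the reason each of the other two was rejected.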
Contributing and Looking Forward
The BloodHound Query Library’s success depends on community participation. BloodHound users who have developed useful queries are encouraged to contribute them to the library. For detailed contribution guidelines, see the Contributing section in the GitHub repository.
This launch represents just the beginning of the BloodHound Query Library. We’re looking forward to community feedback and contributions that will help grow the query collection. Planned improvements include enhanced integration features to simplify BloodHound import and use, as well as adding more novel queries.
The library will continue to evolve based on community input. As more users share their expertise, the library becomes increasingly valuable for everyone in the BloodHound community!
Wrap Up
The BloodHound Query Library represents SpecterOps’s commitment to openly sharing security knowledge. By making expert-level queries accessible to the broader security community, we hope to empower security teams and raise the overall effectiveness of BloodHound deployments.
This is just the beginning and we plan to make further improvements. The library’s value grows with each contribution, so we encourage you to explore the existing queries, contribute new queries, vote, and help us build a comprehensive resource for the entire BloodHound community. Open knowledge sharing benefits us all.
Lastly, we want to thank the community for the history of openly sharing BloodHound Cypher queries, and the SpecterOps colleagues who helped us push the project forward, especially Hugo van den Toorn and JD (aka SadProcessor).
Got questions or feedback?
Reach us in the BloodHound community Slack #cypher_queries channel or directly:
BloodHound Query Library: https://queries.specterops.io/
Project GitHub: https://github.com/SpecterOps/BloodHoundQueryLibrary