Active Directory

BloodHound Edges Worth Hunting First

A practical short-list of BloodHound edges that consistently shorten attack paths in real Active Directory engagements — what to run, why it works, and what defenders should detect.

Why this list exists

BloodHound surfaces hundreds of edges. In real engagements, only a handful consistently shorten the path to Tier-0. This is the short-list I run first, sorted by ratio of impact to noise.

The shortlist

  1. AddMember on a privileged group — the simplest privilege escalation primitive in AD. If the path exists, the engagement is essentially over.

  2. GenericAll / GenericWrite on user objects — full control of the target principal, including a forced password change.

  3. ForceChangePassword on Tier-0 service accounts — almost always missed by patching cycles and rotation policies.

  4. AllowedToDelegate / AllowedToActOnBehalfOfOtherIdentity, the constrained and resource-based constrained delegation paths that lead straight to Domain Controllers.

  5. WriteDacl / WriteOwner on AdminSDHolder or sensitive OUs — long-lived persistence primitives, usually overlooked in audits.

How I run them

Once I have a low-privileged foothold, I prefer SharpHound from a domain-joined Windows host with a low-noise collection method:

    SharpHound.exe --CollectionMethods Default,LoggedOn,Trusts,DCOnly

For Linux pivots, BloodHound.py works fine over a SOCKS tunnel:

    bloodhound-python -d corp.local -u svc.web -p '<pw>' -ns 10.0.0.10 -c All

Defender takeaway: most of these edges look like benign reads at the LDAP layer until the moment they're used. Wire detections at the use of the privilege, not the discovery — discovery is unstoppable.
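As an added defensive example (not part of the original writeup), the script below turns the "detect the use, not the discovery" advice into concrete detection logic: it maps the standard Windows Security event IDs that record a privilege being exercised (4728/4732/4756 for group membership additions, 4724 for a password reset, 5136 for a directory object modification) back to the edge from the shortlist, and sorts findings so the ones touching Tier-0 come first. The one-line key=value record format, the Tier-0 group and account inventory, and the sample log lines are all constructed for this example; real events arrive as EVTX/XML and the field names there differ.

```python
"""Map Security event IDs to the BloodHound edge whose *use* they record and
flag the findings that touch Tier-0.

Added example, not from the original writeup. The event IDs are standard
Windows Security events; the one-line "key=value" record format, the Tier-0
inventory and the sample lines are constructed for the example (assumptions).
"""
import re
from collections import namedtuple

Finding = namedtuple("Finding", "event_id edge actor target tier0")

# Event IDs that record the *use* of an edge. The ACE itself is only visible
# as an LDAP read, which the writeup says is not worth alerting on.
EVENT_TO_EDGE = {
    "4728": "AddMember",            # member added to security-enabled global group
    "4732": "AddMember",            # member added to security-enabled local group
    "4756": "AddMember",            # member added to security-enabled universal group
    "4724": "ForceChangePassword",  # attempt to reset an account's password
    "5136": None,                   # directory object modified; edge depends on attribute
}

# For 5136 the modified attribute decides which edge was exercised.
ATTRIBUTE_TO_EDGE = {
    "msds-allowedtoactonbehalfofotheridentity": "AllowedToActOnBehalfOfOtherIdentity",
    "msds-allowedtodelegateto": "AllowedToDelegate",
    "ntsecuritydescriptor": "WriteDacl/WriteOwner",
}

# Constructed Tier-0 inventory; in production this comes from your asset list.
TIER0_GROUPS = {"domain admins", "enterprise admins", "administrators", "schema admins"}
TIER0_ACCOUNTS = {"svc.backup", "krbtgt", "dc01$",
                  "cn=adminsdholder,cn=system,dc=corp,dc=local"}

# Constructed sample records in the assumed format (EventID=... Key=Value ...).
SAMPLE_LOG = [
    'EventID=4728 Actor=svc.web Target="Domain Admins" Member=svc.web',
    'EventID=4728 Actor=helpdesk1 Target="Print Operators" Member=jdoe',
    'EventID=4724 Actor=helpdesk1 Target=jdoe',
    'EventID=4724 Actor=svc.web Target=svc.backup',
    'EventID=5136 Actor=svc.web Target=DC01$ Attribute=msDS-AllowedToActOnBehalfOfOtherIdentity',
    'EventID=5136 Actor=svc.web Target="CN=AdminSDHolder,CN=System,DC=corp,DC=local" Attribute=nTSecurityDescriptor',
    'EventID=4624 Actor=jdoe Target=WS01$',  # logon: not an edge use, must be ignored
]

_KV = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_record(line):
    """Parse one constructed key=value line into a dict with lower-cased keys."""
    return {k.lower(): v.strip('"') for k, v in _KV.findall(line)}


def classify(rec):
    """Return a Finding if the record exercises a hunted edge, else None."""
    eid = rec.get("eventid")
    if eid not in EVENT_TO_EDGE:
        return None
    edge = EVENT_TO_EDGE[eid]
    if eid == "5136":
        edge = ATTRIBUTE_TO_EDGE.get(rec.get("attribute", "").lower())
        if edge is None:          # some other attribute; not on the shortlist
            return None
    target = rec.get("target", "?")
    # For AddMember the Tier-0 object is the group; for the rest it is the principal.
    tier0_set = TIER0_GROUPS if edge == "AddMember" else TIER0_ACCOUNTS
    return Finding(eid, edge, rec.get("actor", "?"), target, target.lower() in tier0_set)


def hunt(lines):
    """Classify every line; Tier-0 findings first, then by event ID."""
    findings = [f for f in map(classify, map(parse_record, lines)) if f]
    return sorted(findings, key=lambda f: (not f.tier0, f.event_id))


if __name__ == "__main__":
    for f in hunt(SAMPLE_LOG):
        flag = "TIER-0 " if f.tier0 else "       "
        print(f"{flag}{f.event_id} {f.edge:<38} {f.actor} -> {f.target}")
```

Two caveats when wiring this for real: 5136 only fires for objects that carry a Write SACL and only when "Audit Directory Service Changes" is enabled, which the default domain policy does not do, so the AdminSDHolder and delegation rows above are silent until that auditing is turned on; and 4724 records the reset attempt regardless of outcome, so pair it with the result code before paging anyone.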

What this writeup is NOT

It is not a BloodHound tutorial. The official docs cover collection methodology, query syntax, and the GUI. This list is the field-tested shortcut you reach for once you already know how to use the tool.
