The BloodHound Query Library is a community-driven collection of Cypher queries designed to help BloodHound Community Edition and BloodHound Enterprise users unlock the full potential of the flexible BloodHound platform by creating an open query ecosystem.
The library is a free tool for the community, maintained in a human-readable format (YAML) through this repository and the searchable front-end at https://queries.specterops.io/.
You can also easily bulk import all queries into BloodHound:
- Download Queries.zip from Releases.
- Import Queries.zip by either:
  - UI: Explore -> Cypher -> Import
  - API: /api/v2/saved-queries/import
For an introduction to the project, please read our blog post:
The library contains queries that demonstrate BloodHound's versatility beyond traditional attack path analysis. This includes:
- All existing pre-built queries from BloodHound
- Cherry-picked community queries
- SpecterOps-created queries BloodHound Enterprise customers found valuable
- Community contributed queries (see Contributing)
- Novel queries to further showcase BloodHound's security assessment capabilities (see security-assessment-mapping.md)
Individual query files are stored in /queries as .yml and are automatically combined into a single Queries.json/Queries.zip as part of our releases.
The query files use the YAML structure found in query-structure.yml, for example:
```yaml
name: Entra ID SSO accounts not rolling Kerberos decryption key
guid: 1867abf8-08e3-4ea8-8f65-8366079d35c4
prebuilt: false
platforms:
  - Active Directory
  - Azure
category: Configuration Weakness
description: Microsoft highly recommends that you roll over the Entra ID SSO Kerberos decryption key at least every 30 days.
query: |-
  MATCH (n:Computer)
  WHERE n.name STARTS WITH "AZUREADSSOACC."
  AND n.pwdlastset < (datetime().epochseconds - (30 * 86400))
  RETURN n
revision: 1
resources: https://learn.microsoft.com/en-us/entra/identity/hybrid/connect/how-to-connect-sso-faq#how-can-i-roll-over-the-kerberos-decryption-key-of-the--azureadsso--computer-account-
acknowledgements: Martin Sohn Christensen, @martinsohndk
```
Whenever new queries are added, the syntax is automatically validated, ensuring that only syntactically compatible queries are added.
One of BloodHound’s key features is its flexibility through Cypher queries – a query language to search the BloodHound graph database.
Queries can answer anything from simple questions (e.g., "Which users haven’t reset their passwords in 180 days?"), to complex identity attack path problems (e.g., "Which low-privileged users can compromise computers hosting a gMSA with unconstrained delegation?").
The library gives you practical examples for learning Cypher and can be combined with these resources:
You can also learn with the community by joining the #cypher_queries channel in the BloodHound community Slack.
Command line usage is easy with the BloodHound Operator PowerShell module.
First load the Queries.json:

```powershell
$queries = Invoke-RestMethod "https://github.com/SpecterOps/BloodHoundQueryLibrary/releases/latest/download/Queries.json"
```
Example: Run a query in BloodHound:

```powershell
$queries[0] | BHInvoke

Name : Tier Zero / High Value external Entra ID users
Query : MATCH (n:AZUser)
WHERE ((n:Tag_Tier_Zero) OR COALESCE(n.system_tags, '') CONTAINS 'admin_tier_0')
AND n.name CONTAINS '#EXT#@'
RETURN n
LIMIT 100
Result : {@{label=ASADMIN_PHANTOMCORP.ONMICROSOFT.COM#EXT#@PHANTOMCORP.ONMICROSOFT.COM; kind=AZUser; objectId=D5C8A563-34C0-41EB-BC89-14
A2ECB4CA62; isTierZero=True; isOwnedObject=False; lastSeen=2025-06-17T13:29:14.601282321Z; properties=}, @{label=RHADMIN_PHANTO
MCORP.ONMICROSOFT.COM#EXT#@PHANTOMCORP.ONMICROSOFT.COM; kind=AZUser; objectId=C1C0F17B-58F1-4B04-B50C-2B194B74E75D; isTierZero=
True; isOwnedObject=False; lastSeen=2025-06-17T13:29:24.198Z; properties=}}
Count : 1
Timestamp : 17-06-2025 13:55:27
Duration : 00:00:00.0265562
```
Example: Import a few queries to BloodHound's Custom Searches:

```powershell
$queries[0..4] | New-BHPathQuery
```
Example: Test all queries, recording the run time and any error per query:

```powershell
$results = [System.Collections.ArrayList]::new()
$queries | % {
    # Capture the current query and reset per-iteration state so a failed
    # query does not report the previous query's result.
    $query = $_
    $result = $null
    $errorMsg = $null
    "$($results.Count + 1)/$($queries.Count) $($query.name)"
    $results.Add([PSCustomObject]@{
        Name   = $query.name
        Time   = (Measure-Command {
            try {
                $result = $query | BHInvoke -WarningAction "Stop"
            } catch {
                $errorMsg = $_.Exception.Message
            }
        }).TotalSeconds
        Result = $result
        Error  = $errorMsg
    }) | Out-Null
}
```
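As an added example (not part of the query library or the BloodHound Operator module), the following PowerShell checks the combined Queries.json against the fields of the YAML structure above before importing a subset; `Get-QueryLibraryIssue` is a hypothetical function name, and the category and platform filters are illustrative.

```powershell
# Added example: structural checks on Queries.json before a bulk import.
# Field names follow the YAML query structure; the function name is hypothetical.
function Get-QueryLibraryIssue {
    param([Parameter(Mandatory)][object[]]$Queries)

    $required  = 'name', 'guid', 'prebuilt', 'platforms', 'category', 'description', 'query', 'revision'
    $seenGuid  = @{}
    $seenName  = @{}

    foreach ($q in $Queries) {
        $label = if ($q.name) { $q.name } else { '<unnamed>' }

        # Every query must carry the fields the YAML structure defines.
        foreach ($field in $required) {
            if ($null -eq $q.$field -or "$($q.$field)" -eq '') {
                [PSCustomObject]@{ Query = $label; Issue = "missing field '$field'" }
            }
        }

        # GUIDs must be well-formed and unique across the whole library.
        $parsed = [guid]::Empty
        if (-not [guid]::TryParse([string]$q.guid, [ref]$parsed)) {
            [PSCustomObject]@{ Query = $label; Issue = "malformed guid '$($q.guid)'" }
        } elseif ($seenGuid.ContainsKey($parsed)) {
            [PSCustomObject]@{ Query = $label; Issue = "duplicate guid, also used by '$($seenGuid[$parsed])'" }
        } else {
            $seenGuid[$parsed] = $label
        }

        if ($seenName.ContainsKey($label)) {
            [PSCustomObject]@{ Query = $label; Issue = 'duplicate name' }
        } else { $seenName[$label] = $true }

        # Library queries read the graph; flag write clauses for manual review.
        if ([string]$q.query -match '(?i)\b(CREATE|MERGE|DELETE|SET|REMOVE)\b') {
            [PSCustomObject]@{ Query = $label; Issue = 'contains a Cypher write clause' }
        }
    }
}

$queries = Invoke-RestMethod "https://github.com/SpecterOps/BloodHoundQueryLibrary/releases/latest/download/Queries.json"
$issues  = Get-QueryLibraryIssue -Queries $queries
$issues | Format-Table -AutoSize

# Import only clean, non-prebuilt Active Directory queries from one category.
$flagged = $issues.Query
$queries |
    Where-Object { -not $_.prebuilt -and $_.platforms -contains 'Active Directory' -and
                   $_.category -eq 'Configuration Weakness' -and $flagged -notcontains $_.name } |
    New-BHPathQuery
```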
The BloodHound Query Library's success depends on community participation. BloodHound users who have developed useful queries are encouraged to contribute them to the library.
Before committing, please ensure that:
- The query follows the YAML query structure.
- The query is compatible with the latest BloodHound CE version.
- The query passes all automated CI/CD tests.