BloodHoundAnalyzer is a bash script designed to automate the deployment, data import, and analysis of BloodHound CE (Community Edition), an Active Directory (AD) security tool. This script facilitates the setup and management of BloodHound CE containers, import of data, and running various analysis tools on the collected data.
- Multi-Domain Support: Deploy separate BloodHound CE instances for different domains
- Automated Container Management: Start, stop, and clean BloodHound CE containers with custom naming
- Custom Port Configuration: Configure custom ports for Neo4j and BloodHound web interface
- Automatic Password Management: Automatically reset admin password to a standard password
- Multiple Data Import Formats: Import .zip files, .json files, or folders containing JSON files
- Integrated Analysis Tools: Run AD-miner, GoodHound, Ransomulator, and BloodHound QuickWin
- Project Listing: View all deployed BloodHound projects and their status
Before using BloodHoundAnalyzer, ensure you have the following installed:
- Python 3 with venv support
- Docker Desktop (includes Docker Compose)
- Linux environment (tested on Ubuntu/Debian) or WSL2 on Windows
Run the install.sh script to install the required tools:
- bloodhound-cli: BloodHound CE command-line interface
- AD-miner: Generates comprehensive AD security reports
- GoodHound: Identifies high-value attack paths
- Ransomulator: Simulates ransomware attack paths
- BloodHound QuickWin: Quick analysis script
- PlumHound: Task-based analysis tool
chmod +x ./install.sh
./install.sh

Run the script with one or more modules as detailed below:

chmod +x ./BloodHoundAnalyzer.sh
./BloodHoundAnalyzer.sh [OPTIONS]

- -d, --domain DOMAIN
  Specify the AD domain to analyze (required for most operations).
  Containers will be named: <domain>-graph-db-1, <domain>-app-db-1, <domain>-bloodhound-1
- -o, --output OUTPUT_DIR
  Specify the directory where analysis results will be saved.
  Default: /opt/BA_output
- -D, --data DATA_PATH
  Specify the path to BloodHound data:
  - .zip file (SharpHound/AzureHound collection)
  - .json file (single collection file)
  - Folder containing .json files
- -M, --modules MODULES
  Comma-separated modules to execute:
  - list: List all deployed BloodHound projects and their status
  - start: Start BloodHound CE containers for the specified domain
  - import: Import BloodHound data (automatically starts containers if needed)
  - analyze: Run analysis tools (AD-miner, GoodHound, Ransomulator, BloodHound QuickWin)
  - stop: Stop BloodHound CE containers (preserves data volumes)
  - clean: Remove BloodHound CE containers, volumes, and project data
- --bolt-port PORT
  Specify Neo4j Bolt port (default: 7687)
- --neo4j-port PORT
  Specify Neo4j HTTP port (default: 7474)
- --web-port PORT
  Specify BloodHound web interface port (default: 7080)
- -h, --help
  Display the help message
./BloodHoundAnalyzer.sh -M list

./BloodHoundAnalyzer.sh -M start -d contoso.local

Access at: http://127.0.0.1:7080/ui/login
- Username: admin
- Password: BloodHound2025!@ (automatically set)

./BloodHoundAnalyzer.sh -M start -d contoso.local --bolt-port 7688 --neo4j-port 7475 --web-port 7081

Import a ZIP file:
./BloodHoundAnalyzer.sh -M import -d contoso.local -D /path/to/bloodhound_data.zip

Import JSON files from a folder:
./BloodHoundAnalyzer.sh -M import -d contoso.local -D /path/to/json_folder/

./BloodHoundAnalyzer.sh -M analyze -d contoso.local -o /opt/reports

This will generate:
- AD-miner HTML report in ADMinerReport_contoso.local/
- GoodHound analysis in GoodHound_contoso.local/
- BloodHound QuickWin output in bhqc_contoso.local.txt
- Ransomulator results in ransomulator_contoso.local.txt

./BloodHoundAnalyzer.sh -M import,analyze -d contoso.local -D /path/to/data.zip -o /opt/reports

./BloodHoundAnalyzer.sh -M stop -d contoso.local
Note: Volumes are preserved for restart

./BloodHoundAnalyzer.sh -M clean -d contoso.local
Warning: This removes containers, volumes, and project data permanently!
Deploy and manage multiple domains simultaneously:
# Deploy first domain
./BloodHoundAnalyzer.sh -M start -d corp.local --web-port 7080
# Deploy second domain with different ports
./BloodHoundAnalyzer.sh -M start -d dev.local --web-port 7081 --bolt-port 7688 --neo4j-port 7475
# List all projects
./BloodHoundAnalyzer.sh -M list

/opt/BA_tools/
├── bloodhound-cli              # BloodHound CE CLI
├── .venv/                      # Python virtual environment
├── bhqc.py                     # BloodHound QuickWin script
├── ransomulator.py             # Ransomulator script
└── projects/
    ├── contoso.local/          # Project directory per domain
    │   ├── docker-compose.yml
    │   └── .env
    └── corp.local/
        ├── docker-compose.yml
        └── .env

/opt/BA_output/                 # Analysis output directory
├── contoso.local/
│   ├── ADMinerReport_contoso.local/
│   ├── GoodHound_contoso.local/
│   ├── bhqc_contoso.local.txt
│   └── ransomulator_contoso.local.txt
└── corp.local/
    └── ...
- BloodHound CE Web Interface:
  - URL: http://127.0.0.1:7080/ui/login
  - Username: admin
  - Password: BloodHound2025!@ (automatically configured)
- Neo4j Database (for analysis tools):
  - Bolt: bolt://127.0.0.1:7687
  - Username: neo4j
  - Password: bloodhoundcommunityedition
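
Since the web and Neo4j credentials listed above are fixed values, it is worth confirming that the published ports are reachable only from the local host. The following is an added example, not part of BloodHoundAnalyzer: it reads `docker port` output for the containers named on this page and reports any binding that is not loopback. The function names and the sample lines are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example, not part of BloodHoundAnalyzer.
# Flags published container ports that are bound to a non-loopback address.

# Constructed sample of `docker port` output (not captured from a real host).
SAMPLE_PORTS='8080/tcp -> 127.0.0.1:7080
7687/tcp -> 0.0.0.0:7687
7474/tcp -> [::]:7474'

# check_bindings: reads `docker port <container>` output on stdin, e.g.
#   8080/tcp -> 127.0.0.1:7080
# Prints one "EXPOSED <host-binding> (<container-port>)" line per
# non-loopback binding. Returns 1 if any was found, 0 otherwise.
check_bindings() {
  local exposed=0 cport arrow bind host
  while read -r cport arrow bind; do
    [ "$arrow" = "->" ] || continue      # skip lines that are not mappings
    host=${bind%:*}                      # strip the trailing :port
    case "$host" in
      127.*|"[::1]"|localhost) ;;        # loopback only: nothing to report
      *) echo "EXPOSED $bind ($cport)"; exposed=1 ;;
    esac
  done
  return "$exposed"
}

# audit_domain: checks the three containers this page names for a domain.
# Requires a running Docker daemon; a container with no published ports
# (or one that does not exist) produces no findings.
audit_domain() {
  local domain="$1" rc=0 c
  for c in "$domain-graph-db-1" "$domain-app-db-1" "$domain-bloodhound-1"; do
    docker port "$c" 2>/dev/null | check_bindings || { echo "  in $c"; rc=1; }
  done
  return "$rc"
}
```

Source the file and run `audit_domain contoso.local` after a `start`; a non-zero return means at least one port is bound to an address other than loopback.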
# Check Docker is running
docker ps
# Check container logs
docker logs <domain>-bloodhound-1
# Clean and restart
./BloodHoundAnalyzer.sh -M clean -d domain.local
./BloodHoundAnalyzer.sh -M start -d domain.local

# Check API accessibility
curl http://127.0.0.1:7080/api/version
# Check container logs
docker logs <domain>-bloodhound-1
# Verify data file format (should be .zip or .json)

This project is licensed under the terms of the MIT license.
BloodHoundAnalyzer uses the following tools:
- BloodHound CE - Active Directory security tool
- AD_Miner - AD security analysis and reporting
- GoodHound - Attack path analysis
- Ransomulator - Ransomware simulation
- BloodHound QuickWin - Quick analysis script
- PlumHound - Task-based reporting
lefayjey - GitHub