Skip to main content
Applies to BloodHound Enterprise and CE The OpenGraph library provides a list of projects created by BloodHound community members that extend the coverage of BloodHound utilizing OpenGraph. Have you built a cool project using OpenGraph and want it featured here? Already got your project in the list and need to update something? Open a “Library Change” issue on the BloodHound Docs repo and we’ll get it added for you! Submissions from the community will have a icon next to them while those by SpecterOps employees will have a SpecterOps icon.

OpenGraph Library

All code linked via this library is provided “as is,” without review, approval, or endorsement by SpecterOps, regardless of authorship. It has not been audited for accuracy, security, or fitness for any purpose. Use at your own risk. You are solely responsible for testing, validating, and ensuring the code meets your requirements before use in any environment. SpecterOps is not responsible for any damages, losses, or security issues arising from the use of any linked code.

1PassHound

DescriptionThe 1Password for Business OpenGraph extension lets you bring your 1Password ACL data into BloodHound’s graph‑analysis framework.Whether you’re auditing permissions, responding to incidents, or simply exploring your 1Password configuration, this extension brings clarity, control and rich visualization to your vaults and items.Authors/MaintainersRepo

AnsibleHound

DescriptionAnsibleHound is a BloodHound OpenGraph collector for Ansible AWX and Ansible Tower. The collector is designed to map the structure and permissions of your organization into a navigable attack-path graph.Authors/MaintainersRepo

ManagerOfHound

DescriptionManagerOfHound is an OpenGraph extension for BloodHound that collect manager-subordinate relationships from Active Directory and exports them as custom “ManagerOf” edges for BloodHound ingestion.Some organizations implement self-service portals where managers can control the user accounts of their subordinates (e.g. password resets). This can create implicit privilege escalation paths not captured by the default BloodHound edges. ManagerOfHound makes these hidden relationships visible through OpenGraph, enabling security teams to identify and assess novel attack paths in their environment.Demonstration available in the @SpecterOps #BloodHoundBasics post on XAuthors/MaintainersRepo

IAMhounddog

DescriptionA tool to help pentesters quickly identify privileged principals and second-order privilege escalation opportunities in unfamiliar AWS environments. Creates OpenGraph-compatible IAM to resource models that can be ingested and used in BloodHound CE along with pre-written queries to identify common misconfigurations.Authors/MaintainersRepo

EntraAuthPolicyHound

DescriptionThis PoC community project provides a sample PowerShell script that collects Microsoft Entra ID permissions related to Temporary Access Passes (TAPs) and Passkeys (FIDO2 security keys or mobile devices) and exports the data in BloodHound OpenGraph format.Authors/MaintainersRepo

EntraSSSOHound

DescriptionEntra ID Seamless Single Sign-On (Seamless SSO) is a feature that non-interactively signs users into cloud applications whenever they are connected to Active Directory. EntraSSSOHound extends BloodHound CE with OpenGraph-format coverage, modeling how Active Directory computers can compromise synced Entra ID users through the trust established between the trusted on-premises computer and Entra ID.Authors/MaintainersRepo

GitHound

DescriptionGitHound is a BloodHound OpenGraph collector for GitHub, designed to map your organization’s structure and permissions into a navigable attack‑path graph.With GitHound, you get a clear, interactive graph of your GitHub permissions landscape—perfect for security reviews, compliance audits, and rapid incident investigations.Authors/MaintainersRepo

GitHoundPy

DescriptionA python implementation of the GitHound collector for BloodHound OpenGraph. This project aims to stay in sync with the main PowerShell version.Credit and tons of props to the SpecterOps team for the main implementation, for a detailed breakdown on the features check the main repoAuthors/MaintainersRepo

GCP-Hound

DescriptionGCP-Hound is an open-source security enumeration and privilege escalation discovery tool designed specifically for Google Cloud Platform environments. Built to integrate seamlessly with BloodHound’s OpenGraph framework, it transforms complex GCP IAM relationships into interactive attack graphs.Authors/MaintainersRepo

JamfHound

DescriptionJamfHound is a python3 project designed to collect and identify attack-paths in Jamf Pro tenants for privilege escalation and lateral movement based on existing object permissions. The collector saves data as JSON for ingestion into BloodHound to easily visualize and evaluate the risks of compromise within the Jamf Pro tenant.Authors/MaintainersRepo

OpenGraph DLT (Kubernetes)

DescriptionA lightweight CLI for collecting service-specific resources and turning it into OpenGraph/BloodHound datasets. The long–term goal is to plug in multiple collectors; Kubernetes is the first source and serves as the reference implementation for future integrations. The kubernetes collector makes use of an (embedded) DuckDB database, which may not be needed for your usecase.Authors/MaintainersRepo

MSSQLHound

DescriptionCollects BloodHound OpenGraph compatible data from one or more MSSQL servers into individual temporary files, then zips them in the current directory.Authors/MaintainersRepo

NetworkHound

DescriptionNetworkHound connects to Active Directory Domain Controllers, discovers computer objects, resolves hostnames to IP addresses using multiple DNS methods, performs comprehensive network scanning (port scanning, HTTP/HTTPS validation), and discovers shadow-IT devices. It then builds a detailed network topology graph in OpenGraph JSON format compatible with BloodHound.Authors/MaintainersRepo

PingOneHound

DescriptionPingOne is an identity provider (IDP) product from the Ping Identity Corporation. PingOneHound collects the data necessary to:
  • Identify, analyze, and execute PingOne attack paths
  • Easily audit object-level permissions
Authors/MaintainersRepo

OpenGraph DLT (Rapid7 InsightVM)

DescriptionA lightweight CLI for collecting service-specific resources and turning it into OpenGraph/BloodHound datasets. Specifically the Rapid7 InsightVM collector. This collector allows you to ingest Vulnerability Management data from a local InsightVM machine and display them in a graph. Attack paths “HasVulnerability” indicates if machines are identified to have a certain vulnerability. The collector makes use of an (embedded) DuckDB database, which may not be needed for your use case.Authors/MaintainersRepo

runZeroHound

DescriptionBring runZero Exposure Management into BloodHound via OpenGraph.Read their initial blog post.Authors/MaintainersRepo

SCCM_SQL_Collector

DescriptionPoC script to collect SCCM attack paths from a SCCM site DB. Credits to @sanjivkawa for SQLRecon, which is where most of the scaffolding code to allow for connecting to SQL came from (thanks Sanj!)Authors/MaintainersRepo

SnowHound

DescriptionThe BloodHound extension for Snowflake tenants enables organizations to visualize their Snowflake environment by mapping key elements such as Users, Databases, Roles, Warehouses, and Integrations, along with the permissions that connect them.This provides a comprehensive view of access and potential attack paths within the Snowflake tenant, empowering security teams to identify vulnerabilities and better manage their environment’s security posture.Authors/MaintainersRepo

vCenterHound

DescriptionvCenterHound connects to one or more vCenters, collects infrastructure entities (Datacenter/Cluster/Host/VM/Network/Datastore, etc.) and permissions (Roles/Users/Groups/Assignments), then builds a BloodHound‑compatible JSON graph with Custom Nodes/Edges. The model.json file provides icons and styles for these custom kinds.Authors/MaintainersRepo

TaskHound

DescriptionWindows Privileged Scheduled Task Discovery Tool for fun and profit.TaskHound hunts for Windows scheduled tasks that run with privileged accounts and stored credentials. It enumerates tasks over SMB, parses XMLs, and identifies high-value attack opportunities through BloodHound export support.Authors/MaintainersRepo

OpenGraph Tools

bhopengraph

Description This module provides Python classes for creating and managing graph structures that are compatible with BloodHound OpenGraph. The classes follow the BloodHound OpenGraph schema and best practices. If you don’t know about BloodHound OpenGraph yet, a great introduction can be found here: https://bloodhound.specterops.io/opengraph/best-practices The complete documentation of this library can be found here: https://bhopengraph.readthedocs.io/en/latest/ Authors/Maintainers Repo

BloodHoundOperator

Description PowerShell client for BloodHound Community Edition and BloodHound Enterprise Learn more:
  • Release blog post: BloodHound Operator — Dog Whispering Reloaded
  • Presentation at PowerShell Conference Europe: The Dog Ate My Homework - A new chapter in my BloodHound adventures with PowerShell
Authors/Maintainers Repo

BloodHound OpenGraph Helper Library

Description A Python library for creating BloodHound OpenGraph JSON data that conforms to the BloodHound OpenGraph schema specification. Authors/Maintainers Repo

gopengraph

Description This module provides Go types and helpers for creating and managing graph structures that are compatible with BloodHound OpenGraph. If you don’t know about BloodHound OpenGraph yet, a great introduction can be found here: https://bloodhound.specterops.io/opengraph/best-practices Authors/Maintainers Repo