PrivHound

Local Privilege Escalation, as a Graph.

A BloodHound OpenGraph collector that models Windows local privilege escalation as interconnected attack paths not a wall of text.

The Problem

For a long time, BloodHound has proven that attackers think in graphs, transforming Active Directory misconfigurations from static checklists into explorable attack paths. Yet when it comes to local privilege escalation, the industry is still stuck in 2015: run a tool, read a wall of text, manually connect the dots or have LLM do it for you :P

WinPEAS, PowerUp, and Seatbelt are excellent at finding individual misconfigurations, but they cannot answer questions like:

• "Does this writable Program Files directory actually lead to SYSTEM because a service runs a binary from it?"
• "Does this PowerShell history file contain credentials that are valid for a local admin?"
• "Can I read another user's profile, find their stored credentials, log in as them, and exploit a service they have write access to?"

These tools report findings in isolation. In reality, privilege escalation is a multi-step chain where one finding feeds into another. A writable directory means nothing if no service runs from it. A credential in a history file means nothing if it doesn't belong to a privileged user. The real question is never "what misconfigurations exist?" — it's "what can I actually reach from here?"

If Active Directory attacks can be thought of as a graph, why not local privilege escalation?

The Solution

PrivHound changes this by modeling local privilege escalation as a graph. Built on BloodHound's OpenGraph framework, it enumerates 29 categories of Windows privilege escalation vectors, from weak service permissions to COM hijacking to WebClient relay and outputs them as interconnected nodes and edges.

The result: multi-hop escalation chains become visible, queryable with Cypher, and overlayable on top of existing Active Directory attack paths.

Example: Your current user can read the profile of another user on the machine. That profile contains cleartext credentials stored on their desktop for a third user. That third user has write permission to a service binary running as Administrator. No existing tool connects these dots. PrivHound does automatically.

CurrentUser ─PHCanAccessProfile─→ OtherUser's Profile
  ─PHProfileContains─→ .git-credentials ─PHContainsCreds─→ ...
    ─PHCanLoginAs─→ UserX ─PHCanWriteBinary─→ VulnService ─PHRunsAs─→ SYSTEM

What It Checks

Multi-Hop Attack Paths

This is what separates PrivHound from traditional privesc tools. Instead of listing findings in isolation, PrivHound connects them into exploitable chains:

Cross-User Privilege Escalation

When PrivHound discovers valid credentials for other local users (via GPP passwords, AutoLogon, unattend files, PowerShell history, cross-user profiles, etc.), it doesn't stop at creating a PHCanLoginAs edge. It analyzes what those discovered users can actually do.

How it works (no SeImpersonatePrivilege required):

1. LogonUser obtains a token handle for each discovered user
2. GetTokenInformation extracts group memberships (SIDs) and token privileges
3. ACL checks run using the discovered user's groups — not the current user's
4. Edges are created from the discovered user's node to any vulnerable resources they can access
5. The token is closed — no impersonation occurs, no elevated privileges needed

What it checks for each discovered user:

All cross-user edges include a discovered_via="credential" property for filtering.

Quick Start

1. Run PrivHound on target

# Basic collection
.\PrivHound.ps1

# Custom output path
.\PrivHound.ps1 -OutputPath C:\Temp\privhound.json

# Skip specific checks
.\PrivHound.ps1 -SkipChecks "ScheduledTasks","Autoruns"

# Skip credential validation (no logon attempts)
.\PrivHound.ps1 -NoCredTest

2. Register custom node icons (once per BH instance)

Custom icons give your nodes distinct visuals instead of the default "?" icon.

# Generate the icon definition file
.\PrivHound.ps1 -OutputFormat BloodHound-customnodes
# → Outputs privhound_customnodes.json

# Upload to BloodHound CE
.\tests\Upload-CustomNodes.ps1 -Token "<JWT_TOKEN>"

# Or with a remote BH instance
.\tests\Upload-CustomNodes.ps1 -BHUrl "http://192.168.1.50:8080" -Token "<JWT_TOKEN>"

curl -X POST http://localhost:8080/api/v2/custom-nodes \
  -H "Authorization: Bearer <JWT_TOKEN>" \
  -H "Content-Type: application/json" \
  -H "Prefer: wait=30" \
  -d @privhound_customnodes.json

3. Upload OpenGraph data to BloodHound

• Navigate to Administration → File Ingest
• Drag and drop privhound_<HOSTNAME>_<timestamp>.json
• Wait for ingest to complete

4. Query in BloodHound

Important: OpenGraph custom data is Cypher-only. The BH pathfinding UI (search bar → shortest path) does not work for custom nodes. Use the Cypher tab in Explore.

// All privesc paths to SYSTEM
MATCH p=(u:PHUser)-[*1..5]->(t:PHPrivTarget)
WHERE t.account = "NT AUTHORITY\\SYSTEM"
RETURN p

// Full PrivHound graph
MATCH p=()-[r]->() WHERE type(r) STARTS WITH "PH"
RETURN p

// Cross-user credential chain to admin
MATCH p=(u:PHUser)-[*1..6]->(t:PHPrivTarget)
WHERE any(r IN relationships(p) WHERE type(r) = "PHCanAccessProfile")
  AND any(r IN relationships(p) WHERE type(r) = "PHCanLoginAs")
RETURN p

See queries/privhound_queries.cypher for 50+ prebuilt queries covering every attack path category.

Sample Output

Multi-Endpoint Collection

# On each host
.\PrivHound.ps1 -OutputPath ".\privhound_$env:COMPUTERNAME.json"

# Collect all JSONs and upload together
Compress-Archive -Path .\privhound_*.json -DestinationPath privhound_all.zip

Each endpoint gets its own set of nodes (IDs are hostname-scoped), so data from multiple hosts coexists cleanly in the same graph.

// Find all endpoints with SYSTEM-level privesc paths
MATCH (u:PHUser)-[*1..5]->(t:PHPrivTarget)
WHERE t.account = "NT AUTHORITY\\SYSTEM"
RETURN u.hostname AS Endpoint, count(*) AS PathCount
ORDER BY PathCount DESC

Combining with SharpHound Data

The real power is overlaying PrivHound on existing AD attack paths:

// AD user → local session → privesc → SYSTEM
MATCH (adUser:User)-[:HasSession]->(comp:Computer)
MATCH (phu:PHUser)-[*1..5]->(target:PHPrivTarget)
WHERE target.account = "NT AUTHORITY\\SYSTEM"
  AND phu.hostname = comp.name
RETURN adUser.name, comp.name, target.account

This reveals scenarios like: "The intern's AD account has a session on SERVER01 where a writable service binary gives them SYSTEM — from there, DCSync the domain."

Graph Model

Node Kinds

Edge Kinds

Requirements

• Target: Windows PowerShell 5.1+ or PowerShell 7+
• Privileges: Standard user (most checks). Some checks benefit from local admin.
• BloodHound: CE v8.0.0+ with PostgreSQL backend, or BloodHound Enterprise

Project Structure

PrivHound/
├── PrivHound.ps1                      # Main collector script
├── privhound_customnodes.json         # Custom node icons for BloodHound UI
├── queries/
│   └── privhound_queries.cypher       # 50+ prebuilt Cypher queries
├── tests/
│   ├── Setup-VulnLab.ps1             # Create vulnerable lab environment
│   ├── Teardown-VulnLab.ps1          # Clean up lab artifacts
│   └── Upload-CustomNodes.ps1        # Upload custom node icons to BH CE
└── README.md

Extending PrivHound

Adding a new check:

1. Create a function Check-YourNewCheck
2. Add nodes with Add-PHNode (use PH prefix for kinds)
3. Add edges with Add-PHEdge (use PH prefix for edge kinds)
4. Add findings with Add-PHFinding
5. Register the check in the $checks array in Invoke-PrivHound
6. Add the new kind to Get-CustomNodeKinds

function Check-NewVector {
    Write-PHStatus "Checking new vector..."
    $nodeId = New-PHId "newtype" "unique-name"
    Add-PHNode -Id $nodeId -Kinds @("PHNewType") -Properties @{
        name     = "Finding@$Script:HOSTNAME"
        objectid = $nodeId
        hostname = $Script:HOSTNAME
    }
    Add-PHEdge -StartId $Script:CurrentUserId -EndId $nodeId -Kind "PHCanExploitNew"
    Add-PHEdge -StartId $nodeId -EndId $Script:SystemNodeId -Kind "PHEscalatesTo"
    Add-PHFinding "NewVector" "HIGH" "Description" "Abuse command"
}