ManagerOfHound is an OpenGraph extension for BloodHound that collects manager-subordinate relationships from Active Directory and exports them as custom "ManagerOf" edges for BloodHound ingestion.
Some organizations implement self-service portals where managers can control the user accounts of their subordinates (e.g. password resets). This can create implicit privilege escalation paths not captured by the default BloodHound edges. ManagerOfHound makes these hidden relationships visible through OpenGraph, enabling security teams to identify and assess novel attack paths in their environment.
A demonstration is available in the @SpecterOps #BloodHoundBasics post on X.
- PowerShell 3.0+
- Windows with .NET Framework
- Read access to the Manager attribute of users (Authenticated Users has read by default)
- BloodHound v8.0 or above
```shell
git clone https://github.com/martinsohn/ManagerOfHound.git
cd ManagerOfHound
```

Optional: create demo edges if running the GOAD lab.
Demo output from the GOAD lab: `OpenGraph_ManagerOf_20250919110441.json`
```powershell
. .\Set-GOTManagerHierarchy.ps1
Set-GOTManagerHierarchy
```

Load the script and run the collector:

```powershell
. .\ManagerOfHound.ps1

# Run with defaults:
# - Searches entire domain (all OUs)
# - Uses current domain controller
# - Saves to current directory
# - Output file: OpenGraph_ManagerOf_[timestamp].json
Invoke-ManagerOfHound
```

To restrict collection to a specific search base (here the Users container of the GOAD `north` domain):

```powershell
Invoke-ManagerOfHound -SearchBase "CN=Users,DC=north,DC=sevenkingdoms,DC=local"
```

Running the collector generates `OpenGraph_ManagerOf_[timestamp].json` containing:
- Manager-to-subordinate relationships as "ManagerOf" edges
- Node identifiers using Active Directory SIDs
- Metadata for OpenGraph context
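To make the output format and the privilege-escalation idea above concrete, here is an added Python example. It is not ManagerOfHound's own code (the project is PowerShell) and it uses constructed user records in place of an LDAP query. It resolves each user's `manager` distinguished name to the manager's SID (the attribute stores a DN, not a SID, so this lookup is the core of any such collector), emits an OpenGraph document with `ManagerOf` edges keyed by SID, reports managers whose DN cannot be resolved, and then walks the management chain transitively to list every manager who can reach a Tier Zero account, which goes one step beyond the one-hop Tier Zero Cypher query on this page. Assumptions: the JSON layout follows the OpenGraph generic ingest schema as understood here (`graph.nodes[]` with `id`/`kinds`/`properties`, `graph.edges[]` with `kind`/`start`/`end`, a `metadata.source_kind` field); the real tool's metadata fields are not reproduced; the `tier_zero` property stands in for BloodHound's `Tag_Tier_Zero` label, which is normally applied inside BloodHound rather than by the ingest file; all SIDs and account names are constructed.

```python
"""Build an OpenGraph "ManagerOf" export from AD-style user records and
walk the resulting manager chain.

Added example, not ManagerOfHound's own code. Assumptions (labelled):
- USERS is constructed data standing in for an LDAP query returning
  objectSid, distinguishedName and manager for each user.
- The JSON layout follows the OpenGraph generic ingest schema as understood
  here (graph.nodes[].id/kinds/properties, graph.edges[].kind/start/end);
  the real tool's metadata fields are not reproduced.
- The "tier_zero" property stands in for BloodHound's Tag_Tier_Zero label,
  which is normally applied inside BloodHound rather than by the ingest file.
"""
import json
from collections import defaultdict

DOMAIN_SID = "S-1-5-21-1111111111-2222222222-3333333333"   # constructed
BASE_DN = "CN=Users,DC=north,DC=sevenkingdoms,DC=local"


def dn(name):
    """Distinguished name of a user in the sample container."""
    return f"CN={name},{BASE_DN}"


# Constructed sample records. In AD the manager attribute holds the
# manager's distinguishedName, not a SID, so a DN -> SID lookup is needed
# before edges can be keyed by SID. jeor.mormont is deliberately absent
# from the export to show how an unresolvable manager DN is handled.
USERS = [
    {"sid": f"{DOMAIN_SID}-1105", "name": "eddard.stark",  "manager": None,               "tier_zero": False},
    {"sid": f"{DOMAIN_SID}-1106", "name": "robb.stark",    "manager": dn("eddard.stark"), "tier_zero": False},
    {"sid": f"{DOMAIN_SID}-1104", "name": "jon.snow",      "manager": dn("robb.stark"),   "tier_zero": True},
    {"sid": f"{DOMAIN_SID}-1108", "name": "catelyn.stark", "manager": dn("eddard.stark"), "tier_zero": False},
    {"sid": f"{DOMAIN_SID}-1107", "name": "samwell.tarly", "manager": dn("jeor.mormont"), "tier_zero": False},
]


def build_opengraph(users):
    """Return (opengraph_dict, unresolved) where unresolved lists
    (user name, manager DN) pairs whose manager is not in the export."""
    sid_by_dn = {dn(u["name"]): u["sid"] for u in users}
    nodes, edges, unresolved = [], [], []
    for u in users:
        nodes.append({
            "id": u["sid"],                      # node identifier is the SID
            "kinds": ["User"],                   # matches the :User label in the queries
            "properties": {"name": u["name"], "distinguishedname": dn(u["name"]),
                           "tier_zero": u["tier_zero"]},
        })
        if not u["manager"]:
            continue
        manager_sid = sid_by_dn.get(u["manager"])
        if manager_sid is None:
            unresolved.append((u["name"], u["manager"]))
            continue
        edges.append({
            "kind": "ManagerOf",
            "start": {"value": manager_sid, "match_by": "id"},   # assumed edge shape
            "end": {"value": u["sid"], "match_by": "id"},
            "properties": {},
        })
    graph = {"metadata": {"source_kind": "ManagerOfHound"},      # assumed metadata field
             "graph": {"nodes": nodes, "edges": edges}}
    return graph, unresolved


def to_json(graph):
    """Serialise the document as BloodHound would ingest it."""
    return json.dumps(graph, indent=2)


def managers_reaching_tier_zero(graph):
    """Walk ManagerOf edges transitively and return
    {manager SID: sorted list of Tier Zero SIDs reachable down the chain}.
    This is the multi-hop version of the one-hop Tier Zero Cypher query."""
    subordinates = defaultdict(list)
    for edge in graph["graph"]["edges"]:
        subordinates[edge["start"]["value"]].append(edge["end"]["value"])
    tier_zero = {n["id"] for n in graph["graph"]["nodes"] if n["properties"].get("tier_zero")}
    reach = {}
    for manager in subordinates:
        seen, stack, hits = set(), [manager], []
        while stack:                      # iterative DFS; `seen` guards against cycles
            for sub in subordinates.get(stack.pop(), []):
                if sub not in seen:
                    seen.add(sub)
                    stack.append(sub)
                    if sub in tier_zero:
                        hits.append(sub)
        if hits:
            reach[manager] = sorted(hits)
    return reach


if __name__ == "__main__":
    graph, unresolved = build_opengraph(USERS)
    print(to_json(graph))
    for name, manager_dn in unresolved:
        print(f"skipped {name}: manager {manager_dn} not in export")
    for manager, targets in managers_reaching_tier_zero(graph).items():
        print(f"{manager} can reach Tier Zero account(s): {', '.join(targets)}")
```

With the sample data, `eddard.stark` has no direct Tier Zero subordinate and would not appear in the one-hop query, yet the transitive walk shows that his chain (via `robb.stark`) reaches the Tier Zero account `jon.snow`; the unresolved list shows why a collector should report, rather than silently drop, managers whose DN is outside the search base.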
Query the imported edges in BloodHound's Cypher explorer. All manager relationships:

```cypher
MATCH p=(:User)-[:ManagerOf]->(:User)
RETURN p
LIMIT 1000
```

Managers whose direct subordinates are tagged Tier Zero, i.e. the cases where manager-level control of a subordinate's account reaches a privileged account:

```cypher
MATCH p=(:User)-[:ManagerOf]->(n:User)
WHERE (n:Tag_Tier_Zero)
RETURN p
LIMIT 1000
```

MIT License - See LICENSE for details.
