BLOODHOUND MCP TOOLS

106 tools from the BloodHound MCP server, categorised by risk level.

READ 105 tools
Read computers_with_most_sessions - [WIP] Computers with Most Sessions [Required: sessions]
Read find_all_enabled_as_rep_roastable_users - Find all enabled AS-REP roastable user(s)
Read find_all_enabled_kerberoastable_users - Find all enabled kerberoastable user(s)
Read find_all_owned_groups_granting_network_share_access - Find all owned groups that grant access to network shares
Read find_allshortestpaths_with_dcsync_to_domain - Find allshortestpaths with DCSync to domain object
Read find_allshortestpaths_with_shadow_credential_permission - Find allshortestpaths with Shadow Credential permission to principal(s)
Read find_azure_app_owners_with_dangerous_rights - Owned: [WIP] Find all Owners of Azure Applications with Owners to Service Principals with Dangerous Rights ...
Read find_enabled_certificate_templates - Find enabled Certificate Template(s) [Required: Certipy]
Read find_owned_users_with_azure_tenancy_access - Owned: [WIP] Find all owned user with privileged access to Azure Tenancy (Required: azurehound)
Read find_owned_users_with_group_granted_azure_access - Owned: [WIP] Find all owned user where group membership grants privileged access to Azure Tenancy (Required...
Read find_paths_dangerous_rights_to_adminsdholder - Find allshortestpaths with dangerous rights to AdminSDHolder object
Read list_all_aad_groups_synchronized_with_ad - [WIP] List all AAD Group(s) that are synchronized with AD (Required: azurehound)
Read list_all_ad_principals_with_edges_to_azure_principals - [WIP] List all AD principal(s) with edge(s) to Azure principal(s) (Required: azurehound)
Read list_all_authenticated_users_group_memberships - list_all_authenticated_users_group_memberships
Read list_all_certificate_templates - List all Certificate Template(s) [Required: Certipy]
Read list_all_cross_domain_user_sessions_and_memberships - List all cross-domain user session(s) and user group membership(s)
Read list_all_domain_users_group_memberships - list_all_domain_users_group_memberships
Read list_all_enabled_azure_users - List all enabled Azure User(s) (Required: azurehound)
Read list_all_enabled_azure_users_group_memberships - List all enabled Azure User(s) Azure Group membership(s) (Required: azurehound)
Read list_all_enabled_users_logged_in_last_90_days - List all enabled user(s) that logged in within the last 90 days
Read list_all_enabled_users_never_logged_in - List all enabled user(s) but never logged in
Read list_all_enabled_users_set_password_last_90_days - List all enabled user(s) that set password within the last 90 days
Read list_all_enabled_users_with_foreign_group_membership - List all enabled user(s) with foreign group membership
Read list_all_enabled_users_with_no_password_required - list_all_enabled_users_with_no_password_required
Read list_all_enabled_users_with_password_never_expires - list_all_enabled_users_with_password_never_expires
Read list_all_enabled_users_with_userpassword_attribute - list_all_enabled_users_with_userpassword_attribute
Read list_all_enrollment_rights_for_certificate_templates - [WIP] List all Enrollment Right(s) for Certificate Template(s)
Read list_all_gpos - List all GPO(s)
Read list_all_groups - List all group(s)
Read list_all_owned_computers - List all owned computer(s)
Read list_all_owned_enabled_users - List all owned & enabled user(s)
Read list_all_owned_enabled_users_with_email - List all owned & enabled user(s) with an email address
Read list_all_owned_enabled_users_with_rdp_and_sessions - list_all_owned_enabled_users_with_rdp_and_sessions
Read list_all_owned_enabled_users_with_sqladmin - list_all_owned_enabled_users_with_sqladmin
Read list_all_owned_users - List all owned user(s)
Read list_all_principals_used_for_syncing_ad_and_aad - [WIP] List all principal(s) used for syncing AD and AAD
Read list_all_principals_with_local_admin_permission - list_all_principals_with_local_admin_permission
Read list_all_principals_with_rdp_permission - list_all_principals_with_rdp_permission
Read list_all_principals_with_sqladmin_permission - list_all_principals_with_sqladmin_permission
Read list_all_tenancy - List all Tenancy (Required: azurehound)
Read list_all_user_sessions - List all user session(s) [Required: sessions]
Read list_all_users_with_description_field - List all user(s) with description field
Read list_certificate_authority_servers - List Certificate Authority server(s) [Required: Certipy]
Read list_computers_without_laps - List computer(s) WITHOUT LAPS
Read list_custom_privileged_groups - List custom privileged group(s)
Read list_domain_computers - List domain computer(s)
Read list_domain_controllers - List domain controller(s)
Read list_domain_trusts - List domain trust(s)
Read list_domains - List domain(s)
Read list_en_svc_accts_priv_grp_mems - List all enabled SVC account(s) with privileged group membership(s)
Read list_enabled_non_privileged_users_with_local_admin - list_enabled_non_privileged_users_with_local_admin
Read list_enabled_non_privileged_users_with_rdp - list_enabled_non_privileged_users_with_rdp
Read list_enabled_non_privileged_users_with_rdp_and_sessions - list_enabled_non_privileged_users_with_rdp_and_sessions
Read list_enabled_non_privileged_users_with_sqladmin - list_enabled_non_privileged_users_with_sqladmin
Read list_enabled_principals_with_constrained_delegation - list_enabled_principals_with_constrained_delegation
Read list_enabled_principals_with_unconstrained_delegation - list_enabled_principals_with_unconstrained_delegation
Read list_enabled_users - List enabled user(s)
Read list_enabled_users_pwd_never_expires_unchanged_1yr - list_enabled_users_pwd_never_expires_unchanged_1yr
Read list_enabled_users_with_email - List enabled user(s) with an email address
Read list_esc1_vulnerable_certificate_templates - List ESC1 vulnerable Certificate Template(s) [Required: Certipy]
Read list_esc2_vulnerable_certificate_templates - List ESC2 vulnerable Certificate Template(s) [Required: Certipy]
Read list_esc3_vulnerable_certificate_templates - List ESC3 vulnerable Certificate Template(s) [Required: Certipy]
Read list_esc4_vulnerable_certificate_templates - List ESC4 vulnerable Certificate Template(s) [Required: Certipy]
Read list_esc6_vulnerable_certificate_templates - List ESC6 vulnerable Certificate Template(s) [Required: Certipy]
Read list_esc7_vulnerable_certificate_templates - List ESC7 vulnerable Certificate Template(s) [Required: Certipy]
Read list_esc8_vulnerable_certificate_templates - List ESC8 vulnerable Certificate Template(s) [Required: Certipy]
Read list_high_value_targets - List high value target(s)
Read list_network_shares_ignoring_sysvol - List network share(s), ignoring SYSVOL
Read list_non_managed_service_accounts - List non-managed service account(s)
Read list_non_priv_users_with_admin_and_sessions - list_non_priv_users_with_admin_and_sessions
Read list_own_en_usrs_local_adm_sess - list_own_en_usrs_local_adm_sess
Read list_principals_with_azure_tenancy_access - [WIP] List all principal(s) with privileged access to Azure Tenancy (Required: azurehound)
Read list_privileged_users_without_protected_users - list_privileged_users_without_protected_users
Read list_privileges_for_certificate_authority_servers - [WIP] List privileges for Certificate Authority server(s) [Required: Certipy]
Read non_privileged_users_with_dangerous_permissions - List non-privileged user(s) with dangerous permissions to any node type
Read route_all_owned_enabled_group_memberships - Route all owned & enabled group membership(s)
Read route_all_owned_enabled_non_privileged_group_memberships - Route all owned & enabled non-privileged group(s) membership
Read route_all_owned_enabled_privileged_group_memberships - Route all owned & enabled privileged group(s) membership
Read route_all_sessions_to_computers - Route all sessions to computers (Required: sessions)
Read route_all_sessions_to_computers_without_laps - Route all sessions to computers WITHOUT LAPS (Required: sessions)
Read route_azure_users_with_dangerous_rights_to_users - [WIP] Route from Azure User principal(s) that have dangerous rights to Azure User and User principal(s) (Re...
Read route_from_owned_enabled_principals_to_high_value_targets - Route from owned & enabled principals to high value target(s)
Read route_non_priv_comps_dangerous_rights_to_comps - Route non-privileged computer(s) with dangerous rights to computer(s) [HIGH RAM]
Read route_non_priv_comps_dangerous_rights_to_gpos - Route non-privileged computer(s) with dangerous rights to GPO(s) [HIGH RAM]
Read route_non_priv_comps_dangerous_rights_to_groups - Route non-privileged computer(s) with dangerous rights to group(s) [HIGH RAM]
Read route_non_priv_comps_dangerous_rights_to_priv_nodes - Route non-privileged computer(s) with dangerous rights to privileged node(s) [HIGH RAM]
Read route_non_priv_comps_dangerous_rights_to_users - Route non-privileged computer(s) with dangerous rights to user(s) [HIGH RAM]
Read route_non_priv_users_dangerous_rights_to_comps - Route non-privileged user(s) with dangerous rights to computer(s) [HIGH RAM]
Read route_non_priv_users_dangerous_rights_to_priv_nodes - Route non-privileged user(s) with dangerous rights to privileged node(s) [HIGH RAM]
Read route_non_priv_usrs_dang_rts_grps - Route non-privileged user(s) with dangerous rights to group(s) [HIGH RAM]
Read route_non_privileged_users_with_dangerous_permissions - Route non-privileged user(s) with dangerous permissions to any node type
Read route_non_privileged_users_with_dangerous_rights_to_gpos - Route non-privileged user(s) with dangerous rights to GPO(s) [HIGH RAM]
Read route_non_privileged_users_with_dangerous_rights_to_users - Route non-privileged user(s) with dangerous rights to user(s) [HIGH RAM]
Read route_own_en_usrs_dang_rts_usrs - Route all owned & enabled user(s) with Dangerous Rights to user(s)
Read route_own_en_usrs_unconst_del - route_own_en_usrs_unconst_del
Read route_owned_users_dangerous_rights_to_any - Route all owned & enabled user(s) with Dangerous Rights to any node type
Read route_owned_users_dangerous_rights_to_groups - Route all owned & enabled user(s) with Dangerous Rights to group(s)
Read route_principals_to_azure_apps_and_sps - [WIP] Route all principal(s) that have control permissions to Azure Application(s) running as Azure Service...
Read route_principals_to_azure_vm - [WIP] Route from principal(s) to Azure VM (Required: azurehound)
Read route_principals_to_global_administrators - [WIP] Route from principal(s) to principal(s) with Global Administrator permissions (Required: azurehound)
Read route_priv_users_sessions_to_non_priv_comps - Route all privileged user(s) with sessions to non-privileged computer(s) [Required: sessions]
Read route_user_principals_to_azure_service_principals - [WIP] Route all user principal(s) that have control permissions to Azure Service Principals (AzSP), and rou...
Read users_with_most_cross_domain_sessions - [WIP] Users with most cross-domain sessions [Required: sessions]
Read users_with_most_local_admin_rights - [WIP] Users with Most Local Admin Rights
Read users_with_most_sessions - [WIP] Users with Most Sessions [Required: sessions]

Route BloodHound MCP through PolicyLayer and every one of its 106 tools is checked against your policy before it runs.


Enforced before the call runs. Nothing to install.

How many tools does the BloodHound MCP server have?

The BloodHound MCP server exposes 106 tools across 2 categories: Read, Execute.

How do I enforce policies on BloodHound MCP tools?

Route the BloodHound MCP server through the PolicyLayer gateway. Define allow, deny, or approval rules per tool in the dashboard; they are enforced on every call before it reaches the server.

What risk categories do BloodHound MCP tools fall into?

BloodHound MCP tools are categorised as Read (105), Execute (1). Each category has a recommended default policy.

Enforce policy on every BloodHound MCP tool call.

Deterministic rules across all 106 BloodHound MCP tools. Per-identity grants. Full audit log. Live in minutes. Nothing to install.

Free to start. No card required.

42,500+ MCP servers and 110,000+ tools scanned and risk-classified.
