Skip to main content

Query File Location

# BloodHound CE (web app — stored in browser localStorage)
# Legacy BloodHound (Electron app)
~/.config/bloodhound/customqueries.json
# Windows
%APPDATA%\bloodhound\customqueries.json

Import Community Query Lists

Download and apply ZephrFish’s BloodHound Custom Queries.
curl -o ~/.config/bloodhound/customqueries.json \
  https://raw.githubusercontent.com/ZephrFish/Bloodhound-CustomQueries/main/customqueries.json
ly4k’s (Certipy) fork ships its queries built-in as prebuilt queries — there is no root-level customqueries.json to download from that repo. Merge multiple query files with jq.
jq -s 'map(.queries) | add | {queries: .}' file1.json file2.json > merged.json

BloodHound CE — Import via UI API

Create a saved query in BloodHound CE via API. Use POST to create (PUT is only for updating an existing query at /saved-queries/{id}). The CE API takes a single query object (name, query, description) — it does not accept the legacy customqueries.json schema, so you must send one query at a time.
curl -X POST http://localhost:8080/api/v2/saved-queries \
  -H "Authorization: Bearer <token>" \
  -H "Content-Type: application/json" \
  -d '{"name":"Find Kerberoastable Admins","query":"MATCH (u:User {hasspn:true}) RETURN u","description":""}'
List saved queries.
curl http://localhost:8080/api/v2/saved-queries \
  -H "Authorization: Bearer <token>"
Delete a saved query by ID.
curl -X DELETE http://localhost:8080/api/v2/saved-queries/<query-id> \
  -H "Authorization: Bearer <token>"

Custom Query File Format

{
  "queries": [
    {
      "name": "Find Kerberoastable Admins",
      "queryList": [
        {
          "final": true,
          "query": "MATCH (u:User {hasspn: true})-[:MemberOf*1..]->(g:Group) WHERE g.name =~ '(?i).*admin.*' RETURN u.name"
        }
      ]
    }
  ]
}

Useful Community Lists

RepositoryFocus
ZephrFish/Bloodhound-CustomQueriesGeneral purpose
ly4k/BloodHoundExtended queries
mgeeky/Penetration-Testing-ToolsOffensive focused
CompassSecurity/BloodHoundQueriesCompass Security

References