> ## Documentation Index
> Fetch the complete documentation index at: https://docs.bytejmp.com/llms.txt
> Use this file to discover all available pages before exploring further.

# Custom Queries

> How to import and manage custom BloodHound Cypher query lists.

## Query File Location

```bash theme={"dark"}
# BloodHound CE (web app — stored in browser localStorage)
# Legacy BloodHound (Electron app)
~/.config/bloodhound/customqueries.json
```

```powershell theme={"dark"}
# Windows
%APPDATA%\bloodhound\customqueries.json
```

***

## Import Community Query Lists

Download and apply ZephrFish's BloodHound Custom Queries.

```bash theme={"dark"}
curl -o ~/.config/bloodhound/customqueries.json \
  https://raw.githubusercontent.com/ZephrFish/Bloodhound-CustomQueries/main/customqueries.json
```

ly4k's (Certipy) fork ships its queries built-in as prebuilt queries — there is no root-level `customqueries.json` to download from that repo.

Merge multiple query files with jq.

```bash theme={"dark"}
jq -s 'map(.queries) | add | {queries: .}' file1.json file2.json > merged.json
```

***

## BloodHound CE — Import via UI API

Create a saved query in BloodHound CE via API. Use **POST** to create (PUT is only for updating an existing query at `/saved-queries/{id}`). The CE API takes a single query object (`name`, `query`, `description`) — it does **not** accept the legacy `customqueries.json` schema, so you must send one query at a time.

```bash theme={"dark"}
curl -X POST http://localhost:8080/api/v2/saved-queries \
  -H "Authorization: Bearer <token>" \
  -H "Content-Type: application/json" \
  -d '{"name":"Find Kerberoastable Admins","query":"MATCH (u:User {hasspn:true}) RETURN u","description":""}'
```

List saved queries.

```bash theme={"dark"}
curl http://localhost:8080/api/v2/saved-queries \
  -H "Authorization: Bearer <token>"
```

Delete a saved query by ID.

```bash theme={"dark"}
curl -X DELETE http://localhost:8080/api/v2/saved-queries/<query-id> \
  -H "Authorization: Bearer <token>"
```

***

## Custom Query File Format

```json theme={"dark"}
{
  "queries": [
    {
      "name": "Find Kerberoastable Admins",
      "queryList": [
        {
          "final": true,
          "query": "MATCH (u:User {hasspn: true})-[:MemberOf*1..]->(g:Group) WHERE g.name =~ '(?i).*admin.*' RETURN u.name"
        }
      ]
    }
  ]
}
```

***

## Useful Community Lists

| Repository                                                                                  | Focus             |
| ------------------------------------------------------------------------------------------- | ----------------- |
| [ZephrFish/Bloodhound-CustomQueries](https://github.com/ZephrFish/Bloodhound-CustomQueries) | General purpose   |
| [ly4k/BloodHound](https://github.com/ly4k/BloodHound)                                       | Extended queries  |
| [mgeeky/Penetration-Testing-Tools](https://github.com/mgeeky/Penetration-Testing-Tools)     | Offensive focused |
| [CompassSecurity/BloodHoundQueries](https://github.com/CompassSecurity/BloodHoundQueries)   | Compass Security  |

***

## References

* [BloodHound CE — Custom Queries Docs](https://support.bloodhoundenterprise.io/hc/en-us/articles/17481394564251)
* [Neo4j Cypher Manual](https://neo4j.com/docs/cypher-manual/current/)
