zrnge/Z-Hound

Z-Hound — Reforged


Single-file, browser-based Active Directory attack graph tool for SharpHound and AzureHound collection data.
No server. No install. No Neo4j. Upload a ZIP, get an interactive attack graph.

Built by zrnge


Try It Now

Use it online — no download required:
https://zrnge.github.io/Z-Hound/

Or download index.html and open it locally for fully offline use. In both cases the collection data is parsed and rendered inside the browser and is never uploaded anywhere; the only network requests the page makes are for its CDN-hosted libraries on first load (see Quick Start).


What is it?

Z-Hound is a single HTML file that parses SharpHound and AzureHound ZIPs and renders an interactive attack graph of an Active Directory / Azure environment. It replaces the need to spin up Neo4j and BloodHound for quick triage, portable assessments, and client-site work where you cannot install tooling.

Built for pentesters, red teamers, and defenders who need fast, offline AD analysis with zero infrastructure.



Quick Start

Option  | Steps
Online  | Go to zrnge.github.io/Z-Hound → click Upload ZIP / JSON → select your SharpHound output
Offline | Download index.html → open in browser → click Upload ZIP / JSON → select your SharpHound output

The page pulls Cytoscape.js, JSZip and Tailwind from CDNs on first load; once the browser has cached them, subsequent opens work without a network connection. Offline use therefore depends on that cache surviving (clearing browser data or switching to a different browser profile forces a fresh fetch), so open the page once and confirm the graph renders before relying on it on an air-gapped or client-site machine.


Features

Data Ingestion

  • Upload a SharpHound ZIP (all JSON files processed automatically) or individual JSON files
  • Upload AzureHound ZIP for full Azure / Entra ID analysis
  • Supports SharpHound v3 / v4 / v5 output formats and BloodHound CE graph exports
  • Parses Sessions, PrivilegedSessions, and RegistrySessions
  • Resolves SIDs and GUIDs from both Properties.objectsid and item.ObjectIdentifier
  • Auto-synthesises well-known built-in domain groups that SharpHound does not explicitly collect
  • 500 MB uncompressed / 100,000 node limit per session

Graph Visualisation

  • Interactive graph powered by Cytoscape.js
  • Five layout modes: Concentric (default), Hierarchical (Dagre), Breadth-First, Force-Directed, Grid
  • Node colour and shape coding by type: Users, Groups, Computers, Domains, OUs, GPOs, Cert Templates, and all Azure object types
  • Node size and border glow scale with risk score — the most dangerous objects stand out instantly
  • DCSync-capable principals render in red; high-value targets in gold
  • Click any node to focus and reveal its neighbourhood
  • Box-select, zoom (0.02×–12×), full pan support
  • Short / Full / Type-only label modes; SID overlay toggle

Filters & Quick Views

  • Toggle: Hide Orphans, Structure edges, ACL edges, Exec/Admin edges
  • Quick View dropdown with auto-built categories:
    • Special Analysis: DCSync Principals, High Value Targets + Paths
    • NTLM Relay: SMB Relay Targets, WebClient Hosts, Coerce → Relay Chains (appears automatically when signing/webclient props are present)
    • High-Risk ACLs, Privilege & Exec, Delegation & Trust, ADCS, GPO
    • Vulnerable Attributes (Kerberoastable, AS-REP, Unconstrained Delegation, etc.)
    • Azure / Entra ID group (appears automatically when AzureHound data is loaded)
    • Dynamic "Other Edges" group for unknown edge types

Attack Path Analysis

Pre-built Quick Queries (Paths tab)

Button | What it finds
Kerberoastable | All Kerberoastable users → shortest path to DA
AS-REP | AS-REP Roastable accounts → DA
Unconstrained Deleg | Computers with unconstrained delegation → DA
Constrained Deleg | Constrained delegation targets
RBCD | WriteAccountRestrictions / AddAllowedToAct on computers
Shadow Cred | AddKeyCredentialLink edges
LAPS | ReadLAPSPassword edges
GMSA | ReadGMSAPassword edges
DCSync | All DCSync-capable principals
Writable ACLs | GenericAll / WriteDacl / WriteOwner / GenericWrite
Forest Trusts | Cross-forest trust edges and cross-domain DA paths
ADCS ESC | ESC1–ESC6 certificate template vulnerabilities
Azure GA | Azure Global Admin / Privileged Role Admin holders + on-prem → Azure GA hybrid paths
Relay Targets | SMB signing-disabled computers → DA paths
WebClient | WebClient-running computers (HTTP coerce candidates) → DA paths
⚡ Relay Chain | Full coerce → NTLMRelay → target → DA chains
☠ From Owned | Paths from all nodes marked as compromised

Manual Path Finding

  • Find DA Path — BFS shortest path from any searched node to Domain Admins
  • All Paths — enumerate every User/Computer → DA path, sorted by hop count (Critical ≤2 hops, High ≤4, Medium 5+)
  • Click any path row to highlight it on the graph in red
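The path search described above, as an added example that is not Z-Hound's own code: a single reverse breadth-first search from Domain Admins yields a shortest path for every node that can reach it (instead of one forward BFS per start node), and the hop counts are banded with the Critical ≤2 / High ≤4 / Medium 5+ thresholds quoted above. The edge list, node names and labels are constructed for illustration; the "All Paths" view would additionally restrict start nodes to Users and Computers, which this example leaves out.

```javascript
// Added example (not Z-Hound's own code): shortest paths to Domain Admins via
// one reverse BFS from the target, plus the hop-count severity bands
// (Critical <= 2, High <= 4, Medium 5+). All data below is constructed.

const DA = 'domain admins@corp.local';

// [from, to, label]; direction follows BloodHound semantics
// (User -MemberOf-> Group, User -AdminTo-> Computer, Computer -HasSession-> User).
const EDGES = [
  ['alice@corp.local', 'helpdesk@corp.local', 'MemberOf'],
  ['helpdesk@corp.local', 'bob@corp.local', 'ForceChangePassword'],
  ['bob@corp.local', 'it-admins@corp.local', 'MemberOf'],
  ['it-admins@corp.local', DA, 'MemberOf'],
  ['carol@corp.local', 'ws01.corp.local', 'AdminTo'],
  ['ws01.corp.local', 'da-admin@corp.local', 'HasSession'],
  ['da-admin@corp.local', DA, 'MemberOf'],
  ['dave@corp.local', 'carol@corp.local', 'GenericAll'],
  ['eve@corp.local', 'dave@corp.local', 'WriteDacl'],
  ['eve@corp.local', 'orphan@corp.local', 'GenericWrite'], // dead end, never reaches DA
];

// Reverse adjacency (to -> [{from, label}]) so one BFS rooted at the target
// discovers every node that can reach it.
function reverseAdjacency(edges) {
  const rev = new Map();
  for (const [from, to, label] of edges) {
    if (!rev.has(to)) rev.set(to, []);
    rev.get(to).push({ from, label });
  }
  return rev;
}

// Next-hop pointers: node -> {to, label} on a shortest path to target
// (null for the target itself). Nodes absent from the map cannot reach it.
function nextHopsToTarget(edges, target) {
  const rev = reverseAdjacency(edges);
  const next = new Map([[target, null]]);
  const queue = [target];
  while (queue.length) {
    const cur = queue.shift();
    for (const { from, label } of rev.get(cur) || []) {
      if (!next.has(from)) {          // first visit = shortest distance in BFS
        next.set(from, { to: cur, label });
        queue.push(from);
      }
    }
  }
  return next;
}

function pathFrom(next, start) {
  if (!next.has(start)) return null;  // unreachable: no path to the target
  const hops = [];
  for (let n = start; next.get(n) !== null; n = next.get(n).to) {
    const { to, label } = next.get(n);
    hops.push({ from: n, label, to });
  }
  return hops;
}

function severity(hopCount) {
  if (hopCount <= 2) return 'Critical';
  if (hopCount <= 4) return 'High';
  return 'Medium';
}

// Every node with a path to target, sorted by hop count (the "All Paths" idea).
function allPathsTo(edges, target) {
  const next = nextHopsToTarget(edges, target);
  const starts = new Set(edges.flatMap(([from, to]) => [from, to]));
  starts.delete(target);
  const rows = [];
  for (const start of starts) {
    const hops = pathFrom(next, start);
    if (!hops) continue;
    rows.push({
      start, hops, severity: severity(hops.length),
      text: [start, ...hops.map(h => `-[${h.label}]-> ${h.to}`)].join(' '),
    });
  }
  return rows.sort((a, b) => a.hops.length - b.hops.length);
}

for (const r of allPathsTo(EDGES, DA)) {
  console.log(`${r.severity.padEnd(8)} ${r.hops.length} hops  ${r.text}`);
}
```

The reverse search also answers "Find DA Path" for any searched node in O(1) after the one O(V+E) pass, which matters when the "All Paths" view is run over tens of thousands of principals.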


Risk Scoring

Every node is scored 0–100 automatically:

Flag | Score
DCSync capability | +95
Admin / High Value | +50
Unconstrained Delegation | +60
Constrained Delegation | +30
AS-REP Roastable | +45
Kerberoastable (SPN) | +40
SID History present | +35
WebClient Running | +25
SMB Relay Target | +30
SMBv1 Enabled | +20
Password Never Expires | +20
AdminCount = 1 | +15
Account Disabled | −40
Deleted / Tombstoned | −50

Risk Detection

  • DCSync: GetChanges + GetChangesAll, or AllExtendedRights, on the domain object
  • Kerberoastable: hasspn = true and the account is enabled
  • AS-REP Roastable: dontreqpreauth = true
  • Unconstrained Delegation: computers with unrestricted delegation
  • Critical ACLs: GenericAll, WriteDacl, WriteOwner, Owns, AllExtendedRights on high-value targets
  • SID History abuse paths
  • NTLM Relay Target: signing = false or signingrequired = false on computer objects
  • WebClient Running: webclient = true on computer objects (HTTP coerce surface)
  • SMBv1 Enabled: smb1enabled = true
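How the Risk Detection conditions and the Risk Scoring weights fit together, as an added example that is not Z-Hound's own code: the flags are derived from SharpHound-style node JSON, the DCSync check is computed from the domain object's ACEs, and the weights are summed and clamped to 0–100. The property names (ObjectIdentifier, Properties.hasspn, dontreqpreauth, unconstraineddelegation, signing, signingrequired, webclient, smb1enabled, enabled, admincount, pwdneverexpires, sidhistory, isdeleted, highvalue, Aces[].RightName / PrincipalSID) follow SharpHound's JSON as commonly seen and are an assumption here, as is every sample object.

```javascript
// Added example (not Z-Hound's own code): derive the risk flags from the
// "Risk Detection" list out of SharpHound-style node JSON, then fold them into
// a 0-100 score with the "Risk Scoring" weights. Property names are assumed
// from SharpHound's JSON; the sample domain, users and computer are constructed.

const WEIGHTS = {
  dcsync: 95, highValue: 50, unconstrained: 60, constrained: 30,
  asrep: 45, kerberoastable: 40, sidHistory: 35, webclient: 25,
  relayTarget: 30, smb1: 20, pwdNeverExpires: 20, adminCount: 15,
  disabled: -40, deleted: -50,
};

// DCSync principals: GetChanges + GetChangesAll on the domain object, or
// AllExtendedRights on it (which covers both replication rights).
function dcsyncPrincipals(domainNode) {
  const rights = new Map();                         // PrincipalSID -> Set(RightName)
  for (const ace of domainNode.Aces || []) {
    if (!rights.has(ace.PrincipalSID)) rights.set(ace.PrincipalSID, new Set());
    rights.get(ace.PrincipalSID).add(ace.RightName);
  }
  const out = new Set();
  for (const [sid, r] of rights) {
    if (r.has('AllExtendedRights') || (r.has('GetChanges') && r.has('GetChangesAll'))) out.add(sid);
  }
  return out;
}

function deriveFlags(node, dcsyncers) {
  const p = node.Properties || {};
  const enabled = p.enabled !== false;              // missing property => treat as enabled
  return {
    dcsync: dcsyncers.has(node.ObjectIdentifier),
    highValue: p.highvalue === true,
    unconstrained: p.unconstraineddelegation === true,
    constrained: Array.isArray(p.allowedtodelegate) && p.allowedtodelegate.length > 0,
    asrep: p.dontreqpreauth === true,
    kerberoastable: p.hasspn === true && enabled,   // a disabled SPN account yields no usable TGS
    sidHistory: Array.isArray(p.sidhistory) && p.sidhistory.length > 0,
    webclient: p.webclient === true,
    relayTarget: p.signing === false || p.signingrequired === false,
    smb1: p.smb1enabled === true,
    pwdNeverExpires: p.pwdneverexpires === true,
    adminCount: p.admincount === true,
    disabled: !enabled,
    deleted: p.isdeleted === true,
  };
}

function riskScore(flags) {
  let s = 0;
  for (const [k, on] of Object.entries(flags)) if (on) s += WEIGHTS[k];
  return Math.max(0, Math.min(100, s));             // clamp to the 0-100 range
}

function scoreAll(nodes, domainNode) {
  const dcsyncers = dcsyncPrincipals(domainNode);
  const out = {};
  for (const n of nodes) {
    const flags = deriveFlags(n, dcsyncers);
    out[n.Properties.name] = { score: riskScore(flags), flags: Object.keys(flags).filter(k => flags[k]) };
  }
  return out;
}

// Constructed sample: a domain object with three ACEs, three users and one computer.
const DOMAIN = { ObjectIdentifier: 'S-1-5-21-1-2-3', Aces: [
  { PrincipalSID: 'S-1-5-21-1-2-3-1104', RightName: 'GetChanges' },
  { PrincipalSID: 'S-1-5-21-1-2-3-1104', RightName: 'GetChangesAll' },
  { PrincipalSID: 'S-1-5-21-1-2-3-1105', RightName: 'GetChanges' },  // GetChanges alone is not DCSync
] };
const NODES = [
  { ObjectIdentifier: 'S-1-5-21-1-2-3-1104', Properties: { name: 'BACKUP_SVC@CORP.LOCAL', enabled: true, admincount: true } },
  { ObjectIdentifier: 'S-1-5-21-1-2-3-1105', Properties: { name: 'SVC_SQL@CORP.LOCAL', enabled: true, hasspn: true, pwdneverexpires: true } },
  { ObjectIdentifier: 'S-1-5-21-1-2-3-1106', Properties: { name: 'LEGACY_SVC@CORP.LOCAL', enabled: false, hasspn: true, dontreqpreauth: true } },
  { ObjectIdentifier: 'S-1-5-21-1-2-3-1107', Properties: { name: 'WS01.CORP.LOCAL', enabled: true, signing: false, webclient: true, smb1enabled: true } },
];

console.log(scoreAll(NODES, DOMAIN));
```

Two details worth noticing when reading the output: BACKUP_SVC sums to 110 and is clamped to 100, and LEGACY_SVC keeps its AS-REP flag but loses the Kerberoastable one because the account is disabled, so the −40 penalty leaves it at 5.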


NTLM Relay Path Analysis

When SharpHound collects SMB signing and WebClient properties:

  • Relay Targets — computers where SMB signing is not required, visualised with RELAY TARGET badge in node details
  • WebClient Hosts — computers with WebDAV WebClient service running, visualised with WEBCLIENT badge
  • Relay Chain synthesis — constructs full coerce → NTLMRelay → target → DA paths including direct AdminTo relay chains
  • Relay surface shown in Computer node details panel: SMB Signing, SMB Signing Required, SMBv1, WebClient status — all colour-coded
  • NTLMRelay virtual edge type mapped to MITRE ATT&CK T1557.001 (Adversary-in-the-Middle: LLMNR/NBT-NS Poisoning and SMB Relay)

ADCS Vulnerability Detection

Automatic detection of ESC vulnerabilities from certificate template properties:

ESC | Condition
ESC1 | Enrollee-supplied SAN + Client Auth EKU + no manager approval
ESC2 | Any Purpose EKU or empty EKU, no approval
ESC3 | Certificate Request Agent EKU
ESC4 | Write access to template (GenericWrite / WriteProperty / WriteDacl)
ESC6 | CA with EDITF_ATTRIBUTESUBJECTALTNAME2 flag
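The table above as executable checks, added here as an example that is not Z-Hound's own code. The templates and CA are shaped like SharpHound's CertTemplate and EnterpriseCA JSON, but the property names (ekus, enrolleesuppliessubject, requiresmanagerapproval, authorizedsignatures, isuserspecifiessanenabled, Aces[].RightName / PrincipalSID) and every sample object are assumptions for illustration. It goes one step beyond the table in two places: ESC1 additionally requires zero authorized signatures (an issuance-signature requirement blocks plain enrollment), and ESC4 also counts GenericAll and WriteOwner as write access while ignoring the Domain Admins and Enterprise Admins RIDs, which are expected to hold it.

```javascript
// Added example (not Z-Hound's own code): ESC1-ESC4 and ESC6 checks over
// SharpHound-shaped certificate template / CA objects. Property names and
// sample data are assumptions, not a schema guarantee.

const EKU_CLIENT_AUTH = '1.3.6.1.5.5.7.3.2';
const EKU_ANY_PURPOSE = '2.5.29.37.0';
const EKU_CERT_REQUEST_AGENT = '1.3.6.1.4.1.311.20.2.1';
const TEMPLATE_WRITE_RIGHTS = new Set(['GenericAll', 'GenericWrite', 'WriteProperty', 'WriteDacl', 'WriteOwner']);
// Principals expected to control templates (RID 512 = Domain Admins, 519 = Enterprise Admins).
const EXPECTED_WRITERS = /-(512|519)$/;

function templateFindings(t) {
  const p = t.Properties;
  const ekus = p.ekus || [];
  const noApproval = p.requiresmanagerapproval !== true;
  // Client Auth is satisfied by the explicit EKU, by Any Purpose, or by an empty EKU list.
  const clientAuth = ekus.length === 0 || ekus.includes(EKU_CLIENT_AUTH) || ekus.includes(EKU_ANY_PURPOSE);
  const out = [];
  // ESC1: SAN + Client Auth + no approval; authorizedsignatures === 0 is the extra check
  // not in the table above (a required issuance signature blocks plain enrollment).
  if (p.enrolleesuppliessubject === true && clientAuth && noApproval && (p.authorizedsignatures || 0) === 0) out.push('ESC1');
  if ((ekus.length === 0 || ekus.includes(EKU_ANY_PURPOSE)) && noApproval) out.push('ESC2');
  if (ekus.includes(EKU_CERT_REQUEST_AGENT)) out.push('ESC3');
  const writers = (t.Aces || []).filter(a => TEMPLATE_WRITE_RIGHTS.has(a.RightName) && !EXPECTED_WRITERS.test(a.PrincipalSID));
  if (writers.length) out.push('ESC4');
  return out;
}

// ESC6: the CA accepts a SAN from request attributes (EDITF_ATTRIBUTESUBJECTALTNAME2).
function caFindings(ca) {
  return ca.Properties.isuserspecifiessanenabled === true ? ['ESC6'] : [];
}

function detectEsc(templates, cas) {
  const findings = {};
  for (const t of templates) { const f = templateFindings(t); if (f.length) findings[t.Properties.name] = f; }
  for (const ca of cas) { const f = caFindings(ca); if (f.length) findings[ca.Properties.name] = f; }
  return findings;
}

// Constructed sample objects: one template per condition, one clean template, one CA.
const TEMPLATES = [
  { Properties: { name: 'WEBUSER', ekus: [EKU_CLIENT_AUTH], enrolleesuppliessubject: true, requiresmanagerapproval: false, authorizedsignatures: 0 },
    Aces: [{ PrincipalSID: 'S-1-5-21-1-2-3-513', RightName: 'Enroll' }] },
  { Properties: { name: 'ANYPURPOSE', ekus: [EKU_ANY_PURPOSE], enrolleesuppliessubject: false, requiresmanagerapproval: false, authorizedsignatures: 0 }, Aces: [] },
  { Properties: { name: 'AGENT', ekus: [EKU_CERT_REQUEST_AGENT], enrolleesuppliessubject: false, requiresmanagerapproval: true, authorizedsignatures: 0 }, Aces: [] },
  { Properties: { name: 'HARDENED', ekus: [EKU_CLIENT_AUTH], enrolleesuppliessubject: true, requiresmanagerapproval: true, authorizedsignatures: 0 },
    Aces: [{ PrincipalSID: 'S-1-5-21-1-2-3-512', RightName: 'GenericAll' },      // Domain Admins: expected
           { PrincipalSID: 'S-1-5-21-1-2-3-513', RightName: 'WriteProperty' }] }, // Domain Users: ESC4
  { Properties: { name: 'SIGNED', ekus: [EKU_CLIENT_AUTH], enrolleesuppliessubject: true, requiresmanagerapproval: false, authorizedsignatures: 1 }, Aces: [] },
];
const CAS = [{ Properties: { name: 'CORP-CA', isuserspecifiessanenabled: true } }];

console.log(detectEsc(TEMPLATES, CAS));
```

HARDENED shows why manager approval alone is not enough: the template is safe against ESC1, yet a WriteProperty ACE for Domain Users lets anyone turn approval off again, which is exactly what ESC4 flags.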

Azure / Entra ID Support (Full)

Load AzureHound output alongside or separately for hybrid AD + Azure analysis.

Parsed relationship types (from AzureHound arrays): GlobalAdmins, PrivilegedRoleAdmins, Owners, Contributors, UserAccessAdmins, AddMembers, AddOwners, ResetPasswords, AddSecrets, GetSecretUsers, GetKeyUsers, GetCertificateUsers, VMAdmins, RunCommandAdmins, GrantAppRoles, AppRoleAssignments, InboundTransitiveRoles

Azure node types supported: AZUser, AZGroup, AZDevice, AZApp, AZServicePrincipal, AZTenant, AZSubscription, AZResourceGroup, AZVM, AZKeyVault, AZMgmtGroup

Azure-specific features:

  • AZTenant marked as high value (Azure equivalent of Domain root)
  • Azure GA quick query — surfaces Global Admin and Privileged Role Admin holders; finds on-prem → Azure GA hybrid attack paths
  • Azure node details panel: Tenant ID, App ID, Object ID, SP Type, roles held/granted, inbound high-risk permissions (AZAddSecret, AZExecuteCommand, AZResetPassword, AZOwns)
  • Azure section in Report panel: object inventory, GA list, Priv Role Admins, app secret access, VM execution, password resets
  • Azure findings included in HTML report export

Node Details Panel

Computer nodes:

  • NTLM Relay Surface — SMB Signing, SMB Signing Required, SMBv1, WebClient status with colour-coded risk badges
  • Local Admins (Explicit / Unrolled / Foreign)
  • Inbound Execution Rights — RDP / DCOM (direct and group-delegated)
  • SQL Admins
  • Active Sessions (clickable)

User nodes:

  • Sessions observed (clickable)
  • Sibling objects in same OU
  • Reachable High Value Targets (clickable)
  • Effective Inbound GPOs
  • Outbound / Inbound Object Control
  • Risk flags: Kerberoastable, AS-REP Roastable, Unconstrained Delegation, SID History

Group nodes:

  • Sessions of group members (clickable)
  • Reachable High Value Targets (clickable)
  • Direct / Transitive / Foreign members (clickable)
  • Execution Rights (RDP / DCOM)
  • Outbound / Inbound Object Control

Azure nodes:

  • Tenant ID, App ID, Object ID, SP Type
  • Roles held and roles granted to this object
  • Inbound AZAddSecret / AZExecuteCommand / AZResetPassword / AZOwns counts
  • Outbound high-risk permission count
  • Reachable High Value Targets

OU / GPO / Domain nodes: Full BloodHound-style details including trusts, DCSync principals, effective GPOs, cert templates.

Stats Bar

Live metrics on data load:

Objects | Edges | Kerberoastable | AS-REP | DCSync Risk | Critical ACLs | Unconstrained Deleg | Cert Templates | Relay Targets | WebClient | Paths to DA

Export

Format | Contents
PNG | Graph snapshot at 2× resolution
CSV | Three-section: Nodes (name, type, risk score, flags, SID, domain) + Edges (from, to, label, isACL, riskWeight, MITRE) + ADCS findings
HTML | Full self-contained assessment report: Executive Summary, Critical Findings, Credential Theft, Delegation, ADCS, NTLM Relay, Azure/Entra ID, Top High-Risk Nodes, Attack Paths. Light theme, printable, no external dependencies.

Edge Types Recognized (50+)

Category | Edge Labels
Membership / Structure | MemberOf, Contains, GPLink
ACL | GenericAll, WriteDacl, WriteOwner, Owns, ForceChangePassword, AddMember, AddKeyCredentialLink, ReadLAPSPassword, AllExtendedRights, GenericWrite, WriteProperty, AddSelf, WriteAccountRestrictions, WriteSPN, ReadGMSAPassword, AddAllowedToAct, AddMembers
Execution | AdminTo, CanRDP, ExecuteDCOM, CanPSRemote, SQLAdmin, HasSession, CanAbuseGPO
Delegation | AllowedToDelegate, AllowedToAct, SPNTarget
DCSync | GetChanges, GetChangesAll
ADCS | Enroll, ManageCA, ManageCertificates, ADCSESC1–ADCSESC13
Trust | TrustedBy
NTLM Relay | NTLMRelay (synthetic, mapped to T1557.001)
Azure | AZGlobalAdmin, AZPrivilegedRoleAdmin, AZOwns, AZContributor, AZAddMembers, AZAddOwner, AZAddSecret, AZGetSecrets, AZGetKeys, AZGetCertificates, AZExecuteCommand, AZVMAdminLogin, AZVMContributor, AZResetPassword, AZUserAccessAdmin, AZGrantAppRoles, AZHasRole, AZMGAddMember, AZMGAddOwner, AZMGAddSecret, AZMGGrantAppRoles, AZMGGrantRole
Misc | SyncLAPSPassword, WriteGPLink, CoerceToTGT, SyncedToEntraUser, HostsCAService

Unknown edge types are caught automatically and added to Quick Views.


Supported Input Files

File pattern | Content
*computers*.json | Computer objects, sessions, local admins, SMB properties
*users*.json | User objects, SPNs, properties
*groups*.json | Group memberships
*domains*.json | Domain trusts, ACLs
*ous*.json | Organisational unit structure, GPLinks
*gpos*.json | Group Policy Objects
*containers*.json | Container objects
*certtemplates*.json / *cas*.json | ADCS certificate templates and certificate authorities
AzureHound Az_*.json | Azure / Entra ID objects and relationships

Tech Stack

Library | Version | Purpose
Cytoscape.js | 3.28.1 | Graph rendering
cytoscape-dagre | 2.5.0 | Hierarchical layout
dagre | 0.8.5 | Layout engine
JSZip | 3.10.1 | Client-side ZIP extraction
Tailwind CSS | CDN | Styling

Single HTML file — no build step, no backend, no framework, no install.


Requirements

  • A modern browser (Chrome 90+, Firefox 88+, Edge 90+)
  • Internet connection on first load only (CDN scripts cached after that — full offline use thereafter)
  • SharpHound collection output — ZIP or individual JSON files
  • AzureHound output — ZIP (optional, for Azure analysis)

vs. BloodHound / PlumHound

Z-Hound BloodHound CE PlumHound
Zero install
Offline / air-gapped Partial
Interactive graph
HTML report export
Risk scoring (0–100) Partial
NTLM relay paths
ADCS ESC detection Partial Partial
MITRE ATT&CK on edges
Azure / Entra ID ✅ Full Partial
Persistent data store ✅ (Neo4j)
Custom Cypher queries
Multi-million object scale

Known Limitations

  • Datasets with >50 k edges may slow the browser — use Quick View filters to scope the graph down
  • No session persistence — page reload requires re-uploading the collection
  • NTLM relay features require SharpHound to have collected signing, signingrequired, and webclient properties (available in extended / BloodHound CE collections); standard collections will not show relay data
  • Foreign domain objects may appear as unresolved SIDs if their JSON files are not included in the upload

Disclaimer

Z-Hound is intended for authorized security assessments, penetration testing, and defensive security work only. Only use it against environments you have explicit written permission to test.


License

MIT
