Glossary of BloodHound terminology

This article applies to BHCE and BHE

Review the definitions for terminology used in the BloodHound software and documentation.

Attack Path

Attack Paths are the chains of abusable privileges and user behaviors that create direct and indirect connections between computers and users. Learn more by reading What is Attack Path Management.

Attack Path Management (APM)

"Attack Path Management" is the process of identifying, analyzing, and managing the Attack Paths that an adversary might exploit to reach high-value objects or compromise the network's security. BloodHound assists by visualizing these Attack Paths and prioritizing them so that they can be remediated.

Choke Point

A "Choke Point" is a privilege or user behavior (an Edge) that, like the driveway to a house, is the route by which the rest of the environment reaches an object or collection of objects (Nodes). For example, any Edge that leads from outside Tier Zero into the set of Tier Zero Nodes is a Tier Zero Choke Point: a privilege or user behavior the adversary must abuse to compromise a Tier Zero object. Because many Attack Paths converge on a Choke Point, it is a significant point of control and defense in the network security architecture and therefore the optimal location to block the largest number of Attack Paths with a single fix.

Edge

An "Edge" in BloodHound is part of the graph construct and represents a directed relationship from one Node to another, such as a privilege the source holds over the target or a user behavior (for example, a logon session) that connects them. An Attack Path is a chain of Edges.

Enterprise Access Model (EAM)

A security framework developed by Microsoft that defines a privileged access strategy[1] which has the ultimate goal of preventing privilege escalation through Identity-based Attack Paths. In most cases, EAM supersedes and replaces Tiering/Tier Model.

FOSS

Stands for "Free and Open Source Software", as in "BloodHound CE is a FOSS project."

High Value

"High Value" objects are critical resources, data, or systems in the network that are particularly valuable to the organization. See Tier Zero.

Identity-based Attack Path

An Attack Path that starts from an identity, i.e. an already authenticated principal, and proceeds by abusing the privileges and user behaviors attached to principals rather than any other weakness. Visualizing and managing such Attack Paths is BloodHound's main goal. See Attack Path.

Node

A "Node" in BloodHound is part of the graph construct and refers to an entity in the network, such as a user, computer, group, or domain.

Object

In BloodHound, an "Object" is a broad term used to refer to various entities within the Active Directory and Entra ID (formerly Azure Active Directory) environment, such as users, groups, computers, organizational units (OUs), domains, and trusts. Each object represents a distinct element contributing to the network's overall structure and security posture. An object can also be referred to as an "Asset".

Cypher

Cypher is Neo4j's graph query language and the language used to query BloodHound's graph database directly. It plays the role for graph databases that SQL plays for traditional relational databases.
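As an added example, not taken from the original glossary or from BloodHound's own query library, the two Cypher queries below show how the Node, Edge, Tier Zero, and Choke Point terms defined on this page map onto the graph. They assume the `system_tags` property that BloodHound CE and BHE set on Tier Zero objects (a value containing `admin_tier_0`); check that property name against the pre-built queries shipped with your version before relying on it. The principal name in the second query is a placeholder, not a real object.

```cypher
// Query 1: Tier Zero Choke Points.
// Every Edge whose target Node is Tier Zero but whose source Node is not
// is, by the definition above, a Tier Zero Choke Point: an adversary who
// starts outside Tier Zero must cross one of these to compromise it.
// Assumption: Tier Zero objects carry "admin_tier_0" in system_tags
// (BloodHound CE / BHE convention); coalesce() handles nodes with no tags.
// Grouping by target and privilege and counting inbound sources ranks the
// Choke Points whose removal would block the most Attack Paths.
MATCH (src)-[r]->(dst)
WHERE dst.system_tags CONTAINS "admin_tier_0"
  AND NOT coalesce(src.system_tags, "") CONTAINS "admin_tier_0"
RETURN dst.name  AS target,
       type(r)   AS privilege,
       count(src) AS inbound_sources
ORDER BY inbound_sources DESC
LIMIT 25;

// Query 2: an Identity-based Attack Path from one principal to Tier Zero.
// shortestPath() returns one path per reachable Tier Zero Node; every
// relationship in the returned path is an Edge the adversary would have to
// abuse in sequence. "JDOE@CORP.LOCAL" is a placeholder; substitute a
// principal from your own collection. Bound the hop count (e.g. [*1..6])
// on large graphs if the unbounded search is too slow.
MATCH p = shortestPath((src:User {name: "JDOE@CORP.LOCAL"})-[*1..]->(dst))
WHERE dst.system_tags CONTAINS "admin_tier_0"
  AND src <> dst
RETURN p
LIMIT 10;
```

Run each statement on its own in the BloodHound Cypher search or against the Neo4j instance backing BloodHound CE. The first query is a direct expression of the Choke Point definition: the rows with the highest `inbound_sources` are the Edges where a single remediation removes the most Attack Paths. The second is the graph walk that the Attack Path and Identity-based Attack Path entries describe in prose.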

Principal

In BloodHound, a "Principal" refers to an entity that can authenticate and be assigned permissions within the network, also known as a security principal. Principals can be users, groups, or computer objects in Active Directory, and they play a central role in the access control mechanisms of the network.

Privilege

In BloodHound, "Privilege" refers to a level of access or permission that a principal has on a specific object within the infrastructure.

Remediation

"Remediation" refers to the process of fixing or mitigating security risks identified during the analysis of Attack Paths with BloodHound, for example by removing the privilege that forms a Choke Point.

Right

See Privilege.

Tenant

A BloodHound Enterprise tenant is a customer's instance of BloodHound Enterprise, hosted and managed by SpecterOps as software as a service (SaaS). BloodHound CE, by contrast, is self-hosted and self-managed.

Tier Zero

"Tier Zero" refers to the most critical and sensitive objects in the network, typically including domain controllers and other core infrastructure components. The term stems from Tiering.

Tiering/Tier Model

Refers to the categorization of objects and privileges based on their criticality and importance to the organization. The term stems from Microsoft's Active Directory Tier Model, which in most cases is superseded and replaced by the Enterprise Access Model. See Enterprise Access Model (EAM).