Traversable and Non-Traversable Edge Types

This article applies to BHCE and BHE

Traversable Edges

Most edges in BloodHound are traversable, representing a relationship between two nodes where the starting node can take control of the ending node to a degree that allows an attacker to abuse outgoing edges.

For example, consider the ForceChangePassword edge:

The Service Desk group has permission to force change the password of Bob without knowing Bob’s current password. An attacker can abuse this to change the password, log in as Bob, and exploit Bob’s privileges. Traversable edges like ForceChangePassword facilitate graph traversal and enable the pathfinding logic in BloodHound.

These are the traversable AD edge types in BloodHound:

ADCSESC1 AllExtendedRights HasSIDHistory
ADCSESC10a AllowedToAct HasSession
ADCSESC10b AllowedToDelegate MemberOf
ADCSESC13 CanPSRemote Owns
ADCSESC3 CanRDP ReadGMSAPassword
ADCSESC4 Contains ReadLAPSPassword
ADCSESC6a DCFor SQLAdmin
ADCSESC6b DCSync SyncedToEntraUser
ADCSESC9a DumpSMSAPassword SyncLAPSPassword
ADCSESC9b ExecuteDCOM TrustedBy
AddAllowedToAct ForceChangePassword WriteAccountRestrictions
AddKeyCredentialLink GPLink WriteDacl
AddMember GenericAll WriteGPLink
AddSelf GenericWrite WriteOwner
AdminTo GoldenCert WriteSPN

These are the traversable Azure edge types in BloodHound:

AZAKSContributor AZGetSecrets AZOwner
AZAddMembers AZGlobalAdmin AZOwns
AZAddOwner AZHasRole AZPrivilegedAuthAdmin
AZAddSecret AZKeyVaultContributor AZPrivilegedRoleAdmin
AZAppAdmin AZLogicAppContributor AZResetPassword
AZAutomationContributor AZMGAddMember AZRunsAs
AZAvereContributor AZMGAddOwner AZUserAccessAdministrator
AZCloudAppAdmin AZMGAddSecret AZVMAdminLogin
AZContains AZMGGrantAppRoles AZVMContributor
AZContributor AZMGGrantRole AZWebsiteContributor
AZExecuteCommand AZManagedIdentity SyncedToADUser
AZGetCertificates AZMemberOf  
AZGetKeys AZNodeResourceGroup  

Non-Traversable Edges

If you cannot abuse a given relationship between two nodes to take control of the end node, then the relationship is non-traversable. However, some non-traversable relationships can form a traversable relationship when combined. An example is the DCSync attack narrative. GetChanges and GetChangesAll permissions on the domain object combined enable you to perform the DCSync attack. GetChanges and GetChangesAll are non-traversable edges, and BloodHound uses them to produce the traversable DCSync edge in what we call the post-processing logic.

Pathfinding includes only traversable edges. As a result, you might get a DCSync edge in a path like this:


But you will not see any GetChanges or GetChangesAll edge. However, you can use Cypher to reveal the GetChanges and GetChangeAll edges that the DCSync edge relies on:

These are the non-traversable AD edge types in BloodHound:

DelegatedEnrollmentAgent HostsCAService PublishedTo
Enroll IssuedSignedBy RemoteInteractiveLogonPrivilege
EnrollOnBehalfOf LocalToComputer RootCAFor
EnterpriseCAFor ManageCA TrustedForNTAuth
ExtendedByPolicy ManageCertificates WritePKIEnrollmentFlag
GetChanges MemberOfLocalGroup WritePKINameFlag
GetChangesAll NTAuthStoreFor  
GetChangesInFilteredSet OIDGroupLink  

These are the non-traversable Azure edge types in BloodHound:

AZMGAppRoleAssignment_ReadWrite_All AZMGGroup_ReadWrite_All
AZMGApplication_ReadWrite_All AZMGRoleManagement_ReadWrite_Directory
AZMGDirectory_ReadWrite_All AZMGServicePrincipalEndpoint_ReadWrite_All
AZMGGroupMember_ReadWrite_All  

 

Updated