Traversable Edges
Most edges in BloodHound are traversable, representing a relationship between two nodes where the starting node can take control of the ending node to a degree that allows an attacker to abuse outgoing edges.
For example, consider the ForceChangePassword edge:
The Service Desk group has permission to force change the password of Bob without knowing Bob’s current password. An attacker can abuse this to change the password, log in as Bob, and exploit Bob’s privileges. Traversable edges like ForceChangePassword facilitate graph traversal and enable the pathfinding logic in BloodHound.
These are the traversable AD edge types in BloodHound:
ADCSESC1 | AllExtendedRights | HasSIDHistory |
ADCSESC10a | AllowedToAct | HasSession |
ADCSESC10b | AllowedToDelegate | MemberOf |
ADCSESC13 | CanPSRemote | Owns |
ADCSESC3 | CanRDP | ReadGMSAPassword |
ADCSESC4 | Contains | ReadLAPSPassword |
ADCSESC6a | DCFor | SQLAdmin |
ADCSESC6b | DCSync | SyncedToEntraUser |
ADCSESC9a | DumpSMSAPassword | SyncLAPSPassword |
ADCSESC9b | ExecuteDCOM | TrustedBy |
AddAllowedToAct | ForceChangePassword | WriteAccountRestrictions |
AddKeyCredentialLink | GPLink | WriteDacl |
AddMember | GenericAll | WriteGPLink |
AddSelf | GenericWrite | WriteOwner |
AdminTo | GoldenCert | WriteSPN |
These are the traversable Azure edge types in BloodHound:
AZAKSContributor | AZGetSecrets | AZOwner |
AZAddMembers | AZGlobalAdmin | AZOwns |
AZAddOwner | AZHasRole | AZPrivilegedAuthAdmin |
AZAddSecret | AZKeyVaultContributor | AZPrivilegedRoleAdmin |
AZAppAdmin | AZLogicAppContributor | AZResetPassword |
AZAutomationContributor | AZMGAddMember | AZRunsAs |
AZAvereContributor | AZMGAddOwner | AZUserAccessAdministrator |
AZCloudAppAdmin | AZMGAddSecret | AZVMAdminLogin |
AZContains | AZMGGrantAppRoles | AZVMContributor |
AZContributor | AZMGGrantRole | AZWebsiteContributor |
AZExecuteCommand | AZManagedIdentity | SyncedToADUser |
AZGetCertificates | AZMemberOf | |
AZGetKeys | AZNodeResourceGroup |
Non-Traversable Edges
If you cannot abuse a given relationship between two nodes to take control of the end node, then the relationship is non-traversable. However, some non-traversable relationships can form a traversable relationship when combined. An example is the DCSync attack narrative. GetChanges and GetChangesAll permissions on the domain object combined enable you to perform the DCSync attack. GetChanges and GetChangesAll are non-traversable edges, and BloodHound uses them to produce the traversable DCSync edge in what we call the post-processing logic.
Pathfinding includes only traversable edges. As a result, you might get a DCSync edge in a path like this:
But you will not see any GetChanges or GetChangesAll edge. However, you can use Cypher to reveal the GetChanges and GetChangeAll edges that the DCSync edge relies on:
These are the non-traversable AD edge types in BloodHound:
DelegatedEnrollmentAgent | HostsCAService | PublishedTo |
Enroll | IssuedSignedBy | RemoteInteractiveLogonPrivilege |
EnrollOnBehalfOf | LocalToComputer | RootCAFor |
EnterpriseCAFor | ManageCA | TrustedForNTAuth |
ExtendedByPolicy | ManageCertificates | WritePKIEnrollmentFlag |
GetChanges | MemberOfLocalGroup | WritePKINameFlag |
GetChangesAll | NTAuthStoreFor | |
GetChangesInFilteredSet | OIDGroupLink |
These are the non-traversable Azure edge types in BloodHound:
AZMGAppRoleAssignment_ReadWrite_All | AZMGGroup_ReadWrite_All |
AZMGApplication_ReadWrite_All | AZMGRoleManagement_ReadWrite_Directory |
AZMGDirectory_ReadWrite_All | AZMGServicePrincipalEndpoint_ReadWrite_All |
AZMGGroupMember_ReadWrite_All |
Updated