Traversable and Non-Traversable Edge Types

This article applies to BHCE and BHE

Traversable Edges

Most edges in BloodHound are traversable, representing a relationship between two nodes where the starting node can take control of the ending node to a degree that allows an attacker to abuse outgoing edges.

For example, consider the ForceChangePassword edge:

The Service Desk group has permission to force change the password of Bob without knowing Bob’s current password. An attacker can abuse this to change the password, log in as Bob, and exploit Bob’s privileges. Traversable edges like ForceChangePassword facilitate graph traversal and enable the pathfinding logic in BloodHound.

These are the traversable AD edge types in BloodHound:

ADCSESC1 AddSelf GenericWrite
ADCSESC10a AdminTo GoldenCert
ADCSESC10b AllExtendedRights HasSIDHistory
ADCSESC13 AllowedToAct HasSession
ADCSESC3 AllowedToDelegate MemberOf
ADCSESC4 CanPSRemote Owns
ADCSESC6a Contains ReadLAPSPassword
ADCSESC7 DCSync SyncLAPSPassword
ADCSESC9a DumpSMSAPassword TrustedBy
ADCSESC9b ExecuteDCOM WriteAccountRestrictions
AddAllowedToAct ForceChangePassword WriteDACL
AddKeyCredentialLink GPLink WriteOwner
AddMember GenericAll WriteSPN

These are the traversable Azure edge types in BloodHound:

AZAKSContributor AZGetKeys AZMemberOf
AZAddMembers AZGetSecrets AZNodeResourceGroup
AZAddOwner AZGlobalAdmin AZOwner
AZAddSecret AZHasRole AZOwns
AZAppAdmin AZKeyVaultContributor AZPrivilegedAuthAdmin
AZAutomationContributor AZLogicAppContributor AZPrivilegedRoleAdmin
AZAvereContributor AZMGAddMember AZResetPassword
AZCloudAppAdmin AZMGAddOwner AZRunsAs
AZContains AZMGAddSecret AZUserAccessAdministrator
AZContributor AZMGGrantAppRoles AZVMAdminLogin
AZExecuteCommand AZMGGrantRole AZVMContributor
AZGetCertificates AZManagedIdentity AZWebsiteContributor

Non-Traversable Edges

If you cannot abuse a given relationship between two nodes to take control of the end node, then the relationship is non-traversable. However, some non-traversable relationships can form a traversable relationship when combined. An example is the DCSync attack narrative. GetChanges and GetChangesAll permissions on the domain object combined enable you to perform the DCSync attack. GetChanges and GetChangesAll are non-traversable edges, and BloodHound uses them to produce the traversable DCSync edge in what we call the post-processing logic.

Pathfinding includes only traversable edges. As a result, you might get a DCSync edge in a path like this:

But you will not see any GetChanges or GetChangesAll edge. However, you can use Cypher to reveal the GetChanges and GetChangeAll edges that the DCSync edge relies on:

These are the non-traversable AD edge types in BloodHound:

CanAbuseUPNCertMapping GetChangesAll NTAuthStoreFor
CanAbuseWeakCertBinding GetChangesInFilteredSet OIDGroupLink
DelegatedEnrollmentAgent HostsCAService PublishedTo
Enroll IssuedSignedBy RemoteInteractiveLogonPrivilege
EnrollOnBehalfOf LocalToComputer RootCAFor
EnterpriseCAFor ManageCA TrustedForNTAuth
ExtendedByPolicy ManageCertificates WritePKIEnrollmentFlag
GetChanges MemberOfLocalGroup WritePKINameFlag

These are the non-traversable Azure edge types in BloodHound:

AZMGAppRoleAssignment_ReadWrite_All AZMGGroup_ReadWrite_All
AZMGApplication_ReadWrite_All AZMGRoleManagement_ReadWrite_Directory
AZMGDirectory_ReadWrite_All AZMGServicePrincipalEndpoint_ReadWrite_All