
Applies to BloodHound Enterprise and CE

Introduction

This page collects best practices for creating Graph Extensions and tooling for OpenGraph.

Creating a new OpenGraph extension

Elements of a Complete Submission

This section lists the elements that are mandatory and nice-to-have in an OpenGraph extension submission.

Mandatory

  1. A Collector/Hound
    • A script that collects all information needed to populate the graph
    • The collector should create JSON that can be uploaded to BloodHound
  2. Documentation on
    • Minimum system requirements to run the tool
      • OS
      • Software
      • Resources
    • How to install the collector
    • How to use the collector
      • Minimum permissions needed to collect the information
        • As a privileged user
        • As an unprivileged user
      • Command line options/switches
        • Examples of running the tool from the command line

Nice to Have

  1. Nodes and Edges Documentation (online)
    • Hosted wiki (e.g., GitHub) or
    • Markdown file in the repository
    • List of relevant information to document
      • General
      • Abuse Info
      • Remediation Info
      • OPSEC
      • References
      • Other fields as applicable
  2. Optional API upload
    • Ability to upload the JSON output to a BloodHound instance via the API without user interaction
  3. Cypher Queries “Starter Pack”
    • Cypher Queries to help new users explore the new elements introduced to the Graph
    • Should be in the Custom Query JSON format for easy ingestion
  4. Privilege Zone Rules
    • Queries for creating Cypher-based Privilege Zone rules to help users classify high-value nodes in the graph
  5. Icon Definition Pack
    • Including a script to upload them. See example
      • You can use a Bearer Token instead of an API key as this script will typically run only once.
      • Do not hardcode credentials; use a placeholder for users to modify.
    Only necessary for generic graph data. Structured graphs include icon definitions in the extension definition schema.
  6. Arrows.app diagram illustrating nodes and attack paths between them
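An added example of the icon-pack upload script item 5 asks for (written for this page, not SpecterOps' code): the bearer token is read from an environment variable, the server URL is a placeholder for the user to edit, and the endpoint path and request body shape are assumptions to verify against the BloodHound API reference before use.

```python
import json
import os
import urllib.request

BLOODHOUND_URL = "https://bloodhound.example.internal"  # placeholder: edit me
ICON_ENDPOINT = "/api/v2/custom-nodes"  # assumption: confirm in the API docs
TOKEN_ENV = "BHE_BEARER_TOKEN"          # bearer token comes from the environment
PLACEHOLDER = "REPLACE_ME"              # value users must replace, never a real token


def token_ok(token):
    """A usable token is non-empty and not the shipped placeholder."""
    return bool(token) and token != PLACEHOLDER


def load_token(env=os.environ):
    """Read the bearer token from the environment; refuse to run with a placeholder."""
    token = env.get(TOKEN_ENV, PLACEHOLDER).strip()
    if not token_ok(token):
        raise SystemExit(f"set {TOKEN_ENV} to a BloodHound bearer token first")
    return token


def build_icon_payload(icons):
    """Map {kind: (font-awesome icon name, hex colour)} to a request body.
    Body shape is an assumption; adjust to the schema for your BloodHound version."""
    return {"custom_types": {kind: {"icon": {"type": "font-awesome",
                                              "name": name, "color": color}}
                             for kind, (name, color) in icons.items()}}


def build_request(base_url, token, payload):
    """Build the POST with the token in an Authorization: Bearer header."""
    req = urllib.request.Request(base_url.rstrip("/") + ICON_ENDPOINT,
                                 data=json.dumps(payload).encode(),
                                 method="POST")
    req.add_header("Authorization", f"Bearer {token}")
    req.add_header("Content-Type", "application/json")
    return req


def upload_icons(base_url, token, payload, opener=urllib.request.urlopen):
    """Send the icon pack once; `opener` is injectable so this can be tested offline."""
    with opener(build_request(base_url, token, payload)) as resp:
        return resp.status


if __name__ == "__main__":
    # Constructed sample icon pack for two hypothetical node kinds.
    sample = {"MyAppUser": ("user", "#1f77b4"), "MyAppServer": ("server", "#d62728")}
    print(upload_icons(BLOODHOUND_URL, load_token(), build_icon_payload(sample)))
```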