Get Started with BloodHound
- Introduction to BloodHound
- Quickstart
- Security Boundaries
Install a Data Collector
- Overview
- Install SharpHound
- Install AzureHound
Collect Data
- Overview
- Collection Permissions
- BloodHound Enterprise Collection
- Community Edition Collection
OpenGraph
Analyze Attack Path Data
Manage BloodHound
- Overview
- BloodHound Configuration Supplement
- BloodHound Enterprise Compliance Framework
- Authentication and Authorization
- Securing BloodHound and collectors
API & Integrations
- Overview
- BloodHound API
- Integrations
Resources
- Resources
- Nodes
- Edges
- About BloodHound Edges
- Traversable and Non-Traversable Edge Types
- AbuseTGTDelegation
- ADCSESC1
- ADCSESC10a
- ADCSESC10b
- ADCSESC13
- ADCSESC3
- ADCSESC4
- ADCSESC6a
- ADCSESC6b
- ADCSESC9a
- ADCSESC9b
- AddAllowedToAct
- AddKeyCredentialLink
- AddMember
- AddSelf
- AdminTo
- AllExtendedRights
- AllowedToAct
- AllowedToDelegate
- AZAddMembers
- AZAddOwner
- AZAddSecret
- AZAKSContributor
- AZAppAdmin
- AZAutomationContributor
- AZAvereContributor
- AZCloudAppAdmin
- AZContains
- AZContributor
- AZExecuteCommand
- AZGetCertificates
- AZGetKeys
- AZGetSecrets
- AZGlobalAdmin
- AZHasRole
- AZKeyVaultContributor
- AZLogicAppContributor
- AZManagedIdentity
- AZMemberOf
- AZMGAddMember
- AZMGAddOwner
- AZMGAddSecret
- AZMGAppRoleAssignment_ReadWrite_All
- AZMGApplication_ReadWrite_All
- AZMGDirectory_ReadWrite_All
- AZMGGrantAppRoles
- AZMGGrantRole
- AZMGGroupMember_ReadWrite_All
- AZMGGroup_ReadWrite_All
- AZMGRoleManagement_ReadWrite_Directory
- AZMGServicePrincipalEndpoint_ReadWrite_All
- AZNodeResourceGroup
- AZOwner
- AZOwns
- AZPrivilegedAuthAdmin
- AZPrivilegedRoleAdmin
- AZResetPassword
- AZRunsAs
- AZScopedTo
- AZUserAccessAdministrator
- AZVMAdminLogin
- AZVMContributor
- AZWebsiteContributor
- CanApplyGPO
- CanPSRemote
- CanRDP
- ClaimSpecialIdentity
- CoerceToTGT
- Contains
- ContainsIdentity
- CrossForestTrust
- DCFor
- DCSync
- DelegatedEnrollmentAgent
- DumpSMSAPassword
- Enroll
- EnrollOnBehalfOf
- EnterpriseCAFor
- ExecuteDCOM
- ExtendedByPolicy
- ForceChangePassword
- GenericAll
- GenericWrite
- GetChanges
- GetChangesAll
- GetChangesInFilteredSet
- GoldenCert
- GPLink
- GPOAppliesTo
- HasSession
- HasSIDHistory
- HasTrustKeys
- HostsCAService
- IssuedSignedBy
- LocalToComputer
- ManageCA
- ManageCertificates
- MemberOf
- MemberOfLocalGroup
- NTAuthStoreFor
- OIDGroupLink
- Owns
- PropagatesACEsTo
- PublishedTo
- ReadGMSAPassword
- ReadLAPSPassword
- RemoveInteractiveLogonRight
- RootCAFor
- SameForestTrust
- SpoofSIDHistory
- SQLAdmin
- SyncLAPSPassword
- SyncedToADUser
- SyncedToEntraUser
- TrustedForNTAuth
- WriteAccountRestrictions
- WriteDacl
- WriteGPLink
- WriteOwner
- WritePKIEnrollmentFlag
- WritePKINameFlag
- WriteSPN
- Glossary
- Community and Support
- Release Notes
- Legacy BloodHound
On this page
Edges
AZContains
This indicates that the parent object contains the child object, such as a resource group containing a virtual machine, or a tenant “containing” a subscription.
Abuse Info
Control of the parent object also gives control of the child object.Opsec Considerations
No opsec considerations apply to this edge.Assistant
Responses are generated using AI and may contain mistakes.