> ## Documentation Index > Fetch the complete documentation index at: https://bloodhound.specterops.io/llms.txt > Use this file to discover all available pages before exploring further. # ClaimSpecialIdentity > The ClaimSpecialIdentity edge represents the ability to obtain an access token containing a special identity (group) SID. Applies to BloodHound Enterprise and CE The ClaimSpecialIdentity edge represents the ability to obtain an access token containing a special identity (group) SID. Unlike regular groups, membership in special identities is determined at authentication rather than by an explicit member list. See the Abuse section for specific cases. ## Abuse Info **Guest Account (RID -501)** * The Guest user account allows users without a personal account to log in. The account has no password by default. * If enabled, anyone with AD access can log in with the Guest account. **Network Identity (S-1-5-2)** * Any user or computer accessing a Windows system via a network has the Network identity in their access token. **Authentication Authority Asserted Identity (S-1-18-1)** * Included in access tokens when an account is authenticated directly against a domain controller and not through Kerberos constrained delegation (service asserted identity). **Key Trust (S-1-18-4)** * Included in access tokens when authentication is based on public key credentials via key trust objects. * Anyone with key trust credentials (e.g., from a Shadow Credentials attack) can obtain Key Trust identity access through PKINIT authentication. **MFA Key Property (S-1-18-5)** * Similar to Key Trust but requires the MFA property on the key trust credentials. * A Shadow Credentials attack enables anyone to obtain the MFA Key Property identity access through PKINIT authentication. **NTLM Authentication (S-1-64-10)** * Included in an access token when authentication occurs via NTLM protocol. * Any AD account can obtain NTLM authentication identity access, assuming NTLM is available. **Schannel Authentication (S-1-64-14)** * Included in an access token when authentication occurs via Schannel protocol. * Any AD account can obtain the Schannel Authentication identity, for example by performing certificate authentication over Schannel. **This Organization Identity (S-1-5-15)** * Assigned to all accounts within the same Active Directory forest and trusted forests without selective authentication. **This Organization Certificate Identity (S-1-5-65-1)** * Assigned to all accounts within the same Active Directory forest and trusted forests without selective authentication, when the Kerberos PAC contains an NTLM\_SUPPLEMENTAL\_CREDENTIAL structure. * Authentication using an ADCS certificate ensures the required PAC structure. ## OPSEC Considerations No OPSEC considerations are available for this edge. ## Edge Schema Source: [Group](/resources/nodes/group)\ Destination: [User](/resources/nodes/user), [Group](/resources/nodes/group)\ Traversable: **Yes** ## References * [Microsoft: Special identity groups](https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/manage/understand-special-identities-groups) * [Microsoft: Guest account](https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/manage/understand-default-user-accounts#guest-account) * [Good Fences Make Good Neighbors: New AD Trusts Attack Paths in BloodHound](https://specterops.io/blog/2025/06/25/good-fences-make-good-neighbors-new-ad-trusts-attack-paths-in-bloodhound/)