Get Started with BloodHound
- Introduction to BloodHound
- Quickstart
- Security Boundaries
Install a Data Collector
- Overview
- Install SharpHound
- Install AzureHound
Collect Data
- Overview
- Collection Permissions
- BloodHound Enterprise Collection
- Community Edition Collection
OpenGraph
Analyze Attack Path Data
Manage BloodHound
- Overview
- BloodHound Configuration Supplement
- BloodHound Enterprise Compliance Framework
- Authentication and Authorization
- Securing BloodHound and collectors
API & Integrations
- Overview
- BloodHound API
- Integrations
Resources
- Resources
- Nodes
- Edges
- About BloodHound Edges
- Traversable and Non-Traversable Edge Types
- AbuseTGTDelegation
- ADCSESC1
- ADCSESC10a
- ADCSESC10b
- ADCSESC13
- ADCSESC3
- ADCSESC4
- ADCSESC6a
- ADCSESC6b
- ADCSESC9a
- ADCSESC9b
- AddAllowedToAct
- AddKeyCredentialLink
- AddMember
- AddSelf
- AdminTo
- AllExtendedRights
- AllowedToAct
- AllowedToDelegate
- AZAddMembers
- AZAddOwner
- AZAddSecret
- AZAKSContributor
- AZAppAdmin
- AZAutomationContributor
- AZAvereContributor
- AZCloudAppAdmin
- AZContains
- AZContributor
- AZExecuteCommand
- AZGetCertificates
- AZGetKeys
- AZGetSecrets
- AZGlobalAdmin
- AZHasRole
- AZKeyVaultContributor
- AZLogicAppContributor
- AZManagedIdentity
- AZMemberOf
- AZMGAddMember
- AZMGAddOwner
- AZMGAddSecret
- AZMGAppRoleAssignment_ReadWrite_All
- AZMGApplication_ReadWrite_All
- AZMGDirectory_ReadWrite_All
- AZMGGrantAppRoles
- AZMGGrantRole
- AZMGGroupMember_ReadWrite_All
- AZMGGroup_ReadWrite_All
- AZMGRoleManagement_ReadWrite_Directory
- AZMGServicePrincipalEndpoint_ReadWrite_All
- AZNodeResourceGroup
- AZOwner
- AZOwns
- AZPrivilegedAuthAdmin
- AZPrivilegedRoleAdmin
- AZResetPassword
- AZRunsAs
- AZScopedTo
- AZUserAccessAdministrator
- AZVMAdminLogin
- AZVMContributor
- AZWebsiteContributor
- CanApplyGPO
- CanPSRemote
- CanRDP
- CoerceToTGT
- Contains
- ContainsIdentity
- CrossForestTrust
- DCFor
- DCSync
- DelegatedEnrollmentAgent
- DumpSMSAPassword
- Enroll
- EnrollOnBehalfOf
- EnterpriseCAFor
- ExecuteDCOM
- ExtendedByPolicy
- ForceChangePassword
- GenericAll
- GenericWrite
- GetChanges
- GetChangesAll
- GetChangesInFilteredSet
- GoldenCert
- GPLink
- GPOAppliesTo
- HasSession
- HasSIDHistory
- HasTrustKeys
- HostsCAService
- IssuedSignedBy
- LocalToComputer
- ManageCA
- ManageCertificates
- MemberOf
- MemberOfLocalGroup
- NTAuthStoreFor
- OIDGroupLink
- Owns
- PropagatesACEsTo
- PublishedTo
- ReadGMSAPassword
- ReadLAPSPassword
- RemoveInteractiveLogonRight
- RootCAFor
- SameForestTrust
- SpoofSIDHistory
- SQLAdmin
- SyncLAPSPassword
- SyncedToADUser
- SyncedToEntraUser
- TrustedForNTAuth
- WriteAccountRestrictions
- WriteDacl
- WriteGPLink
- WriteOwner
- WritePKIEnrollmentFlag
- WritePKINameFlag
- WriteSPN
- Glossary
- Community and Support
- Release Notes
- Legacy BloodHound
On this page
Edges
Contains
GPOs linked to a container apply to all objects that are contained by the container. Additionally, ACEs set on a parent OU may inherit down to child objects.
Abuse Info
Permissions on the parent of a child object may enable compromise of the child object through inherited ACEs or linked GPOs. See the inbound edges on the parent object for details.Copy
Ask AI
## Opsec Considerations
Creation and modification of ACEs will be logged depending on the auditing setup on Domain Controllers.
## References
* [https://wald0.com/?p=179](https://wald0.com/?p=179)
* [https://blog.cptjesus.com/posts/bloodhound15](https://blog.cptjesus.com/posts/bloodhound15)
Assistant
Responses are generated using AI and may contain mistakes.