Edges
Traversable and Non-Traversable Edge Types
Details on traversable and non-traversable edge types in BloodHound
Traversable Edges
Most edges in BloodHound are traversable, representing a relationship between two nodes where the starting node can take control of the ending node to a degree that allows an attacker to abuse outgoing edges. For example, consider the ForceChangePassword edge:
| AbuseTGTDelegation | CanPSRemote | HasSession |
| ADCSESC1 | CanRDP | HasTrustKeys |
| ADCSESC10a | ClaimSpecialIdentity | MemberOf |
| ADCSESC10b | CoerceAndRelayNTLMToADCS | Owns |
| ADCSESC13 | CoerceAndRelayNTLMToLDAP | OwnsLimitedRights |
| ADCSESC3 | CoerceAndRelayNTLMToLDAPS | ReadGMSAPassword |
| ADCSESC4 | CoerceAndRelayNTLMToSMB | ReadLAPSPassword |
| ADCSESC6a | CoerceToTGT | SameForestTrust |
| ADCSESC6b | Contains | SpoofSIDHistory |
| ADCSESC9a | DCFor | SQLAdmin |
| ADCSESC9b | DCSync | SyncedToEntraUser |
| AddAllowedToAct | DumpSMSAPassword | SyncLAPSPassword |
| AddKeyCredentialLink | ExecuteDCOM | WriteAccountRestrictions |
| AddMember | ForceChangePassword | WriteDacl |
| AddSelf | GPLink | WriteGPLink |
| AdminTo | GenericAll | WriteOwner |
| AllExtendedRights | GenericWrite | WriteOwnerLimitedRights |
| AllowedToAct | GoldenCert | WriteSPN |
| AllowedToDelegate | HasSIDHistory |
| AZAKSContributor | AZGetSecrets | AZNodeResourceGroup |
| AZAddMembers | AZGlobalAdmin | AZOwner |
| AZAddOwner | AZHasRole | AZOwns |
| AZAddSecret | AZKeyVaultContributor | AZPrivilegedAuthAdmin |
| AZAppAdmin | AZLogicAppContributor | AZPrivilegedRoleAdmin |
| AZAutomationContributor | AZMGAddMember | AZResetPassword |
| AZAvereContributor | AZMGAddOwner | AZRunsAs |
| AZCloudAppAdmin | AZMGAddSecret | AZUserAccessAdministrator |
| AZContains | AZMGGrantAppRoles | AZVMAdminLogin |
| AZContributor | AZMGGrantRole | AZVMContributor |
| AZExecuteCommand | AZManagedIdentity | AZWebsiteContributor |
| AZGetCertificates | AZMemberOf | SyncedToADUser |
| AZGetKeys |
Non-Traversable Edges
If you cannot abuse a given relationship between two nodes to take control of the end node, then the relationship is non-traversable. However, some non-traversable relationships can form a traversable relationship when combined. An example is the DCSync attack narrative. GetChanges and GetChangesAll permissions on the domain object combined enable you to perform the DCSync attack. GetChanges and GetChangesAll are non-traversable edges, and BloodHound uses them to produce the traversable DCSync edge in what we call the post-processing logic. Pathfinding includes only traversable edges. As a result, you might get a DCSync edge in a path like this:
| Contains | GetChangesInFilteredSet | OIDGroupLink |
| CrossForestTrust | GPLink | OwnsRaw |
| DelegatedEnrollmentAgent | HostsCAService | PublishedTo |
| Enroll | IssuedSignedBy | RemoteInteractiveLogonPrivilege |
| EnrollOnBehalfOf | LocalToComputer | RootCAFor |
| EnterpriseCAFor | ManageCA | TrustedForNTAuth |
| ExtendedByPolicy | ManageCertificates | WriteOwnerRaw |
| GetChanges | MemberOfLocalGroup | WritePKIEnrollmentFlag |
| GetChangesAll | NTAuthStoreFor | WritePKINameFlag |
| AZMGAppRoleAssignment_ReadWrite_All | AZMGGroup_ReadWrite_All |
| AZMGApplication_ReadWrite_All | AZMGRoleManagement_ReadWrite_Directory |
| AZMGDirectory_ReadWrite_All | AZMGServicePrincipalEndpoint_ReadWrite_All |
| AZMGGroupMember_ReadWrite_All |