Applies to BloodHound Enterprise and CE

Traversable Edges

Most edges in BloodHound are traversable, representing a relationship between two nodes where the starting node can take control of the ending node to a degree that allows an attacker to abuse outgoing edges. For example, consider the ForceChangePassword edge:
The Service Desk group has permission to force change the password of Bob without knowing Bob’s current password. An attacker can abuse this to change the password, log in as Bob, and exploit Bob’s privileges. Traversable edges like ForceChangePassword facilitate graph traversal and enable the pathfinding logic in BloodHound. These are the traversable AD edge types in BloodHound:
AbuseTGTDelegationCanPSRemoteHasSession
ADCSESC1CanRDPHasTrustKeys
ADCSESC10aClaimSpecialIdentityMemberOf
ADCSESC10bCoerceAndRelayNTLMToADCSOwns
ADCSESC13CoerceAndRelayNTLMToLDAPOwnsLimitedRights
ADCSESC3CoerceAndRelayNTLMToLDAPSReadGMSAPassword
ADCSESC4CoerceAndRelayNTLMToSMBReadLAPSPassword
ADCSESC6aCoerceToTGTSameForestTrust
ADCSESC6bContainsSpoofSIDHistory
ADCSESC9aDCForSQLAdmin
ADCSESC9bDCSyncSyncedToEntraUser
AddAllowedToActDumpSMSAPasswordSyncLAPSPassword
AddKeyCredentialLinkExecuteDCOMWriteAccountRestrictions
AddMemberForceChangePasswordWriteDacl
AddSelfGPLinkWriteGPLink
AdminToGenericAllWriteOwner
AllExtendedRightsGenericWriteWriteOwnerLimitedRights
AllowedToActGoldenCertWriteSPN
AllowedToDelegateHasSIDHistory
These are the traversable Azure edge types in BloodHound:
AZAKSContributorAZGetSecretsAZNodeResourceGroup
AZAddMembersAZGlobalAdminAZOwner
AZAddOwnerAZHasRoleAZOwns
AZAddSecretAZKeyVaultContributorAZPrivilegedAuthAdmin
AZAppAdminAZLogicAppContributorAZPrivilegedRoleAdmin
AZAutomationContributorAZMGAddMemberAZResetPassword
AZAvereContributorAZMGAddOwnerAZRunsAs
AZCloudAppAdminAZMGAddSecretAZUserAccessAdministrator
AZContainsAZMGGrantAppRolesAZVMAdminLogin
AZContributorAZMGGrantRoleAZVMContributor
AZExecuteCommandAZManagedIdentityAZWebsiteContributor
AZGetCertificatesAZMemberOfSyncedToADUser
AZGetKeys

Non-Traversable Edges

If you cannot abuse a given relationship between two nodes to take control of the end node, then the relationship is non-traversable. However, some non-traversable relationships can form a traversable relationship when combined. An example is the DCSync attack narrative. GetChanges and GetChangesAll permissions on the domain object combined enable you to perform the DCSync attack. GetChanges and GetChangesAll are non-traversable edges, and BloodHound uses them to produce the traversable DCSync edge in what we call the post-processing logic. Pathfinding includes only traversable edges. As a result, you might get a DCSync edge in a path like this:
But you will not see any GetChanges or GetChangesAll edge. However, you can use Cypher to reveal the GetChanges and GetChangeAll edges that the DCSync edge relies on:
These are the non-traversable AD edge types in BloodHound:
ContainsGetChangesInFilteredSetOIDGroupLink
CrossForestTrustGPLinkOwnsRaw
DelegatedEnrollmentAgentHostsCAServicePublishedTo
EnrollIssuedSignedByRemoteInteractiveLogonPrivilege
EnrollOnBehalfOfLocalToComputerRootCAFor
EnterpriseCAForManageCATrustedForNTAuth
ExtendedByPolicyManageCertificatesWriteOwnerRaw
GetChangesMemberOfLocalGroupWritePKIEnrollmentFlag
GetChangesAllNTAuthStoreForWritePKINameFlag
These are the non-traversable Azure edge types in BloodHound:
AZMGAppRoleAssignment_ReadWrite_AllAZMGGroup_ReadWrite_All
AZMGApplication_ReadWrite_AllAZMGRoleManagement_ReadWrite_Directory
AZMGDirectory_ReadWrite_AllAZMGServicePrincipalEndpoint_ReadWrite_All
AZMGGroupMember_ReadWrite_All