Documentation Index
Fetch the complete documentation index at: https://bloodhound.specterops.io/llms.txt
Use this file to discover all available pages before exploring further.
Attack Path
An Attack Path is a chain of abusable privileges and user behaviors that creates direct or indirect connections between principals. In BloodHound, Attack Paths are visualized in the graph with nodes and edges. Learn more in What is Attack Path Management.- Identity-based Attack Path—An Attack Path is based on identity or an already authenticated principal. BloodHound’s main goal is to help visualize and manage Attack Paths.
Attack Path Management (APM)
The process of identifying, analyzing, and managing the Attack Paths that an adversary might exploit to reach high-value objects or compromise the network’s security. BloodHound helps visualize and manage Attack Paths through Attack Path Management.Automatic Certification
A rule setting that determines how objects matching the rule criteria are certified. Can be configured as:- Direct Objects (only directly matched objects are certified automatically, excluding expansion results)
- All Objects (all objects including those from expansion are certified automatically)
- Off (all certification is manual). See also Certification.
Certification
An optional process in BloodHound Enterprise that interrupts automatic inclusion of objects in a zone by requiring manual approval before objects are fully recognized within the zone. Can be configured as automatic to allow certain objects to be certified without manual review.Choke Point
A privilege or user behavior (called edges) that, like the driveway to a house, connects the rest of the environment through an object or collection of objects (called nodes). For example, any Edge into the collection of Tier Zero nodes is a Tier Zero Choke Point. This is a privilege or user behavior the adversary must abuse to compromise a Tier Zero object. Choke points are significant points of control and defense in the network security architecture. They represent the optimal location to block the largest number of Attack Paths. BloodHound Enterprise calculates exposure for all choke points.Collector client
A collector client is a configuration object in your BloodHound Enterprise tenant that links your tenant to a collector application. It stores authentication and configuration details used by the collector application to upload data.Collector application
A collector application is software that collects Attack Path-related data from a directory and sends it to your BloodHound Enterprise tenant. Examples include SharpHound Enterprise and AzureHound Enterprise.Composite Edge
A composite edge is a derived relationship between two nodes that represents a group of underlying relationships condensed into a single, meaningful connection. BloodHound uses composite edges to simplify understanding of that complexity and surface Attack Paths that are not visible from any single relationship alone. Some attack techniques require a combination of permissions before they can be abused, so BloodHound models those combined conditions as one simplified relationship. For example, the DCSync edge requires a combination of permissions to create an abusable path. BloodHound models this as a composite edge, which allows it to surface Attack Paths that would otherwise be invisible if analysis relied only on directly collected relationships.Custom Glyph
A visual indicator that can be applied to zones to distinguish objects within that zone on the Explore page.Cypher
Cypher is a graph query language used to interact with BloodHound’s database. It’s similar to SQL for traditional databases. To use it, see Searching with Cypher.Directory
A service that stores identities and their attributes, such as Active Directory (AD) and Entra ID (formerly Azure Active Directory). BloodHound collects data from these directories to build its graph of nodes and edges.Edge
An edge is part of the graph construct and represents a relationship between two nodes, indicating some form of interaction. See About BloodHound Edges.Enterprise Access Model (EAM)
A security framework developed by Microsoft that defines a privileged access strategy[1] with the ultimate goal of preventing privilege escalation through identity-based Attack Paths. In most cases, EAM supersedes and replaces tiering.Escalation (ESC)
The process of exploiting vulnerabilities or misconfigurations to gain higher privileges or access levels than initially granted. In BloodHound, escalation encompasses various techniques an attacker can use to move from lower-privileged principals to higher-privileged ones or sensitive objects. BloodHound detects and visualizes escalations as Attack Paths to help organizations identify and remediate privilege escalation risks.Expansion
The automatic process by which BloodHound includes additional objects in a zone based on rule criteria. For example, unrolling group memberships to identify nested objects and tag them as zone members.Exposure
A risk measurement that quantifies the extent to which principals can reach a privileged asset through one or more Attack Paths. It encompasses all principals upstream of a finding’s source, including any principals that can reach the source through intermediaries. Exposure is measured in two ways:- Exposure count—The number of principals that can reach a privileged asset through one or more Attack Paths.
- Exposure percentage—The percentage of principals in an environment that have at least one Attack Path to a privileged asset.
Finding
A finding is a specific subsection of an Attack Path that BloodHound Enterprise has identified as a high-value remediation point. Findings can be relationship-based (abusable paths between principals) or principal-based (risky configurations on a principal). An attack path is the route. A finding is the identified risk instance tied to that route. Each finding can be categorized as a specific Attack Path type. There are two types of findings in BloodHound Enterprise:- Relationship-based finding A relationship-based finding identifies a directional path from a lower-privileged source principal to a privileged target asset. The path represents one or more abusable connections (potentially through intermediate principals or objects) through which the source principal can take control of the target. A single finding may include multiple Attack Paths when different intermediate nodes all enable the same type of access from source to target. Relationship-based findings can have an exposure metric and an impact metric.
- List-based finding A list-based finding identifies a vulnerability in a specific principal where the risk originates from the principal itself (like a misconfiguration). Because the vulnerability is inherent to the principal and not based on its connection to other principals, there is no exposure to measure. List-based findings do not have an exposure metric, but they will have an impact metric.
FOSS
Stands for Free and Open Source Software. For example, “BloodHound CE is a FOSS project.”Graph
The graph database used by BloodHound. It stores the relationships between nodes and edges and feeds BloodHound functionality like visualizing and understanding complex Attack Paths and environment risks.History Log
An audit log in Zone Builder that tracks changes made to zones and labels over time, including who made the change and when.Hygiene
A zone-agnostic, list-based finding that identifies issues not tied to a specific privilege zone. Examples include dangerous relationships originating from broadly populated default groups. Hygiene findings are displayed separately in a dedicated filter view on the Attack Path and Posture pages.Impact
A risk measurement that quantifies potential blast radius if a finding is abused. Impact is measured in two ways:- Impact count—The number of principals that could be compromised through an Attack Path.
- Impact percentage—The percentage of the environment that could be impacted by a specific identity vulnerability.