Applies to BloodHound Enterprise and CE

Attack Path

A chain of abusable privileges and user behaviors that create direct and indirect connections between computers and users. In BloodHound, attack paths are visualized in the graph by nodes and edges. Learn more in What is Attack Path Management.
  • Identity-based attack path—An attack path that starts from an identity, that is, from an already authenticated principal. Helping visualize and manage these attack paths is BloodHound’s main goal.

Attack Path Management (APM)

The process of identifying, analyzing, and managing the attack paths that an adversary might exploit to reach high-value objects or compromise the network’s security. BloodHound helps visualize and manage attack paths through Attack Path Management.

Choke Point

A privilege or user behavior (called edges) that, like the driveway to a house, connects the rest of the environment through an object or collection of objects (called nodes). For example, any Edge into the collection of Tier Zero nodes is a Tier Zero Choke Point. This is a privilege or user behavior the adversary must abuse to compromise a Tier Zero object. Choke points are significant points of control and defense in the network security architecture. They represent the optimal location to block the largest number of attack paths. BloodHound Enterprise calculates exposure for all choke points.

Collector

A collector, collector client, or data collector is software that collects attack path-related data from a directory. For example, SharpHound and AzureHound.

Cypher

Cypher is a graph query language used to interact with BloodHound’s database. It’s similar to SQL for traditional databases. To use it, see Searching with Cypher.

Directory

A service that stores identities and their attributes, such as Active Directory (AD) and Entra ID (formerly Azure Active Directory). BloodHound collects data from these directories to build its graph of nodes and edges.

Edge

An edge is part of the graph construct and represents a relationship between two nodes, indicating some form of interaction. See About BloodHound Edges.

Enterprise Access Model (EAM)

A security framework developed by Microsoft that defines a privileged access strategy[1] with the ultimate goal of preventing privilege escalation through identity-based attack paths. In most cases, EAM supersedes and replaces tiering.

Escalation (ESC)

A series of Active Directory Certificate Services (ADCS) attack paths that BloodHound can detect. These are escalation techniques that abuse misconfigurations in certificate services.

Exposure

The percentage of principals in a directory with a Tier Zero attack path. It encompasses both principals with one-step paths (UserA -[ForceChangePassword]-> TierZero), and multi-step paths (UserA -[ForceChangePassword]-> UserB -[GenericAll]-> TierZero). BloodHound Enterprise calculates exposure for all choke points.

Finding

A specific instance of a vulnerability that an attacker could abuse to gain access to, and eventually take control of, a network. Each finding can be categorized as a specific attack path type. There are two types of findings in BloodHound:
  • List-based finding—A finding for a specific principal where the vulnerability is related to the principal itself, such as a misconfiguration. Because of this nature, list-based findings do not necessarily have an exposure metric (as they are theoretically completely exposed), but they will have an impact metric.
  • Relationship-based finding—A finding for a pair of principals—a target that is privileged (such as belonging to Tier Zero) and a source/origin that is not—that can be compromised by one or more connections between said principals. Each relationship-based finding may be composed of one or many individual attack paths. A relationship-based finding can have an exposure metric (the exposure risk of the source/origin principal being compromised) and an impact metric (the impact risk of the target principal being compromised).

FOSS

Stands for Free and Open Source Software. For example, “BloodHound CE is a FOSS project.”

Graph

The graph database used by BloodHound. It stores nodes and the edges (relationships) between them, and feeds BloodHound functionality like visualizing and understanding complex attack paths and environment risks.

Impact

Refers to a risk measurement that quantifies how much of your environment could be affected by an attack path. Specifically:
  • Impact count—The number of principals/objects that could be compromised through an attack path.
  • Impact percentage—The percentage of the environment that could be impacted by a specific identity vulnerability.
Impact is closely related to exposure, which measures the percentage of principals with a Tier Zero attack path. Together, these metrics help organizations prioritize remediation by understanding which attack paths pose the greatest risk.
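A worked illustration of how the exposure, choke point and impact metrics defined above can be computed over a small graph. This is an added example, not BloodHound’s own scoring code: the edge list, principal set and Tier Zero set are constructed, and impact is simplified to outbound reachability from a node.

```python
from collections import defaultdict, deque

# Constructed sample (not real BloodHound data): (source, edge, target) triples
# using BloodHound edge names. Only users and computers count as principals;
# groups (HelpDesk, Marketing, DomainAdmins) are objects but not principals.
SAMPLE_EDGES = [
    ("UserA", "ForceChangePassword", "UserB"),
    ("UserB", "GenericAll", "DomainAdmins"),
    ("UserC", "MemberOf", "HelpDesk"),
    ("HelpDesk", "GenericAll", "DomainAdmins"),
    ("UserD", "MemberOf", "Marketing"),
    ("DomainAdmins", "AdminTo", "DC01"),
    ("DomainAdmins", "AdminTo", "WS01"),
]
PRINCIPALS = {"UserA", "UserB", "UserC", "UserD", "UserE", "DC01", "WS01"}
TIER_ZERO = {"DomainAdmins", "DC01"}  # assumed Tier Zero selection

def adjacency(edges):
    adj = defaultdict(list)
    for src, kind, dst in edges:
        adj[src].append((kind, dst))
    return adj

def reachable(start, adj):
    """Nodes reachable from start by following edges outward (start excluded)."""
    seen, queue = set(), deque([start])
    while queue:
        for _, nxt in adj[queue.popleft()]:
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return seen

def exposed_principals(edges, principals, tier_zero):
    """Non-Tier Zero principals with a one- or multi-step path into Tier Zero."""
    adj = adjacency(edges)
    return {p for p in principals - tier_zero if reachable(p, adj) & tier_zero}

def exposure_pct(edges, principals, tier_zero):
    candidates = principals - tier_zero
    if not candidates:
        return 0.0
    exposed = exposed_principals(edges, principals, tier_zero)
    return round(100 * len(exposed) / len(candidates), 1)

def choke_points(edges, tier_zero):
    """Edges whose target is Tier Zero but whose source is not."""
    return [e for e in edges if e[2] in tier_zero and e[0] not in tier_zero]

def choke_point_exposure(choke, edges, principals, tier_zero):
    """Principals whose Tier Zero paths run through the choke point's source node."""
    src, adj = choke[0], adjacency(edges)
    return {p for p in principals - tier_zero if p == src or src in reachable(p, adj)}

def impact(node, edges, principals):
    """Simplified impact: (count, percentage) of nodes reachable once node is controlled."""
    all_nodes = {n for e in edges for n in (e[0], e[2])} | principals
    hit = reachable(node, adjacency(edges))
    return len(hit), round(100 * len(hit) / len(all_nodes), 1)
```

With the sample above, three of the six non-Tier Zero principals have a Tier Zero path (50% exposure), and the two `GenericAll` edges into `DomainAdmins` are the choke points; blocking the `UserB` edge removes the paths of `UserA` and `UserB`.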

Kind

The schema-level classification or label applied to nodes in the graph, analogous to an entity type, not an individual node instance. Examples of node kinds include users, computers, groups, and domains. See About BloodHound Nodes.

Node

A node is part of the graph construct and represents an entity in the environment as stored in the BloodHound graph. Nodes typically correspond to directory objects or other assets, such as users, computers, groups, or domains. Two nodes can be connected by an edge. See About BloodHound Nodes.

Object

A directory-level entity within Active Directory and Entra ID directories, such as users, groups, computers, organizational units (OUs), domains, and trusts. Objects exist in the directory service itself; many of them are also represented as nodes in the BloodHound graph. Each object represents a distinct element contributing to the network’s overall structure and security posture. An object can also be referred to as an “asset”.

Principal

A type of object that can authenticate and be assigned permissions within the environment, also known as a security principal. Examples of principals include users and computers in Active Directory and users, virtual machines, and service principal objects in Entra ID and Azure. Principals are typically represented as nodes in the graph and play a central role in identity attack path mechanisms.

Privilege

A level of access or permission a principal has on a specific object within the infrastructure. Privileges are generally more granular permissions that define how or to what extent a user or system can interact with specific resources, like reading, writing, or executing a file. While similar to rights, privileges focus on resource-specific actions and are a subset of broader rights.

Remediation

The process of fixing or mitigating security risks identified during the analysis of attack paths with BloodHound.

Rights

Rights are broad permissions granted to a user, group, or system to perform specific actions at a system or role level, such as logging in or accessing a network. They are sometimes used interchangeably with privileges but typically encompass higher-level abilities that define what someone can do across the system.

Tenant

Refers to a dedicated instance of BloodHound Enterprise (hosted and managed by SpecterOps) that contains its own data, configurations, and user access controls.

Tier Zero/High Value

The most critical and sensitive objects in the network, typically including domain controllers and other core infrastructure components. The term stems from tiering.

Tiering/Tier Model

The process of categorizing objects and privileges based on their criticality and importance to the organization. The term stems from Microsoft’s Active Directory tier model, which in most cases is superseded and replaced by the Enterprise Access Model. See Enterprise Access Model (EAM).