+
- Welcome to BloodHound, what is it and its terminology? Find FAQ, release notes, community, support.
+ Learn about BloodHound, how to get started, and its security boundaries.
- Deploying a BloodHound instance (database and GUI) and the Enterprise collectors; SharpHound Enterprise and AzureHound Enterprise.
-
-
- How attack path data collection and ingestion works, and how to run attack path data collection.
+ Deploy SharpHound Enterprise or AzureHound Enterprise to collect and upload data for processing and analysis.
+
+ Learn how attack path data collection and ingestion works, and how to run attack path data collections.
+
- Analyzing ingested BloodHound data, identify and remediating attack paths/risks.
+ Analyzing ingested BloodHound data, and identify and remediate attack paths and risks.
- Administering a BloodHound instance and it's related components; users, roles, authentication, collector status, and general security.
+ Manage a BloodHound instance and its related components, such as users, roles, authentication, collector status, and general security.
- Interacting with BloodHound through it's REST API and integrations which uses the API.
+ Build with BloodHound through its REST API and integrations.
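Review bot: the new analysis line (`+ Analyzing ingested BloodHound data, and identify and remediate attack paths and risks.`) mixes a gerund with imperatives, while every other new line in this hunk is imperative ("Learn", "Deploy", "Manage", "Build"); make it `Analyze ingested BloodHound data, and identify and remediate attack paths and risks.` Note also that the replaced collectors line drops "Deploying a BloodHound instance (database and GUI)" from its scope, which matches the removal of the BloodHound Enterprise and CE deployment cards from install-data-collector/overview.mdx further down, so the "get started" line is now the only place on this index that can route readers who need to stand up a BloodHound instance; make sure it actually does.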
diff --git a/docs/install-data-collector/install-azurehound/azure-configuration.mdx b/docs/install-data-collector/install-azurehound/azure-configuration.mdx
index c34b0e9e44..139a57e67b 100644
--- a/docs/install-data-collector/install-azurehound/azure-configuration.mdx
+++ b/docs/install-data-collector/install-azurehound/azure-configuration.mdx
@@ -3,9 +3,7 @@ title: AzureHound Enterprise Azure Configuration
description: "This section details creating and configuring an Enterprise Application for AzureHound within Azure, including permissions, roles, and authentication."
---
-
-
-
+
## Create the AzureHound Enterprise app
diff --git a/docs/install-data-collector/install-azurehound/create-configuration.mdx b/docs/install-data-collector/install-azurehound/create-configuration.mdx
index ffbfad61c7..f3a56d272f 100644
--- a/docs/install-data-collector/install-azurehound/create-configuration.mdx
+++ b/docs/install-data-collector/install-azurehound/create-configuration.mdx
@@ -2,9 +2,7 @@
title: Create an AzureHound Configuration
---
-
-
-
+
_
You will need your Tenant ID and Application ID from completing [AzureHound Enterprise Azure Configuration](/install-data-collector/install-azurehound/azure-configuration) prior to beginning this process.
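Review bot: the lone `_` on the line directly above "You will need your Tenant ID ..." (unchanged context) is an orphaned emphasis marker and renders as a literal underscore in MDX; since this hunk already reworks the leading whitespace of the file, either wrap the sentence in matching markers (`_You will need ... prior to beginning this process._`) or delete the stray `_`.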
diff --git a/docs/install-data-collector/install-azurehound/installation-options.mdx b/docs/install-data-collector/install-azurehound/installation-options.mdx
index 46c861fc68..3bab15f441 100644
--- a/docs/install-data-collector/install-azurehound/installation-options.mdx
+++ b/docs/install-data-collector/install-azurehound/installation-options.mdx
@@ -2,9 +2,7 @@
title: Install and Upgrade AzureHound (Windows, Docker, or Kubernetes)
---
-
-
-
+
_You will need your AzureHound Enterprise configuration file from [Create an AzureHound Configuration](/install-data-collector/install-azurehound/create-configuration) prior to beginning this process.
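Review bot: the context line `_You will need your AzureHound Enterprise configuration file ... prior to beginning this process.` opens italics with `_` but never closes them, so the underscore shows up verbatim; add the closing `_` after "process." or drop the opening one. This is the same pattern as the lone `_` in create-configuration.mdx earlier in the patch.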
diff --git a/docs/install-data-collector/install-azurehound/multiple-collectors.mdx b/docs/install-data-collector/install-azurehound/multiple-collectors.mdx
index e826db8806..8c95792a0f 100644
--- a/docs/install-data-collector/install-azurehound/multiple-collectors.mdx
+++ b/docs/install-data-collector/install-azurehound/multiple-collectors.mdx
@@ -2,9 +2,7 @@
title: Running multiple AzureHound Enterprise collectors on one server with Scheduled Tasks
---
-
-
-
+
## Purpose
diff --git a/docs/install-data-collector/install-azurehound/system-requirements.mdx b/docs/install-data-collector/install-azurehound/system-requirements.mdx
index 58a457d0ab..8b9cd38b97 100644
--- a/docs/install-data-collector/install-azurehound/system-requirements.mdx
+++ b/docs/install-data-collector/install-azurehound/system-requirements.mdx
@@ -2,9 +2,8 @@
title: AzureHound Enterprise System Requirements and Deployment Process
---
-
-
-
+
+
The AzureHound Enterprise service is a critical element in your deployment that collects and uploads data about your Azure environment to your BloodHound Enterprise tenant for processing and analysis.
diff --git a/docs/install-data-collector/install-sharphound/create-gmsa.mdx b/docs/install-data-collector/install-sharphound/create-gmsa.mdx
index 4317d558d9..dfd0949647 100644
--- a/docs/install-data-collector/install-sharphound/create-gmsa.mdx
+++ b/docs/install-data-collector/install-sharphound/create-gmsa.mdx
@@ -2,9 +2,8 @@
title: Create a gMSA for use with SharpHound Enterprise
---
-
-
-
+
+
Group Managed Service Accounts (gMSA) are managed domain accounts that provide automatic password management, simplified service principal name (SPN) management, and the ability to delegate the management to other objects.
Detailed software requirements from Microsoft are available [here](https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/hh831782(v=ws.11)#software-requirements).
@@ -111,7 +110,7 @@ Perform the following steps from/against a writeable Domain Controller.
2. Grant the gMSA the "Log on as a service" User Rights Assignment on the SharpHound Enterprise server. This can for example be done through \`secpol.msc\`, or policy deployment methods like a GPO.
-3. Optional: Test that the SharpHound Enterprise server can retrieve the gMSA password, see _[Test the gMSA (optional)](#h_01HBG90GWZDZZ3KE4FPGAKFF1Y)
+3. Optional: Test that the SharpHound Enterprise server can retrieve the gMSA password, see Test the gMSA.
_
4. The gMSA is now ready to be used on the SharpHound Enterprise server. Follow [Install and Upgrade SharpHound Enterprise](/install-data-collector/install-sharphound/installation-upgrade) to complete the installation of the SharpHound Enterprise service.
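Review bot: the rewrite of step 3 removes the opening `_` that preceded the old link but leaves its closing `_` on the next line (the unchanged context line containing only `_`), so the page now carries an orphaned underscore; delete that line as part of this hunk. More generally, turning `[Test the gMSA (optional)](#h_01HBG90GWZDZZ3KE4FPGAKFF1Y)` into the plain text "see Test the gMSA." loses the in-page jump for no reason: headings get slug anchors generated from their text, and local-configuration.mdx in this same patch already relies on that (`[settings.json](#settings-json)`), so `[Test the gMSA (optional)](#test-the-gmsa-optional)` would keep the link working. The same fix applies to every `#h_...` link this patch converts to plain text.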
diff --git a/docs/install-data-collector/install-sharphound/installation-upgrade.mdx b/docs/install-data-collector/install-sharphound/installation-upgrade.mdx
index aa6244b494..cbfdb8fa4b 100644
--- a/docs/install-data-collector/install-sharphound/installation-upgrade.mdx
+++ b/docs/install-data-collector/install-sharphound/installation-upgrade.mdx
@@ -2,15 +2,14 @@
title: Install and Upgrade SharpHound Enterprise
---
-
-
-
+
+
## Purpose
This article outlines how to:
-* [Install SharpHound Enterprise](#h_01J8R1CP6JCXSCYRBWGZCN3KYR)
-* [Upgrade the SharpHound Enterprise](#h_01HF6RH9VBHXVPR4M1QKAFHSQN)
+* Install SharpHound Enterprise
+* Upgrade the SharpHound Enterprise
BHE users may use it during SharpHound Enterprise deployment or upgrades.
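Review bot: `+* Upgrade the SharpHound Enterprise` carries a stray "the" (inherited from the old link text); this is the moment to make it `Upgrade SharpHound Enterprise`. The two bullets under "This article outlines how to:" are now bare section names; slug anchors derived from the headings (`#install-sharphound-enterprise`, `#upgrade-sharphound-enterprise`, assuming those are the heading texts) preserve the navigation the removed `#h_...` anchors provided.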
@@ -77,7 +76,7 @@ BHE users may use it during SharpHound Enterprise deployment or upgrades.
-13. The "SharpHoundDelegator" service has now been installed. If you don't see the service, see the headline: [I don't see the SHDelegator Service](#h_01GECRFRNEMXKS76D21VFYBK5C)
+13. The "SharpHoundDelegator" service has now been installed. If you don't see the service, see the section _I don't see the SHDelegator Service_.
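Review bot: the rewritten step 13 names the service "SharpHoundDelegator" but sends the reader to a section titled "I don't see the SHDelegator Service"; the two names refer to the same thing but a reader searching the page for one will not find the other. With the link replaced by italic text there is also nothing left that would flag the reference if the section heading is later reworded, so either align the two names or keep a slug-anchor link to the section so that a broken anchor surfaces in the build rather than silently in the rendered page.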
@@ -90,7 +89,7 @@ BHE users may use it during SharpHound Enterprise deployment or upgrades.
* Set "RestEndpoint" to the BloodHound Enterprise domain name in the format: "CODENAME.bloodhoundenterprise.io". This is the domain that the service connects to.
* If using a proxy, set "Proxy" to the proxy name and port in the format: "proxy.acme.com:8080"
* [Create a BloodHound Enterprise collector client](/collect-data/enterprise-collection/create-collector), and then in "auth.json" set "Token" and "TokenID" to the values given after you created the client. This is the secret that the service authenticates with.
-17. Start the service. If service start fails see the headline: [The SharpHound Delegator Service won't start](#h_01GECRNKQG8YEXEEEDHTE4CG1B)
+17. Start the service. If service start fails see the section _The SharpHound Delegator Service won't start_
18. Return to BloodHound Enterprise, and you should see the client reporting "🟢 Ready"
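Review bot: the new step 17 drops the sentence-ending period (`... see the section _The SharpHound Delegator Service won't start_`), whereas the equivalent step 9 in the upgrade section of the same file keeps it; add the period. This cross-reference is also worth keeping as a real link rather than italic text: the step is where `auth.json` `Token`/`TokenID` mistakes surface, and it is exactly where a reader wants to jump straight to the troubleshooting heading.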
@@ -123,7 +122,7 @@ BHE users may use it during SharpHound Enterprise deployment or upgrades.
8. SharpHound Enterprise has now been upgraded.
-9. Start the "SharpHound Delegator" service. If you can't start the service, see the headline: [The SharpHound Delegator Service won't start](#h_01GECRNKQG8YEXEEEDHTE4CG1B)
+9. Start the "SharpHound Delegator" service. If you can't start the service, see the section _The SharpHound Delegator Service won't start_.
### Common installation issues
diff --git a/docs/install-data-collector/install-sharphound/local-configuration.mdx b/docs/install-data-collector/install-sharphound/local-configuration.mdx
index c79fdf8208..45f9d7a58d 100644
--- a/docs/install-data-collector/install-sharphound/local-configuration.mdx
+++ b/docs/install-data-collector/install-sharphound/local-configuration.mdx
@@ -2,9 +2,7 @@
title: SharpHound Enterprise Local Configuration
---
-
-
-
+
The local configuration of SharpHound Enterprise occurs within two files: [settings.json](#settings-json) and [auth.json](#auth-json), their file paths can be found in the table below. Note that %AppData% is the directory of the service account: "C:\\Users\\SERVICE_ACCOUNT$\\AppData\\Roaming".
diff --git a/docs/install-data-collector/install-sharphound/modify-service-account.mdx b/docs/install-data-collector/install-sharphound/modify-service-account.mdx
index 98ac8553ba..28cea07a3c 100644
--- a/docs/install-data-collector/install-sharphound/modify-service-account.mdx
+++ b/docs/install-data-collector/install-sharphound/modify-service-account.mdx
@@ -2,9 +2,8 @@
title: Modify the service account used by SharpHound Enterprise
---
-
-
-
+
+
SharpHound Enterprise utilizes the Windows Service manager to handle authentication. In certain cases, you may need to modify the user account utilized by the SharpHound Enterprise service. The steps to perform that modification are as follows.
1. Log into your SharpHound Enterprise server.
diff --git a/docs/install-data-collector/install-sharphound/system-requirements.mdx b/docs/install-data-collector/install-sharphound/system-requirements.mdx
index d1ce4dcda7..815739688d 100644
--- a/docs/install-data-collector/install-sharphound/system-requirements.mdx
+++ b/docs/install-data-collector/install-sharphound/system-requirements.mdx
@@ -2,9 +2,7 @@
title: SharpHound Enterprise System Requirements and Deployment Process
---
-
-
-
+
The SharpHound Enterprise service is a critical element in your deployment that collects and uploads data about your environment to your BloodHound Enterprise instance for processing and analysis.
diff --git a/docs/install-data-collector/install-sharphound/tenant-configuration.mdx b/docs/install-data-collector/install-sharphound/tenant-configuration.mdx
index 9198fa180b..d66bf22107 100644
--- a/docs/install-data-collector/install-sharphound/tenant-configuration.mdx
+++ b/docs/install-data-collector/install-sharphound/tenant-configuration.mdx
@@ -2,9 +2,7 @@
title: SharpHound Enterprise Tenant Configuration
---
-
-
-
+
## Configuration location
1. Tenant configuration of SharpHound Enterprise occurs within the Config -> Administration -> Manage clients view.
@@ -33,7 +31,7 @@ Opens the client modification dialog, providing multiple options:
| **Option** | **Description** |
| --- | --- |
| Client Name | An identifiable name for the collector. Many customers utilize the name of the domain it collects from or the system it runs on. |
-| Collection Schedule | Click the + sign to add a new schedule or the - sign to delete a schedule. See [Collection Scheduling](#h_01GECVQCVDK8KMMENQ4D7J0NKH) for more. |
+| Collection Schedule | Click the + sign to add a new schedule or the - sign to delete a schedule. |
| Advanced Options -> Domain Controller | By default, SharpHound automatically selects a Domain Controller for LDAP queries. Specifying a Domain Controller hostname or FQDN here will define the default value utilized on all scheduled collections.
We recommend not configuring a Domain Controller manually. |
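Review bot: the Collection Schedule row drops the pointer "See Collection Scheduling for more." outright instead of relinking it; if the Collection Scheduling section still exists on this page, keep the sentence with a slug anchor (`#collection-scheduling`) so the reader knows where the schedule semantics are documented. While touching this table, note that the unchanged Domain Controller row below spills its last sentence onto a second line (`We recommend not configuring a Domain Controller manually. |`), which breaks the markdown table row; fold it back into the cell, for example with a `<br/>`.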
diff --git a/docs/install-data-collector/install-sharphound/tiered-collector-strategy.mdx b/docs/install-data-collector/install-sharphound/tiered-collector-strategy.mdx
index f778be4b4d..e3344dcc15 100644
--- a/docs/install-data-collector/install-sharphound/tiered-collector-strategy.mdx
+++ b/docs/install-data-collector/install-sharphound/tiered-collector-strategy.mdx
@@ -2,9 +2,7 @@
title: Deploying a tiered SharpHound Enterprise collector strategy
---
-
-
-
+
## Purpose
diff --git a/docs/install-data-collector/install-sharphound/troubleshooting.mdx b/docs/install-data-collector/install-sharphound/troubleshooting.mdx
index a45712a9db..f58a28acda 100644
--- a/docs/install-data-collector/install-sharphound/troubleshooting.mdx
+++ b/docs/install-data-collector/install-sharphound/troubleshooting.mdx
@@ -2,9 +2,7 @@
title: Troubleshooting Local Collection Coverage
---
-
-
-
+
SharpHound collects data from domain-joined systems utilizing SMB/RPC on port 445/TCP and requires the account running SharpHound (e.g., the SharpHound Enterprise gMSA) to have local administrator membership on each system in scope, see [SharpHound Data Collection and Permissions](/collect-data/enterprise-collection/permissions).
diff --git a/docs/install-data-collector/overview.mdx b/docs/install-data-collector/overview.mdx
index 7ba7afae8f..2d80ddb913 100644
--- a/docs/install-data-collector/overview.mdx
+++ b/docs/install-data-collector/overview.mdx
@@ -1,16 +1,13 @@
---
-title: Deployment
+title: Install Data Collectors
mode: wide
sidebarTitle: Overview
---
-Deploying a BloodHound instance (database and GUI) and the Enterprise collectors; SharpHound Enterprise and AzureHound Enterprise.
+Get started with SharpHound Enterprise or AzureHound Enterprise for continuous, automatic collection of attack path data.
-## Deploying BloodHound Enterprise
- Explore the security features of BloodHound Enterprise
-
-## Deploying SharpHound Enterprise
+## Install SharpHound Enterprise
System requirements and deployment process for SharpHound Enterprise
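Review bot: the title moves from "Deployment" to "Install Data Collectors" and the "Deploying BloodHound Enterprise" card (`Explore the security features of BloodHound Enterprise`) is removed; the patch does add a "Securing BloodHound and collectors" link under manage-bloodhound/overview.mdx, so the destination is not lost, but the intro line `Get started with SharpHound Enterprise or AzureHound Enterprise ...` should also say where readers go to deploy or secure the BloodHound instance itself, since this overview used to be that entry point.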
@@ -23,7 +20,7 @@ Deploying a BloodHound instance (database and GUI) and the Enterprise collectors
[See all 8 articles](/install-data-collector/install-sharphound/overview)
-## Deploying AzureHound Enterprise
+## Install AzureHound Enterprise
System requirements and deployment process for AzureHound Enterprise
@@ -32,10 +29,3 @@ Deploying a BloodHound instance (database and GUI) and the Enterprise collectors
Guide for installing and upgrading AzureHound on various platforms How to run multiple AzureHound Enterprise collectors using Scheduled Tasks
-
-## Deploying BloodHound CE
-
-
- Learn how to install BloodHound Community Edition using Docker Compose
-
-
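Review bot: removing the "Deploying BloodHound CE" card (`Learn how to install BloodHound Community Edition using Docker Compose`) leaves this overview with no route to the CE install page, and the mint.json hunk in this patch does not remove that page, so it still exists in the build. If the intent is that this section is Enterprise-collector only, link the CE Docker Compose page from the new get-started area instead; otherwise keep the card. Also, the unchanged context line above runs two card descriptions together (`... on various platforms How to run multiple AzureHound Enterprise collectors ...`), which looks like a missing separator between two cards.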
diff --git a/docs/integrations/bloodhound-api/json-formats.mdx b/docs/integrations/bloodhound-api/json-formats.mdx
index 728b716f40..796570d323 100644
--- a/docs/integrations/bloodhound-api/json-formats.mdx
+++ b/docs/integrations/bloodhound-api/json-formats.mdx
@@ -2,9 +2,7 @@
title: BloodHound JSON Formats
---
-
-
-
+
BloodHound requires collected data to be in in a specific JSON format, which is documented in this article.
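Review bot: the context line `BloodHound requires collected data to be in in a specific JSON format` has a doubled "in"; since this hunk already edits the top of the file, fix it here.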
diff --git a/docs/integrations/bloodhound-api/working-with-api.mdx b/docs/integrations/bloodhound-api/working-with-api.mdx
index 9c5d01236f..cb7025095b 100644
--- a/docs/integrations/bloodhound-api/working-with-api.mdx
+++ b/docs/integrations/bloodhound-api/working-with-api.mdx
@@ -2,9 +2,7 @@
title: Working with the BloodHound API
---
-
-
-
+
The BloodHound product family are API-first products, meaning everything functions on the underlying API layer. All data displayed in the portal, all commands given to SharpHound or AzureHound Enterprise collectors, and all data uploaded pass through the BloodHound APIs. Customers may utilize these APIs to extend the use of the BloodHound product to function with other tools in their environment. This article will show how to access the API and include some example use cases.
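Review bot: subject-verb agreement in the context line `The BloodHound product family are API-first products`; "family" is singular, so `The BloodHound product family is API-first`. Worth folding into this hunk since it already touches the lines immediately above.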
diff --git a/docs/integrations/integrations/overview.mdx b/docs/integrations/integrations/overview.mdx
index 6166296efc..8522026ada 100644
--- a/docs/integrations/integrations/overview.mdx
+++ b/docs/integrations/integrations/overview.mdx
@@ -2,9 +2,7 @@
title: Overview of BloodHound Integrations
---
-
-
-
+
# Integrations Overview
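Review bot: the page keeps a markdown H1 (`# Integrations Overview`) beneath a frontmatter `title: Overview of BloodHound Integrations`; with mint.json driving the site, the frontmatter title is rendered as the page heading, so the H1 produces a second, differently worded heading directly under it. Drop the H1 or demote it to `##`.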
diff --git a/docs/integrations/integrations/splunk.mdx b/docs/integrations/integrations/splunk.mdx
index 600cfa6f36..42d4740e40 100644
--- a/docs/integrations/integrations/splunk.mdx
+++ b/docs/integrations/integrations/splunk.mdx
@@ -2,9 +2,7 @@
title: Integrate BloodHound Enterprise with Splunk
---
-
-
-
+
The BloodHound Enterprise Splunk app allows you to view and analyze BloodHound Enterprise data in Splunk. This integration provides:
diff --git a/docs/integrations/overview.mdx b/docs/integrations/overview.mdx
index f2320f5b65..143a7aa0d3 100644
--- a/docs/integrations/overview.mdx
+++ b/docs/integrations/overview.mdx
@@ -1,6 +1,6 @@
---
title: API and Integrations
-description: "Interacting with BloodHound through it's REST API and integrations which uses the API."
+description: "Leverage BloodHound's REST API and third-party integrations to extend functionality and maximize your security infrastructure investments."
mode: wide
sidebarTitle: Overview
---
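Review bot: the new description (`Leverage BloodHound's REST API and third-party integrations to extend functionality and maximize your security infrastructure investments.`) reads as marketing copy; `description` is used for the page summary and search snippets, so it should state what the section documents. Something factual along the lines of `Interact with BloodHound through its REST API and the integrations built on it.` keeps the old meaning while fixing the grammar the old line had.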
diff --git a/docs/manage-bloodhound/auth/mfa.mdx b/docs/manage-bloodhound/auth/mfa.mdx
index b07c169efa..2c766c6b70 100644
--- a/docs/manage-bloodhound/auth/mfa.mdx
+++ b/docs/manage-bloodhound/auth/mfa.mdx
@@ -2,9 +2,7 @@
title: Enable/Disable Multi-Factor Authentication
---
-
-
-
+
## Purpose
@@ -27,8 +25,8 @@ This article describes how to enable/disable Multi-Factor Authentication (MFA) f
4. Continue in one of the two headings below:
- * [Enabling MFA](#h_01HTJDE0SANNG8DTEBVWK03RB2)
- * [Disabling MFA](#h_01HTJDE5C3X0QXRDZWPA8XM0G9)
+ * Enabling MFA
+ * Disabling MFA
### **Enabling MFA**
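Review bot: the two bullets under "Continue in one of the two headings below:" are now plain text, so a reader has to scroll for the heading; the headings `### **Enabling MFA**` and (presumably) `### **Disabling MFA**` have generated slug anchors, so `* [Enabling MFA](#enabling-mfa)` and `* [Disabling MFA](#disabling-mfa)` restore the jump without the dead `#h_...` IDs.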
diff --git a/docs/manage-bloodhound/auth/oidc.mdx b/docs/manage-bloodhound/auth/oidc.mdx
index 95b8406c28..cd7dc3896f 100644
--- a/docs/manage-bloodhound/auth/oidc.mdx
+++ b/docs/manage-bloodhound/auth/oidc.mdx
@@ -2,9 +2,7 @@
title: OIDC in BloodHound
description: 'BloodHound supports OIDC for Single Sign On to authenticate users to your tenant environment.'
---
-
-
-
+
This integration only provides authentication; user creation and role management will still occur within BloodHound's "Manage Users" interface.
@@ -33,7 +31,7 @@ If your IDP supports custom icons for configured applications, please feel free
## Create the OIDC Configuration
-Before proceeding, please make sure you have set up an Identity Provider for BloodHound as described in the [Order of Operations](#h_01HCX8STC6B053TQJ72YQVDZSC).
+Before proceeding, please make sure you have set up an Identity Provider for BloodHound as described in the Order of Operations section.
1. While logged in as an Administrator, click on the gear icon in the top right, then click "Administration."
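Review bot: the removed anchor here (`#h_01HCX8STC6B053TQJ72YQVDZSC`) is the exact same ID the SAML page's "Order of Operations" link used (see the saml.mdx hunk later in this patch), which suggests the OIDC page inherited the SAML page's heading IDs when it was copied; replacing it with a slug anchor generated from this page's own heading (`[Order of Operations](#order-of-operations)`) fixes that properly, whereas plain text "the Order of Operations section" just hides it.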
diff --git a/docs/manage-bloodhound/auth/saml-adfs.mdx b/docs/manage-bloodhound/auth/saml-adfs.mdx
index 29490627d8..d3c806ea90 100644
--- a/docs/manage-bloodhound/auth/saml-adfs.mdx
+++ b/docs/manage-bloodhound/auth/saml-adfs.mdx
@@ -3,9 +3,7 @@ title: "SAML: ADFS Configuration"
description: "This document provides instructions for creating an application within ADFS for compatibility with BloodHound Enterprise."
---
-
-
-
+
For general instructions on adding a SAML provider to BloodHound Enterprise or for configuring users to utilize a SAML provider, see [SAML in BloodHound Enterprise](/manage-bloodhound/auth/saml).
diff --git a/docs/manage-bloodhound/auth/saml-okta.mdx b/docs/manage-bloodhound/auth/saml-okta.mdx
index 2237aeaf23..f40b62151c 100644
--- a/docs/manage-bloodhound/auth/saml-okta.mdx
+++ b/docs/manage-bloodhound/auth/saml-okta.mdx
@@ -3,9 +3,7 @@ title: "SAML: Okta Configuration"
description: "This document provides instructions for creating an application within Okta for compatibility with BloodHound Enterprise."
---
-
-
-
+
For general instructions on adding a SAML provider to BloodHound Enterprise, or for configuring users to utilize a SAML provider, see [SAML in BloodHound Enterprise](/manage-bloodhound/auth/saml).
diff --git a/docs/manage-bloodhound/auth/saml.mdx b/docs/manage-bloodhound/auth/saml.mdx
index d1ec025aeb..77fe3c834e 100644
--- a/docs/manage-bloodhound/auth/saml.mdx
+++ b/docs/manage-bloodhound/auth/saml.mdx
@@ -3,9 +3,7 @@ title: SAML in BloodHound
description: "BloodHound supports SAML 2.0 for Single Sign On to authenticate users to your tenant environment."
---
-
-
-
+
This integration provides authentication only, user creation and role management will still occur from within BloodHound's "Manage Users" interface.
@@ -24,7 +22,7 @@ Currently, BloodHound requires the configuration of SAML system in the following
* [SAML: Auth0 Configuration](/manage-bloodhound/auth/saml-auth0)
* [SAML: Entra ID Configuration](/manage-bloodhound/auth/saml-entra-id)
* [SAML: Google IDP Configuration](/manage-bloodhound/auth/saml-google)
-3. [Create the SAML Configuration in BloodHound](#h_01HCX8STC69AP9T3TSXRRPJGJW).
+3. Create the SAML Configuration in BloodHound.
4. [Create new users or modify existing users](/manage-bloodhound/auth/users-and-roles) to utilize the newly created SAML provider.
* You must ensure SAML users do not share email with built-in users.
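Review bot: step 3 is in a numbered procedure whose other steps are links (steps 2 and 4 link to the IdP pages and to users-and-roles), so a bare `3. Create the SAML Configuration in BloodHound.` stands out; `3. [Create the SAML Configuration in BloodHound](#create-the-saml-configuration)` matches the heading `## Create the SAML Configuration` on this same page and keeps the list consistent. The unchanged sub-bullet `You must ensure SAML users do not share email with built-in users.` is the one security-relevant constraint in this procedure and would read better as a short warning rather than an indented aside, but that is outside this hunk.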
@@ -46,7 +44,7 @@ If your IDP supports custom icons for configured applications, please feel free
## Create the SAML Configuration
-Ensure you have configured an Identity Provider for BloodHound as described in [Order of Operations](#h_01HCX8STC6B053TQJ72YQVDZSC) before proceeding.
+Ensure you have configured an Identity Provider for BloodHound as described in Order of Operations before proceeding.
1. While logged in as an Administrator, click on the gear icon in the top right, then click "Administration."
diff --git a/docs/manage-bloodhound/auth/users-and-roles.mdx b/docs/manage-bloodhound/auth/users-and-roles.mdx
index a16a702b4f..8a5800b80e 100644
--- a/docs/manage-bloodhound/auth/users-and-roles.mdx
+++ b/docs/manage-bloodhound/auth/users-and-roles.mdx
@@ -2,9 +2,8 @@
title: Administering users and roles
---
-
-
-
+
+
## Purpose
This article provides a summary of assignable roles that are available when creating new users in BloodHound.
@@ -24,7 +23,7 @@ The following properties must be set on each user:
| Authentication Method | Drop-down selection for one of the available authentication methods to be used for the user.
* Username / Password - Built-in authentication via username and password, supports TOTP-based multi-factor authentication. * SAML - SAML 2.0-based Single-Sign-On as described in SAML in BloodHound Enterprise.
Read more in the article [SAML in BloodHound Enterprise](/manage-bloodhound/auth/saml). |
| Initial Password | Text field for the user's initial password. |
| Force Password Reset? | Selecting this check box forces the user to reset their password on the next logon. Must comply with password requirements:
* At least 12 characters long * Contain at least 1 lowercase character, 1 uppercase character, 1 number and 1 special character (!@#$%^&*) |
-| Role | Drop-down selection for one the available roles.
For role access control definitions, see [User Role Definitions](#h_01H6P9MK1XME9F91NR95XJXR3Z). |
+| Role | Drop-down selection for one the available roles.|
## User Role Definitions
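Review bot: the Role row loses its pointer to the role access-control definitions rather than getting it relinked; the target heading `## User Role Definitions` is right below the table, so `| Role | Drop-down selection for one of the available roles. See [User Role Definitions](#user-role-definitions). |` costs nothing and also fixes the pre-existing "one the available roles" typo. Separately, the Authentication Method and Force Password Reset rows in the unchanged context still span several lines, so collapsing only the Role row does not make this a valid markdown table; and the password-complexity list (12 characters, upper, lower, digit, special) describes the Initial Password field, not the reset checkbox, so it belongs in the Initial Password row.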
diff --git a/docs/manage-bloodhound/overview.mdx b/docs/manage-bloodhound/overview.mdx
index 41e0c83e84..84663e6b4c 100644
--- a/docs/manage-bloodhound/overview.mdx
+++ b/docs/manage-bloodhound/overview.mdx
@@ -1,6 +1,6 @@
---
title: Administration
-description: "Administering a BloodHound instance and its related components; users, roles, authentication, collector status, and general security."
+description: "Administer a BloodHound instance and its related components: users, roles, authentication, collector status, and general security."
mode: wide
sidebarTitle: Overview
---
@@ -96,20 +96,4 @@ sidebarTitle: Overview
/>
-
-
-
-
-
+## [Securing BloodHound and collectors](/manage-bloodhound/securing-bloodhound-and-collectors/overview)
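Review bot: the added entry is a raw linked H2 (`## [Securing BloodHound and collectors](/manage-bloodhound/securing-bloodhound-and-collectors/overview)`), while the sections above it on this overview are card components (the `/>` closing tag in the context line). Use the same card component with the new page's description so the section renders consistently with the rest of the page.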
diff --git a/docs/manage-bloodhound/securing-bloodhound-and-collectors/overview.mdx b/docs/manage-bloodhound/securing-bloodhound-and-collectors/overview.mdx
index e7e00aee5b..695a2a6296 100644
--- a/docs/manage-bloodhound/securing-bloodhound-and-collectors/overview.mdx
+++ b/docs/manage-bloodhound/securing-bloodhound-and-collectors/overview.mdx
@@ -1,6 +1,6 @@
---
title: Securing BloodHound and collectors
-description: BloodHound helps you secure your infrastructure, here's how you can secure BloodHound itself.
+description: Implement security best practices for BloodHound and its collectors.
mode: wide
sidebarTitle: Overview
---
diff --git a/docs/manage-bloodhound/securing-bloodhound-and-collectors/sharphound-hardening.mdx b/docs/manage-bloodhound/securing-bloodhound-and-collectors/sharphound-hardening.mdx
index e665b130e9..e04c664411 100644
--- a/docs/manage-bloodhound/securing-bloodhound-and-collectors/sharphound-hardening.mdx
+++ b/docs/manage-bloodhound/securing-bloodhound-and-collectors/sharphound-hardening.mdx
@@ -3,9 +3,8 @@ title: SharpHound Enterprise Service Hardening
description: "The BloodHound team recommends the hardening actions described on this page to protect the SharpHound service account. The hardening recommendations are focused on the remediation of the attack techniques targeting service accounts."
---
-
-
-
+
+
Many of the attacks involve privileged collection, in which the SharpHound service account gathers data from domain-joined Windows computers. During privileged collection, an attacker with administrative access to a computer in the domain could attempt to compromise the SharpHound service account, as the account will log in on the computer during the collection.
This page will describe the attacks we want to prevent and the remediations that can be applied. All attacks can be remediated in more than one method. The first section will highlight the remediations that we recommend without going into detail about the different attack techniques and alternative remediations.
diff --git a/docs/mint.json b/docs/mint.json
index 2628aa2784..6db15fc4af 100644
--- a/docs/mint.json
+++ b/docs/mint.json
@@ -169,7 +169,7 @@
"pages": [
"analyze-data/overview",
{
- "group": "BloodHound GUI",
+ "group": "BloodHound Dashboard",
"pages": [
"analyze-data/bloodhound-gui/overview",
"analyze-data/bloodhound-gui/posture-page",
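Review bot: the sidebar group is renamed from "BloodHound GUI" to "BloodHound Dashboard" but the page paths stay under `analyze-data/bloodhound-gui/`; leaving the paths alone is the right call (renaming them would need redirects), but check that the section intro and the first-hunk index text use "Dashboard" consistently so the sidebar label and the page copy do not disagree.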
@@ -427,48 +427,54 @@
"resources/release-notes/overview",
"resources/release-notes/summary",
"resources/release-notes/2024-12-09-v6-3-0",
- "resources/release-notes/2024-11-14-v6-2-0",
- "resources/release-notes/2024-10-22-v6-1-0",
- "resources/release-notes/2024-09-30-v6-0-0",
- "resources/release-notes/2024-09-10-v5-15-0",
- "resources/release-notes/2024-08-20-v5-14-0",
- "resources/release-notes/2024-08-06-v5-13-1",
- "resources/release-notes/2024-08-01-v5-13-0",
- "resources/release-notes/2024-07-17-v5-12-0",
- "resources/release-notes/2024-06-17-v5-11-0",
- "resources/release-notes/2024-05-28-v5-10-0",
- "resources/release-notes/2024-05-09-v5-9-0",
- "resources/release-notes/2024-04-15-v5-8-1",
- "resources/release-notes/2024-03-27-v5-8-0",
- "resources/release-notes/2024-03-04-v5-7-0",
- "resources/release-notes/2024-02-14-v5-6-0",
- "resources/release-notes/2024-01-23-v5-5-0",
- "resources/release-notes/2024-01-04-v5-4-0",
- "resources/release-notes/2023-12-05-v5-3-0",
- "resources/release-notes/2023-11-06-v5-2-0",
- "resources/release-notes/2023-10-16-v5-1-0",
- "resources/release-notes/2023-09-19-v5-0-9",
- "resources/release-notes/2023-08-31-v5-0-8",
- "resources/release-notes/2023-08-30-v5-0-7",
- "resources/release-notes/2023-08-08",
- "resources/release-notes/2023-06-20",
- "resources/release-notes/2023-05-16",
- "resources/release-notes/2023-04-25",
- "resources/release-notes/2023-04-13",
- "resources/release-notes/2023-03-27",
- "resources/release-notes/2023-03-06",
- "resources/release-notes/2023-02-21",
- "resources/release-notes/2023-02-07",
- "resources/release-notes/2023-01-31",
- "resources/release-notes/2023-01-18",
- "resources/release-notes/2022-12-19",
- "resources/release-notes/2022-12-13",
- "resources/release-notes/2022-11-21",
- "resources/release-notes/2022-11-03",
- "resources/release-notes/2022-10-24",
- "resources/release-notes/2022-10-11"
+ {
+ "group": "Archive",
+ "pages": [
+ "resources/release-notes/2024-11-14-v6-2-0",
+ "resources/release-notes/2024-10-22-v6-1-0",
+ "resources/release-notes/2024-09-30-v6-0-0",
+ "resources/release-notes/2024-09-10-v5-15-0",
+ "resources/release-notes/2024-08-20-v5-14-0",
+ "resources/release-notes/2024-08-06-v5-13-1",
+ "resources/release-notes/2024-08-01-v5-13-0",
+ "resources/release-notes/2024-07-17-v5-12-0",
+ "resources/release-notes/2024-06-17-v5-11-0",
+ "resources/release-notes/2024-05-28-v5-10-0",
+ "resources/release-notes/2024-05-09-v5-9-0",
+ "resources/release-notes/2024-04-15-v5-8-1",
+ "resources/release-notes/2024-03-27-v5-8-0",
+ "resources/release-notes/2024-03-04-v5-7-0",
+ "resources/release-notes/2024-02-14-v5-6-0",
+ "resources/release-notes/2024-01-23-v5-5-0",
+ "resources/release-notes/2024-01-04-v5-4-0",
+ "resources/release-notes/2023-12-05-v5-3-0",
+ "resources/release-notes/2023-11-06-v5-2-0",
+ "resources/release-notes/2023-10-16-v5-1-0",
+ "resources/release-notes/2023-09-19-v5-0-9",
+ "resources/release-notes/2023-08-31-v5-0-8",
+ "resources/release-notes/2023-08-30-v5-0-7",
+ "resources/release-notes/2023-08-08",
+ "resources/release-notes/2023-06-20",
+ "resources/release-notes/2023-05-16",
+ "resources/release-notes/2023-04-25",
+ "resources/release-notes/2023-04-13",
+ "resources/release-notes/2023-03-27",
+ "resources/release-notes/2023-03-06",
+ "resources/release-notes/2023-02-21",
+ "resources/release-notes/2023-02-07",
+ "resources/release-notes/2023-01-31",
+ "resources/release-notes/2023-01-18",
+ "resources/release-notes/2022-12-19",
+ "resources/release-notes/2022-12-13",
+ "resources/release-notes/2022-11-21",
+ "resources/release-notes/2022-11-03",
+ "resources/release-notes/2022-10-24",
+ "resources/release-notes/2022-10-11"
+ ]
+ }
]
- }
+ },
+ "resources/legacy"
]
},
{
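Review bot: after this change the only release note outside the new "Archive" group is `2024-12-09-v6-3-0`, so every future release will require moving the previous note into the archive by hand; keeping the last few releases at the top level (or naming the group by year) avoids that churn, and v6.2.0 from one month earlier is a stretch to call archived. Also confirm `resources/legacy` (the page added at the end of this hunk) exists in the tree, since a missing page referenced from `mint.json` breaks the build.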
diff --git a/docs/resources/community-support/getting-help.mdx b/docs/resources/community-support/getting-help.mdx
index c8f7767fc9..37f413cac4 100644
--- a/docs/resources/community-support/getting-help.mdx
+++ b/docs/resources/community-support/getting-help.mdx
@@ -2,9 +2,8 @@
title: Getting Help and the BloodHound community
---
-
-
-
+
+
## SpecterOps ❤️ Community
diff --git a/docs/resources/community-support/overview.mdx b/docs/resources/community-support/overview.mdx
index 9b035a0497..b86c498e9e 100644
--- a/docs/resources/community-support/overview.mdx
+++ b/docs/resources/community-support/overview.mdx
@@ -4,3 +4,8 @@ description: Connect with the BloodHound community, seek assistance, and find re
mode: wide
sidebarTitle: Overview
---
+
+
+
+
+
\ No newline at end of file
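Review bot: this hunk appends five empty lines to community-support/overview.mdx and ends the file without a trailing newline (`\ No newline at end of file`); the added lines carry no content, so drop them and finish the frontmatter block with a single newline.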
diff --git a/docs/resources/edges/adcs-esc1.mdx b/docs/resources/edges/adcs-esc1.mdx
index 4a119eaa9d..bbe10c1046 100644
--- a/docs/resources/edges/adcs-esc1.mdx
+++ b/docs/resources/edges/adcs-esc1.mdx
@@ -3,9 +3,8 @@ title: ADCSESC1
description: "This edge indicates that the principal has permission to enroll on one or more certificate templates, allowing them to specify an alternate subject name and use the certificate for authentication. They also have enrollment permission for an enterprise CA with the necessary templates published."
---
-
-
-
+
+
This enterprise CA is trusted for NT authentication in the forest, along with the certificate chain up to the root CA certificate. This setup lets the principal enroll certificates for any AD forest user or computer, enabling authentication and impersonation of any AD forest user or computer without their credentials.
diff --git a/docs/resources/edges/adcs-esc10a.mdx b/docs/resources/edges/adcs-esc10a.mdx
index 89bd0cba28..fa96bfdbb5 100644
--- a/docs/resources/edges/adcs-esc10a.mdx
+++ b/docs/resources/edges/adcs-esc10a.mdx
@@ -3,9 +3,8 @@ title: ADCSESC10a
description: "This edge indicates that the principal has control over a victim principal with permission to enroll on one or more certificate templates, configured to enable certificate authentication and require the userPrincipalName (UPN) of the enrollee included in the Subject Alternative Name (SAN)."
---
-
-
-
+
+
The victim also has enrollment permission for an enterprise CA with the necessary templates published. This enterprise CA is trusted for NT authentication in the forest, and chains up to a root CA for the forest. There is an affected Domain Controller (DC) configured to allow UPN certificate mapping. This setup lets the principal impersonate any AD forest computer, or any user where UPN does not match their sAMAccountName, without knowing their credentials.
diff --git a/docs/resources/edges/adcs-esc10b.mdx b/docs/resources/edges/adcs-esc10b.mdx
index df861093ac..1c7ee2f5e3 100644
--- a/docs/resources/edges/adcs-esc10b.mdx
+++ b/docs/resources/edges/adcs-esc10b.mdx
@@ -4,9 +4,8 @@ description: "The principal has control over a victim computer with permission t
---
-
-
-
+
+
The victim computer also has enrollment permission for an enterprise CA with the necessary templates published. This enterprise CA is trusted for NT authentication in the forest, and chains up to a root CA for the forest. There is an affected Domain Controller (DC) configured to allow UPN certificate mapping. This setup lets the principal impersonate any AD forest computer without their credentials.
diff --git a/docs/resources/edges/adcs-esc13.mdx b/docs/resources/edges/adcs-esc13.mdx
index 3aa4893f3c..acaa67429c 100644
--- a/docs/resources/edges/adcs-esc13.mdx
+++ b/docs/resources/edges/adcs-esc13.mdx
@@ -3,9 +3,8 @@ title: ADCSESC13
description: "The ADCSESC13 edge indicates that the principal has the privileges to perform the ADCS ESC13 abuse against the target AD group. The principal has enrollment rights on a certificate template configured with an issuance policy extension."
---
-
-
-
+
+
The issuance policy has an OID group link to an AD group. The principal also has enrollment permission for an enterprise CA with the necessary template published. This enterprise CA is trusted for NT authentication and chains up to a root CA for the forest. This setup allows the principal to enroll a certificate that the principal can use to obtain access to the environment as a member of the group specified in the OID group link.
diff --git a/docs/resources/edges/adcs-esc3.mdx b/docs/resources/edges/adcs-esc3.mdx
index 2e797cd45a..1c6c2a6d96 100644
--- a/docs/resources/edges/adcs-esc3.mdx
+++ b/docs/resources/edges/adcs-esc3.mdx
@@ -4,9 +4,8 @@ description: "The principal has permission to enroll on a certificate allowing t
certificate."
---
-
-
-
+
+
They also have permission to enroll for a certificate template that permits enrollment by
enrollment agents and can be used for authentication. Additionally, they also have enrollment
diff --git a/docs/resources/edges/adcs-esc4.mdx b/docs/resources/edges/adcs-esc4.mdx
index da098c4208..6e4ebc3f11 100644
--- a/docs/resources/edges/adcs-esc4.mdx
+++ b/docs/resources/edges/adcs-esc4.mdx
@@ -4,9 +4,8 @@ description: "The ADCSESC4 edge indicates that the principal has the privileges
---
-
-
-
+
+
The principal has permissions to modify the settings on one or more certificate templates, enabling the principal configure the certificate templates for ADCS ESC1 conditions, which allows them to specify an alternate subject name and use the certificate for authentication. They also has enrollment permission for an enterprise CA with the necessary templates published. This enterprise CA is trusted for NT authentication and chains up to a root CA for the forest. This setup lets the principal modify the certificate templates to allow enrollment as any targeted AD forest user or computer without knowing their credentials, and impersonation of those targets by certificate authentication.
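Review bot: the context line beginning "The principal has permissions to modify the settings" has two grammar slips worth fixing while this file is being touched: "enabling the principal configure the certificate templates" is missing "to" ("enabling the principal to configure"), and "They also has enrollment permission" should read "They also have enrollment permission".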
diff --git a/docs/resources/edges/adcs-esc6a.mdx b/docs/resources/edges/adcs-esc6a.mdx
index 1e84405db3..6504f6532f 100644
--- a/docs/resources/edges/adcs-esc6a.mdx
+++ b/docs/resources/edges/adcs-esc6a.mdx
@@ -3,9 +3,7 @@ title: ADCSESC6a
description: The principal has permission to enroll on one or more certificate templates allowing for authentication.
---
-
-
-
+
They also have enrollment permission for an enterprise CA with the necessary templates published. This
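Review bot: inconsistent blank-line normalization: this hunk (`-3,9 +3,7`) leaves a single blank line between the front matter and the body of adcs-esc6a.mdx, while the neighboring edge pages in the same commit (adcs-esc1, adcs-esc10a, adcs-esc6b, all `+3,8`) keep two, and add-members, allowed-to-delegate, avere-contributor, enroll-on-behalf-of and get-keys again keep one. Pick one spacing convention for the edge pages and apply it uniformly, or the next whitespace cleanup will touch all of these files again.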
diff --git a/docs/resources/edges/adcs-esc6b.mdx b/docs/resources/edges/adcs-esc6b.mdx
index 87a2806a96..e9e1c8b76f 100644
--- a/docs/resources/edges/adcs-esc6b.mdx
+++ b/docs/resources/edges/adcs-esc6b.mdx
@@ -4,9 +4,8 @@ description: The principal has permission to enroll on one or more certificate t
---
-
-
-
+
+
They also have enrollment permission for an enterprise CA with the necessary templates published. This enterprise CA is trusted for NT authentication in the forest, and chains up to a root CA for the forest. The enterprise CA is configured with the EDITF_ATTRIBUTESUBJECTALTNAME2 flag allowing enrollees to specify a Subject Alternate Name (SAN) identifying another principal during certificate enrollment of any published certificate template. This setup allows an attacker principal to obtain a malicious certificate as another principal. There is an affected Domain Controller configured to allow weak certificate mapping enforcement, which enables the attacker principal to authenticate with the malicious certificate and thereby impersonating any AD forest user or computer without their credentials.
diff --git a/docs/resources/edges/adcs-esc9a.mdx b/docs/resources/edges/adcs-esc9a.mdx
index 144b915fac..d0e9e04551 100644
--- a/docs/resources/edges/adcs-esc9a.mdx
+++ b/docs/resources/edges/adcs-esc9a.mdx
@@ -3,9 +3,8 @@ title: ADCSESC9a
description: "The principal has control over a victim principal with permission to enroll on one or more certificate templates, configured to: 1) enable certificate authentication, 2) require the `userPrincipalName` (UPN) of the enrollee included in the Subject Alternative Name (SAN), and 3) do not have the security extension enabled."
---
-
-
-
+
+
The victim also has enrollment permission for an enterprise CA with the necessary templates published. This enterprise CA is trusted for NT authentication in the forest, and chains up to a root CA for the forest. There is an affected Domain Controller (DC) configured to allow weak certificate binding enforcement. This setup lets the principal impersonate any AD forest principal (user or computer) without their credentials. The attacker principal can abuse their control over the victim principal to modify the victim's UPN to match the `sAMAccountName` of a targeted principal. Example: If the targeted principal is Administrator@corp.local user, the victim's UPN will be populated with "Administrator" (without the @corp.local ending). The attacker principal will then abuse their control over the victim principal to obtain the credentials of the victim principal, or a session as the victim principal, and enroll a certificate as the victim in one of the affected certificate templates. The UPN of the victim ("Administrator") will be included in the issued certificate under the SAN. As the certificate template does not have the security extension, it will NOT include the SID of the victim user in the issued certificate. Next, the attacker principal will again set the UPN of the victim, this time to an arbitrary string (e.g. the original value). The issued certificate can now be used for authentication against an affected DC. The weak certificate binding configuration on the DC will make the DC accept that the SID of the victim user is not present in the issued certificate when performing Kerberos authentication, and it will use the SAN value to map the certificate to a principal. The DC will attempt to find a principal with a UPN matching the SAN value ("Administrator") but as the victim's UPN has been changed after the enrollment, there will be no principals with this UPN. 
The DC will then attempt to find a principal with a `sAMAccountName` matching the SAN value and find the targeted user. At last, the DC issues a Kerberos TGT as the targeted user to the attacker, which means the attacker now has a session as the targeted user. In case the target is a computer, the DC will find it as well as the DC will attempt `sAMAccountName` matching with a $ at the end of the SAN value as last resort.
diff --git a/docs/resources/edges/adcs-esc9b.mdx b/docs/resources/edges/adcs-esc9b.mdx
index bb2578d4d6..4a15091f4d 100644
--- a/docs/resources/edges/adcs-esc9b.mdx
+++ b/docs/resources/edges/adcs-esc9b.mdx
@@ -3,9 +3,8 @@ title: ADCSESC9b
description: "The principal has control over a victim computer with permission to enroll on one or more certificate templates, configured to: 1) enable certificate authentication, 2) require the `dNSHostName` of the enrollee included in the Subject Alternative Name (SAN), and 3) not have the security extension enabled."
---
-
-
-
+
+
The victim computer also has enrollment permission for an enterprise CA with the necessary templates published. This enterprise CA is trusted for NT authentication in the forest, and chains up to a root CA for the forest. There is an affected Domain Controller (DC) configured to allow weak certificate binding enforcement. This setup lets the principal impersonate any AD forest computer without their credentials.
diff --git a/docs/resources/edges/add-allowed-to-act.mdx b/docs/resources/edges/add-allowed-to-act.mdx
index f60d9dbe3a..ee49de7fae 100644
--- a/docs/resources/edges/add-allowed-to-act.mdx
+++ b/docs/resources/edges/add-allowed-to-act.mdx
@@ -3,9 +3,8 @@ title: AddAllowedToAct
description: "This edge means it's possible to modify the msDS-AllowedToActOnBehalfOfOtherIdentity property of a target."
---
-
-
-
+
+
For information on the abuse scenario of the property, see [AllowedToAct](/resources/edges/allowed-to-act).
## Abuse Info
diff --git a/docs/resources/edges/add-key-credential-link.mdx b/docs/resources/edges/add-key-credential-link.mdx
index 157ae68478..38d6611911 100644
--- a/docs/resources/edges/add-key-credential-link.mdx
+++ b/docs/resources/edges/add-key-credential-link.mdx
@@ -3,9 +3,8 @@ title: AddKeyCredentialLink
description: 'The ability to write to the “msds-KeyCredentialLink” property on a user or computer. Writing to this property allows an attacker to create “Shadow Credentials” on the object and authenticate as the principal using kerberos PKINIT.'
---
-
-
-
+
+
## Abuse Info
diff --git a/docs/resources/edges/add-member.mdx b/docs/resources/edges/add-member.mdx
index a4389b801d..bac3c5943f 100644
--- a/docs/resources/edges/add-member.mdx
+++ b/docs/resources/edges/add-member.mdx
@@ -3,9 +3,8 @@ title: AZMGAddMember
description: "This edge is created during post-processing."
---
-
-
-
+
+
It is created against non-role assignable Entra ID security groups when a Service Principal has one of the following MS Graph app role assignments:
diff --git a/docs/resources/edges/add-members.mdx b/docs/resources/edges/add-members.mdx
index c073dc59c3..bf51072e1d 100644
--- a/docs/resources/edges/add-members.mdx
+++ b/docs/resources/edges/add-members.mdx
@@ -3,9 +3,7 @@ title: AZAddMembers
description: "The ability to add other principals to an Azure security group"
---
-
-
-
+
## Abuse Info
diff --git a/docs/resources/edges/add-owner.mdx b/docs/resources/edges/add-owner.mdx
index 46f77d7526..ad587848f7 100644
--- a/docs/resources/edges/add-owner.mdx
+++ b/docs/resources/edges/add-owner.mdx
@@ -3,9 +3,8 @@ title: AZMGAddOwner
description: "This edge is created during post-processing."
---
-
-
-
+
+
It is created against all App Registrations and Service Principals within the same tenant when a Service Principal has the following MS Graph app role:
diff --git a/docs/resources/edges/add-secret.mdx b/docs/resources/edges/add-secret.mdx
index d0172a6d6c..ede14beeb2 100644
--- a/docs/resources/edges/add-secret.mdx
+++ b/docs/resources/edges/add-secret.mdx
@@ -3,9 +3,8 @@ title: AZMGAddSecret
description: "This edge is created during post-processing."
---
-
-
-
+
+
It is created against all Azure App Registrations and Service Principals when a Service Principal has one of the following MS Graph app roles:
diff --git a/docs/resources/edges/add-self.mdx b/docs/resources/edges/add-self.mdx
index 0512cce8df..be24814d1c 100644
--- a/docs/resources/edges/add-self.mdx
+++ b/docs/resources/edges/add-self.mdx
@@ -3,10 +3,8 @@ title: AddSelf
description: "This edge indicates the principal has the ability to add itself to the target security group. Because of security group delegation, the members of a security group have the same privileges as that group."
---
+
-
-
-
By adding yourself to a group and refreshing your token, you gain all the same privileges that group has.
diff --git a/docs/resources/edges/admin-to.mdx b/docs/resources/edges/admin-to.mdx
index 26e0a89259..d5e3513249 100644
--- a/docs/resources/edges/admin-to.mdx
+++ b/docs/resources/edges/admin-to.mdx
@@ -3,9 +3,8 @@ title: AdminTo
description: "This edge indicates that principal is a local administrator on the target computer."
---
-
-
-
+
+
By default, administrators have several ways to perform remote code execution on Windows systems, including via RDP, WMI, WinRM, the Service Control Manager, and remote DCOM execution.
diff --git a/docs/resources/edges/aks-contributor.mdx b/docs/resources/edges/aks-contributor.mdx
index 9919cfa466..41bc6dfab7 100644
--- a/docs/resources/edges/aks-contributor.mdx
+++ b/docs/resources/edges/aks-contributor.mdx
@@ -3,9 +3,8 @@ title: AZAKSContributor
description: "The Azure Kubernetes Service Contributor role grants full control of the target Azure Kubernetes Service Managed Cluster."
---
-
-
-
+
+
This includes the ability to remotely fetch administrator credentials for the cluster as well as the ability to execute arbitrary commands on compute nodes associated with the AKS Managed Cluster.
diff --git a/docs/resources/edges/all-extended-rights.mdx b/docs/resources/edges/all-extended-rights.mdx
index 47a9a744f0..37dc99b7da 100644
--- a/docs/resources/edges/all-extended-rights.mdx
+++ b/docs/resources/edges/all-extended-rights.mdx
@@ -3,10 +3,8 @@ title: AllExtendedRights
description: "Extended rights are special rights granted on objects which allow reading of privileged attributes, as well as performing special actions."
---
+
-
-
-
## Abuse Info
### **User**
diff --git a/docs/resources/edges/allowed-to-act.mdx b/docs/resources/edges/allowed-to-act.mdx
index f8f105cbf8..685bab5d41 100644
--- a/docs/resources/edges/allowed-to-act.mdx
+++ b/docs/resources/edges/allowed-to-act.mdx
@@ -1,10 +1,8 @@
---
title: AllowedToAct
---
+
-
-
-
This edge allows an attacker to abuse resource-based constrained delegation to compromise the target. This property is a binary DACL that controls what security principals can pretend to be any domain user to the particular computer object.
diff --git a/docs/resources/edges/allowed-to-delegate.mdx b/docs/resources/edges/allowed-to-delegate.mdx
index 84f54ae94d..ff55eaa01e 100644
--- a/docs/resources/edges/allowed-to-delegate.mdx
+++ b/docs/resources/edges/allowed-to-delegate.mdx
@@ -3,9 +3,7 @@ title: AllowedToDelegate
description: "The constrained delegation primitive allows a principal to authenticate as any user to specific services (found in the msds-AllowedToDelegateTo LDAP property in the source node tab) on the target computer."
---
-
-
-
+
That is, a node with this privilege can impersonate any domain principal (including Domain Admins) to the specific service on the target host. One caveat- impersonated users can not be in the “Protected Users” security group or otherwise have delegation privileges revoked.
diff --git a/docs/resources/edges/app-admin.mdx b/docs/resources/edges/app-admin.mdx
index 2bca61482d..7f7509fef0 100644
--- a/docs/resources/edges/app-admin.mdx
+++ b/docs/resources/edges/app-admin.mdx
@@ -3,9 +3,8 @@ title: AZAppAdmin
description: "Principals with the Application Admin role can control tenant-resident apps."
---
-
-
-
+
+
## Abuse Info
diff --git a/docs/resources/edges/app-role-assignment-readwrite-all.mdx b/docs/resources/edges/app-role-assignment-readwrite-all.mdx
index 48d7eb9977..9d5fa97f57 100644
--- a/docs/resources/edges/app-role-assignment-readwrite-all.mdx
+++ b/docs/resources/edges/app-role-assignment-readwrite-all.mdx
@@ -3,9 +3,8 @@ title: AZMGAppRoleAssignment_ReadWrite_All
description: "This edge is created when a Service Principal has been granted the AppRoleAssignment.ReadWrite.All edge."
---
-
-
-
+
+
## Abuse Info
diff --git a/docs/resources/edges/application-readwrite-all.mdx b/docs/resources/edges/application-readwrite-all.mdx
index 61e6f2f9e3..be17767b25 100644
--- a/docs/resources/edges/application-readwrite-all.mdx
+++ b/docs/resources/edges/application-readwrite-all.mdx
@@ -3,9 +3,8 @@ title: AZMGApplication_ReadWrite_All
description: "This edge is created when a Service Principal has been granted the Application.ReadWrite.All edge."
---
-
-
-
+
+
## Abuse Info
diff --git a/docs/resources/edges/automation-contributor.mdx b/docs/resources/edges/automation-contributor.mdx
index 7ccb644f2c..e463137171 100644
--- a/docs/resources/edges/automation-contributor.mdx
+++ b/docs/resources/edges/automation-contributor.mdx
@@ -2,9 +2,8 @@
title: AZAutomationContributor
---
-
-
-
+
+
The Azure Automation Contributor role grants full control of the target Azure Automation Account. This includes the ability to execute arbitrary commands on the Automation Account.
diff --git a/docs/resources/edges/avere-contributor.mdx b/docs/resources/edges/avere-contributor.mdx
index 896d0eecea..2e4d013a02 100644
--- a/docs/resources/edges/avere-contributor.mdx
+++ b/docs/resources/edges/avere-contributor.mdx
@@ -2,9 +2,7 @@
title: AZAvereContributor
---
-
-
-
+
Any principal granted the Avere Contributor role, scoped to the affected VM, can reset the built-in administrator password on the VM.
diff --git a/docs/resources/edges/can-ps-remote.mdx b/docs/resources/edges/can-ps-remote.mdx
index 54c28f362c..da097eda8c 100644
--- a/docs/resources/edges/can-ps-remote.mdx
+++ b/docs/resources/edges/can-ps-remote.mdx
@@ -3,9 +3,8 @@ title: CanPSRemote
description: "PS Session access allows you to enter an interactive session with the target computer. If authenticating as a low privilege user, a privilege escalation may allow you to gain high privileges on the system."
---
-
-
-
+
+
**Note**
diff --git a/docs/resources/edges/can-rdp.mdx b/docs/resources/edges/can-rdp.mdx
index 2794ce7a9c..a266644733 100644
--- a/docs/resources/edges/can-rdp.mdx
+++ b/docs/resources/edges/can-rdp.mdx
@@ -3,9 +3,8 @@ title: CanRDP
description: "Remote Desktop access allows you to enter an interactive session with the target computer. If authenticating as a low privilege user, a privilege escalation may allow you to gain high privileges on the system."
---
-
-
-
+
+
This edge is created when BloodHound finds that a principal has RDP access to a computer through the edges [MemberOfLocalGroup](/resources/edges/member-of-local-group) and [RemoteInteractiveLogonPrivilege](/resources/edges/remote-interactive-logon-privilege).
diff --git a/docs/resources/edges/cloud-app-admin.mdx b/docs/resources/edges/cloud-app-admin.mdx
index 4ce3089d87..5a9a543f07 100644
--- a/docs/resources/edges/cloud-app-admin.mdx
+++ b/docs/resources/edges/cloud-app-admin.mdx
@@ -3,9 +3,8 @@ title: AZCloudAppAdmin
description: "Principals with the Cloud App Admin role can control tenant-resident apps."
---
-
-
-
+
+
## Abuse Info
diff --git a/docs/resources/edges/coerce-to-tgt.mdx b/docs/resources/edges/coerce-to-tgt.mdx
index cbfad7312e..cb6edd0cc0 100644
--- a/docs/resources/edges/coerce-to-tgt.mdx
+++ b/docs/resources/edges/coerce-to-tgt.mdx
@@ -3,9 +3,8 @@ title: CoerceToTGT
description: "The computer/user account is configured with Kerberos unconstrained delegation."
---
-
-
-
+
+
In a standard Kerberos authentication process, when a principal accesses a Kerberos-enabled service, they present a service ticket to the service host (a computer or service account). This ticket cannot be used to authenticate against other services. However, if a computer or service account is trusted for unconstrained delegation, the principal sends their full Kerberos Ticket Granting Ticket (TGT). This TGT can be forwarded, allowing the service host to impersonate the principal across other services within the environment.
diff --git a/docs/resources/edges/contains.mdx b/docs/resources/edges/contains.mdx
index 05d4aaaea5..2d4636f29d 100644
--- a/docs/resources/edges/contains.mdx
+++ b/docs/resources/edges/contains.mdx
@@ -2,9 +2,8 @@
title: AZContains
description: "This indicates that the parent object contains the child object, such as a resource group containing a virtual machine, or a tenant “containing” a subscription."
---
-
-
-
+
+
## Abuse Info
diff --git a/docs/resources/edges/contributor.mdx b/docs/resources/edges/contributor.mdx
index bbae756206..7d30a62c66 100644
--- a/docs/resources/edges/contributor.mdx
+++ b/docs/resources/edges/contributor.mdx
@@ -3,9 +3,8 @@ title: AZContributor
description: "The contributor role grants almost all abusable privileges in all circumstances, with some exceptions. Those exceptions are not collected by AzureHound."
---
-
-
-
+
+
## Abuse Info
diff --git a/docs/resources/edges/dc-for.mdx b/docs/resources/edges/dc-for.mdx
index 778339c6d2..bd3007fe52 100644
--- a/docs/resources/edges/dc-for.mdx
+++ b/docs/resources/edges/dc-for.mdx
@@ -3,9 +3,8 @@ title: DCFor
description: "This edge indicates that the computer is a domain controller for the domain. This edge is not created for read-only domain controllers."
---
-
-
-
+
+
## Abuse Info
Domain Controllers store all Active Directory credentials and configurations for all principals in the domain. If an adversary gains administrative access to a Domain Controller, there are several options at their disposal for compromising domain identities and domain-managed systems. Please see the references section for more information.
diff --git a/docs/resources/edges/dc-sync.mdx b/docs/resources/edges/dc-sync.mdx
index 9432ad687f..841e9c5b09 100644
--- a/docs/resources/edges/dc-sync.mdx
+++ b/docs/resources/edges/dc-sync.mdx
@@ -3,9 +3,8 @@ title: DCSync
description: "This edge represents the combination of GetChanges and GetChangesAll. The combination of both these privileges grants a principal the ability to perform the DCSync attack."
---
-
-
-
+
+
## Abuse Info
diff --git a/docs/resources/edges/delegated-enrollment-agent.mdx b/docs/resources/edges/delegated-enrollment-agent.mdx
index 60c7b47cdb..ea942dcc01 100644
--- a/docs/resources/edges/delegated-enrollment-agent.mdx
+++ b/docs/resources/edges/delegated-enrollment-agent.mdx
@@ -3,9 +3,8 @@ title: DelegatedEnrollmentAgent
description: "The certificate template is published to an enterprise CA where the enrollment agent restrictions are configured to allow this principal to enroll certificates against this template as an enrollment agent."
---
-
-
-
+
+
BloodHound does not assess what principals the enrollment agent is allowed to enroll on behalf of.
diff --git a/docs/resources/edges/directory-readwrite-all.mdx b/docs/resources/edges/directory-readwrite-all.mdx
index 193823e82c..c4b4d395b6 100644
--- a/docs/resources/edges/directory-readwrite-all.mdx
+++ b/docs/resources/edges/directory-readwrite-all.mdx
@@ -3,9 +3,8 @@ title: AZMGDirectory_ReadWrite_All
description: "This edge is created when a Service Principal has been granted the Directory.ReadWrite.All edge."
---
-
-
-
+
+
## Abuse Info
diff --git a/docs/resources/edges/dump-smsa-password.mdx b/docs/resources/edges/dump-smsa-password.mdx
index 4d70e209c7..c36f1465ef 100644
--- a/docs/resources/edges/dump-smsa-password.mdx
+++ b/docs/resources/edges/dump-smsa-password.mdx
@@ -3,9 +3,8 @@ title: DumpSMSAPassword
description: "A computer with this indicates that a Standalone Managed Service Account (sMSA) is installed on it."
---
-
-
-
+
+
An actor with administrative privileges on the computer can retrieve the sMSA’s password by dumping LSA secrets.
diff --git a/docs/resources/edges/enroll-on-behalf-of.mdx b/docs/resources/edges/enroll-on-behalf-of.mdx
index 9cc4081553..f5165fd5d5 100644
--- a/docs/resources/edges/enroll-on-behalf-of.mdx
+++ b/docs/resources/edges/enroll-on-behalf-of.mdx
@@ -3,9 +3,7 @@ title: EnrollOnBehalfOf
description: 'The certificate template "A" is configured to be used as an enrollment agent.'
---
-
-
-
+
The certificate template "B" is configured to allow enrollment by enrollment agents. Both certificate templates are published by an enterprise CA which is trusted for NT authentication and chain up to a root CA for the domain. This enables a principal with a certificate of certificate template "A" to enroll on behalf of other principals for certificate template "B" as long as enrollment agent restrictions configured on the enterprise CA permit it.
diff --git a/docs/resources/edges/enroll.mdx b/docs/resources/edges/enroll.mdx
index c04aff9b84..74e56fe6b8 100644
--- a/docs/resources/edges/enroll.mdx
+++ b/docs/resources/edges/enroll.mdx
@@ -2,9 +2,8 @@
title: Enroll
description: "The target node may be a Certificate Template or an Enterprise Certification Authority."
---
-
-
-
+
+
## Abuse Info
diff --git a/docs/resources/edges/enterprise-ca-for.mdx b/docs/resources/edges/enterprise-ca-for.mdx
index 29aac2e55d..b85c435605 100644
--- a/docs/resources/edges/enterprise-ca-for.mdx
+++ b/docs/resources/edges/enterprise-ca-for.mdx
@@ -3,9 +3,8 @@ title: EnterpriseCAFor
description: The Enterprise Certification Authority node is the enrollment service LDAP object for the target Root Certification Authority node.
---
-
-
-
+
+
## Abuse Info
diff --git a/docs/resources/edges/execute-command.mdx b/docs/resources/edges/execute-command.mdx
index 3901fa6c50..8889a9409b 100644
--- a/docs/resources/edges/execute-command.mdx
+++ b/docs/resources/edges/execute-command.mdx
@@ -3,9 +3,8 @@ title: AZExecuteCommand
description: "Principals with the Intune Administrators role are able to execute arbitrary PowerShell scripts on devices that are joined to the Azure tenant."
---
-
-
-
+
+
## Abuse Info
diff --git a/docs/resources/edges/execute-dcom.mdx b/docs/resources/edges/execute-dcom.mdx
index bac1fe2de8..99caf02f95 100644
--- a/docs/resources/edges/execute-dcom.mdx
+++ b/docs/resources/edges/execute-dcom.mdx
@@ -3,9 +3,8 @@ title: ExecuteDCOM
description: This can allow code execution under certain conditions by instantiating a COM object on a remote machine and invoking its methods.
---
-
-
-
+
+
## Abuse Info
diff --git a/docs/resources/edges/extended-by-policy.mdx b/docs/resources/edges/extended-by-policy.mdx
index 5960ebd1d6..1488462a6b 100644
--- a/docs/resources/edges/extended-by-policy.mdx
+++ b/docs/resources/edges/extended-by-policy.mdx
@@ -3,9 +3,8 @@ title: ExtendedByPolicy
description: "The edge indicates that a certificate template includes an issuance policy as a certificate extension."
---
-
-
-
+
+
## Abuse Info
diff --git a/docs/resources/edges/force-change-password.mdx b/docs/resources/edges/force-change-password.mdx
index ac8d7f784d..4e4ab6a5a3 100644
--- a/docs/resources/edges/force-change-password.mdx
+++ b/docs/resources/edges/force-change-password.mdx
@@ -3,10 +3,8 @@ title: ForceChangePassword
description: "This edge indicates that the principal can reset the password of the target user without knowing the current password of that user."
---
+
-
-
-
To see an example of this edge being abused, see this clip from Derbycon 2017:
diff --git a/docs/resources/edges/generic-all.mdx b/docs/resources/edges/generic-all.mdx
index b604d337ea..5f78895145 100644
--- a/docs/resources/edges/generic-all.mdx
+++ b/docs/resources/edges/generic-all.mdx
@@ -2,9 +2,8 @@
title: GenericAll
---
-
-
-
+
+
This is also known as full control. This privilege allows the trustee to manipulate the target object however they wish.
@@ -91,7 +90,7 @@ Full control of a domain object (the head object of the Default Naming Context)
With full control of a domain node, you may add a new ACE on the domain that will inherit down to all the objects with ACL inheritance enabled in the domain.
-See the the sections "Generic Descendent Object Takeover" and "Targeted Descendent Object Takeover" under [With GenericAll Over an OU](#h_01HM28BQ05RS9DY84W2B93MJ0T).
+See the the sections "Generic Descendent Object Takeover" and "Targeted Descendent Object Takeover" under With GenericAll Over an OU.
#### Objects for which ACL inheritance is disabled
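Review bot: the replacement line drops the cross-reference entirely ("under With GenericAll Over an OU." with no link), which loses the navigation the original provided; if the `#h_01HM28BQ05RS9DY84W2B93MJ0T` anchor is dead after the migration, point the link at the heading's new slug rather than removing it. Both the old and new lines also carry the duplicated word in "See the the sections"; fix it while the line is being rewritten.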
diff --git a/docs/resources/edges/generic-write.mdx b/docs/resources/edges/generic-write.mdx
index 18491a8dbd..2ae15e1f25 100644
--- a/docs/resources/edges/generic-write.mdx
+++ b/docs/resources/edges/generic-write.mdx
@@ -2,9 +2,8 @@
title: GenericWrite
---
-
-
-
+
+
Generic Write access grants you the ability to write to any non-protected attribute on the target object, including "members" for a group, and "servicePrincipalNames" for a user.
diff --git a/docs/resources/edges/get-certificates.mdx b/docs/resources/edges/get-certificates.mdx
index 51e445f642..733d97f055 100644
--- a/docs/resources/edges/get-certificates.mdx
+++ b/docs/resources/edges/get-certificates.mdx
@@ -3,9 +3,8 @@ title: AZGetCertificates
description: "The ability to read certificates from key vaults."
---
-
-
-
+
+
## Abuse Info
diff --git a/docs/resources/edges/get-changes-all.mdx b/docs/resources/edges/get-changes-all.mdx
index 08f1334ab4..10eac81063 100644
--- a/docs/resources/edges/get-changes-all.mdx
+++ b/docs/resources/edges/get-changes-all.mdx
@@ -2,9 +2,8 @@
title: GetChangesAll
---
-
-
-
+
+
The principal is granted the GetChangesAll right on the domain.
## Abuse Info
diff --git a/docs/resources/edges/get-changes-in-filtered-set.mdx b/docs/resources/edges/get-changes-in-filtered-set.mdx
index 49014142b0..d5a664f333 100644
--- a/docs/resources/edges/get-changes-in-filtered-set.mdx
+++ b/docs/resources/edges/get-changes-in-filtered-set.mdx
@@ -2,9 +2,8 @@
title: GetChangesInFilteredSet
---
-
-
-
+
+
The principal is allowed to synchronize (DCSync) the Filtered Attribute Set (FAS), which are the attributes not replicated to RODCs.
diff --git a/docs/resources/edges/get-changes.mdx b/docs/resources/edges/get-changes.mdx
index c0600b1cc8..70c50a310e 100644
--- a/docs/resources/edges/get-changes.mdx
+++ b/docs/resources/edges/get-changes.mdx
@@ -2,10 +2,8 @@
title: GetChanges
description: "The principal is granted the GetChanges right on the domain."
---
+
-
-
-
## Abuse Info
diff --git a/docs/resources/edges/get-keys.mdx b/docs/resources/edges/get-keys.mdx
index aeabd0d354..7410252c29 100644
--- a/docs/resources/edges/get-keys.mdx
+++ b/docs/resources/edges/get-keys.mdx
@@ -3,9 +3,7 @@ title: AZGetKeys
description: "The ability to read keys from key vaults."
---
-
-
-
+
## Abuse Info
diff --git a/docs/resources/edges/get-secrets.mdx b/docs/resources/edges/get-secrets.mdx
index 1b8fc8697c..b27052e84f 100644
--- a/docs/resources/edges/get-secrets.mdx
+++ b/docs/resources/edges/get-secrets.mdx
@@ -2,12 +2,9 @@
title: AZGetSecrets
description: "The ability to read secrets from key vaults."
---
+
-
-
-
-
## Abuse Info
diff --git a/docs/resources/edges/global-admin.mdx b/docs/resources/edges/global-admin.mdx
index 0a6969618d..7fbb767754 100644
--- a/docs/resources/edges/global-admin.mdx
+++ b/docs/resources/edges/global-admin.mdx
@@ -2,9 +2,8 @@
title: AZGlobalAdmin
description: "This edge indicates the principal has the Global Admin role active against the target tenant. In other words, the principal is a Global Admin. Global Admins can do almost anything against almost every object type in the tenant, this is the highest privilege role in Azure."
---
-
-
-
+
+
## Abuse Info
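Review bot: The description on the `description:` context line is a comma splice ("...every object type in the tenant, this is the highest privilege role in Azure."). Since this hunk already touches the frontmatter area, split it into two sentences, e.g. "...every object type in the tenant. This is the highest privilege role in Azure."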
diff --git a/docs/resources/edges/golden-cert.mdx b/docs/resources/edges/golden-cert.mdx
index 4ae6b402f3..83b2ea4452 100644
--- a/docs/resources/edges/golden-cert.mdx
+++ b/docs/resources/edges/golden-cert.mdx
@@ -2,9 +2,8 @@
title: GoldenCert
---
-
-
-
+
+
The victim principal has a certificate private key that can be abused to sign "golden" certificates for authentication of any enabled principal in the AD forest of the domain.
diff --git a/docs/resources/edges/gp-link.mdx b/docs/resources/edges/gp-link.mdx
index ed7f940417..24fbf7d478 100644
--- a/docs/resources/edges/gp-link.mdx
+++ b/docs/resources/edges/gp-link.mdx
@@ -2,9 +2,8 @@
title: GPLink
---
-
-
-
+
+
A linked GPO applies its settings to objects in the linked container.
diff --git a/docs/resources/edges/grant-app-roles.mdx b/docs/resources/edges/grant-app-roles.mdx
index b6e2ce8ae9..ff5b06f793 100644
--- a/docs/resources/edges/grant-app-roles.mdx
+++ b/docs/resources/edges/grant-app-roles.mdx
@@ -3,9 +3,8 @@ title: AZMGGrantAppRoles
description: "This edge is created during post-processing."
---
-
-
-
+
+
It is created against AzureAD tenant objects when a Service Principal has one of the following MS Graph app role assignments:
diff --git a/docs/resources/edges/grant-role.mdx b/docs/resources/edges/grant-role.mdx
index 0977e3cb98..9c537fe740 100644
--- a/docs/resources/edges/grant-role.mdx
+++ b/docs/resources/edges/grant-role.mdx
@@ -3,9 +3,8 @@ title: AZMGGrantRole
description: "This edge is created during post-processing."
---
-
-
-
+
+
It is created against all Entra ID admin roles when a Service Principal has the following MS Graph app role assignment:
diff --git a/docs/resources/edges/group-member-readwrite-all.mdx b/docs/resources/edges/group-member-readwrite-all.mdx
index 116945d733..2ee688d9e7 100644
--- a/docs/resources/edges/group-member-readwrite-all.mdx
+++ b/docs/resources/edges/group-member-readwrite-all.mdx
@@ -3,9 +3,8 @@ title: AZMGGroupMember_ReadWrite_All
description: "This edge is created when a Service Principal has been granted the GroupMember.ReadWrite.All edge."
---
-
-
-
+
+
## Abuse Info
The edge is not abusable, but is used during post-processing to create abusable edges.
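Review bot: The `description:` context line says the Service Principal "has been granted the GroupMember.ReadWrite.All edge"; GroupMember.ReadWrite.All is an MS Graph app role (permission) that the principal is granted, and AZMGGroupMember_ReadWrite_All is the edge BloodHound derives from it. Suggest "has been granted the GroupMember.ReadWrite.All MS Graph app role" so the description does not conflate the permission with the graph edge, matching the wording used in grant-app-roles.mdx.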
diff --git a/docs/resources/edges/group-readwrite-all.mdx b/docs/resources/edges/group-readwrite-all.mdx
index 3275c73faa..f7a492d623 100644
--- a/docs/resources/edges/group-readwrite-all.mdx
+++ b/docs/resources/edges/group-readwrite-all.mdx
@@ -3,9 +3,8 @@ title: AZMGGroup_ReadWrite_All
description: "This edge is created when a Service Principal has been granted the Group.ReadWrite.All edge."
---
-
-
-
+
+
## Abuse Info
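Review bot: Same wording problem in the `description:` context line here: the principal is granted the Group.ReadWrite.All MS Graph app role, not "the Group.ReadWrite.All edge". Suggest "has been granted the Group.ReadWrite.All MS Graph app role"; the edge is what BloodHound creates from that grant.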
diff --git a/docs/resources/edges/has-role.mdx b/docs/resources/edges/has-role.mdx
index 5db65bcb53..44330820f3 100644
--- a/docs/resources/edges/has-role.mdx
+++ b/docs/resources/edges/has-role.mdx
@@ -2,9 +2,7 @@
title: AZHasRole
---
-
-
-
+
This edge indicates that a principal has been granted a particular AzureAD admin role.
diff --git a/docs/resources/edges/has-session.mdx b/docs/resources/edges/has-session.mdx
index 8cc109a0ee..3a8d1a2956 100644
--- a/docs/resources/edges/has-session.mdx
+++ b/docs/resources/edges/has-session.mdx
@@ -2,9 +2,8 @@
title: HasSession
---
-
-
-
+
+
When a user authenticates to a computer, they often leave credentials exposed on the system, which can be retrieved through LSASS injection, token manipulation or theft, or injecting into a user’s process.
@@ -16,8 +15,8 @@ This video explains how BloodHound CE's session data collection method works:
-Abuse Info[](#heading-1)
-------------------------
+Abuse Info
+-----------
When a user has a session on the computer, you may be able to obtain credentials for the user via credential dumping or token impersonation. You must be able to move laterally to the computer, have administrative access on the computer, and the user must have a non-network logon session on the computer.
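Review bot: The new setext underline `+-----------` is 11 dashes for the 10-character heading "Abuse Info", while the References heading later in this same file gets a 10-dash underline. Markdown renders a setext heading regardless of underline length, so this is cosmetic, but matching the underline to the heading text keeps the source readable and consistent; suggest `----------` here.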
@@ -31,13 +30,13 @@ You may run into a situation where a user is logged onto the system, but you can
User sessions can be short lived and only represent the sessions that were present at the time of collection. A user may have ended their session by the time you move to the computer to target them. However, users tend to use the same machines, such as the workstations or servers they are assigned to use for their job duties, so it can be valuable to check multiple times if a user session has started.
-Opsec Considerations[](#heading-2)
-----------------------------------
+Opsec Considerations
+--------------------
An EDR product may detect your attempt to inject into lsass and alert a SOC analyst. There are many more opsec considerations to keep in mind when stealing credentials or tokens. For more information, see the References section.
-References[](#heading-3)
-------------------------
+References
+----------
* [http://blog.gentilkiwi.com/mimikatz](http://blog.gentilkiwi.com/mimikatz)
* [https://github.com/gentilkiwi/mimikatz](https://github.com/gentilkiwi/mimikatz)
diff --git a/docs/resources/edges/has-sid-history.mdx b/docs/resources/edges/has-sid-history.mdx
index 7cba383a21..eb4826e634 100644
--- a/docs/resources/edges/has-sid-history.mdx
+++ b/docs/resources/edges/has-sid-history.mdx
@@ -2,29 +2,27 @@
title: HasSIDHistory
---
-
-
-
+
The given source principal has, in its SIDHistory attribute, the SID for the target principal.
When a Kerberos ticket is created for source principal, it will include the SID for the target principal, and therefore grant the source principal the same privileges and permissions as the target principal.
-Abuse Info[](#h_01H9SWEN9DVS86517XBBG5H885)
--------------------------------------------
+Abuse Info
+-----------
No special actions are needed to abuse this, as the Kerberos tickets created will have all SIDs in the object’s SID history attribute added to them; however, if traversing a domain trust boundary, ensure that SID filtering is not enforced, as SID filtering will ignore any SIDs in the SID history portion of a Kerberos ticket.
By default, SID filtering is not enabled for all domain trust types.
-Opsec Considerations[](#h_01H9SWEN9DG0D90F408ASFJ79P)
------------------------------------------------------
+Opsec Considerations
+--------------------
No opsec considerations apply to this edge.
-References[](#h_01H9SWEN9DNNY6A44GEQZ55WQD)
--------------------------------------------
+References
+----------
* [https://blog.harmj0y.net/redteaming/the-trustpocalypse/](https://blog.harmj0y.net/redteaming/the-trustpocalypse/)
* [https://blog.harmj0y.net/redteaming/a-guide-to-attacking-domain-trusts/](https://blog.harmj0y.net/redteaming/a-guide-to-attacking-domain-trusts/)
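Review bot: The `+-----------` underline under "Abuse Info" is 11 dashes for a 10-character heading, whereas the "Opsec Considerations" and "References" underlines in this hunk match their heading lengths exactly. Suggest trimming it to `----------` so all three headings in the file follow the same convention.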
diff --git a/docs/resources/edges/hosts-ca-service.mdx b/docs/resources/edges/hosts-ca-service.mdx
index 2f08ae8544..32865c8f74 100644
--- a/docs/resources/edges/hosts-ca-service.mdx
+++ b/docs/resources/edges/hosts-ca-service.mdx
@@ -2,9 +2,7 @@
title: HostsCAService
---
-
-
-
+
The Enterprise Certification Authority node is the enrollment service LDAP object for CA hosted on the computer node.
diff --git a/docs/resources/edges/issued-signed-by.mdx b/docs/resources/edges/issued-signed-by.mdx
index 27ec59f374..73fa0b148c 100644
--- a/docs/resources/edges/issued-signed-by.mdx
+++ b/docs/resources/edges/issued-signed-by.mdx
@@ -2,25 +2,23 @@
title: IssuedSignedBy
---
-
-
-
+
When Windows assesses the validity and trustworthiness of a certificate it verifies the certificate chain up to a trusted root certificate. The IssuedSignedBy edge represent a link within the certificate chain.
-Abuse Info[](#h_01HPHZJSTFS46D4BFVYAB25KTE)
--------------------------------------------
+Abuse Info
+-----------
An attacker may perform several attacks that rely on the certificate chain, such as ESC1. This relationship alone is not enough to escalate rights or impersonate other principals. This relationship may contribute to other relationships and attributes, from which an escalation opportunity may emerge.
-Opsec Considerations[](#heading-2)
-----------------------------------
+Opsec Considerations
+--------------------
When an attacker abuses a privilege escalation or impersonation primitive that relies on this relationship, it will necessarily result in the issuance of a certificate. A copy of the issued certificate will be saved on the host that issued the certificate.
-References[](#heading-3)
-------------------------
+References
+-----------
This edge is related to the following MITRE ATT&CK tactic and techniques:
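Review bot: The context line "The IssuedSignedBy edge represent a link within the certificate chain." has a subject-verb disagreement; it should read "represents". Also, both `+-----------` underlines (under "Abuse Info" and "References") are 11 dashes for 10-character headings while the "Opsec Considerations" underline matches its heading; since this hunk rewrites all three headings, suggest `----------` for both.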
diff --git a/docs/resources/edges/key-vault-contributor.mdx b/docs/resources/edges/key-vault-contributor.mdx
index f5dc90e70b..5dbde2a90d 100644
--- a/docs/resources/edges/key-vault-contributor.mdx
+++ b/docs/resources/edges/key-vault-contributor.mdx
@@ -3,9 +3,8 @@ title: AZKeyVaultContributor
description: "The Key Vault Contributor role grants full control of the target Key Vault. This includes the ability to read all secrets stored on the Key Vault."
---
-
-
-
+
+
## Abuse Info
diff --git a/docs/resources/edges/local-to-computer.mdx b/docs/resources/edges/local-to-computer.mdx
index 69f6ccb123..5494e2c943 100644
--- a/docs/resources/edges/local-to-computer.mdx
+++ b/docs/resources/edges/local-to-computer.mdx
@@ -2,9 +2,7 @@
title: LocalToComputer
---
-
-
-
+
From LocalGroup to Computer: The LocalGroup is a local group on the Computer.
diff --git a/docs/resources/edges/logic-app-contributor.mdx b/docs/resources/edges/logic-app-contributor.mdx
index ae9c379cd9..06b2446d1b 100644
--- a/docs/resources/edges/logic-app-contributor.mdx
+++ b/docs/resources/edges/logic-app-contributor.mdx
@@ -3,9 +3,8 @@ title: AZLogicAppContributor
description: The Logic Contributor role grants full control of the target Logic App. This includes the ability to execute arbitrary commands on the Logic App.
---
-
-
-
+
+
## Abuse Info
Currently you need access to the portal GUI to execute this abuse. The abuse involves adding or modifying an existing logic app to coerce the logic app into sending a JWT for its managed identity service principal to a web server you control.
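Review bot: The `description:` context line is the only one in this patch not wrapped in double quotes, and it refers to "The Logic Contributor role" while the title is AZLogicAppContributor and the Azure RBAC role is named "Logic App Contributor". Suggest quoting the value like the other files and writing "The Logic App Contributor role grants full control of the target Logic App." so the description and title name the same role.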
diff --git a/docs/resources/edges/manage-ca.mdx b/docs/resources/edges/manage-ca.mdx
index 0fa8728a80..60110b05aa 100644
--- a/docs/resources/edges/manage-ca.mdx
+++ b/docs/resources/edges/manage-ca.mdx
@@ -2,25 +2,24 @@
title: ManageCA
---
-
-
-
+
+
The principal has the "Manage CA", also known as "CA Administrator", permission on the EnterpriseCA. This permission allows the principal to configure the CA to allow subject alternate names, publish certificate templates, grant "Manage Certificates" and more.
-Abuse Info[](#h_01HPHZJSTFS46D4BFVYAB25KTE)
--------------------------------------------
+Abuse Info
+-----------
This relationship alone is not enough to perform a privilege escalation or impersonation primitive. This relationship may contribute to other relationships and attributes, from which an escalation opportunity may emerge.
-Opsec Considerations[](#heading-2)
-----------------------------------
+Opsec Considerations
+--------------------
When an attacker abuses a privilege escalation or impersonation primitive that relies on this relationship, it will necessarily result in the issuance of a certificate. A copy of the issued certificate will be saved on the host that issued the certificate.
-References[](#heading-3)
-------------------------
+References
+----------
This edge is related to the following MITRE ATT&CK tactic and techniques:
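Review bot: The `+-----------` underline under "Abuse Info" is 11 dashes for a 10-character heading; the other two headings in this hunk are underlined to their exact length. Suggest `----------` for consistency. Separately, the context line "grant "Manage Certificates" and more" reads awkwardly; "grant the "Manage Certificates" permission, and more" would be clearer.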
diff --git a/docs/resources/edges/manage-certificates.mdx b/docs/resources/edges/manage-certificates.mdx
index 4804a7a468..f8015301e3 100644
--- a/docs/resources/edges/manage-certificates.mdx
+++ b/docs/resources/edges/manage-certificates.mdx
@@ -2,9 +2,7 @@
title: ManageCertificates
---
-
-
-
+
The principal has the "Manage Certificates", also known as "CA Officer", permission on the Enterprise CA. This permission allows the principal to force the CA to issue certificates that the CA had previously denied issuance of.
diff --git a/docs/resources/edges/managed-identity.mdx b/docs/resources/edges/managed-identity.mdx
index 166d5f9d3c..39836fc237 100644
--- a/docs/resources/edges/managed-identity.mdx
+++ b/docs/resources/edges/managed-identity.mdx
@@ -2,10 +2,8 @@
title: AZManagedIdentity
description: "Azure resources like Virtual Machines, Logic Apps, and Automation Accounts can be assigned to either System- or User-Assigned Managed Identities."
---
+
-
-
-
This assignment allows the Azure resource to authenticate to Azure services as the Managed Identity without needing to know the credential for that Managed Identity. Managed Identities, whether System- or User-Assigned, are AzureAD Service Principals.
diff --git a/docs/resources/edges/member-of-local-group.mdx b/docs/resources/edges/member-of-local-group.mdx
index d0947601cd..13d8a160de 100644
--- a/docs/resources/edges/member-of-local-group.mdx
+++ b/docs/resources/edges/member-of-local-group.mdx
@@ -2,25 +2,23 @@
title: MemberOfLocalGroup
---
-
-
-
+
From a Principal to LocalGroup: Principal is a member of the LocalGroup.
-Abuse Info[](#heading-1)
-------------------------
+Abuse Info
+----------
The principal will have all privileges granted to the group.
-Opsec Considerations[](#heading-2)
-----------------------------------
+Opsec Considerations
+--------------------
No opsec considerations apply to this edge.
-References[](#heading-3)
-------------------------
+References
+----------
* [https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/cc725622(v=ws.11)](https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/cc725622(v=ws.11))
diff --git a/docs/resources/edges/member-of.mdx b/docs/resources/edges/member-of.mdx
index 75f1265bcf..e1bbc1da52 100644
--- a/docs/resources/edges/member-of.mdx
+++ b/docs/resources/edges/member-of.mdx
@@ -3,9 +3,7 @@ title: AZMemberOf
description: "The given asset is a member of the group."
---
-
-
-
+
Groups in Entra ID grant their direct members any privileges the group itself has. If a group has an Entra admin role, its direct members inherit those permissions.
diff --git a/docs/resources/edges/node-resource-group.mdx b/docs/resources/edges/node-resource-group.mdx
index 135817ea08..af80f2a26f 100644
--- a/docs/resources/edges/node-resource-group.mdx
+++ b/docs/resources/edges/node-resource-group.mdx
@@ -3,10 +3,7 @@ title: AZNodeResourceGroup
description: "This edge is created to link Azure Kubernetes Service Managed Clusters to the Virtual Machine Scale Sets they use to execute commands on."
---
-
-
-
-
+
The system-assigned identity for the AKS Cluster will have the Contributor role against the target Resource Group and its child Virtual Machine Scale Sets.
diff --git a/docs/resources/edges/nt-auth-store-for.mdx b/docs/resources/edges/nt-auth-store-for.mdx
index 9c8b742ff4..bcabc619c9 100644
--- a/docs/resources/edges/nt-auth-store-for.mdx
+++ b/docs/resources/edges/nt-auth-store-for.mdx
@@ -2,9 +2,7 @@
title: NTAuthStoreFor
---
-
-
-
+
The NTAuthStore is the Enterprise NTAuth store (NTAuthCertificates object) for the the AD forest of the domain node. The NTAuthStore holds the list of certificates trusted for authentication in the AD forest of the domain. When a user attempts to authenticate against a domain with a certificate, a domain controller will verify that the certificate is signed by a certificate in the NTAuthStore.
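Review bot: The context line contains a doubled word: "for the the AD forest of the domain node". Since this hunk already touches the top of the file, fix it to "for the AD forest of the domain node" in the same change.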
diff --git a/docs/resources/edges/oid-group-link.mdx b/docs/resources/edges/oid-group-link.mdx
index 3170d4da38..7b222adea4 100644
--- a/docs/resources/edges/oid-group-link.mdx
+++ b/docs/resources/edges/oid-group-link.mdx
@@ -1,27 +1,25 @@
---
title: OIDGroupLink
---
+
-
-
-
The edge indicates that an IssuancePolicy has an OID group link to a group.
Certificate templates may include the IssuancePolicy as an issuance policy extension. Users authenticating using a certificate of such a certificate template will be granted access as a member of the group.
-Abuse Info[](#h_01HZ7C2A3P68728AS1KESC5R59)
--------------------------------------------
+Abuse Info
+-----------
An attacker may perform the ADCS ESC13 abuse which relies on the OID group link. This relationship alone is not enough to escalate rights or impersonate other principals.
-Opsec Considerations[](#h_01HZ7C2A3PBG7CXN767B2E029D)
------------------------------------------------------
+Opsec Considerations
+---------------------
When an attacker abuses a privilege escalation or impersonation primitive that relies on this relationship, it will necessarily result in the issuance of a certificate. A copy of the issued certificate will be saved on the host that issued the certificate.
-References[](#h_01HZ7C2A3P1X6A8N9YB4RR83ZJ)
--------------------------------------------
+References
+----------
* [ADCS ESC13 Abuse Technique](https://posts.specterops.io/adcs-esc13-abuse-technique-fda4272fbd53)
* [Authentication Mechanism Assurance for AD DS in Windows Server 2008 R2 Step-by-Step Guide](https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/dd378897(v=ws.10)?redirectedfrom=MSDN)
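Review bot: Two of the new underlines are one dash longer than their headings: `+-----------` (11) under the 10-character "Abuse Info" and `+---------------------` (21) under the 20-character "Opsec Considerations", while the "References" underline matches. Suggest `----------` and `--------------------` respectively so the three headings in this file use one convention.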
diff --git a/docs/resources/edges/overview.mdx b/docs/resources/edges/overview.mdx
index 6ca9f0e217..d363676bf9 100644
--- a/docs/resources/edges/overview.mdx
+++ b/docs/resources/edges/overview.mdx
@@ -3,9 +3,7 @@ title: About BloodHound Edges
description: "Edges are part of the graph construct and are represented as links/relationships that connect one node to another node."
---
-
-
-
+
For example, the image below shows three User nodes (left side) connected to one Group node (right side), via the “MemberOf” edge, indicating the three users belong to the group:
diff --git a/docs/resources/edges/owner.mdx b/docs/resources/edges/owner.mdx
index 235ae4327c..6c6927fb17 100644
--- a/docs/resources/edges/owner.mdx
+++ b/docs/resources/edges/owner.mdx
@@ -3,10 +3,8 @@ title: AZOwner
description: "The principal is granted the Owner role on the resource."
---
+
-
-
-
AZOwner targets resources in AzureRM (for example [AZResourceGroup](/resources/nodes/az-resource-group), [AZSubscription](/resources/nodes/az-subscription), and [AZVM](/resources/nodes/az-vm)) through role assignment called "Owner".
diff --git a/docs/resources/edges/owns.mdx b/docs/resources/edges/owns.mdx
index 1f9f44af11..9b3cf8eed5 100644
--- a/docs/resources/edges/owns.mdx
+++ b/docs/resources/edges/owns.mdx
@@ -2,12 +2,9 @@
title: AZOwns
description: "The principal is granted owner rights on the principal."
---
+
-
-
-
-
AZOwns targets resources in Entra ID (for example [AZGroup](/resources/nodes/az-group), [AZServicePrincipal](/resources/nodes/az-service-principal), and [AZDevice](/resources/nodes/az-device)) from various object-specific ownership.
diff --git a/docs/resources/edges/privileged-auth-admin.mdx b/docs/resources/edges/privileged-auth-admin.mdx
index 41b7465e61..adfea26eb5 100644
--- a/docs/resources/edges/privileged-auth-admin.mdx
+++ b/docs/resources/edges/privileged-auth-admin.mdx
@@ -2,10 +2,8 @@
title: AZPrivilegedAuthAdmin
description: "This edge indicates the principal has the Privileged Authentication Administrator role active against the target tenant."
---
+
-
-
-
Principals with this role can update sensitive properties for all users. Privileged Authentication Administrator can set or reset any authentication method (including passwords) for any user, including Global Administrators.
diff --git a/docs/resources/edges/privileged-role-admin.mdx b/docs/resources/edges/privileged-role-admin.mdx
index ab6fd34a1f..1537ce3541 100644
--- a/docs/resources/edges/privileged-role-admin.mdx
+++ b/docs/resources/edges/privileged-role-admin.mdx
@@ -3,9 +3,7 @@ title: AZPrivilegedRoleAdmin
description: "The Privileged Role Admin role can grant any other admin role to another principal at the tenant level."
---
-
-
-
+
## Abuse Info
diff --git a/docs/resources/edges/published-to.mdx b/docs/resources/edges/published-to.mdx
index 55870470ce..7a87da989e 100644
--- a/docs/resources/edges/published-to.mdx
+++ b/docs/resources/edges/published-to.mdx
@@ -2,26 +2,25 @@
title: PublishedTo
---
-
-
-
+
+
The certificate template is published to an enterprise certification authority. This relationship means
the certificate template can be used when submitting an enrollment request to the specified
certification authority.
-Abuse Info[](#h_01HPHZJSTFS46D4BFVYAB25KTE)
--------------------------------------------
+Abuse Info
+----------
An attacker may perform several attacks that rely on a template being published to a certification authority. This relationship alone is not enough to escalate rights or impersonate other principals. This relationship may contribute to other relationships and attributes, from which an escalation opportunity may emerge.
-Opsec Considerations[](#heading-2)
-----------------------------------
+Opsec Considerations
+--------------------
When an attacker abuses an escalation or impersonation primitive that relies on a template being published to a certification authority, a copy of the issued certificate will be saved on the host that issued the certificate.
-References[](#heading-3)
-------------------------
+References
+----------
This edge is related to the following MITRE ATT&CK tactic and techniques:
diff --git a/docs/resources/edges/read-gmsa-password.mdx b/docs/resources/edges/read-gmsa-password.mdx
index c314587882..f6ed0a8cc2 100644
--- a/docs/resources/edges/read-gmsa-password.mdx
+++ b/docs/resources/edges/read-gmsa-password.mdx
@@ -2,17 +2,16 @@
title: ReadGMSAPassword
---
-
-
-
+
+
This privilege allows you to read the password for a Group Managed Service Account (GMSA). Group Managed Service Accounts are a special type of Active Directory object, where the password for that object is managed by and automatically changed by Domain Controllers on a set interval (check the MSDS-ManagedPasswordInterval attribute).
The intended use of a GMSA is to allow certain computer accounts to retrieve the password for the GMSA, then run local services as the GMSA. An attacker with control of an authorized principal may abuse that privilege to impersonate the GMSA.`;
-Abuse Info[](#h_01HKYM4WQGKY3BRR1SW6CGBVNK)
--------------------------------------------
+Abuse Info
+----------
There are several ways to abuse the ability to read the GMSA password. The most straightforward abuse is possible when the GMSA is currently logged on to a computer, which is the intended behavior for a GMSA.
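Review bot: The context line ending "may abuse that privilege to impersonate the GMSA.`;" carries a stray backtick and semicolon, almost certainly leftover from a JavaScript template string during the migration; it will render as literal "`;" after the sentence. Since this hunk is cleaning up the same region, drop the trailing "`;" here rather than in a follow-up.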
@@ -37,15 +36,15 @@ At this point, you are ready to use the NT hash like you would with a regular us
[gMSADumper.py](https://github.com/micahvandeusen/gMSADumper) can be used to obtain the NT hash.
-Opsec Considerations[](#h_01HKYM4WQGYD3TZKEE5A15G0VB)
------------------------------------------------------
+Opsec Considerations
+--------------------
When abusing a GMSA that is already logged onto a system, you will have the same opsec considerations as when abusing a standard user logon. For more information about that, see the “HasSession” modal’s opsec considerations tab.
When retrieving the GMSA password from Active Directory, you may generate a 4662 event on the Domain Controller; however, that event will likely perfectly resemble a legitimate event if you request the password from the same context as a computer account that is already authorized to read the GMSA password.
-References[](#h_01HKYM4WQGNZFNABFYF5C6W9ZK)
--------------------------------------------
+References
+----------
* [https://www.dsinternals.com/en/retrieving-cleartext-gmsa-passwords-from-active-directory/](https://www.dsinternals.com/en/retrieving-cleartext-gmsa-passwords-from-active-directory/)
* [https://www.powershellgallery.com/packages/DSInternals/](https://www.powershellgallery.com/packages/DSInternals/)
diff --git a/docs/resources/edges/read-laps-password.mdx b/docs/resources/edges/read-laps-password.mdx
index 6b78f00ed7..2e270facdb 100644
--- a/docs/resources/edges/read-laps-password.mdx
+++ b/docs/resources/edges/read-laps-password.mdx
@@ -2,9 +2,8 @@
title: Working with the BloodHound API
---
-
-
-
+
+
This privilege allows a principal to read the LAPS password from a computer.
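Review bot: The `title:` context line reads "Working with the BloodHound API", which does not match this file (read-laps-password.mdx, whose body describes the ReadLAPSPassword edge). Every other edge page in this patch uses the edge name as its title, so this looks like a copy-paste error in the frontmatter; suggest `title: ReadLAPSPassword` while the frontmatter block is being touched.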
diff --git a/docs/resources/edges/remote-interactive-logon-privilege.mdx b/docs/resources/edges/remote-interactive-logon-privilege.mdx
index 3a0a611521..7efd7d8194 100644
--- a/docs/resources/edges/remote-interactive-logon-privilege.mdx
+++ b/docs/resources/edges/remote-interactive-logon-privilege.mdx
@@ -2,26 +2,25 @@
title: RemoteInteractiveLogonPrivilege
---
-
-
-
+
+
From Principal to Computer: Principal has the SeRemoteInteractiveLogonPrivilege on the Computer.
For RDP access the principal also needs membership in the computer's local Remote Desktop Users group, which related to the edge [MemberOfLocalGroup](/resources/edges/member-of-local-group). When RDP access is possible, the prinicpal will have the edge [CanRDP](/resources/edges/can-rdp).
-Abuse Info[](#heading-1)
-------------------------
+Abuse Info
+----------
This edge alone does not enable abuse.
-Opsec Considerations[](#heading-2)
-----------------------------------
+Opsec Considerations
+--------------------
No opsec considerations apply to this edge.
-References[](#heading-3)
-------------------------
+References
+----------
* [https://blog.cptjesus.com/posts/userrightsassignment/](https://blog.cptjesus.com/posts/userrightsassignment/)
* [https://learn.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/user-rights-assignment](https://learn.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/user-rights-assignment)
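Review bot: The second context line has a typo, "prinicpal", and the clause "which related to the edge [MemberOfLocalGroup]" is missing a verb. Suggest "which relates to the edge [MemberOfLocalGroup](...). When RDP access is possible, the principal will have the edge [CanRDP](...)." since the hunk already spans this paragraph.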
diff --git a/docs/resources/edges/reset-password.mdx b/docs/resources/edges/reset-password.mdx
index c2ecef1c63..0e35304a38 100644
--- a/docs/resources/edges/reset-password.mdx
+++ b/docs/resources/edges/reset-password.mdx
@@ -3,9 +3,8 @@ title: AZResetPassword
description: "The ability to change another user’s password without knowing their current password."
---
-
-
-
+
+
## Abuse Info
diff --git a/docs/resources/edges/role-management-readwrite-directory.mdx b/docs/resources/edges/role-management-readwrite-directory.mdx
index da11e501cb..1a6f252bf4 100644
--- a/docs/resources/edges/role-management-readwrite-directory.mdx
+++ b/docs/resources/edges/role-management-readwrite-directory.mdx
@@ -3,9 +3,8 @@ title: AZMGRoleManagement_ReadWrite_Directory
description: "This edge is created when a Service Principal has been granted the RoleManagement.ReadWrite.Directory edge."
---
-
-
-
+
+
## Abuse Info
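Review bot: The `description:` context line says the Service Principal "has been granted the RoleManagement.ReadWrite.Directory edge"; RoleManagement.ReadWrite.Directory is the MS Graph app role that is granted, and AZMGRoleManagement_ReadWrite_Directory is the edge derived from it. Suggest "has been granted the RoleManagement.ReadWrite.Directory MS Graph app role".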
diff --git a/docs/resources/edges/root-ca-for.mdx b/docs/resources/edges/root-ca-for.mdx
index 89d62a9cf3..908bdd45ad 100644
--- a/docs/resources/edges/root-ca-for.mdx
+++ b/docs/resources/edges/root-ca-for.mdx
@@ -2,28 +2,27 @@
title: RootCAFor
---
-
-
-
+
+
The CA is trusted as a root certification authority by the domain. Any certificates signed by this CA
will be trusted by the domain and all hosts in the domain.
-Abuse Info[](#h_01HPHZJSTFS46D4BFVYAB25KTE)
--------------------------------------------
+Abuse Info
+----------
An attacker may perform several attacks that rely on the existence of a root CA, such as ESC1. This edge
alone is not enough to escalate rights or impersonate other principals. This edge may contribute to other
edges and attributes, from which an escalation opportunity may emerge.
-Opsec Considerations[](#heading-2)
-----------------------------------
+Opsec Considerations
+--------------------
When the affected certificate authority issues the certificate to the attacker, it will retain a local copy of that certificate in its issued certificates store. Defenders may analyze those issued certificates to identify illegitimately issued certificates and identify the principal that requested the certificate, as well as the target identity the attacker is attempting to impersonate.
-References[](#heading-3)
-------------------------
+References
+----------
This edge is related to the following MITRE ATT&CK tactic and techniques:
diff --git a/docs/resources/edges/run-as.mdx b/docs/resources/edges/run-as.mdx
index 8110bf1a6f..cf654d2c36 100644
--- a/docs/resources/edges/run-as.mdx
+++ b/docs/resources/edges/run-as.mdx
@@ -3,9 +3,8 @@ title: AZRunAs
description: "The Azure App runs as the Service Principal when it needs to authenticate to the tenant."
---
-
-
-
+
+
## Abuse Info
diff --git a/docs/resources/edges/scoped-to.mdx b/docs/resources/edges/scoped-to.mdx
index 90e0b6dbea..3c494674f3 100644
--- a/docs/resources/edges/scoped-to.mdx
+++ b/docs/resources/edges/scoped-to.mdx
@@ -3,9 +3,8 @@ title: AZScopedTo
description: "Is used to distinguish whether an EntraID (AzureAD) admin role such as Application Administrator or Cloud Application Administrator is scoped to the tenant or to a particular app registration or service principal."
---
-
-
-
+
+
## Abuse Info
diff --git a/docs/resources/edges/service-principal-endpoint-readwrite-all.mdx b/docs/resources/edges/service-principal-endpoint-readwrite-all.mdx
index 33abc64aca..f0caef095a 100644
--- a/docs/resources/edges/service-principal-endpoint-readwrite-all.mdx
+++ b/docs/resources/edges/service-principal-endpoint-readwrite-all.mdx
@@ -3,9 +3,8 @@ title: AZMGServicePrincipalEndpoint_ReadWrite_All
description: "This edge is created when a Service Principal has been granted the ServicePrincipalEndpoint.ReadWrite.All edge."
---
-
-
-
+
+
## Abuse Info
The edge is not abusable, but is used during post-processing to create abusable edges.
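Review bot: The `description:` context line refers to "the ServicePrincipalEndpoint.ReadWrite.All edge"; that is the MS Graph app role granted to the Service Principal, not the edge. Suggest "has been granted the ServicePrincipalEndpoint.ReadWrite.All MS Graph app role", which also matches the body text stating that the edge itself is not abusable but feeds post-processing.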
diff --git a/docs/resources/edges/sql-admin.mdx b/docs/resources/edges/sql-admin.mdx
index f4f0724741..6fbdd73dc9 100644
--- a/docs/resources/edges/sql-admin.mdx
+++ b/docs/resources/edges/sql-admin.mdx
@@ -2,9 +2,8 @@
title: SQLAdmin
---
-
-
-
+
+
The user is a SQL admin on the target computer
@@ -16,8 +15,8 @@ This clip demonstrates how to abuse this edge:
-Abuse Info[](#heading-1)
-------------------------
+Abuse Info
+-----------
Scott Sutherland from NetSPI has authored PowerUpSQL, a PowerShell Toolkit for Attacking SQL Server. Major contributors include Antti Rantasaari, Eric Gruber, and Thomas Elling. Before executing any of the below commands, download PowerUpSQL and load it into your PowerShell instance. Get PowerUpSQL here: [https://github.com/NetSPI/PowerUpSQL](https://github.com/NetSPI/PowerUpSQL)
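Review bot: The `+-----------` underline is 11 dashes for the 10-character "Abuse Info" heading; the "References" heading later in this file gets a 10-dash underline. Suggest `----------` so the headings in sql-admin.mdx are underlined consistently.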
@@ -87,8 +86,8 @@ Get-SQLQuery -Verbose -Query "xp_test" -Instance sqlserver\instance
```
Get-SQLQuery -Verbose -Query "sp\_dropextendedproc 'xp\_test'" -Instance sqlserver\instance
```
-Opsec Considerations[](#heading-2)
-----------------------------------
+Opsec Considerations
+---------------------
Prior to executing operating system commands through SQL Server, review the audit configuration and choose a command execution method that is not being monitored.
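Review bot: The context line inside the fenced block, `Get-SQLQuery -Verbose -Query "sp\_dropextendedproc 'xp\_test'" -Instance sqlserver\instance`, still has Markdown-escaped underscores; inside a fenced code block backslashes are literal, so a reader copying the command gets `sp\_dropextendedproc` and `xp\_test`, which are not valid names. Suggest `sp_dropextendedproc 'xp_test'` in the same cleanup. Also, the new `+---------------------` underline is 21 dashes for the 20-character "Opsec Considerations" heading; `--------------------` would match.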
@@ -137,8 +136,8 @@ If database audit specifications are configured on the SQL Server, event ID 3320
A summary of the what will show up in the logs, along with the TSQL queries for viewing and configuring audit configurations can be found at [https://github.com/NetSPI/PowerUpSQL/blob/master/templates/tsql/Audit%20Command%20Execution%20Template.sql](https://github.com/NetSPI/PowerUpSQL/blob/master/templates/tsql/Audit%20Command%20Execution%20Template.sql)
-References[](#heading-3)
-------------------------
+References
+----------
* [https://github.com/NetSPI/PowerUpSQL/wiki](https://github.com/NetSPI/PowerUpSQL/wiki)
* [https://www.slideshare.net/nullbind/powerupsql-2018-blackhat-usa-arsenal-presentation](https://www.slideshare.net/nullbind/powerupsql-2018-blackhat-usa-arsenal-presentation)
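Review bot: The context line "A summary of the what will show up in the logs" has a stray "the"; suggest "A summary of what will show up in the logs, along with the TSQL queries..." since the hunk already covers this paragraph.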
diff --git a/docs/resources/edges/sync-laps-password.mdx b/docs/resources/edges/sync-laps-password.mdx
index fbd9bd6474..756faff548 100644
--- a/docs/resources/edges/sync-laps-password.mdx
+++ b/docs/resources/edges/sync-laps-password.mdx
@@ -2,14 +2,13 @@
title: SyncLAPSPassword
---
-
-
-
+
+
A principal with this signifies the capability of retrieving, through a directory synchronization, the value of confidential and RODC filtered attributes, such as LAPS’ _ms-Mcs-AdmPwd_.
-Abuse Info[](#heading-1)
-------------------------
+Abuse Info
+----------
To abuse these privileges, use DirSync:
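Review bot: this hunk collapses three blank lines to two, while the node pages later in the same diff (ad-local-group, az-app and the rest) collapse theirs to one; pick one convention for the gap after the frontmatter so the pages stay uniform. The context sentence "A principal with this signifies the capability of retrieving, through a directory synchronization, ..." is also awkward; "This edge indicates the principal can retrieve, through directory synchronization, ..." would read more clearly.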
@@ -17,8 +16,8 @@ Sync-LAPS -LDAPFilter '(samaccountname=TargetComputer$)'
For other optional parameters, view the DirSync documentation.
-Opsec Considerations[](#heading-2)
-----------------------------------
+Opsec Considerations
+--------------------
Executing the attack will generate a 4662 (An operation was performed on an object) event at the domain controller if an appropriate SACL is in place on the target object.
diff --git a/docs/resources/edges/synced-to-ad-user.mdx b/docs/resources/edges/synced-to-ad-user.mdx
index 9d398838b8..7e6c8f7fc5 100644
--- a/docs/resources/edges/synced-to-ad-user.mdx
+++ b/docs/resources/edges/synced-to-ad-user.mdx
@@ -2,26 +2,25 @@
title: SyncedToADUser
---
-
-
-
+
+
The Entra user is synchronized to the on-prem AD user.
The Entra user may be able to authenticate as the on-prem AD user with its own password if password write-back is enabled. The Entra user may already have the same password as the on-prem user if password hash synchronization is enabled.
-Abuse Info[](#h_01HM2BCKV2PZ36VCYNETATDB50)
--------------------------------------------
+Abuse Info
+----------
An attacker may authenticate as the on-prem AD user using the Entra user’s credentials, for example by key-logging the user’s password, or by changing the Entra user’s password and waiting for the password write-back operation to complete.
-Opsec Considerations[](#h_01HM2BCKV33DRMF9D94AD7J1FH)
------------------------------------------------------
+Opsec Considerations
+--------------------
The attacker may create artifacts of abusing this relationship in both on-prem AD and in Entra. A password write-back operation against the on-prem user may create a 4724 Windows event, along with a corresponding Entra activity log entry indicating the Entra user’s password was changed.
-References[](#h_01HM2BCKV3WNEN9J413M1AWHNP)
--------------------------------------------
+References
+----------
[Concept SSPR WriteBack](https://learn.microsoft.com/en-us/entra/identity/authentication/concept-sspr-writeback)
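Review bot: the reference is a bare link line rather than the `* [...]` bullet used under "References" in trusted-by, write-dacl and write-owner in this same diff; make it a list item for consistency.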
diff --git a/docs/resources/edges/synced-to-entra-user.mdx b/docs/resources/edges/synced-to-entra-user.mdx
index 187fc0e354..0e68dcd019 100644
--- a/docs/resources/edges/synced-to-entra-user.mdx
+++ b/docs/resources/edges/synced-to-entra-user.mdx
@@ -2,26 +2,25 @@
title: SyncedToEntraUser
---
-
-
-
+
+
The on-prem AD user is synchronized to the Entra ID user.
The on-prem user may be able to authenticate as the Entra user with its own password if password hash synchronization, pass-through authentication, or seamless single sign-on is enabled.
-Abuse Info[](#h_01HM2BCKV2PZ36VCYNETATDB50)
--------------------------------------------
+Abuse Info
+----------
An attacker may authenticate as the synchronized Entra user using the on-prem user’s credentials, for example by dumping the user’s plain-text credential from memory, key-logging the user’s password, or by changing the on-prem user’s password and authenticating with that new password.
-Opsec Considerations[](#h_01HM2BCKV33DRMF9D94AD7J1FH)
------------------------------------------------------
+Opsec Considerations
+--------------------
The attacker may create artifacts of abusing this relationship in both on-prem AD and in Entra. A password reset operation against the on-prem user may create a 4724 Windows event, along with a corresponding Entra activity log entry when the on-prem agent synchronizes the new password hash up to Entra.
-References[](#h_01HM2BCKV3WNEN9J413M1AWHNP)
--------------------------------------------
+References
+----------
[What is Password Hybrid Sync](https://learn.microsoft.com/en-us/entra/identity/hybrid/connect/whatis-phs)
[How to connect Pass-Through Auth](https://learn.microsoft.com/en-us/entra/identity/hybrid/connect/how-to-connect-pta)
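Review bot: the two reference links sit on consecutive lines with no blank line or list markers between them, so Markdown will render them as a single paragraph joined by a soft break; turn them into `* [...]` bullets as the other edge pages do.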
diff --git a/docs/resources/edges/traversable-edges.mdx b/docs/resources/edges/traversable-edges.mdx
index 039d48ddc5..43c2c878a3 100644
--- a/docs/resources/edges/traversable-edges.mdx
+++ b/docs/resources/edges/traversable-edges.mdx
@@ -2,9 +2,8 @@
title: Traversable and Non-Traversable Edge Types
---
-
-
-
+
+
## Traversable Edges
diff --git a/docs/resources/edges/trusted-by.mdx b/docs/resources/edges/trusted-by.mdx
index 66613f313a..c2f249ca80 100644
--- a/docs/resources/edges/trusted-by.mdx
+++ b/docs/resources/edges/trusted-by.mdx
@@ -2,18 +2,17 @@
title: TrustedBy
---
-
-
-
+
+
This edge is used to keep track of domain trusts, and maps to the direction of access.
-Abuse Info[](#heading-1)
-------------------------
+Abuse Info
+----------
This edge will come in handy when analzying how to jump a forest trust to get enterprise admin access from domain admin access within a forest. For more information about that attack, see [https://blog.harmj0y.net/redteaming/the-trustpocalypse/](https://blog.harmj0y.net/redteaming/the-trustpocalypse/)
-References[](#heading-2)
-------------------------
+References
+----------
* [https://blog.harmj0y.net/redteaming/the-trustpocalypse/](https://blog.harmj0y.net/redteaming/the-trustpocalypse/)
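Review bot: the context line under "Abuse Info" has the typo "analzying" (should be "analyzing"); fix it while the headings in this file are being rewritten. The same URL also appears both inline in that sentence and again under "References", so one of the two could be dropped.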
diff --git a/docs/resources/edges/trusted-for-nt-auth.mdx b/docs/resources/edges/trusted-for-nt-auth.mdx
index f2382b63ca..2e5b7f4210 100644
--- a/docs/resources/edges/trusted-for-nt-auth.mdx
+++ b/docs/resources/edges/trusted-for-nt-auth.mdx
@@ -2,9 +2,8 @@
title: TrustedForNTAuth
---
-
-
-
+
+
The NTAuthStore contains the certificate of the Enterprise CA. The consequence of the relationship is that certificate issued by the Enterprise CA are trusted for authentication in the AD forest of the NTAuthStore.
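Review bot: the unchanged context sentence has a number agreement error, "certificate issued by the Enterprise CA are trusted"; it should read "certificates issued by the Enterprise CA are trusted".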
diff --git a/docs/resources/edges/user-access-administrator.mdx b/docs/resources/edges/user-access-administrator.mdx
index 1ce5bc596b..3fd65f26e8 100644
--- a/docs/resources/edges/user-access-administrator.mdx
+++ b/docs/resources/edges/user-access-administrator.mdx
@@ -3,9 +3,8 @@ title: AZUserAccessAdministrator
description: "The User Access Admin role can edit roles against many other objects."
---
-
-
-
+
+
## Abuse Info
diff --git a/docs/resources/edges/vm-admin-login.mdx b/docs/resources/edges/vm-admin-login.mdx
index d5fd2e8370..6a814aae47 100644
--- a/docs/resources/edges/vm-admin-login.mdx
+++ b/docs/resources/edges/vm-admin-login.mdx
@@ -3,9 +3,8 @@ title: AZVMAdminLogin
description: "When a virtual machine is configured to allow logon with Azure credentials, the VM automatically has certain principals added to its local administrators group, including any principal granted the Virtual Machine Administrator Login (or “VMAL”) admin role."
---
-
-
-
+
+
Any principal granted this role, scoped to the affected VM, can connect to the VM via RDP and will be granted local admin rights on the VM.
diff --git a/docs/resources/edges/vm-contributor.mdx b/docs/resources/edges/vm-contributor.mdx
index 83c24a2c46..2eae13e58d 100644
--- a/docs/resources/edges/vm-contributor.mdx
+++ b/docs/resources/edges/vm-contributor.mdx
@@ -3,9 +3,8 @@ title: AZVMContributor
description: "The Virtual Machine contributor role grants almost all abusable privileges against Virtual Machines."
---
-
-
-
+
+
## Abuse Info
The Virtual Machine Contributor role allows you to run SYSTEM commands on the VM
diff --git a/docs/resources/edges/website-contributor.mdx b/docs/resources/edges/website-contributor.mdx
index ba72123aa6..11fce2f8f7 100644
--- a/docs/resources/edges/website-contributor.mdx
+++ b/docs/resources/edges/website-contributor.mdx
@@ -3,9 +3,8 @@ title: AZWebsiteContributor
description: "The Website Contributor role grants full control of the target Function App or Web App. Full control of either of those types of resources allows for arbitrary command execution against the target resoruce."
---
-
-
-
+
+
## Abuse Info
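Review bot: the `description` frontmatter in the context line contains the typo "resoruce" (should be "resource"); since this is page metadata that surfaces in search and previews, fix it in this change.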
diff --git a/docs/resources/edges/write-account-restrictions.mdx b/docs/resources/edges/write-account-restrictions.mdx
index 912834b9d9..8968df57c7 100644
--- a/docs/resources/edges/write-account-restrictions.mdx
+++ b/docs/resources/edges/write-account-restrictions.mdx
@@ -2,9 +2,8 @@
title: WriteAccountRestrictions
---
-
-
-
+
+
This edge indicates the principal has the ability to modify several properties on the target principal, most notably the msDS-AllowedToActOnBehalfOfOtherIdentity attribute. The ability to modify the msDS-AllowedToActOnBehalfOfOtherIdentity property allows an attacker to abuse resource-based constrained delegation to compromise the remote computer system. This property is a binary DACL that controls what security principals can pretend to be any domain user to the particular computer object.
@@ -12,18 +11,18 @@ This clip demonstrates how to abuse this edge:
-Abuse Info[](#h_01HETHXTS5T30JA6XYAKPMW08G)
--------------------------------------------
+Abuse Info
+----------
See the AllowedToAct edge section for abuse info
-Opsec Considerations[](#h_01HETHXTS59KV2D82SX61Z7ADG)
------------------------------------------------------
+Opsec Considerations
+--------------------
See the AllowedToAct edge section for opsec considerations
-References[](#h_01HETHXTS5DGQJEB1BMGESNZSZ)
--------------------------------------------
+References
+----------
* [https://attack.mitre.org/techniques/T1098/](https://attack.mitre.org/techniques/T1098/)
* [https://dirkjanm.io/abusing-forgotten-permissions-on-precreated-computer-objects-in-active-directory/](https://dirkjanm.io/abusing-forgotten-permissions-on-precreated-computer-objects-in-active-directory/)
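Review bot: "See the AllowedToAct edge section for abuse info" and "See the AllowedToAct edge section for opsec considerations" are cross-references that should link to the AllowedToAct page rather than name it in plain text, and both sentences are missing their terminal period.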
diff --git a/docs/resources/edges/write-dacl.mdx b/docs/resources/edges/write-dacl.mdx
index f91db346bb..0fef6351e0 100644
--- a/docs/resources/edges/write-dacl.mdx
+++ b/docs/resources/edges/write-dacl.mdx
@@ -2,14 +2,13 @@
title: WriteDacl
---
-
-
-
+
+
With write access to the target object’s DACL, you can grant yourself any privilege you want on the object.
-Abuse Info[](#h_01HM2CH96APS2E6T2092J4CRR8)
--------------------------------------------
+Abuse Info
+-----------
With the ability to modify the DACL on the target object, you can grant yourself almost any privilege against the object you wish.
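Review bot: the new underline for "Abuse Info" is 11 dashes under a 10-character heading; match the length as done in the other edge pages in this diff (or use `## Abuse Info`).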
@@ -61,8 +60,8 @@ Add-DomainObjectAcl -TargetIdentity (OU GUID) -Rights All
Then add a new ACE to the OU that inherits down to child objects to take over those child objects.
-Opsec Considerations[](#h_01HM2CH96B67RT53RDDN20Z9R9)
------------------------------------------------------
+Opsec Considerations
+---------------------
When using the PowerView functions, keep in mind that PowerShell v5 introduced several security mechanisms that make it much easier for defenders to see what’s going on with PowerShell in their network, such as script block logging and AMSI. You can bypass those security mechanisms by downgrading to PowerShell v2, which all PowerView functions support.
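Review bot: same length mismatch here, "Opsec Considerations" (20 characters) over 21 dashes; trim to 20 to match the sync-laps-password and write-gp-link hunks in this diff.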
@@ -70,8 +69,8 @@ Modifying permissions on an object will generate 4670 and 4662 events on the dom
Additional opsec considerations depend on the target object and how to take advantage of this privilege.
-References[](#h_01HM2CH96B42XD736RMHC41Q0Q)
--------------------------------------------
+References
+-----------
* [https://github.com/PowerShellMafia/PowerSploit/blob/dev/Recon/PowerView.ps1](https://github.com/PowerShellMafia/PowerSploit/blob/dev/Recon/PowerView.ps1)
* [https://www.youtube.com/watch?v=z8thoG7gPd0](https://www.youtube.com/watch?v=z8thoG7gPd0)
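Review bot: "References" (10 characters) is underlined with 11 dashes; the other files in this change use 10, so this one should too.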
diff --git a/docs/resources/edges/write-gp-link.mdx b/docs/resources/edges/write-gp-link.mdx
index 9f2dd9f36f..109a138a62 100644
--- a/docs/resources/edges/write-gp-link.mdx
+++ b/docs/resources/edges/write-gp-link.mdx
@@ -2,9 +2,8 @@
title: WriteGPLink
---
-
-
-
+
+
The WriteGPLink edge indicates that the principal has the permissions to modify the gPLink attribute of the targeted OU/domain node.
@@ -14,8 +13,8 @@ Successful exploitation will require the possibility to add non-existing DNS rec
Alternatively, the ability to modify the gPLink attribute can be exploited in conjunction with write permissions on a GPO. In such a situation, an attacker could first inject a malicious scheduled task in the controlled GPO, and then link the GPO to the target through its gPLink attribute, making all child users and computers apply the malicious GPO and execute arbitrary commands.
-Abuse Info[](#heading-1)
-------------------------
+Abuse Info
+----------
### Windows abuse
@@ -29,13 +28,13 @@ From a Linux machine, the WriteGPLink permission may be abused using the [OUned.
Be mindful of the number of users and computers that are in the given domain as they all will attempt to fetch and apply the malicious GPO.
-Opsec Considerations[](#heading-2)
-----------------------------------
+Opsec Considerations
+--------------------
The present attack vector relies on the execution of a malicious Group Policy Object. In case some objects in the target Organizational Unit are unable to apply said Group Policy Object (for instance, because these objects cannot reach the attacker's machine in the internal network), events related to failed GPO application will be created. Furthermore, the execution of this attack will result in the modification of the gPLink property of the target Organizational Unit. The property should be reset to its original value after attack execution to avoid detection and ensure the OU child items can apply their legitimate Group Policy Objects again.
-References[](#heading-3)
-------------------------
+References
+----------
This edge is related to the following MITRE ATT&CK technique:
diff --git a/docs/resources/edges/write-owner.mdx b/docs/resources/edges/write-owner.mdx
index 98722c907d..a2a14892df 100644
--- a/docs/resources/edges/write-owner.mdx
+++ b/docs/resources/edges/write-owner.mdx
@@ -2,9 +2,8 @@
title: WriteOwner
---
-
-
-
+
+
Object owners retain the ability to modify object security descriptors, regardless of permissions on the object’s DACL.
@@ -13,8 +12,8 @@ This clip shows an example of abusing this edge:
-Abuse Info[](#heading-1)
-------------------------
+Abuse Info
+----------
To change the ownership of the object, you may use the Set-DomainObjectOwner function in PowerView.
@@ -31,8 +30,8 @@ Set-DomainObjectOwner -Credential $Cred -TargetIdentity "Domain Admins" -OwnerId
```
Now, with ownership of the object, you may modify the DACL of the object however you wish. For more information about that, see the WriteDacl edge section.
-Opsec Considerations[](#heading-2)
-----------------------------------
+Opsec Considerations
+--------------------
This depends on the target object and how to take advantage of this privilege.
@@ -40,7 +39,7 @@ When using the PowerView functions, keep in mind that PowerShell v5 introduced s
Modifying permissions on an object will generate 4670 and 4662 events on the domain controller that handled the request.
-References[](#heading-3)
-------------------------
+References
+----------
* [https://www.youtube.com/watch?v=z8thoG7gPd0](https://www.youtube.com/watch?v=z8thoG7gPd0)
diff --git a/docs/resources/edges/write-pki-enrollment-flag.mdx b/docs/resources/edges/write-pki-enrollment-flag.mdx
index ea0dda96f6..957b62576e 100644
--- a/docs/resources/edges/write-pki-enrollment-flag.mdx
+++ b/docs/resources/edges/write-pki-enrollment-flag.mdx
@@ -2,24 +2,23 @@
title: WritePKIEnrollmentFlag
---
-
-
-
+
+
The attacker principal has the ability to write to the msPKI-Enrollment-Flag attribute on the victim principal, which allows the attacker principal to configure "manager approval" for the certificate template and other settings.
-Abuse Info[](#h_01HPHZJSTFS46D4BFVYAB25KTE)
--------------------------------------------
+Abuse Info
+----------
This relationship alone is not enough to perform a privilege escalation or impersonation primitive. This relationship may contribute to other relationships and attributes, from which an escalation opportunity may emerge.
-Opsec Considerations[](#heading-2)
-----------------------------------
+Opsec Considerations
+--------------------
When an attacker abuses a privilege escalation or impersonation primitive that relies on this relationship, it will necessarily result in the issuance of a certificate. A copy of the issued certificate will be saved on the host that issued the certificate.
-References[](#heading-3)
-------------------------
+References
+----------
This edge is related to the following MITRE ATT&CK tactic and techniques:
diff --git a/docs/resources/edges/write-pki-name-flag.mdx b/docs/resources/edges/write-pki-name-flag.mdx
index de75449272..a4bdde2899 100644
--- a/docs/resources/edges/write-pki-name-flag.mdx
+++ b/docs/resources/edges/write-pki-name-flag.mdx
@@ -2,24 +2,23 @@
title: WritePKINameFlag
---
-
-
-
+
+
The attacker principal has the ability to write to the msPKI-Certificate-Name-Flag attribute on the victim principal, which allows the attacker principal to configure "enrollee supplies subject" for the certificate template and other settings.
-Abuse Info[](#h_01HPHZJSTFS46D4BFVYAB25KTE)
--------------------------------------------
+Abuse Info
+----------
This relationship alone is not enough to perform a privilege escalation or impersonation primitive. This relationship may contribute to other relationships and attributes, from which an escalation opportunity may emerge.
-Opsec Considerations[](#heading-2)
-----------------------------------
+Opsec Considerations
+--------------------
When an attacker abuses a privilege escalation or impersonation primitive that relies on this relationship, it will necessarily result in the issuance of a certificate. A copy of the issued certificate will be saved on the host that issued the certificate.
-References[](#heading-3)
-------------------------
+References
+----------
This edge is related to the following MITRE ATT&CK tactic and techniques:
diff --git a/docs/resources/edges/write-spn.mdx b/docs/resources/edges/write-spn.mdx
index febeafff59..b661abb85b 100644
--- a/docs/resources/edges/write-spn.mdx
+++ b/docs/resources/edges/write-spn.mdx
@@ -2,9 +2,8 @@
title: WriteSPN
---
-
-
-
+
+
The ability to write directly to the servicePrincipalNames attribute on a user object. Writing to this property gives you the opportunity to perform a targeted kerberoasting attack against that user.
diff --git a/docs/resources/glossary/overview.mdx b/docs/resources/glossary/overview.mdx
index 19ca9f65b1..d1c82e2bd9 100644
--- a/docs/resources/glossary/overview.mdx
+++ b/docs/resources/glossary/overview.mdx
@@ -2,9 +2,8 @@
title: "BloodHound Glossary"
---
-
-
-
+
+
Understand the terminology used in BloodHound software and documentation.
diff --git a/docs/resources/legacy.mdx b/docs/resources/legacy.mdx
new file mode 100644
index 0000000000..98ceea4d88
--- /dev/null
+++ b/docs/resources/legacy.mdx
@@ -0,0 +1,7 @@
+---
+title: Legacy BloodHound
+---
+
+Legacy BloodHound is no longer maintained.
+
+For the Legacy BloodHound documentation, go to https://bloodhound.readthedocs.io/en/latest.
\ No newline at end of file
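Review bot: the new legacy.mdx lacks a trailing newline ("\ No newline at end of file"); add one so the file matches the rest of the docs tree. The bare URL on the last line should also be a Markdown link, `[Legacy BloodHound documentation](https://bloodhound.readthedocs.io/en/latest)`, to match how every other page in this diff references external resources.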
diff --git a/docs/resources/nodes/ad-local-group.mdx b/docs/resources/nodes/ad-local-group.mdx
index 26e41e8ccd..ba26fa31e4 100644
--- a/docs/resources/nodes/ad-local-group.mdx
+++ b/docs/resources/nodes/ad-local-group.mdx
@@ -2,12 +2,7 @@
title: ADLocalGroup
---
-
-
-
-
-
-
+
This article outlines the ADLocalGroup node in BloodHound, it describes the node's properties and possible incoming/outgoing edges.
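Review bot: the context line is a comma splice, "This article outlines the ADLocalGroup node in BloodHound, it describes the node's properties ..."; split it with a semicolon or period ("... in BloodHound. It describes ..."). The same pattern appears in the ad-local-user, az-base, base and issuance-policy hunks of this diff and could be fixed in one pass.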
diff --git a/docs/resources/nodes/ad-local-user.mdx b/docs/resources/nodes/ad-local-user.mdx
index c7dcef6d76..847fc6e1ac 100644
--- a/docs/resources/nodes/ad-local-user.mdx
+++ b/docs/resources/nodes/ad-local-user.mdx
@@ -3,12 +3,7 @@ title: ADLocalUser
description: "This article outlines the ADLocalUser node in BloodHound, it describes the node's properties and possible incoming/outgoing edges"
---
-
-
-
-
-
-
+
## Representation
diff --git a/docs/resources/nodes/az-app.mdx b/docs/resources/nodes/az-app.mdx
index c48cd9d53c..5835ad32ae 100644
--- a/docs/resources/nodes/az-app.mdx
+++ b/docs/resources/nodes/az-app.mdx
@@ -2,9 +2,7 @@
title: AZApp
---
-
-
-
+
## Node properties
diff --git a/docs/resources/nodes/az-automation-account.mdx b/docs/resources/nodes/az-automation-account.mdx
index 75de92ca48..164a095376 100644
--- a/docs/resources/nodes/az-automation-account.mdx
+++ b/docs/resources/nodes/az-automation-account.mdx
@@ -2,9 +2,7 @@
title: AZAutomationAccount
---
-
-
-
+
## Node properties
diff --git a/docs/resources/nodes/az-base.mdx b/docs/resources/nodes/az-base.mdx
index ffe91cfa8e..daeacad23c 100644
--- a/docs/resources/nodes/az-base.mdx
+++ b/docs/resources/nodes/az-base.mdx
@@ -2,13 +2,7 @@
title: AZBase
---
-
-
-
-
-
-
-
+
This article outlines the AZBase node in BloodHound, it describes the node's properties and possible incoming/outgoing edges.
diff --git a/docs/resources/nodes/az-container-registry.mdx b/docs/resources/nodes/az-container-registry.mdx
index 26ff48fc24..10ca488eac 100644
--- a/docs/resources/nodes/az-container-registry.mdx
+++ b/docs/resources/nodes/az-container-registry.mdx
@@ -2,9 +2,7 @@
title: AZContainerRegistry
---
-
-
-
+
## Node properties
diff --git a/docs/resources/nodes/az-device.mdx b/docs/resources/nodes/az-device.mdx
index 7a60ea7ad0..9e57adf07f 100644
--- a/docs/resources/nodes/az-device.mdx
+++ b/docs/resources/nodes/az-device.mdx
@@ -2,9 +2,7 @@
title: AZDevice
---
-
-
-
+
## Node properties
diff --git a/docs/resources/nodes/az-function-app.mdx b/docs/resources/nodes/az-function-app.mdx
index 8add981e6d..954eb770b1 100644
--- a/docs/resources/nodes/az-function-app.mdx
+++ b/docs/resources/nodes/az-function-app.mdx
@@ -2,9 +2,7 @@
title: AZFunctionApp
---
-
-
-
+
## Node properties
diff --git a/docs/resources/nodes/az-group.mdx b/docs/resources/nodes/az-group.mdx
index 293c6424a8..c970038f1f 100644
--- a/docs/resources/nodes/az-group.mdx
+++ b/docs/resources/nodes/az-group.mdx
@@ -2,9 +2,7 @@
title: AZGroup
---
-
-
-
+
## Node properties
The node supports the properties of the table below.
diff --git a/docs/resources/nodes/az-key-vault.mdx b/docs/resources/nodes/az-key-vault.mdx
index eb85b055f6..4d630eaaa4 100644
--- a/docs/resources/nodes/az-key-vault.mdx
+++ b/docs/resources/nodes/az-key-vault.mdx
@@ -2,9 +2,7 @@
title: AZKeyVault
---
-
-
-
+
## Node properties
diff --git a/docs/resources/nodes/az-logic-app.mdx b/docs/resources/nodes/az-logic-app.mdx
index e6468060ec..bc68056f67 100644
--- a/docs/resources/nodes/az-logic-app.mdx
+++ b/docs/resources/nodes/az-logic-app.mdx
@@ -2,9 +2,7 @@
title: AZLogicApp
---
-
-
-
+
## Node properties
diff --git a/docs/resources/nodes/az-managed-cluster.mdx b/docs/resources/nodes/az-managed-cluster.mdx
index 4916ffb852..f8a4904404 100644
--- a/docs/resources/nodes/az-managed-cluster.mdx
+++ b/docs/resources/nodes/az-managed-cluster.mdx
@@ -2,9 +2,7 @@
title: AZManagedCluster
---
-
-
-
+
## Node properties
diff --git a/docs/resources/nodes/az-management-group.mdx b/docs/resources/nodes/az-management-group.mdx
index 2d7d8f05de..05d5282857 100644
--- a/docs/resources/nodes/az-management-group.mdx
+++ b/docs/resources/nodes/az-management-group.mdx
@@ -2,9 +2,7 @@
title: AZManagementGroup
---
-
-
-
+
## Node properties
diff --git a/docs/resources/nodes/az-resource-group.mdx b/docs/resources/nodes/az-resource-group.mdx
index 35a4582f9a..bc63f4517d 100644
--- a/docs/resources/nodes/az-resource-group.mdx
+++ b/docs/resources/nodes/az-resource-group.mdx
@@ -2,9 +2,7 @@
title: AZResourceGroup
---
-
-
-
+
## Node properties
diff --git a/docs/resources/nodes/az-role.mdx b/docs/resources/nodes/az-role.mdx
index c4c8141c7f..cc0eca5ba2 100644
--- a/docs/resources/nodes/az-role.mdx
+++ b/docs/resources/nodes/az-role.mdx
@@ -2,9 +2,7 @@
title: AZRole
---
-
-
-
+
## Node properties
diff --git a/docs/resources/nodes/az-service-principal.mdx b/docs/resources/nodes/az-service-principal.mdx
index b8c3587038..f0ed3c0049 100644
--- a/docs/resources/nodes/az-service-principal.mdx
+++ b/docs/resources/nodes/az-service-principal.mdx
@@ -2,9 +2,7 @@
title: AZServicePrincipal
---
-
-
-
+
## Node properties
diff --git a/docs/resources/nodes/az-subscription.mdx b/docs/resources/nodes/az-subscription.mdx
index 57a68e4fb7..dd7b01725e 100644
--- a/docs/resources/nodes/az-subscription.mdx
+++ b/docs/resources/nodes/az-subscription.mdx
@@ -2,9 +2,7 @@
title: AZSubscription
---
-
-
-
+
## Node properties
diff --git a/docs/resources/nodes/az-tenant.mdx b/docs/resources/nodes/az-tenant.mdx
index 7b47136b79..552bc8ec05 100644
--- a/docs/resources/nodes/az-tenant.mdx
+++ b/docs/resources/nodes/az-tenant.mdx
@@ -2,9 +2,7 @@
title: AZTenant
---
-
-
-
+
## Node properties
diff --git a/docs/resources/nodes/az-user.mdx b/docs/resources/nodes/az-user.mdx
index 9fe990b264..2fc5535f6a 100644
--- a/docs/resources/nodes/az-user.mdx
+++ b/docs/resources/nodes/az-user.mdx
@@ -2,9 +2,7 @@
title: AZUser
---
-
-
-
+
## Node properties
diff --git a/docs/resources/nodes/az-vm-scale-set.mdx b/docs/resources/nodes/az-vm-scale-set.mdx
index f73ed19161..f6e3365fb0 100644
--- a/docs/resources/nodes/az-vm-scale-set.mdx
+++ b/docs/resources/nodes/az-vm-scale-set.mdx
@@ -2,9 +2,7 @@
title: AZVMScaleSet
---
-
-
-
+
## Node properties
diff --git a/docs/resources/nodes/az-vm.mdx b/docs/resources/nodes/az-vm.mdx
index 38958bd092..4557eae757 100644
--- a/docs/resources/nodes/az-vm.mdx
+++ b/docs/resources/nodes/az-vm.mdx
@@ -2,9 +2,7 @@
title: AZVM
---
-
-
-
+
## Node properties
diff --git a/docs/resources/nodes/az-web-app.mdx b/docs/resources/nodes/az-web-app.mdx
index 4b45e60ad2..8e92a79b80 100644
--- a/docs/resources/nodes/az-web-app.mdx
+++ b/docs/resources/nodes/az-web-app.mdx
@@ -2,9 +2,7 @@
title: AZWebApp
---
-
-
-
+
## Node Properties
diff --git a/docs/resources/nodes/base.mdx b/docs/resources/nodes/base.mdx
index 758fa53af3..ef26ff5225 100644
--- a/docs/resources/nodes/base.mdx
+++ b/docs/resources/nodes/base.mdx
@@ -3,9 +3,7 @@ title: Base
description: "This article outlines the Base node in BloodHound, it describes the node's properties and possible incoming/outgoing edges."
---
-
-
-
+
## Representation
diff --git a/docs/resources/nodes/computer.mdx b/docs/resources/nodes/computer.mdx
index 4b63dbd57d..8821a39ebf 100644
--- a/docs/resources/nodes/computer.mdx
+++ b/docs/resources/nodes/computer.mdx
@@ -2,9 +2,7 @@
title: Computer
---
-
-
-
+
## Node properties
diff --git a/docs/resources/nodes/container.mdx b/docs/resources/nodes/container.mdx
index fcfeae82a1..e161ea323a 100644
--- a/docs/resources/nodes/container.mdx
+++ b/docs/resources/nodes/container.mdx
@@ -2,9 +2,7 @@
title: Container
---
-
-
-
+
## Node properties
diff --git a/docs/resources/nodes/domain.mdx b/docs/resources/nodes/domain.mdx
index 915cda3089..0af4589cd0 100644
--- a/docs/resources/nodes/domain.mdx
+++ b/docs/resources/nodes/domain.mdx
@@ -2,9 +2,7 @@
title: Domain
---
-
-
-
+
## Node Properties
diff --git a/docs/resources/nodes/gpo.mdx b/docs/resources/nodes/gpo.mdx
index 8c65150eb4..ec947236d1 100644
--- a/docs/resources/nodes/gpo.mdx
+++ b/docs/resources/nodes/gpo.mdx
@@ -2,9 +2,7 @@
title: GPO
---
-
-
-
+
## Node properties
diff --git a/docs/resources/nodes/group.mdx b/docs/resources/nodes/group.mdx
index 87d46128ce..14f348ce67 100644
--- a/docs/resources/nodes/group.mdx
+++ b/docs/resources/nodes/group.mdx
@@ -2,9 +2,7 @@
title: Group
---
-
-
-
+
## Node properties
The node supports the properties of the table below.
diff --git a/docs/resources/nodes/issuance-policy.mdx b/docs/resources/nodes/issuance-policy.mdx
index 0e743cc1a5..3cc94c6e12 100644
--- a/docs/resources/nodes/issuance-policy.mdx
+++ b/docs/resources/nodes/issuance-policy.mdx
@@ -3,9 +3,7 @@ title: IssuancePolicy
description: "This article outlines the IssuancePolicy node in BloodHound, it describes what the node represents, the node's properties, and possible incoming/outgoing edges."
---
-
-
-
+
## Representation
diff --git a/docs/resources/nodes/ou.mdx b/docs/resources/nodes/ou.mdx
index 6094f09a1e..2f96de0335 100644
--- a/docs/resources/nodes/ou.mdx
+++ b/docs/resources/nodes/ou.mdx
@@ -2,9 +2,7 @@
title: OU
---
-
-
-
+
## Node properties
diff --git a/docs/resources/nodes/overview.mdx b/docs/resources/nodes/overview.mdx
index 7acb6c664b..7d9e907f69 100644
--- a/docs/resources/nodes/overview.mdx
+++ b/docs/resources/nodes/overview.mdx
@@ -2,9 +2,7 @@
title: About BloodHound Nodes
---
-
-
-
+
Nodes represent principals and other objects in the directory. BloodHound stores certain information about each node on the node itself in the neo4j database, and the GUI automatically performs several queries to gather insights about the node, such as how privileged the node is, or which GPOs apply to the node, etc. Simply click the node in the BloodHound GUI, and the "Node Info" tab will populate with all that information for the node.
diff --git a/docs/resources/nodes/user.mdx b/docs/resources/nodes/user.mdx
index 06ddfcc852..df1d944306 100644
--- a/docs/resources/nodes/user.mdx
+++ b/docs/resources/nodes/user.mdx
@@ -2,9 +2,7 @@
title: User
---
-
-
-
+
## Node properties
The node supports the properties of the table below.
diff --git a/docs/resources/overview.mdx b/docs/resources/overview.mdx
index da04641e73..4da53216f5 100644
--- a/docs/resources/overview.mdx
+++ b/docs/resources/overview.mdx
@@ -1,5 +1,6 @@
---
title: Resources
+description: Access comprehensive documentation about BloodHound graph components, terminology definitions, release information, and how to get help.
---
diff --git a/docs/resources/release-notes/overview.mdx b/docs/resources/release-notes/overview.mdx
index bba7ff1553..1ac531a4e1 100644
--- a/docs/resources/release-notes/overview.mdx
+++ b/docs/resources/release-notes/overview.mdx
@@ -1,15 +1,12 @@
---
title: BloodHound Release Notes
-description: Stay up to date with the latest features, enhancements, bug fixes, and known issues in each release of BloodHound.
+description: Stay informed about new features, enhancements, bug fixes, and known issues for each BloodHound release.
mode: wide
sidebarTitle: Overview
---
-
-
-
-
-
-
+
+
+
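Review bot: this hunk leaves three consecutive blank lines after the frontmatter where the edge pages in the same diff keep two and the node pages keep one; collapse to a single blank line so the release-notes overview matches the convention chosen for the rest of the change.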