BloodHound MCP Server

by mwnickerson

Server Configuration

Describes the environment variables required to run the server.

| Name | Required | Description | Default |
| --- | --- | --- | --- |
| BLOODHOUND_DOMAIN | Yes | Your BloodHound instance domain (e.g., your-bloodhound-instance.domain.com) | |
| BLOODHOUND_TOKEN_ID | Yes | Your BloodHound API Token ID | |
| BLOODHOUND_TOKEN_KEY | Yes | Your BloodHound API Token Key | |

Capabilities

Features and capabilities supported by this server

| Capability | Details |
| --- | --- |
| tools | {"listChanged": false} |
| prompts | {"listChanged": false} |
| resources | {"subscribe": false, "listChanged": false} |
| experimental | {} |

Tools

Functions exposed to the LLM to take actions

Name | Description
get_domains
-
search_objects
Search for objects in the BloodHound database by name or Object ID. This is useful for finding specific objects when you don't know their exact ID. Args: query: Search text - can be a partial name, full name, or Object ID object_type: Optional filter by object type: - For Active Directory: User, Computer, Group, GPO, OU, Domain - For Azure: AZUser, AZGroup, AZDevice, etc. limit: Maximum number of results to return (default: 100) skip: Number of results to skip for pagination (default: 0)
get_users
Retrieves users from a specific domain in the Bloodhound database. Args: domain_id: The ID of the domain to query limit: Maximum number of users to return (default: 100) skip: Number of users to skip for pagination (default: 0)
get_groups
Retrieves groups from a specific domain in the Bloodhound database. Args: domain_id: The ID of the domain to query limit: Maximum number of groups to return (default: 100) skip: Number of groups to skip for pagination (default: 0)
get_computers
Retrieves computers from a specific domain in the Bloodhound database. Args: domain_id: The ID of the domain to query limit: Maximum number of computers to return (default: 100) skip: Number of computers to skip for pagination (default: 0)
get_security_controllers
Retrieves security principals that have control relationships over other objects in the domain. In Bloodhound terminology, a "controller" is any security principal (user, group, computer) that has some form of control relationship (like AdminTo, WriteOwner, GenericAll, etc.) over another security object in the domain. These are NOT domain controllers (AD servers), but rather represent control edges in the graph. These control relationships are key for identifying potential attack paths in the domain. Example controllers might include: - A user with AdminTo rights on a computer - A group with GenericAll rights over another group - A user with WriteOwner rights over another user Args: domain_id: The ID of the domain to query limit: Maximum number of control relationships to return (default: 100) skip: Number of control relationships to skip for pagination (default: 0)
get_gpos
Retrieves Group Policy Objects (GPOs) from a specific domain in the Bloodhound database. GPOs are containers for policy settings that can be applied to users and computers in Active Directory. These can be abused for persistence and privilege escalation and are key in identifying GPO-related edges. Args: domain_id: The ID of the domain to query limit: Maximum number of GPOs to return (default: 100) skip: Number of GPOs to skip for pagination (default: 0)
get_ous
Retrieves Organizational Units (OUs) from a specific domain in the Bloodhound database. OUs are containers within a domain that can hold users, groups, computers, and other OUs. These are key in understanding the structure of the domain. Args: domain_id: The ID of the domain to query limit: Maximum number of OUs to return (default: 100) skip: Number of OUs to skip for pagination (default
get_dc_syncers
Retrieves security principals (users, groups, computers) that are given the "GetChanges" and "GetChangesAll" permissions on the domain. The security principals are therefore able to perform a DCSync attack. They are great targets for lateral movement or privilege escalation or domain compromise. Args: domain_id: The ID of the domain to query limit: Maximum number of DC Syncers to return (default: 100) skip: Number of DC Syncers to skip for pagination (default: 0)
get_foreign_admins
Retrieves foreign admins from a specific domain in the Bloodhound database. "Foreign Admins" are defined as security principals (users, groups, or computers) from one domain that have administrative privileges in another domain within the same forest. These are potential targets for lateral movement and privilege escalation as well as cross domain compromise. Args: domain_id: The ID of the domain to query limit: Maximum number of foreign admins to return (default: 100) skip: Number of foreign admins to skip for pagination (default: 0)
get_foreign_gpo_controllers
Retrieves foreign GPO controllers from a specific domain in the Bloodhound database. "Foreign GPO Controllers" are defined as security principals (users, groups, or computers) from one domain that have the ability to modify or control Group Policy Objects (GPOs) in another domain within the same forest. These are potential targets for lateral movement and privilege escalation as well as cross domain compromise. Args: domain_id: The ID of the domain to query limit: Maximum number of foreign GPO controllers to return (default: 100) skip: Number of foreign GPO controllers to skip for pagination (default: 0)
get_foreign_groups
Retrieves foreign groups from a specific domain in the Bloodhound database. "Foreign Groups" are defined as security groups from one domain that have members from another domain within the same forest. They represent cross-domain group memberships in Active Directory. These are potential targets for lateral movement and privilege escalation as well as cross domain compromise. Args: domain_id: The ID of the domain to query limit: Maximum number of foreign groups to return (default: 100) skip: Number of foreign groups to skip for pagination (default: 0)
get_foreign_users
Retrieves foreign users from a specific domain in the Bloodhound database. "Foreign Users" are defined as user accounts from one domain that are referenced in another domain within the same forest. These represent user accounts that have some form of relationship or access across domain boundaries. These are potential targets for lateral movement and privilege escalation as well as cross domain compromise. Args: domain_id: The ID of the domain to query limit: Maximum number of foreign users to return (default: 100) skip: Number of foreign users to skip for pagination (default: 0)
get_inbound_trusts
Retrieves inbound trusts from a specific domain in the Bloodhound database. "Inbound Trusts" are defined as trust relationships where the domain is the trusted domain and other domains trust it. These are potential targets for moving to other external domains or other domains within the forest. Args: domain_id: The ID of the domain to query limit: Maximum number of inbound trusts to return (default: 100) skip: Number of inbound trusts to skip for pagination (default: 0)
get_linked_gpos
Retrieves linked GPOs from a specific domain in the Bloodhound database. "Linked GPOs" are defined as Group Policy Objects that have been linked to or associated with specific Active Directory containers such as domains, organizational units (OUs), or sites. These are potential targets for moving laterally, elevating privileges, or maintaining persistence in the domain. Args: domain_id: The ID of the domain to query limit: Maximum number of linked GPOs to return (default: 100) skip: Number of linked GPOs to skip for pagination (default: 0)
get_outbound_trusts
Retrieves outbound trusts from a specific domain in the Bloodhound database. "Outbound Trusts" are defined as trust relationships where the domain trusts other domains. These are potential targets for accessing resources within another domain and may provide a path into the domain if the external one has weaker security. Args: domain_id: The ID of the domain to query limit: Maximum number of outbound trusts to return (default: 100) skip: Number of outbound trusts to skip for pagination (default: 0)
get_user_info
Retrieves information about a specific user in a specific domain. This provides a general overview of a user's information including their name, domain, and other attributes. It can be used to conduct reconnaissance and start formulating and targeting users within the domain. Args: user_id: The ID of the user to query
get_user_admin_rights
Retrieves the administrative rights of a specific user in the domain. Administrative rights are privileges that allow a user to perform administrative tasks on a Security Principal (user, group, or computer) in Active Directory. These rights can be abused in a variety of ways including lateral movement, persistence, and privilege escalation. Args: user_id: The ID of the user to query limit: Maximum number of administrative rights to return (default: 100) skip: Number of administrative rights to skip for pagination (default: 0)
get_user_constrained_delegation_rights
Retrieves the constrained delegation rights of a specific user within the domain. Constrained delegation rights allow a user to impersonate another user or service when communicating with a service on another computer. These rights can be abused for privilege escalation and lateral movement within the domain. Args: user_id: The ID of the user to query limit: Maximum number of constrained delegation rights to return (default: 100) skip: Number of constrained delegation rights to skip for pagination (default: 0)
get_user_controllables
Retrieves the Security Principals within the domain that a specific user has administrative control over in the domain. These are entities that the user can control and manipulate within the domain. These are potential targets for lateral movement, privilege escalation, and persistence. Args: user_id: The ID of the user to query limit: Maximum number of controllables to return (default: 100) skip: Number of controllables to skip for pagination (default: 0)
get_user_controllers
Retrieves the controllers of a specific user in the domain. Controllers are entities that have control over the specified user. This can be used to help identify paths to gain access to a specific user. Args: user_id: The ID of the user to query limit: Maximum number of controllers to return (default: 100) skip: Number of controllers to skip for pagination (default: 0)
get_user_dcom_rights
Retrieves the DCOM rights of a specific user within the domain. DCOM rights allow a user to communicate with COM objects on another computer in the network. These rights can be abused for privilege escalation and lateral movement within the domain. Args: user_id: The ID of the user to query limit: Maximum number of DCOM rights to return (default: 100) skip: Number of DCOM rights to skip for pagination (default: 0)
get_user_memberships
Retrieves the group memberships of a specific user within the domain. Group memberships are the groups that a user is a member of within the domain. These memberships can be used to identify potential targets for lateral movement and privilege escalation. Args: user_id: The ID of the user to query limit: Maximum number of memberships to return (default: 100) skip: Number of memberships to skip for pagination (default: 0)
get_user_ps_remote_rights
Retrieves the remote PowerShell rights of a specific user within the domain. Remote PowerShell rights allow a user to execute PowerShell commands on a remote computer. These rights can be abused for lateral movement and privilege escalation within the domain. Args: user_id: The ID of the user to query limit: Maximum number of remote PowerShell rights to return (default: 100) skip: Number of remote PowerShell rights to skip for pagination
get_user_rdp_rights
Retrieves the RDP rights of a specific user within the domain. RDP rights allow a user to remotely connect to another computer using the Remote Desktop Protocol. These rights can be abused for lateral movement and privilege escalation within the domain. Args: user_id: The ID of the user to query limit: Maximum number of RDP rights to return (default: 100) skip: Number of RDP rights to skip for pagination (default: 0)
get_user_sessions
Retrieves the active sessions of a specific user within the domain. Active sessions are the current sessions that a user has within the domain. These sessions can be used to identify potential targets for lateral movement and privilege escalation. It can also be used to identify and plan attack paths within the domain. Args: user_id: The ID of the user to query limit: Maximum number of sessions to return (default: 100) skip: Number of sessions to skip for pagination (default: 0)
get_user_sql_admin_rights
Retrieves the SQL administrative rights of a specific user within the domain. SQL administrative rights allow a user to perform administrative tasks on a SQL Server. These rights can be abused for lateral movement and privilege escalation within the domain. Args: user_id: The ID of the user to query limit: Maximum number of SQL administrative rights to return (default: 100) skip: Number of SQL administrative rights to skip for pagination (default: 0)
get_group_info
Retrieves information about a specific group in a specific domain. This provides a general overview of a group's information including their name, domain, and other attributes. It can be used to conduct reconnaissance and start formulating and targeting groups within the domain. Args: group_id: The ID of the group to query
get_group_admin_rights
Retrieves the administrative rights of a specific group in the domain. Administrative rights are privileges that allow a group to perform administrative tasks on a Security Principal (user, group, or computer) in Active Directory. These rights can be abused in a variety of ways including lateral movement, persistence, and privilege escalation. Args: group_id: The ID of the group to query limit: Maximum number of administrative rights to return (default: 100) skip: Number of administrative rights to skip for pagination (default: 0)
get_group_controllables
Retrieves the Security Principals within the domain that a specific group has administrative control over in the domain. These are entities that the group can control and manipulate within the domain. These are potential targets for lateral movement, privilege escalation, and persistence. Args: group_id: The ID of the group to query limit: Maximum number of controllables to return (default: 100) skip: Number of controllables to skip for pagination (default: 0)
get_group_controllers
Retrieves the controllers of a specific group in the domain. Controllers are entities that have control over the specified group. This can be used to help identify paths to gain access to a specific group. Args: group_id: The ID of the group to query limit: Maximum number of controllers to return (default: 100) skip: Number of controllers to skip for pagination (default: 0)
get_group_dcom_rights
Retrieves the DCOM rights of a specific group within the domain. DCOM rights allow a group to communicate with COM objects on another computer in the network. These rights can be abused for privilege escalation and lateral movement within the domain. Args: group_id: The ID of the group to query limit: Maximum number of DCOM rights to return (default: 100) skip: Number of DCOM rights to skip for pagination (default: 0)
get_group_members
Retrieves the members of a specific group within the domain. Group members are the users and groups that are members of the specified group. These memberships can be used to identify potential targets for lateral movement and privilege escalation. Args: group_id: The ID of the group to query limit: Maximum number of members to return (default: 100) skip: Number of members to skip for pagination (default: 0)
get_group_memberships
Retrieves the group memberships of a specific group within the domain. Group memberships are the groups that the specified group is a member of within the domain. These memberships can be used to identify potential targets for lateral movement and privilege escalation. Args: group_id: The ID of the group to query limit: Maximum number of memberships to return (default: 100) skip: Number of memberships to skip for pagination (default: 0)
get_group_ps_remote_rights
Retrieves the remote PowerShell rights of a specific group within the domain. Remote PowerShell rights allow a group to execute PowerShell commands on a remote computer. These rights can be abused for lateral movement and privilege escalation within the domain. Args: group_id: The ID of the group to query limit: Maximum number of remote PowerShell rights to return (default: 100) skip: Number of remote PowerShell rights to skip for pagination (default: 0)
get_group_rdp_rights
Retrieves the RDP rights of a specific group within the domain. RDP rights allow a group to remotely connect to another computer using the Remote Desktop Protocol. These rights can be abused for lateral movement and privilege escalation within the domain. Args: group_id: The ID of the group to query limit: Maximum number of RDP rights to return (default: 100) skip: Number of RDP rights to skip for pagination (default: 0)
get_group_sessions
Retrieves the active sessions of the members of a specific group within the domain. Active sessions are the current sessions that the members of this group have within the domain. These sessions can be used to identify potential targets for lateral movement and privilege escalation. Args: group_id: The ID of the group to query limit: Maximum number of sessions to return (default: 100) skip: Number of sessions to skip for pagination (default: 0)
get_computer_info
Retrieves information about a specific computer in a specific domain. This provides a general overview of a computer's information including their name, domain, and other attributes. It can be used to conduct reconnaissance and start formulating and targeting computers within the domain. Args: computer_id: The ID of the computer to query
get_computer_admin_rights
Retrieves the administrative rights of a specific computer in the domain. Administrative rights are privileges that allow a computer to perform administrative tasks on a Security Principal (user, group, or computer) in Active Directory. These rights can be abused in a variety of ways including lateral movement, persistence, and privilege escalation. Args: computer_id: The ID of the computer to query limit: Maximum number of administrative rights to return (default: 100) skip: Number of administrative rights to skip for pagination (default: 0)
get_computer_admin_users
Retrieves the administrative users of a specific computer in the domain. Administrative users are the users that have administrative access to the specified computer. These users can be used to identify potential targets for lateral movement and privilege escalation. Args: computer_id: The ID of the computer to query limit: Maximum number of administrative users to return (default: 100) skip: Number of administrative users to skip for pagination (default: 0)
get_computer_constrained_delegation_rights
Retrieves the constrained delegation rights of a specific computer within the domain. Constrained delegation rights allow a computer to impersonate another user or service when communicating with a service on another computer. These rights can be abused for privilege escalation and lateral movement within the domain. Args: computer_id: The ID of the computer to query limit: Maximum number of constrained delegation rights to return (default: 100) skip: Number of constrained delegation rights to skip for pagination (default: 0)
get_computer_constrained_users
Retrieves the constrained users of a specific computer in the domain. Constrained users are the users that have constrained delegation access to the specified computer. These users can be used to identify potential targets for lateral movement and privilege escalation. Args: computer_id: The ID of the computer to query limit: Maximum number of constrained users to return (default: 100) skip: Number of constrained users to skip for pagination (default: 0)
get_computer_controllables
Retrieves the Security Principals within the domain that a specific computer has administrative control over in the domain. These are entities that the computer can control and manipulate within the domain. These are potential targets for lateral movement, privilege escalation, and persistence. Args: computer_id: The ID of the computer to query limit: Maximum number of controllables to return (default: 100) skip: Number of controllables to skip for pagination (default: 0)
get_computer_controllers
Retrieves the controllers of a specific computer in the domain. Controllers are entities that have control over the specified computer. This can be used to help identify paths to gain access to a specific computer. Args: computer_id: The ID of the computer to query limit: Maximum number of controllers to return (default: 100) skip: Number of controllers to skip for pagination (default: 0)
get_computer_dcom_rights
Retrieves a list of security principals that a specific computer has the right to execute COM on. DCOM rights allow a computer to communicate with COM objects on another computer in the network. These rights can be abused for privilege escalation and lateral movement within the domain.
get_computer_dcom_users
Retrieves the users that have DCOM rights to a specific computer in the domain. DCOM rights allow a user to communicate with COM objects on another computer in the network. These rights can be abused for privilege escalation and lateral movement within the domain. Args: computer_id: The ID of the computer to query limit: Maximum number of DCOM rights to return (default: 100) skip: Number of DCOM rights to skip for pagination (default: 0)
get_computer_memberships
Retrieves the group memberships of a specific computer within the domain. Group memberships are the groups that the specified computer is a member of within the domain. These memberships can be used to identify potential targets for lateral movement and privilege escalation. Args: computer_id: The ID of the computer to query limit: Maximum number of memberships to return (default: 100) skip: Number of memberships to skip for pagination (default: 0)
get_computer_ps_remote_rights
Retrieves a list of hosts that this specific computer has the right to PS remote to. Remote PowerShell rights allow a computer to execute PowerShell commands on a remote computer. These rights can be abused for lateral movement and privilege escalation within the domain. Args: computer_id: The ID of the computer to query limit: Maximum number of remote PowerShell rights to return (default: 100) skip: Number of remote PowerShell rights to skip for pagination (default: 0)
get_computer_ps_remote_users
This retrieves the users that have PS remote rights to this specific computer in the domain. Remote PowerShell rights allow a user to execute PowerShell commands on a remote computer. These rights can be abused for lateral movement and privilege escalation within the domain. Args: computer_id: The ID of the computer to query limit: Maximum number of remote PowerShell rights to return (default: 100) skip: Number of remote PowerShell rights to skip for pagination (default: 0)
get_computer_rdp_rights
Retrieves a list of hosts that this specific computer has the right to RDP to. RDP rights allow a computer to remotely connect to another computer using the Remote Desktop Protocol. These rights can be abused for lateral movement and privilege escalation within the domain. Args: computer_id: The ID of the computer to query limit: Maximum number of RDP rights to return (default: 100) skip: Number of RDP rights to skip for pagination (default: 0)
get_computer_rdp_users
This retrieves the users that have RDP rights to this specific computer in the domain. RDP rights allow a user to remotely connect to another computer using the Remote Desktop Protocol. These rights can be abused for lateral movement and privilege escalation within the domain. Args: computer_id: The ID of the computer to query limit: Maximum number of RDP rights to return (default: 100) skip: Number of RDP rights to skip for pagination (default: 0)
get_computer_sessions
Retrieves the active sessions of a specific computer within the domain. Active sessions are the current sessions that a computer has within the domain. These sessions can be used to identify potential targets for lateral movement and privilege escalation. These sessions can also be used to formulate and inform on attack paths because if a user has an active session on a host their credentials are cached in memory. Args: computer_id: The ID of the computer to query limit: Maximum number of sessions to return (default: 100) skip: Number of sessions to skip for pagination (default: 0)
get_computer_sql_admin_rights
Retrieves the SQL administrative rights of a specific computer within the domain. SQL administrative rights allow a computer to perform administrative tasks on a SQL Server. These rights can be abused for lateral movement and privilege escalation within the domain. Args: computer_id: The ID of the computer to query limit: Maximum number of SQL administrative rights to return (default: 100) skip: Number of SQL administrative rights to skip for pagination (default: 0)
get_ou_info
Retrieves information about a specific OU in a specific domain. This provides a general overview of an OU's information including their name, domain, and other attributes. It can be used to conduct reconnaissance and start formulating and targeting OUs within the domain. Args: ou_id: The ID of the OU to query
get_ou_computers
Retrieves the computers within a specific OU in the domain. This can be used to identify potential targets for lateral movement and privilege escalation. Args: ou_id: The ID of the OU to query limit: Maximum number of computers to return (default: 100) skip: Number of computers to skip for pagination (default: 0)
get_ou_groups
Retrieves the groups within a specific OU in the domain. This can be used to identify potential targets for lateral movement and privilege escalation. Args: ou_id: The ID of the OU to query limit: Maximum number of groups to return (default: 100) skip: Number of groups to skip for pagination (default: 0)
get_ou_gpos
Retrieves the GPOs within a specific OU in the domain. This can be used to identify potential targets for lateral movement and privilege escalation. Args: ou_id: The ID of the OU to query limit: Maximum number of GPOs to return (default: 100) skip: Number of GPOs to skip for pagination (default: 0)
get_ou_users
Retrieves the users within a specific OU in the domain. This can be used to identify potential targets for lateral movement and privilege escalation. Args: ou_id: The ID of the OU to query limit: Maximum number of users to return (default: 100) skip: Number of users to skip for pagination (default: 0)
get_gpo_info
Retrieves information about a specific GPO in a specific domain. This provides a general overview of a GPO's information including their name, domain, and other attributes. It can be used to conduct reconnaissance and start formulating and targeting GPOs within the domain. Args: gpo_id: The ID of the GPO to query
get_gpo_computers
Retrieves the computers within a specific GPO in the domain. This can be used to identify potential targets for lateral movement and privilege escalation. Args: gpo_id: The ID of the GPO to query limit: Maximum number of computers to return (default: 100) skip: Number of computers to skip for pagination (default: 0)
get_gpo_controllers
Retrieves the controllers of a specific GPO in the domain. Controllers are entities that have control over the specified GPO. This can be used to help identify paths to gain access to a specific GPO. Args: gpo_id: The ID of the GPO to query limit: Maximum number of controllers to return (default: 100) skip: Number of controllers to skip for pagination (default: 0)
get_gpo_ous
Retrieves the OUs that are linked to a specific GPO in the domain. This can be used to identify potential targets for lateral movement and privilege escalation. Args: gpo_id: The ID of the GPO to query limit: Maximum number of OUs to return (default: 100) skip: Number of OUs to skip for pagination (default: 0)
get_gpo_tier_zeros
Retrieves the Tier 0 groups that are linked to a specific GPO in the domain. Tier 0 groups are the highest privileged groups in the domain and have access to all resources. This can be used to identify potential targets for lateral movement and privilege escalation. Args: gpo_id: The ID of the GPO to query limit: Maximum number of Tier 0 groups to return (default: 100) skip: Number of Tier 0 groups to skip for pagination (default: 0)
get_gpo_users
Retrieves the users within a specific GPO in the domain. This can be used to identify potential targets for lateral movement and privilege escalation. Args: gpo_id: The ID of the GPO to query limit: Maximum number of users to return (default: 100) skip: Number of users to skip for pagination (default: 0)
search_graph
Search for nodes in the Bloodhound graph by name. This function lets you find specific nodes in the graph based on a search query. Results are typically returned as matches on node names. Args: query: Search text to find nodes by name search_type: Type of search to perform - "fuzzy" (default) for approximate matches, "exact" for exact matches
get_shortest_path
Find the shortest path between two nodes in the Bloodhound graph. This is useful for attack path analysis, showing the most direct route between two security principals. The path will show all the intermediary nodes and the types of relationships connecting them. If this returns a 500 or 404 error, it is likely that the path does not exist within Bloodhound. Args: start_node: Object ID of the starting node (source) end_node: Object ID of the ending node (target) relationship_kinds: Optional comma-separated list of relationship types to include in the path
get_edge_composition
Analyze the components of a complex edge between two nodes. In Bloodhound, many high-level edges (like "HasPath" or "AdminTo") are composed of multiple individual relationships. This function reveals those underlying components. This is useful for understanding exactly how security principals are connected. Args: source_node: ID of the source node target_node: ID of the target node edge_type: Type of edge to analyze (e.g., "MemberOf", "AdminTo", "CanRDP")
get_relay_targets
Find valid relay targets for a given edge in the Bloodhound graph. Relay targets represent potential nodes that could be used to relay an attack or privilege escalation between two nodes. This is critical for advanced attack path planning. Args: source_node: ID of the source node target_node: ID of the target node edge_type: Type of edge (relationship) between the nodes
get_cert_template_info
Retrieves information about a specific Certificate Template. Certificate Templates define the properties and security settings for certificates that can be issued. They can be abused for privilege escalation if misconfigured. Args: template_id: The ID of the Certificate Template to query
get_cert_template_controllers
Retrieves the controllers of a specific Certificate Template. Controllers are security principals that can modify the Certificate Template or its properties. This is critical for identifying ESC2 vulnerabilities (vulnerable Certificate Template access control). Args: template_id: The ID of the Certificate Template to query limit: Maximum number of controllers to return (default: 100) skip: Number of controllers to skip for pagination (default: 0)
get_root_ca_info
Retrieves information about a specific Root Certificate Authority. Root CAs are the foundation of trust in a PKI infrastructure. Controlling a Root CA allows an attacker to issue trusted certificates. Args: ca_id: The ID of the Root CA to query
get_root_ca_controllers
Retrieves the controllers of a specific Root Certificate Authority. Controllers of a Root CA can compromise the entire PKI infrastructure. This is critical for identifying ESC4 and ESC5 attack paths. Args: ca_id: The ID of the Root CA to query limit: Maximum number of controllers to return (default: 100) skip: Number of controllers to skip for pagination (default: 0)
get_enterprise_ca_info
Retrieves information about a specific Enterprise Certificate Authority. Enterprise CAs issue certificates within the organization based on Certificate Templates. They are critical components in the Active Directory PKI infrastructure. Args: ca_id: The ID of the Enterprise CA to query
get_enterprise_ca_controllers
Retrieves the controllers of a specific Enterprise Certificate Authority. Controllers of an Enterprise CA can issue arbitrary certificates and potentially compromise the domain. This is critical for identifying ESC3 and ESC6 attack paths. Args: ca_id: The ID of the Enterprise CA to query limit: Maximum number of controllers to return (default: 100) skip: Number of controllers to skip for pagination (default: 0)
get_aia_ca_controllers
Retrieves the controllers of a specific AIA Certificate Authority. AIA (Authority Information Access) CAs provide additional trust information. Controllers of an AIA CA may be able to perform certificate-based attacks. Args: ca_id: The ID of the AIA CA to query limit: Maximum number of controllers to return (default: 100) skip: Number of controllers to skip for pagination (default: 0)
run_cypher_query
Run a custom Cypher query on the BloodHound Neo4j database. This tool properly interprets BloodHound's HTTP response codes: - 200: Query successful with results - 404: Query successful but no results found (NOT an error!) - 400: Query syntax error - 401/403: Authentication/permission issues - 5xx: Server errors Args: query: The Cypher query to execute include_properties: Whether to include node/edge properties in the response Returns: JSON response with graph data (nodes and edges) and execution metadata
interpret_cypher_result
Help interpret the results of a Cypher query for offensive security analysis. Args: query: The original Cypher query that was executed result_json: The JSON result from run_cypher_query Returns: Human-readable interpretation of what the results mean for security analysis
create_saved_query
Create a new saved Cypher query. Args: name: Name for the saved query query: The Cypher query to save Returns: JSON response with the created saved query data
list_saved_queries
List saved Cypher queries. Args: skip: Number of queries to skip for pagination limit: Maximum number of queries to return name: Filter by query name Returns: JSON response with list of saved queries

Prompts

Interactive templates invoked by user choice

Name | Description
bloodhound_assistant

Resources

Contextual data attached and managed by the client

| Name | Description |
| --- | --- |
| cypher_examples | Provides example Cypher queries for common BloodHound operations |
| cypher_patterns | Provides common patterns for BloodHound Cypher queries |

MCP directory API

We provide all the information about MCP servers via our MCP API.

curl -X GET 'https://glama.ai/api/mcp/v1/servers/mwnickerson/bloodhound_mcp'