-
Notifications
You must be signed in to change notification settings - Fork 0
Excluded Relationships
Escalation paths can include hundreds of relationship types. Most are structural BloodHound edges or duplicates of an attack already reported by a dedicated check, so they're filtered out by default to keep path output readable.
The list lives in [EXCLUSIONS] excluded_relationships in config.ini. Bootstrap (the first run that writes the file) populates it with 43 audited defaults. To restore an edge to path output, remove it from this list and re-run.
-
Key absent — built-in defaults are used. Existing configs without an
[EXCLUSIONS]section keep working unchanged. -
Key present and empty (
excluded_relationships =) — no exclusions; every edge in the graph appears in paths. Noisier but complete. - Key present with values — the listed edges are excluded verbatim, with no merge against the defaults. To customise, copy the bootstrap-written list and edit it.
The value is parsed by splitting on both commas and newlines, so any of these are valid:
[EXCLUSIONS]
excluded_relationships = Contains, LocalToComputer, Enroll
# or
excluded_relationships = Contains
LocalToComputer
Enroll
# or the bootstrap format (comma-and-newline)
excluded_relationships = Contains,
LocalToComputer,
EnrollDuplicates are collapsed case-insensitively (contains, Contains, CONTAINS count as one entry, first casing wins).
If your list ends up excluding every relationship the graph contains, escalation queries are skipped with a one-line notice on stdout rather than failing with a Cypher syntax error.
Editing [EXCLUSIONS] excluded_relationships affects path discovery — which feeds the text audit and the JSON output. The HTML client report has a second, independent suppression set in modules/client_report_generator.py (HasSession, TrustedBy, NTAuthStoreFor, IssuedSignedBy, EnrollOnBehalfOf) applied during rendering. Removing one of those five from [EXCLUSIONS] makes the edge visible in the text audit and JSON but not in HTML. Dedicated checks (ESC1/2/3/4/6/7/8/9, password audit, MSSQL/SCCM, Tier 0 session exposure) render independently of both filters.