-
Notifications
You must be signed in to change notification settings - Fork 0
Excluded Relationships
Escalation paths can contain a lot of structural BloodHound edges. Some are useful for graph modelling but noisy in a report, and some are already covered by dedicated checks. ADPathfinder filters a default set of these relationships so path output stays readable.
The list lives in [EXCLUSIONS] excluded_relationships in config.ini. On first write, ADPathfinder bootstraps 43 audited defaults. To put an edge back into path output, remove it from the list and run the audit again.
-
Key absent - built-in defaults are used. Existing configs without an
[EXCLUSIONS]section keep working. -
Key present and empty (
excluded_relationships =) - no relationships are excluded. - Key present with values - only the listed relationships are excluded. The values are not merged with the defaults.
If you want a custom list, start from the bootstrap-written list and edit it.
The value is split on commas and newlines, so all of these are valid:
[EXCLUSIONS]
excluded_relationships = Contains, LocalToComputer, Enroll
# or
excluded_relationships = Contains
LocalToComputer
Enroll
# or the bootstrap format
excluded_relationships = Contains,
LocalToComputer,
EnrollDuplicates are collapsed case-insensitively. If the list contains contains, Contains, and CONTAINS, ADPathfinder keeps the first spelling and treats them as one relationship type.
If filtering removes every relationship type in the graph, escalation queries are skipped with a one-line notice instead of failing with a Cypher syntax error.
[EXCLUSIONS] excluded_relationships affects path discovery, which feeds the text audit and JSON output. The HTML client report has a second rendering-time suppression list in modules/client_report_generator.py:
HasSessionTrustedByNTAuthStoreForIssuedSignedByEnrollOnBehalfOf
Removing one of those five from [EXCLUSIONS] makes it visible in the text audit and JSON, but not in the HTML client report. Dedicated checks, including ADCS ESC checks, password audit checks, MSSQL/SCCM checks, and Tier 0 session exposure, render independently of both filters.