Skip to content

Excluded Relationships

danti1988 edited this page May 15, 2026 · 3 revisions

Excluded Relationships

Escalation paths can contain a lot of structural BloodHound edges. Some are useful for graph modelling but noisy in a report, and some are already covered by dedicated checks. ADPathfinder filters a default set of these relationships so path output stays readable.

The list lives in [EXCLUSIONS] excluded_relationships in config.ini. On first write, ADPathfinder bootstraps 43 audited defaults. To put an edge back into path output, remove it from the list and run the audit again.

Three States

  • Key absent - built-in defaults are used. Existing configs without an [EXCLUSIONS] section keep working.
  • Key present and empty (excluded_relationships =) - no relationships are excluded.
  • Key present with values - only the listed relationships are excluded. The values are not merged with the defaults.

If you want a custom list, start from the bootstrap-written list and edit it.

Parsing

The value is split on commas and newlines, so all of these are valid:

[EXCLUSIONS]
excluded_relationships = Contains, LocalToComputer, Enroll

# or
excluded_relationships = Contains
    LocalToComputer
    Enroll

# or the bootstrap format
excluded_relationships = Contains,
    LocalToComputer,
    Enroll

Duplicates are collapsed case-insensitively. If the list contains contains, Contains, and CONTAINS, ADPathfinder keeps the first spelling and treats them as one relationship type.

If filtering removes every relationship type in the graph, escalation queries are skipped with a one-line notice instead of failing with a Cypher syntax error.

HTML Report Scope

[EXCLUSIONS] excluded_relationships affects path discovery, which feeds the text audit and JSON output. The HTML client report has a second rendering-time suppression list in modules/client_report_generator.py:

  • HasSession
  • TrustedBy
  • NTAuthStoreFor
  • IssuedSignedBy
  • EnrollOnBehalfOf

Removing one of those five from [EXCLUSIONS] makes it visible in the text audit and JSON, but not in the HTML client report. Dedicated checks, including ADCS ESC checks, password audit checks, MSSQL/SCCM checks, and Tier 0 session exposure, render independently of both filters.

Clone this wiki locally