Path Finder Search Strings

The Path Finder supports the following search primitives:

card_id:TEXT, order:NUM, target_id:TEXT, target:TEXT, foothold:TEXT,
host:TEXT, identity:TEXT, prize:TEXT, criticality:TEXT, bim:TEXT, os:TEXT

And the following unique keywords:

Keyword	Result
VulnToHighValue	Display paths starting with a vulnerability and resulting in the compromise of a high-value target
VulnToAzBuiltinsL5	Display paths starting with a vulnerability and resulting in the compromise of Azure's most privileged roles. ["Global Administrator", "Privileged Role Administrator", "Privileged Authentication Administrator", "Azure AD Joined Device Local Administrator"]
VulnToAzBuiltinsL4	Display paths starting with a vulnerability and resulting in the compromise of Azure's second most privileged roles - ["Application Administrator","Authentication Administrator","Authentication Policy Administrator","Azure DevOps Administrator","B2C IEF Keyset Administrator","Cloud Application Administrator","Cloud Device Administrator","Directory Synchronization Accounts","Exchange Administrator","External Identity Provider Administrator","Helpdesk Administrator","Hybrid Identity Administrator","Intune Administrator","Partner Tier1 Support","Partner Tier2 Support","Password Administrator","Security Administrator","Security Operator","User Administrator","Windows 365 Administrator"]
AnyToDomain	Display any path that results in the compromise of a Domain
VulnToDC	Display paths starting with a vulnerability that results in the compromise of a Domain Controller
VulnToEA	Display paths starting with a vulnerability that results in the compromise of an Enterprise Administrator
AuthUToHighValue	Display paths starting with an authentication compromise and resulting in the compromise of a high-value target
VulnToDA	Display paths starting with a vulnerability and resulting in compromise of Domain Admin
VulnToBIM	Display paths starting with a vulnerability and resulting in the compromise of a Business Impact Matrix prioritized device

Keyword

Result

VulnToHighValue

Display paths starting with a vulnerability and resulting in the compromise of a high-value target

VulnToAzBuiltinsL5

Display paths starting with a vulnerability and resulting in the compromise of Azure's most privileged roles. ["Global Administrator", "Privileged Role Administrator", "Privileged Authentication Administrator", "Azure AD Joined Device Local Administrator"]

VulnToAzBuiltinsL4

Display paths starting with a vulnerability and resulting in the compromise of Azure's second most privileged roles - ["Application Administrator","Authentication Administrator","Authentication Policy Administrator","Azure DevOps Administrator","B2C IEF Keyset Administrator","Cloud Application Administrator","Cloud Device Administrator","Directory Synchronization Accounts","Exchange Administrator","External Identity Provider Administrator","Helpdesk Administrator","Hybrid Identity Administrator","Intune Administrator","Partner Tier1 Support","Partner Tier2 Support","Password Administrator","Security Administrator","Security Operator","User Administrator","Windows 365 Administrator"]

AnyToDomain

Display any path that results in the compromise of a Domain

VulnToDC

Display paths starting with a vulnerability that results in the compromise of a Domain Controller

VulnToEA

Display paths starting with a vulnerability that results in the compromise of an Enterprise Administrator

AuthUToHighValue

Display paths starting with an authentication compromise and resulting in the compromise of a high-value target

VulnToDA

Display paths starting with a vulnerability and resulting in compromise of Domain Admin

VulnToBIM

Display paths starting with a vulnerability and resulting in the compromise of a Business Impact Matrix prioritized device

PreviousPath Finder NextImpact Matrix

Last updated 11 months ago