I am currently doing some manual analysis of the data in a Neo4j database gathered with the BloodHound tool.
When doing manual queries, I can see a 'Base' type node that is not introduced in the BloodHound documentation.
MATCH (n) RETURN distinct labels(n)
returns:
["Base", "User"]
["Base", "Group"]
["Base"]
["Base", "Computer"]
["Base", "Domain"]
["Base", "GPO"]
["Base", "OU"]
When checking the properties of the Base nodes, they seem to take properties of other node types.
My question is what exactly are those 'Base' nodes? I tried to find this info in BloodHound and Neo4j documentation but with no success.
You can create nodes with multiple labels in the graph database. I am not familiar with BloodHound, but it might be adding an extra label called "Base" to nodes to distinguish its data from the existing ones, or there might be a good chance that there are several higher categories under which lower categories fall, e.g., "User", "Group", "Computer" ... fall under "Base". By doing MATCH (n:Base).... you are matching all the nodes under the "Base" category.
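An added example, not part of the original question or answer: three Cypher queries for inspecting the nodes from the question whose only label is Base. They use only built-in Cypher functions and assume nothing about BloodHound's property names; run them one at a time in Neo4j Browser or cypher-shell.

```cypher
// 1. How many nodes carry each label combination?
//    Shows how large the Base-only set is next to Base+User, Base+Group, ...
MATCH (n)
RETURN labels(n) AS labelSet, count(*) AS nodes
ORDER BY nodes DESC;

// 2. Nodes whose ONLY label is Base: which property keys do they have,
//    and on how many nodes does each key appear?
MATCH (n:Base)
WHERE size(labels(n)) = 1
UNWIND keys(n) AS key
RETURN key, count(*) AS nodes
ORDER BY nodes DESC;

// 3. Which relationship types touch Base-only nodes, and what kind of
//    node sits on the other end? Direction is ignored on purpose.
MATCH (n:Base)-[r]-(m)
WHERE size(labels(n)) = 1
RETURN type(r) AS relType, labels(m) AS otherLabels, count(*) AS edges
ORDER BY edges DESC;
```

Comparing the property keys from query 2 with those of the typed nodes shows which properties the Base-only nodes share with them.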