๐ŸขActive DirectoryAttack PathsAdvancedPermissions

Active Directory Attack Paths: How Attackers Chain Misconfigurations to Domain Admin

Attack paths chain AD misconfigurations together to reach Domain Admin. Learn how BloodHound maps these paths and how to eliminate them before attackers exploit them.

EtcSec Security Team
6 min read

What Are Attack Paths to Domain Admin?

In Active Directory, attack paths are chains of relationships (group memberships, ACL permissions, GPO links, delegation configurations, Kerberoastable accounts) that connect a low-privileged attacker to Domain Admin. No single misconfiguration needs to be critical in isolation: what matters is whether they can be chained together.

Modern adversaries do not exploit individual vulnerabilities. They map the entire AD environment as a graph, identify the shortest path from their current position to Domain Admin, and follow that path, one hop at a time. Each hop exploits a different misconfiguration: a password they cracked, a group nesting path, an ACL they can abuse, or a certificate they forged.

This article covers the three most reliable path categories: ACL paths, GPO paths, and Kerberoasting paths to Domain Admin.


How It Works

Attack path analysis treats AD as a directed graph:

  • Nodes = users, computers, groups, GPOs, OUs, domains
  • Edges = relationships that can be abused (MemberOf, GenericAll, WriteDACL, GpLink, etc.)

Tools like BloodHound (open source) collect this graph data and use Neo4j to find shortest paths between any two nodes. An attacker running BloodHound from a compromised standard user account can visualize the entire path to Domain Admin in minutes, often finding paths that took years of accumulated misconfiguration to create.

Common Path Categories

Path Type            Example Chain
ACL to DA            User A has GenericWrite over User B (DA member)
GPO to DA            User A has GPO edit rights on a GPO linked to the Domain Controllers OU
Kerberoasting to DA  Service account is Kerberoastable AND is a DA member
Group nesting        User A is in Group X, which is nested in Domain Admins
ADCS                 User A can enroll in a vulnerable template that allows DA impersonation

The Attack Chain

Step 1 - Collect AD Graph Data

# From Linux with valid credentials
bloodhound-python -u [email protected] -p password -ns 10.10.0.1 -d corp.local -c All --zip

# From Windows
.\SharpHound.exe -c All --zipfilename corp_bloodhound.zip

Step 2 - Find Shortest Paths to Domain Admin

In the BloodHound UI or Neo4j browser:

// Shortest path from any enabled user to Domain Admins
// (BloodHound names groups NAME@DOMAIN in upper case; Cypher comments use //, not --)
MATCH p=shortestPath((u:User {enabled:true})-[*1..]->(g:Group {name:"DOMAIN ADMINS@CORP.LOCAL"}))
RETURN p ORDER BY length(p) ASC LIMIT 10

// Find all Kerberoastable users with a path to DA (DISTINCT: one row per user, not per path)
MATCH (u:User {hasspn:true})-[*1..]->(g:Group {name:"DOMAIN ADMINS@CORP.LOCAL"})
RETURN DISTINCT u.name, u.pwdlastset

// Find users with control over a GPO linked to the Domain Controllers OU
// (the GPO-to-OU edge is GpLink; relationship types are case-sensitive, and users never hold GpLink edges)
MATCH p=(u:User)-[:GenericAll|GenericWrite|Owns|WriteDacl|WriteOwner*1..]->(g:GPO)-[:GpLink]->(c:OU)
WHERE c.blocksinheritance = false AND c.name STARTS WITH "DOMAIN CONTROLLERS"
RETURN p

Step 3 - Follow the Shortest Path

A typical real-world path:

  1. Attacker compromises jsmith (standard user) via phishing
  2. jsmith has GenericWrite over svc_deploy (left over from a project)
  3. svc_deploy is Kerberoastable with a 3-year-old password
  4. Attacker resets svc_deploy password via GenericWrite, or cracks it via Kerberoasting
  5. svc_deploy is a member of IT_Admins group
  6. IT_Admins is nested inside Domain Admins
  7. Full domain compromise: 4 hops, no exploits

Step 4 - Maintain Persistence

Once DA access is achieved, the attacker establishes persistence via Golden Ticket, new backdoor accounts, or ADCS certificate backdoors, ensuring they survive password resets and remediation attempts.


Detection

Detecting attack path traversal requires monitoring each individual hop; no single log entry reveals the full path.

Windows Event IDs

Event ID    Source  Path Hop Detected
4769        DC      Kerberoasting: TGS request for SPN
4662        DC      DCSync: replication rights exercised
4738        DC      Account modified: password reset via ACL abuse
4728/4756   DC      Group membership change: nesting path exploited
5136        DC      GPO modified: GPO path exploited

💡 Tip: Implement BloodHound in defensive mode (BloodHound CE or Plume). Run weekly graph collection and alert when new shortest paths to Domain Admin appear that did not exist in the previous scan.

SIEM Correlation Query

// Detect rapid sequential privilege-escalation events from the same actor
// (ES|QL syntax for Elastic; adjust the index pattern and field names to your SIEM)
FROM logs-*
| WHERE @timestamp > NOW() - 1 hour AND event.code IN ("4769", "4738", "4728", "4756", "5136")
// 4769 has no SubjectUserName: the requesting account is in TargetUserName
| EVAL actor = CASE(event.code == "4769", winlog.event_data.TargetUserName, winlog.event_data.SubjectUserName)
| STATS hop_types = COUNT_DISTINCT(event.code), events = COUNT(*) BY actor
// a burst of one event type (4769 alone is routine) is not a path: require more than one hop kind
| WHERE hop_types >= 2 AND events > 3
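The correlation above expressed as detection logic you can run over sample events, as an added example that is not EtcSec's detection content. It keeps the per-hop event IDs from the table, adds the per-event filters a plain count threshold lacks (RC4 tickets for non-machine SPNs for 4769, replication control-access rights for 4662, and the TargetUserName/SubjectUserName actor split), and alerts only when one actor exercises more than one kind of hop inside the window. The events are constructed inline with the field names Winlogbeat carries under winlog.event_data; they are not a capture from a real domain controller.

```python
"""Correlate per-hop Windows events into a candidate attack-path traversal.

Added example, not EtcSec's or BloodHound's code. EVENTS is constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Hop that each event ID evidences (see the Event ID table).
HOP = {
    "4769": "kerberoast",
    "4662": "dcsync",
    "4738": "acl_password_reset",
    "4728": "group_membership",
    "4756": "group_membership",
    "5136": "gpo_modified",
}
# Control-access GUIDs for DS-Replication-Get-Changes and -Get-Changes-All;
# a 4662 exercising one of these is DCSync, any other 4662 is routine noise.
REPLICATION_GUIDS = (
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2",
)

# Constructed sample events (not real logs); keys mirror winlog.event_data.* fields.
EVENTS = [
    # benign: AES (0x12) tickets for a file server, requested by a normal user
    {"@timestamp": "2026-01-12T08:55:00", "event.code": "4769", "TargetUserName": "bwhite",
     "ServiceName": "FS01$", "TicketEncryptionType": "0x12"},
    {"@timestamp": "2026-01-12T09:05:00", "event.code": "4769", "TargetUserName": "bwhite",
     "ServiceName": "FS01$", "TicketEncryptionType": "0x12"},
    # hop 1: RC4 (0x17) ticket for the svc_deploy SPN, the Kerberoasting signature
    {"@timestamp": "2026-01-12T09:00:05", "event.code": "4769", "TargetUserName": "jsmith",
     "ServiceName": "svc_deploy", "TicketEncryptionType": "0x17"},
    # hop 2: jsmith resets svc_deploy's password via the leftover GenericWrite
    {"@timestamp": "2026-01-12T09:20:41", "event.code": "4738", "SubjectUserName": "jsmith",
     "TargetUserName": "svc_deploy"},
    # routine 4662 by a backup account with a placeholder (non-replication) GUID: ignored
    {"@timestamp": "2026-01-12T09:30:00", "event.code": "4662", "SubjectUserName": "backup_svc",
     "Properties": "{00000000-0000-0000-0000-000000000000}"},
    # hops 3 and 4: svc_deploy changes a group's membership, then exercises replication rights
    {"@timestamp": "2026-01-12T09:40:12", "event.code": "4728", "SubjectUserName": "svc_deploy",
     "TargetUserName": "IT_Admins"},
    {"@timestamp": "2026-01-12T09:45:30", "event.code": "4662", "SubjectUserName": "svc_deploy",
     "Properties": "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
]


def actor_of(event):
    """4769 has no SubjectUserName: the requesting account is TargetUserName.
    Every other event here names the actor in SubjectUserName."""
    if event["event.code"] == "4769":
        return event["TargetUserName"]
    return event["SubjectUserName"]


def is_path_hop(event):
    """Keep only the suspicious subset of the noisy event types."""
    code = event["event.code"]
    if code not in HOP:
        return False
    if code == "4769":
        service = event.get("ServiceName", "")
        return (event.get("TicketEncryptionType") == "0x17"
                and not service.endswith("$")
                and service.lower() != "krbtgt")
    if code == "4662":
        props = event.get("Properties", "").lower()
        return any(guid in props for guid in REPLICATION_GUIDS)
    return True


def correlate(events, window=timedelta(hours=1), min_hops=2):
    """Return {actor: [hop kinds]} for actors whose filtered events within
    `window` cover at least `min_hops` distinct hop kinds. A raw event count
    fires on 4769 bursts alone; distinct hop kinds do not."""
    per_actor = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["@timestamp"]):
        if is_path_hop(ev):
            per_actor[actor_of(ev)].append(
                (datetime.fromisoformat(ev["@timestamp"]), HOP[ev["event.code"]]))
    alerts = {}
    for actor, hops in per_actor.items():
        for i, (start, _) in enumerate(hops):
            kinds = []
            for ts, kind in hops[i:]:
                if ts - start > window:
                    break
                if kind not in kinds:
                    kinds.append(kind)
            if len(kinds) >= min_hops:
                alerts[actor] = kinds
                break
    return alerts


if __name__ == "__main__":
    for actor, kinds in correlate(EVENTS).items():
        print(f"ALERT {actor}: {' -> '.join(kinds)}")
```

On the constructed input the two alerts are jsmith (kerberoast, then ACL password reset) and svc_deploy (group membership change, then DCSync); bwhite's AES ticket requests and the backup account's routine 4662 never reach the correlation stage.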

Remediation

💡 Quick Win: Run BloodHound on your environment today. The first scan almost always reveals at least one path to Domain Admin from a non-privileged account. Start with the shortest path and work outward.

1. Eliminate the Shortest Paths First

Run BloodHound and export the top 10 shortest paths to Domain Admin. For each path:

  • ACL edge: Remove the dangerous ACE from the object
  • Group nesting edge: Remove the group from the privileged group
  • Kerberoastable edge: Rotate the password or migrate to gMSA
  • GPO edge: Remove edit rights from the non-admin account

2. Implement Continuous Attack Path Monitoring

# Weekly BloodHound collection, run from a scheduled task
# SharpHound is a native executable, so its flags go in an argument array;
# hashtable splatting (@params) only binds to PowerShell cmdlets and functions
$collectArgs = @(
    '--collectionmethods', 'All'
    '--zipfilename', "weekly_$(Get-Date -Format yyyyMMdd).zip"
    '--outputdirectory', 'C:\BloodHound\Collections\'
)
.\SharpHound.exe @collectArgs
# Compare with previous week's data and alert on new DA paths
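The graph model from "How It Works", the worked jsmith chain from Step 3, the per-edge actions under "Eliminate the Shortest Paths First", and the week-over-week comparison called for above, as one added example that is not EtcSec's product logic or BloodHound code. It builds a small directed graph, finds the shortest path to Domain Admins with a breadth-first search, turns each hop into the matching remediation, and diffs two collections so that only paths absent from the previous week are reported. The nodes and edges are constructed inline to mirror the chain above; node names follow BloodHound's NAME@DOMAIN convention and the hasspn flag stands in for the Kerberoastable property.

```python
"""Attack-path model on a small AD graph: BFS shortest path to Domain Admins,
a per-hop remediation plan, and a diff of two weekly collections.

Added example, not EtcSec's or BloodHound's code. NODES and the edge sets
are constructed to mirror jsmith -> svc_deploy -> IT_Admins -> Domain Admins.
"""
from collections import deque

DA = "DOMAIN ADMINS@CORP.LOCAL"

# Remediation per abusable edge kind (the actions from "Eliminate the Shortest Paths First").
ACL_FIX = "ACL edge: remove the dangerous ACE from the object"
REMEDIATION = {k: ACL_FIX for k in ("GenericAll", "GenericWrite", "WriteDacl", "WriteOwner", "Owns")}
REMEDIATION["MemberOf"] = "group nesting edge: remove the member from the privileged group"
REMEDIATION["GpLink"] = "GPO edge: remove edit rights on the linked GPO from the non-admin account"

# Constructed nodes: type, enabled flag and whether the account carries an SPN.
NODES = {
    "JSMITH@CORP.LOCAL": {"type": "User", "enabled": True, "hasspn": False},
    "BWHITE@CORP.LOCAL": {"type": "User", "enabled": True, "hasspn": False},
    "SVC_DEPLOY@CORP.LOCAL": {"type": "User", "enabled": True, "hasspn": True},
    "HELPDESK@CORP.LOCAL": {"type": "Group"},
    "IT_ADMINS@CORP.LOCAL": {"type": "Group"},
    DA: {"type": "Group"},
}

# Directed edges, source -> [(target, edge kind)], as collected last week.
LAST_WEEK = {
    "JSMITH@CORP.LOCAL": [("HELPDESK@CORP.LOCAL", "MemberOf")],
    "BWHITE@CORP.LOCAL": [("HELPDESK@CORP.LOCAL", "MemberOf")],
    "SVC_DEPLOY@CORP.LOCAL": [("IT_ADMINS@CORP.LOCAL", "MemberOf")],
    "IT_ADMINS@CORP.LOCAL": [(DA, "MemberOf")],
}
# This week a leftover GenericWrite ACE from jsmith over svc_deploy closes the chain.
THIS_WEEK = {src: list(dsts) for src, dsts in LAST_WEEK.items()}
THIS_WEEK["JSMITH@CORP.LOCAL"].append(("SVC_DEPLOY@CORP.LOCAL", "GenericWrite"))


def shortest_path(edges, start, target):
    """Breadth-first search over the directed graph. Returns the path as a list
    of (source, edge_kind, target) hops, or None when target is unreachable."""
    prev = {start: None}
    queue = deque([start])
    while queue:
        node = queue.popleft()
        if node == target:
            break
        for dst, kind in edges.get(node, []):
            if dst not in prev:
                prev[dst] = (node, kind)
                queue.append(dst)
    if target not in prev:
        return None
    hops, cur = [], target
    while prev[cur] is not None:
        src, kind = prev[cur]
        hops.append((src, kind, cur))
        cur = src
    hops.reverse()
    return hops


def remediation_plan(path, nodes):
    """One action per hop; a Kerberoastable account reached on the path also
    gets the rotate/gMSA action, since cracking its ticket is an alternative
    to abusing the ACL that leads to it."""
    actions = []
    for src, kind, dst in path:
        actions.append(f"{src} -[{kind}]-> {dst}: {REMEDIATION.get(kind, 'review this edge')}")
        if nodes.get(dst, {}).get("hasspn"):
            actions.append(f"{dst}: Kerberoastable edge: rotate the password or migrate to gMSA")
    return actions


def new_da_paths(old_edges, new_edges, nodes, target=DA):
    """Enabled users that reach `target` in the new collection but had no
    path in the old one: the set to alert on after each weekly run."""
    found = {}
    for name, attrs in nodes.items():
        if attrs.get("type") != "User" or not attrs.get("enabled"):
            continue
        if shortest_path(old_edges, name, target) is None:
            path = shortest_path(new_edges, name, target)
            if path is not None:
                found[name] = path
    return found


if __name__ == "__main__":
    for user, path in new_da_paths(LAST_WEEK, THIS_WEEK, NODES).items():
        print(f"NEW path to Domain Admins from {user} ({len(path)} edges)")
        for action in remediation_plan(path, NODES):
            print("  ", action)
```

svc_deploy already had a path last week (it is Kerberoastable and nested into Domain Admins), so the diff reports only jsmith; the plan for that path lists the ACE to remove, the service account to rotate or migrate, and the two group memberships to review. Against a real collection, replace the constructed dictionaries with the node and edge export from your BloodHound database.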

3. Prioritize Kerberoastable Accounts in DA Path

# Find all Kerberoastable accounts that are Domain Admins directly or through nested groups
# The matching rule OID 1.2.840.113556.1.4.1941 (LDAP_MATCHING_RULE_IN_CHAIN) resolves
# nested membership on the server, so the original direct-MemberOf check does not miss nesting
$daDN = (Get-ADGroup "Domain Admins").DistinguishedName
Get-ADUser -LDAPFilter "(&(servicePrincipalName=*)(memberOf:1.2.840.113556.1.4.1941:=$daDN))" `
    -Properties ServicePrincipalName, PasswordLastSet |
    Select-Object SamAccountName, PasswordLastSet, ServicePrincipalName
# Migrate these to gMSA accounts immediately

How EtcSec Detects This

EtcSec performs continuous attack path analysis across your entire AD graph, identifying all paths from low-privileged accounts to Domain Admin.

PATH_ACL_TO_DA maps every ACL-based path from standard users to Domain Admin, including multi-hop chains through intermediate objects.

PATH_GPO_TO_DA identifies paths where GPO edit rights on policies linked to Tier 0 OUs provide an indirect path to Domain Controller compromise.

PATH_KERBEROASTING_TO_DA flags Kerberoastable service accounts that have, directly or transitively, Domain Admin privileges, representing the single most common high-impact attack path in real environments.

ℹ️ Note: EtcSec continuously maps attack paths in your AD environment. Run a free audit to see your full attack surface from a graph perspective.


© 2026 EtcSec. All rights reserved.
