
Active Directory Attack Paths to Domain Admin

Attack paths chain AD misconfigurations together to reach Domain Admin. Learn how BloodHound maps these paths and how to eliminate them before attackers exploit them.


What Are Active Directory Attack Paths?

Active Directory attack paths are chains of relationships — group memberships, ACL permissions, GPO links, delegation configurations, Kerberoastable accounts — that connect a low-privileged attacker to Domain Admin. No single misconfiguration needs to be critical in isolation: what matters is whether they can be chained together.

Modern adversaries do not exploit individual vulnerabilities. They map the entire AD environment as a graph, identify the shortest path from their current position to Domain Admin, and follow that path — one hop at a time. Each hop exploits a different misconfiguration: a password they cracked, a group nesting path, an ACL they can abuse, or a certificate they forged.

This article covers the three most reliable path categories: ACL paths, GPO paths, and Kerberoasting paths to Domain Admin.


How Active Directory Attack Paths Work

Attack path analysis treats AD as a directed graph:

  • Nodes = users, computers, groups, GPOs, OUs, domains
  • Edges = relationships that can be abused (MemberOf, GenericAll, WriteDACL, GpLink, etc.)

Tools like BloodHound (open source) collect this graph data and use Neo4j to find shortest paths between any two nodes. An attacker running BloodHound from a compromised standard user account can visualize the entire path to Domain Admin in minutes — often finding paths that took years of accumulated misconfiguration to create.

Common Path Categories

Path Type           | Example Chain
--------------------|--------------------------------------------------------------------------
ACL to DA           | User A has GenericWrite over User B (DA member)
GPO to DA           | User A has GPO edit rights on a GPO linked to the Domain Controllers OU
Kerberoasting to DA | Service account is Kerberoastable AND is a DA member
Group nesting       | User A is in Group X, which is nested in Domain Admins
ADCS                | User A can enroll in a vulnerable template that allows DA impersonation

The Attack Chain

Step 1 - Collect AD Graph Data

# From Linux with valid credentials (USER is a placeholder for the collecting account)
bloodhound-python -u USER@corp.local -p password -ns 10.10.0.1 -d corp.local -c All --zip

# From Windows
.\SharpHound.exe -c All --zipfilename corp_bloodhound.zip

Step 2 - Find Shortest Paths to Domain Admin

In the BloodHound UI or Neo4j browser:

-- Shortest path from any enabled user to Domain Admins
-- (group names follow BloodHound's NAME@DOMAIN convention; an unbounded *1.. hop
--  count is correct but can be slow on large graphs, so bound it if the query hangs)
MATCH p=shortestPath((u:User {enabled:true})-[*1..]->(g:Group {name:"DOMAIN ADMINS@CORP.LOCAL"}))
RETURN p ORDER BY length(p) ASC LIMIT 10

-- Find all Kerberoastable users with a path to DA
-- (DISTINCT so a user with several paths is listed once)
MATCH (u:User {hasspn:true})-[*1..]->(g:Group {name:"DOMAIN ADMINS@CORP.LOCAL"})
RETURN DISTINCT u.name, u.pwdlastset

-- Find users with edit rights on GPOs linked to OUs
-- (GPLink runs from the GPO to the OU, so it is not part of the first leg)
MATCH p=(u:User)-[:GenericAll|GenericWrite|Owns|WriteDacl|WriteOwner*1..]->(g:GPO)-[:GPLink]->(c:OU)
WHERE c.blocksinheritance = false
RETURN p

Step 3 - Follow the Shortest Path

A typical real-world path:

  1. Attacker compromises jsmith (standard user) via phishing
  2. jsmith has GenericWrite over svc_deploy (left over from a project)
  3. svc_deploy is Kerberoastable with a 3-year-old password
  4. Attacker resets svc_deploy password via GenericWrite, or cracks it via Kerberoasting
  5. svc_deploy is a member of IT_Admins group
  6. IT_Admins is nested inside Domain Admins
  7. Full domain compromise — 4 hops, no exploits

Step 4 - Maintain Persistence

Once DA access is achieved, the attacker establishes persistence via Golden Ticket, new backdoor accounts, or ADCS certificate backdoors — ensuring they survive password resets and remediation attempts.


Detection

Detecting attack path traversal requires monitoring each individual hop — no single log entry reveals the full path.

Windows Event IDs

Event ID  | Source | Path Hop Detected
----------|--------|--------------------------------------------------
4769      | DC     | Kerberoasting — TGS request for an SPN
4662      | DC     | DCSync — replication rights exercised
4738      | DC     | Account modified — password reset via ACL abuse
4728/4756 | DC     | Group membership change — nesting path exploited
5136      | DC     | GPO modified — GPO path exploited

💡 Tip: Implement BloodHound in defensive mode (BloodHound CE or Plume). Run weekly graph collection and alert when new shortest paths to Domain Admin appear that did not exist in the previous scan.

SIEM Correlation Query

# Detect rapid sequential privilege-escalation events from the same account
# (field names follow Elastic Common Schema; the pipeline stage is written in a
#  generic stats/where form and maps onto your SIEM's aggregation syntax)
# Caveat: 4769 records the requesting account in TargetUserName, not
# SubjectUserName, so correlate that event on the requester field as well
event.code: ("4769" OR "4738" OR "4728" OR "5136") AND
@timestamp: [now-1h TO now]
| stats count() by winlog.event_data.SubjectUserName
| where count > 3
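The correlation above, as an added Python example that is not part of the original article or any SIEM product: it runs the same rule over a handful of constructed Windows Security events in ECS shape, slides a one-hour window over each account's hop events instead of fixing the window at "now-1h", and reads the actor of a 4769 from TargetUserName (the only principal field that event carries). Every event, account and threshold value below is constructed for the demonstration.

```python
"""Added example (not EtcSec code): correlate path-hop Event IDs per account
over a sliding one-hour window and report accounts that exceed the threshold."""
from collections import defaultdict
from datetime import datetime, timedelta

# Event IDs from the table above, mapped to the hop each one evidences.
HOP_EVENTS = {
    "4769": "Kerberoasting (TGS request for SPN)",
    "4738": "Account modified (ACL abuse / password reset)",
    "4728": "Member added to global group (nesting)",
    "4756": "Member added to universal group (nesting)",
    "5136": "Directory object modified (GPO edit)",
}
WINDOW = timedelta(hours=1)
THRESHOLD = 3  # the query's "count > 3"

# Constructed sample events (not real telemetry), ECS-style field names.
SAMPLE_EVENTS = [
    {"@timestamp": "2024-05-01T09:00:00Z", "event.code": "4769",
     "winlog.event_data": {"TargetUserName": "jsmith@CORP.LOCAL", "ServiceName": "svc_deploy"}},
    {"@timestamp": "2024-05-01T09:20:00Z", "event.code": "4738",
     "winlog.event_data": {"SubjectUserName": "jsmith", "TargetUserName": "svc_deploy"}},
    {"@timestamp": "2024-05-01T09:35:00Z", "event.code": "4728",
     "winlog.event_data": {"SubjectUserName": "jsmith", "TargetUserName": "IT_Admins"}},
    {"@timestamp": "2024-05-01T09:50:00Z", "event.code": "5136",
     "winlog.event_data": {"SubjectUserName": "jsmith", "ObjectClass": "groupPolicyContainer"}},
    {"@timestamp": "2024-05-01T08:00:00Z", "event.code": "4769",
     "winlog.event_data": {"TargetUserName": "bjones@CORP.LOCAL", "ServiceName": "MSSQLSvc/db01"}},
    {"@timestamp": "2024-05-01T11:30:00Z", "event.code": "4769",
     "winlog.event_data": {"TargetUserName": "bjones@CORP.LOCAL", "ServiceName": "http/web01"}},
    {"@timestamp": "2024-05-01T12:00:00Z", "event.code": "4738",
     "winlog.event_data": {"SubjectUserName": "bjones", "TargetUserName": "bjones"}},
    {"@timestamp": "2024-05-01T09:10:00Z", "event.code": "4624",  # logon, not a hop event
     "winlog.event_data": {"SubjectUserName": "jsmith"}},
]


def actor_of(event):
    """Acting account: SubjectUserName where present, otherwise TargetUserName
    (4769 only names the requester there). Realm suffix and case are normalised."""
    data = event["winlog.event_data"]
    name = data.get("SubjectUserName") or data.get("TargetUserName") or "unknown"
    return name.split("@")[0].lower()


def parse_ts(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def correlate(events, window=WINDOW, threshold=THRESHOLD):
    """Return {actor: {count, window_start, hops}} for every actor that has more
    than `threshold` hop events inside some window of length `window`."""
    per_actor = defaultdict(list)
    for event in events:
        code = str(event["event.code"])
        if code in HOP_EVENTS:
            per_actor[actor_of(event)].append((parse_ts(event["@timestamp"]), code))

    alerts = {}
    for actor, rows in per_actor.items():
        rows.sort()
        j = 0
        for i in range(len(rows)):
            j = max(j, i)
            # extend the window end while the next event is still within `window`
            while j + 1 < len(rows) and rows[j + 1][0] - rows[i][0] <= window:
                j += 1
            count = j - i + 1
            if count > threshold and count > alerts.get(actor, {}).get("count", 0):
                alerts[actor] = {
                    "count": count,
                    "window_start": rows[i][0].isoformat(),
                    "hops": sorted({HOP_EVENTS[code] for _, code in rows[i:j + 1]}),
                }
    return alerts


if __name__ == "__main__":
    for actor, detail in correlate(SAMPLE_EVENTS).items():
        print(f"{actor}: {detail['count']} hop events from {detail['window_start']}")
        for hop in detail["hops"]:
            print(f"  - {hop}")
```

In the sample data jsmith trips the rule (four distinct hop types in fifty minutes) while bjones, whose three events are spread over four hours, does not; reporting the distinct hop types alongside the count is what lets an analyst tell a genuine multi-hop traversal from one noisy service account.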

Remediation

💡 Quick Win: Run BloodHound on your environment today. The first scan almost always reveals at least one path to Domain Admin from a non-privileged account. Start with the shortest path and work outward.

1. Eliminate the Shortest Paths First

Run BloodHound and export the top 10 shortest paths to Domain Admin. For each path:

  • ACL edge: Remove the dangerous ACE from the object
  • Group nesting edge: Remove the group from the privileged group
  • Kerberoastable edge: Rotate the password or migrate to gMSA
  • GPO edge: Remove edit rights from the non-admin account

2. Implement Continuous Attack Path Monitoring

# Weekly BloodHound collection via scheduled task
# Native executables do not accept hashtable splatting, so the SharpHound
# switches are passed as an argument array instead
$sharpHoundArgs = @(
    '-c', 'All'
    '--zipfilename', "weekly_$(Get-Date -Format yyyyMMdd).zip"
    '--outputdirectory', 'C:\BloodHound\Collections'
)
& .\SharpHound.exe @sharpHoundArgs
# Compare with previous week's data and alert on new DA paths
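The graph model from "How Active Directory Attack Paths Work", the Step 2 shortest-path query, the Step 3 chain, the "remove the edge" remediation in step 1 and the week-over-week comparison in step 2 above, as one added Python example that is not part of the original article, BloodHound or EtcSec: a tiny typed graph is searched breadth-first for shortest paths to Domain Admins, each edge on a path is tested to see whether removing it actually breaks the path or merely reroutes it, and two snapshots are compared to report sources that gained a path. Every principal and edge below is constructed for the demonstration.

```python
"""Added example, not EtcSec or BloodHound code: Active Directory as a directed
graph of typed edges, shortest paths to Domain Admins, the edges whose removal
really breaks a path, and a week-over-week comparison that reports new paths."""
from collections import defaultdict, deque

DA = "DOMAIN ADMINS@CORP.LOCAL"  # target node, in BloodHound's NAME@DOMAIN style

# Week 1 snapshot (constructed): the Step 3 chain plus two ordinary memberships.
EDGES_WEEK1 = [
    ("JSMITH@CORP.LOCAL", "GenericWrite", "SVC_DEPLOY@CORP.LOCAL"),
    ("SVC_DEPLOY@CORP.LOCAL", "MemberOf", "IT_ADMINS@CORP.LOCAL"),
    ("IT_ADMINS@CORP.LOCAL", "MemberOf", DA),
    ("JSMITH@CORP.LOCAL", "MemberOf", "STAFF@CORP.LOCAL"),
    ("BJONES@CORP.LOCAL", "MemberOf", "STAFF@CORP.LOCAL"),
]
# Week 2 snapshot (constructed): someone granted STAFF WriteDacl on IT_ADMINS.
EDGES_WEEK2 = EDGES_WEEK1 + [("STAFF@CORP.LOCAL", "WriteDacl", "IT_ADMINS@CORP.LOCAL")]


def build_graph(edges):
    """Adjacency list: node -> [(edge type, target), ...]."""
    graph = defaultdict(list)
    for src, kind, dst in edges:
        graph[src].append((kind, dst))
    return graph


def shortest_path(graph, start, target):
    """Breadth-first search; returns [node, edge, node, ..., target] or None."""
    parent = {start: None}
    queue = deque([start])
    while queue:
        node = queue.popleft()
        if node == target:
            path = [node]
            while parent[node] is not None:
                prev_node, kind = parent[node]
                path += [kind, prev_node]
                node = prev_node
            return path[::-1]
        for kind, nxt in graph.get(node, ()):
            if nxt not in parent:
                parent[nxt] = (node, kind)
                queue.append(nxt)
    return None


def hops(path):
    """Number of edges in a path returned by shortest_path()."""
    return (len(path) - 1) // 2


def paths_to_da(edges, target=DA):
    """Shortest path to the target from every node that has one (what the
    Step 2 shortestPath query computes, here for all sources at once)."""
    graph = build_graph(edges)
    found = {}
    for src in sorted({s for s, _, _ in edges}):
        path = shortest_path(graph, src, target)
        if path:
            found[src] = path
    return found


def blocking_edges(edges, start, target=DA):
    """Edges on start's shortest path whose removal leaves NO path at all.
    Removing any other edge only reroutes the attacker, so these are the
    edges worth cutting first (remediation step 1)."""
    path = shortest_path(build_graph(edges), start, target)
    if not path:
        return []
    blocking = []
    for i in range(0, len(path) - 1, 2):
        edge = (path[i], path[i + 1], path[i + 2])
        remaining = [e for e in edges if e != edge]
        if shortest_path(build_graph(remaining), start, target) is None:
            blocking.append(edge)
    return blocking


def new_paths(previous_edges, current_edges, target=DA):
    """Sources that reach the target now but could not in the previous
    snapshot (the weekly comparison in remediation step 2)."""
    before = paths_to_da(previous_edges, target)
    after = paths_to_da(current_edges, target)
    return {src: path for src, path in after.items() if src not in before}


if __name__ == "__main__":
    for src, path in paths_to_da(EDGES_WEEK1).items():
        print(f"week 1, {hops(path)} edge(s): {' -> '.join(path)}")
    print("edges that break JSMITH's access in week 2:",
          blocking_edges(EDGES_WEEK2, "JSMITH@CORP.LOCAL"))
    for src, path in new_paths(EDGES_WEEK1, EDGES_WEEK2).items():
        print(f"NEW in week 2: {' -> '.join(path)}")
```

In week 1 all three edges of JSMITH's chain are single points of failure, so removing any one of them closes the path; in week 2 the new WriteDacl ACE gives STAFF a second route into IT_ADMINS, and only the IT_ADMINS-to-Domain-Admins nesting edge still breaks the path, which is exactly why the text recommends fixing the group-nesting edge rather than the first ACL you see. The snapshot comparison reports BJONES and STAFF as newly able to reach Domain Admins, the alert the weekly collection job is meant to raise.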

3. Prioritize Kerberoastable Accounts in DA Path

# Find all Kerberoastable accounts with any (direct or nested) membership in an admin group
# The LDAP_MATCHING_RULE_IN_CHAIN OID (1.2.840.113556.1.4.1941) resolves nested group
# membership server-side; the original MemberOf check only saw direct membership
Get-ADUser -Filter 'ServicePrincipalName -like "*"' -Properties PasswordLastSet |
    Where-Object {
        $dn = $_.DistinguishedName
        Get-ADGroup -LDAPFilter "(member:1.2.840.113556.1.4.1941:=$dn)" |
            Where-Object { $_.Name -match 'Admin' }
    } | Select-Object SamAccountName, PasswordLastSet
# Migrate these to gMSA accounts immediately

How EtcSec Detects This

EtcSec performs continuous attack path analysis across your entire AD graph, identifying all paths from low-privileged accounts to Domain Admin.

PATH_ACL_TO_DA maps every ACL-based path from standard users to Domain Admin, including multi-hop chains through intermediate objects.

PATH_GPO_TO_DA identifies paths where GPO edit rights on policies linked to Tier 0 OUs provide an indirect path to Domain Controller compromise.

PATH_KERBEROASTING_TO_DA flags Kerberoastable service accounts that have — directly or transitively — Domain Admin privileges, representing the single most common high-impact attack path in real environments.

ℹ️ Note: EtcSec continuously maps attack paths in your AD environment. Run a free audit to see your full attack surface from a graph perspective.

Review Priorities

Active Directory Attack Paths to Domain Admin should be handled as a real exposure inside your Active Directory estate, not as a single isolated setting. Start by defining the review perimeter: which privileged groups, service accounts, ACLs, GPO links, trusts, delegation settings, certificate templates, and admin workstations are affected, which business workflows depend on them, which privileges they expose, and which emergency exceptions were added over time. That scoping step prevents shallow remediation, because the technical symptom is often smaller than the operational blast radius. By documenting the full path from configuration to privilege, the team can prioritize changes that reduce risk quickly without breaking production access. This also creates a defensible baseline for later validation and gives leadership a clear explanation of why the issue matters now.

Adjacent Controls to Review

When attackers reach your Active Directory estate, they rarely stop at the first weak point. Around Active Directory Attack Paths to Domain Admin, they normally test whether the exposed path can be chained with stale privileged accounts, unsafe group nesting, excessive delegation, weak password settings, writable GPO paths, and inherited ACL abuse. That means defenders should review not just the headline weakness but every nearby dependency that turns access into persistence or privilege escalation. Confirm which identities, roles, permissions, and trust assumptions can be reused by a motivated operator. If a fix closes only one object while leaving adjacent privilege paths untouched, the effective risk barely changes. A disciplined review of chaining opportunities is what turns this article topic into a practical hardening exercise rather than a one-time checkbox.

Evidence and Telemetry to Pull

A strong response to Active Directory Attack Paths to Domain Admin needs evidence that can be reviewed by both engineering and detection teams. Pull Event IDs 4624, 4662, 4670, 4688, 4728, 4732, 4768, 4769, 5136, SYSVOL changes, and certificate or CA activity, compare recent changes with known maintenance windows, and isolate accounts or systems that changed behavior without a clear business reason. Use that evidence to answer three questions: when the risky path appeared, who can still use it, and whether similar exposure exists elsewhere in your Active Directory estate. Good telemetry review also helps you separate inherited technical debt from active misuse. That distinction matters, because the remediation plan for stale misconfiguration is different from the plan for a path that already shows attacker-like activity or repeated policy exceptions.

Adjacent Weaknesses Worth Reviewing

Very few environments contain Active Directory Attack Paths to Domain Admin alone. In practice, the same tenant or directory segment often contains stale privileged accounts, unsafe group nesting, excessive delegation, weak password settings, writable GPO paths, and inherited ACL abuse, and those neighboring weaknesses decide whether the issue is merely noisy or truly critical. Review shared owners, inherited permissions, duplicated exceptions, and long-lived administrative shortcuts. Check whether the same team approved similar risky patterns in multiple places, because repeated decisions usually point to a process gap rather than a single technical bug. This broader review prevents partial cleanup and gives you a better chance of removing the entire attack path. It also improves audit readiness, because the final state is easier to explain and easier to monitor over time.

Review this topic together with ACL Abuse and DCSync: The Silent Paths to Domain Admin, Dangerous Group Nesting: Hidden Paths to Domain Admin, Active Directory Trust Attacks: From Child Domain to Forest Root, GPO Misconfigurations: How Group Policy Becomes an Attack Vector, and Active Directory Monitoring: Security Event IDs That Matter. Those adjacent posts show how the same identity weaknesses usually chain together in a real assessment instead of appearing as isolated findings.

Using those references keeps the remediation discussion focused on the full attack path rather than a single control gap.

Validation Checklist

Before closing the review, rerun the same checks that exposed the issue and confirm the risky path no longer exists from the attacker perspective. Verify the relevant identities, privileges, inheritance paths, and compensating controls in production rather than only in staging or in documentation. Record the technical owner, the expected business dependency, and the evidence that shows the new configuration is both safer and operationally sustainable. That final validation step is what keeps the article grounded in how teams actually reduce identity risk.