
AD Attack Path Mapper

Graph-Based Analysis • BloodHound • Attack Paths

Blue Team • Active Directory • BloodHound • Interactive

What is BloodHound?

BloodHound uses graph theory to visualize Active Directory relationships and uncover hidden attack paths. It maps users, groups, computers, ACLs, and session data to show how an attacker can escalate from compromised user to Domain Admin.

Data Collection (SharpHound)

  • User-to-Group memberships
  • Group-to-Computer local admin rights
  • Active user sessions (who's logged in where)
  • ACL permissions (GenericAll, WriteOwner, etc.)
  • Trust relationships between domains

Attack Path Analysis

  • Shortest path from User A → Domain Admin
  • Kerberoastable accounts (SPN set)
  • AS-REP Roastable accounts (no pre-auth)
  • Computers with unconstrained delegation
  • High-value targets (DCSync rights)

Common AD Attack Paths

1. Group Membership Escalation

User → Group → Local Admin → DA Session → Domain Admin

alice@corp.com (member of) → IT_Support (local admin on) → SRV-01 (has DA session) → Domain Admin

2. ACL Abuse (GenericAll)

User has GenericAll permission on another user → Reset password → Impersonate

bob@corp.com (GenericAll on) → helpdesk_admin@corp.com → Reset password → Add to Domain Admins

3. Kerberoasting Path

Service account with SPN → Request TGS → Offline crack → Service Admin rights

svc_backup@corp.com (SPN: MSSQLSvc) → Kerberoast → Crack hash → Backup Operators → DCSync

4. Unconstrained Delegation

Computer with unconstrained delegation → Force auth → Extract TGT → Impersonate

WEB-01 (unconstrained delegation) → Coerce DC auth (PrinterBug) → Extract DC TGT → DCSync

Defense & Hardening

Protective Measures:

  • Tier 0/1/2 Admin Model: Separate DA from workstation admins
  • Disable LLMNR/NBT-NS: Prevent credential relay attacks
  • Protected Users Group: Disable delegation for sensitive accounts
  • LAPS: Rotate local admin passwords automatically
  • Honey accounts: Fake admin accounts as tripwires

Common Misconfigurations:

  • Nested group memberships: Hidden paths to DA
  • GenericAll on Domain Admins group: Instant escalation
  • Service accounts in DA group: Kerberoast → DA
  • Unconstrained delegation on servers: TGT extraction risk
  • Stale user accounts: Forgotten admin accounts with access

Essential BloodHound Queries

Shortest Path to Domain Admin

MATCH (u:User {name:"ALICE@CORP.COM"}), (g:Group {name:"DOMAIN ADMINS@CORP.COM"}), p=shortestPath((u)-[*1..]->(g)) RETURN p

All Kerberoastable Accounts

MATCH (u:User) WHERE u.hasspn=true RETURN u.name, u.serviceprincipalnames

Computers with Unconstrained Delegation

MATCH (c:Computer) WHERE c.unconstraineddelegation=true RETURN c.name

Users with DCSync Rights

MATCH (n)-[:MemberOf|GetChanges*1..]->(d:Domain) WITH n, d MATCH (n)-[:MemberOf|GetChangesAll*1..]->(d) WITH n, d MATCH p=(n)-[:MemberOf|GetChanges|GetChangesAll*1..]->(d) RETURN p

Active Directory Graph

Visualize attack paths from compromised user to Domain Admin

alice@corp.com (Compromised) → IT_Support (Group) → SRV-01 (File Server) → admin@corp.com (DA Session) → Domain Admins (Target!)

Remediation Steps

  • Disable DA sessions on non-DC servers: Use Protected Users group to prevent credential caching
  • Implement Tier 0/1/2 model: Separate admin accounts for DCs, servers, and workstations
  • Use LAPS: Rotate local admin passwords automatically
  • Monitor for Mimikatz usage: EDR should alert on LSASS access
  • Limit IT_Support privileges: Use JIT access instead of permanent local admin
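
The following Python script is an added illustration, not part of this page or of the BloodHound project: it runs the same shortest-path search BloodHound performs over a small constructed edge list (using BloodHound's MemberOf, AdminTo and HasSession edge names and the alice → IT_Support → SRV-01 → admin session → Domain Admins path shown above), then lists the edges whose removal alone breaks every path. That choke-point view is how a defender decides which of the remediation steps above removes the most risk; the second group HELPDESK is a constructed addition so that one remediation is clearly more effective than another.

```python
from collections import deque

# Constructed sample graph of (source, edge_type, target) triples, using
# BloodHound's edge names. Two routes from ALICE reach SRV-01, so only the
# DA session and the final group membership are single points of failure.
EDGES = [
    ("ALICE@CORP.COM", "MemberOf", "IT_SUPPORT@CORP.COM"),
    ("IT_SUPPORT@CORP.COM", "AdminTo", "SRV-01.CORP.COM"),
    ("SRV-01.CORP.COM", "HasSession", "ADMIN@CORP.COM"),
    ("ADMIN@CORP.COM", "MemberOf", "DOMAIN ADMINS@CORP.COM"),
    ("ALICE@CORP.COM", "MemberOf", "HELPDESK@CORP.COM"),
    ("HELPDESK@CORP.COM", "AdminTo", "SRV-01.CORP.COM"),
]

def build_adjacency(edges):
    adj = {}
    for src, rel, dst in edges:
        adj.setdefault(src, []).append((rel, dst))
    return adj

def shortest_path(edges, start, goal):
    """BFS over directed edges; returns [(src, rel, dst), ...] or None."""
    adj = build_adjacency(edges)
    prev = {start: None}          # node -> (predecessor, edge_type)
    queue = deque([start])
    while queue:
        node = queue.popleft()
        if node == goal:
            path = []
            while prev[node] is not None:
                pred, rel = prev[node]
                path.append((pred, rel, node))
                node = pred
            return path[::-1]
        for rel, nxt in adj.get(node, []):
            if nxt not in prev:
                prev[nxt] = (node, rel)
                queue.append(nxt)
    return None

def choke_edges(edges, start, goal):
    """Edges whose removal alone leaves no path: the highest-value fixes."""
    return [e for e in edges
            if shortest_path([x for x in edges if x != e], start, goal) is None]

if __name__ == "__main__":
    target = "DOMAIN ADMINS@CORP.COM"
    for src, rel, dst in shortest_path(EDGES, "ALICE@CORP.COM", target):
        print(f"{src} -[{rel}]-> {dst}")
    print("choke points:", choke_edges(EDGES, "ALICE@CORP.COM", target))
```

Removing either group membership of alice leaves the other route intact, so the only actionable choke point is the DA session on SRV-01, which is exactly what the first remediation step targets.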
Copyright © 2025 JMFG. All rights reserved.