94%: Average enterprise AD environments with a path to Domain Admin from any user
Over 1,000: Median number of attack paths to Domain Admin in a 10,000-user AD environment
Over 90%: AD misconfigurations exploited in ransomware intrusions involving AD compromise
Under 20 minutes: Time to Domain Admin from a standard user account in a misconfigured AD

Active Directory attack path analysis is the practice of mapping privilege escalation routes through AD misconfigurations before attackers find them. In a default AD environment, a standard domain user account can often reach Domain Admin in under 20 minutes by chaining ACL misconfigurations, Kerberoastable service accounts, unconstrained delegation settings, and group membership anomalies. BloodHound visualizes these paths as a directed graph, making attack chains visible that are completely invisible in traditional AD permission reviews.

This guide covers the full workflow: deploying SharpHound or AzureHound to collect AD data, running BloodHound analysis to identify critical paths, understanding the most exploitable relationship types (GenericAll, WriteDACL, DCSync rights, unconstrained delegation), and prioritizing remediation by path severity.

BloodHound Data Collection: SharpHound Deployment and OPSEC

BloodHound Community Edition (BloodHound CE, the open-source release from SpecterOps that replaced the legacy BloodHound) uses SharpHound as its data collection agent. SharpHound enumerates AD objects, group memberships, ACLs, GPO links, trust relationships, session data, and local admin rights, then outputs JSON files for import into BloodHound's Neo4j graph database.

Running SharpHound:

# Standard collection (recommended for most environments)
Invoke-BloodHound -CollectionMethod All -OutputDirectory C:\Temp\

# Stealth collection (avoids session enumeration, which generates Event ID 4624)
Invoke-BloodHound -CollectionMethod DCOnly -OutputDirectory C:\Temp\

# Loop collection (captures session data over time for better coverage)
Invoke-BloodHound -CollectionMethod Session -Loop -LoopDuration 02:00:00

OPSEC considerations for defenders running internal assessments: SharpHound generates LDAP queries to domain controllers that are visible in DC LDAP query logs. In environments with advanced detection, run collection from a dedicated assessment machine with a service account that has minimal permissions. Use -CollectionMethod DCOnly first to collect structural data (GPOs, ACLs, groups) without triggering session enumeration alerts.

AzureHound for hybrid environments: If your AD syncs to Azure AD / Entra ID, run AzureHound alongside SharpHound. AzureHound collects Azure RBAC assignments, Entra ID group memberships, app role assignments, and conditional access policies. Import both datasets into BloodHound CE to see hybrid attack paths that span on-premises AD and Azure.

The Most Dangerous BloodHound Edges: What to Hunt First

BloodHound represents relationships between AD objects as edges. Not all edges are equally dangerous. Prioritize hunting for these edge types in order of exploitation difficulty (easiest first).

GenericAll / GenericWrite — Full control edges: GenericAll on a user object means any principal with that edge can reset the target's password, add them to groups, modify their attributes, and write their msDS-KeyCredentialLink attribute (enabling a Shadow Credentials attack). Find all paths where non-privileged groups (Domain Users, Authenticated Users) have GenericAll on privileged accounts.

BloodHound query:

MATCH (n:Group {name: "DOMAIN USERS@DOMAIN.LOCAL"})
MATCH (m:User)
WHERE NOT m.name ENDS WITH '$'
MATCH p=shortestPath((n)-[r:GenericAll|GenericWrite|WriteDACL|WriteOwner*1..]->(m))
RETURN p

Kerberoastable accounts with high privilege: Service accounts with SPNs registered are Kerberoastable — any domain user can request their TGS ticket and attempt offline password cracking. The vulnerability is the combination of SPN + weak password. BloodHound marks Kerberoastable accounts; filter for those with paths to privileged groups.

Unconstrained delegation: Computer objects with unconstrained delegation enabled cache TGTs for every user who authenticates to them. If an attacker compromises such a machine and a Domain Admin authenticates to it (via a Print Spooler coercion or RPC call), the attacker captures the DA TGT and can impersonate that user. BloodHound query:

MATCH (c:Computer {unconstraineddelegation: true}) RETURN c

DCSync rights: Accounts with Replicating Directory Changes and Replicating Directory Changes All permissions on the domain object can perform DCSync — requesting all password hashes from a DC without being on the DC itself. Find accounts with this right outside of Domain Admins and SYSTEM:

MATCH (n)-[:DCSync]->(d:Domain)
WHERE NOT (n)-[:MemberOf*1..]->(:Group {name: "DOMAIN ADMINS@DOMAIN.LOCAL"})
RETURN n.name, d.name

LAPS misconfigurations: In environments using Local Administrator Password Solution, the LAPS password attribute (ms-Mcs-AdmPwd) should only be readable by designated admin groups. BloodHound's ReadLAPSPassword edge shows which principals can read LAPS passwords for which computers.


Attack Path Prioritization: Tier 0, Tier 1, Tier 2 Assets

Not all attack paths are equally urgent. Prioritize remediation using a tiering model that reflects the blast radius of compromise.

Tier 0 — Crown jewels (remediate immediately): Objects whose compromise gives an attacker control over all of AD: Domain Controllers, the domain object itself, Domain Admin group members, Enterprise Admins, Schema Admins, the KRBTGT account, AdminSDHolder, AD replication paths. Any path from a non-Tier 0 principal to a Tier 0 asset is critical.

Tier 1 — High-value servers (remediate within 30 days): Objects that control large numbers of endpoints or sensitive data: PKI servers, ADFS infrastructure, privileged access workstations, backup servers, privileged identity management systems. Compromise of these allows lateral movement to Tier 0.

Tier 2 — Standard workstations and users (remediate within 90 days): Standard endpoints and user accounts. Attack paths that start at Tier 2 and reach Tier 0 in fewer than 3 hops should be treated as Tier 1 priority.

BloodHound shortest path queries by tier:

// Shortest paths from Domain Users to Domain Admins
// (allShortestPaths returns every path of minimum length; shortestPath returns only one, so LIMIT 10 would be pointless)
MATCH (n:Group {name: "DOMAIN USERS@DOMAIN.LOCAL"})
MATCH (m:Group {name: "DOMAIN ADMINS@DOMAIN.LOCAL"})
MATCH p=allShortestPaths((n)-[*1..]->(m))
RETURN p ORDER BY length(p) LIMIT 10

// Count of unique attack paths to Domain Admin
// (the hop bound is required: an unbounded [*1..] enumeration grows exponentially in a large graph and will not finish)
MATCH (n:Group {name: "DOMAIN USERS@DOMAIN.LOCAL"})
MATCH (m:Group {name: "DOMAIN ADMINS@DOMAIN.LOCAL"})
MATCH p=(n)-[*1..6]->(m)
RETURN count(p) AS PathCount
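To make the tiering rule concrete, here is an added Python example (not BloodHound's own code) that runs the same shortest-path and bounded path-count analysis over a small constructed edge list in SharpHound's (source, edge type, target) shape, and applies the page's rule that a Tier 2 start reaching Tier 0 in fewer than 3 hops is handled at Tier 1 priority. The CORP.LOCAL domain, the principals and the tier assignments are assumptions.

```python
from collections import deque

# Constructed BloodHound-style edges (source, edge type, target) for an assumed CORP.LOCAL domain.
EDGES = [
    ("DOMAIN USERS@CORP.LOCAL", "GenericWrite", "SVC_SQL@CORP.LOCAL"),
    ("SVC_SQL@CORP.LOCAL", "MemberOf", "SQL ADMINS@CORP.LOCAL"),
    ("SQL ADMINS@CORP.LOCAL", "WriteDACL", "BACKUP OPS@CORP.LOCAL"),
    ("BACKUP OPS@CORP.LOCAL", "AddMember", "DOMAIN ADMINS@CORP.LOCAL"),
    ("DOMAIN USERS@CORP.LOCAL", "GenericAll", "HELPDESK@CORP.LOCAL"),
    ("HELPDESK@CORP.LOCAL", "AddMember", "DOMAIN ADMINS@CORP.LOCAL"),
]
# Assumed tier assignments; anything not listed is Tier 2.
TIER = {"DOMAIN ADMINS@CORP.LOCAL": 0, "CORP.LOCAL": 0, "BACKUP OPS@CORP.LOCAL": 1}

def build_graph(edges):
    """Adjacency list: node -> [(edge type, target), ...]."""
    graph = {}
    for src, kind, dst in edges:
        graph.setdefault(src, []).append((kind, dst))
    return graph

def shortest_path(graph, start, goal):
    """BFS by hop count. Returns [node, edge, node, ..., node] or None."""
    queue, seen = deque([[start]]), {start}
    while queue:
        path = queue.popleft()
        if path[-1] == goal:
            return path
        for kind, nxt in graph.get(path[-1], []):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(path + [kind, nxt])
    return None

def count_paths(graph, start, goal, max_hops):
    """Count simple paths of at most max_hops edges; the bound keeps the
    enumeration finite, like the [*1..N] bound in the Cypher count query."""
    def walk(node, depth, visited):
        if node == goal:
            return 1
        if depth == max_hops:
            return 0
        return sum(walk(nxt, depth + 1, visited | {nxt})
                   for _, nxt in graph.get(node, []) if nxt not in visited)
    return walk(start, 0, {start})

def remediation_priority(path):
    """Page rule: a Tier 2 start reaching Tier 0 in fewer than 3 hops is
    handled at Tier 1 priority; otherwise the start's own tier applies."""
    start_tier, end_tier = TIER.get(path[0], 2), TIER.get(path[-1], 2)
    hops = (len(path) - 1) // 2
    return 1 if start_tier == 2 and end_tier == 0 and hops < 3 else start_tier

GRAPH = build_graph(EDGES)
if __name__ == "__main__":
    p = shortest_path(GRAPH, "DOMAIN USERS@CORP.LOCAL", "DOMAIN ADMINS@CORP.LOCAL")
    print(" -> ".join(p), "| priority: Tier", remediation_priority(p))
```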

Remediation Playbook: Breaking Attack Paths

Attack path remediation prioritizes breaking the highest-severity paths with the lowest operational impact. Use this sequenced approach.

Remove GenericAll / GenericWrite from broad groups

Export all ACEs where Domain Users, Authenticated Users, or Everyone has GenericAll/GenericWrite on user, computer, or group objects. These are almost always misconfiguration artifacts from application deployments or legacy scripted provisioning. Use AD ACL Scanner or ADACLScan.ps1 to enumerate and export all non-standard ACEs for review. Remove permissions that cannot be attributed to a documented business requirement.

Eliminate or tier Kerberoastable service accounts

Audit all accounts with SPNs registered: Get-ADUser -Filter {ServicePrincipalName -ne '$null'} -Properties ServicePrincipalName, PasswordLastSet, PasswordNeverExpires. For each: remove unnecessary SPNs (use SPN-less Kerberos for SQL via managed service accounts), migrate to group Managed Service Accounts (gMSA) which have 240-character auto-rotating passwords that are computationally infeasible to crack, and for remaining traditional service accounts enforce 25+ character complex passwords with 30-day rotation.

Disable unconstrained delegation on all non-DC systems

Run: Get-ADComputer -Filter {TrustedForDelegation -eq $true -and PrimaryGroupID -ne 516} -Properties TrustedForDelegation, PrimaryGroupID (primary group RID 516 is Domain Controllers, which hold the flag by design and are excluded here). For each result, evaluate whether unconstrained delegation is actually required. Replace with constrained delegation (specific allowed services) or resource-based constrained delegation where possible. For systems that genuinely require it (legacy Exchange in some configurations), implement compensating controls: dedicated network segment, additional monitoring.

Audit and restrict DCSync rights

Use: (Get-ACL 'AD:DC=domain,DC=local').Access | Where-Object {$_.ObjectType -eq '1131f6ad-9c07-11d1-f79f-00c04fc2dcd2'}. This filters for Replicating Directory Changes All permissions. Only Domain Controllers and explicitly authorized accounts (some backup products) should hold these rights. Remove all other principals and confirm with your AD backup vendor whether DCSync rights are genuinely required or whether their agent uses an alternative replication method.
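Added Python example (not from the page or any vendor tool) that applies the same GUID filter to a constructed list of ACEs shaped like the .Access entries Get-ACL returns, and adds the check the one-liner above omits: DCSync needs both DS-Replication-Get-Changes (1131f6aa-...) and DS-Replication-Get-Changes-All (1131f6ad-...), so a principal holding only one is reported as partial. The CORP domain, the ACEs and the allowlist are assumptions.

```python
# Control-access-right GUIDs from the AD schema (the second is the one in the Get-ACL filter above).
GET_CHANGES = "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2"      # DS-Replication-Get-Changes
GET_CHANGES_ALL = "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2"  # DS-Replication-Get-Changes-All

# Assumed allowlist for the example domain CORP: DCs, built-in admins, and one documented backup agent.
ALLOWED = {
    "CORP\\Domain Controllers", "CORP\\Enterprise Domain Controllers",
    "BUILTIN\\Administrators", "NT AUTHORITY\\SYSTEM", "CORP\\svc_adbackup",
}

# Constructed ACEs in the shape of (Get-ACL 'AD:DC=corp,DC=local').Access entries.
ACES = [
    {"IdentityReference": "CORP\\Domain Controllers", "ObjectType": GET_CHANGES,
     "ActiveDirectoryRights": "ExtendedRight", "AccessControlType": "Allow"},
    {"IdentityReference": "CORP\\Domain Controllers", "ObjectType": GET_CHANGES_ALL,
     "ActiveDirectoryRights": "ExtendedRight", "AccessControlType": "Allow"},
    {"IdentityReference": "CORP\\svc_legacyapp", "ObjectType": GET_CHANGES,
     "ActiveDirectoryRights": "ExtendedRight", "AccessControlType": "Allow"},
    {"IdentityReference": "CORP\\svc_legacyapp", "ObjectType": GET_CHANGES_ALL,
     "ActiveDirectoryRights": "ExtendedRight, GenericRead", "AccessControlType": "Allow"},
    {"IdentityReference": "CORP\\helpdesk-l2", "ObjectType": GET_CHANGES_ALL,
     "ActiveDirectoryRights": "ExtendedRight", "AccessControlType": "Allow"},
    {"IdentityReference": "CORP\\auditors", "ObjectType": GET_CHANGES_ALL,
     "ActiveDirectoryRights": "ExtendedRight", "AccessControlType": "Deny"},
]

def replication_rights(aces):
    """Map principal -> set of replication GUIDs granted by Allow ExtendedRight ACEs."""
    rights = {}
    for ace in aces:
        guid = ace["ObjectType"].lower()
        if (ace["AccessControlType"] == "Allow"
                and "ExtendedRight" in ace["ActiveDirectoryRights"]
                and guid in (GET_CHANGES, GET_CHANGES_ALL)):
            rights.setdefault(ace["IdentityReference"], set()).add(guid)
    return rights

def dcsync_findings(aces, allowed=ALLOWED):
    """Principals outside the allowlist holding replication rights: 'full' when
    both GUIDs are present (DCSync-capable), 'partial' when only one is."""
    findings = []
    for principal, guids in replication_rights(aces).items():
        if principal in allowed:
            continue
        status = "full" if guids == {GET_CHANGES, GET_CHANGES_ALL} else "partial"
        findings.append((principal, status))
    return sorted(findings)
```

Like the Get-ACL one-liner, this only sees explicit extended-right ACEs; a principal with GenericAll or WriteDACL on the domain object can grant itself the same rights, which is why those edges are hunted separately.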

Implement AdminSDHolder ACL hardening

AdminSDHolder is a template object in AD whose ACL is propagated to all protected groups and accounts every 60 minutes by SDProp. Attackers who gain write access to AdminSDHolder can grant themselves persistent DA-equivalent rights that survive manual ACL corrections. Audit AdminSDHolder ACLs regularly and restrict write access to Domain Admins only. Monitor for unexpected ACE additions on AdminSDHolder as a high-priority alert.

Enforce Protected Users security group for privileged accounts

Add all Tier 0 and Tier 1 accounts to the Protected Users security group. This group disables NTLM authentication, prevents Kerberos delegation, prevents caching of cleartext credentials, and enforces short Kerberos ticket lifetimes. It does not require GPO configuration — membership alone applies the protections. Test for application compatibility before bulk enrollment: some legacy applications require NTLM or Kerberos delegation and will break.

Continuous Attack Path Monitoring

BloodHound CE provides point-in-time analysis. Production environments change daily — new group memberships, new service accounts, new ACLs added by application deployments. Implement continuous monitoring to catch new attack paths as they emerge.

Scheduled SharpHound collection: Run SharpHound on a weekly schedule from a dedicated service account. Import fresh data into BloodHound CE and compare path counts between runs. A spike in paths to Tier 0 objects should trigger immediate investigation.

BloodHound Enterprise: SpecterOps offers BloodHound Enterprise as a commercial platform that runs continuous collection, tracks attack path count trends over time, assigns risk scores to individual paths, integrates with ticketing systems, and provides remediation workflow management. For organizations where AD security is a compliance requirement (FedRAMP, CMMC, PCI-DSS Requirement 8), the audit trail and continuous monitoring justify the commercial cost.

Alert on high-value ACE additions: Configure alerting on Windows Security Event ID 5136 (directory service object modification) for ACE additions on the following objects: the domain root object (DCSync rights), AdminSDHolder, all Tier 0 group objects, and all Domain Controller computer objects. ACE additions to these objects outside of change control windows should be treated as a security incident.
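As an added example (not from the page), here is Python detection logic over constructed 5136 event records that applies the alerting rule above: an nTSecurityDescriptor write on a watched object is an incident unless it falls inside an assumed change control window. Field names follow the 5136 event (ObjectDN, AttributeLDAPDisplayName, OperationType, where %%14674 is "Value Added"); the corp.local DNs, the account names and the window are assumptions.

```python
from datetime import datetime, time

# Objects from the page's alert list, as DNs for an assumed corp.local domain (compared case-insensitively).
WATCHED = {dn.lower() for dn in (
    "DC=corp,DC=local",                                  # domain root (DCSync rights)
    "CN=AdminSDHolder,CN=System,DC=corp,DC=local",
    "CN=Domain Admins,CN=Users,DC=corp,DC=local",        # Tier 0 group
    "CN=DC01,OU=Domain Controllers,DC=corp,DC=local",    # DC computer object
)}
# Assumed change control window: Saturdays 22:00-23:59 (weekday() 5 is Saturday).
WINDOW_DAY, WINDOW_START, WINDOW_END = 5, time(22, 0), time(23, 59)

def in_change_window(ts):
    return ts.weekday() == WINDOW_DAY and WINDOW_START <= ts.time() <= WINDOW_END

def is_ace_addition(ev):
    # A security-descriptor change logs a delete/add pair of 5136 events; %%14674 is "Value Added".
    return (ev["EventID"] == 5136
            and ev["AttributeLDAPDisplayName"].lower() == "ntsecuritydescriptor"
            and ev["OperationType"] == "%%14674")

def triage(events):
    """Return (severity, object DN, actor) for ACE additions on watched objects."""
    findings = []
    for ev in events:
        dn = ev["ObjectDN"].lower()
        if not is_ace_addition(ev) or dn not in WATCHED:
            continue
        ts = datetime.fromisoformat(ev["TimeCreated"])
        severity = "review" if in_change_window(ts) else "incident"
        findings.append((severity, dn, ev["SubjectUserName"]))
    return findings

# Constructed sample events: an off-hours AdminSDHolder change, an in-window domain-root
# change, the "Value Deleted" half of the first change, and a change on an unwatched object.
SAMPLE_EVENTS = [
    {"EventID": 5136, "TimeCreated": "2025-03-11T03:12:44", "SubjectUserName": "svc_deploy",
     "ObjectDN": "CN=AdminSDHolder,CN=System,DC=corp,DC=local",
     "AttributeLDAPDisplayName": "nTSecurityDescriptor", "OperationType": "%%14674"},
    {"EventID": 5136, "TimeCreated": "2025-03-15T22:30:05", "SubjectUserName": "adm.jsmith",
     "ObjectDN": "DC=corp,DC=local",
     "AttributeLDAPDisplayName": "nTSecurityDescriptor", "OperationType": "%%14674"},
    {"EventID": 5136, "TimeCreated": "2025-03-11T03:12:44", "SubjectUserName": "svc_deploy",
     "ObjectDN": "CN=AdminSDHolder,CN=System,DC=corp,DC=local",
     "AttributeLDAPDisplayName": "nTSecurityDescriptor", "OperationType": "%%14675"},
    {"EventID": 5136, "TimeCreated": "2025-03-12T10:00:00", "SubjectUserName": "adm.jsmith",
     "ObjectDN": "CN=app01,OU=Servers,DC=corp,DC=local",
     "AttributeLDAPDisplayName": "nTSecurityDescriptor", "OperationType": "%%14674"},
]
```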

The bottom line

Active Directory attack path analysis with BloodHound is one of the highest-ROI security activities an enterprise team can perform. The tool consistently surfaces privilege escalation routes that have existed undetected for years and that would never appear in a traditional permissions audit. Start with a DCOnly collection to identify structural paths (ACLs, delegation, DCSync rights) without generating session enumeration noise, then prioritize remediation using the Tier 0/1/2 framework. Schedule regular re-ingestion to catch new paths introduced by routine AD changes.

Frequently asked questions

Is BloodHound safe to run in a production Active Directory environment?

BloodHound's SharpHound collector is safe for production environments with appropriate scoping. DCOnly collection mode uses LDAP queries to Domain Controllers only and does not touch individual workstations or generate authentication events on endpoints. Session collection (which enumerates logged-in users on workstations via SMB) generates network traffic and authentication events that can trigger EDR and SIEM alerts. Coordinate with your detection team before running full collection, and run during a maintenance window if noise is a concern.

What is the difference between BloodHound Community Edition and BloodHound Enterprise?

BloodHound Community Edition (open source) provides point-in-time AD analysis, graph visualization, and Cypher query capability. It requires manual data collection runs and does not track changes over time. BloodHound Enterprise (commercial, from SpecterOps) adds continuous automated collection, attack path trending over time, risk scoring, remediation workflow integration with ticketing systems, Azure and Entra ID support, and audit-ready reporting. Community Edition is sufficient for periodic assessments; Enterprise is warranted when AD security requires continuous monitoring and compliance reporting.

What is a GenericAll edge in BloodHound and why is it dangerous?

A GenericAll edge means the source principal has full control over the target AD object. On a user object, GenericAll allows the source to reset the target's password, add the target to any group, modify SPN settings (enabling Kerberoasting), and write the msDS-KeyCredentialLink attribute (enabling Shadow Credentials attacks). On a group object, GenericAll allows adding arbitrary members. GenericAll on a Domain Admin account from any non-privileged account is a critical finding requiring immediate remediation.

How do I identify all Kerberoastable accounts in my environment?

Run: Get-ADUser -Filter {ServicePrincipalName -ne '$null' -and Enabled -eq $true} -Properties ServicePrincipalName, PasswordLastSet, PasswordNeverExpires, AdminCount | Select-Object Name, SamAccountName, ServicePrincipalName, PasswordLastSet, PasswordNeverExpires, AdminCount | Export-Csv kerberoastable_accounts.csv. Prioritize accounts where PasswordLastSet is more than 90 days ago, PasswordNeverExpires is true, or AdminCount is 1 (indicating protected group membership). These are the highest-risk Kerberoasting targets.

What does it mean when BloodHound shows a path length of 1 from Domain Users to Domain Admins?

A path length of 1 means a direct relationship exists between the Domain Users group and the Domain Admins group — for example, a direct ACE giving all domain users GenericAll on the DA group, or Domain Users directly nested inside Domain Admins. This is a critical misconfiguration requiring immediate remediation. Path length of 1 is rare in practice but path lengths of 2-4 are extremely common in enterprise environments and still represent trivially exploitable escalation routes.

How often should I re-run BloodHound analysis in a production environment?

Weekly re-analysis is the minimum for most organizations; daily is appropriate for high-security environments. AD changes that create new attack paths include: new user-to-group assignments, new service account SPN registrations, new GPO links, application deployments that write ACEs during installation, and AD join operations for new computer accounts. Track the count of paths to Tier 0 objects between runs — an increase since the previous run should trigger investigation of recent AD changes.

Can BloodHound detect Golden Ticket or Silver Ticket attacks?

BloodHound identifies the conditions that make Golden and Silver Ticket attacks possible (compromise of the KRBTGT account for Golden Tickets, or compromise of a service account for Silver Tickets) but does not detect active ticket-forging attacks. For active detection, monitor for Event ID 4769 with encryption type 0x17 (RC4-HMAC) on high-value service accounts, 4624 logon events with unusual ticket lifetimes, and Kerberos TGS requests for services on accounts with no interactive logon history. Microsoft Defender for Identity includes purpose-built Golden Ticket and Silver Ticket detection analytics.


Author: Eric Bang, Founder & Cybersecurity Evangelist, Decryption Digest

Cybersecurity professional with expertise in threat intelligence, vulnerability research, and enterprise security. Covers zero-days, ransomware, and nation-state operations for 50,000+ security professionals weekly.
