Internal Network & Active Directory · intermediate · ~11 min

Attack paths (BloodHound) and AD defenses

Explain graph-based attack-path analysis and the practical AD hardening that breaks paths.

Overview

AD compromise is a chain of small legitimate rights to Domain Admin; BloodHound graphs AD data to compute these attack paths (and defenders use it to cut them). Defenses that work: tiered administration, ACL/least-privilege hygiene, LAPS, gMSA, Protected Users, and monitoring.

Why it matters

Thinking in attack paths (not isolated bugs) is how modern AD assessment works, and the best reporting names the one change that breaks a path to Domain Admin. The structural defenses (tiering, LAPS, ACL hygiene) are what clients should hear.

Core concepts

  • Attack path: a chain of individually legitimate rights that ends at Domain Admin.
  • BloodHound graph: computes the shortest paths from the principals you already control.
  • Tiering: Tier-0 credentials are never exposed on low-trust hosts.
  • LAPS/gMSA: LAPS kills local-admin password reuse; gMSA defeats Kerberoasting.
  • Reporting: the path plus the single change that breaks it.

Lesson

AD compromise is rarely one bug — it's a chain of small rights that lead, step by step, to Domain Admin. Finding and breaking those chains is the modern AD discipline.

BloodHound and attack paths

BloodHound ingests AD enumeration (users, groups, sessions, ACLs, GPO links) and builds a graph, then computes the shortest path from "what I control" to "Domain Admin". It surfaces non-obvious chains like:

You control user A → A can reset B's password (ACL) → B is in a group with admin on server X → an admin is logged into X → steal their token → Domain Admin. Each hop is a legitimate right; the combination is the vulnerability. Defenders use BloodHound too, to find and cut these paths before attackers do.

The defenses that actually work

  • Tiered administration: Tier-0 (DCs, domain admins) accounts never log into lower-tier hosts, so their credentials can't be harvested there.
  • Least privilege & ACL hygiene: remove dangerous rights (GenericAll, password-reset) and stale admin memberships.
  • LAPS: unique, rotated local-admin passwords kill credential reuse.
  • Managed service accounts (gMSA): long random passwords defeat Kerberoasting.
  • Protected Users group, Credential Guard, and monitoring of logon and Kerberos ticket events (4624/4625/4768/4769) plus unusual LDAP query volume.

Reporting

For AD, the value is the path and the single change that breaks it: "remove this ACL / this group membership and the path to DA disappears." That's far more actionable than a list of individual findings.
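A toy version of the path-plus-break analysis from the BloodHound section and the reporting advice above, added here as an example (this is not BloodHound's own code; the graph, the principal names and the `single_breaks` helper are constructed for illustration). BFS finds the shortest path from a controlled user to Domain Admins, then each hop is re-tested with that one edge removed to see which single change actually disconnects the path; the first hop is deliberately shadowed by a second route, so cutting it alone would not be enough.

```python
from collections import deque

# Constructed toy AD graph mirroring the chain in the lesson. Edge labels follow
# BloodHound-style relationship names; "UserA" is the assumed controlled principal.
EDGES = [
    ("UserA", "ForceChangePassword", "UserB"),      # ACL: A can reset B's password
    ("UserB", "MemberOf", "ServerAdmins"),
    ("ServerAdmins", "AdminTo", "ServerX"),
    ("ServerX", "HasSession", "AdminC"),            # an admin is logged into X
    ("AdminC", "MemberOf", "DomainAdmins"),
    ("UserA", "MemberOf", "DomainUsers"),           # noise edge with no route to DA
    ("UserA", "MemberOf", "HelpdeskGroup"),         # second route to UserB ...
    ("HelpdeskGroup", "GenericAll", "UserB"),       # ... via a dangerous group ACL
]


def shortest_path(edges, start, target):
    """BFS over directed edges; returns the hop list [(src, rel, dst), ...] or None."""
    adj = {}
    for src, rel, dst in edges:
        adj.setdefault(src, []).append((rel, dst))
    parent = {start: None}          # node -> (predecessor, relationship)
    queue = deque([start])
    while queue:
        node = queue.popleft()
        if node == target:
            path = []
            while parent[node]:     # walk back to the start, then reverse
                src, rel = parent[node]
                path.append((src, rel, node))
                node = src
            return path[::-1]
        for rel, nxt in adj.get(node, []):
            if nxt not in parent:
                parent[nxt] = (node, rel)
                queue.append(nxt)
    return None


def single_breaks(edges, start, target):
    """Hops on the shortest path whose removal alone leaves no route to the target."""
    path = shortest_path(edges, start, target) or []
    return [hop for hop in path
            if shortest_path([e for e in edges if e != hop], start, target) is None]


if __name__ == "__main__":
    for src, rel, dst in shortest_path(EDGES, "UserA", "DomainAdmins"):
        print(f"{src} -[{rel}]-> {dst}")
    print("single changes that break the path:", single_breaks(EDGES, "UserA", "DomainAdmins"))
```

Removing only the ForceChangePassword ACL is not reported as a break because the HelpdeskGroup GenericAll route still reaches UserB; the report should name one of the later hops (or both ACLs on UserB).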

Summary

AD attacks chain small rights into a path to Domain Admin; graph tools like BloodHound find them and defenders cut them. The durable fixes are tiered admin, ACL hygiene, LAPS, gMSA, and monitoring — and the best report shows the path and the break.