The Active Directory Attack Path Audit We Run on Every Engagement
Cybersecurity
Most teams audit Active Directory as a tier-list of users. That is a description of a healthy AD, not a threat model. The threat model is the graph of who can become whom, which is rarely the same shape.
By Arjun Raghavan, Security & Systems Lead, BIPI · July 22, 2025 · 8 min read
Most teams that operate Active Directory audit it as a tier-list of users. Domain Admins, Domain Users, Service Accounts, helpdesk groups. The list is a description of a healthy AD, not a threat model. The threat model is the graph of who can become whom, and that graph is rarely the same shape as the tier-list.
We use BloodHound on every cybersecurity engagement that touches Active Directory. It is open-source, free, and tells us in 30 minutes what would take weeks of manual work. Here is the audit we run with it.
Why a graph beats a list
BloodHound builds a directed graph from AD objects. Nodes are users, computers, groups, OUs, and domains. Edges are relationships: MemberOf, AdminTo, HasSession, GenericAll, GenericWrite, ForceChangePassword, AddMember, AllExtendedRights, WriteDacl, and so on. Each edge is a relationship an attacker who controls the source can abuse to take over or impersonate the target.
A flat list of users says nothing about composition. The graph reveals that helpdesk-user-12, supposedly tier-2, can ForceChangePassword on a service account that has GenericAll over an OU holding the accounts that administer the domain controllers. Nobody designed that path. It emerged because three teams added permissions independently over four years.
The five queries we run first
- Shortest path from any low-privilege user to Domain Admins. Run it unscoped first, with every enabled user as a starting point, then scoped to the accounts of one department. The first query catches global escalations; the second shows what an attacker holding a phished helpdesk laptop can actually reach.
- Computers with unconstrained delegation enabled. Any user or computer that authenticates with Kerberos to a service on one of these hands it a forwardable copy of its TGT, which sits in LSASS on that host and is harvestable with Mimikatz. Domain controllers have this enabled by default; outside the DC role the count should be zero.
- Service accounts with Kerberoastable SPNs and weak passwords. We request the service tickets, export the hashes, and run hashcat against them for two hours (mode 13100 for RC4 tickets, 19700 for AES-256). Anything that cracks gets a P1 finding.
- Users with adminCount=1 that are no longer in a protected group. adminCount is sticky: AD sets it when AdminSDHolder stamps the object and never clears it. These orphans keep the locked-down AdminSDHolder ACL with inheritance disabled, so delegated administration does not apply to them, and they are a reliable list of accounts that used to be tier-0 and may still hold residual rights elsewhere (local admin, service ACLs, GPO edit rights).
- Groups whose members have direct local admin on tier-0 hosts (DCs, ADFS, key servers). Local admin on a DC is functionally Domain Admin, since NTDS.dit and the DC's LSA secrets can be dumped from it.
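The graph argument above and the five checks, as one runnable sketch. This is an added example, not BloodHound's own code and not from the original post: it encodes a small constructed domain with BloodHound's edge names (MemberOf, AdminTo, GenericAll, Contains), answers the path question with a breadth-first search, and answers the other four as filters over node properties plus transitive group membership. Every node name, SID and edge is hypothetical lab data; the path it finds from the helpdesk user to a domain controller is the GenericAll-on-an-OU pattern described under the attack paths below. Local admin on a DC is treated as a tier-0 target, so the first and fifth checks agree with each other.

```python
"""Toy BloodHound-style audit over a constructed AD graph (added example, not BloodHound's code).
Every node, SID and edge below is hypothetical lab data; edge names mirror BloodHound's."""
from collections import deque

TIER0_RIDS = ("-512", "-519", "-518")  # Domain Admins, Enterprise Admins, Schema Admins
DC_GROUP_RID = "-516"                  # Domain Controllers group

# Constructed node properties for the hypothetical domain LAB.
NODES = {
    "HELPDESK-12@LAB": {"type": "User", "admincount": False, "spn": None},
    "SVC-BACKUP@LAB": {"type": "User", "admincount": False, "spn": "MSSQLSvc/db1.lab:1433"},
    "OLD-ADMIN@LAB": {"type": "User", "admincount": True, "spn": None},
    "HELPDESK@LAB": {"type": "Group", "sid": "S-1-5-21-1-2-3-1105"},
    "SERVERS-OU@LAB": {"type": "OU"},
    "DOMAIN ADMINS@LAB": {"type": "Group", "sid": "S-1-5-21-1-2-3-512"},
    "DOMAIN CONTROLLERS@LAB": {"type": "Group", "sid": "S-1-5-21-1-2-3-516"},
    "DC01.LAB": {"type": "Computer", "unconstraineddelegation": True},
    "APP01.LAB": {"type": "Computer", "unconstraineddelegation": True},
}

# Directed edges (source, edge, target): holding the source lets you take over the target.
EDGES = [
    ("HELPDESK-12@LAB", "MemberOf", "HELPDESK@LAB"),
    ("OLD-ADMIN@LAB", "MemberOf", "HELPDESK@LAB"),     # was tier-0 once, now only helpdesk
    ("HELPDESK@LAB", "GenericAll", "SERVERS-OU@LAB"),  # over-broad OU delegation
    ("SERVERS-OU@LAB", "Contains", "SVC-BACKUP@LAB"),  # OU rights inherit to the child object
    ("SVC-BACKUP@LAB", "AdminTo", "DC01.LAB"),         # service account is local admin on a DC
    ("DOMAIN ADMINS@LAB", "AdminTo", "DC01.LAB"),
    ("DC01.LAB", "MemberOf", "DOMAIN CONTROLLERS@LAB"),
]

def adjacency(edges):
    adj = {}
    for src, kind, dst in edges:
        adj.setdefault(src, []).append((kind, dst))
    return adj

def reachable(adj, start, kinds=None):
    """BFS from start; returns {node: (previous node, edge)} in discovery order."""
    seen = {start: None}
    queue = deque([start])
    while queue:
        node = queue.popleft()
        for kind, nxt in adj.get(node, []):
            if (kinds is None or kind in kinds) and nxt not in seen:
                seen[nxt] = (node, kind)
                queue.append(nxt)
    return seen

def shortest_path(adj, start, targets):
    """Fewest-hop path from start to the nearest target, as [(src, edge, dst), ...], or None."""
    seen = reachable(adj, start)
    hit = next((n for n in seen if n in targets and n != start), None)  # BFS order: nearest first
    path = []
    while hit is not None and seen[hit] is not None:
        prev, kind = seen[hit]
        path.append((prev, kind, hit))
        hit = prev
    return path[::-1] or None

def groups_with_rid(nodes, rids):
    return {n for n, p in nodes.items() if p["type"] == "Group" and p.get("sid", "").endswith(rids)}

def dc_hosts(nodes, adj):
    """Computers that are (transitively) members of Domain Controllers."""
    dc_group = groups_with_rid(nodes, (DC_GROUP_RID,))
    return {n for n, p in nodes.items()
            if p["type"] == "Computer" and dc_group & set(reachable(adj, n, {"MemberOf"}))}

def paths_to_tier0(nodes, edges):
    """Query 1: every user with a path to a tier-0 group or a domain controller."""
    adj = adjacency(edges)
    targets = groups_with_rid(nodes, TIER0_RIDS) | dc_hosts(nodes, adj)
    found = {}
    for n, p in nodes.items():
        if p["type"] == "User":
            path = shortest_path(adj, n, targets)
            if path:
                found[n] = path
    return found

def unconstrained_delegation(nodes, edges):
    """Query 2: unconstrained delegation anywhere other than a DC."""
    dcs = dc_hosts(nodes, adjacency(edges))
    return sorted(n for n, p in nodes.items() if p.get("unconstraineddelegation") and n not in dcs)

def kerberoastable(nodes):
    """Query 3: accounts with an SPN, whose service tickets can be requested and cracked offline."""
    return sorted((n, p["spn"]) for n, p in nodes.items() if p["type"] == "User" and p.get("spn"))

def orphaned_admincount(nodes, edges):
    """Query 4: adminCount=1 with no transitive membership in a tier-0 group."""
    adj = adjacency(edges)
    tier0 = groups_with_rid(nodes, TIER0_RIDS)
    return sorted(n for n, p in nodes.items()
                  if p.get("admincount") and not tier0 & set(reachable(adj, n, {"MemberOf"})))

def non_tier0_admin_on_dcs(nodes, edges):
    """Query 5: direct local admin on a DC held by any principal outside tier-0."""
    dcs = dc_hosts(nodes, adjacency(edges))
    tier0 = groups_with_rid(nodes, TIER0_RIDS)
    return sorted((s, d) for s, k, d in edges if k == "AdminTo" and d in dcs and s not in tier0)

if __name__ == "__main__":
    for user, path in paths_to_tier0(NODES, EDGES).items():
        print(user, "->", " -> ".join(f"[{k}] {d}" for _, k, d in path))
```

The helpdesk user reaches DC01 in four hops (MemberOf, GenericAll, Contains, AdminTo) although no list-style check would flag it: its adminCount is 0, it has no SPN, and it is in no privileged group. In real BloodHound the same question is a Cypher `shortestPath` from every user to the group whose objectid ends in `-512`; the property filters map onto the `unconstraineddelegation`, `hasspn` and `admincount` node attributes the collectors populate.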
Common attack paths we find
Three patterns show up in the majority of engagements.
GenericAll on an OU. Often granted to a 'helpdesk' or 'desktop support' group. GenericAll on the OU, inherited down the tree, means the holder controls every object beneath it that AdminSDHolder does not protect, including resetting passwords on accounts they should never touch. The path from helpdesk to Domain Admins is two hops: reset the password on a privileged service account inside the OU, then log in as that account.
Kerberos delegation to a wide scope. Constrained delegation to a service that is itself widely trusted creates an escalation, and with protocol transition (TrustedToAuthForDelegation) the delegating account can impersonate any user, Domain Admins included, to the listed SPNs; if one of those SPNs is CIFS or LDAP on a domain controller, that is the domain. Resource-Based Constrained Delegation (RBCD) is similar but configured on the target: anyone with write access to a computer's msDS-AllowedToActOnBehalfOfOtherIdentity attribute can grant themselves the right to act on its behalf. Both fail audit if the trust boundary is wider than 'this service trusts these specific identities to act on its behalf.'
Stale local admin via Group Policy Preferences (GPP). The cpassword attribute in old GPP XML files (Groups.xml, Services.xml, ScheduledTasks.xml and others under SYSVOL) holds an AES-256-encrypted local admin password, and Microsoft published the key in the protocol documentation, so anyone who can read SYSVOL, which is every domain user, can decrypt it. MS14-025 (May 2014) stopped new values from being written but did not remove existing ones, so legacy SYSVOL files still leak the credential on engagements where AD has been around since 2010.
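Finding the GPP exposure is a SYSVOL sweep, shown here as an added example rather than the post's own tooling: the scanner walks a mounted Policies tree for the preference files that can carry cpassword, parses each with the standard library, records which item and account the value sets, and restores the base64 padding that GPP strips. SAMPLE_GROUPS_XML is constructed test data with the shape of a real Groups.xml, and the SYSVOL path in the comment is hypothetical. The key is the one from MS-GPPREF; actual decryption is AES-256-CBC with a zero IV and is left to a crypto library, since the finding is the presence of the value, not its plaintext.

```python
"""Find Group Policy Preference cpassword values under SYSVOL.
Added example, not from the original post: SAMPLE_GROUPS_XML is constructed test data."""
import base64
import os
import xml.etree.ElementTree as ET

# Preference files that can carry a cpassword attribute.
GPP_FILES = ("Groups.xml", "Services.xml", "ScheduledTasks.xml",
             "DataSources.xml", "Drives.xml", "Printers.xml")

# AES-256 key Microsoft published in MS-GPPREF; cpassword is AES-256-CBC under it with a zero IV.
GPP_AES_KEY = bytes.fromhex("4e9906e8fcb66cc9faf49310620ffee8f496e806cc057990209b09a433b66c1b")

# Constructed sample with the shape of a Groups.xml that sets the local Administrator password.
SAMPLE_GROUPS_XML = """<?xml version="1.0" encoding="utf-8"?>
<Groups clsid="{3125E937-EB16-4b4c-9934-544FC6D24D26}">
  <User clsid="{DF5F1855-51E5-4d24-8B1A-D9BDE98BA1D1}" name="Administrator (built-in)"
        changed="2012-05-14 09:13:22" uid="{11111111-2222-3333-4444-555555555555}">
    <Properties action="U" newName="" fullName="" description=""
        cpassword="j1Uyj3Vx8TY9LtLZil2uAuZkFQA/4latT76ZwgdHdhw"
        changeLogon="0" noChange="1" neverExpires="1" acctDisabled="0"
        userName="Administrator (built-in)"/>
  </User>
</Groups>
"""

def pad_cpassword(cpassword):
    """GPP strips the base64 '=' padding; restore it so the value decodes."""
    return cpassword + "=" * (-len(cpassword) % 4)

def find_cpasswords(xml_text, source="<memory>"):
    """One finding per cpassword attribute: where it is, what it sets, and the raw ciphertext."""
    root = ET.fromstring(xml_text)
    parents = {child: parent for parent in root.iter() for child in parent}
    findings = []
    for elem in root.iter():
        cp = elem.get("cpassword")
        if not cp:
            continue
        item = parents.get(elem, elem)  # the <User>, <Service>, <Task>... that owns <Properties>
        findings.append({
            "source": source,
            "item": item.tag,
            "target": elem.get("userName") or elem.get("accountName") or item.get("name"),
            "changed": item.get("changed"),
            "ciphertext": base64.b64decode(pad_cpassword(cp)),
        })
    return findings

def scan_sysvol(root_dir):
    """Walk a mounted SYSVOL Policies tree and collect every cpassword it still carries."""
    findings = []
    for dirpath, _, files in os.walk(root_dir):
        for name in files:
            if name not in GPP_FILES:
                continue
            path = os.path.join(dirpath, name)
            try:
                with open(path, encoding="utf-8-sig") as fh:
                    findings.extend(find_cpasswords(fh.read(), path))
            except (OSError, ET.ParseError) as err:
                print(f"skipped {path}: {err}")
    return findings

if __name__ == "__main__":
    # On an engagement: scan_sysvol(r"\\dc01.lab\SYSVOL\lab\Policies") (hypothetical mount point).
    for h in find_cpasswords(SAMPLE_GROUPS_XML, "Groups.xml"):
        print(f"{h['source']}: <{h['item']}> sets {h['target']!r} (changed {h['changed']}), "
              f"{len(h['ciphertext'])}-byte ciphertext")
```

Two details matter in practice: the `changed` timestamp tells you how long the password has been sitting in SYSVOL, and the file may still be present in a GPO that no longer applies to anything, which is exactly the stale case the audit is looking for. A 32-byte ciphertext is two AES blocks, which is what a short local admin password encrypts to.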
What 'good' looks like
A clean Active Directory has these five properties.
- Tier-0 group membership is under 10 accounts. Domain Admins, Enterprise Admins, Schema Admins.
- Zero unconstrained-delegation computers outside the DC role.
- All service accounts use AES-only Kerberos (msDS-SupportedEncryptionTypes restricted to AES128/AES256, so their tickets cannot be requested with the weaker RC4 etype) and long random passwords, or are gMSAs whose passwords AD rotates automatically.
- AdminSDHolder is reviewed monthly. Any object with adminCount=1 that is not currently in a protected group has adminCount cleared and inheritance re-enabled on its ACL, so it falls back under normal delegation.
- BloodHound is run quarterly with the path-to-DA query, and the result is reviewed in the security committee.
AD is not a list of users. It is a graph of who can become whom. Audit the graph.
Closing
Active Directory ages badly. Permissions get added, never removed. Service accounts proliferate. Trust relationships drift. An audit that only checks user tiers will miss the actual escalation paths every time. Run BloodHound. Treat the path-to-Domain-Admins query as the canonical health check. Your environment will look surprisingly different from the org chart.