T1484 Active Directory Attack Paths — ACL Abuse, Delegation, and Trust Attacks
How attackers exploit Active Directory ACLs, Kerberos delegation, and cross-forest trust relationships to escalate privileges and move laterally — and how SOC analysts can map, detect, and break these paths.
What Attack Paths Are and Why They Exist
- An Active Directory attack path is a sequence of permission relationships that allows an attacker to escalate from their current level of access to a target (typically Domain Admin or Enterprise Admin).
- Attack paths exist because AD’s permission model is granular and cumulative. A user may have WriteOwner on Group A, which contains User B, who has GenericAll on Group C, which is a member of Domain Admins. Each step is intentional, but the combination creates an unintended escalation.
- BloodHound maps these paths using graph theory (shortest path to Domain Admin). Attackers use it to find the easiest route. Defenders use it to identify and break dangerous permission combinations.
- These attack paths are mapped to MITRE ATT&CK under T1484 (Domain Policy Modification), T1558 (Steal or Forge Kerberos Tickets), and T1098 (Account Manipulation).
ACL Abuse — Permission Chains That Escalate Privilege
AD access control lists (ACLs) define who can read, modify, delete, or change ownership of AD objects. An ACL entry that grants more privilege than intended creates an escalation path.
Dangerous ACL Permissions
| Permission | What It Allows | Escalation Path |
|---|---|---|
| GenericAll | Full control over the target object | Take over the object and all its privileges |
| GenericWrite | Modify any writable attribute on the object | Add the controlled object to a privileged group |
| WriteOwner | Change the ownership of the object | Take ownership and modify ACLs |
| WriteDACL | Modify the ACL on the object | Grant yourself any permission on the object |
| ForceChangePassword | Reset the user’s password without knowing the current one | Direct account takeover |
| AddMember | Add a member to a group | Join a privileged group |
| AllExtendedRights | Perform all extended operations (including password reset) | Same as ForceChangePassword on user objects |
| DS-Replication-Get-Changes | Replicate AD data (DCSync) | Dump all password hashes |
Common ACL Abuse Scenarios
Scenario 1 — Group Takeover via GenericAll:
User srvadmin has GenericAll on Group_ServerAdmins. Although srvadmin is not a member of that group, they can add themselves. Group_ServerAdmins is a member of Domain Admins. Result: srvadmin becomes Domain Admin.
Detection: Event ID 4732 (member added to security-enabled global group) from a non-admin account adding themselves.
Scenario 2 — Password Reset Without Privilege:
User helpdesk.joe has ForceChangePassword on user.executive. Joe can reset the executive’s password without knowing the current one, then log in as the executive and inherit their group memberships.
Detection: Event ID 4724 (password reset attempt) where the resetting account should not have reset privileges.
Scenario 3 — AdminSDHolder Modification:
The AdminSDHolder object protects privileged accounts by resetting their ACLs every 60 minutes. If an attacker gains WriteDACL on AdminSDHolder, they can modify the protection template. Next time the protection process runs, their ACL modifications are applied to all privileged accounts.
Detection: Event ID 5136 (directory service object modified) on CN=AdminSDHolder,CN=System — immediate escalation to critical.
BloodHound Query — Find Dangerous ACLs
```cypher
// Find all users with GenericAll, GenericWrite, WriteOwner or WriteDACL on privileged groups.
// BloodHound stores object names upper-cased (e.g. DOMAIN ADMINS@CORP.LOCAL), so match on upper case.
MATCH (u:User)-[r:GenericAll|GenericWrite|WriteOwner|WriteDACL]->(g:Group)
WHERE g.name CONTAINS 'DOMAIN ADMINS' OR g.name CONTAINS 'ENTERPRISE ADMINS'
RETURN u.name, type(r), g.name
```
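The same search in plain Python, as an added example that is not part of the original page or of BloodHound: a breadth-first shortest path over a constructed edge list containing Scenarios 1 and 2, reporting for each principal how many hops it is from Domain Admins and which ACL edge a defender can remove to break the path. All principal names and edges are invented.

```python
from collections import deque

# Constructed BloodHound-style edge list (not real collection data): (source, relationship, target).
# MemberOf edges are intended group structure; the other relationships are ACL rights from the
# "Dangerous ACL Permissions" table that an attacker can abuse.
EDGES = [
    ("SRVADMIN@CORP.LOCAL", "GenericAll", "GROUP_SERVERADMINS@CORP.LOCAL"),            # Scenario 1
    ("GROUP_SERVERADMINS@CORP.LOCAL", "MemberOf", "DOMAIN ADMINS@CORP.LOCAL"),
    ("HELPDESK.JOE@CORP.LOCAL", "ForceChangePassword", "USER.EXECUTIVE@CORP.LOCAL"),  # Scenario 2
    ("USER.EXECUTIVE@CORP.LOCAL", "MemberOf", "GROUP_FINANCE@CORP.LOCAL"),
    ("GROUP_FINANCE@CORP.LOCAL", "WriteDACL", "GROUP_SERVERADMINS@CORP.LOCAL"),
    ("BACKUP.SVC@CORP.LOCAL", "MemberOf", "BACKUP OPERATORS@CORP.LOCAL"),              # no path to DA
]
ABUSABLE = {"GenericAll", "GenericWrite", "WriteOwner", "WriteDACL",
            "ForceChangePassword", "AddMember", "AllExtendedRights"}


def build_graph(edges):
    graph = {}
    for src, rel, dst in edges:
        graph.setdefault(src, []).append((rel, dst))
    return graph


def shortest_path(graph, start, target):
    """Breadth-first search; returns the path as a list of (node, rel, node) hops, or None."""
    queue = deque([(start, [])])
    seen = {start}
    while queue:
        node, path = queue.popleft()
        if node == target:
            return path
        for rel, nxt in graph.get(node, []):
            if nxt not in seen:
                seen.add(nxt)
                queue.append((nxt, path + [(node, rel, nxt)]))
    return None


def breakable_edges(path):
    """ACL edges on the path: removing any one of them severs it (MemberOf edges are by design)."""
    return [(s, r, d) for s, r, d in path if r in ABUSABLE]


def audit(edges, target="DOMAIN ADMINS@CORP.LOCAL"):
    """Map every principal that can reach the target; report hop count and where to cut."""
    graph = build_graph(edges)
    report = {}
    for start in sorted({s for s, _, _ in edges} - {target}):
        path = shortest_path(graph, start, target)
        if path is not None:
            report[start] = {"hops": len(path), "break": breakable_edges(path)}
    return report
```

A principal whose `break` list is empty reaches the target through membership alone and is not an ACL finding; the others list exactly the permissions to remove.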
Detection — ACL Abuse
SPL query — detect ACL modifications on sensitive objects:
```spl
index=windows EventCode=5136
| search ObjectDN IN ("*AdminSDHolder*", "*Domain Admins*", "*Enterprise Admins*", "*Schema Admins*")
| stats count, min(_time) AS first_seen, max(_time) AS last_seen BY Account_Name, ObjectDN, AttributeValue
| eval alert = "CRITICAL — ACL modification on " . ObjectDN . " by " . Account_Name
| table first_seen, last_seen, count, Account_Name, ObjectDN, AttributeValue, alert
```
Kerberos Delegation Abuse
Kerberos delegation allows a service to impersonate a user to access another service. This is a legitimate Windows feature, but misconfigured delegation creates dangerous attack paths.
Unconstrained Delegation
When a server has unconstrained delegation enabled, any user who authenticates to that server sends their TGT (Ticket Granting Ticket) along with the TGS. If an attacker compromises that server, they can extract every TGT that has passed through it — including Domain Admin TGTs.
Detection: Use BloodHound or PowerShell to find computers with TrustedForDelegation = $true. Compromise one = compromise the domain.
Attack flow:
- Attacker compromises a web server with unconstrained delegation
- A Domain Admin connects to the web server (e.g., for management)
- The attacker extracts the DA’s TGT from LSASS
- The attacker uses the DA’s TGT to access the Domain Controller
Constrained Delegation Abuse
Constrained delegation limits which services a server can impersonate on behalf of users. However, if the constrained delegation allows access to a high-value service (e.g., CIFS/DC01 or LDAP/DC01), it still creates an escalation path.
Detection: Event ID 4769 with delegation flag (forwardable or delegation-ok) set for a non-DC service account.
Resource-Based Constrained Delegation (RBCD) Abuse
RBCD allows the target service to control which accounts can delegate to it. If an attacker has GenericWrite on a computer object, they can configure RBCD to allow their controlled account to impersonate any user to that service.
Detection: Event ID 5136 on msDS-AllowedToActOnBehalfOfOtherIdentity attribute — an attribute that should rarely change.
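An added audit example (not from the page or from any AD tool) that classifies delegation the way the three sections above describe it, over constructed computer objects. The TRUSTED_FOR_DELEGATION bit and the two msDS attribute names are real; the hostnames, SPNs and the DC list are assumptions, and the RBCD attribute is simplified to a list of principal names where AD actually stores a security descriptor.

```python
# Constructed computer objects in the shape of the attributes a defender pulls with
# Get-ADComputer (not real objects). Hostnames and SPNs are invented for this example.
TRUSTED_FOR_DELEGATION = 0x80000   # userAccountControl bit: unconstrained delegation
DOMAIN_CONTROLLERS = {"DC01"}      # assumption: the environment's DC hostnames

OBJECTS = [
    {"name": "WEB01$",   "userAccountControl": 0x1000 | TRUSTED_FOR_DELEGATION,
     "msDS-AllowedToDelegateTo": [], "msDS-AllowedToActOnBehalfOfOtherIdentity": []},
    {"name": "SQL02$",   "userAccountControl": 0x1000,
     "msDS-AllowedToDelegateTo": ["cifs/DC01.corp.local", "ldap/DC01"],
     "msDS-AllowedToActOnBehalfOfOtherIdentity": []},
    {"name": "APP03$",   "userAccountControl": 0x1000,
     "msDS-AllowedToDelegateTo": ["http/intranet.corp.local"], "msDS-AllowedToActOnBehalfOfOtherIdentity": []},
    {"name": "FILE04$",  "userAccountControl": 0x1000,   # simplified: AD stores a security descriptor here
     "msDS-AllowedToDelegateTo": [], "msDS-AllowedToActOnBehalfOfOtherIdentity": ["WS-TEMP07$"]},
    {"name": "PRINT05$", "userAccountControl": 0x1000,
     "msDS-AllowedToDelegateTo": [], "msDS-AllowedToActOnBehalfOfOtherIdentity": []},
    {"name": "DC01$",    "userAccountControl": 0x2000 | TRUSTED_FOR_DELEGATION,   # 0x2000 = SERVER_TRUST_ACCOUNT
     "msDS-AllowedToDelegateTo": [], "msDS-AllowedToActOnBehalfOfOtherIdentity": []},
]


def spn_host(spn):
    """'cifs/DC01.corp.local' -> 'DC01' (service class stripped, short hostname, upper-cased)."""
    return spn.split("/", 1)[1].split(":")[0].split(".")[0].upper()


def classify(obj):
    """Return (delegation_type, severity, reason) for one computer object."""
    host = obj["name"].rstrip("$").upper()
    if obj["userAccountControl"] & TRUSTED_FOR_DELEGATION:
        if host in DOMAIN_CONTROLLERS:
            return ("unconstrained", "expected", "domain controllers are unconstrained by design")
        return ("unconstrained", "critical", "every TGT presented to this host can be extracted")
    targets = {spn_host(s) for s in obj["msDS-AllowedToDelegateTo"]}
    if targets & DOMAIN_CONTROLLERS:
        return ("constrained", "high", "may impersonate users to a DC service: " + ", ".join(sorted(targets & DOMAIN_CONTROLLERS)))
    if targets:
        return ("constrained", "medium", "verify the listed services are still required")
    if obj["msDS-AllowedToActOnBehalfOfOtherIdentity"]:
        return ("rbcd", "high", "msDS-AllowedToActOnBehalfOfOtherIdentity is set; confirm who wrote it (Event ID 5136)")
    return ("none", "info", "")


def audit(objects):
    return {o["name"]: classify(o) for o in objects}
```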
Trust Attacks — Crossing Domain and Forest Boundaries
Trust relationships connect domains within a forest and across forests. Attackers exploit trust relationships to move laterally between security boundaries.
SID History Abuse
SID History (sIDHistory) is a Kerberos attribute that allows a user to retain access to resources in their original domain when moved to a new domain. Attackers with Domain Admin in Domain A can add SID History entries for privileged users in Domain B.
Detection: Event ID 4768 where a TGT contains SID History entries that do not correspond to the user’s domain of origin.
Trust Ticket (Golden Ticket Variant for Trusts)
A variant of the Golden Ticket attack that targets inter-domain or inter-forest trusts. The attacker forges a referral ticket that impersonates the trust relationship itself, effectively bypassing the trust boundary.
| Trust Type | Attack Opportunity | Detection |
|---|---|---|
| Parent-child (intra-forest) | If the child domain is compromised, the attacker can forge tickets to the parent domain | TGT with SID History from child domain |
| Forest trust (inter-forest) | If the forest trust is configured with SID filter quarantine disabled | Authentication from external forest with anomalous SIDs |
| External trust (inter-domain) | If the external trust allows authentication to privileged groups | Logons from the trusted external domain to sensitive resources |
SID Filtering Bypass
Windows applies SID filtering to inter-forest trusts to prevent SID History-based privilege escalation from one forest to another. However, SID filtering can be disabled by an administrator — and attackers who discover this can exploit it.
Detection: Check trust attributes with Get-ADTrust -Filter * | fl * and verify SIDFilteringQuarantine is enabled on all forest trusts.
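An added example (not from the page) of the check behind the SID History detection above and the trust table: parse the SIDs carried in a 4768 ticket request and flag those that cannot have come from a legitimate migration, including foreign-forest SIDs that SID filtering should have stripped. The domain SIDs and the migration-source list are constructed.

```python
# Constructed 4768-style inputs (not real events): the requesting user's own SID and the SIDs
# carried in sIDHistory. All domain SIDs below are invented for this example.
HOME_DOMAIN = "S-1-5-21-1111111111-2222222222-3333333333"          # the ticket's own domain
MIGRATION_SOURCES = {"S-1-5-21-7777777777-8888888888-9999999999"}  # legacy domain migrated into it
PRIVILEGED_RIDS = {500: "Administrator", 512: "Domain Admins", 516: "Domain Controllers",
                   518: "Schema Admins", 519: "Enterprise Admins"}


def split_sid(sid):
    """'S-1-5-21-a-b-c-512' -> ('S-1-5-21-a-b-c', 512); a non-domain SID returns (sid, None)."""
    parts = sid.split("-")
    if len(parts) != 8 or parts[:4] != ["S", "1", "5", "21"]:
        return (sid, None)
    return ("-".join(parts[:7]), int(parts[7]))


def check_sid_history(user_sid, sid_history):
    """Return one (sid, severity, reason) finding per anomalous sIDHistory entry."""
    user_domain, _ = split_sid(user_sid)
    findings = []
    for sid in sid_history:
        domain, rid = split_sid(sid)
        if rid in PRIVILEGED_RIDS:
            # Migration never carries a built-in admin SID; this is the injection pattern.
            findings.append((sid, "critical", f"privileged RID {rid} ({PRIVILEGED_RIDS[rid]})"))
        elif domain == user_domain:
            findings.append((sid, "critical", "sIDHistory entry from the user's own domain"))
        elif domain not in MIGRATION_SOURCES:
            # A SID from a trusted forest should have been removed by SID filtering.
            findings.append((sid, "high", "origin domain is not a known migration source"))
    return findings


def summarize(user_sid, sid_history):
    """Highest severity across all entries: 'critical' > 'high' > 'ok'."""
    sev = {f[1] for f in check_sid_history(user_sid, sid_history)}
    return "critical" if "critical" in sev else "high" if "high" in sev else "ok"
```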
Breaking Attack Paths — Defensive Actions
| Path Type | How to Break It | Priority |
|---|---|---|
| ACL abuse | Run BloodHound, identify dangerous ACLs, remove excessive permissions | High |
| Unconstrained delegation | Disable unconstrained delegation, use constrained delegation instead | Critical |
| Constrained delegation | Audit delegation configurations, limit delegation to necessary services | High |
| RBCD | Monitor msDS-AllowedToActOnBehalfOfOtherIdentity modifications | High |
| SID History / Trust attacks | Enable SID filtering on all forest trusts, monitor SID History attributes | Medium |
| Trust tickets | Use the same krbtgt resets for inter-domain trust attack recovery | High |
Tools for Mapping and Breaking Attack Paths
| Tool | Purpose | Usage |
|---|---|---|
| BloodHound | Graph-based AD attack path analysis | SharpHound.exe -c All → load into BloodHound UI |
| PingCastle | AD security assessment and risk scoring | Runs health checks, reports risk levels |
| Purple Knight | AD security assessment (free) | Maps to MITRE ATT&CK, provides remediation steps |
| AD ACL Scanner | PowerShell-based ACL audit | Get-ACL on AD objects, filter for dangerous permissions |
Related
- Active Directory Basics — covers Active Directory fundamentals
- Active Directory Compromise Response — detection and response for T1558 techniques
- Kerberos Attacks Deep Dive — detection and response for T1558 techniques
- Pass-the-Hash — detection and response for T1550.002 techniques
- BloodHound — detection and response for T1087 techniques
