Active Directory is the identity and access management backbone of the vast majority of enterprise environments. It is also one of the most consistently misconfigured systems in corporate infrastructure, not because IT teams are careless, but because Active Directory accumulates complexity over years of organizational change, mergers, application deployments, and policy exceptions. The result is an environment where the logical access control model (who should be able to do what) has diverged significantly from the actual permissions model (who can actually do what). BloodHound is the tool that makes this divergence visible. For defenders who run it on their own environment, it is illuminating. For attackers who run it on yours, it is a roadmap.
TL;DR: BloodHound maps AD relationships to find the shortest attack path from any compromised account to Domain Admin. Common paths include ACL abuse (GenericAll/WriteDACL on privileged groups), unconstrained delegation, ADCS misconfigurations (ESC1 certificate templates, ESC8 web enrollment relay), and shadow admin accounts. Most enterprise environments have multiple viable paths. Running BloodHound defensively before attackers run it offensively is the starting point for AD hardening.
## What BloodHound Does
BloodHound uses graph database analysis to model Active Directory as a network of relationships between objects (users, computers, groups, OUs, GPOs) and to find paths between them. The key insight is that AD security is not about individual permissions; it is about chains of permissions. An account that cannot directly add itself to Domain Admins may be able to add itself to a group that has WriteOwner permission on Domain Admins, which allows changing the group's owner, which in turn allows modifying its membership (an owner can grant itself write access to the group's DACL). This three-step chain is an effective path to domain compromise from what appears to be a low-privileged account.
BloodHound's collectors (SharpHound for on-premises AD, and the newer AzureHound for Azure AD/Entra ID) ingest group membership at all levels, ACL entries on all AD objects, Kerberos delegation settings, session data (which accounts are logged on to which computers), local administrator relationships, and certificate template permissions. The graph analysis then runs shortest-path queries against this data to find attack paths.
## Common Attack Paths Found in Real AD Environments
### ACL abuse paths
The most common BloodHound finding in Lorikeet Security's internal network assessments is ACL misconfiguration enabling privilege escalation. The dangerous permissions are:
- GenericAll on a user or group — full control, including the ability to modify group membership, reset passwords, or configure the account for exploitation
- WriteDACL — the ability to modify the DACL of an object, which allows granting yourself any other permission on that object
- WriteOwner — the ability to change an object's owner, which provides full control over the object
- GenericWrite on a user — the ability to modify non-protected attributes, including setting a ServicePrincipalName for targeted Kerberoasting or writing the msDS-KeyCredentialLink attribute for Shadow Credentials attacks
### Shadow admins
Shadow admins are accounts that have effective administrative rights through indirect permission chains rather than direct membership in privileged groups. Standard privileged user reports show who is in Domain Admins, Enterprise Admins, and Schema Admins — but they do not show which accounts have ACL-based paths to equivalent control. An account with GenericAll on Domain Admins is functionally a domain admin; it simply does not appear in any standard report or alert threshold. BloodHound specifically identifies these accounts, which is why defenders need to run it before attackers do.
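The chain-of-permissions idea from the opening section and the shadow admin definition above, as an added example (not BloodHound's own code, which runs Cypher queries against Neo4j): a breadth-first shortest-path search over a constructed set of AD edges that reports every principal reaching Domain Admins without being a direct member. Edge labels follow BloodHound's naming; the accounts and groups are invented.

```python
from collections import deque

# Constructed sample of AD relationships as (source, edge, target) triples.
EDGES = [
    ("alice", "MemberOf", "HelpDesk"),
    ("HelpDesk", "GenericAll", "bob"),            # full control of bob's account
    ("bob", "MemberOf", "AppOps"),
    ("AppOps", "WriteOwner", "Domain Admins"),    # the three-step chain from the text
    ("carol", "MemberOf", "Domain Admins"),       # direct member, not a shadow admin
    ("dave", "MemberOf", "Domain Users"),
    ("Domain Users", "GenericWrite", "svc_sql"),  # dead end: svc_sql controls nothing
]
# Edges that hand the source the target's privileges: membership plus the ACL rights.
CONTROL_EDGES = {"MemberOf", "GenericAll", "GenericWrite", "WriteDacl", "WriteOwner"}

def build_graph(edges):
    graph = {}
    for src, edge, dst in edges:
        if edge in CONTROL_EDGES:
            graph.setdefault(src, []).append((edge, dst))
    return graph

def shortest_path(graph, start, target):
    """Breadth-first search; returns the path as (node, edge, node) hops, or None."""
    parent = {start: None}
    queue = deque([start])
    while queue:
        node = queue.popleft()
        if node == target:
            hops = []
            while parent[node] is not None:
                prev, edge = parent[node]
                hops.append((prev, edge, node))
                node = prev
            return hops[::-1]
        for edge, nxt in graph.get(node, []):
            if nxt not in parent:
                parent[nxt] = (node, edge)
                queue.append(nxt)
    return None

def shadow_admins(edges, target="Domain Admins"):
    """Principals with a path to the target that are not direct members of it."""
    graph = build_graph(edges)
    direct = {s for s, e, d in edges if e == "MemberOf" and d == target}
    found = {}
    for src in sorted({s for s, _, _ in edges} - direct):
        path = shortest_path(graph, src, target)
        if path:
            found[src] = path
    return found
```

Real collector output is much larger, but the remediation logic is the same: the shortest paths returned here are the ACEs to remove first.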
### ADCS misconfigurations (ESC vulnerabilities)
Active Directory Certificate Services (ADCS) became an entirely new class of AD privilege escalation when SpecterOps published "Certified Pre-Owned", documenting the ESC (Escalation via Certificate Services) vulnerabilities. The two most common in enterprise environments are:
- ESC1: A certificate template allows the requester to specify the Subject Alternative Name AND allows any domain user to enroll. An attacker requests a certificate for a domain admin account, uses it for PKINIT Kerberos authentication, and obtains a TGT as that domain admin without ever knowing the password.
- ESC8: ADCS web enrollment (CES/CEP) is enabled and vulnerable to NTLM relay. An attacker relays a domain controller's authentication to the CA web enrollment endpoint, obtains a certificate for the DC, and uses it for DCSync to extract all domain hashes.
These vulnerabilities are extremely common in environments that deployed ADCS several years ago, before these attack classes were documented. Lorikeet Security finds exploitable ADCS configurations in the majority of the enterprise AD environments it assesses.
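An added example (not Certipy's or BloodHound's code) of the ESC1 check a defender can run over exported template attributes: it tests the two preconditions named above plus the other conditions that make the certificate usable for logon (an authentication EKU, no manager approval, no authorized signatures). The flag values are the documented bits of msPKI-Certificate-Name-Flag and msPKI-Enrollment-Flag; the dictionary keys are shorthand for those attributes and the templates themselves are constructed.

```python
# Bits in msPKI-Certificate-Name-Flag and msPKI-Enrollment-Flag respectively.
CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT = 0x00000001   # requester supplies the SAN
CT_FLAG_PEND_ALL_REQUESTS = 0x00000002           # CA manager approval required

# EKUs that a domain controller accepts for certificate (PKINIT) logon.
AUTH_EKUS = {
    "1.3.6.1.5.5.7.3.2",        # Client Authentication
    "1.3.6.1.5.2.3.4",          # PKINIT Client Authentication
    "1.3.6.1.4.1.311.20.2.2",   # Smart Card Logon
    "2.5.29.37.0",              # Any Purpose
}
LOW_PRIV = {"Domain Users", "Domain Computers", "Authenticated Users", "Everyone"}

def esc1_checks(t):
    """Each ESC1 precondition and whether the template meets it."""
    return {
        "enrollee supplies subject": bool(t["name_flag"] & CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT),
        "authentication EKU": not t["ekus"] or bool(t["ekus"] & AUTH_EKUS),  # no EKU = any use
        "no manager approval": not t["enrollment_flag"] & CT_FLAG_PEND_ALL_REQUESTS,
        "no authorized signatures": t["ra_signatures"] == 0,   # msPKI-RA-Signature
        "low-privileged enrollment": bool(t["enroll_rights"] & LOW_PRIV),
    }

def is_esc1(t):
    return all(esc1_checks(t).values())

def find_esc1(templates):
    """Names of templates meeting every ESC1 precondition."""
    return [t["name"] for t in templates if is_esc1(t)]

# Constructed templates: the first is the classic ESC1 shape, the rest each lack one condition.
TEMPLATES = [
    {"name": "VPNUser", "name_flag": 0x1, "enrollment_flag": 0x0, "ra_signatures": 0,
     "ekus": {"1.3.6.1.5.5.7.3.2"}, "enroll_rights": {"Domain Users"}},   # ESC1
    {"name": "VPNUser-Fixed", "name_flag": 0x0, "enrollment_flag": 0x0, "ra_signatures": 0,
     "ekus": {"1.3.6.1.5.5.7.3.2"}, "enroll_rights": {"Domain Users"}},   # SAN flag cleared
    {"name": "WebServer", "name_flag": 0x1, "enrollment_flag": 0x0, "ra_signatures": 0,
     "ekus": {"1.3.6.1.5.5.7.3.1"}, "enroll_rights": {"Domain Users"}},   # Server Auth only
    {"name": "Approved", "name_flag": 0x1, "enrollment_flag": 0x2, "ra_signatures": 0,
     "ekus": set(), "enroll_rights": {"Domain Users"}},                    # manager approval
]
```

The remediation in the table, clearing CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT, is the VPNUser to VPNUser-Fixed change; restricting enrollment rights or requiring manager approval also breaks the chain.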
### Unconstrained and constrained delegation
Kerberos delegation allows services to act on behalf of users. Unconstrained delegation, the legacy setting that lets a service impersonate any user who authenticates to it against any other service, is extremely dangerous. A host with unconstrained delegation stores the TGT of every account that authenticates to it; if an attacker controls such a host and can coerce a domain controller into authenticating to it (via PrinterBug, PetitPotam, or similar techniques), they capture the domain controller's TGT, enabling full domain compromise.
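An added example (not SharpHound's or BloodHound's code) of the delegation inventory recommended later in this post: it classifies accounts from the documented userAccountControl bits and msDS-AllowedToDelegateTo, exempts domain controllers from the unconstrained finding because they hold that setting by design, and reports privileged accounts that are still delegatable. The account records are constructed.

```python
# userAccountControl bits (values as documented by Microsoft).
NORMAL_ACCOUNT = 0x200
WORKSTATION_TRUST_ACCOUNT = 0x1000
SERVER_TRUST_ACCOUNT = 0x2000               # domain controllers
TRUSTED_FOR_DELEGATION = 0x80000            # unconstrained delegation
NOT_DELEGATED = 0x100000                    # "sensitive and cannot be delegated"
TRUSTED_TO_AUTH_FOR_DELEGATION = 0x1000000  # constrained with protocol transition

# Constructed accounts: uac = userAccountControl, allowed_to = msDS-AllowedToDelegateTo.
ACCOUNTS = [
    {"sam": "DC01$", "uac": SERVER_TRUST_ACCOUNT | TRUSTED_FOR_DELEGATION, "allowed_to": []},
    {"sam": "LEGACYWEB$", "uac": WORKSTATION_TRUST_ACCOUNT | TRUSTED_FOR_DELEGATION, "allowed_to": []},
    {"sam": "svc_proxy", "uac": NORMAL_ACCOUNT | TRUSTED_TO_AUTH_FOR_DELEGATION,
     "allowed_to": ["cifs/fileserver01"]},
    {"sam": "svc_report", "uac": NORMAL_ACCOUNT, "allowed_to": ["http/sqlreports"]},
    {"sam": "da_admin", "uac": NORMAL_ACCOUNT, "allowed_to": []},
    {"sam": "da_secure", "uac": NORMAL_ACCOUNT | NOT_DELEGATED, "allowed_to": []},
]

def delegation_type(acct):
    uac = acct["uac"]
    if uac & TRUSTED_FOR_DELEGATION:
        return "unconstrained"
    if acct["allowed_to"]:
        if uac & TRUSTED_TO_AUTH_FOR_DELEGATION:
            return "constrained (protocol transition)"
        return "constrained"
    return "none"

def delegation_findings(accounts, privileged):
    """(sAMAccountName, finding) pairs. Domain controllers are exempt from the
    unconstrained check because they hold that setting by design."""
    findings = []
    for a in accounts:
        kind = delegation_type(a)
        is_dc = bool(a["uac"] & SERVER_TRUST_ACCOUNT)
        if kind == "unconstrained" and not is_dc:
            findings.append((a["sam"], "unconstrained delegation on a non-DC; migrate to "
                                       "constrained or resource-based constrained delegation"))
        elif kind == "constrained (protocol transition)":
            findings.append((a["sam"], "protocol transition lets the service impersonate users "
                                       "who never authenticated to it; review targets: "
                                       + ", ".join(a["allowed_to"])))
        if a["sam"] in privileged and not a["uac"] & NOT_DELEGATED:
            findings.append((a["sam"], "privileged account can be delegated; add to Protected "
                                       "Users or set 'sensitive and cannot be delegated'"))
    return findings
```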
## Attack Path Risk by Type
| Attack Path Type | Typical Frequency | Impact | Primary Remediation |
|---|---|---|---|
| ACL abuse (GenericAll/WriteDACL) | Very Common | Domain Admin via group manipulation | Quarterly ACL audit; remove over-permissive ACEs |
| Shadow admins via indirect ACLs | Very Common | Equivalent to Domain Admin | BloodHound-based ACL audit; Protected Users group |
| ADCS ESC1 (SAN abuse) | Common | Domain Admin via certificate impersonation | Disable CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT on templates; audit enrollment permissions |
| ADCS ESC8 (NTLM relay) | Common | Domain Admin via DC certificate relay | Disable HTTP enrollment; enable EPA; disable NTLM where possible |
| Unconstrained delegation | Common (legacy) | Domain Admin via TGT capture | Migrate to constrained or resource-based constrained delegation |
| Kerberoastable service accounts | Very Common | Service account password hash → lateral movement | gMSA for service accounts; AES-only encryption; long random passwords |
## Running BloodHound Defensively
The most immediate value of BloodHound for a defender is running it yourself before an attacker does. From a domain user account — representing the starting point of any phishing-initiated breach — BloodHound will identify all paths to Domain Admin reachable from that starting position. The remediation priority is straightforward: close the shortest paths first.
A structured AD security review with BloodHound as part of the toolset includes: enumerating all paths from domain users to Domain Admin, identifying Tier 0 assets, assessing the ADCS configuration with Certipy, inventorying unconstrained delegation, and enumerating Kerberoastable service accounts. This is a component of Lorikeet Security's Active Directory penetration testing service, which includes an AD hardening report alongside the attack demonstration.
### Priority remediations
- Implement tiered administration. Tier 0 (domain controllers and AD itself), Tier 1 (servers and applications), and Tier 2 (workstations and users) should have strict separation — Tier 0 credentials should never touch Tier 1 or Tier 2 systems.
- Add privileged accounts to Protected Users. The Protected Users security group prevents credential caching, NTLM authentication, Kerberos delegation, and long-lived tickets for member accounts. Domain Admins and sensitive service accounts should be in this group; because membership blocks NTLM and delegation, pilot it with service accounts first so that any service still depending on those protocols is found before it breaks.
- Run quarterly ACL audits. ACL creep is persistent — permissions accumulate through application deployments, temporary grants, and AD administration mistakes. Regular BloodHound-based ACL reviews should be a standard security operations activity.
- Audit ADCS templates immediately. Use Certipy to enumerate all certificate templates for ESC vulnerabilities. This is a quick assessment that frequently reveals immediate critical-severity findings.
Does your Active Directory have paths to Domain Admin you don't know about?
Lorikeet Security's Active Directory penetration testing uses BloodHound and comprehensive AD analysis to find the attack paths in your environment — and the remediation guidance to close them.