
Active Directory Attack Paths
What Red Teams Love, What Blue Teams Miss, and the Danger Lurking Between the Lines
Every Active Directory environment believes it knows where the danger is. Domain Admins are protected like crown jewels. Tier 0 systems are locked down. Everyone feels reasonably confident. Meanwhile, red teams are smiling quietly, because they are not interested in the front door. They are already walking around the side of the building, checking which windows were left cracked open in 2013.
Attack paths are not exploits. They are relationships. They are the natural consequence of trust, delegation, convenience, and time. Active Directory does not get breached in dramatic explosions. It gets compromised by politely following the rules you gave it years ago.
Blue teams tend to guard the obvious. High-privilege groups are monitored. Admin logons are audited. Alerts fire when someone touches the wrong object. All of that matters, but it assumes attackers will behave like administrators. They will not. Attackers behave like interns with patience.
Red teams start with what works, not what is important. They look for credentials that authenticate broadly, not necessarily powerfully. A service account that logs into many servers is more interesting than a Domain Admin that logs into none. An account with local admin on fifty machines is a ladder, not a footnote.
Delegation is a favorite hiding place. Not the clean, well-documented kind, but the quiet delegations that were created to “let the app manage itself.” Reset password rights on a user. Write access to a group. Modify permissions on an OU that contains something more important than anyone remembers. These rights don’t trigger alarms. They trigger opportunity.
Red teams also love inheritance. They know that permissions flow downward and that nobody checks the bottom. A carefully placed permission on an upper OU can grant access to objects far below it. Blue teams look at the crown jewels. Red teams look at the plumbing.
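The "quiet delegations" and inherited OU rights described in the two paragraphs above can be audited from the defender's side. The script below is an added example, not code from the original post: it lists reset-password, group-membership and full-control rights held by non-admin principals on OUs, groups and users, and marks which of them flowed down from a parent OU. It assumes the RSAT ActiveDirectory module; `Find-QuietDelegation` and `$expectedPrincipals` are names chosen here.

```powershell
# Added example: surface non-default delegations and show which were inherited.
# Assumes the RSAT ActiveDirectory module and read access to the directory.
Import-Module ActiveDirectory

# Principals that legitimately hold these rights; everything else gets reviewed.
$expectedPrincipals = 'NT AUTHORITY\SYSTEM', 'NT AUTHORITY\SELF', 'CREATOR OWNER',
                      'BUILTIN\Administrators', 'Domain Admins', 'Enterprise Admins'
# Well-known schema GUIDs for the two rights the essay singles out.
$resetPasswordGuid = [guid]'00299570-246d-11d0-a768-00aa006e0529'  # User-Force-Change-Password
$memberAttrGuid    = [guid]'bf9679c0-0de6-11d0-a285-00aa003049e2'  # "member" attribute

function Find-QuietDelegation {
    param([string]$SearchBase = (Get-ADDomain).DistinguishedName)

    $filter = '(|(objectClass=organizationalUnit)(objectClass=group)(objectClass=user))'
    foreach ($obj in Get-ADObject -LDAPFilter $filter -SearchBase $SearchBase) {
        $acl = Get-Acl -Path ("AD:\" + $obj.DistinguishedName)
        foreach ($ace in $acl.Access) {
            if ($ace.AccessControlType -ne 'Allow') { continue }
            $who = $ace.IdentityReference.Value
            if ($expectedPrincipals | Where-Object { $who -like "*$_" }) { continue }

            $rights = $ace.ActiveDirectoryRights.ToString()
            $allObjectTypes = ($ace.ObjectType -eq [guid]::Empty)   # ACE is not scoped to one attribute/right
            $reason = $null
            if ($rights -match 'GenericAll|GenericWrite|WriteDacl|WriteOwner') {
                $reason = $rights                                   # control of the object or its ACL
            } elseif ($rights -match 'ExtendedRight' -and ($allObjectTypes -or $ace.ObjectType -eq $resetPasswordGuid)) {
                $reason = 'ResetPassword'                           # "let the app manage itself"
            } elseif ($rights -match 'WriteProperty' -and $allObjectTypes) {
                $reason = 'WriteAllProperties'
            } elseif ($rights -match 'WriteProperty' -and $ace.ObjectType -eq $memberAttrGuid) {
                $reason = 'WriteMember'                             # write access to a group
            }
            if (-not $reason) { continue }

            [pscustomobject]@{
                Object    = $obj.DistinguishedName
                Class     = $obj.ObjectClass
                Principal = $who
                Right     = $reason
                Inherited = $ace.IsInherited    # True: granted on an OU above and flowed down
            }
        }
    }
}

# Inherited = True rows are the "plumbing": review the parent OU, not just the object.
Find-QuietDelegation | Sort-Object Principal, Inherited | Format-Table -AutoSize
```

In a large domain, pass `-SearchBase` with one OU at a time; the run is one `Get-Acl` per object and is read-only.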
Then there are service accounts, the most overworked and underappreciated identities in the forest. Password never expires, used everywhere, owned by no one. Blue teams see them as infrastructure. Red teams see them as passports. If a service account can authenticate to multiple systems, it becomes a bridge. If it runs scheduled tasks or services, it often has more access than it needs and fewer eyes watching it.
Kerberos delegation is another quiet favorite. Configured to make life easier, rarely revisited, and almost never fully understood. When delegation is misconfigured, it allows attackers to impersonate users in ways that feel almost magical. Blue teams see delegation as a checkbox. Red teams see it as a costume closet.
Trust relationships are treated with reverence and fear, which ironically makes them perfect attack paths. No one wants to touch trusts because touching trusts breaks things. Red teams know this. They look for trust direction, transitivity, and legacy configurations that allow authentication to flow further than intended. A trust doesn’t have to be wrong to be dangerous. It just has to be forgotten.
Workstations are where the real action happens. Blue teams harden domain controllers and protect admin servers. Red teams compromise users, then watch where those users go. An admin logging into a workstation for convenience is a gift. One credential cache later, the attack path reveals itself like a trail of breadcrumbs through the forest.
Even monitoring tools can become camouflage. Alerts fire constantly, so the meaningful ones get lost. Red teams take advantage of noise. They move slowly, blending in with normal operations. A permission change here, a group membership there. Nothing dramatic. Nothing urgent. Just enough to build a path upward.
The most uncomfortable truth is that many attack paths are not mistakes. They are design decisions that made sense once. They exist because the business needed speed, flexibility, or uptime. Red teams don’t judge these decisions. They simply use them.
Understanding attack paths means thinking less like a defender of assets and more like an explorer of relationships. It means asking not who has the most power, but who can become powerful over time. It means tracing access the way an attacker would, patiently, creatively, and without respect for your org chart.
Blue teams miss attack paths because they are rarely obvious and never labeled. Red teams find them because they assume nothing is accidental and everything is connected.
Active Directory is not insecure because it is old. It is dangerous because it remembers everything you ever allowed.
And attackers are very good at reading history.