Active Directory attack path management: How to visualize, detect, and remediate attack paths

Objective

A help desk technician's account has been exposed in a phishing attempt. While this account does not have direct privileged access, the security team needs to assess whether an attacker could use it as an entry point to reach domain-level privileges.

Challenge

Manual investigation into nested group memberships, access control list permissions, and delegation settings is time-consuming and error-prone. The organization needs to quickly determine if the compromised help desk account is part of any attack path that leads to high-value targets like the Domain Admins or Enterprise Admins groups.

What is attack path management and how ADManager Plus can help

Attack path management is the process of identifying, visualizing, and mitigating the potential routes an attacker could use to move laterally through an AD environment to escalate privileges and gain access to sensitive resources. It involves analyzing group memberships, object relationships, and inheritance permissions to uncover hidden or risky links between AD objects and taking targeted actions to manage or eliminate these exposure paths.

Access Graph, a component of the risk exposure management feature in ADManager Plus, helps analyze attack paths, understand privilege relationships, and manage risky links. The security team can visualize the Access Graph of the compromised help desk account and take remediation measures from ADManager Plus.

How to visualize and analyze attack paths in ADManager Plus using Access Graph

  1. Log in to ADManager Plus.
  2. In the top-right corner, click AD Explorer.
  3. Expand the OU where the compromised help desk account is present.
  4. Click the help desk account and navigate to Entitlements > Access Graph.
  5. Select the privileged entity whose exposure you want to analyze.
  6. An Access Graph will then be displayed.
  7. Click an object to view details like permissions, scope, and more.
  8. Click the lines connecting objects to understand:
    • The nature of their relationship
    • The likelihood of exploitation
    • Recommended remediation steps

In this case, the Access Graph shows:

  • The help desk account is a member of a group called Support Group.
  • Support Group has write access to a server called SUPPORT-SRV1.
  • SUPPORT-SRV1 has an unconstrained delegation setting configured.
  • A privileged user called Backup Admin often logs in to SUPPORT-SRV1.
  • Backup Admin is a member of Backup Operators, which has custom delegated permissions on domain objects.

This chain of relationships results in a potential escalation to Domain Admins.

Remediating attack paths using ADManager Plus

After identifying risky links, the security team can take these remediation actions:

  • Entry point isolation: Review the group memberships of the help desk account and remove it from any non-essential groups, especially those with access to infrastructure (in this case, Support Group).

    To accomplish this:

    1. Go to AD Explorer and locate the user.
    2. Navigate to Entitlements > Group Membership.
    3. View all direct and nested memberships of the user.
    4. Click Modify User to remove the user from critical and non-essential groups.

    Alternatively, you can use ADManager Plus' predefined AD user reports to identify the groups a user belongs to. Here's how:

    1. Navigate to Reports > User Reports.
    2. Under Nested Reports, click Groups for Users.
    3. Select the domain and the help desk account.
    4. Click Generate to view all group memberships.
    5. Remove the user from high-risk groups as needed.
  • Harden the intermediate asset:
    • Remove unconstrained delegation from SUPPORT-SRV1 and replace it with constrained delegation if necessary.
    • Audit and restrict local admin access on SUPPORT-SRV1 to prevent privileged users from logging in.

    Use ADManager Plus' predefined AD computer reports to review the server's delegation settings and take the necessary actions:

    1. Navigate to Reports > Computer Reports.
    2. Under General Reports, click All Computers.
    3. Select the desired domains and click Generate.
    4. Search and locate the server to learn about its delegation settings.
  • Redesign group delegations:
    • Review and manage group membership details of the Backup Operators group using group membership reports in ADManager Plus.
    • Review permissions granted to this group and remove unnecessary permissions.

    To view and modify group memberships:

    1. Navigate to Reports > Group Reports.
    2. Under Member-based Reports, click Group Members.
    3. Select the desired domain and group.
    4. Click Generate to view group members.
    5. Select the members that you would like to remove and click Remove from group to manage them instantly.
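The attack path discovery described under "In this case, the Access Graph shows" and the remediation choices above can be reasoned about as a graph problem. The following Python script is an added example, not ADManager Plus code or output: it models the article's scenario as typed edges (constructed sample data), enumerates every route from the help desk account to Domain Admins, reports each hop with an assumed likelihood rating and remediation hint in the spirit of the Access Graph line details, and identifies the "choke point" edges shared by every route. It goes slightly beyond the article by adding an assumed second group, IT Staff, with the same write access, to show why hardening the intermediate asset breaks all routes while removing one group membership does not.

```python
from collections import defaultdict

# Constructed sample data modelling the Access Graph described in the article.
# Each edge is (source, relationship, target). The relationship labels and the
# "IT Staff" group are illustrative assumptions, not ADManager Plus output.
EDGES = [
    ("helpdesk.user", "MemberOf", "Support Group"),
    ("helpdesk.user", "MemberOf", "IT Staff"),            # assumed second route
    ("helpdesk.user", "MemberOf", "Domain Users"),        # benign, leads nowhere
    ("Support Group", "WriteAccess", "SUPPORT-SRV1"),
    ("IT Staff", "WriteAccess", "SUPPORT-SRV1"),
    ("SUPPORT-SRV1", "UnconstrainedDelegationSession", "Backup Admin"),
    ("Backup Admin", "MemberOf", "Backup Operators"),
    ("Backup Operators", "DelegatedPermissions", "Domain Admins"),
]

# Assumed likelihood rating and remediation per relationship type, mirroring the
# three things the article says each connecting line explains.
RELATIONSHIP_INFO = {
    "MemberOf": ("medium", "remove the principal from the group if membership is not essential"),
    "WriteAccess": ("high", "restrict write permissions on the object to its owning team"),
    "UnconstrainedDelegationSession": ("high", "replace unconstrained delegation with constrained "
                                               "delegation and stop privileged logons to the host"),
    "DelegatedPermissions": ("high", "review the delegated rights and remove unnecessary permissions"),
}


def build_graph(edges):
    """Adjacency list: node -> list of (relationship, target)."""
    graph = defaultdict(list)
    for src, rel, dst in edges:
        graph[src].append((rel, dst))
    return graph


def find_paths(edges, source, target):
    """Return every simple path from source to target as a list of edges."""
    graph = build_graph(edges)
    paths = []

    def walk(node, visited, path):
        if node == target:
            paths.append(list(path))
            return
        for rel, nxt in graph.get(node, []):
            if nxt in visited:          # cycle guard: nested groups can loop
                continue
            visited.add(nxt)
            path.append((node, rel, nxt))
            walk(nxt, visited, path)
            path.pop()
            visited.remove(nxt)

    walk(source, {source}, [])
    return paths


def choke_points(paths):
    """Edges present in every path: cutting any one of them breaks all routes."""
    if not paths:
        return set()
    common = set(paths[0])
    for path in paths[1:]:
        common &= set(path)
    return common


def explain(path):
    """Describe each hop: nature, likelihood, and recommended remediation."""
    lines = []
    for src, rel, dst in path:
        likelihood, fix = RELATIONSHIP_INFO[rel]
        lines.append(f"{src} --[{rel}, likelihood {likelihood}]--> {dst}: {fix}")
    return lines


def remove_edges(edges, to_remove):
    """Apply a remediation by dropping the selected edges from the graph."""
    return [e for e in edges if e not in to_remove]


if __name__ == "__main__":
    paths = find_paths(EDGES, "helpdesk.user", "Domain Admins")
    print(f"{len(paths)} attack path(s) from helpdesk.user to Domain Admins")
    for path in paths:
        print("\n".join(explain(path)), end="\n\n")
    print("Choke points (cut any one of these to break every path):")
    for edge in sorted(choke_points(paths)):
        print("  ", edge)
    # Harden the intermediate asset: remove unconstrained delegation on SUPPORT-SRV1.
    hardened = remove_edges(EDGES, {("SUPPORT-SRV1", "UnconstrainedDelegationSession", "Backup Admin")})
    print("Paths after remediation:", len(find_paths(hardened, "helpdesk.user", "Domain Admins")))
```

Running the script lists two five-hop routes to Domain Admins, shows that only the hops from SUPPORT-SRV1 onward are shared by both, and confirms that removing the unconstrained delegation edge leaves zero paths, whereas removing the help desk account from Support Group alone leaves the route through the assumed IT Staff group intact. In a real assessment the edge list would come from the Access Graph or AD reports rather than being typed in by hand.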

Outcome

The Access Graph in ADManager Plus simplifies complex privilege relationships and enables fast, accurate remediation, significantly reducing risk exposure to critical infrastructure. This approach reduces the exposure of the help desk account and helps break a lateral movement chain before it can be exploited.
