Attack Path - Angriffspfad
An attack path is the sequence of vulnerabilities, misconfigurations, and permissions that an attacker exploits to move from an initial access point to a target (e.g., domain admin, database). Attack path analysis using tools such as BloodHound, Microsoft Security Exposure Management, and XM Cyber identifies and prioritizes these paths for remediation.
Attack paths are the difference between "we have 5,000 CVEs" and "which 3 vulnerabilities do we need to patch today to protect domain admin accounts." A single compromised endpoint is often harmless on its own, but as the starting point of an attack path to critical systems it becomes the primary threat. Attack path analysis makes invisible risk chains visible.
Attack Path Concept
Attack Path – from Initial Access to Critical Asset:
Typical Ransomware Attack Path:
Phishing email
↓ (T1566.001: Spearphishing Attachment)
Malware on marketing laptop (Initial Access)
↓ (T1059.001: PowerShell)
Credential Dumping (LSASS)
↓ (T1003.001: OS Credential Dumping)
Local Admin Password (reused!)
↓ (T1021.002: SMB)
Lateral Movement to Dev Server
↓ (T1078: Valid Accounts)
Service account with AD group permissions
↓ (T1558.003: Kerberoasting)
Domain Admin (Kerberoasting of the service account)
↓
DCSync → all hashes → Ransomware Deployment
Attack path length:
Short paths (2–3 steps): most critical risks
→ "Compromised user → Local admin → DA in 2 steps"
→ Fix immediately!
Long paths (8–12 steps): Long-term risks
→ More difficult for attackers (more effort, more noise)
→ Lower priority
APT-typical paths: long paths, slow, stealthy
→ Months between initial access and DA
→ Detection is the goal (not prevention alone)
Attack path elements:
Nodes: Assets, users, groups, systems, services
Edges: Relationships and opportunities between nodes
→ "MemberOf" (user is a member of a group)
→ "HasSession" (User has an active session on the server)
→ "CanRDP" (can RDP to this system)
→ "WriteDacl" (can modify the object’s ACLs!)
→ "GenericAll" (full control over the object)
→ "AllExtendedRights" (can perform a password reset!)
BloodHound - Attack Path Analysis Tool
BloodHound (Open Source, SpecterOps):
→ Graph-based representation of AD attack paths
→ SharpHound collects AD data → BloodHound visualizes it
→ Cypher query language for complex queries
SharpHound data collection:
# Only for your own AD with permission!
Import-Module .\SharpHound.ps1
Invoke-BloodHound -CollectionMethod All -Domain firma.de
# Creates a ZIP file with JSON files → import into BloodHound
# Alternative (more targeted, less noise):
.\SharpHound.exe --CollectionMethod DCOnly --Domain firma.de
# DCOnly: query only domain controllers (less network traffic)
BloodHound Community Edition (CE):
# Official quick start: a Docker Compose stack (BloodHound API/UI, PostgreSQL, Neo4j)
curl -L https://ghst.ly/getbhce | docker compose -f - up
# UI: http://localhost:8080/ui/login
# The initial admin password is printed in the bloodhound container log on first start.
# Ports 7474/7687 belong to the bundled Neo4j (direct Cypher access), not to the BloodHound UI.
BloodHound Cypher Queries (most important; Cypher comments use //):
// All paths to Domain Admins:
MATCH (n:User),(m:Group {name:"DOMAIN ADMINS@FIRMA.DE"})
MATCH p=shortestPath((n)-[*1..]->(m))
RETURN p
// Kerberoastable accounts (SPN set) with a path to DA:
MATCH (u:User {hasspn:true}),(da:Group {name:"DOMAIN ADMINS@FIRMA.DE"})
MATCH p=shortestPath((u)-[*1..]->(da))
RETURN u.name, length(p) AS hops
ORDER BY hops
// Non-admin users with local admin rights (lateral movement!):
MATCH (u:User)-[:AdminTo]->(c:Computer)
WHERE NOT u.admincount
RETURN u.name, c.name
// Uncontrolled GenericAll relationships:
MATCH (g:Group)-[:GenericAll]->(c:Computer)
WHERE g.name <> "DOMAIN ADMINS@FIRMA.DE"
RETURN g.name, c.name
// Paths with fewer than 3 hops to DA:
MATCH (n:User),(da:Group {name:"DOMAIN ADMINS@FIRMA.DE"})
MATCH p=shortestPath((n)-[*1..3]->(da))
RETURN n.name, length(p) AS hops, p
ORDER BY hops
BloodHound Pre-built Analyses:
→ "Shortest Paths to Domain Admins": most dangerous paths
→ "Shortest Paths from Kerberoastable Users": Kerberoasting risk
→ "Shortest Paths to Unconstrained Delegation": Kerberos attack
→ "Find Principals with DCSync Rights": who can exfiltrate hashes?
Commercial Attack Path Tools
Microsoft Security Exposure Management (MSEM):
→ Part of Microsoft Defender (since 2024)
→ Native Integration: Entra ID, Defender for Endpoint, Sentinel
→ Attack Path Types: On-Prem AD, Azure, M365
→ KQL-based queries on attack paths
→ Choke Points: Nodes that bundle many paths → high remediation priority
# Microsoft Graph API:
GET https://graph.microsoft.com/beta/security/attackSimulation/...
XM Cyber:
→ Continuous Attack Path Simulation
→ Simulates thousands of attack paths daily
→ Prioritization: Which assets (choke points) eliminate the most paths?
→ Integration: Tenable, Qualys, ServiceNow
Pentera:
→ Automated penetration testing with a focus on attack paths
→ Performs actual exploitation (not just simulated)
→ Validates whether a path is actually exploitable (no false positives)
→ Difference from BAS: actual exploitation (not just simulation)
Tenable Attack Path Analysis:
→ Integrated into Tenable.io / Tenable One
→ Combines vulnerability data + AD structure + asset context
→ "Blast Radius": What could an attacker reach from this asset?
Decision Matrix for Attack Path Tools:
BloodHound CE: Free, AD-specific, manual analysis
XM Cyber: Enterprise, continuous, cloud + on-prem
Pentera: Validated exploitation, expensive
MSEM: Microsoft ecosystem, integrated into Defender
Attack Path Remediation
Prioritization: Eliminate choke points:
Choke point = Node through which many attack paths pass
→ Remediating a single point blocks many paths simultaneously!
Typical Choke Points:
1. Service accounts with high privileges and weak passwords
→ Fix: Rotate passwords + gMSA (Group Managed Service Account)
2. Systems with AdminTo edges to all other systems
→ Common: IT help desk account is a local admin everywhere
→ Fix: Least privilege, LAPS for local admin passwords
3. Groups with GenericAll permissions on other critical groups
→ Sometimes: "IT Team" can modify the AD group "Domain Admins"!
→ Fix: Clean up ACLs (rare problem, but critical!)
4. Systems with uncontrolled delegation
→ Unconstrained delegation: Computer can act on behalf of any user
→ Fix: Configure Constrained Delegation or RBCD
5. Reused local admin passwords
→ Without LAPS: all 200 computers have the same local admin password!
→ One compromised system → lateral movement to all
→ Fix: Enable LAPS (Local Administrator Password Solution)
Remediation workflow:
1. BloodHound/MSEM: Identify shortest paths to DA
2. Prioritize top 5 shortest paths
3. Identify choke points on each path
4. Remediation for each choke point
5. BloodHound re-scan: Is the path still present?
6. Iterate until no paths under 5 hops to DA!
KPIs for Attack Path Management:
→ Number of paths to Domain Admin (Target: decreasing)
→ Shortest path to DA (Target: > 5 hops)
→ Number of choke points (Target: none with >100 paths passing through)
→ Time to remediate critical choke points: < 30 days
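The attack path model (nodes and edges), the choke point prioritization, the remediation workflow and the KPIs above, worked through in code. This is an added example, not code from the page, from BloodHound or from SpecterOps: the graph is constructed sample data whose node and edge names follow BloodHound conventions (MemberOf, CanRDP, HasSession, AdminTo, GenericAll, WriteDacl), a breadth-first search finds each user's shortest path to Domain Admins, choke points are ranked by how many of those paths run through them, and a fix is modelled as removing the edges a node can be pivoted through (ACL cleanup, LAPS, password rotation plus gMSA). The loop repeats identify, fix and re-scan until no path of fewer than 5 hops remains, which is the iteration criterion from the workflow.

```python
"""Attack-path analysis over a BloodHound-style directed graph (added example)."""
from collections import Counter, deque

TARGET = "DOMAIN ADMINS@FIRMA.DE"

# Constructed sample data, not real AD output. Edge direction follows BloodHound:
# User -MemberOf-> Group, Group -CanRDP/AdminTo-> Computer,
# Computer -HasSession-> User, Principal -GenericAll/WriteDacl-> Object.
EDGES = [
    ("alice@FIRMA.DE", "MemberOf", "MARKETING@FIRMA.DE"),
    ("bob@FIRMA.DE", "MemberOf", "MARKETING@FIRMA.DE"),
    ("MARKETING@FIRMA.DE", "CanRDP", "MKT-LAPTOP01.FIRMA.DE"),
    ("MKT-LAPTOP01.FIRMA.DE", "HasSession", "helpdesk@FIRMA.DE"),
    ("helpdesk@FIRMA.DE", "MemberOf", "IT-HELPDESK@FIRMA.DE"),
    ("IT-HELPDESK@FIRMA.DE", "AdminTo", "DEV-SRV01.FIRMA.DE"),   # help desk is admin everywhere
    ("IT-HELPDESK@FIRMA.DE", "AdminTo", "DEV-SRV02.FIRMA.DE"),
    ("DEV-SRV01.FIRMA.DE", "HasSession", "svc_sql@FIRMA.DE"),
    ("DEV-SRV02.FIRMA.DE", "HasSession", "svc_sql@FIRMA.DE"),
    ("svc_sql@FIRMA.DE", "GenericAll", TARGET),                    # service account controls DA group
    ("carol@FIRMA.DE", "WriteDacl", TARGET),                       # direct ACL misconfiguration
    ("dave@FIRMA.DE", "MemberOf", "SALES@FIRMA.DE"),               # no path to DA
]
USERS = ["alice@FIRMA.DE", "bob@FIRMA.DE", "carol@FIRMA.DE",
         "dave@FIRMA.DE", "helpdesk@FIRMA.DE", "svc_sql@FIRMA.DE"]


def build_graph(edges):
    """Adjacency list: node -> [(edge_type, target), ...] in input order."""
    graph = {}
    for src, rel, dst in edges:
        graph.setdefault(src, []).append((rel, dst))
        graph.setdefault(dst, [])
    return graph


def shortest_path(graph, start, target):
    """Breadth-first search; returns the node list start..target, or None."""
    parent = {start: None}
    queue = deque([start])
    while queue:
        node = queue.popleft()
        if node == target:
            path = []
            while node is not None:
                path.append(node)
                node = parent[node]
            return path[::-1]
        for _rel, nxt in graph.get(node, []):
            if nxt not in parent:
                parent[nxt] = node
                queue.append(nxt)
    return None


def hops(path):
    """Attack path length in steps (edges)."""
    return len(path) - 1


def paths_to_target(graph, users, target=TARGET):
    """Map each user to its shortest path to the target; unreachable users are omitted."""
    found = {}
    for user in users:
        path = shortest_path(graph, user, target)
        if path:
            found[user] = path
    return found


def choke_points(paths):
    """Rank nodes by how many shortest paths run through them (target excluded).
    Ties go to the node closest to the target, since fixing the last pivot
    blocks everything upstream of it; then by name for determinism."""
    count, dist = Counter(), {}
    for path in paths.values():
        for i, node in enumerate(path[:-1]):
            count[node] += 1
            dist[node] = min(dist.get(node, 99), hops(path) - i)
    return sorted(count.items(), key=lambda kv: (-kv[1], dist[kv[0]], kv[0]))


def remediate(graph, node):
    """Model a fix as removing every edge the node can be pivoted through; returns a new graph."""
    return {n: ([] if n == node else list(adj)) for n, adj in graph.items()}


def kpis(paths, max_hops=5):
    """The KPIs from the page: path count, shortest path, paths under max_hops."""
    lengths = [hops(p) for p in paths.values()]
    return {"paths_to_da": len(lengths),
            "shortest_hops": min(lengths) if lengths else None,
            "paths_under_%d_hops" % max_hops: sum(1 for h in lengths if h < max_hops)}


def remediation_loop(graph, users, target=TARGET, max_hops=5):
    """Identify -> fix top choke point -> re-scan, until no path under max_hops remains."""
    fixed = []
    while True:
        short = {u: p for u, p in paths_to_target(graph, users, target).items()
                 if hops(p) < max_hops}
        if not short:
            return fixed, graph
        top, _ = choke_points(short)[0]
        graph = remediate(graph, top)
        fixed.append(top)


if __name__ == "__main__":
    g = build_graph(EDGES)
    found = paths_to_target(g, USERS)
    for user, path in sorted(found.items(), key=lambda kv: hops(kv[1])):
        print("%d hops: %s" % (hops(path), " -> ".join(path)))
    print("KPIs before:", kpis(found))
    print("Choke points:", choke_points(found)[:3])
    fixed, g2 = remediation_loop(g, USERS)
    print("Remediated:", fixed, "| KPIs after:", kpis(paths_to_target(g2, USERS)))
```

Running it shows the pattern the page describes: the marketing laptop path is 7 hops long, but the service account one hop from Domain Admins sits on four of the five paths, so fixing that single ACL removes every long path at once; only the direct WriteDacl holder remains for the second iteration.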