Author: Santhosh Sivarajan, Microsoft MVP
GitHub: https://github.com/SanthoshSivarajan/AttackPathCanvas
I started working on this as a concept and a fun project. The idea came from the data I was already collecting with DelegationCanvas and NHICanvas - I wanted to see if I could visualize the attack paths hidden in that data. What began as a quick experiment turned into something much more comprehensive than I originally planned.
I haven't decided whether to continue developing this or stop here. There are many possibilities - especially if you are a developer and can take the collected data further with better visualizations, interactive graphs, or integration with other tools. I am not a developer, so this may be where I stop, but it was a fun project and I learned a lot building it.
AttackPathCanvas discovers and visualizes identity attack paths in your Active Directory forest. It analyzes privileged group membership chains, dangerous delegation escalation paths, Kerberos delegation abuse, DCSync capabilities, trust weaknesses, and more -- then produces an interactive HTML report with SVG attack path diagrams and step-by-step attack scenario analysis.
Think of it as a lightweight, single-script tool whose only output is a single HTML file.
- Direct and recursive membership in 9 Tier 0 groups across all domains
- Service accounts in admin groups (credential theft risk)
- Disabled accounts still in admin groups (re-enable attack)
- Nested group expansion with effective user counts
- Full recursive chain expansion up to 10 levels deep
- Discovers hidden admins buried in group nesting (e.g., User -> Group1 -> Group2 -> Group3 -> Domain Admins)
- Multi-hop SVG visualization showing the complete path
- GenericAll, WriteDACL, WriteOwner (full control / permission escalation)
- GenericWrite (broad attribute modification)
- Sensitive property writes: member, servicePrincipalName, msDS-KeyCredentialLink, msDS-AllowedToActOnBehalfOfOtherIdentity, userAccountControl, pwdLastSet
- ExtendedRight on All or Replication (DCSync via delegation)
- Tier 0 OU targeting (Domain Controllers, Admin, Privileged OUs)
- Non-admin principals with GPO edit permissions
- GPOs linked to Domain Controllers and Tier 0 OUs flagged as critical
- GPO modification = code execution on every system in scope
- Unconstrained delegation (TGT capture risk)
- Constrained delegation with/without protocol transition (S4U abuse)
- Resource-Based Constrained Delegation (RBCD)
- Delegation to DC services flagged as critical
- Non-default accounts with Replicating Directory Changes on domain root
- Full DCSync capability detection (both replication rights present)
- Entra Connect sync account identification
- SID filtering status on all trusts
- Selective authentication configuration
- TGT delegation across trust boundaries
- External vs forest trust risk differentiation
- All accounts protected by AdminSDHolder (AdminCount=1)
- Admin accounts with SPNs (Kerberoastable by any domain user)
- AS-REP Roastable accounts (pre-authentication disabled)
- SID History abuse (historical SIDs from migrations)
- Stale admin accounts (90+ days inactive, still enabled)
- KRBTGT password age (Golden Ticket persistence risk)
- Machine Account Quota (RBCD attack enablement)
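The nested-chain expansion described above (recursive membership up to 10 levels, hidden admins such as User -> Group1 -> Group2 -> Group3 -> Domain Admins, effective user counts) as an added PowerShell example; this is not AttackPathCanvas's own code. It runs offline over a constructed in-memory membership map: in a real run `$Members` would be filled from each group's `member` attribute (for example via `Get-ADGroup` / `Get-ADGroupMember`), and the group names, user names and `$MaxDepth` value below are assumptions.

```powershell
# Added example (not AttackPathCanvas code): recursive group-chain expansion with
# depth tracking, cycle handling and effective-user counts, over constructed data.

# Constructed sample: group name -> direct members (users or other groups).
# A real run would populate this from each group's 'member' attribute.
$Members = @{
    'Domain Admins'     = @('Administrator', 'Group3')
    'Enterprise Admins' = @('Administrator')
    'Group3'            = @('Group2', 'svc_backup')
    'Group2'            = @('Group1')
    'Group1'            = @('alice', 'Group2')   # Group1 <-> Group2 loop: exercises the cycle guard
}
$Tier0Groups = @('Domain Admins', 'Enterprise Admins')   # assumed subset of the 9 Tier 0 groups
$MaxDepth    = 10                                        # chain expansion limit, as in the README

function Expand-GroupChain {
    # Walks $Group's members; $Path is the chain from the Tier 0 group down to $Group.
    param([string]$Group, [string[]]$Path = @(), [int]$Depth = 0)

    if ($Depth -ge $MaxDepth) { return }        # depth limit
    if ($Path -contains $Group) { return }       # cycle guard: group already on this chain
    $Chain = @($Path) + $Group

    foreach ($m in $Members[$Group]) {
        if ($Members.ContainsKey($m)) {
            # Nested group: descend one level
            Expand-GroupChain -Group $m -Path $Chain -Depth ($Depth + 1)
        } else {
            # Leaf principal: emit the user-first chain, e.g. alice -> Group1 -> ... -> Domain Admins
            $userFirst = @($m) + $Chain[($Chain.Count - 1)..0]
            [pscustomobject]@{
                Principal  = $m
                Tier0Group = $Chain[0]
                Depth      = $Depth + 1                 # hops from the principal to the Tier 0 group
                Chain      = $userFirst -join ' -> '
            }
        }
    }
}

$Paths = foreach ($g in $Tier0Groups) { Expand-GroupChain -Group $g }

# Direct members have Depth 1; anything deeper is a "hidden admin" reached through nesting.
$Paths | Sort-Object Tier0Group, Depth | Format-Table Tier0Group, Principal, Depth, Chain -AutoSize

# Effective (de-duplicated) user count and deepest chain per Tier 0 group
$Paths | Group-Object Tier0Group | ForEach-Object {
    [pscustomobject]@{
        Group          = $_.Name
        EffectiveUsers = @($_.Group.Principal | Sort-Object -Unique).Count
        DeepestChain   = ($_.Group.Depth | Measure-Object -Maximum).Maximum
    }
} | Format-Table -AutoSize
```

With the constructed data, `alice` surfaces at depth 4 under Domain Admins while `Administrator` appears at depth 1 under both Tier 0 groups; the Group1/Group2 loop is walked once and then cut by the cycle guard, so the depth limit alone is never relied on to stop the recursion.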
Automated detection of 16 attack scenario types with step-by-step exploitation paths:
| Scenario | Severity |
|---|---|
| Service Account with Admin Privileges | Critical |
| Disabled Accounts in Privileged Groups | High |
| Non-Admin Delegation to Tier 0 Objects | Critical |
| Permission Escalation via WriteDACL/WriteOwner | Critical |
| Credential Attack Paths (Shadow Creds / RBCD / Kerberoast) | High |
| Excessive Domain Admins | High |
| Misused Built-In Groups (Account/Server/Print/Backup Operators) | Critical |
| GPO Modification on Tier 0 Systems | Critical |
| Unconstrained Kerberos Delegation | Critical |
| Non-Default DCSync-Capable Accounts | Critical |
| Trust Security Weaknesses | Critical/High |
| Kerberoastable Privileged Accounts | Critical |
| Hidden Admins via Nested Group Chains | Critical |
| AS-REP Roastable Accounts | Critical/High |
| SID History Privilege Escalation | Critical/High |
| Stale Privileged Accounts | Critical/High |
| KRBTGT Password Not Rotated | Critical/High |
| Machine Account Quota Enables RBCD Attacks | High |
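Several of the scenarios in the table above (Kerberoastable privileged accounts, AS-REP roastable accounts, unconstrained delegation, stale privileged accounts, KRBTGT password age) reduce to checks on a handful of account attributes. The following added PowerShell example, which is not AttackPathCanvas's own code, runs those checks over constructed account records shaped like `Get-ADUser -Properties` output; the account names, `userAccountControl` values, dates and the 180-day KRBTGT threshold are assumptions (the page gives only the 90-day stale threshold), and where the table says Critical/High the example assumes Critical for `adminCount=1` accounts.

```powershell
# Added example (not AttackPathCanvas code): attribute triage behind several of the
# scenarios above, run over constructed account records instead of Get-ADUser output.

# userAccountControl bits (standard AD values)
$UF_ACCOUNTDISABLE         = 0x0002
$UF_TRUSTED_FOR_DELEGATION = 0x80000    # unconstrained delegation
$UF_DONT_REQUIRE_PREAUTH   = 0x400000   # AS-REP roastable

$StaleDays     = 90    # from the README: 90+ days inactive, still enabled
$KrbtgtMaxDays = 180   # assumed threshold; the page states no specific age

$Now = Get-Date '2025-06-01'   # fixed clock so the constructed sample is reproducible

# Constructed sample records (attribute names follow the ones the README relies on)
$Accounts = @(
    [pscustomobject]@{ Name='svc_sql';    adminCount=1; servicePrincipalName=@('MSSQLSvc/db01.contoso.local:1433'); userAccountControl=0x10200;  pwdLastSet=$Now.AddDays(-30);  lastLogonDate=$Now.AddDays(-2)   }
    [pscustomobject]@{ Name='legacy_app'; adminCount=0; servicePrincipalName=@();                                   userAccountControl=0x400200; pwdLastSet=$Now.AddDays(-200); lastLogonDate=$Now.AddDays(-1)   }
    [pscustomobject]@{ Name='bob.admin';  adminCount=1; servicePrincipalName=@();                                   userAccountControl=0x200;    pwdLastSet=$Now.AddDays(-60);  lastLogonDate=$Now.AddDays(-120) }
    [pscustomobject]@{ Name='old.admin';  adminCount=1; servicePrincipalName=@();                                   userAccountControl=0x202;    pwdLastSet=$Now.AddDays(-60);  lastLogonDate=$Now.AddDays(-400) }  # disabled: not reported as stale
    [pscustomobject]@{ Name='WEB01$';     adminCount=0; servicePrincipalName=@('HOST/web01');                       userAccountControl=0x81000;  pwdLastSet=$Now.AddDays(-10);  lastLogonDate=$Now.AddDays(-1)   }
    [pscustomobject]@{ Name='krbtgt';     adminCount=1; servicePrincipalName=@('kadmin/changepw');                  userAccountControl=0x202;    pwdLastSet=$Now.AddDays(-900); lastLogonDate=$null              }
)

function Get-AccountFindings {
    param([object[]]$Accounts, [datetime]$Now)
    foreach ($a in $Accounts) {
        $uac     = [int]$a.userAccountControl
        $enabled = ($uac -band $UF_ACCOUNTDISABLE) -eq 0
        $isAdmin = $a.adminCount -eq 1
        $hasSpn  = @($a.servicePrincipalName).Count -gt 0
        # Where the table says Critical/High, Critical is assumed for adminCount=1 accounts
        $tierSev = if ($isAdmin) { 'Critical' } else { 'High' }

        $emit = { param($Finding, $Severity)
            [pscustomobject]@{ Account = $a.Name; Finding = $Finding; Severity = $Severity } }

        if ($a.Name -eq 'krbtgt') {
            $age = ($Now - $a.pwdLastSet).Days
            if ($age -gt $KrbtgtMaxDays) { & $emit "KRBTGT password not rotated ($age days)" 'Critical' }
            continue   # krbtgt is disabled by design; the remaining checks do not apply to it
        }
        if ($enabled -and $isAdmin -and $hasSpn) {
            & $emit 'Kerberoastable privileged account (SPN + adminCount=1)' 'Critical'
        }
        if ($enabled -and ($uac -band $UF_DONT_REQUIRE_PREAUTH)) {
            & $emit 'AS-REP roastable (pre-authentication disabled)' $tierSev
        }
        if ($uac -band $UF_TRUSTED_FOR_DELEGATION) {
            & $emit 'Unconstrained Kerberos delegation' 'Critical'
        }
        if ($enabled -and $isAdmin -and $a.lastLogonDate -and ($Now - $a.lastLogonDate).Days -ge $StaleDays) {
            & $emit "Stale privileged account ($(($Now - $a.lastLogonDate).Days) days inactive, still enabled)" 'Critical'
        }
    }
}

Get-AccountFindings -Accounts $Accounts -Now $Now | Format-Table -AutoSize
```

The Kerberoast and AS-REP checks are gated on the account being enabled, and the stale check on `adminCount=1`, so `old.admin` (disabled) produces no stale finding and `krbtgt` (disabled, SPN present) is only reported for password age; the constructed data yields one finding each for `svc_sql`, `legacy_app`, `bob.admin`, `WEB01$` and `krbtgt`.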
- Risk Summary -- Total paths with critical/high/medium breakdown
- Per-Domain Breakdown -- Domain-specific findings with tables
- Attack Path Diagram -- SVG visualization of critical paths with domain labels
- Multi-Hop Chain Diagram -- SVG visualization of nested group chains (up to 10 levels)
- Attack Scenarios -- Step-by-step exploitation analysis with remediation
- Critical Attack Paths -- All critical-risk paths in detail
- Principal Risk Profiles -- Top 25 principals ranked by blast radius
- GPO Attack Paths -- GPO edit permissions on sensitive OUs
- Nested Group Chains -- Full chain table with depth tracking
- Kerberos Delegation -- Unconstrained, constrained, and RBCD
- DCSync Accounts -- Non-default replication rights
- Trust Weaknesses -- SID filtering, selective auth, TGT delegation
- AdminSDHolder -- Protected accounts and Kerberoastable admins
- AS-REP Roastable -- Pre-authentication disabled accounts
- SID History -- Accounts carrying historical SIDs
- Stale Admins -- Inactive admin accounts still enabled
- KRBTGT Password Age -- Golden Ticket persistence risk
- Machine Account Quota -- RBCD attack enablement
- All Attack Paths -- Complete table of every discovered path
- Charts -- Risk distribution, categories, scenario severity, principal risk
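The DCSync section of the report rests on one ACL check: a principal needs both replication extended rights on the domain root (or a right that implies them, such as all extended rights or GenericAll) to have full DCSync capability. The following added PowerShell example, not AttackPathCanvas's own code, performs that check over constructed ACE records in the shape that `(Get-Acl "AD:\<domainDN>").Access` returns; the NetBIOS domain name `CONTOSO`, the principal names and the `$DefaultHolders` list are assumptions, while the right GUIDs are the standard Active Directory control-access-right GUIDs.

```powershell
# Added example (not AttackPathCanvas code): DCSync capability detection from
# domain-root ACEs, using constructed ACE records instead of a live DACL.

# Control-access-right GUIDs for the two replication rights DCSync needs
$ReplGetChanges    = [guid]'1131f6aa-9c07-11d1-f79f-00c04fc2dcd2'   # DS-Replication-Get-Changes
$ReplGetChangesAll = [guid]'1131f6ad-9c07-11d1-f79f-00c04fc2dcd2'   # DS-Replication-Get-Changes-All
$AnyObjectType     = [guid]::Empty    # ExtendedRight with an empty ObjectType = every extended right

# Principals expected to hold replication rights (assumed NetBIOS name CONTOSO)
$DefaultHolders = @(
    'BUILTIN\Administrators', 'NT AUTHORITY\SYSTEM', 'NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS',
    'CONTOSO\Domain Controllers', 'CONTOSO\Domain Admins', 'CONTOSO\Enterprise Admins'
)

function New-Ace {
    param($Identity, $Rights, [guid]$ObjectType, $Type = 'Allow')
    [pscustomobject]@{ IdentityReference = $Identity; ActiveDirectoryRights = $Rights
                       ObjectType = $ObjectType; AccessControlType = $Type }
}

# Constructed sample ACL (a real run would read the domain root's DACL instead)
$Aces = @(
    New-Ace 'CONTOSO\Domain Controllers' 'ExtendedRight' $ReplGetChanges
    New-Ace 'CONTOSO\Domain Controllers' 'ExtendedRight' $ReplGetChangesAll
    New-Ace 'CONTOSO\MSOL_1a2b3c4d5e6f'  'ExtendedRight' $ReplGetChanges      # Entra Connect sync account (MSOL_ prefix)
    New-Ace 'CONTOSO\MSOL_1a2b3c4d5e6f'  'ExtendedRight' $ReplGetChangesAll
    New-Ace 'CONTOSO\svc_backup'         'ExtendedRight' $ReplGetChanges      # one right only: not full DCSync
    New-Ace 'CONTOSO\helpdesk'           'ExtendedRight' $ReplGetChanges
    New-Ace 'CONTOSO\helpdesk'           'ExtendedRight' $ReplGetChangesAll   # non-default, both rights
    New-Ace 'CONTOSO\legacy_svc'         'ExtendedRight' $AnyObjectType       # all extended rights implies both
    New-Ace 'CONTOSO\auditor'            'GenericAll'    $AnyObjectType       # GenericAll includes all extended rights
)

function Get-DcSyncCapable {
    param([object[]]$Aces)
    # Only Allow ACEs are counted; Deny ACEs are skipped rather than resolved against them.
    $allow = $Aces | Where-Object { $_.AccessControlType -eq 'Allow' -and
                                    "$($_.ActiveDirectoryRights)" -match 'ExtendedRight|GenericAll' }
    $allow | Group-Object IdentityReference | ForEach-Object {
        $types = @($_.Group.ObjectType)
        $implied = @($_.Group | Where-Object {
            "$($_.ActiveDirectoryRights)" -match 'GenericAll' -or $_.ObjectType -eq $AnyObjectType }).Count -gt 0
        $getChanges    = $implied -or ($types -contains $ReplGetChanges)
        $getChangesAll = $implied -or ($types -contains $ReplGetChangesAll)
        [pscustomobject]@{
            Identity      = $_.Name
            GetChanges    = $getChanges
            GetChangesAll = $getChangesAll
            FullDCSync    = $getChanges -and $getChangesAll    # both rights present
            IsDefault     = $DefaultHolders -contains $_.Name
            EntraConnect  = $_.Name -match '\\MSOL_'
        }
    }
}

$Results = Get-DcSyncCapable -Aces $Aces
$Results | Format-Table -AutoSize

# Non-default principals with both rights are the paths worth reporting
$Results | Where-Object { $_.FullDCSync -and -not $_.IsDefault -and -not $_.EntraConnect } |
    Select-Object Identity, FullDCSync
```

On the constructed ACL, `svc_backup` is reported as partial (one right only), the Entra Connect account is identified separately from other non-default holders, and `helpdesk`, `legacy_svc` and `auditor` are the three full, non-default DCSync-capable principals. A live run should also expand group membership of each identity, since a user reaches these rights through a group just as it reaches Domain Admins through nesting.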
```powershell
# Run from any domain-joined machine
.\AttackPathCanvas.ps1

# Custom output path
.\AttackPathCanvas.ps1 -OutputPath C:\Reports
```

- Windows PowerShell 5.1+ or PowerShell 7+
- ActiveDirectory module (RSAT)
- GroupPolicy module (optional, for GPO attack path detection)
- Domain user account (Domain Admin recommended for full visibility)
MIT -- Free to use, modify, and distribute.
- ADCanvas -- Active Directory documentation
- EntraIDCanvas -- Entra ID documentation
- IntuneCanvas -- Intune documentation
- ZeroTrustCanvas -- Zero Trust posture assessment
- NHICanvas -- Non-Human Identity governance
- DelegationCanvas -- AD delegation and permission mapping
Developed by Santhosh Sivarajan, Microsoft MVP