Tier 0 Attack Path Analysis

Identify and Close Paths to Tier 0 Active Directory Assets

Discover and manage pathways threat actors use to gain control of your critical Active Directory infrastructure.

Save time in AD attack path reduction

Few attackers gain control of Active Directory immediately. Instead, they start with compromised non-privileged user credentials for initial access. Then they move from system to system, using misconfigurations and vulnerabilities, until they can escalate their privileges to control Active Directory. By focusing on the assets that are closest to your Tier 0 assets, you can save time in identifying and reducing the paths attackers take to gain control your Active Directory.

Enterprise Management Associates reports pen testers succeed in
of their attempts to exploit Active Directory
Microsoft Digital Defense Report:
3.47 billion
identity threats were blocked in the Microsoft ecosystem from July 2021 through June 2022
Enterprise Management Associates:
of organizations that experienced an AD attack reported the attack was successful

Tier 0 attack path reduction—from the inside out

Discover your Tier 0 Active Directory assets (the keys to the kingdom), who can gain access to them, and how to minimize those access paths.


Use free tools such as Forest Druid to understand your real Tier 0 boundary and the paths leading to it.


Use Purple Knight results and Microsoft AD security best practices to eliminate unexpected paths to Tier 0.

eyeball icon

Continually monitor for “configuration drift” that may introduce new attack paths with Directory Services Protector

Discover your true Tier 0 boundary

It’s more than just your domain controllers

The UK’s National Cybersecurity Center defines Tier 0 as “the root of trust all other administration relies upon.” For Active Directory, this includes privileged accounts (such as Domain Admins) and domain controllers (DCs). A medieval Tier 0 analogy is that of a kingdom’s castle keep, where the king and his trusted advisors safely reside. If a threat actor gains control of a Tier 0 asset, they have control of Active Directory (or potentially the kingdom). But Tier 0 in AD encompasses more than just domain admins and DCs. What about the ability to change permissions on the AD containers that hold privileged accounts or DCs? What about control of Group Policy objects (GPOs) that are linked, or can be linked, to a privileged object or container? What about the Azure AD Connect server and service account that syncs users to Azure AD? These are all potential AD attack paths—and there are more.

Learn More
Focus on the attack paths that matter

Conventional AD attack path analysis tools take an “outside in” approach and analyze the entire environment to discover the small subset of paths to Tier 0. Forest Druid, a free tool built by Semperis identity security experts, approaches Tier 0 attack path analysis from the other direction. Why bother to analyze every street and path in the kingdom when you only care about protecting the keep? That’s the approach Forest Druid takes. First, Forest Druid presents a default Tier 0 analysis. You then analyze all objects that have paths to Tier 0, and:

  • Add them to Tier 0 (for example, the built-in container which holds the privileged groups)
  • Note them as necessary but monitor the path carefully (for example, a legacy line-of-business application)
  • Or close the path (an unnecessary or unauthorized potential attack path)
Download Forest Druid

Today is the first day I’ve used Forest Druid and I’m very impressed. I’ve never found time to learn Bloodhound, so I really appreciate that I just had to run the tool and then click around the GUI to start finding issues.

SOC Engineer Retail & Packaged Goods Company

Advanced actors are attacking on-premises identity deployments to effect systemic breach and bridge to cloud admin access. Organizations in hybrid Active Directory environments need identity-first security to protect their AD and Azure AD systems from attack. This requires continuous monitoring and assessment of AD and Azure AD security posture to defend against identity-based attacks in partnership with traditional security teams.

Alex Weinert VP of Identity Security, Microsoft

The best AD recovery tool in the event of a ransomware attack!

Read review Director of Directories & IAM Solutions, IT Security & Risk Management Enterprise Banking Organization

Frequently asked questions about Tier 0 attack path analysis

What are Tier 0 assets?

Tier 0 assets are the accounts, groups, and other assets that have direct or indirect administrative control of an Active Directory forest, domains, and domain controllers. With access to these Tier 0 assets, attackers can seize control of the entire network.

What are administrative tiers?

Microsoft developed the tiered administration model for Active Directory to increase the difficulty of threat actors performing privilege escalation – that is, jumping from workstation to servers to AD domain dominance. This model has three tiers:

  • Tier 2 is composed of domain joined clients, printers, mobile devices, and those accounts that administer them.
  • Tier 1 contains the servers and applications, and their administrative accounts.
  • Tier 0 contains the servers (for example, domain controllers), AD structures (such as the Default Domain Policy GPO), and privileged accounts that support the Active Directory service itself.

This hierarchy is enforced such that credentials of higher tiers cannot be accessed from lower tiers (for example, a domain admin account logging into a client PC, where those privileged credentials could subsequently be harvested by malware such as mimikatz). For hybrid environments this model has been expanded to take their added complexity into account and is called the enterprise access model.



Why is protecting Tier 0 assets important to identity security?

Tier 0 assets have administrative control of Active Directory. If one of these assets is compromised, a threat actor can gain control of Active Directory and thus every asset—servers, applications, databases, clients, other Active Directory accounts—inside Active Directory to achieve their goals.


Why is defining the Tier 0 perimeter important?

Because of misconfigurations that accumulate over time, many organizations have accounts and groups that have privileged access—i.e., they are Tier 0 assets—but these excessive privileges are either overlooked or the IT and security teams haven’t had the resources to review them. Uncovering those assets can be challenging. Forest Druid, a free community tool from Semperis, shines a light on sensitive accounts so that the IT/security teams can mark them as “Tier 0” and apply appropriate protective measures, including locking down privileges or deleting unnecessary accounts altogether.

What are attack paths?

Attack paths are routes a threat actor may take from initial access into the environment (such as a client PC), across intermediate steps, to Tier 0 domain dominance.

Are there tools to make Active Directory attack path reduction easier?

Semperis provides a free Tier 0 attack path discovery tool called Forest Druid that helps you uncover vulnerable Tier 0 assets, lock down excessive privileges, and quickly discover and remediate the most dangerous paths—not just the most common ones. (Click here to learn more about Forest Druid.)

Reduce Tier 0 attack paths

Ready to save time closing attack paths to Tier 0 Active Directory assets?

Download Forest Druid