
Hackers Abuse Active Directory Sites For Domain Compromise

Active Directory (AD) sites, designed to optimize network performance in large organizations, have emerged as an overlooked vector for domain compromise.

Security researchers at Synacktiv recently highlighted how attackers can exploit access control lists (ACLs) on site objects to escalate privileges and infiltrate entire domains.

This technique, detailed in a November 2025 report, reveals that sites, the logical groupings of subnets used for efficient replication and authentication, can be weaponized through Group Policy Object (GPO) manipulations, potentially granting hackers control over domain controllers.

While AD sites are typically viewed as infrastructural features rather than security risks, their integration with GPOs creates exploitable pathways.

Sites reside in the forest-wide configuration naming context, replicated across all domain controllers, making them prime targets for lateral movement.

Hackers with low-level access can abuse permissions like GenericAll, GenericWrite, or WriteGPLink to alter the gPLink attribute, linking malicious GPOs to sites and compromising associated systems.

Simplified representation of Active Directory sites.

In geographically dispersed environments, this could affect multiple subnets, including critical servers, without triggering common defenses.

Exploitation Paths and Tools

Attackers begin by enumerating site ACLs, a gap now addressed in a proposed BloodHound pull request that visualizes high-value targets like sites and their linked GPOs.

Once identified, exploitation often involves injecting malicious configurations via tools like GroupPolicyBackdoor.py, which modifies GPOs to execute commands on site servers.

For instance, a compromised user with WriteGPLink rights can spoof gPLink to point to an attacker-controlled server, delivering payloads such as scheduled tasks that elevate privileges on domain controllers.

A more advanced tactic bypasses SID filtering for intra-forest lateral movement.

By leveraging the writable configuration partition from a compromised child domain, hackers link malicious GPOs to sites hosting root domain controllers, achieving full forest dominance.

Representation of a site and associated subnets.

Demonstrations show this unfolding in under 15 minutes via replication cycles, underscoring the stealth and speed of these attacks. Tools like OUned.py automate such spoofing, simulating valid GPO delivery over LDAP and SMB.

Defensive Measures and Implications

Organizations must prioritize auditing site ACLs, especially delegated permissions for GPO management, to prevent abuse.

Implementing least-privilege principles and monitoring gPLink changes can detect anomalies early. Integrating site data into tools like BloodHound enhances visibility of these paths.
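The audit the two paragraphs above call for, as an added example that is not code from the article or from Synacktiv's report: it walks every site object under CN=Sites in the forest's configuration naming context, prints the GPOs each site's gPLink attribute references, and flags any ACE that would let a principal outside an assumed administrative allowlist rewrite that link (WriteProperty on all attributes or on gPLink specifically, which is what GenericWrite and GenericAll expand to, plus WriteDacl/WriteOwner). It assumes the RSAT ActiveDirectory module and an account that can read the configuration partition; the `$trusted` regex is an assumption to be adjusted to the forest's delegation model, and the helper names `Get-SiteGpLink` and `Test-GpLinkWriteAce` are this example's own.

```powershell
# Added example (not from the article or the Synacktiv report): list gPLink
# targets for every AD site and flag ACEs that allow non-admin principals to
# change them. Assumes the RSAT ActiveDirectory module and read access to the
# configuration naming context.
Import-Module ActiveDirectory

$rootDse   = Get-ADRootDSE
$sitesBase = "CN=Sites," + $rootDse.configurationNamingContext

# Resolve gPLink's schemaIDGUID from the schema rather than hardcoding it, so
# the object-specific WriteProperty check below matches this forest's schema.
$gpLinkSchema = Get-ADObject -SearchBase $rootDse.schemaNamingContext `
    -LDAPFilter "(lDAPDisplayName=gPLink)" -Properties schemaIDGUID
$gpLinkGuid = [guid]$gpLinkSchema.schemaIDGUID

# Principals expected to hold write rights on site objects (assumed list; adjust
# to the forest's delegation model and treat anything else as a finding).
$trusted = '^(BUILTIN\\Administrators|NT AUTHORITY\\SYSTEM|NT AUTHORITY\\ENTERPRISE DOMAIN CONTROLLERS|[^\\]+\\(Enterprise|Domain) Admins)$'

function Get-SiteGpLink {
    # gPLink is a single string of "[LDAP://<GPO DN>;<options>]" entries;
    # option bit 1 marks the link disabled, bit 2 marks it enforced.
    param([string]$GpLink)
    foreach ($m in [regex]::Matches([string]$GpLink, '\[LDAP://([^;\]]+);(\d+)\]')) {
        $opt = [int]$m.Groups[2].Value
        [pscustomobject]@{
            GpoDN    = $m.Groups[1].Value
            Disabled = [bool]($opt -band 1)
            Enforced = [bool]($opt -band 2)
        }
    }
}

function Test-GpLinkWriteAce {
    # True when an Allow ACE grants WriteProperty on all attributes or on gPLink
    # itself, or grants WriteDacl/WriteOwner (which lets the holder grant the former).
    param([System.DirectoryServices.ActiveDirectoryAccessRule]$Ace, [guid]$GpLinkGuid)
    if ($Ace.AccessControlType -ne 'Allow') { return $false }
    $rights = $Ace.ActiveDirectoryRights
    $ownerOrDacl = [int]($rights -band ([System.DirectoryServices.ActiveDirectoryRights]::WriteDacl -bor
                                        [System.DirectoryServices.ActiveDirectoryRights]::WriteOwner)) -ne 0
    $writeProp   = [int]($rights -band [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty) -ne 0
    $onGpLink    = ($Ace.ObjectType -eq [guid]::Empty) -or ($Ace.ObjectType -eq $GpLinkGuid)
    return ($ownerOrDacl -or ($writeProp -and $onGpLink))
}

$sites = Get-ADObject -SearchBase $sitesBase -SearchScope OneLevel `
    -LDAPFilter "(objectClass=site)" -Properties gPLink

foreach ($site in $sites) {
    Write-Host "== Site: $($site.Name) =="
    foreach ($link in Get-SiteGpLink -GpLink $site.gPLink) {
        $flags = @()
        if ($link.Enforced) { $flags += 'enforced' }
        if ($link.Disabled) { $flags += 'disabled' }
        Write-Host ("  gPLink -> {0} {1}" -f $link.GpoDN, ($flags -join ','))
    }

    # The AD: PSDrive comes with the ActiveDirectory module; Get-Acl returns the
    # object's DACL, including ACEs inherited from CN=Sites and above.
    $acl = Get-Acl -Path ("AD:\" + $site.DistinguishedName)
    foreach ($ace in $acl.Access) {
        if ($ace.IdentityReference.Value -match $trusted) { continue }
        if (Test-GpLinkWriteAce -Ace $ace -GpLinkGuid $gpLinkGuid) {
            $msg = "  {0} can modify gPLink on {1}: {2} (ObjectType={3}, inherited={4})" -f `
                $ace.IdentityReference, $site.Name, $ace.ActiveDirectoryRights, $ace.ObjectType, $ace.IsInherited
            Write-Warning $msg
        }
    }
}
```

Findings that show `inherited=True` point at the delegation on CN=Sites or the configuration container rather than at the individual site, so the fix belongs there. For the change monitoring the text recommends, enable object-access auditing on the site objects (a SACL entry for WriteProperty) so that a rewrite of gPLink produces Security event 5136 ("A directory service object was modified") on the domain controller that received the change, and alert on any such event whose attribute is gPLink.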

This vulnerability highlights the need to treat AD sites as Tier-0 assets, akin to domain controllers.

As enterprises expand globally, neglecting site security risks cascading compromises, emphasizing proactive hardening in AD environments.

With BloodHound’s upcoming updates, defenders gain better tools to counter these evolving threats.

Varshini

Varshini is a Cyber Security expert in Threat Analysis, Vulnerability Assessment, and Research. Passionate about staying ahead of emerging Threats and Technologies.
