AD_Miner: Active Directory audit tool
ADMiner
ADMiner is an Active Directory audit tool that leverages cypher queries to crunch data from the BloodHound graph database (neo4j) and gives you a global overview of existing weaknesses through a web-based static report, including detailed listing, dynamic graphs, key indicators history, along with risk ratings.
You can also observe indicators over time to help measure mitigation efficiency.
Implemented controls
The following provides a list controls that have already been implemented in AD Miner:
Controls for On-premise
| Category | Description | Category | Description | |
|---|---|---|---|---|
| Kerberos | AS-REP Roastable accounts | Misc | Computers with obsolete OS | |
| Kerberos | Kerberoastable accounts | Misc | Dormant accounts | |
| Kerberos | Kerberos constrained delegation | Misc | Functional level of the domain | |
| Kerberos | Kerberos RBCD against computers | Misc | Ghost computers | |
| Kerberos | Kerberos unconstrained delegations | Misc | Groups without any member | |
| Kerberos | Old KRBTGT password | Misc | OUs without any member | |
| Kerberos | Shadow Credentials on privileged accounts | Misc | Shadow credentials on domain controllers | |
| Kerberos | Shadow Credentials on regular accounts | Misc | Unexpected PrimaryGroupID | |
| Passwords | Access to LAPS passwords | Misc | Users FGPP | |
| Passwords | Computers without LAPS | Permissions | ACL anomalies | |
| Passwords | Objects can read GMSA passwords of administrators | Permissions | Attack paths choke points | |
| Passwords | Password requirement bypass | Permissions | Computers admin of other computers | |
| Passwords | Users with cleartext passwords | Permissions | Cross-domain paths to Domain Admin | |
| Passwords | Users with old passwords | Permissions | Guest accounts | |
| Passwords | Users without password expiration | Permissions | Inadequate access to DCSync privileges | |
| Permissions | Inadequate AdminCount settings | Permissions | Inadequate GPO modifications privileges | |
| Permissions | Inadequate number of domain admins | Permissions | Machine accounts with inadequate privileges | |
| Permissions | Machine accounts with inadequate privileges | Permissions | Non-tier 0 local admin privs on ADCS | |
| Permissions | Objects with SID history | Permissions | Paths to DNS Admins | |
| Permissions | Paths to Domain Admins | Permissions | Paths to Operators Groups | |
| Permissions | Paths to Organizational Units (OU) | Permissions | Paths to servers | |
| Permissions | Paths to the AdminSDHolder container | Permissions | “Pre-Windows 2000 Compatible Access” group | |
| Permissions | Privileged account outside the protected users group | Permissions | RDP access (computers) | |
| Permissions | RDP access (users) | Permissions | Tier-0 violation (sessions) | |
| Permissions | Users that have powerful cross-domain privileges | Permissions | Users with local admin privileges |
Controls for Entra ID
| Category | Description | Category | Description | |
|---|---|---|---|---|
| Entra ID Misc | Azure dormant accounts | Entra ID MS Graph | Direct Controllers of MS Graph | |
| Entra ID Passwords | Entra ID password reset privileges | Entra ID MS Graph | Entra ID accounts not synced on-prem | |
| Entra ID Passwords | Incoherent last password change | Entra ID MS Graph | Synced accounts with disabled twin account | |
| Entra ID Permissions | Access to privileged Entra ID roles | Entra ID Permissions | Privileged accounts on both on-prem and Azure | |
| Entra ID Permissions | Cross on-prem/Entra ID path to tier-0 | Entra ID Permissions | Users possibly related to AADConnect | |
| Entra ID Permissions | Entra ID users with path high value targets |
Install
git clone https://github.com/Mazars-Tech/AD_Miner.git
pip install -r requirements.txt
Use
[pastacode lang=”markup” message=”” highlight=”” provider=”manual” manual=”-h%2C%20–help%20%20%20%20%20%20%20%20%20%20%20%20%20%20Show%20this%20help%20message%20and%20exit%0A-b%2C%20–bolt%20%20%20%20%20%20%20%20%20%20%20%20%20%20Neo4j%20bolt%20connection%20(default%3A%20bolt%3A%2F%2F127.0.0.1%3A7687)%0A-u%2C%20–username%20%20%20%20%20%20%20%20%20%20Neo4j%20username%20(default%20%3A%20neo4j)%0A-p%2C%20–password%20%20%20%20%20%20%20%20%20%20Neo4j%20password%20(default%20%3A%20neo5j)%0A-e%2C%20–extract_date%20%20%20%20%20%20Extract%20date%20(e.g.%2C%2020220131).%20Default%3A%20last%20logon%20date%0A-r%2C%20–renewal_password%20%20Password%20renewal%20policy%20in%20days.%20Default%3A%2090%0A-a%2C%20–azure%20%20%20%20%20%20%20%20%20%20%20%20%20Use%20Azure%20relations%0A-c%2C%20–cache%20%20%20%20%20%20%20%20%20%20%20%20%20Use%20local%20file%20for%20neo4j%20data%0A-l%2C%20–level%20%20%20%20%20%20%20%20%20%20%20%20%20Recursive%20level%20for%20path%20queries%0A-cf%2C%20–cache_prefix%20%20%20%20%20Cache%20file%20to%20use%20(in%20case%20of%20multiple%20company%20cache%20files)%0A-ch%2C%20–nb_chunks%20%20%20%20%20%20%20%20Number%20of%20chunks%20for%20parallel%20neo4j%20requests.%20Default%20%3A%20number%20of%20CPU%0A-co%2C%20–nb_cores%20%20%20%20%20%20%20%20%20Number%20of%20cores%20for%20parallel%20neo4j%20requests.%20Default%20%3A%20number%20of%20CPU%0A–rdp%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20Include%20the%20CanRDP%20edge%20in%20graphs%0A–evolution%20%20%20%20%20%20%20%20%20%20%20%20%20Evolution%20over%20time%20%3A%20location%20of%20json%20data%20files.%20ex%20%3A%20′..%2F..%2Ftests%2F’%0A–cluster%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20Nodes%20of%20the%20cluster%20to%20run%20parallel%20neo4j%20queries.%20ex%20%3A%20host1%3Aport1%3AnCore1%2Chost2%3Aport2%3AnCore2%2C…”/]
Copyright (C) 2023 Mazars Cybersecurity Audit & Advisory team
Source: https://github.com/Mazars-Tech/
Support Our Threat Intelligence
If you find our technology report and cybersecurity news helpful, consider supporting our work.
Buy Me a Coffee
PayPal
