Sauron: Fast Active Directory Tool Maps Credential Privileges and Nested Groups in Seconds
Sauron
Fast context enumeration for newly obtained Active Directory credentials.
Why Sauron?
When you obtain fresh credentials (password spraying, phishing, hash replay, etc.), the first thing you need is context: Who is this account really? What groups (direct and nested) does it belong to? Which OUs does it live in? What descriptions reveal its function or linked applications? Sauron answers that in seconds with a single execution.
Primary objective: quickly convert an isolated credential into a mental map of potential capabilities within AD and third-party software/services that reuse corporate groups or descriptions.
Key Capabilities
- Auto-detection of object type (user, computer, MSA/gMSA, FSP) by sAMAccountName, Distinguished Name, or SID
- Nested group resolution using LDAP rule
1.2.840.113556.1.4.1941+ primary group resolution by SID - Organizational hierarchy extraction from object to domain root (OUs/containers)
- Metadata extraction: descriptions, notes, titles, departments, managers, adminCount, etc.
- GPO enumeration for linked OUs with enforcement status interpretation
- Connection fallback: LDAPS → insecure LDAPS → LDAP with strongAuthRequired detection
- Debug mode with LDAP request counting and detailed logging
- Structured output of object details, group memberships, organizational units, and policy inheritance
Typical Post-Spray Workflow
- Obtain valid credentials (maybe using SpearSpray 😉)
- Run Sauron against the obtained accounts (do any belong to sensitive groups?)
- Extract implicit roles from descriptions and group names
- Decide next steps: escalate, lateral movement, pivot to applications, report finding
Understanding Sauron’s Output
| Attribute | Meaning | Security Context |
|---|---|---|
sAMAccountName |
Account login name | Primary identifier for authentication |
DisplayName |
Human-readable full name | Often reveals role/function when different from username |
DN |
Distinguished Name | Shows exact AD location and organizational structure |
Description |
Free-text description | Critical: Often contains access details, application references, or functional roles |
Notes (info) |
Additional free-text info | Key: May contain specific permissions, access scopes, or operational details |
Title |
Job title | Indicates organizational privilege level |
Department |
Business unit | Shows scope of potential access/systems |
Email |
Email address | Contact information and potential external access vector |
UPN |
User Principal Name | Alternative login format (user@domain) |
userAccountControl |
Account status flags | Critical: Shows account state (disabled, locked, password policies, delegation trust) |
Last Logon |
Most recent authentication | Indicates account activity level (stale accounts = potential targets) |
Password Last Set |
Password change timestamp | Shows password age |
Manager |
Direct supervisor DN | Potential social engineering target or escalation path |
adminCount |
Protected object flag | 1 = high-privilege account (Domain Admins, etc.) |
primaryGroupID |
Default group RID | Usually Domain Users (513), Computers (515), or Controllers (516) |
objectSid |
Security Identifier | Unique ID for access control decisions |
| Field | Meaning | Security Context |
|---|---|---|
Description |
Group purpose | Key: May reveal third-party app access (AWS, Jenkins, VMware, etc.) |
Notes (info) |
Additional details | Often contains specific permissions or access scopes |
managedBy |
Group manager DN | Administrative contact, not necessarily with edit permissions |
DN |
Group location | Shows organizational scope (domain-wide vs. OU-specific) |
| Field | Meaning | Security Context |
|---|---|---|
Name (Type) |
OU/Container display | Human-readable name with organizational type (OU/Container) |
DN |
Full distinguished name | Complete path in AD hierarchy |
Description |
OU purpose | May indicate environment (prod/dev) or function |
Managed By |
OU manager DN | Administrative contact for organizational unit |
gPOptions |
GP inheritance settings | Controls how policies flow down the hierarchy |
GPO Links |
Applied policies | Shows inherited security settings and restrictions |
| Field | Meaning | Security Context |
|---|---|---|
displayName |
Policy friendly name | Often indicates purpose (security, software deployment, etc.) |
Description |
Policy details | May reveal applied restrictions or software |
SYSVOL Path |
File system location | Shows policy storage and versioning |
versionNumber |
Policy version | Higher numbers indicate recent changes |
Created |
Policy creation date | Shows when policy was first implemented |
Last Modified |
Policy change date | Important: Recent changes may indicate active management |
DN |
Policy distinguished name | Location in AD policies container |
gPLink flags |
Link enforcement | See GPO link options below |
| Flag | Status | Enforcement | Description |
|---|---|---|---|
0 |
Enabled | Not enforced | Standard policy application, can be blocked by inheritance |
1 |
Disabled | Not enforced | Policy is disabled and won’t apply |
2 |
Enabled | Enforced | Policy is enforced, cannot be blocked by inheritance |
3 |
Disabled | Enforced | Policy is disabled but marked as enforced |
Install & Use
Support Our Threat Intelligence
If you find our technology report and cybersecurity news helpful, consider supporting our work.
Buy Me a Coffee
PayPal
USDT (TRC20):
TN8BdV8cp4T1Cd28gK9qTAnZknzzuwyUtm
USDT (ERC20):
0x3725e1a7d3bc5765499fa6aaafe307fabcd75bce
