AD_Miner v0.6 releases: Active Directory audit tool

by do son · Published · Updated

ADMiner

ADMiner is an Active Directory audit tool that leverages cypher queries to crunch data from the BloodHound graph database (neo4j) and gives you a global overview of existing weaknesses through a web-based static report, including detailed listing, dynamic graphs, key indicators history, along with risk ratings.

You can also observe indicators over time to help measure mitigation efficiency.

Implemented controls

The following provides a list controls that have already been implemented in AD Miner :
Dormant accounts Tier 0 sessions violation Control path cross domain from DA to DA
Ghost computers Machine accounts with admin privs Control paths to GPOs
Accounts without password expiration Obsolete OS Control paths to servers
Accounts with old passwords Inadequate number of domain admins Control paths to OU
Accounts with clear-text passwords RDP access Control paths to GMSA passwords
Kerberoastable accounts Domain functional level Control path to AdminSDHolder container
AS-REP Roastable accounts Users with admin privs Users with path to DNS Admins
Accounts with SID history Machine accounts with high privs ACL anomalies on group objects
LAPS status Non tier 0 with DCSync capabilities Objects with path to an Operator Member
LAPS access Unconstrained delegations ADCS local admin privs
KRBTGT password age Constrained delegations Empty groups/OU
DC Shadow to DA Role-based constrained delegations
DC Shadow to all Control paths to domain admins

Changelog v0.6

Bug Fixes

  • add label in neo4j request (2dfbf4e)
  • bug with if condition admin of computer (4b5ac15)
  • bug with split name and label (d3475e0)
  • bug with upper (733f0d0)
  • change value on tooltip (dc960a6)
  • decimal bug (209a7bb)
  • dont add only protected users to da (12618f3)
  • fix infinite bug (eb0168d)
  • fix non display for zero values on log scale (957779e)
  • putting back rbcd in config (d78cd47)
  • rating now take into account the oldest krbtgt password change (070c58b)
  • remove new pre request (608e8e2)
  • remove print (919da6a)
  • remove trailing spaces (cba881a)
  • rename group anomaly ACL to anomaly ACL (c39ef0b)
  • repair broken config.json file (e13e5dd)

Features

  • Add 5 new controls from “primaryGroupID_lower_than_1000” to “up_to_date_admincount” (795a5a9)
  • add a pre request (1b74e17)
  • add admincount control page (265b0af)
  • add error message (90e39f1)
  • add get_label_icon_dictionary (5a2a4d9)
  • add guest account enabled control (2dfeff6)
  • add log scale button for evolution graph (a7cdce4)
  • Add Louis in the list of contributors (c334c40)
  • add misc category (9af600f)
  • Add preWin2000 control (575391e)
  • add Protected Users control (a0bf823)
  • add SID control (d74c301)
  • add small evolution percentage (4ae7982)
  • better background (43bcf9c)
  • better opacity (a739fad)
  • better svg main_circle (6cdf4bc)
  • evolution data for admincount with sum of indicators (44ff6a2)
  • ghost DC displayed first in DC list, add lastlogon column (7f0af53)
  • improve description for ACL anomaly (0c1da89)
  • improve search bar highlighting hovered controls and closing the menu when clicking outside (7d2da03)
  • minimize neo4j requests used by new controles (916cbf1)
  • new neo4j requests (a902de9)
  • split schema and key admin + add protected users on DA page (6c6e5af)

Performance Improvements

Install

git clone https://github.com/Mazars-Tech/AD_Miner.git
pip install -r requirements.txt

Use

-h, --help              Show this help message and exit

-b, --bolt              Neo4j bolt connection (default: bolt://127.0.0.1:7687)

-u, --username          Neo4j username (default : neo4j)

-p, --password          Neo4j password (default : neo5j)

-e, --extract_date      Extract date (e.g., 20220131). Default: last logon date

-r, --renewal_password  Password renewal policy in days. Default: 90

-a, --azure             Use Azure relations

-c, --cache             Use local file for neo4j data

-l, --level             Recursive level for path queries

-cf, --cache_prefix     Cache file to use (in case of multiple company cache files)

-ch, --nb_chunks        Number of chunks for parallel neo4j requests. Default : number of CPU

-co, --nb_cores         Number of cores for parallel neo4j requests. Default : number of CPU

--rdp                   Include the CanRDP edge in graphs

--evolution             Evolution over time : location of json data files. ex : '../../tests/'

--cluster               Nodes of the cluster to run parallel neo4j queries. ex : host1:port1:nCore1,host2:port2:nCore2,...

Copyright (C) 2023 Mazars Cybersecurity Audit & Advisory team

Source: https://github.com/Mazars-Tech/

Tags: Active Directory audit toolADMiner