AD_Miner v1.1 releases: Active Directory audit tool

by do son · Published October 2, 2023 · Updated February 17, 2024

ADMiner

ADMiner is an Active Directory audit tool that leverages cypher queries to crunch data from the BloodHound graph database (neo4j) and gives you a global overview of existing weaknesses through a web-based static report, including detailed listing, dynamic graphs, key indicators history, along with risk ratings.

You can also observe indicators over time to help measure mitigation efficiency.

Implemented controls

The following provides a list controls that have already been implemented in AD Miner :


Dormant accounts	Tier 0 sessions violation	Control path cross domain from DA to DA
Ghost computers	Machine accounts with admin privs	Control paths to GPOs
Accounts without password expiration	Obsolete OS	Control paths to servers
Accounts with old passwords	Inadequate number of domain admins	Control paths to OU
Accounts with clear-text passwords	RDP access	Control paths to GMSA passwords
Kerberoastable accounts	Domain functional level	Control path to AdminSDHolder container
AS-REP Roastable accounts	Users with admin privs	Users with path to DNS Admins
Accounts with SID history	Machine accounts with high privs	ACL anomalies on group objects
LAPS status	Non tier 0 with DCSync capabilities	Objects with path to an Operator Member
LAPS access	Unconstrained delegations	ADCS local admin privs
KRBTGT password age	Constrained delegations	Empty groups/OU
DC Shadow to DA	Role-based constrained delegations
DC Shadow to all	Control paths to domain admins

Changelog v1.1

Bug Fixes

better request for low privilege impersonation (#121) (71ceb57)
bug with u.name (#123) (26cb9d8)
bugs with charts and azure data (#114) (7523229)
correct spelling of GPLink to take it into account when computing paths (337320d)
fix typo in request leading to missing DCs (#118) (3867f20)

Features

adding fgpp control (#113) (6431abf)
smartest path (#119) (2d59408)

Performance Improvements

parallelization of the rdp request (#122) (5d18ab0)

Install

git clone https://github.com/Mazars-Tech/AD_Miner.git
pip install -r requirements.txt

Use

-h, --help              Show this help message and exit
-b, --bolt              Neo4j bolt connection (default: bolt://127.0.0.1:7687)
-u, --username          Neo4j username (default : neo4j)
-p, --password          Neo4j password (default : neo5j)
-e, --extract_date      Extract date (e.g., 20220131). Default: last logon date
-r, --renewal_password  Password renewal policy in days. Default: 90
-a, --azure             Use Azure relations
-c, --cache             Use local file for neo4j data
-l, --level             Recursive level for path queries
-cf, --cache_prefix     Cache file to use (in case of multiple company cache files)
-ch, --nb_chunks        Number of chunks for parallel neo4j requests. Default : number of CPU
-co, --nb_cores         Number of cores for parallel neo4j requests. Default : number of CPU
--rdp                   Include the CanRDP edge in graphs
--evolution             Evolution over time : location of json data files. ex : '../../tests/'
--cluster               Nodes of the cluster to run parallel neo4j queries. ex : host1:port1:nCore1,host2:port2:nCore2,...

Source: https://github.com/Mazars-Tech/

AD_Miner v1.1 releases: Active Directory audit tool

Search

Brilliantly

Content & Links