AD-Security/AD_Miner

GitHub: AD-Security/AD_Miner

Stars: 1533 | Forks: 161

# AD_Miner
## Quick overview of a report

### Comprehensive Mitigation Paths for Active Directory Risks

A risk-based rating of Active Directory weaknesses, along with comprehensive mitigation paths.


### A dynamic web interface

Search bar and controls that are carefully tailored to identify the most risky misconfigurations.


### Progress Monitoring through an Evolving Interface

You can also observe indicators over time to help measure mitigation efficiency.


## Prerequisites

1. To extract the data from the domain, you can use tools like [SharpHound](https://github.com/BloodHoundAD/SharpHound), [RustHound-CE](https://github.com/g0h4n/RustHound-CE) or [BloodHound.py](https://github.com/dirkjanm/BloodHound.py), and [AzureHound](https://github.com/BloodHoundAD/AzureHound) for EntraID environments.
2. To set up your BloodHound environment (including the GUI and Neo4j database), [BloodHound Automation](https://github.com/Tanguy-Boisset/bloodhound-automation) is **highly recommended due to its seamless integration with the Graph Data Science plugin**. Though it is perfectly fine to use the default [BloodHound CE](https://github.com/SpecterOps/BloodHound) installation, be aware that you will miss out on the benefits of GDS (e.g., smarter pathfinding, improved execution speed, etc.).
3. By default, BloodHound creates a neo4j base accessible on port 7687.

## Installation and setup

The easiest way is to run the following command using `pipx`:

ADMiner is also available on some Linux distributions:

[![Packaging status](https://repology.org/badge/vertical-allrepos/ad-miner.svg)](https://repology.org/project/ad-miner/versions)

A Docker image is available to build. Build the image with the following command:

Note that mounting the volume with `-v` is critical to get the output of the data. This assumes that the BHCE server is running on the Docker host with default settings.

## Usage

Run the tool:

Example:

If the password renewal policy is known, you can specify it using the `-r` parameter to ensure that the password renewal controls align with your environment's settings (default is 90 days). For example, if the password policy is set to 180 days, you can use the following:

Options:

```text
-h, --help            show this help message and exit
-b BOLT, --bolt BOLT  Neo4j bolt connection (default: bolt://127.0.0.1:7687)
-u USERNAME, --username USERNAME
                      Neo4j username (default : neo4j)
-p PASSWORD, --password PASSWORD
                      Neo4j password (default : bloodhoundcommunityedition)
-e EXTRACT_DATE, --extract_date EXTRACT_DATE
                      Extract date (e.g., 20220131). Default: last logon date
-r RENEWAL_PASSWORD, --renewal_password RENEWAL_PASSWORD
                      Password renewal policy in days. Default: 90
-c, --cache           Use local file for neo4j data
-l LEVEL, --level LEVEL
                      Recursive level for path queries
-cf CACHE_PREFIX, --cache_prefix CACHE_PREFIX
                      Cache file to use (in case of multiple company cache files)
--gpo_low             Perform a faster but incomplete query for GPO (faster than the regular query)
-ch NB_CHUNKS, --nb_chunks NB_CHUNKS
                      Number of chunks for parallel neo4j requests. Default : 20 * number of CPU
-co NB_CORES, --nb_cores NB_CORES
                      Number of cores for parallel neo4j requests. Default : number of CPU
--rdp                 Include the CanRDP edge in graphs
--evolution EVOLUTION
                      Evolution over time : location of json data files. ex : '../../tests/'
--cluster CLUSTER     Nodes of the cluster to run parallel neo4j queries. ex : host1:port1:nCore1,host2:port2:nCore2,...
```

In the graph pages, you can right-click on the graph nodes to cluster them or to open the cluster.
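As an added illustration (not AD Miner's own code), the Python below shows how the `-e` extract date and the `-r` renewal policy combine into the threshold behind a "users with old passwords" style check against the BloodHound Neo4j graph. It assumes the `pwdlastset` (epoch seconds) and `enabled` properties that BloodHound collectors store on `User` nodes; the sample rows are constructed.

```python
from datetime import datetime, timedelta, timezone

DEFAULT_RENEWAL_DAYS = 90  # AD Miner's documented default for -r


def parse_extract_date(value):
    """Parse the -e format (e.g. "20220131") as midnight UTC of that day."""
    return datetime.strptime(value, "%Y%m%d").replace(tzinfo=timezone.utc)


def old_password_threshold(extract_date, renewal_days=DEFAULT_RENEWAL_DAYS):
    """Epoch seconds: a pwdlastset below this is older than the renewal policy."""
    return int((extract_date - timedelta(days=renewal_days)).timestamp())


def build_cypher(threshold):
    """Parameterised Cypher for the same check against the BloodHound graph.
    A pwdlastset of 0 means the password was never set, so it is skipped."""
    query = (
        "MATCH (u:User) "
        "WHERE u.enabled = true AND u.pwdlastset > 0 AND u.pwdlastset < $threshold "
        "RETURN u.name AS name, u.pwdlastset AS pwdlastset"
    )
    return query, {"threshold": threshold}


def flag_old_passwords(users, extract_date, renewal_days=DEFAULT_RENEWAL_DAYS):
    """Offline version over in-memory rows: sorted names whose password is
    older than renewal_days at extract_date (disabled / never-set skipped)."""
    threshold = old_password_threshold(extract_date, renewal_days)
    return sorted(
        u["name"] for u in users
        if u["enabled"] and 0 < u["pwdlastset"] < threshold
    )


# Constructed sample rows (not real data); pwdlastset is epoch seconds.
SAMPLE_USERS = [
    {"name": "ALICE@CORP.LOCAL", "enabled": True, "pwdlastset": 1640000000},  # 2021-12-20
    {"name": "BOB@CORP.LOCAL", "enabled": True, "pwdlastset": 1630000000},    # 2021-08-26
    {"name": "CAROL@CORP.LOCAL", "enabled": True, "pwdlastset": 1600000000},  # 2020-09-13
    {"name": "DAVE@CORP.LOCAL", "enabled": False, "pwdlastset": 1600000000},  # disabled
    {"name": "SVC_NEW@CORP.LOCAL", "enabled": True, "pwdlastset": 0},         # never set
]

if __name__ == "__main__":
    extract = parse_extract_date("20220131")
    for days in (DEFAULT_RENEWAL_DAYS, 180):  # default versus "-r 180"
        print(days, flag_old_passwords(SAMPLE_USERS, extract, days))
    print(build_cypher(old_password_threshold(extract))[0])
```

With the default 90 days BOB and CAROL are flagged; raising the policy to 180 days keeps only CAROL, which is why `-r` must match the real domain policy.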

## Evolution An 'Evolution over time' tab appears on the main page, providing evolution graphs for each category (Permissions, Passwords, Kerberos, and Misc).

Detailed evolution for each control is also available and can be accessed via the “Show evolution” button for each category. A logarithmic scale is available to better highlight subtle variations over time.

## Smartest paths

While a longer but simpler path exists (here with `MemberOf` and `AdminTo` instead of `ExecuteDCOM`).

Currently, 10 controls utilize full graph coverage and optimize the smartest paths for analysis.

## Implemented controls

The following is a list of controls that have already been implemented in AD Miner:

### Controls for On-premise

| **Category** | **Description** |
|-----------------|----------------------------------------------------|
| **Kerberos** | AS-REP Roastable accounts |
| **Kerberos** | Kerberoastable accounts |
| **Kerberos** | Kerberos constrained delegation |
| **Kerberos** | Kerberos RBCD against computers |
| **Kerberos** | Kerberos unconstrained delegations |
| **Kerberos** | Old KRBTGT password |
| **Kerberos** | Shadow Credentials on privileged accounts |
| **Kerberos** | Shadow Credentials on regular accounts |
| **Passwords** | Access to LAPS passwords |
| **Passwords** | Computers without LAPS |
| **Passwords** | Objects can read GMSA passwords of administrators |
| **Passwords** | Password requirement bypass |
| **Passwords** | Users with cleartext passwords |
| **Passwords** | Users with old passwords |
| **Passwords** | Users without password expiration |
| **Misc** | Computers with obsolete OS |
| **Misc** | Dormant accounts |
| **Misc** | Functional level of the domain |
| **Misc** | Ghost computers |
| **Misc** | Groups without any member |
| **Misc** | OUs without any member |
| **Misc** | Shadow credentials on domain controllers |
| **Misc** | Unexpected PrimaryGroupID |
| **Misc** | Users FGPP |
| **Permissions** | ACL anomalies |
| **Permissions** | Attack paths choke points |
| **Permissions** | Computers admin of other computers |
| **Permissions** | Cross-domain paths to Domain Admin |
| **Permissions** | Guest accounts |
| **Permissions** | Inadequate access to DCSync privileges |
| **Permissions** | Inadequate AdminCount settings |
| **Permissions** | Inadequate GPO modifications privileges |
| **Permissions** | Inadequate number of domain admins |
| **Permissions** | Machine accounts with inadequate privileges |
| **Permissions** | Non-tier 0 local admin privs on ADCS |
| **Permissions** | Objects with SID history |
| **Permissions** | Paths to DNS Admins |
| **Permissions** | Paths to Domain Admins |
| **Permissions** | Paths to Operators Groups |
| **Permissions** | Paths to Organizational Units (OU) |
| **Permissions** | Paths to servers |
| **Permissions** | Paths to the AdminSDHolder container |
| **Permissions** | "Pre-Windows 2000 Compatible Access" group |
| **Permissions** | Privileged account outside the protected users group |
| **Permissions** | RDP access (computers) |
| **Permissions** | RDP access (users) |
| **Permissions** | Tier-0 violation (sessions) |
| **Permissions** | Users that have powerful cross-domain privileges |
| **Permissions** | Users with local admin privileges |

### Controls for Entra ID

| **Category** | **Description** |
|-------------------|--------------------------------------------------------|
| **Entra ID Misc** | Azure dormant accounts |
| **Entra ID Passwords** | Entra ID password reset privileges |
| **Entra ID Passwords** | Incoherent last password change |
| **Entra ID Permissions** | Access to privileged Entra ID roles |
| **Entra ID Permissions** | Cross on-prem/Entra ID path to tier-0 |
| **Entra ID Permissions** | Entra ID users with path to high value targets |
| **Entra ID Permissions** | Privileged accounts on both on-prem and Azure |
| **Entra ID Permissions** | Users possibly related to AADConnect |
| **Entra ID MS Graph** | Direct Controllers of MS Graph |
| **Entra ID MS Graph** | Entra ID accounts not synced on-prem |
| **Entra ID MS Graph** | Synced accounts with disabled twin account |