Published on October 16th, 2017
ACLight – PowerShell Script for Advanced Discovery of Privileged Accounts (includes Shadow Admins)
Usage:
Option 1:
- Double click on "Execute-ACLight.bat".
Option 2:
- Open PowerShell (with -ExecutionPolicy Bypass)
- Go to "ACLight" main folder
- Run: Import-Module '.\ACLight.psm1'
- Run: Start-ACLsAnalysis
Reading the results files:
- First check the "Accounts with extra permissions.txt" file. It is a straightforward and important list of the privileged accounts that were discovered in the scanned network.
- "All entities with extra permissions.txt" - This file lists all the privileged entities that were discovered. It includes not only the user accounts but also other "empty" entities such as empty groups or old accounts.
- "Privileged Accounts Permissions - Final Report.csv" - This is the final summary report. It shows the exact sensitive permissions each account has.
- "Privileged Accounts Permissions - Irregular Accounts.csv" - Similar to the final report, but limited to the privileged accounts that have ACL permissions assigned directly (not through their group membership).
- "[Domain name] - Full Output.csv" - Raw ACLs output for each scanned domain.
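A way to put the "Accounts with extra permissions.txt" list to work across repeated scans, as an added example that is not part of ACLight or the original post: it compares the list from an earlier scan with a later one and reports accounts that newly appear or have dropped off. The function names, folder names and sample accounts are hypothetical, and the one-account-per-line file layout is an assumption.

```powershell
# Added example (not ACLight code): diff the account lists of two scans.
# Assumption: the text file holds one account name per line.
$ListName = 'Accounts with extra permissions.txt'

function Get-ACLightAccountSet {
    param([Parameter(Mandatory)][string]$ResultsFolder)
    $file = Join-Path $ResultsFolder $ListName
    if (-not (Test-Path -LiteralPath $file)) { throw "Results file not found: $file" }
    # Case-insensitive set, since AD account names are not case sensitive.
    $set = [System.Collections.Generic.HashSet[string]]::new([System.StringComparer]::OrdinalIgnoreCase)
    foreach ($line in Get-Content -LiteralPath $file) {
        $name = $line.Trim()
        if ($name) { [void]$set.Add($name) }   # skip blank lines
    }
    return ,$set   # the comma keeps the set from being unrolled into the pipeline
}

function Compare-ACLightRun {
    param(
        [Parameter(Mandatory)][string]$BaselineFolder,
        [Parameter(Mandatory)][string]$CurrentFolder
    )
    $old = Get-ACLightAccountSet -ResultsFolder $BaselineFolder
    $new = Get-ACLightAccountSet -ResultsFolder $CurrentFolder
    # Accounts that appear only in the later scan deserve review first.
    foreach ($name in $new) {
        if (-not $old.Contains($name)) {
            [pscustomobject]@{ Account = $name; Change = 'NewlyPrivileged' }
        }
    }
    foreach ($name in $old) {
        if (-not $new.Contains($name)) {
            [pscustomobject]@{ Account = $name; Change = 'NoLongerListed' }
        }
    }
}

# Constructed sample data standing in for the results folders of two scans.
$base   = Join-Path ([IO.Path]::GetTempPath()) 'aclight-demo'
$oldDir = New-Item -ItemType Directory -Force -Path (Join-Path $base 'scan-old')
$newDir = New-Item -ItemType Directory -Force -Path (Join-Path $base 'scan-new')
Set-Content (Join-Path $oldDir.FullName $ListName) 'CORP\alice', 'CORP\bob'
Set-Content (Join-Path $newDir.FullName $ListName) 'corp\Alice', 'CORP\svc-backup'

Compare-ACLightRun -BaselineFolder $oldDir.FullName -CurrentFolder $newDir.FullName |
    Sort-Object Change, Account | Format-Table -AutoSize
```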
Scalability - scanning very large networks or networks with multiple trusted domains:
By default, the tool automatically scans all the domains in the target AD forest.
If you want to scan a specific domain and not the others, you can close those domains' pop-up windows when they show up and continue as usual.
If you are scanning a very large network (e.g. 50,000+ users in one domain) and encounter memory limitations during the scan, there are some tips you can check in the "issue" page.
References:
The tool uses functions from the open source project PowerView by Will Schroeder (@harmj0y) - a great project.
For more comments and questions, you can contact Asaf Hecht (@Hechtov) and CyberArk Labs.