Active Directory Control Paths auditing and graphing tools
Control paths in Active Directory are an aggregation of "control relations" between entities of the domain (users, computers, groups, GPO, containers, etc.) which can be visualized as graphs (such as above) and whose purpose is to answer questions like "Who can get 'Domain Admins' privileges ?" or "What resources can a user control ?" and even "Who can read the CEO's emails ?".
New workflow for all steps, automating neo4j setup and import.
Basic Cypher querying through Neo4j REST API, increasing performance
New control paths are added : Kerberos delegation, SCCM dumping utilities for local admins and sessions control paths
Adding EXCHANGE permissions in v1.3 "Who Can Read the CEO's Emails Edition". Permissions extracted from AD Users, Mailbox/DB descriptors, RBAC and MAPI folders.
Better resume features, nodes clustering (through OVALI) in v1.2.3.
New control paths are added in v1.2.2: RoDC and LAPS.
Major code changes take place in v1.2, as it is now able to dump and analyze very large Active Directories without hogging too much RAM. Some very large ADs with over 1M objects and 150M ACEs have been processed in a reasonable amount of time (a few hours on a laptop, consuming less than 1GB RAM).
A few false positives were fixed and new control paths were added, so running it again on already tested ADs might be a good idea.
Download Zulu JDK 8 (https://cdn.azul.com/zulu/bin/zulu22.214.171.124-ca-jdk8.0.202-win_x64.zip) and put the zip in
Download Neo4j 3.4.1 (https://neo4j.com/artifact.php?name=neo4j-community-3.5.3-windows.zip) and put the zip in
Install EWS Managed API (if dumping Exchange permissions) from https://go.microsoft.com/fwlink/?LinkId=255472
Note: None of these tools need to run on a domain controller.
Generating control paths graphs for your domain takes the 4 following steps:
The 3 last steps are always performed in the same way, but the first step (data dumping) can be carried out in different contexts:
ntds.ditfile and a robocopy of the SYSVOL preserving security attributes.
A simple domain user account is enough to dump a large majority of the control relations, but access to a few LDAP containers and GPO folders on the SYSVOL can be denied. If one is available, an administrator account can thus be used to ensure that no element is inaccessible.
If no access to the domain is given, control graphs can be realized from offline copies of the
ntds.ditfile can be re-mounted to expose its directory through LDAP with the
dsamainutility (available on a Windows server machine having the AD-DS or AD-LDS role, or with the "Active Directory Domain Services Tools" installed):
dsamain.exe -allowNonAdminAccess -dbpath -ldapPort 1234
A robocopy of the SYSVOL share preserving security attributes can be done with the
robocopyutility (the destination folder must be on an NTFS volume):
robocopy.exe \\\sysvol\\Policies /W:1 /R:1 /COPY:DATSO /E /TEE /LOG:
Note: to preserve security attributes on the copied files you need the
SeRestorePrivilegeon the local computer you're running the robocopy on (that is, you need to run these commands as local administrator). You then need to use the
SeBackupPrivilegeto process this local robocopy (dumping tools have a
use backup privilegeoption that you must use).
Use the powershell module in
Dump. You must be in the
Dumpfolder (important). The simplest example is:
Import-Module .\ADCP Get-ADCPDump -outputDir -domainController -domainDnsName
Or with Exchange-related data:
Import-Module .\ADCP $creds = Get-Credential Get-ADCPDump -outputDir -domainController -domainDnsName -exchangeServer -exchangeCredential $creds
-domainControllercan be an real domain controller, or a machine exposing the LDAP directory from a re-mounted
This produces some
.logfiles as follow:
|- yyyymmdd_domainfqdn\Logs\*.log # Log files |- yyyymmdd_domainfqdn\Ldap\*.csv # Unfiltered dumped information \- yyyymmdd_domainfqdn\Relations\*.csv # "Control relations" files, which will be imported into the graph database
-Credential: use explicit authentication (by default implicit authentication is used).
Credentialis a Powershell credential object, use
Get-Credentialto built it . If you don't want your password to appear in the command line but still use explicit authentication use the following
runascommand, then use the module without
C:\> runas /netonly /user:DOM\username powershell.exe
-sysvolPathcan be a network path (example
\\192.168.25.123\sysvol\domain.local\Policies) or a path to a local robocopy of this folder. Defaults to
-ExchangeCredential: explicit authentication for EWS on a CAS Exchange server. Use an Exchange Trusted Subsystem member account with an active mailbox, but NOT DA/EA/Org Mgmgt because of some Deny ACEs.
-logLevel: change log and output verbosity (possible values are
-sysvolOnly: dump only data from the LDAP directory (respectively from the SYSVOL).
-ldapPort: change ldap port (default is
389). This can be useful for a copied
dsamainsince it allows you to use a non standard ldap port.
-useBackupPriv: use backup privilege to access
-sysvolPath, which is needed when using a robocopy. You must use an administrator account to use this option.
-forceOverwrite: overwrite any previous dump files from the same-day, same-target folder
Warning: Accessing the Sysvol share from a non-domain machine can be blocked by UNC Paths hardening, which is a client-side parameter enabled by default since Windows 10. Disable it like this: Set-ItemProperty -Path HKLM:\Software\Policies\Microsoft\Windows\NetworkProvider\HardenedPaths -Name "\*\SYSVOL" -Value "RequireMutualAuthentication=0"
** Note:** The only binary needed in this step is
This action can be performed offline.
To computer relations, use the ADCP module (like in 3.)
Import-Module .\ADCP Prepare-ADCPDump -inputDir -domainDnsName
You can now import the Relations CSV files along with the AD objects into your Neo4j graph database. This step can be done fully offline. Use the ADCP module:
Import-Module .\ADCP $instance = Import-ADCPDump -inputDir -domainDnsName # Launch Neo4J $instance | Start-ADCPInstance
To perform these step manually (or in Linux): 0. Stop the Neo4j server if it is started:
.\bin\neo4j stop0. Import CSV files in a new graph database adcp.db:
$env:DUMP = "PATH_TO\yyyymmdd_domainfqdn\"
.\bin\neo4j-import --into data/databases/adcp.db --id-type string ` --nodes $env:DUMP\Ldap\all_nodes.csv ` --relationships $((dir $env:DUMP\relations\*.csv -exclude *.deny.csv) -join ',') ` --input-encoding UTF-16LE --multiline-fields=true --legacy-style-quoting=false
Headers-related errors will be raised and can be ignored. It is still a good idea to have a look at the bad.log file.
Note: All the previous steps (2, 3, 4) can be piped in Powershell:
Import-Module .\ADCP Get-ADCPDump -outputDir -domainController -domainDnsName | Prepare-ADCPDump | Import-ADCPDump | Start-ADCPInstance
Query/Query.ps1script is used to query the created Neo4j database. Use the -neo4jPort parameter if Start-ADCPInstance binded to something else than the default 7474/TCP (see console).
.\Query.ps1 -search "cn=administrateurs,"
.\Query.ps1 -search "[email protected]"
(This will return a node id number)
.\Query.ps1 -graph -outFile
.\Query.ps1 -graph -maxDepth 15 -outFile
ADCP uses the OVALI frontend to display JSON data files as graphs.
For better visibility, you might want to: - right click -> cluster some similar nodes - setup hierarchical viewing with the menu on the left, especially for email nodes as this will flatten Exchange RBAC nodes - disable physics if the graph does not stabilize - remove unwanted relationships or nodes with right click -> "Cypher delete to clipboard" and paste into http://localhost:7474 then relaunch the query.
Jean-Baptiste Galet - ANSSI - 2017-2018
Geraud de Drouas - ANSSI - 2015-2018
Lucas Bouillot, Emmanuel Gras - ANSSI - 2014 Presented at the French conference SSTIC-2014. Slides and paper can be found here: https://www.sstic.org/2014/presentation/chemins_de_controle_active_directory/.