<div align="center">

AD Miner

<br> </div> <div align="center"> <a target="_blank" rel="noopener noreferrer" href="https://github.com/Mazars-Tech/AD_Miner/releases" title="Latest AD_Miner release"> <img src="https://img.shields.io/github/v/release/Mazars-Tech/AD_Miner?color=informational" alt="Latest AD_Miner version"></a> <a target="_blank" rel="noopener noreferrer" href="https://github.com/Mazars-Tech/AD_Miner/commits/main" title="Latest release"> <img src="https://img.shields.io/github/last-commit/Mazars-Tech/AD_Miner/main?label=Latest%20release" alt="Latest release"></a> <a target="_blank" rel="noopener noreferrer" href="https://github.com/Mazars-Tech/AD_Miner/commits/dev" title="Latest commit in dev"> <img src="https://img.shields.io/github/last-commit/Mazars-Tech/AD_Miner/dev?label=Latest%20commit%20in%20dev" alt="Latest commit in dev"></a> <a target="_blank" rel="noopener noreferrer" href="https://inventory.raw.pm/tools.html#ADMiner" title="Rawsec's CyberSecurity Inventory"> <img src="https://inventory.raw.pm/img/badges/Rawsec-inventoried-FF5050_flat.svg" alt="Rawsec's CyberSecurity Inventory badge"></a> <br> <a href="https://discord.gg/invite/5Hpj4Gs5SS"> <img src="doc/img/discord.png" alt="Discord" width="15%"> </a> </div>

AD Miner is an Active Directory (on-premise and Entra ID) auditing tool that crunches the data of a BloodHound Neo4j database into a web-based report of the domain's weaknesses.

Web-based report features:

Quick overview of a report

Comprehensive Mitigation Paths for Active Directory Risks

A risk-based rating of Active Directory weaknesses, along with comprehensive mitigation paths.

<p align="center"> <img src="doc/img/main1.gif" alt="Main page" width="70%" /> </p>

A dynamic web interface

Search bar and controls that are carefully tailored to identify the most risky misconfigurations.

<p align="center"> <img src="doc/img/gpo2.gif" alt="Main page" width="70%" /> </p>

Progress Monitoring through an Evolving Interface

You can also observe indicators over time, which helps measure how effective your mitigations have been.

<p align="center"> <img src="doc/img/evol.gif" alt="Main page" width="70%" /> </p>

AD Miner was initially created by the Forvis Mazars Cybersecurity team.

Prerequisites

To run AD Miner, you first need a neo4j database which contains the Active Directory objects:

  1. To extract the data from the domain, use a collector such as SharpHound, RustHound-CE or BloodHound.py (and AzureHound for Entra ID environments).

[!CAUTION] We strongly recommend using BloodHound Automation, as it installs the Graph Data Science (GDS) Neo4j plugin, which AD Miner relies on for its smartest-path computation and for faster execution.

  2. To set up your BloodHound environment (GUI and Neo4j database), BloodHound Automation is highly recommended because of its seamless integration with the Graph Data Science plugin. A default BloodHound CE installation works too, but be aware that without GDS you miss out on its benefits (smarter pathfinding, improved execution speed, etc.).

  3. By default, BloodHound exposes the Neo4j database on port 7687.

Installation and setup

The easiest way is to install it with pipx:

pipx install 'git+https://github.com/Mazars-Tech/AD_Miner.git'

AD Miner is also packaged for some Linux distributions:

Packaging status

Usage

Run the tool:

AD-miner [-h] [-b BOLT] [-u USERNAME] [-p PASSWORD] [-e EXTRACT_DATE] [-r RENEWAL_PASSWORD] [-a] [-c] [-l LEVEL] -cf CACHE_PREFIX [-ch NB_CHUNKS] [-co NB_CORES] [--rdp] [--evolution EVOLUTION] [--cluster CLUSTER]

Example:

AD-miner -cf My_Report -u neo4j -p mypassword

Cache files are written as each Neo4j request completes, so you can pause or stop AD Miner at any point without losing the results already computed. To use the cache, pass the -c parameter. Cache files are stored in the cache_neo4j folder of your current working directory. For the cache to be picked up, the report name given with -cf must match the cache files' name prefix:

AD-miner -c -cf My_Report -u neo4j -p mypassword

To better handle large data sets, you can enable multi-threading and also spread the queries over a cluster of Neo4j databases, as in the following example (where server1 handles 32 threads and server2 handles 16):

AD-miner -c -cf My_Report -b bolt://server1:7687 -u neo4j -p mypassword  --cluster server1:7687:32,server2:7687:16
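The --cluster value packs one host:port:nCores triple per node, separated by commas. The following helper is an added example, not part of AD Miner: it parses that format with the validation a practitioner would want before launching a long audit, and shows one way to split a number of query chunks across the nodes in proportion to their cores. The proportional split is an illustration of the idea; how AD Miner itself schedules chunks across cluster nodes is not documented on this page and is not claimed here.

```python
"""Parse an AD Miner style --cluster specification and plan a work split.

Added example, not AD Miner code. It reproduces only the documented format
host:port:nCores,host:port:nCores; the proportional chunk split below is an
assumption about how one could distribute work, not AD Miner's scheduler.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class ClusterNode:
    host: str
    port: int
    cores: int

    @property
    def bolt_uri(self) -> str:
        return f"bolt://{self.host}:{self.port}"


def parse_cluster(spec: str) -> list[ClusterNode]:
    """Parse 'host1:port1:nCore1,host2:port2:nCore2' into ClusterNode objects.

    Rejects empty entries, malformed triples, non-numeric ports or cores,
    out-of-range ports and zero cores, which would otherwise only surface
    much later as an opaque connection or division error.
    """
    nodes = []
    for raw in spec.split(","):
        entry = raw.strip()
        if not entry:
            raise ValueError("empty cluster entry")
        parts = entry.rsplit(":", 2)  # rsplit keeps ':' inside bracketed IPv6 hosts intact
        if len(parts) != 3:
            raise ValueError(f"expected host:port:nCores, got {entry!r}")
        host, port_s, cores_s = parts
        if not host:
            raise ValueError(f"missing host in {entry!r}")
        try:
            port, cores = int(port_s), int(cores_s)
        except ValueError as exc:
            raise ValueError(f"port and nCores must be integers in {entry!r}") from exc
        if not 1 <= port <= 65535:
            raise ValueError(f"port out of range in {entry!r}")
        if cores < 1:
            raise ValueError(f"nCores must be >= 1 in {entry!r}")
        nodes.append(ClusterNode(host, port, cores))
    return nodes


def split_chunks(nodes: list[ClusterNode], nb_chunks: int) -> dict[str, int]:
    """Assign nb_chunks query chunks to nodes proportionally to their cores.

    Largest-remainder rounding guarantees the per-node counts sum to nb_chunks.
    """
    total_cores = sum(n.cores for n in nodes)
    exact = {n.bolt_uri: nb_chunks * n.cores / total_cores for n in nodes}
    plan = {uri: int(v) for uri, v in exact.items()}
    leftover = nb_chunks - sum(plan.values())
    # hand the remaining chunks to the nodes with the largest fractional share
    for uri in sorted(exact, key=lambda u: exact[u] - plan[u], reverse=True)[:leftover]:
        plan[uri] += 1
    return plan


if __name__ == "__main__":
    cluster = parse_cluster("server1:7687:32,server2:7687:16")
    for node in cluster:
        print(node.bolt_uri, "cores:", node.cores)
    print(split_chunks(cluster, 96))
```

With the two-node spec from the command above, 96 chunks split 64/32; with 10 chunks the 2:1 ratio cannot be honoured exactly and the split becomes 7/3, the extra chunk going to the node with the larger fractional share.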

If the password renewal policy is known, specify it with the -r parameter so that the password renewal controls match your environment's settings (the default is 90 days). For example, if the password policy is set to 180 days:

AD-miner -c -cf My_Report -b bolt://server:7687 -u neo4j -p mypassword -r 180

[!TIP] The default password of the BloodHound CE Neo4j database is bloodhoundcommunityedition, or neo5j if you use BloodHound Automation.

Options:

  -h, --help            show this help message and exit
  -b BOLT, --bolt BOLT  Neo4j bolt connection (default: bolt://127.0.0.1:7687)
  -u USERNAME, --username USERNAME
                        Neo4j username (default : neo4j)
  -p PASSWORD, --password PASSWORD
                        Neo4j password (default : bloodhoundcommunityedition)
  -e EXTRACT_DATE, --extract_date EXTRACT_DATE
                        Extract date (e.g., 20220131). Default: last logon date
  -r RENEWAL_PASSWORD, --renewal_password RENEWAL_PASSWORD
                        Password renewal policy in days. Default: 90
  -c, --cache           Use local file for neo4j data
  -l LEVEL, --level LEVEL
                        Recursive level for path queries
  -cf CACHE_PREFIX, --cache_prefix CACHE_PREFIX
                        Cache file to use (in case of multiple company cache files)
  --gpo_low             Perform a faster but incomplete query for GPO (faster than the regular query)
  -ch NB_CHUNKS, --nb_chunks NB_CHUNKS
                        Number of chunks for parallel neo4j requests. Default : 20 * number of CPU
  -co NB_CORES, --nb_cores NB_CORES
                        Number of cores for parallel neo4j requests. Default : number of CPU
  --rdp                 Include the CanRDP edge in graphs
  --evolution EVOLUTION
                        Evolution over time : location of json data files. ex : '../../tests/'
  --cluster CLUSTER     Nodes of the cluster to run parallel neo4j queries. ex : host1:port1:nCore1,host2:port2:nCore2,...

In the graph pages, you can right-click on the graph nodes to cluster them or to open the cluster.

<p align="center"> <img src="doc/img/cluster.png" style="height:150px"> </p>

Evolution

If you have multiple AD-Miner reports over time, you can easily track the evolution with the --evolution argument: each AD-Miner report generates a JSON data file alongside the index.html file. You just need to gather these different JSON files into a single folder and specify the path to that folder after the --evolution argument.

A tab called 'Evolution over time' then appears on the main page.

<p align="center"> <img src="doc/img/evolution2.png" style="height:400px"> </p>

The category views ('permissions', 'passwords', 'kerberos') also let you track changes over time.

<p align="center"> <img src="doc/img/evol.gif" style="height:200px"> </p>

Smartest paths

AD Miner can compute paths based on their actual exploitability. Indeed, sometimes the shortest path is difficult to exploit (here because of the ExecuteDCOM before the HasSession).

<p align="center"> <img src="doc/img/smartest_path_1.png"> </p>

While a longer but simpler path exists (here with MemberOf and AdminTo instead of ExecuteDCOM).

<p align="center"> <img src="doc/img/smartest_path_2.png"> </p>

AD Miner automatically switches to smartest path mode when your Neo4j database has the Graph Data Science plugin installed (https://neo4j.com/docs/graph-data-science/current/). The easiest way to install this plugin is to define the environment variable NEO4J_PLUGINS=["graph-data-science"] on your Neo4j Docker container (BloodHound Automation installs it by default).

Currently, 10 controls use full graph coverage and the smartest-path computation for their analysis.
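To make the difference between the two path modes concrete, here is an added example (not AD Miner code, and not the GDS query it runs) on a small constructed BloodHound-style graph. Each edge type carries an assumed exploitability cost: MemberOf and AdminTo are cheap, ExecuteDCOM is expensive. A plain breadth-first shortest path picks the two-hop route through ExecuteDCOM, whereas a cost-weighted (Dijkstra) search picks the longer but easier MemberOf/AdminTo route, which is the idea behind the smartest path. The node names, the graph and the cost table are all made up for the illustration.

```python
"""Shortest path versus 'smartest' (cheapest) path on a tiny BloodHound-style graph.

Added example, not AD Miner code. The graph and the per-edge costs are
constructed: they encode the idea that an edge is priced by how hard it is
to exploit, so a longer chain of cheap edges can beat a shorter chain that
crosses an expensive one. Real exploitability weights are an assumption.
"""
import heapq
from collections import deque

# Assumed exploitability cost per edge type (lower = easier to exploit).
EDGE_COST = {
    "MemberOf": 1,
    "AdminTo": 2,
    "HasSession": 3,
    "ExecuteDCOM": 10,
}

# Constructed graph: node -> list of (neighbour, edge type).
GRAPH = {
    "alice@corp.local": [("WS01.corp.local", "ExecuteDCOM"),
                         ("IT-Helpdesk@corp.local", "MemberOf")],
    "WS01.corp.local": [("DOMAIN ADMINS@corp.local", "HasSession")],
    "IT-Helpdesk@corp.local": [("SRV-Admins@corp.local", "MemberOf")],
    "SRV-Admins@corp.local": [("SRV01.corp.local", "AdminTo")],
    "SRV01.corp.local": [("DOMAIN ADMINS@corp.local", "HasSession")],
    "DOMAIN ADMINS@corp.local": [],
}


def _rebuild(prev, dst):
    """Walk the predecessor map back from dst; None if dst was never reached."""
    if dst not in prev:
        return None
    path, node = [], dst
    while node is not None:
        path.append(node)
        node = prev[node]
    return path[::-1]


def shortest_path(graph, src, dst):
    """Fewest hops (BFS), ignoring edge cost: what a plain shortest-path query returns."""
    prev = {src: None}
    queue = deque([src])
    while queue:
        node = queue.popleft()
        if node == dst:
            break
        for nxt, _ in graph.get(node, []):
            if nxt not in prev:
                prev[nxt] = node
                queue.append(nxt)
    return _rebuild(prev, dst)


def smartest_path(graph, src, dst, costs=EDGE_COST):
    """Cheapest path by summed exploitability cost (Dijkstra). Returns (path, cost)."""
    dist, prev = {src: 0}, {src: None}
    heap = [(0, src)]
    while heap:
        d, node = heapq.heappop(heap)
        if d > dist[node]:
            continue  # stale heap entry, a cheaper route was found already
        if node == dst:
            break
        for nxt, edge in graph.get(node, []):
            nd = d + costs[edge]
            if nd < dist.get(nxt, float("inf")):
                dist[nxt], prev[nxt] = nd, node
                heapq.heappush(heap, (nd, nxt))
    return _rebuild(prev, dst), dist.get(dst)


def path_cost(graph, path, costs=EDGE_COST):
    """Total cost of a path, using the edge type that links each consecutive pair."""
    total = 0
    for a, b in zip(path, path[1:]):
        edge = next(e for n, e in graph[a] if n == b)
        total += costs[edge]
    return total


if __name__ == "__main__":
    src, dst = "alice@corp.local", "DOMAIN ADMINS@corp.local"
    short = shortest_path(GRAPH, src, dst)
    smart, cost = smartest_path(GRAPH, src, dst)
    print("shortest:", " -> ".join(short), "| cost", path_cost(GRAPH, short))
    print("smartest:", " -> ".join(smart), "| cost", cost)
```

On this graph the hop-count path is alice -> WS01 -> DOMAIN ADMINS at a cost of 13, while the weighted search returns the four-hop MemberOf/MemberOf/AdminTo/HasSession route at a cost of 7. Swapping in different costs changes which route wins, which is exactly why the weights must reflect the exploitability of the edges in your environment.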

Implemented controls

The following lists the controls already implemented in AD Miner:

Controls for On-premise

| Category | Description | Category | Description |
|---|---|---|---|
| Kerberos | AS-REP Roastable accounts | Misc | Computers with obsolete OS |
| Kerberos | Kerberoastable accounts | Misc | Dormant accounts |
| Kerberos | Kerberos constrained delegation | Misc | Functional level of the domain |
| Kerberos | Kerberos RBCD against computers | Misc | Ghost computers |
| Kerberos | Kerberos unconstrained delegations | Misc | Groups without any member |
| Kerberos | Old KRBTGT password | Misc | OUs without any member |
| Kerberos | Shadow Credentials on privileged accounts | Misc | Shadow credentials on domain controllers |
| Kerberos | Shadow Credentials on regular accounts | Misc | Unexpected PrimaryGroupID |
| Passwords | Access to LAPS passwords | Misc | Users FGPP |
| Passwords | Computers without LAPS | Permissions | ACL anomalies |
| Passwords | Objects can read GMSA passwords of administrators | Permissions | Attack paths choke points |
| Passwords | Password requirement bypass | Permissions | Computers admin of other computers |
| Passwords | Users with cleartext passwords | Permissions | Cross-domain paths to Domain Admin |
| Passwords | Users with old passwords | Permissions | Guest accounts |
| Passwords | Users without password expiration | Permissions | Inadequate access to DCSync privileges |
| Permissions | Inadequate AdminCount settings | Permissions | Inadequate GPO modifications privileges |
| Permissions | Inadequate number of domain admins | Permissions | Machine accounts with inadequate privileges |
| Permissions | Machine accounts with inadequate privileges | Permissions | Non-tier 0 local admin privs on ADCS |
| Permissions | Objects with SID history | Permissions | Paths to DNS Admins |
| Permissions | Paths to Domain Admins | Permissions | Paths to Operators Groups |
| Permissions | Paths to Organizational Units (OU) | Permissions | Paths to servers |
| Permissions | Paths to the AdminSDHolder container | Permissions | "Pre-Windows 2000 Compatible Access" group |
| Permissions | Privileged account outside the protected users group | Permissions | RDP access (computers) |
| Permissions | RDP access (users) | Permissions | Tier-0 violation (sessions) |
| Permissions | Users that have powerful cross-domain privileges | Permissions | Users with local admin privileges |

Controls for Entra ID

| Category | Description | Category | Description |
|---|---|---|---|
| Entra ID Misc | Azure dormant accounts | Entra ID MS Graph | Direct Controllers of MS Graph |
| Entra ID Passwords | Entra ID password reset privileges | Entra ID MS Graph | Entra ID accounts not synced on-prem |
| Entra ID Passwords | Incoherent last password change | Entra ID MS Graph | Synced accounts with disabled twin account |
| Entra ID Permissions | Access to privileged Entra ID roles | Entra ID Permissions | Privileged accounts on both on-prem and Azure |
| Entra ID Permissions | Cross on-prem/Entra ID path to tier-0 | Entra ID Permissions | Users possibly related to AADConnect |
| Entra ID Permissions | Entra ID users with path to high value targets | | |

Contributing

Check out how to contribute here.