ACLight is a tool for discovering privileged accounts through advanced ACL analysis. Its results also include the Shadow Admins in the scanned networks.
What is ACLight?
ACLight is an open source PowerShell script that helps you discover privileged accounts, including Shadow accounts, through advanced ACL (Access Control List) analysis by querying Active Directory (AD). You may ask: what's so special about "shadow accounts"? Well, first of all, these accounts have sensitive privileges and are normally ignored by administrators because they are not members of a privileged AD group. Secondly, they provide the administrative privileges needed to spread laterally or persist. They are ignored because I think administrators concentrate on securing Domain Admin accounts more than looking elsewhere for weakness. Briefly, these types of accounts exist in a network:
- Domain administrative accounts, such as DHCP admin users, etc.
- Local administrative accounts, such as those on endpoints and servers, and “root” on *nix boxes.
- Application/services administrative accounts, such as DB admins or SharePoint admins.
- Double click on "Execute-ACLight.bat", or:
- Open PowerShell (with -ExecutionPolicy Bypass)
- Go to the "ACLight" main folder
- Run Import-Module '.\ACLight.psm1'
Reading the results files:
- First check the "Accounts with extra permissions.txt" file. It is a straightforward and important list of the privileged accounts that were discovered in the scanned network.
- "All entities with extra permissions.txt" lists all the privileged entities that were discovered. It includes not only user accounts but also other "empty" entities such as empty groups or old accounts.
- "Privileged Accounts Permissions – Final Report.csv" is the final summary report. In this file you will find the exact sensitive permissions each account has.
- “Privileged Accounts Permissions – Irregular Accounts.csv” – Similar to the final report with only the privileged accounts that have direct assignment of ACL permissions (not through their group membership).
- “[Domain name] – Full Output.csv” – Raw ACLs output for each scanned domain.
Finding Privileged Accounts Using ACLight:
The procedure is simple. Clone the Git repository of the tool. Then, from the tool's folder, execute:
powershell -NoProfile -ExecutionPolicy Bypass -Command "Import-Module .\ACLight.psm1 -Force; Start-ACLsAnalysis"
The tool writes what it has found into a "Results" directory.
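To show what the ACL analysis described above looks like underneath, and why "direct" assignments (the Irregular Accounts report) differ from rights inherited through group membership, here is an added example. It is not ACLight's own code; it is a minimal audit written for this page. It assumes the RSAT ActiveDirectory module is installed, that the session is domain-joined with read access to AD, and that the only legitimate holders of full-control rights on the domain root are the built-in administrative principals listed in $ExpectedAdminSids (adjust that list for your environment). The function name Find-ShadowAdmin and the output file name are hypothetical.

```powershell
# Added example (not ACLight's code): flag principals that hold control-level ACL rights
# on AD objects without being one of the expected administrative principals.
Import-Module ActiveDirectory

# Rights on an AD object that, on their own, let the holder take control of it.
$SensitiveRights = @(
    [System.DirectoryServices.ActiveDirectoryRights]::GenericAll,
    [System.DirectoryServices.ActiveDirectoryRights]::WriteDacl,
    [System.DirectoryServices.ActiveDirectoryRights]::WriteOwner
)

# Principals expected to hold such rights (assumption: adjust to your environment).
# SYSTEM, ENTERPRISE DOMAIN CONTROLLERS, BUILTIN\Administrators
$ExpectedAdminSids = @('S-1-5-18', 'S-1-5-9', 'S-1-5-32-544')
$DomainSid = (Get-ADDomain).DomainSID.Value
# Domain Admins (RID 512), Enterprise Admins (519), Domain Controllers (516)
$ExpectedAdminSids += "$DomainSid-512", "$DomainSid-519", "$DomainSid-516"

function Find-ShadowAdmin {
    param(
        # Objects whose ACLs are examined; defaults to the domain root object.
        [string[]]$DistinguishedName = @((Get-ADDomain).DistinguishedName)
    )
    foreach ($dn in $DistinguishedName) {
        # The AD: drive is provided by the ActiveDirectory module.
        $acl = Get-Acl -Path "AD:\$dn"
        foreach ($ace in $acl.Access) {
            if ($ace.AccessControlType -ne 'Allow') { continue }

            # Keep only ACEs that grant at least one of the control-level rights.
            $held = $SensitiveRights | Where-Object { ($ace.ActiveDirectoryRights -band $_) -eq $_ }
            if (-not $held) { continue }

            # Normalise the trustee to a SID so it can be compared with the expected list.
            try {
                $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value
            } catch {
                $sid = $ace.IdentityReference.Value
            }
            if ($ExpectedAdminSids -contains $sid) { continue }

            # If the trustee is a group, expand it so indirect holders are visible too;
            # a user named directly here is a "direct assignment" in ACLight's terms.
            $members = @()
            $obj = Get-ADObject -Filter "objectSid -eq '$sid'" -Properties objectClass -ErrorAction SilentlyContinue
            if ($obj -and $obj.ObjectClass -eq 'group') {
                $members = (Get-ADGroupMember -Identity $obj.DistinguishedName -Recursive |
                            Where-Object { $_.objectClass -eq 'user' }).SamAccountName
            }

            [pscustomobject]@{
                Object           = $dn
                Trustee          = $ace.IdentityReference.Value
                Rights           = ($held -join ', ')
                DirectAssignment = (-not $obj) -or ($obj.ObjectClass -ne 'group')
                Inherited        = $ace.IsInherited
                ExpandedUsers    = ($members -join ';')
            }
        }
    }
}

# Usage: audit the domain root and save the candidates for review.
Find-ShadowAdmin | Export-Csv -Path .\ShadowAdminCandidates.csv -NoTypeInformation
```

Anything this returns is a principal that can take over the scanned object without appearing in Domain Admins or a similar group, which is exactly the kind of account the page calls a shadow admin. Pass additional distinguished names (for example OUs holding tier-0 accounts) to widen the audit; ACLight itself scans far more objects than this single-object example.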