• Stars
    star
    282
  • Rank 146,549 (Top 3 %)
  • Language
    Rust
  • Created almost 3 years ago
  • Updated over 1 year ago

Reviews

There are no reviews yet. Be the first to send feedback to the community and the maintainers!

Repository Details

Active Directory delegation management tool

ADeleg

Build Release Issues

Is an Active Directory delegation management tool. It allows you to make a detailed inventory of delegations set up so far in a forest, along with their potential issues:

  • Objects owned by users
  • Objects with ACEs for users
  • Non canonical ACL
  • Disabled ACL inheritance
  • Default ACL modified in schema
  • Deleted delegation trustees

It also allows you to document your delegation model in JSON files, to obtain a more readable view:

Usage

Download the latest release here and double click on it for a graphical interface:

Screenshot of GUI

You can also use the tool from a terminal by passing any option to it (if you don't want to pass any particular option, just use --text):

Screenshot of CLI

If you want to export results, you can choose a CSV output using --csv my.csv This is also suitable if you are interested in differences introduced since a previous dump (e.g. in PowerShell, diff (cat export_new.csv) (cat export_old.csv) )

Results should be concise in forests without previous work in delegation management. If results are too verbose to be used, open an issue describing the type of results obscuring interesting ones, ideally with CSV exports or screenshots.

You can start using this inventory right away, in two ways:

  1. look for highly privileged resources which have no reason to have any delegation set up on them, since they are only supposed to be managed by forest-wide administrators

View by resource

  1. you can also start the other way around, and look for trustees which have no reason to have any right delegated to them (e.g. day-to-day end user accounts)

View by trustee

FAQ

How do I know if one result is important? Should I consider everything a problem? You should start reviewing delegations on your critical assets (domain controllers, domain admins, their admin workstations, servers with sensitive business data, etc.): are these delegations needed for a user or service to do their work? could they not work with fewer access rights, or on fewer objects?

My forest has years of delegations built up, how am I supposed to handle that many warnings? You may want to run the analysis periodically and only focus on differences, so that you can start from a baseline and clean up delegations little by little over time.

Can I import results from this tool into product ? Yes, if your tool knows how to parse CSV: .\adeleg.exe --csv dump.csv

How does it work?

This tool enumerates security descriptors of all objects, then filters out "expected" ACEs:

  • Inherited ACEs, since we are only interested in the original ACE upper in the tree;
  • ACEs in the defaultSecurityDescriptor of the object class in the schema;
  • Some special cases which need to be handled manually.

Special cases currently include:

  • object owners under a container with a CREATE_CHILD delegation
  • ACEs for CREATOR_OWNER which are replaced and split in two in some cases during inheritance
  • AdminSDHolder ACEs, for principals with adminCount set to 1
  • KDS Root Keys, RODCs, ADCS, ADFS, Exchange, etc. are work in progress

Copyright

All icons packaged with this project are the property of Microsoft Corporation. For source code licensing, see LICENSE.md.

More Repositories

1

ntsec

Standalone tool to explore the security model of Windows and its NT kernel. Use it to introspect privilege assignments and access right assignments, enumerate attack surfaces from the point of view of a sandboxed process, etc.
C
29
star
2

evtq

Windows eventlog formatting, live fetching and querying utility in C
Rust
17
star
3

lsobj

Lists all visible objects in the Windows kernel object namespace, a command-line WinObj
C
11
star
4

libiris

libiris is a (work in progress) cross-platform sandboxing library
Rust
11
star
5

win32k-mitigation

A test project to try the new win32k.sys system call filtering mitigation in Windows 10
C
10
star
6

muslkl

A unikernel builder based on MUSL + LKL, designed to run any vanilla application inside an SGX enclave
C
10
star
7

winsddl

Windows Security Descriptor Definition Language (SDDL) parser and formatter
Python
10
star
8

captrace

Lists capabilities used by processes on your system as they are requested, to assist in the task of creating custom hardened profiles for containers and sandboxes.
C
7
star
9

dracut-dropbear-unlock

A minimalist dracut module that allows you to remotely unlock an encrypted root partition during boot.
Shell
5
star
10

windows-service

Minimal Windows service boilerplate
C
4
star
11

nt-object-types

Toy project to explore the NT kernel's object types and their security access rights
C
4
star
12

tristitude

A simple process security policy enumerator. This project has been superseded by https://github.com/mtth-bfft/ntsec , which now has the same functionalities and many more :)
C
4
star
13

windows-service-dll

Minimal Windows service boilerplate packaged as DLL
C
3
star
14

seccomp-dump

A small utility to fetch the seccomp BPF filter used by a thread from the kernel, and disassemble/study it
C
3
star
15

kblist

Windows Update website crawler to list security updates by version and type (cumulative/non-cumulative)
Python
3
star
16

tpm-otp

A minimal tool that communicates with your TPM during boot, to display a one-time password and prove bootchain integrity.
C
2
star
17

simplvpn

A standalone script to manage OpenVPN server and client configurations.
Shell
2
star
18

seccomp-analyze

A seccomp BPF filter verifier written in Prolog, to parse, analyze and list system calls and arguments allowed by a given filter.
Prolog
2
star
19

ipc-benchmarks

Benchmarks for various IPC mechanisms on various OSes
C
1
star
20

repadmin-parser

Minimal Python parser for Microsoft's repadmin replication metadata listings
Python
1
star
21

sandboxing-pocs

Various not-for-production proofs of concept around sandboxing
Rust
1
star
22

dyndnsmon

Live monitor for failed dynamic DNS updates on Windows Server
C++
1
star