AD-control-paths

Active Directory Control Paths (ADCP) is a tool that provides a visual representation of "control relations" between objects in an Active Directory domain: users, computers, groups, Group Policy Objects (GPOs), containers and more. By chaining these relations into control paths, the tool answers questions such as "Who can obtain 'Domain Admins' privileges?" or "Who can read the CEO's emails?", giving insight into permissions, access control and potential security risks in an Active Directory environment.

Installation

Download:

Prerequisites:

     
  • Follow the instructions in BUILDING.md for building if needed.
  • Download Zulu JDK 8 and place it in Dump/ADCP.
  • Download Neo4j 3.4.1 and place it in Dump/ADCP.
  • Install the EWS Managed API if you need Exchange permissions.

How to Use

Dump Data into CSV Files:

Use PowerShell:

 

Prepare: Run Analyzers to Form Control Relationships:

Use PowerShell:

 

Import CSV Files into a Graph Database:

Use PowerShell:

 

Use the Query/Query.ps1 script to query the Neo4j database. Example:

 

Visualize Graphs:

ADCP uses the OVALI frontend to display JSON data files as graphs.

Open Visualize/index.html with a web browser and open one of the generated JSON files.

Additional Information

Usage Context:

     
  • None of these tools need to run on a domain controller.
  • Generating control-path graphs involves four steps: Dump, Prepare, Import, and Query.
  • Data can be collected with live access to the domain, or offline using a copy of ntds.dit and a robocopy of SYSVOL.

Other Querying Examples:

     
  • Basic query to get a graph and paths of all nodes able to take control of the "Domain Admins" group.
  • Search for a node from its DN or an email address and get a graph to it.
  • Progressively increase the ShortestPath algorithm's Depth parameter as you visualize and adjust the graph.
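The following is an added illustration of what the Query step and the querying examples above compute; it is not code from the ADCP project and does not use its Neo4j schema or the OVALI JSON format. Control relations are modelled as directed edges "controller -> controlled", the search walks backwards from a target object to find everything that can reach it within a bounded number of hops (the Depth parameter), and a minimal nodes/edges JSON document is emitted. All object names, relation types and the JSON layout are constructed for the example.

```python
"""Added example of control-path analysis (not ADCP's own code).

A control relation is a directed edge "A -> B" meaning A can take control
of B: A is a member of group B, A holds an ACE on B, A can edit a GPO that
is linked to an OU containing B, and so on. Chaining such edges gives a
control path. The relation names below only mirror the kinds of edges a
tool like ADCP extracts; the domain data itself is invented.
"""
from collections import deque
import json

# Constructed sample domain. Each tuple is (controller, relation, controlled).
SAMPLE_RELATIONS = [
    ("alice", "MEMBER_OF", "Helpdesk"),
    ("Helpdesk", "GENERIC_ALL", "bob"),            # group holds an ACE on bob
    ("bob", "MEMBER_OF", "GPO_Editors"),
    ("GPO_Editors", "WRITE_DACL", "GPO_Servers"),  # group can edit the GPO
    ("GPO_Servers", "GPLINK", "OU_Servers"),       # GPO is linked to the OU
    ("OU_Servers", "CONTAINS", "carol"),           # carol's object lives in the OU
    ("carol", "MEMBER_OF", "Domain Admins"),
    ("dave", "MEMBER_OF", "Domain Admins"),
    ("eve", "GENERIC_ALL", "mallory"),             # dead end, never reaches DA
]


def build_reverse_index(relations):
    """Map each controlled object to the (controller, relation) pairs pointing at it."""
    index = {}
    for controller, relation, controlled in relations:
        index.setdefault(controlled, []).append((controller, relation))
    return index


def controllers_of(target, relations, max_depth):
    """Breadth-first search backwards from target.

    Returns {node: path} for every node that can reach target within
    max_depth control relations; path is the list of
    (controller, relation, controlled) edges from that node to target.
    Because BFS visits each node first via a shortest route, every stored
    path is minimal in hop count. Walking backwards answers the question
    "who can take control of X" in a single traversal.
    """
    index = build_reverse_index(relations)
    paths = {}
    queue = deque([(target, 0, [])])
    seen = {target}
    while queue:
        node, depth, path = queue.popleft()
        if depth == max_depth:          # Depth parameter: stop expanding here
            continue
        for controller, relation in index.get(node, []):
            if controller in seen:
                continue
            seen.add(controller)
            edge_path = [(controller, relation, node)] + path
            paths[controller] = edge_path
            queue.append((controller, depth + 1, edge_path))
    return paths


def shortest_control_path(source, target, relations, max_depth):
    """Shortest control path from source to target, or None if none exists within max_depth."""
    return controllers_of(target, relations, max_depth).get(source)


def to_graph_json(paths):
    """Serialise discovered paths as a generic nodes/edges JSON document.

    This is a constructed layout for illustration, not the OVALI file format.
    """
    nodes, edges = set(), set()
    for path in paths.values():
        for controller, relation, controlled in path:
            nodes.update((controller, controlled))
            edges.add((controller, relation, controlled))
    return json.dumps({
        "nodes": sorted(nodes),
        "edges": [{"from": a, "rel": r, "to": b} for a, r, b in sorted(edges)],
    }, indent=2)


if __name__ == "__main__":
    # Increasing the depth progressively reveals longer, less obvious paths,
    # which is why the graph is best grown one depth step at a time.
    for depth in (1, 3, 7):
        found = controllers_of("Domain Admins", SAMPLE_RELATIONS, depth)
        print(f"depth {depth}: {sorted(found)}")
    path = shortest_control_path("alice", "Domain Admins", SAMPLE_RELATIONS, 10)
    print(" -> ".join(f"{c} [{r}]" for c, r, _ in path) + " -> Domain Admins")
    print(to_graph_json(controllers_of("Domain Admins", SAMPLE_RELATIONS, 7)))
```

At depth 1 only the direct members of the group appear; alice only shows up once the depth reaches the seven hops her path needs, while eve never appears because her only relation leads to a dead end. Real tooling adds the same search over thousands of objects and many more relation types, but the bounded backward traversal is the core of every "who controls X" query.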