DFIR Tools

License Type
Incident Response
ACLight is a tool for discovering privileged accounts through advanced ACLs analysis (objects’ ACLs - Access Lists, aka DACL\ACEs).
 It includes the discovery of Shadow Admins in the scanned network.

The tool queries the Active Directory (AD) for its objects' ACLs and then filters and analyzes the sensitive permissions of each one. The result is a list of most privileged accounts in the network (from the advanced ACLs perspective of the AD). You can run the scan with just any regular user, it could be a non-privileged user because it only performs legitimate read-only LDAP queries to the AD.

Just run it and check the result.

You should take care of all the privileged accounts that the tool discovers for you.
 Especially - take care of the Shadow Admins - those are accounts with direct sensitive ACLs assignments (as opposed of getting privileges as part of membership in known privileged groups).

For scanning cloud environments and discover the most privileged entities in AWS and Azure, check the new open source tool - SkyArk:

User comments

There are no user comments for this listing.
Already have an account? or Create an account