ACLight – Advanced Privileged Accounts Discovery

ACLight is a tool for discovering privileged accounts through advanced ACLs analysis (objects’ ACLs – Access Lists, aka DACL\ACEs). It includes the discovery of Shadow Admins in the scanned network.

ACLight - Advanced Privileged Accounts Discovery
ACLight – Advanced Privileged Accounts Discovery

The tool queries the Active Directory (AD) for its objects’ ACLs and then filters and analyzes the sensitive permissions of each one. The result is a list of most privileged accounts in the network (from the advanced ACLs perspective of the AD). You can run the scan with just any regular user, it could be a non-privileged user because it only performs legitimate read-only LDAP queries to the AD.

You should take care of all the privileged accounts that the tool discovers for you. Especially – take care of the Shadow Admins – those are accounts with direct sensitive ACLs assignments (as opposed of getting privileges as part of membership in known privileged groups).

ACLight2 – the new version of ACLight scan. It’s much quicker, has a new scan architecture and better results. It solves scalability and performance issues from the previous version.

In addition, ACLight2 is built on a recursive scan and provides multi-layered privileged accounts analysis. As a first step, the scan starts by building the first layer of privileged accounts. Those are the accounts who have direct privileges over the domain’s sensitive objects.

Then, as a second step, the tool continues and scans the ACLs over those newly discovered privileged accounts from layer 1 and builds an optional second layer of new privileged accounts who have privileges over the accounts from the first layer.

You can read more and download the scripts over here:

Notify of
Inline Feedbacks
View all comments