{"id":13539870,"url":"https://github.com/cyberark/ACLight","last_synced_at":"2025-04-02T06:31:39.667Z","repository":{"id":41322243,"uuid":"91559008","full_name":"cyberark/ACLight","owner":"cyberark","description":"A script for advanced discovery of Privileged Accounts - includes Shadow Admins","archived":false,"fork":false,"pushed_at":"2019-09-09T06:48:45.000Z","size":115,"stargazers_count":799,"open_issues_count":1,"forks_count":146,"subscribers_count":70,"default_branch":"master","last_synced_at":"2025-03-28T15:07:58.063Z","etag":null,"topics":["account-management","acl","active-directory","powershell","shadow-admin"],"latest_commit_sha":null,"homepage":"","language":"PowerShell","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"bsd-3-clause","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/cyberark.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null}},"created_at":"2017-05-17T09:29:41.000Z","updated_at":"2025-03-03T18:53:55.000Z","dependencies_parsed_at":"2022-08-03T15:19:01.800Z","dependency_job_id":null,"html_url":"https://github.com/cyberark/ACLight","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/cyberark%2FACLight","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/cyberark%2FACLight/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/cyberark%2FACLight/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/cyberark%2FACLight/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/cyberark","download_url":"https://codeload.github.com/cyberark/ACLight/tar.gz/refs/hea
ds/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":246768101,"owners_count":20830605,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["account-management","acl","active-directory","powershell","shadow-admin"],"created_at":"2024-08-01T09:01:33.283Z","updated_at":"2025-04-02T06:31:34.647Z","avatar_url":"https://github.com/cyberark.png","language":"PowerShell","readme":"# ACLight\nA tool for advanced discovery of Privileged Accounts - including Shadow Admins.  \nACLight2 is the improved version of the tool.\n\n# Shadow Admins Research\nThe tool (version 1) was published as part of the \"Shadow Admins\" research - more details on \"Shadow Admins\" are in the blog post: https://www.cyberark.com/threat-research-blog/shadow-admins-stealthy-accounts-fear  \n  \nThe research was also presented at the InfoSecurity conference, London: [presentation link](https://www.slideshare.net/AsafHecht/the-presentation-on-my-shadow-admins-research)  \n\n# Overview\nACLight is a tool for discovering privileged accounts through advanced ACLs analysis (objects’ ACLs - Access Lists, aka DACL\\ACEs).  
\nIt includes the discovery of Shadow Admins in the scanned network.\n  \nThe tool queries the Active Directory (AD) for its objects' ACLs and then filters and analyzes the sensitive permissions of each one.\nThe result is a list of the most privileged accounts in the network (from the advanced ACLs perspective of the AD).\nYou can run the scan as any regular user, even a non-privileged one, because it only performs legitimate read-only LDAP queries to the AD.\n\nJust run it and check the result.\n\nYou should take care of all the privileged accounts that the tool discovers for you.  \nEspecially - take care of the Shadow Admins - those are accounts with direct sensitive ACLs assignments (as opposed to getting privileges as part of membership in known privileged groups).\n\nTo scan cloud environments and discover the most privileged entities in AWS and Azure, check the new open source tool - SkyArk:  \nhttps://github.com/cyberark/SkyArk  \n\n# ACLight2\n\nThis is ACLight2 - the new version of ACLight scan. It’s much quicker, has a new scan architecture and better results.  \nIt solves scalability and performance issues from the previous version.  \n  \nIn addition, ACLight2 is built on a recursive scan and provides multi-layered privileged accounts analysis.  \nAs a first step, the scan starts by building the first layer of privileged accounts. Those are the accounts that have direct privileges over the domain’s sensitive objects. Then, as a second step, the tool continues and scans the ACLs over those newly discovered privileged accounts from layer 1 and builds an optional second layer of new privileged accounts that have privileges over the accounts from the first layer. 
This second step is recursive: the tool keeps scanning for more optional layers of privileged accounts until all the privileged account chains are enumerated.\n\n# Usage:\nOption 1:\n-\tDouble click on \"Execute-ACLight.bat\".\n\nOption 2:\n-\tOpen PowerShell (with -ExecutionPolicy Bypass)\n-\tGo to \"ACLight2\" main folder\n-\t“Import-Module '.\\ACLight2.psm1'”\n-\t“Start-ACLsAnalysis”\n\nChoose the target domain:  \nBy default, ACLight automatically scans all the domains of the scanned network forest. You can use the “Domain” parameter if you are interested in scanning only one specific domain:\n- Start-ACLsAnalysis -domain \"DomainName.com\"\n  \n**ACLight2 DEMO:**  \n![Demo](https://github.com/Hechtov/Photos/blob/master/ACLight/ACLight-v2.gif) \n\n# Reading the results files:\n1) First, check the scan’s executive summary \"Privileged Accounts - Layers Analysis.txt\" - It's an important and straightforward list of the most privileged accounts that were discovered in the scanned network.  \n2) \"Privileged Accounts Permissions - Final Report.csv\" - This is the final summary report; in this file you will find the exact sensitive permissions each account has.  
\n4) \"Privileged Accounts Permissions - Irregular Accounts.csv\", similar to the final report with only the privileged accounts that have direct assignment of ACL permissions (not through their group membership).\n\n# References:\nThe tool uses functions from the open source project PowerView by Will Schroeder ([@harmj0y](https://twitter.com/harmj0y)) - a great project.\n\nFor more comments and questions, you can contact Asaf Hecht ([@Hechtov](https://twitter.com/Hechtov)) and CyberArk Labs.\n","funding_links":[],"categories":["\u003ca id=\"1233584261c0cd5224b6e90a98cc9a94\"\u003e\u003c/a\u003e渗透\u0026\u0026offensive\u0026\u0026渗透框架\u0026\u0026后渗透框架","\u003ca id=\"3ed50213c2818f1455eff4e30372c542\"\u003e\u003c/a\u003e工具","PowerShell","PowerShell (153)","Network Tools","Tools","Network"],"sub_categories":["\u003ca id=\"a9494547a9359c60f09aea89f96a2c83\"\u003e\u003c/a\u003e后渗透","\u003ca id=\"4c2095e7e192ac56f6ae17c8fc045c51\"\u003e\u003c/a\u003e提权\u0026\u0026PrivilegeEscalation","Network Reconnaissance Tools","Network Tools"],"project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fcyberark%2FACLight","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fcyberark%2FACLight","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fcyberark%2FACLight/lists"}