¶ ACLight
https://github.com/cyberark/ACLight
¶ Overview
ACLight is a tool for discovering privileged accounts through advanced ACLs analysis (objects’ ACLs - Access Lists, aka DACL\ACEs).
It includes the discovery of Shadow Admins in the scanned network.
The tool queries the Active Directory (AD) for its objects' ACLs and then filters and analyzes the sensitive permissions of each one. The result is a list of most privileged accounts in the network (from the advanced ACLs perspective of the AD). You can run the scan with just any regular user, it could be a non-privileged user because it only performs legitimate read-only LDAP queries to the AD.
Just run it and check the result.
You should take care of all the privileged accounts that the tool discovers for you.
Especially - take care of the Shadow Admins - those are accounts with direct sensitive ACLs assignments (as opposed of getting privileges as part of membership in known privileged groups).
For scanning cloud environments and discover the most privileged entities in AWS and Azure, check the new open source tool - SkyArk:
https://github.com/cyberark/SkyArk
¶ CMD
Start-ACLsAnalysis
¶ Screenshots of results
¶ How to start?
You can find this here.