Visualize

This page contains the definition and capabilities of the Visualize module.

The Visualize module is a playground that lets users analyze every granular edge between entities in your Active Directory environment.

Graph visualization lets users track and reveal every hidden attack path that is caused by the relationships and access control entries between these entities.

Initial Foothold

When opened, the Visualize module automatically draws the Domain Admins group object as the starting node.

Each entity can be opened as the starting node from either the entity detail page on the Attack Surface or the Searchbox on the main frame. (See entity detail page and Searchbox routings)

Hovering the cursor over the starting node helps users identify the entity type of the relevant node.

In addition, the following table describes the Entity Type to Icon mapping (the icons themselves are shown in the interface):

  • Forest

  • Domain

  • Domain Controller Computers

  • Client Computers

  • Server Computers

  • User

  • Group

  • Group Policy Object

  • Organizational Unit

  • Managed Service Account

  • Group Managed Service Account

  • Local User

  • Local Group

  • Certificate Authority

  • Certificate Template

  • CA Certificate

  • Fine Grained Password Policy

  • SMB Share

  • Service Principal Name

  • GPO Owned Scripts

  • Vulnerability

  • Scan

Built-in Graph Features

Left-clicking a single node opens the predefined operation pane on the right side of the graph.

The built-in graph feature set consists of three modules, separated as tabs, each with different capabilities and purposes:

  • Info (the queries vary according to the selected entity type)

  • Queries (Fixed)

  • PathFinder (Fixed)

Info Tab

  • The Info tab starts with the identifier information about the selected node such as Entity Type, ID, FSName and Guid.

  • The Info tab contains built-in graph queries that vary according to the selected entity type. These built-in queries help users find the most common incoming and outgoing attack paths.

Node Specific Built-in Queries

The last four items in the node-specific query list are common to every entity type:

  • Get Shortest Path to Admin Objects: Finds the shortest path from the selected node to administrative objects.

  • Get All Shortest Path to Here: Finds the shortest path from any node to the selected node.

  • Get Shortest Path to Here from Cross Domain/Forest: Finds the shortest path to the selected node from any node that belongs to another domain or forest.

  • Get Shortest Path to Cross Domain/Forest: Finds the shortest path from the selected node to any node that belongs to another domain or forest.

Shortest paths are calculated by hop count, i.e. the number of edges between the two nodes.

As an example, find the shortest path to the Domain Admins object of the hq.rd.forestall.labs domain, which is one of the crown jewels of the Active Directory environment:

Users can use the mouse wheel to zoom in and out, and drag the mouse to navigate the graph plane.

The slide bar in the lower left corner limits the query result to prevent overhead on big result sets. Users can set the limit according to their needs. (In huge environments, common objects may have thousands or even tens of thousands of relation paths.)

Download: The download button saves the current paths on the graph pane as an image file for offline analysis.

Center: Centers the graph.

Domain - Node Specific Built-in Queries

  • Dangerous access control entries on this domain: Directly incoming access control entries from non-privileged objects to this domain node. Owners of the access control entries have permission to perform critical operations on this node. (See Relations)

  • Get Trust Relations: Trust relations between this domain node and other domains/forests.

Computer - Node Specific Built-in Queries

Includes all domain controllers, servers and clients.

  • Who can read this computer password: The attack paths that allow other entities to read the selected computer's password.

  • Who can rdp into this computer: The attack paths that allow other entities to connect to the selected computer with Remote Desktop Protocol.

  • Who can exec command on this computer: The attack paths that allow other entities to execute commands on the selected computer with DCOM, PowerShell, etc.

  • Find nested group memberships: Reveals the nested parent group membership paths of the selected computer.

  • Explicit local admin rights: The attack paths that grant other entities Local Administrator rights on the selected computer. These attack paths are caused by direct/explicit membership in the local Administrators group.

  • Group delegated local admin rights: The attack paths that grant other entities Local Administrator rights on the selected computer. These attack paths are caused by nested membership in the local Administrators group.

  • Derivative local admin rights: The attack paths that grant other entities Local Administrator rights on the selected computer. It is very similar to the Group delegated local admin rights query. The only difference is that Derivative local admin rights takes existing sessions into consideration, which can be abused by impersonation or credential harvesting.

    • Example path for Derivative local admin rights on DC02@rd.forestall.labs:

In the figure above, Administrator@rd.forestall.labs has explicit local admin rights on the DC02@rd.forestall.labs computer account.

Since the Administrator@rd.forestall.labs user has a SESSION on the SRV06@rd.forestall.labs computer account, Authenticated Users@rd.forestall.labs, which has explicit local admin rights on SRV06@rd.forestall.labs, can harvest the credentials/hashes/tickets that belong to the Administrator@rd.forestall.labs user or impersonate processes running with Administrator@rd.forestall.labs rights, and thereby access DC02@rd.forestall.labs as a local administrator.
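The following Python example is added here to make the session-based reasoning above concrete; it is not part of this page or of the product. It models the relations from the figure as a constructed graph, computes shortest paths by hop count as the node-specific queries do, and classifies explicit, group-delegated and derivative local admins. The relation names AdminTo, MemberOf and HasSession, the extra svc_backup/Server Admins nodes, and the treatment of the three modes as cumulative sets of allowed relations are assumptions.

```python
from collections import deque

# Constructed sample graph for the path described on this page (not real data):
# the Administrator is an explicit local admin on DC02 and has a session on
# SRV06, where Authenticated Users and a nested group are local admins.
EDGES = [
    ("Administrator@rd.forestall.labs", "AdminTo", "DC02@rd.forestall.labs"),
    ("Administrator@rd.forestall.labs", "HasSession", "SRV06@rd.forestall.labs"),
    ("Authenticated Users@rd.forestall.labs", "AdminTo", "SRV06@rd.forestall.labs"),
    ("svc_backup@rd.forestall.labs", "MemberOf", "Server Admins@rd.forestall.labs"),
    ("Server Admins@rd.forestall.labs", "AdminTo", "SRV06@rd.forestall.labs"),
]
COMPUTERS = {"DC02@rd.forestall.labs", "SRV06@rd.forestall.labs"}
# Relation types each local-admin query may traverse (assumed to be cumulative).
MODES = {"explicit": {"AdminTo"}, "group": {"AdminTo", "MemberOf"},
         "derivative": {"AdminTo", "MemberOf", "HasSession"}}

def build_graph(edges):
    """Adjacency list in the direction a path is walked. MemberOf and AdminTo
    point source->target; HasSession is reversed, because control of a computer
    exposes the credentials of every principal with a session on it."""
    adj = {}
    for src, rel, dst in edges:
        a, b = (dst, src) if rel == "HasSession" else (src, dst)
        adj.setdefault(a, []).append((b, rel))
    return adj

def shortest_path(adj, start, goal, allowed=frozenset(MODES["derivative"])):
    """BFS, so 'shortest' means fewest hops, as the page's queries count it.
    Returns [(from, relation, to), ...] or None when goal is unreachable."""
    prev, q = {start: None}, deque([start])
    while q:
        node = q.popleft()
        if node == goal:
            hops = []
            while prev[node] is not None:
                parent, rel = prev[node]
                hops.append((parent, rel, node))
                node = parent
            return hops[::-1]
        for nxt, rel in adj.get(node, []):
            if rel in allowed and nxt not in prev:
                prev[nxt] = (node, rel)
                q.append(nxt)
    return None

def local_admins(adj, computer, mode):
    """Principals that reach `computer` using only the relations `mode` allows."""
    nodes = set(adj) | {n for lst in adj.values() for n, _ in lst}
    return {p for p in nodes - COMPUTERS
            if shortest_path(adj, p, computer, MODES[mode]) is not None}
```

Calling shortest_path on the built graph from Authenticated Users to DC02 returns the three hops from the figure (AdminTo SRV06, HasSession Administrator, AdminTo DC02), and only the derivative mode lists Authenticated Users as an admin of DC02.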

  • Dangerous access control entries on this computer: Directly incoming access control entries from non-privileged objects to this computer node. Owners of the access control entries have permission to perform critical operations on this node. (See Relations)

User - Node Specific Built-in Queries

  • Who can reset this users password: The attack paths that allow other entities to reset the selected user's password.

  • Find nested group memberships: Reveals the nested parent group membership paths of the selected user.

  • Explicit local admin rights: The attack paths that grant the selected user node Local Administrator rights on computer entities. These attack paths are caused by direct/explicit membership in the local Administrators group of any computer.

  • Group delegated local admin rights: The attack paths that grant the selected user node Local Administrator rights on computer entities. These attack paths are caused by nested membership in the local Administrators group of any computer.

  • Derivative local admin rights: The attack paths that grant the selected user node Local Administrator rights on computer entities. It is very similar to the Group delegated local admin rights query. The only difference is that Derivative local admin rights takes existing sessions into consideration, which can be abused by impersonation or credential harvesting.

  • Dangerous access control entries on this user: Directly incoming access control entries from non-privileged objects to this user node. Owners of the access control entries have permission to perform critical operations on this node. (See Relations)

Group - Node Specific Built-in Queries

  • Who Can Add Members to This Group: Find the entities that can add members to the selected group node.

  • Find nested group memberships: Reveals the nested parent group membership paths of the selected group.

  • Find Nested Child Groups: Reveals the nested child group membership paths of the selected group.

  • Explicit local admin rights: The attack paths that grant the selected group node Local Administrator rights on computer entities. These attack paths are caused by direct/explicit membership in the local Administrators group of any computer.

  • Group delegated local admin rights: The attack paths that grant the selected group node Local Administrator rights on computer entities. These attack paths are caused by nested membership in the local Administrators group of any computer.

  • Dangerous access control entries on this group: Directly incoming access control entries from non-privileged objects to this group node. Owners of the access control entries have permission to perform critical operations on this node. (See Relations)

Group Policy Object - Node Specific Built-in Queries

  • Who can edit this Group Policy: Reveals the entities that can directly edit this group policy object.

  • Dangerous access control entries on this group: Directly incoming access control entries from non-privileged objects to this group policy object node. Owners of the access control entries have permission to perform critical operations on this node. (See Relations)

Organizational Unit - Node Specific Built-in Queries

  • Dangerous access control entries on this OU: Directly incoming access control entries from non-privileged objects to this organizational unit node. Owners of the access control entries have permission to perform critical operations on this node. (See Relations)

Managed Service Account - Node Specific Built-in Queries

  • Who can read this user password: The attack paths that allow other entities to read the selected managed service account's password.

  • Find nested group memberships: Reveals the nested parent group membership paths of the selected managed service account.

  • Explicit local admin rights: The attack paths that grant the selected managed service account node Local Administrator rights on computer entities. These attack paths are caused by direct/explicit membership in the local Administrators group of any computer.

  • Group delegated local admin rights: The attack paths that grant the selected managed service account node Local Administrator rights on computer entities. These attack paths are caused by nested membership in the local Administrators group of any computer.

  • Dangerous access control entries on this account: Directly incoming access control entries from non-privileged objects to this managed service account node. Owners of the access control entries have permission to perform critical operations on this node. (See Relations)

Group Managed Service Account - Node Specific Built-in Queries

  • Who can read this user password: The attack paths that allow other entities to read the selected group managed service account's password.

  • Find nested group memberships: Reveals the nested parent group membership paths of the selected group managed service account.

  • Explicit local admin rights: The attack paths that grant the selected group managed service account node Local Administrator rights on computer entities. These attack paths are caused by direct/explicit membership in the local Administrators group of any computer.

  • Group delegated local admin rights: The attack paths that grant the selected group managed service account node Local Administrator rights on computer entities. These attack paths are caused by nested membership in the local Administrators group of any computer.

  • Dangerous access control entries on this account: Directly incoming access control entries from non-privileged objects to this group managed service account node. Owners of the access control entries have permission to perform critical operations on this node. (See Relations)

Local Group - Node Specific Built-in Queries

  • Get Domain Members of Local Group: Finds the members of the selected local group that belong to the domain. Reveals the membership paths from the domain environment to the local environment.

Certificate Authority - Node Specific Built-in Queries

  • Who can Request a Certificate from the Certificate Authority: Reveals the entities that have permission to enroll in any certificate template published by the selected certificate authority node.

  • Published Certificate Templates from this CA that Enables Domain Authentication & Arbitrary SAN: Finds the certificate templates published by the selected certificate authority node that allow enrolled users to authenticate to the domain and to specify an arbitrary Subject Alternative Name.

Certificate Template - Node Specific Built-in Queries

  • Who Have Enrollment Rights on the Certificate Template: Finds the entities that have permission to enroll in this certificate template node.

Queries Tab

The Queries tab contains built-in graph queries that affect the entire environment from a holistic perspective.

These queries help users find and reveal a general overview of, and insights into, the operation and management behavior of the Active Directory.

Queries

Find objects with DCSync Rights: DCSync is a special right that allows entities to obtain the password hash database from the domain controllers. This query allows users to reveal all the objects that have DCSync rights on the domain objects.

Find Non Builtin Admin Objects with WriteDACL Rights: WriteDACL is a special right that allows right holders to change the access control entries on a target. In general, the administrator groups (Domain Admins, Enterprise Admins, Administrators) or their members own this right over the entities. This query reveals the objects that have WriteDACL rights on any entity and are neither an administrator group nor a member of one.

Find Top Ten Users with Most Sessions: Finds the top ten users that have the most number of sessions over the computers in the environment.

Find Top Ten Computers with Most Sessions: Finds the top ten computers that have the most number of incoming sessions from the entities in the environment.

Find Top Ten Computers with Most Admins: Finds the top ten computers that have the most local administrative entities.

Find All Users that have Local Admin Rights: Finds all users/local users that have local administrator rights on any computer in the environment.

Find All Computers that have Local Admin Rights: Finds all computer accounts that have local administrator rights on any other computer in the environment.

Find Domain Members of Local Groups: Finds the members of the local group objects that belong to the domain. Reveals the membership paths from the domain environment to the local environment.

Find Computers where Domain Users are Local Administrator: Finds the computer objects where the Domain Users group has explicit local admin rights.

Find Computers where Domain Users can RDP to: Finds the computer objects where the Domain Users group has been allowed to connect with Remote Desktop Protocol.

Find Other Rights which Domain Users Shouldn't Have: Finds the too-permissive rights that cause attack paths from the Domain Users to any entity. Since these rights allow critical operations, broad groups like Domain Users should not have such rights.

Find Administrators (DA,BA,EA) Sessions: Finds sessions from members of the Administrator groups (Domain Admins, Built-in Administrators, Enterprise Admins) to any computer.

Find Administrators (DA,BA,EA) Sessions to Non Domain Controllers: Finds sessions from members of the Administrator groups (Domain Admins, Built-in Administrators, Enterprise Admins) to computers that are not domain controllers.

Find Groups with RDP Rights: Finds group objects that have been allowed to connect with Remote Desktop Protocol to a computer.

Find Groups with PS Remoting Rights: Finds group objects that have been allowed to connect to and execute commands on a computer over PowerShell Remoting.

Find Groups with DCOM Execution Rights: Finds group objects that have been allowed to connect to and execute commands on a computer over the Distributed Component Object Model (DCOM).

Find Groups that have Local Admin Rights: Finds group objects that have local administrator rights on any computer in the environment.

Find Service Accounts' Sessions: Finds the service users that have an existing session on any computer object.

Find Accounts which Used in Local Services: Finds accounts that are responsible for managing or running a local service.

Get All Trust Relations: Gets all trust relations between domains/forests and other domains/forests.

Get Inter Domain/Forest Group Memberships: Gets group memberships between entities from different domains or forests.

Get Inter Domain/Forest Access Control Entries: Finds the access control entries between entities from different domains or forests.

PathFinder

The PathFinder tab allows users to find the shortest paths between entities. The edges in those paths consist of critical relations that can lead to a critical operation on a node or to the full compromise of that node.
