AD Miner is an Active Directory (on-premise and Entra ID) auditing tool that:

• Leverages Cypher queries to analyze data from the BloodHound graph database (Neo4j).
• Provides a comprehensive overview of existing weaknesses through a static, web-based report.

Web-based reports features:

• Detailed listings of identified weaknesses
• Dynamic graphs for visual analysis
• Historical key indicators to track changes over time
• Risk ratings to prioritize threats and actions

Quick overview of a report

Comprehensive Mitigation Paths for Active Directory Risks

A risk-based rating of Active Directory weaknesses, along with comprehensive mitigation paths.

A dynamic web interface

Search bar and controls that are carefully tailored to identify the most risky misconfigurations.

Progress Monitoring through an Evolving Interface

You can also observe indicators over time to help measuring mitigation efficiency.

AD Miner has been initially created by Forvis Mazars and is maintained by Grant Thornton Cybersecurity Audit & Advisory Team.

Prerequisites

To run AD Miner, you first need a neo4j database which contains the Active Directory objects:

1. To extract the data from the domain, you can use tools like SharpHound, RustHound-CE or BloodHound.py and AzureHound for EntraID environments.

   We strongly recommend using BloodHound Automation, as it installs the Graph Data Science Neo4j plugin, which :

   • significantly improves computation time and overall performance.
   • enables the use of Smartest Path instead of built-in Neo4j shortestPath() (i.e., Paths that are easier to exploit rather than least nodes hops).

1. To set up your BloodHound environment (including the GUI and Neo4j database), BloodHound Automation is highly recommended due to its seamless integration with the Graph Data Science plugin. Though it is perfectly fine to use the default BloodHound CE installation, be aware that you will miss out on the benefits of GDS (e.g., smarter pathfinding, improved execution speed, etc.).

2. By default, BloodHound creates a neo4j base accessible on port 7687.

Installation and setup

The easier way is to do the following command using pipx:

pipx install 'git+https://github.com/AD-Security/AD_Miner.git'

ADMiner is also available on some Linux distributions:

• BlackArch: pacman -S ad-miner
• NixOS: nix-env -iA nixos.ad-miner

A Docker image is available to build. Build the image with the following commmand:

docker build -t ad-miner .

To run this on Windows with the BloodHound Community Edition data, use the commands below:

docker run -v ${PWD}:/tmp ad-miner AD-miner -b bolt://host.docker.internal:7687 -u neo4j -p mypassword -cf YOUR_PREFIX

To run this on Linux with the BloodHound Community Edition data, use the commands below:

docker run -v ${PWD}:/tmp --network host ad-miner AD-miner -b bolt://localhost:7687 -u neo4j -p mypassword -cf YOUR_PREFIX

Note that mounting the volume with -v is critical to get the output of the data. This assumes that the BHCE server is running on the Docker host with default settings.

Usage

Run the tool:

AD-miner [-h] [-b BOLT] [-u USERNAME] [-p PASSWORD] [-e EXTRACT_DATE] [-r RENEWAL_PASSWORD] [-a] [-c] [-l LEVEL] -cf CACHE_PREFIX [-ch NB_CHUNKS] [-co NB_CORES] [--rdp] [--evolution EVOLUTION] [--cluster CLUSTER]

Example:

AD-miner -cf My_Report -u neo4j -p mypassword

Cache files are generated at the completion of each Neo4j request. This feature allows you to pause or stop AD Miner at any point during its process without losing previously computed results. To leverage the cache, use the -c parameter. The cache files are stored in the cache_neo4j folder in your current repository. For the cache to be used, the report name must match the cache file’s name prefix :

AD-miner -c -cf My_Report -u neo4j -p mypassword

To better handle large data sets, it is possible to enable multi-threading and also to use a cluster of neo4j databases, as shown in the following example (where server1 handles 32 threads and server2 handles 16) :

AD-miner -c -cf My_Report -b bolt://server1:7687 -u neo4j -p mypassword  --cluster server1:7687:32,server2:7687:16

If password renewal policy is known, you can specify it using the -r parameter to ensure that password renewal controls align with your environment’s settings (default is 90 days). For example, if the password policy is set to 180 days, you can use the following:

AD-miner -c -cf My_Report -b bolt://server:7687 -u neo4j -p mypassword -r 180

The default password of the Bloodhound CE neo4j database is bloodhoundcommunityedition or neo5j if you use BloodHound Automation

Options:

  -h, --help            show this help message and exit
  -b BOLT, --bolt BOLT  Neo4j bolt connection (default: bolt://127.0.0.1:7687)
  -u USERNAME, --username USERNAME
                        Neo4j username (default : neo4j)
  -p PASSWORD, --password PASSWORD
                        Neo4j password (default : bloodhoundcommunityedition)
  -e EXTRACT_DATE, --extract_date EXTRACT_DATE
                        Extract date (e.g., 20220131). Default: last logon date
  -r RENEWAL_PASSWORD, --renewal_password RENEWAL_PASSWORD
                        Password renewal policy in days. Default: 90
  -c, --cache           Use local file for neo4j data
  -l LEVEL, --level LEVEL
                        Recursive level for path queries
  -cf CACHE_PREFIX, --cache_prefix CACHE_PREFIX
                        Cache file to use (in case of multiple company cache files)
  --gpo_low             Perform a faster but incomplete query for GPO (faster than the regular query)
  -ch NB_CHUNKS, --nb_chunks NB_CHUNKS
                        Number of chunks for parallel neo4j requests. Default : 20 * number of CPU
  -co NB_CORES, --nb_cores NB_CORES
                        Number of cores for parallel neo4j requests. Default : number of CPU
  --rdp                 Include the CanRDP edge in graphs
  --evolution EVOLUTION
                        Evolution over time : location of json data files. ex : '../../tests/'
  --cluster CLUSTER     Nodes of the cluster to run parallel neo4j queries. ex : host1:port1:nCore1,host2:port2:nCore2,...

In the graph pages, you can right-click on the graph nodes to cluster them or to open the cluster.

Evolution

If you have multiple AD-Miner reports over time, you can easily track the evolution with the --evolution argument: each AD-Miner report generates a JSON data file alongside the index.html file. You just need to gather these different JSON files into a single folder and specify the path to that folder after the --evolution argument.

AD-miner -c -cf My_Report -b bolt://server:7687 -u neo4j -p mypassword -r 180 --evolution evolution_folder/

An ‘Evolution over time’ tab appears on the main page, providing evolution graphs for each category (Permissions, Passwords, Kerberos, and Misc).

Detailed evolution for each control is also available and can be accessed via the “Show evolution” button for each category. A logarithmic scale is available to better highlight subtle variations over time.

Smartest paths

AD Miner can compute paths based on their actual exploitability. Indeed, sometimes the shortest path is difficult to exploit (here because of the ExecuteDCOM before the HasSession).

While a longer but simpler path exists (here with MemberOf and AdminTo instead of ExecuteDCOM).

AD Miner automatically switches to smartest path mode when your neo4j database has the Graph Data Science plugin installed (https://neo4j.com/docs/graph-data-science/current/). The easiest way to install this plugin is to define an environment variable in your neo4j docker: NEO4J_PLUGINS=["graph-data-science"] (it is by default installed with BloodHound Automation).

Currently, 10 controls utilize full graph coverage and optimize the smartest paths for analysis.

Implemented controls

The following provides a list controls that have already been implemented in AD Miner :

Controls for On-premise

Controls for Entra ID

Contributing

Check out how to contribute here.