Active Directory Privilege Escalation Path Identifier
The world's only cyber security solution that can accurately identify privilege escalation paths in Active Directory.

Overview
Active Directory is foundational, and all organizations that operate on Active Directory possess the three cardinal imperatives of organizational security - foundational security, operational autonomy and organizational privacy.
The #1 cyber security risk to organizations operating on Active Directory is Active Directory Privilege Escalation, because it provides perpetrators the opportunity to quickly gain and exploit the most powerful privileged access in an organization.
Consequently, the need to accurately identify and eliminate privilege escalation paths in Active Directory is paramount.
Active Directory Privilege Escalation Path Identifier is a specialized tool designed by a former Microsoft Program Manager for Active Directory Security to empower organizations to easily, efficiently and trustworthily fulfill this need.
It is the world's only tooling that can accurately identify privilege escalation paths in Active Directory because it is the world's only tooling that bases its determinations on the accurate determination of effective permissions in Active Directory, which is the only correct way to determine who actually has what access in Active Directory.
It's powered by Microsoft-endorsed innovative patented access-assessment technology that is unrivaled in capability.

Capability Summary
Active Directory Privilege Escalation Path Identifier is the only solution in the world that can accurately identify privilege escalation paths in Active Directory, because it is the world's only solution that actually identifies privilege escalation paths in Active Directory based on the determination of effective permissions in Active Directory.
It can instantly and accurately identify all privilege escalation paths leading to any Active Directory object.
Saliently -
It can identify exactly which entities have a privilege escalation path to an Active Directory object
It can identify exactly which actions each such entity can perform to escalate privilege to the target
It can identify exactly which underlying security permissions in the target's ACL enable the escalation
It can* optionally also automatically identify privilege escalation paths on multiple objects in any Active Directory tree.
In essence, it is the world's only solution that can accurately make these paramount determinations, and it can do all this instantly, at a button's touch, without requiring any admin access or changes to Active Directory.

Unrivaled in Capability
The need to identify and eliminate privilege escalation paths in Active Directory is vital to organizational cyber security.
Our unique, unrivaled Microsoft-endorsed Gold Finger is the world's only solution that can instantly, accurately and automatically identify privilege escalation paths in Active Directory.
It can also instantly identify and reveal exactly which underlying security permissions enable all identified paths.
It accomplishes in mere minutes what no other solution can, and it does all this, and more, at the touch of a button.

The Paramount Difference
Accuracy powered by Effective Permissions
The cardinal and paramount tenet in the identification of privilege escalation paths in Active Directory is accuracy, and the only way to achieve accuracy in escalation path identification is by determining effective permissions in Active Directory.
(After all, of what use is inaccurate privilege escalation insight?)
Active Directory Effective Permissions are the actual (resulting) set of permissions that a user is actually granted (i.e. allowed) on an Active Directory object, in light of the collective impact of all the security permissions (explicit and inherited, Allow and Deny) specified in the access control list (ACL) of that Active Directory object.
Cardinally, it is not "Who has what permissions in Active Directory" but in fact "Who has what effective permissions in Active Directory" that determines who actually has what privileged access on every single object in Active Directory.
Consequently, the only way to accurately identify privilege escalation paths in Active Directory is by determining who has what effective permissions on the target Active Directory object and subsequently on all identified escalation subjects.
Active Directory Privilege Escalation Path Identifier is the world's only solution that actually identifies privilege escalation paths in Active Directory based on the determination of effective permissions in Active Directory.

Paramount Insights
Active Directory Privilege Escalation Path Identifier accurately and instantly delivers three indispensable privilege escalation insights that enable organizational IT personnel to quickly identify and eliminate privilege escalation paths -
Exactly which entities have a privilege escalation path to a specific target Active Directory object
Exactly which actions (tasks) can each such entity perform to escalate their privilege to the target
Exactly which underlying security permissions in the target object's ACL enable these privilege escalations
Armed with these three unrivaled indispensable insights, organizational IT personnel can instantly enact risk mitigation steps to lockdown all such identified access in Active Directory that is currently enabling all existing escalation paths.
[ These insights are accurately identified and provided for each and every escalation path in the escalation path graph. ]
Features
Accurate Privilege Escalation Path Identification
Accurately identify privilege escalation paths in Active Directory
Privilege Escalation Path Entity Identification
Identify all entities that have a privilege escalation path to an AD object
Privilege Escalation Path Source Identification
Identify the underlying permissions that enable a privilege escalation path
Per-object Privilege Escalation Path Identification
Identify privilege escalation paths on any specific Active Directory object
Tree-wide Privilege Escalation Path Identification
Identify privilege escalation paths on multiple Active Directory objects

Accuracy is Paramount
There are certain fields in the world today, such as a surgeon performing heart surgery, or a nation's military conducting precision strikes on its adversaries, where accuracy is absolutely paramount and there is absolutely no room for error.
The identification of privilege escalation paths in Active Directory is one such field where accuracy is paramount.
The reason accuracy is paramount in this endeavor is because a perpetrator needs only one high-value exploitable privilege escalation path to gain and subsequently exploit the most powerful privileged access in an organization.
Literally, just one.
A proficient adversary that could gain the most powerful privileged access in an organization could cause substantial irreversible damage, such as compromising all organizational identities and endpoints, exfiltrating oceans of confidential organizational data, unleashing ransomware organization-wide and automating the destruction of the entire organization.
One exploitable privilege escalation path in Active Directory is all that the perpetrator needs to be able to do so. Just one.
In essence, when the stakes are so high, and everything could be at stake, there is just no room for error when it comes to accurately identifying privilege escalation paths in Active Directory. None whatsoever.

Achieving Accuracy - A Simple Example
Understanding just how difficult it is to achieve accuracy in identification is vital, and it's best done with a simple example.
Consider a user, John Doe, and assume that he is a member of the Helpdesk Team domain security group.
Next, assume that the following is the complete ACL protecting the CEO's domain user account in Active Directory -
Explicit Deny IT Contractors All Extended Rights
Explicit Allow Helpdesk Team Full Control
Question: Will John Doe be able to reset the CEO's password? (which is one of several ways of escalating privilege)
Novice Answer: Yes. (Any privilege escalation path identification tool that relies on mere permissions analysis to make this determination, will always deduce Yes as the answer, and inaccurately identify a non-existent escalation path.)
Correct Answer: It depends on whether or not John Doe is also a member of the IT Contractors group. If he is, the answer is No, because the explicit Deny of all extended rights (Reset Password is an extended right) takes precedence over the explicit Allow. (Only Gold Finger relies on effective permissions analysis to make this determination, and if John is a member, it will correctly deduce No as the answer, and will not inaccurately identify a non-existent escalation path.) Note that even in that case the Full Control grant still leaves John with Write DACL and Write Owner on the account, which are escalation paths in their own right, and an accurate tool must report those too.

Achieving Accuracy - A Real-world Example
Now consider a real-world example, so assume that a user John Doe is a member of multiple (e.g. 20+) domain security groups, many of which are members of other security groups, some of which are circularly nested.
Further assume that there are 50 permissions in the ACL protecting the CEO's domain user account in Active Directory -
Explicit Deny IT Contractors Special
Explicit Allow Domain Admins Full Control
...
Inherited Deny Helpdesk Team All Extended Rights
Inherited Allow Global Admins Reset Password
Question: Will John Doe be able to reset the CEO's password? (i.e. does he have an escalation path to the CEO?)
Correct Answer: To correctly answer this question, one needs to accurately take into account the combined effect of all 50 permissions in the ACL, which involves correctly expanding 50+ security groups (including nested and circular memberships), dynamically evaluating well-known security principals, and resolving all conflicting permissions (Allow vs Deny) according to the precedence order, etc. This process is known as determining effective permissions in Active Directory.

Accurate Identification is Extremely Difficult
As illustrated by the examples above, the accurate identification of privilege escalation paths is extremely difficult.
The main reason it is extremely difficult is because to be able to accurately identify privilege escalation paths in Active Directory, one needs to accurately determine effective permissions in Active Directory, on anywhere from one to thousands of objects, and that is extremely difficult, laborious, painstaking, error-prone and time-consuming.
To determine effective permissions in Active Directory, IT personnel and/or software developers first need to acquire sufficient proficiency in Active Directory security and then apply their expertise towards accurately making these determinations, taking into account all factors that influence access in Active Directory, such as its complex security model, access control lists (ACLs), inheritance of permissions, precedence orders, conflicting permissions (Allow vs Deny), group membership types, rules, expansions and nesting, Schema constraints, dynamic evaluation of well-known security principals, knowledge of Active Directory security permissions (generic permissions, extended rights and validated writes) etc., and do so with no room for error.
In fact, the accurate determination of effective permissions in Active Directory and in turn the accurate identification of privilege escalation paths in Active Directory are amongst the most complex of technical challenges in the world today.

Mission Accomplished
If you can click a button, you can now instantly and accurately identify privilege escalation paths in Active Directory.
Active Directory Privilege Escalation Path Identifier fully automates the accurate identification of privilege escalation paths in Active Directory based on the accurate determination of effective permissions forest-wide in Active Directory.
This unique tooling can instantly and accurately identify privilege escalation paths in any Active Directory domain in the world, including identifying the underlying security permissions that enable each of these paths, all at a button's touch.
Developing this tooling was no ordinary feat. This unique tooling was conceived and architected by a former Microsoft Program Manager for Active Directory Security, the world's #1 expert in Active Directory Security.
This tooling is the culmination of twenty years of innovative, industry-leading research and development in the paramount field of access assessment, and is powered by unrivaled, patented, Microsoft-endorsed access assessment technology.
Active Directory is mission-critical, and its cyber security is absolutely paramount today. This unique tooling was built to empower thousands of organizations worldwide to be able to bulletproof their Active Directory.

Standard Mode
The Standard Mode (default mode) of Active Directory Privilege Escalation Path Identifier lets organizations instantly, accurately and automatically identify all entities that have a privilege escalation path to an Active Directory object.
For example -
Which users and/or groups have a privilege escalation path leading to a specific Active Directory object?
Which administrative tasks can a user enact to escalate privilege to a specific Active Directory object?
Which security permissions pave privilege escalation paths to a specific Active Directory object?
It can* optionally also automatically determine whether any privilege escalation paths exist leading to multiple (one or more) Active Directory objects, such as to all executive or admin accounts or groups etc. in a single assessment.

Single-User Mode
The Single-User Mode of Active Directory Privilege Escalation Path Identifier lets organizations instantly, accurately and automatically determine whether a specific user has a privilege escalation path to an Active Directory object.
For example -
Does a specific user have a privilege escalation path leading to a specific Active Directory object?
Which administrative tasks can a specific user enact to escalate privilege to a specific Active Directory object?
Which security permissions pave privilege escalation paths for a specific user on a specific Active Directory object?
It can* optionally also automatically determine whether any privilege escalation paths exist from a specific user to multiple (one or more) Active Directory objects, such as to all admin accounts or groups etc. in a single assessment.

Technical Deep-dive
If you're a Domain Admin or an Active Directory (AD) Security expert, you likely know that accurately identifying privilege escalation paths in AD is not easy.
To accurately identify privilege escalation paths leading to an AD object, we first need to correctly determine effperms (effective permissions) on it, to identify all SPs (security principals) that possess effective modify access on it that could be used to escalate privilege e.g. reset pwd, modify membership, modify DACL etc.
For instance, if the target is a domain user account, we first need to determine all SPs that have effective WD (Write DACL), WO (Write Owner) or CR-ResetPwd (Extended Right - Reset Password) on the target. The operative term here is effective because we need to precisely determine the impact of inheritance (inherited permissions) and precedence orders (i.e. ED > EA > ID > IA) etc.
Having determined all SPs that have one of the required modify effperms on the target, next we will need to recursively do the same on each of these SPs.
For instance, if we end up identifying that 37 accounts and 23 security groups have sufficient mod effperms on the target, then we will have to recursively evaluate effperms on each of these 60 AD objects, and once you've run this to completion, you'll end up with a graph showing all privesc paths leading to the target.
Ideally, you'll also want to identify the underlying ACEs in each AD object's ACL due to which a path exists, so you know which perms to tweak to eliminate the path.
This intricate process could involve determining effperms on thousands of objects.
Our unique tooling fully automates this intricate, laborious, painstaking process.
Note - This section was penned by a former Microsoft Program Manager for Active Directory Security, the world's #1 expert in Active Directory Security.

A Simple Litmus Test
Several products claim to be able to identify privilege escalation paths in Active Directory, but in fact none can do so accurately.
The following test can instantly reveal whether a product can accurately identify privilege escalation paths in Active Directory.
Step 1 - Create a test domain user account and configure its ACL as shown below -
Explicit Deny Everyone All Extended Rights
Explicit Allow Domain Users Reset Password
Explicit Allow Authenticated Users Read All Properties, Read Control, List Child
Explicit Allow Administrator Modify Permissions
Note - For simplicity, assume the account is owned by Domain Admins (DA), whose only member is Administrator. If you prefer, you can configure it as such.
Step 2 - Proceed to use the product to identify privilege escalation paths on the domain user account created above.
Check - If its output indicates that any account other than Administrator can escalate privilege to it, its results are inaccurate.
Tip - If you have 1,000 users in the domain, virtually all other products will inaccurately report that 1,000 users can escalate privilege.
Basis - ACE 2 allows all domain users the extended right to reset the password, but ACE 1 explicitly denies Everyone all extended rights (of which Reset Password is one), and an explicit Deny takes precedence over an explicit Allow, so ACE 1 overrides ACE 2 and negates the allow. ACE 4 grants Administrator the right to modify permissions (Write DACL), which is the only privilege escalation path on the object. (The owner of an object implicitly holds Write DACL regardless of the ACL, which is why the ownership note above matters: with Domain Admins as owner and Administrator as its only member, no additional account gains a path.) The correct answer is '1'.
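As an added, self-contained example (not code from the original page or from Gold Finger), the following Python models the reasoning of the simple example, the real-world example, the technical deep-dive and the litmus test above. It evaluates effective permissions over a constructed in-memory directory (explicit and inherited Allow and Deny ACEs in the ED > EA > ID > IA order, nested and circular group expansion, dynamically evaluated well-known principals, Reset Password as one of the extended rights, and the owner's implicit Write DACL), then recursively finds who holds a modify right on the target, then on each principal so found, and so on, recording the ACE that enables each edge. The rights subset, the object and group names, the treatment of Everyone and Authenticated Users as members of every token, the collapsing of the read rights into a single Read, and the two sample directories are all assumptions made for the illustration; it goes slightly beyond the text by adding a circular nesting to the helpdesk example and by running the litmus test against a constructed domain of 100 users.

```python
"""Toy effective-permissions evaluator and privilege-escalation path finder.
Constructed illustration of the rules the page describes (not Gold Finger's code):
ED > EA > ID > IA precedence, nested/circular group expansion, well-known principals,
extended rights as a class containing Reset Password, and implicit owner rights."""
from collections import deque

RESET_PASSWORD, WRITE_DACL, WRITE_OWNER, WRITE_MEMBER, READ = (
    "ResetPassword", "WriteDacl", "WriteOwner", "WriteMember", "Read")
ALL_EXTENDED, FULL_CONTROL = "AllExtendedRights", "FullControl"  # aggregate rights
EXTENDED_RIGHTS = {RESET_PASSWORD}                 # control-access rights (assumed subset)
ALL_RIGHTS = {RESET_PASSWORD, WRITE_DACL, WRITE_OWNER, WRITE_MEMBER, READ}
ESCALATION_RIGHTS = ALL_RIGHTS - {READ}            # modify rights that let a subject take over an object
WELL_KNOWN = {"Everyone", "Authenticated Users"}   # assumed present in every principal's token

def covered(right):
    """Concrete rights an ACE grants or denies; aggregate rights are expanded."""
    if right == FULL_CONTROL:
        return set(ALL_RIGHTS)
    return set(EXTENDED_RIGHTS) if right == ALL_EXTENDED else {right}

def token(directory, principal):
    """The principal plus every group it transitively belongs to; safe on circular nesting."""
    groups, todo = set(), deque([principal])
    while todo:
        p = todo.popleft()
        for name, obj in directory.items():
            if obj["type"] == "group" and p in obj["members"] and name not in groups:
                groups.add(name)
                todo.append(name)
    return {principal} | groups | WELL_KNOWN

def effective_permissions(directory, principal, obj_name):
    """{right: source} for each right the principal effectively holds on the object.
    An ACE is (inherited, allow, trustee, right); source is the deciding ACE index or 'owner'."""
    obj, tok = directory[obj_name], token(directory, principal)
    acl = obj["acl"]
    # Canonical order: explicit Deny, explicit Allow, inherited Deny, inherited Allow.
    order = sorted(range(len(acl)), key=lambda i: (acl[i][0], acl[i][1]))
    decided = {}                                    # right -> (allowed?, source)
    for i in order:
        inherited, allow, trustee, right = acl[i]
        if trustee in tok:
            for r in covered(right):
                decided.setdefault(r, (allow, i))   # first matching ACE per right wins
    granted = {r: src for r, (ok, src) in decided.items() if ok}
    if obj.get("owner") in tok:                     # an owner always holds READ_CONTROL and WRITE_DAC
        granted.setdefault(WRITE_DACL, "owner")
        granted.setdefault(READ, "owner")
    return granted

def escalation_paths(directory, target):
    """Who holds effective modify rights on the target, then recursively on each principal found.
    Returns (users with a path, edges); an edge is (subject, object, right, source ACE)."""
    edges, seen, todo = [], {target}, deque([target])
    while todo:
        obj = todo.popleft()
        for subject in directory:
            if subject == obj:
                continue
            eff = effective_permissions(directory, subject, obj)
            hits = ESCALATION_RIGHTS & set(eff)
            edges.extend((subject, obj, r, eff[r]) for r in sorted(hits))
            if hits and subject not in seen:        # the subject is now itself a target to evaluate
                seen.add(subject)
                todo.append(subject)
    return {s for s, _, _, _ in edges if directory[s]["type"] == "user"}, edges

def helpdesk_domain(john_is_contractor):
    """The page's simple example, plus a circular nesting (Helpdesk Team <-> IT Staff)."""
    contractors = {"John Doe"} if john_is_contractor else set()
    return {
        "John Doe":       {"type": "user", "acl": [], "owner": "Domain Admins"},
        "Helpdesk Team":  {"type": "group", "acl": [], "members": {"John Doe", "IT Staff"}},
        "IT Staff":       {"type": "group", "acl": [], "members": {"Helpdesk Team"}},
        "IT Contractors": {"type": "group", "acl": [], "members": contractors},
        "CEO": {"type": "user", "owner": "Domain Admins", "acl": [
            (False, False, "IT Contractors", ALL_EXTENDED),   # explicit Deny
            (False, True,  "Helpdesk Team",  FULL_CONTROL),   # explicit Allow
        ]},
    }

def litmus_domain(n_users=100):
    """The page's litmus-test ACL on 'testuser' in a domain with n_users ordinary users."""
    users = [f"user{i}" for i in range(1, n_users + 1)]
    d = {u: {"type": "user", "acl": [], "owner": "Domain Admins"} for u in users + ["Administrator"]}
    d["Domain Users"] = {"type": "group", "acl": [], "members": set(users) | {"Administrator"}}
    d["Domain Admins"] = {"type": "group", "acl": [], "members": {"Administrator"}}
    d["testuser"] = {"type": "user", "owner": "Domain Admins", "acl": [
        (False, False, "Everyone",            ALL_EXTENDED),    # ACE 1: explicit Deny
        (False, True,  "Domain Users",        RESET_PASSWORD),  # ACE 2: explicit Allow
        (False, True,  "Authenticated Users", READ),            # ACE 3: read rights, collapsed
        (False, True,  "Administrator",       WRITE_DACL),      # ACE 4: Modify Permissions
    ]}
    return d

if __name__ == "__main__":
    users, edges = escalation_paths(litmus_domain(), "testuser")
    print(sorted(users))   # ['Administrator']
```

On the litmus-test directory every ordinary user is denied Reset Password by ACE 1, so the only user reported with a path to testuser is Administrator (Domain Admins also appears as an edge, through its implicit owner right). On the helpdesk example John loses Reset Password when he is in IT Contractors but keeps Write DACL, which the path finder still reports as an edge, together with the index of the Full Control ACE that enables it.
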
Benefits
Accurately Identify Privilege Escalation Paths
Accurately identify privilege escalation paths in Active Directory
Instantly Identify Privilege Escalation Paths
Instantly identify privilege escalation paths in Active Directory
Easily Perform Per-Object and Tree-wide Assessments
Automatically identify privilege escalation paths on one or multiple objects
Eliminate Unauthorized Access in Active Directory
Correctly identify and eliminate escalation paths in Active Directory
Lockdown Access and Secure Active Directory
Demonstrably lockdown and secure access in Active Directory
Example Reports
The following real-world examples illustrate the Active Directory Privilege Escalation Path Identifier's capabilities -
- Identify all individuals that can escalate their privilege to Domain Admin.
- Identify all privilege escalation paths leading to AdminSDHolder.
- Pinpoint the exact security permission that is enabling a privilege escalation path from Anonymous to Domain Admin.
- Identify all individuals that can escalate their privilege to the CEO's domain user's account.
- Identify all privilege escalation paths leading to the CEO's domain user's account.
- Pinpoint the exact security permission that is enabling a privilege escalation path from a specific contractor to the CEO's domain user's account.
- Identify all privilege escalation paths leading to all administrative accounts and groups in Active Directory.
- Identify all privilege escalation paths leading to all executive user accounts and groups in Active Directory.
- Identify all privilege escalation paths leading to all OUs, accounts and groups in the top-level Corp OU.

Eliminate The World's #1 Attack Vector
Active Directory Privilege Escalation based on the exploitation of a sea of excessive unidentified privileged access in Active Directory is the world's #1 attack vector because it threatens the foundational security of 85% of organizations.
It can be exploited to compromise the security of virtually everything in Active Directory, including any (and every) domain user account, computer account, group, OU etc., and particularly all-powerful Active Directory privileged accounts and groups, and high-value targets such as AzureADConnect that enable Cloud integration.
Fact - In virtually every major cyber security breach, including the SolarWinds Breach, Colonial Pipeline Hack, Okta Breach and most others, perpetrators targeted, exploited and misused privileged access in Active Directory to gain unrestricted system-wide access and swiftly inflict colossal damage.
The most effective security measure organizations can take is to identify and eliminate privilege escalation paths in Active Directory. Unfortunately, accurate identification of privilege escalation paths in Active Directory is very difficult.
Our Active Directory Privilege Escalation Path Identifier uniquely empowers organizations to accurately, quickly and easily identify and eliminate all privilege escalation paths in their Active Directory, virtually eliminating the #1 attack vector.

Requirements and Licensing
Active Directory Privilege Escalation Path Identifier can be instantly downloaded, installed and run on any Windows computer. Its use does not require any administrative privileges, any changes to or any knowledge of Active Directory.
The tool is licensed on a subscription model, and can be licensed on an annual basis.
Corporate Headquarters
620 Newport Center Drive, Suite 1100
Newport Beach, CA. 92660. USA.
Telephone: 001-949-468-5770