Active Directory Privilege Escalation Path Identifier
User's Guide

Introduction
This User's Guide shows you how to use the Active Directory Privilege Escalation Path Identifier to accurately identify privilege escalation paths in Active Directory.
It contains thirteen sections -

1. Pre-requisites
Prior to getting started with the Gold Finger application, please ensure that the following pre-requisites are met -
1. The computer on which the application will be installed must be running a Windows operating system that is currently supported by Microsoft Corporation, and it must have network access to the Active Directory forest you wish to analyze.
2. The computer on which the application will be used must be joined to the Active Directory forest it is to be used in.
3. The user in whose security context the application will be used must be logged on to the Windows machine on which the application is installed, using a domain user account belonging to the same Active Directory forest.
Note 1 - For pre-requisites 2 and 3, alternatively, the user using the application can specify and use alternate credentials of a domain account belonging to the same Active Directory forest, specifiable via Basic Options.
Note 2 - The account used to install the application on a computer must have local admin rights on that computer. This is only required to be able to install/update required Microsoft Windows platform redistributable dependency files.

2. Getting Started
Getting started with Gold Finger takes just a few minutes and involves three simple steps -
- Download and install Gold Finger
Navigate to your custom license download URL, locate the Gold Finger download link and click on it to download the Gold-Finger.zip package onto the computer on which you wish to install the application.
Next, unzip the package, verify the digital signature on the unzipped Gold-Finger.msi installer file and then double-click it to launch the installer. The installer will ask a few basic questions and then proceed to install Gold Finger.
- Download and install your Gold Finger License
Navigate to your custom license download URL, locate the Gold Finger License download link and click on it to download the Gold_Finger_License.zip package onto the computer on which you wish to install the application.
Next, unzip the downloaded package, and locate the GFLic.dll file within the unzipped Gold_Finger_License folder. Verify the digital signature on the GFLic.dll file, and then copy it into the Gold Finger installation directory.
Note - In a default installation, the Gold Finger installation directory is C:\Program Files (x86)\Paramount Defenses\Gold Finger.
- Launch Gold Finger
Click the Start menu, locate the Paramount Defenses folder, then locate the Gold Finger application link and click on it. Please give it a few moments whilst Gold Finger performs a few basic security checks before it opens.
Note - Should you wish to use alternate credentials or target a specific domain controller, you can do so via Basic Options.
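One way to carry out the signature checks called for in the two install steps above, as an added PowerShell example that is not part of the vendor's guide. The function name `Test-VendorSignature`, the download paths and the publisher placeholder are assumptions; only the file names Gold-Finger.msi and GFLic.dll come from this guide.

```powershell
# Added example. $ExpectedPublisher is a placeholder: obtain the real signer
# name from the vendor, never from the file being checked.
function Test-VendorSignature {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [Parameter(Mandatory)] [string] $ExpectedPublisher
    )
    if (-not (Test-Path -LiteralPath $Path -PathType Leaf)) {
        return [pscustomobject]@{ File = $Path; Status = 'FileNotFound'; Trusted = $false }
    }
    $sig  = Get-AuthenticodeSignature -LiteralPath $Path
    $cert = $sig.SignerCertificate
    # Exact match on the certificate's simple name (CN); a substring match
    # would also accept look-alike publisher names.
    $signer = if ($cert) { $cert.GetNameInfo('SimpleName', $false) } else { $null }
    $thumb  = if ($cert) { $cert.Thumbprint } else { $null }
    [pscustomobject]@{
        File       = Split-Path -Leaf $Path
        Status     = $sig.Status        # Valid, NotSigned, HashMismatch, NotTrusted, ...
        Signer     = $signer
        Thumbprint = $thumb
        SHA256     = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash
        Trusted    = ($sig.Status -eq 'Valid') -and ($signer -eq $ExpectedPublisher)
    }
}

# Assumed download locations; the file names are the ones this guide uses.
$files = 'C:\Temp\Gold-Finger\Gold-Finger.msi',
         'C:\Temp\Gold_Finger_License\GFLic.dll'
$results = foreach ($f in $files) {
    Test-VendorSignature -Path $f -ExpectedPublisher '<publisher name confirmed with vendor>'
}
$results | Format-List
if ($results.Trusted -contains $false) {
    Write-Warning 'At least one file failed verification: do not install or copy it.'
}
```

A `Valid` status alone only shows that some trusted publisher signed the file, which is why the signer name is compared as well. Recording the thumbprint and SHA256 gives you values to compare against on the next update.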

3. Exploring the User Interface
Gold Finger's sheer simplicity is reflected in its minimalist user interface, comprised of the following elements -
Tool Selector - The tool selector is used to select a specific tool.
Reports Pane - The reports pane lists all the reports available in the selected tool.
Scope Field - The scope field is used to specify the report's scope/target.
Search Utility - The inbuilt search utility is used to locate and specify targets.
Exclusion, Depth and Branch Control Options button - These options are used to control two special options.
Duplicate Node Processing Options - These options are used to configure duplicate node processing options.
Run button - The run button, also known as the Gold Finger button, is used to generate a report.
Results Pane(s) - Results are displayed in the results panes, comprised of Escalation Paths and Source panes.
Status Indicator - The status indicator provides an indication of the report's status.
Export Button - The Export button is used to export the results of privilege escalation reports to a text file.
List Button - The List button is used to enumerate (list) all security principals that exist in the escalation path tree.
Escalation Task dropdown - This selector displays all the ways in which a selected security principal can escalate their privilege onto a specific target, i.e. all the tasks the principal can enact to escalate privilege on to the target.
How button - This button is used to display the underlying permissions enabling a specific escalation path way.

4. Identifying all Security Principals that have a Path
To identify all security principals that have a privilege escalation path to an Active Directory object, select the Privilege Escalation Path Identifier from the Tool Selector, then enact the following three steps -
- Select a report
In the Reports pane, select the following report by clicking on it -
Identify all security principals that have a privilege escalation path to an Active Directory object
- Specify a scope
In the Scope field, enter the distinguished name (DN) of the AD domain, OU, container or object you wish to target.
Note - You can use Gold Finger's inbuilt search utility to instantly and easily locate and determine the DN of any Active Directory object.
- Click a button
Click the Gold Finger (Run) button, and the tool will proceed to identify all security principals that have a privilege escalation path to the specified Active Directory object, and upon completion, display results in the Results pane.

5. Identifying Privilege Escalation Paths to an Object
To identify all privilege escalation paths leading to an Active Directory object, select the Privilege Escalation Path Identifier from the Tool Selector, then enact the following three steps -
- Select a report
In the Reports pane, select the following report by clicking on it -
Identify all privilege escalation paths leading to an Active Directory object
Note - You may wish to configure special options, i.e. Exclusions, Depth and Branch Control and Duplicate Node Processing.
- Specify a scope
In the Scope field, enter the distinguished name (DN) of the specific Active Directory object you wish to target.
Note - You can use Gold Finger's inbuilt search utility to instantly and easily locate and determine the DN of any Active Directory object.
- Click a button
Click the Gold Finger (Run) button, and the tool will proceed to identify all privilege escalation paths leading to the specified Active Directory object, and upon completion, it will display results in the Results pane, to be analyzed as described below.

6. Analyzing Results
Upon successful completion, Gold Finger displays identified privilege escalation paths leading to the specified object in the Escalation Paths pane, in the form of a standard expandable inverted tree, with the specified target as its root. Nodes can be expanded by clicking + and collapsed by clicking -.
In this tree, all security principals that have one or more direct privilege escalation paths to the target are displayed as its immediate child nodes. Similarly, and in turn, all security principals that have one or more direct privilege escalation paths to each one of these security principals, are displayed as their immediate child nodes, and so on.
Identifying Privilege Escalation Actors, Paths (Actions) and Source Permissions
1. To identify all security principals (actors) that have a direct privilege escalation path to the target node, or to any other node in the tree, click on + in front of the node, and all such security principals will be displayed as its immediate child nodes.
2. To identify the exact privilege escalation paths that a particular security principal (displayed as a child node) in the tree has to its immediate ascendant target (i.e. its parent node) in the tree, click on that security principal to select it.
When you do so, all the actions that security principal can enact on its target to escalate its privilege onto it, i.e. all tasks that security principal can enact on its target to escalate its privilege, will be displayed in the Escalation Task dropdown.
3. To identify how the selected security principal is entitled to enacting a specific action (task) that enables it to escalate privilege to its target, select that task in the Escalation Task dropdown, then click the How button [?] located to its right.
When you do so, the underlying security permission entitling the selected security principal to enact the selected task on the target, in the ACL of the object that is the target of the selected escalation, will be displayed in the Source pane.
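The inverted tree described in this section, built from a small edge list as an added PowerShell illustration. It is not Gold Finger's code or output: the function `Get-InvertedPathTree`, the account names and the task names are constructed, and marking a principal that already appears on the current path is just one possible way to treat duplicate nodes.

```powershell
# Constructed sample data (not Gold Finger output): "Actor can enact Task on Target".
$edges = @(
    [pscustomobject]@{ Actor = 'svc-backup';         Task = 'Modify group membership'; Target = 'Domain Admins' }
    [pscustomobject]@{ Actor = 'HelpDesk Operators'; Task = 'Reset password';          Target = 'svc-backup' }
    [pscustomobject]@{ Actor = 'j.doe';              Task = 'Modify group membership'; Target = 'HelpDesk Operators' }
    [pscustomobject]@{ Actor = 'svc-backup';         Task = 'Reset password';          Target = 'j.doe' }  # closes a cycle
)

function Get-InvertedPathTree {
    param(
        [Parameter(Mandatory)] [string]   $Target,
        [Parameter(Mandatory)] [object[]] $Edges,
        [int]      $MaxDepth = 4,     # levels of actors shown beneath the root
        [string[]] $Lineage  = @()    # nodes between the root and this one
    )
    $path = @($Lineage) + $Target
    if ($path.Count -eq 1) { $Target }            # the root line is the target itself
    if ($path.Count -gt $MaxDepth) { return }
    $indent = '  ' * $path.Count
    # One child node per actor, carrying every task that actor can enact on $Target.
    foreach ($group in ($Edges | Where-Object { $_.Target -eq $Target } | Group-Object Actor)) {
        $tasks = ($group.Group.Task | Sort-Object -Unique) -join '; '
        if ($path -contains $group.Name) {
            # Duplicate node: expanding it again would recurse forever.
            "$indent$($group.Name) [$tasks] (already on this path, not expanded)"
            continue
        }
        "$indent$($group.Name) [$tasks]"
        Get-InvertedPathTree -Target $group.Name -Edges $Edges -MaxDepth $MaxDepth -Lineage $path
    }
}

Get-InvertedPathTree -Target 'Domain Admins' -Edges $edges
```

Reading the output from the deepest line upward gives the chain a principal would follow to reach the root, which is why each intermediate node deserves the same review as the target.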

7. Identifying Privilege Escalation Paths in a Tree
To identify privilege escalation paths in Active Directory, select the Privilege Escalation Path Identifier from the Tool Selector, then enact the following three steps -
- Select a report
In the Reports pane, select the following report by clicking on it -
Identify all privilege escalation paths leading to multiple objects in an Active Directory tree
Note - You may wish to configure special options, i.e. Exclusions, Depth and Branch Control and Duplicate Node Processing.
- Specify a scope
In the Scope field, enter the distinguished name (DN) of the root of the Active Directory tree you wish to target.
Note - You can use Gold Finger's inbuilt search utility to instantly and easily locate and determine the DN of any Active Directory object.
Note 2 - You can optionally also configure scope options to customize the report's scope and depth, and/or specify a custom LDAP filter.
- Click a button
Click the Gold Finger (Run) button, and the tool will proceed to identify all privilege escalation paths leading to multiple objects in the specified Active Directory tree, and upon completion, it will display results in the Results panes, to be analyzed as described below.

8. Analyzing Tree-wide Results
Upon the successful completion of the report Identify all privilege escalation paths leading to multiple objects in an Active Directory tree, Gold Finger will display the list of all* objects in the specified Active Directory tree in the Objects pane.
* If scope options are in use to customize the report's scope and depth, and/or specify a custom LDAP filter, the list of objects may be a subset of all the objects in the target Active Directory tree, based on the scope, depth and/or custom LDAP filter specified in the scope options.
To view the privilege escalation paths leading to a specific Active Directory object listed in the Objects pane, click on it.
When you do so, all privilege escalation paths leading to the selected object will be displayed in the Escalation Paths pane, in the form of an expandable inverted tree, with the selected Active Directory object as the root of the tree.
The next sequential step is to analyze the object's privilege escalation path tree displayed in the Escalation Paths pane.
The procedure involved in analyzing the privilege escalation path tree displayed in the Escalation Paths pane is identical to the procedure described above for analyzing the privilege escalation path tree of a specific Active Directory object.
Consequently, to analyze the tree displayed in the Escalation Paths pane, refer to the Analyzing Results section above.

9. Exporting Results
Gold Finger makes exporting Active Directory privilege escalation paths as easy as touching a button, as described below -
- Exporting Results
To export the results of any privilege escalation path identification report, simply click the Export button once.
When you do so, Gold Finger will generate a text file containing the entire data set, and prompt you to specify a location at which to save the file.

10. Using Single-User Mode
Gold Finger's unique Single-User mode lets organizations easily assess whether a specific user of interest has any privilege escalation paths to a specific Active Directory object, and if so, which ones, and how.
To use Single-User mode, activate it by using the Mode option in the application menu, then enact the following steps -
- Select a User
Click the Select a User button (located in the top-left corner of the Reports pane) to locate and select a user.
- Select a Report and Specify a Scope
Select the report you wish to generate, then specify the target of your assessment by using the Scope field.
Note - You can use Gold Finger's inbuilt search utility to instantly and easily locate and determine the DN of any Active Directory object.
Note 2 - You may wish to configure Exclusions and Depth and Branch Control options.
- Click a button
Click the Gold Finger button to generate the report.
Upon the completion of the report, results will be displayed in the Results pane. The steps involved in analyzing results and exporting results are identical to those for the default (Multi-User) mode, with the exception that only those privilege escalation pathways that begin from the specified user and lead to the specified target are identified and displayed.
Note - To return to the Multi-User mode, use the Mode option in the Application menu.

11. Using Basic Options
Gold Finger offers two options that can be used to target specific domain controllers and/or use alternate credentials (and a third basic option that impacts the aesthetics of the Run button, traditionally known as the Gold Finger button), accessible via the Options > Basic Options application menu -
- Target a specific Domain Controller
Gold Finger can be configured to target a specific domain controller (DC). If this option is checked, Gold Finger will only target the DC specified in the DC Name field. The specified name of a DC must be its NetBIOS name.
Note - The only requirement is that the specified DC must belong to the target domain and it must also be a Global Catalog.
- Use specific Alternate Credentials
Gold Finger can also be configured to use alternate credentials. If this option is checked, Gold Finger will use the specified alternate credentials. The specified username must be in the form of a UPN, e.g. administrator@corp.local.
Note - By default, Gold Finger uses the security context of the (logged-on) user account that is currently using Gold Finger.
- Use contemporary 'Run' Button
This option controls the aesthetics of the Run button. If this option is checked (default), the Run button sports a contemporary look. If it is unchecked, the Run button retains its traditional look i.e. the iconic Gold Finger button.

12. Using Advanced Options
Gold Finger offers four advanced options for the Privilege Escalation Path Identifier tool, accessible via the Options > Advanced Options application menu -
Use 'Display Names' for user accounts - This option controls whether Gold Finger should retrieve and display the Display Name of domain user accounts in the Name field. If checked, it will display the Display Name instead.
Include 'System Container' contents - This option controls whether Gold Finger should include the contents of the System container when identifying escalation paths. If checked, it will include objects in the System container.
- [ Also include DNS data ] - This sub-option is used to control whether Gold Finger should also include DNS data that resides in the System container when identifying escalation paths. If checked, it will also include DNS contents in the System container.
Include 'Anonymous' in 'Everyone' - If checked, Gold Finger will include the Anonymous well-known security principal when dynamically evaluating the membership of the Everyone well-known security principal.
Include impact of object ownership - This option controls whether Gold Finger should include the impact of an object's owner having implicit Modify Permissions on the object. If checked, it will include the impact of ownership.

13. Getting Technical Support
Should you require technical support or assistance, please feel free to contact us.
-- End of User's Guide --
Corporate Headquarters
620 Newport Center Drive, Suite 1100
Newport Beach, CA. 92660. USA.
Telephone: 001-949-468-5770















