Gold Finger

Special Options

Introduction

The Privilege Escalation Path Identifier offers three sets of special options, which are covered here:

  1. Exclusion Options

  2. Depth and Branch Control Options

  3. Duplicate Node Processing Options


Note -

Options 1 and 2 can be accessed by clicking the Exclusion, Depth and Branch Control Options button.

Option 3 can be accessed by clicking the Duplicate Node Processing Options button.

Both buttons are located to the right of the Search Utility button.

1. Exclusion Options

There are many accounts and security groups that are considered to be administrative by default in Active Directory, such as the default Administrator account, the Administrators, Enterprise Admins and Domain Admins groups etc.

In addition, all non-default accounts and groups that have been made members of these default administrative groups are also considered to be administrative; altogether, all such accounts and groups are marked as 'administrative'.

By virtue of the unrestricted access that all such 'administrative' accounts and groups have in Active Directory, they can already escalate their privilege to virtually any and every object in Active Directory.

Consequently, including these 'administrative' accounts and groups in the privilege escalation path identification process only results in vast parts of the tree being taken up by accounts and groups that we already know can escalate privilege.

The pervasive presence of these accounts and groups in the tree only detracts from identifying other security principals that are not administrative in nature, yet possess the ability to escalate privileges in Active Directory.


Thus, the Privilege Escalation Path Identifier tool offers five self-explanatory exclusion options to exclude all such 'administrative' accounts and groups in Active Directory from the privilege escalation path determination process -

  1. None (i.e. include all such administrative accounts and groups in Active Directory, and expand them)

  2. Exclude all accounts and groups currently marked as administrative in Active Directory

  3. Include all accounts and groups currently marked as administrative in Active Directory, but don't expand them

  4. Exclude all default administrative accounts and groups in Active Directory

  5. Include all default administrative accounts and groups in Active Directory, but don't expand them

2. Depth and Branch Control Options

Privilege escalation paths identified by Privilege Escalation Path Identifier are displayed in the form of an inverted tree.

This inverted tree is rooted at the specified target (Root) and is comprised of many branches, with nodes at varying levels.

The size of the escalation path tree, i.e. the number of nodes contained in the tree, is directly proportional to the amount of (excessive) modify access currently provisioned in Active Directory, and in some cases can result in millions of nodes.

In a tree containing millions of nodes, trying to home in on a specific node is akin to trying to find a needle in a haystack.

There are many scenarios wherein IT or cyber security personnel may only want to view a certain branch of the tree and/or only view the tree to a certain depth, so as to home in on certain privilege escalation paths.

For such scenarios, the ability to restrict tree depth and/or focus on a specific branch can be very helpful.


The Privilege Escalation Path Identifier tool offers two helpful options for such scenarios -

  1. Restrict depth to [n] levels - If checked, the depth of the entire tree will be restricted to the specified depth.

  2. Render branch [n] only - If checked, only the specified branch of the tree will be generated and displayed.


These options can also help deep-dive into individual branches, as well as identify escalation paths on a per-level basis.

Note - For performance reasons, Gold Finger is by design limited to generating trees containing up to five million nodes. In environments where the number of resulting nodes in the tree exceeds this threshold, the tree will not be rendered. In such scenarios, these options can be used to obtain compartmentalized views into specific parts of the resulting tree, by depth and/or by branch.

3. Duplicate Node Processing Options

Privilege escalation paths identified by Privilege Escalation Path Identifier are displayed as an inverted tree, comprised of a collection of nodes, with each node representing a specific security principal that has one or more escalation paths to the security principal identified by its parent node.

It is possible for multiple (duplicate) nodes representing any one security principal to exist in the tree. For example, a user JSmith could have a privilege escalation path to twenty security principals in the tree, each located in a different branch, and thus a node representing JSmith will show up as a child node twenty times in the tree.

Each time JSmith's account shows up as a node somewhere in the tree, its own escalation path sub-tree, comprised of all security principals that can escalate privilege to it, will also be reproduced in the tree, resulting in thousands of nodes being duplicated (reproduced) in the tree and substantially increasing tree size.

It can be useful to control whether or not duplicate nodes should be added to the escalation path tree, and/or expanded again, for a security principal for whom a node (and its subtree) has already been added to the tree.


The Privilege Escalation Path Identifier tool offers three control options for duplicate node processing -

  1. Add and expand - Add a new node, and expand its subtree, even if a node already exists for a security principal.

  2. Add but don't expand - Add a new node, but don't expand it, even if a node already exists for that security principal.

  3. Skip - Do not add a new node if a node already exists for a security principal, i.e. skip duplicating it altogether.


Note - For performance reasons, Gold Finger is by design limited to generating trees containing up to five million nodes. In situations where the number of resulting nodes in the tree exceeds this threshold, the tree will not be rendered. In such situations, these options can be used to substantially reduce or eliminate duplicate nodes in the tree, thereby enabling it to be rendered.
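As an added illustration (not Gold Finger's own code), the following Python sketch shows how the exclusion options (section 1), the depth and branch controls (section 2) and the duplicate node options (section 3) each change the shape of the inverted tree. It assumes a constructed 'who holds modify rights over whom' graph with hypothetical principals, collapses the 'marked administrative' and 'default administrative' variants into one ADMIN set, and refuses to render once a node cap is exceeded, in the spirit of the five-million-node limit noted above.

```python
"""Added illustration, not Gold Finger's own code: build an inverted
escalation-path tree from a constructed 'who can modify whom' graph and
apply the three option families this page describes."""
from collections import deque

# Constructed sample (hypothetical principals): MODIFY_RIGHTS[x] holds the
# principals with modify rights over x, i.e. with an escalation path to x.
MODIFY_RIGHTS = {
    "Target": {"Domain Admins", "Server Ops", "JSmith"},
    "Domain Admins": {"Administrator", "JSmith"},
    "Server Ops": {"JSmith"},
    "JSmith": {"Helpdesk"},
    "Helpdesk": {"TJones"},
}
ADMIN = {"Administrator", "Domain Admins"}  # marked 'administrative'


def build_tree(root, exclusion="none", max_depth=None, branch=None,
               dup="add_expand", max_nodes=5_000_000):
    """Breadth-first expansion of the inverted tree rooted at `root`.
    exclusion: 'none' | 'exclude' | 'no_expand'        (exclusion options)
    max_depth: restrict depth to n levels; branch: 1-based child of root
    dup:       'add_expand' | 'add_no_expand' | 'skip' (duplicate options)
    Returns (depth, principal, parent) rows; raises once the node cap is
    exceeded, mirroring the page's 'tree will not be rendered' rule."""
    rows, seen, queue = [(0, root, None)], {root}, deque([(root, 0)])
    while queue:
        node, depth = queue.popleft()
        if max_depth is not None and depth >= max_depth:
            continue
        children = sorted(MODIFY_RIGHTS.get(node, ()))
        if node == root and branch is not None:
            children = children[branch - 1:branch]  # render one branch only
        for child in children:
            is_admin, duplicate = child in ADMIN, child in seen
            if (is_admin and exclusion == "exclude") or (duplicate and dup == "skip"):
                continue
            rows.append((depth + 1, child, node))
            if len(rows) > max_nodes:
                raise ValueError("node limit exceeded; tree not rendered")
            seen.add(child)
            # 'include but don't expand' / 'add but don't expand' stop here
            if (is_admin and exclusion == "no_expand") or (duplicate and dup == "add_no_expand"):
                continue
            queue.append((child, depth + 1))
    return rows


def count(rows, name):  # occurrences of a principal's node in the tree
    return sum(1 for _, p, _ in rows if p == name)
```

With the defaults JSmith and his sub-tree are reproduced three times; 'Skip' collapses the tree to one node per principal, while 'Exclude' removes the administrative branch entirely.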

-- End of Special Options --
