ADCollector
ADCollector is a lightweight .NET tool designed for rapid, low-noise Active Directory enumeration during the early stages of post-compromise reconnaissance. It focuses on extracting high-value information—such as key attributes, ACLs, and trust relationships—without the overhead of full-domain scraping, making it suitable for large enterprise environments where stealth and speed are critical. While not a replacement for comprehensive tools like PowerView, ADCollector provides a fast, automated overview of the AD landscape, ideal for triaging potential attack paths before moving to deeper, targeted enumeration.
Enumerating ACLs via LDAP is difficult due to the binary format of the nTSecurityDescriptor attribute, which requires specialized parsing. Tools like ADSearch and StandIn lack full support for decoding this data. ADCollector handles ACL enumeration more effectively with structured output, though BloodHound remains the easiest and most complete option.
# Enumerate the DACL of DAs
ADCollector.exe '--DACL "cn=domain admins,cn=users,dc=dollarcorp,dc=moneycorp,dc=local"'
To check if a user has Modify or similar rights over directory objects, the --ACLScan flag can be used along with the target username. It scans DACLs tied to both the user and any groups they belong to, providing a complete view of direct and inherited permissions.
ADCollector.exe '--ACLScan student337'
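To show what the binary nTSecurityDescriptor parsing and the Modify-rights check described above involve when auditing an object's DACL, here is an added example (not ADCollector's code) that decodes a self-relative security descriptor and lists the trustees holding write-style rights. It assumes the attribute value is already in hand as bytes; the sample descriptor, its SIDs and the right labels are constructed for illustration.

```python
import struct

# Access-mask bits that let a trustee modify an AD object (labels chosen for this example).
WRITE_RIGHTS = {0x08: "Self", 0x20: "WriteProperty", 0x40000: "WriteDacl",
                0x80000: "WriteOwner", 0x10000000: "GenericAll", 0x40000000: "GenericWrite"}

def parse_sid(buf, off):
    """Decode the binary SID at buf[off:] into its S-1-... string form."""
    rev, count = buf[off], buf[off + 1]
    authority = int.from_bytes(buf[off + 2:off + 8], "big")
    subs = struct.unpack_from(f"<{count}I", buf, off + 8)
    return "-".join(["S", str(rev), str(authority), *map(str, subs)])

def parse_dacl(sd):
    """Return [(ace_type, mask, trustee_sid)] from a self-relative descriptor."""
    control, dacl_off = struct.unpack_from("<2xH12xI", sd, 0)
    if not control & 0x8000:                   # SE_SELF_RELATIVE
        raise ValueError("not a self-relative security descriptor")
    if not control & 0x0004 or dacl_off == 0:  # SE_DACL_PRESENT clear
        return []
    acl_size, ace_count = struct.unpack_from("<2xHH", sd, dacl_off)
    pos, end, aces = dacl_off + 8, dacl_off + acl_size, []
    for _ in range(ace_count):
        ace_type, ace_size = struct.unpack_from("<BxH", sd, pos)
        if ace_size < 8 or pos + ace_size > min(end, len(sd)):
            raise ValueError("ACE runs past the ACL boundary")
        mask, body = struct.unpack_from("<I", sd, pos + 4)[0], pos + 8
        if ace_type in (5, 6):                 # object ACE: Flags, then optional GUIDs
            flags = struct.unpack_from("<I", sd, body)[0]
            body += 4 + 16 * bool(flags & 1) + 16 * bool(flags & 2)
        if ace_type in (0, 1, 5, 6):           # other ACE layouts are skipped
            aces.append((ace_type, mask, parse_sid(sd, body)))
        pos += ace_size
    return aces

def write_aces(sd):
    """Allow ACEs (types 0 and 5) whose mask carries any write-style right."""
    named = ((t, sid, [n for b, n in WRITE_RIGHTS.items() if m & b])
             for t, m, sid in parse_dacl(sd))
    return [(sid, names) for t, sid, names in named if t in (0, 5) and names]

# Constructed sample: a two-ACE descriptor built by hand (placeholder GUID and SIDs).
def _sid(*subs):
    return bytes([1, len(subs)]) + (5).to_bytes(6, "big") + struct.pack(f"<{len(subs)}I", *subs)
_ace1 = struct.pack("<BBHI", 0, 0, 20, 0x00020094) + _sid(11)
_ace2 = struct.pack("<BBHII", 5, 0, 56, 0x20, 1) + bytes(16) + _sid(21, 1111, 2222, 3333, 1105)
SAMPLE_SD = (struct.pack("<BBHIIII", 1, 0, 0x8004, 0, 0, 0, 20)
             + struct.pack("<BBHHH", 4, 0, 84, 2, 0) + _ace1 + _ace2)
if __name__ == "__main__":
    print(write_aces(SAMPLE_SD))
```

The object ACE in the sample carries an all-zero ObjectType GUID as a placeholder; in a real descriptor that GUID names the specific attribute or extended right the ACE is scoped to.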