SACL Scanner is a tool designed to scan and analyze System Access Control Lists (SACLs) across various Windows objects, such as registry keys, services, files, directories, and Active Directory paths. It provides options to perform detailed checks while maintaining operational security (OPSEC).
NOTE: You will need the appropriate privileges to read the SACLs (i.e., SE_SECURITY_NAME for the registry/services/files/directories, and AD privileges over the AD object checked).
`SACL_Scanner.exe [option] [target]`

- `-r`: Check all registry keys in a hive or a specific registry key. Expected hives include `HKEY_LOCAL_MACHINE`, `HKEY_CURRENT_USER`, `HKEY_CLASSES_ROOT`, `HKEY_USERS`, and `HKEY_CURRENT_CONFIG`.
- `-s`: Check all services or a specific service.
- `-f`: Check a specific file or directory.
- `-d`: Check all files in a specific directory. Use only `-d` to scan the entire `C:\` drive.
- `-a`: Check objects in an Active Directory path. Expected format: `"LDAP://CN=username,CN=Users,DC=contoso,DC=local"`.
- `-recursive`: Enable recursive mode for Active Directory scans.
- `-opsec`: Enable operational security (OPSEC) safe mode.
- `-v`: Enable verbose mode for detailed output.

- `SACL_Scanner.exe -r HKEY_LOCAL_MACHINE`
- `SACL_Scanner.exe -r HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services`
- `SACL_Scanner.exe -s SomeServiceName`
- `SACL_Scanner.exe -f "C:\Path\To\File.txt"`
- `SACL_Scanner.exe -d "C:\Path\To\Directory"`
- `SACL_Scanner.exe -a "LDAP://CN=username,CN=Users,DC=contoso,DC=local"`

- Use the `-recursive` option to recursively scan a container in Active Directory environments.
- OPSEC safe mode minimizes detection risks but might limit scanning capabilities.
- Ensure proper permissions are available to access SACLs on the targeted objects.
- When compiling from source, make sure to set the Runtime Library flag to Multi-threaded (/MT)
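
For reviewing audit coverage from the defender's side, the following is an added example (not part of SACL Scanner or its source) that parses the SACL portion of SDDL security-descriptor strings and reports which objects carry audit ACEs. It assumes the descriptors were already exported as SDDL text by an administrator; the object names and descriptors in `SAMPLE` are constructed.

```python
import re

# SDDL ACE types that represent audit rules in a SACL.
AUDIT_TYPES = {"AU": "audit", "OU": "object audit"}
# ACE flags that say which outcome gets logged.
OUTCOME_FLAGS = {"SA": "success", "FA": "failure"}

# "S:" introduces the SACL: optional control flags (P, AR, AI), then ACEs.
# Limitation: ACEs with nested parentheses (conditional or resource-attribute
# ACEs) are not handled by this simple pattern.
SACL_RE = re.compile(r"S:(?P<flags>[A-Z]*)(?P<aces>(?:\([^)]*\))*)")


def parse_sacl(sddl):
    """Return the audit ACEs found in the S: (SACL) part of an SDDL string."""
    m = SACL_RE.search(sddl)
    if not m:
        return []  # no SACL present in this descriptor
    rules = []
    for ace in re.findall(r"\(([^)]*)\)", m.group("aces")):
        # ACE layout: type;flags;rights;object_guid;inherit_guid;trustee
        fields = ace.split(";")
        if len(fields) < 6 or fields[0] not in AUDIT_TYPES:
            continue  # skip malformed or non-audit ACEs (e.g. ML labels)
        flags = re.findall("..", fields[1])  # ACE flags are two letters each
        rules.append({
            "type": AUDIT_TYPES[fields[0]],
            "outcomes": [OUTCOME_FLAGS[f] for f in flags if f in OUTCOME_FLAGS],
            "inherited": "ID" in flags,
            "rights": fields[2],
            "trustee": fields[5],
        })
    return rules


def audit_coverage(objects):
    """Map each object name to its audit rules; [] means nothing is audited."""
    return {name: parse_sacl(sddl) for name, sddl in objects.items()}


# Constructed sample descriptors (not taken from a real host).
SAMPLE = {
    r"HKLM\SOFTWARE\ExampleApp": "O:BAG:SYD:(A;;KA;;;BA)S:AI(AU;CISAFA;KA;;;WD)",
    r"C:\Data\report.txt": "O:BAG:SYD:(A;;FA;;;BA)",
    r"C:\Data\payroll.txt": "O:BAG:SYD:(A;;FA;;;BA)S:(AU;FA;FR;;;AU)(ML;;NW;;;ME)",
}

if __name__ == "__main__":
    for name, rules in audit_coverage(SAMPLE).items():
        print(name, "->", rules or "no audit ACEs")
```

Objects that map to an empty list have no audit rules and are the gaps to close in the audit policy.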