Forest Druid Frequently Asked Questions

  • What is Forest Druid?

    Forest Druid is a free attack path discovery tool, natively compatible with Active Directory, that helps cybersecurity defensive teams quickly prioritize high-risk misconfigurations that could represent opportunities for attackers to gain privileged domain access. Forest Druid helps you 1) identify the groups and accounts with access to Tier 0 assets, 2) define Tier 0 assets otherwise missed by default configurations, 3) scan AD for high-risk violations, and 4) protect Tier 0 assets by applying the analysis results to prioritize remediation and cut down excessive privileges with a focus on Tier 0 assets.

  • How does Forest Druid work?

    Forest Druid simplifies and accelerates attack path analysis by helping you prioritize exposure and vulnerabilities according to their proximity to Tier 0 assets. Forest Druid scans the target AD environment to collect objects and their access relationships. It then categorizes the objects and presents both list and relationship graphs showing the privilege escalation relationships between objects. The assessment results help you understand where objects in lower tiers have privilege escalation relationships to Tier 0 assets. With this data, you can produce a well-defined set of Tier 0 assets and identify all violations of the administrative tiering security model.

  • Who is Forest Druid intended for?

    Forest Druid provides a point-in-time assessment that’s intended to help cybersecurity defensive teams and IT administrators track attack paths from Tier 0 assets that violate the administrative security model, accelerating efforts to discover and eradicate threat actors. You can also use Forest Druid in post-breach scenarios to identify previously undisclosed domain persistence techniques.

  • Who developed Forest Druid?

    Developed by cybersecurity and Active Directory experts, Forest Druid is the second in a group of free community tools provided by Semperis, which offers Active Directory Forest Recovery (cyber-first disaster recovery for AD) and Directory Services Protector (comprehensive Identity Threat Detection and Response for hybrid AD). Forest Druid joins Purple Knight, a free AD security assessment tool downloaded by 10,000+ organizations that scans the AD environment for indicators of exposure (IOEs) and indicators of compromise (IOCs), provides an overall security score, and offers prioritized remediation guidance.

  • How do I get access to Forest Druid?

    You can join the priority access list by filling out the request form. You will receive an email with the download link, a user guide, and additional resources.

  • Where can I learn more about Forest Druid?
  • Which Active Directory permissions are required to run Forest Druid?

    The user running Forest Druid must have Read permissions to Active Directory. Running Forest Druid with elevated privileges, such as those of a Domain Admin, will return more objects and relationships. Forest Druid collects data for all domains in the Active Directory forest to which the currently logged-in user belongs.

  • What does Semperis do with the information Forest Druid generates about our environment?

    Nothing! Forest Druid has no phone-home capabilities. The data and information that the tool generates are exclusively available to the organization running the tool and never available to Semperis.
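
The answer to "How does Forest Druid work?" describes finding lower-tier objects that have privilege escalation relationships to Tier 0 assets and prioritizing them by proximity. The following is an added illustration of that kind of analysis, not Forest Druid's own code or algorithm: it walks a small constructed relationship graph backwards from the Tier 0 set. All object names, relationship labels, and the edge list are hypothetical sample data.

```python
from collections import deque

# Constructed sample data (hypothetical names): (source, relationship, target)
# means the source object has a control relationship over the target object.
EDGES = [
    ("HelpdeskOps", "ResetPassword", "svc-backup"),
    ("svc-backup", "MemberOf", "ServerOps"),
    ("ServerOps", "GenericAll", "DC01"),
    ("jdoe", "MemberOf", "HelpdeskOps"),
    ("WebAdmins", "GenericAll", "WEB01"),      # never reaches Tier 0
    ("asmith", "WriteDacl", "Domain Admins"),
    ("Domain Admins", "GenericAll", "DC01"),   # Tier 0 to Tier 0, not a violation
]
TIER0 = {"Domain Admins", "DC01"}


def paths_to_tier0(edges, tier0):
    """Walk relationships backwards from Tier 0, breadth-first, so every
    lower-tier object is recorded with its shortest path into Tier 0."""
    inbound = {}
    for src, rel, dst in edges:
        inbound.setdefault(dst, []).append((src, rel))

    next_hop = {}  # object -> (relationship, next object toward Tier 0)
    queue = deque(sorted(tier0))
    while queue:
        node = queue.popleft()
        for src, rel in inbound.get(node, []):
            if src in tier0 or src in next_hop:
                continue  # already Tier 0, or already reached by a shorter path
            next_hop[src] = (rel, node)
            queue.append(src)

    findings = []
    for obj in next_hop:
        path, cur = [obj], obj
        while cur not in tier0:
            rel, cur = next_hop[cur]
            path += [rel, cur]
        findings.append((len(path) // 2, obj, path))
    return sorted(findings)  # fewest hops to Tier 0 first


if __name__ == "__main__":
    for hops, obj, path in paths_to_tier0(EDGES, TIER0):
        print(f"{hops} hop(s): {' -> '.join(path)}")
```

Objects one hop from Tier 0 are the first to review, either to remove the relationship or to decide whether the object belongs in the Tier 0 definition itself.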