PlasmaPup: Hunting Down Active Directory Exposures

In the current landscape of constant cybersecurity threats in which universities are often targets, administrators of Active Directory (AD) environments do their best to institute security practices to protect valuable digital assets. However, the decentralized nature of these environments makes it challenging to maintain visibility to exposures and to implement security measures consistently.

This is where PlasmaPup, a Windows GUI app written at U-M, comes to the rescue. The aptly named sidekick to BloodHound can run on any Windows system and shows all accounts with write permissions to objects within a selected organizational unit (OU). PlasmaPup can be used by any system admin – Identity and Access Management (IAM) personnel, central IT service, and unit AD – and provides specific actionable analysis of permissions in their OU.

Insights are typically centralized; not all admins have access.Allows individual unit admins to analyze their OUs directly.
Requires specific setup and access rights.Operates independently, from any workstation or server.
Offers broad AD security insights.Specializes in detailed OU-specific permissions and policy analysis.

Campus units can run PlasmaPup against their own OU and periodically check for any unexpected users with permissions. Central IT groups at U-M, such as IAM, MiServer, MiWorkspace, or the Virtualization team, can run PlasmaPup to see what permissions might exist for legacy admins and users, or for forgotten services and processes.

Getting started with PlasmaPup is easy. The source code is available for download on GitHub. A setup project is included for straightforward installation on Windows systems..For any questions related to PlasmaPup, please submit a service ticket and mention vulnerability scanning with PlasmaPup.

a graphic of an orange dog with a white neck and teal color with gold tag sits against a light blue background