
ETC Collector

ETC Collector is an open-source (Apache 2.0) security auditor for Active Directory and Microsoft Entra ID, written in Go. Single static binary (~20 MB), multiplatform (Linux, Windows, macOS, Docker), with 419+ security checks, ADCS ESC1-ESC11 detection, and attack path graphs. 6.2× faster than PingCastle, 22× faster than Purple Knight.

Why ETC Collector instead of PingCastle or Purple Knight?

  • Faster: Full AD audit in 6.58s — 6.2× faster than PingCastle (41s), 22× faster than Purple Knight (~3min)
  • More coverage: 275 AD checks + 144 Entra ID checks = 419 total. Covers 96.7% of PingCastle rules and 96.6% of Purple Knight indicators
  • AD + Entra ID in one tool: Only open-source auditor that covers both Active Directory and Microsoft Entra ID in a single binary
  • Runs on Linux: Native binary for Linux, macOS, Windows, and Docker. No .NET, no Windows dependency
  • ADCS ESC1–ESC11: Full certificate abuse taxonomy detection (Pro)
  • Apache 2.0: Community Edition is fully open source, free for everyone including enterprises

Features

  • Active Directory Auditing: Comprehensive security assessment with 275 detectors across 14 categories
  • Azure Entra ID Auditing: Cloud identity security analysis with 144 detectors across 9 categories
  • ADCS Detection: ESC1-ESC11 certificate abuse detection (Pro)
  • Attack Path Graphs: Privilege escalation path analysis using graph algorithms
  • REST API: Programmatic access for automation and integration
  • Multiple Output Formats: JSON, HTML, CSV

Quick Start

Download

Download the latest release for your platform:

Installation

Linux/macOS:

tar -xzf etc-collector-*.tar.gz
sudo mv etc-collector /usr/local/bin/
chmod +x /usr/local/bin/etc-collector

Windows: Extract the zip file and add the directory to your PATH.

Usage

Active Directory Audit:

etc-collector audit ad \
  --domain contoso.local \
  --username admin@contoso.local \
  --password "P@ssw0rd" \
  --output json

Note that a password passed with --password lands in shell history and is visible in process listings for the duration of the run. For server mode the bind password can be supplied through the LDAP_BIND_PASSWORD environment variable instead (see Environment Variables).

Azure Entra ID Audit:

etc-collector audit azure \
  --tenant-id "12345678-1234-1234-1234-123456789012" \
  --client-id "87654321-4321-4321-4321-210987654321" \
  --client-secret "your-client-secret"

API Server Mode (standalone):

etc-collector server --port 8443

SaaS Daemon Mode:

# Enroll with your organization's SaaS platform
etc-collector enroll YOUR_TOKEN --saas-url https://api.etcsec.com

# Start daemon (SaaS polling + local GUI on port 8443)
etc-collector daemon

The daemon connects to the SaaS backend for remote management while also serving the admin GUI locally. See SaaS Mode for details.

Docker

JWT Keys

The API server requires RSA keys for JWT authentication. Generate them before starting:

mkdir -p keys
openssl genrsa -out keys/private.pem 2048
openssl rsa -in keys/private.pem -pubout -out keys/public.pem

Run

docker pull etcseccom/etc-collector:latest

docker run -d \
  --name etc-collector \
  -p 8443:8443 \
  -v "$(pwd)/keys:/app/keys:ro" \
  etcseccom/etc-collector:latest server \
  --ldap-url "ldaps://dc.contoso.local:636" \
  --ldap-bind-dn "CN=admin,CN=Users,DC=contoso,DC=local" \
  --ldap-bind-password "P@ssw0rd" \
  --ldap-base-dn "DC=contoso,DC=local"

The bind mount uses an absolute path because older Docker CLI versions reject a relative source such as ./keys in -v.

Add --ldap-tls-verify=false only if the domain controller presents a certificate that is not trusted by the collector's trust store. It disables certificate validation entirely, so anyone who can interpose on the LDAPS connection can capture the bind password; making the DC's issuing CA trusted is the better fix.

Docker Compose

services:
  etc-collector:
    image: etcseccom/etc-collector:latest
    container_name: etc-collector
    restart: unless-stopped
    ports:
      - "8443:8443"
    command:
      - server
      - --ldap-url=ldaps://dc.contoso.local:636
      - --ldap-bind-dn=CN=admin,CN=Users,DC=contoso,DC=local
      - --ldap-bind-password=P@ssw0rd
      - --ldap-base-dn=DC=contoso,DC=local
    volumes:
      - collector-data:/app/data
      - ./keys:/app/keys:ro

volumes:
  collector-data:

The bind password can be kept out of the compose file by setting the LDAP_BIND_PASSWORD environment variable on the service instead of passing --ldap-bind-password (see Environment Variables).

Configuration

Create a config.yaml file:

server:
  host: "0.0.0.0"
  port: 8443

ldap:
  url: "ldaps://dc.contoso.local:636"
  bindDN: "CN=service,CN=Users,DC=contoso,DC=local"
  bindPassword: "${LDAP_BIND_PASSWORD}"
  baseDN: "DC=contoso,DC=local"

log:
  level: "info"
  format: "json"

Then run:

etc-collector server --config config.yaml

Environment Variables

All server flags can also be set via environment variables:

Variable                 Flag                      Default
PORT                     --port                    8443
LDAP_URL                 --ldap-url
LDAP_BIND_DN             --ldap-bind-dn
LDAP_BIND_PASSWORD       --ldap-bind-password
LDAP_BASE_DN             --ldap-base-dn
LDAP_TLS_VERIFY          --ldap-tls-verify         true
ENABLE_NETWORK_PROBES    --enable-network-probes   false
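Putting the config file's ${LDAP_BIND_PASSWORD} reference and the environment-variable table together, the following launcher is an added example (not part of the ETC Collector project) of feeding the bind password to the server without it ever appearing on a command line. It reads the secret from a file, refuses to start if anyone but the owner can read that file, exports LDAP_BIND_PASSWORD and execs the server. The secret file path, the config path and the helper names are this example's own choices.

```sh
#!/bin/sh
# Added example, not ETC Collector code. POSIX sh plus ls, cut, head, sed.
# Assumed paths: /etc/etc-collector/ldap-bind-password (mode 0600) and
# /etc/etc-collector/config.yaml (whose bindPassword is "${LDAP_BIND_PASSWORD}").

# Fail unless only the owner can read or write the secret file.
# `ls -ld` prints e.g. "-rw-------  1 svc svc 17 ..."; characters 5-10 are the
# group and other permission bits and must all be '-'. (POSIX ACLs that widen
# access are not visible here; check them separately if you use them.)
check_secret_perms() {
  file=$1
  [ -f "$file" ] || { echo "secret file missing: $file" >&2; return 1; }
  mode=$(ls -ld "$file" | cut -c5-10)
  if [ "$mode" != "------" ]; then
    echo "refusing to use $file: group/other bits set ($mode); run chmod 600" >&2
    return 1
  fi
  return 0
}

# Print the first line of the secret file with trailing whitespace removed.
load_secret() {
  check_secret_perms "$1" || return 1
  head -n 1 "$1" | sed 's/[[:space:]]*$//'
}

# Export the password and replace this shell with the collector, so the
# secret is in the server's environment but never in argv or shell history.
run_server() {
  secret_file=${1:-/etc/etc-collector/ldap-bind-password}
  config=${2:-/etc/etc-collector/config.yaml}
  LDAP_BIND_PASSWORD=$(load_secret "$secret_file") || exit 1
  export LDAP_BIND_PASSWORD
  exec etc-collector server --config "$config"
}

# Usage: run_server /etc/etc-collector/ldap-bind-password /etc/etc-collector/config.yaml
```

The permission check is the part worth keeping even if you wire the secret in differently (systemd credentials, a secrets manager): a bind account with read access to the whole directory is exactly what an attacker wants for reconnaissance, so the file holding its password deserves the same care as the JWT private key.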

GUI Access Token

The admin GUI is protected by an access token. The token is generated at install time and shown once — only a SHA-256 hash is stored on disk.

# Generate or reset the GUI access token
etc-collector gui-token reset

Output:

New GUI access token generated:

  Token:  etcsec_gt_a1b2c3d4...

  Save this token — it will not be shown again.
  Restart the service for the new token to take effect.

Use this token to log into the web GUI at http://localhost:8443.
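To make the storage model above concrete (the token is shown once, only its SHA-256 digest is written to disk, and a login is checked by hashing what the client presents), here is the same scheme rebuilt in shell. It is an added example, not ETC Collector's own implementation: the etcsec_gt_ prefix mirrors the README's sample output, while the 32-byte token length and the hash-file path are assumptions.

```sh
#!/bin/sh
# Added example, not ETC Collector code. Needs /dev/urandom, od, and one of
# sha256sum, shasum or openssl.

# Hex SHA-256 of stdin, using whichever tool the host has.
sha256_hex() {
  if command -v sha256sum >/dev/null 2>&1; then sha256sum | cut -d' ' -f1
  elif command -v shasum >/dev/null 2>&1; then shasum -a 256 | cut -d' ' -f1
  else openssl dgst -sha256 | sed 's/.* //'
  fi
}

# 32 random bytes, hex-encoded, behind the prefix seen in the README output.
new_token() {
  printf 'etcsec_gt_%s' "$(head -c 32 /dev/urandom | od -An -tx1 | tr -d ' \n')"
}

# Write only the digest, owner-readable (umask in a subshell so it does not leak).
store_token_hash() {  # $1 = token, $2 = hash file
  ( umask 077; printf '%s' "$1" | sha256_hex >"$2" )
}

# 0 if the presented token hashes to the stored digest, 1 otherwise.
verify_token() {  # $1 = presented token, $2 = hash file
  stored=$(cat "$2" 2>/dev/null) || return 1
  [ "$(printf '%s' "$1" | sha256_hex)" = "$stored" ]
}

# Usage (the only time the token is ever printed):
#   t=$(new_token); store_token_hash "$t" /var/lib/etc-collector/gui-token.sha256
#   echo "Token: $t"   # save it; the file holds only the digest
#   verify_token "$t" /var/lib/etc-collector/gui-token.sha256 && echo ok
```

Hashing before comparing is what makes a copied hash file useless to an attacker, and it also blunts timing attacks on the shell's non-constant-time string comparison: the attacker controls the token, not the digest being compared.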

SaaS Mode

In SaaS mode, the collector runs as a daemon that polls the SaaS backend for commands (audits, config updates, software updates) while also serving the admin GUI locally.

Setup

# 1. Enroll
etc-collector enroll YOUR_TOKEN --saas-url https://api.etcsec.com

# 2. Set a GUI access token
etc-collector gui-token reset

# 3. Start the daemon
sudo systemctl start etcsec-collector

Embedded GUI

The daemon serves the admin GUI alongside SaaS operations. By default, the GUI listens on 127.0.0.1:8443 (local access only).

Flag         Default      Description
--gui-port   8443         GUI server port (0 to disable)
--gui-host   127.0.0.1    Listen address (0.0.0.0 for all interfaces)

Examples:

# Local access only (default)
etc-collector daemon

# Accessible from all network interfaces
etc-collector daemon --gui-host 0.0.0.0

# Custom port
etc-collector daemon --gui-port 9443

# Disable GUI entirely
etc-collector daemon --gui-port 0

Enable/Disable GUI

Use server enable/disable to permanently activate or deactivate the GUI on the systemd service:

# Interactive setup (asks host, port, confirmation)
sudo etc-collector server enable

# Non-interactive
sudo etc-collector server enable --host 0.0.0.0 --port 8443 -y

# Disable GUI (SaaS daemon keeps running)
sudo etc-collector server disable

These commands update the systemd service file, reload, and restart automatically.

Security note: With --gui-host 0.0.0.0 the GUI is reachable on every interface, so make sure a GUI access token is set and restrict access with host firewall rules. The firewalld example (sudo firewall-cmd --add-port=8443/tcp --permanent, followed by sudo firewall-cmd --reload) opens the port to all sources; limit it to the administrators' source addresses where your platform allows.

API Documentation

See API Documentation for REST API reference.

Requirements

  • Network Access:

    • Active Directory: LDAPS (port 636)
    • Azure: HTTPS (port 443) to graph.microsoft.com
    • SMB (port 445) for GPO analysis
  • Permissions:

    • Active Directory: Read access to all AD objects. The project recommends Domain Admins; a dedicated read-only account is the least-privilege alternative, provided it can read every object and attribute the checks need (some attributes are not readable by ordinary authenticated users).
    • Azure: Application (read-only, admin consent required) with 9 Microsoft Graph permissions:
      • Directory.Read.All - Read directory data
      • User.Read.All - Read all users' full profiles
      • Group.Read.All - Read all groups
      • Application.Read.All - Read all applications
      • RoleManagement.Read.All - Read role assignments
      • RoleManagementPolicy.Read.Directory - Read PIM policies
      • Policy.Read.All - Read all policies
      • AuditLog.Read.All - Read audit logs
      • IdentityRiskyUser.Read.All - Read risky users (requires Entra ID P2)
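Because the Entra audit needs exactly these nine read-only application permissions, a practitioner will want to confirm the app registration has them all and nothing more before granting admin consent. The check below is an added example (not ETC Collector code) that diffs a granted-permission list against the README's nine, reporting what is missing (the audit will fail) and what is excessive (more than a read-only auditor should hold). The granted list it ships with is constructed for the example, not real tenant output, and the input format (one permission name per line on stdin) is this example's assumption.

```sh
#!/bin/sh
# Added example, not ETC Collector code. POSIX sh plus grep, sort, comm, mktemp.

# The nine Microsoft Graph application permissions listed in the README.
required_graph_permissions() {
  printf '%s\n' \
    Directory.Read.All User.Read.All Group.Read.All Application.Read.All \
    RoleManagement.Read.All RoleManagementPolicy.Read.Directory \
    Policy.Read.All AuditLog.Read.All IdentityRiskyUser.Read.All
}

# Constructed sample (not real tenant output): IdentityRiskyUser.Read.All is
# missing and a write permission, Directory.ReadWrite.All, has crept in.
sample_granted_permissions() {
  printf '%s\n' \
    Directory.Read.All User.Read.All Group.Read.All Application.Read.All \
    RoleManagement.Read.All RoleManagementPolicy.Read.Directory \
    Policy.Read.All AuditLog.Read.All Directory.ReadWrite.All
}

# stdin -> blank lines dropped, sorted, deduplicated (comm needs sorted input).
normalize() { grep -v '^[[:space:]]*$' | sort -u; }

# Granted list on stdin; prints required permissions that are not granted.
missing_permissions() {
  req=$(mktemp); got=$(mktemp)
  required_graph_permissions | normalize >"$req"
  normalize >"$got"
  comm -23 "$req" "$got"
  rm -f "$req" "$got"
}

# Granted list on stdin; prints granted permissions that are not required.
excess_permissions() {
  req=$(mktemp); got=$(mktemp)
  required_graph_permissions | normalize >"$req"
  normalize >"$got"
  comm -13 "$req" "$got"
  rm -f "$req" "$got"
}

# Verdict on the granted list from stdin.
# Exit status: 0 = exactly the required set, 1 = something missing, 2 = excess only.
check_app_permissions() {
  granted=$(cat)
  missing=$(printf '%s\n' "$granted" | missing_permissions)
  excess=$(printf '%s\n' "$granted" | excess_permissions)
  [ -n "$missing" ] && echo "MISSING (audit will fail): $(printf '%s' "$missing" | tr '\n' ' ')"
  [ -n "$excess" ] && echo "EXCESS (not needed by a read-only auditor): $(printf '%s' "$excess" | tr '\n' ' ')"
  [ -n "$missing" ] && return 1
  [ -n "$excess" ] && return 2
  echo "OK: exactly the required permissions are granted"
  return 0
}

# Usage: sample_granted_permissions | check_app_permissions
```

Run it against the real list before clicking "Grant admin consent": an excess write permission on an app whose client secret sits in an audit pipeline turns a read-only auditor into a tenant-wide write path if that secret leaks.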

Building from Source

git clone https://github.com/etcsec-com/etc-collector.git
cd etc-collector
make build

License

This software is licensed under the Apache License 2.0.

See the LICENSE file for full terms.

Support

For issues and questions, please contact support or open an issue on GitHub.