Adalanche - Active Directory ACL Attack Path Visualizer Cheatsheet
Adalanche is an open-source, Go-based tool that collects Active Directory objects, permissions (ACLs), and group memberships, then instantly graphs the attack paths — who can take control of whom, and how. It answers “what permissions do users have in AD, and who can attack whom?” without needing an external database or ingestor stack: it dumps AD, analyzes ACL-based privilege escalation, and serves an interactive graph in your browser. It is a fast, self-contained alternative/complement to BloodHound for authorized AD security assessments.
For authorized Active Directory assessments only. Collecting and analyzing directory data requires permission from the domain owner.
Installation
| Method | How |
|---|
| Binary | Download for Windows/Linux/macOS from GitHub Releases |
| From source | go install github.com/lkarlslund/adalanche@latest |
| Single binary | No dependencies; collector + analyzer + web UI in one |
| Verify | adalanche version |
Two Phases
| Phase | Command |
|---|
| Collect | Dump AD data into a local file |
| Analyze | Load the data and serve the graph UI |
Collecting Data
# Collect from a domain (LDAP), authenticated
adalanche collect activedirectory \
--domain example.local \
--username analyst --password '***' \
--server dc01.example.local
| Flag | Purpose |
|---|
--domain | Target AD domain (FQDN) |
--server | Domain controller to query |
--username / --password | Credentials (or Kerberos) |
--authmode | Authentication method (ntlm, kerberos, …) |
--tlsmode | TLS/LDAPS options |
| collectors | activedirectory, plus local-machine collectors |
Data is saved to a local data/ directory as compressed objects.
Analyzing / Serving the Graph
# Load collected data and open the web UI
adalanche analyze
# → browse to http://localhost:8080
| Flag | Purpose |
|---|
--datapath | Where the collected data lives |
--bind | Address/port for the web UI |
| Query box | Enter LDAP-style / built-in queries |
| Pre-defined analyses | ”Who can reach Domain Admins”, etc. |
What It Maps (Attack Edges)
| Edge/technique | Meaning |
|---|
WriteDACL / WriteOwner | Can rewrite an object’s permissions |
GenericAll / GenericWrite | Full/partial control of an object |
ForceChangePassword | Reset a target’s password |
AddMember | Add self to a privileged group |
AllExtendedRights | DCSync and other sensitive rights |
| Kerberos delegation | Constrained/unconstrained delegation abuse |
| GPO links | Control via linked Group Policy |
Querying
| Query | Finds |
|---|
| Target Domain Admins | Everything that can reach the DA group |
| Pick a user → “Reach” | What that principal can ultimately control |
| Filter by edge type | Only WriteDACL, only delegation, etc. |
| Shortest path | Minimal chain from A to a high-value target |
The UI highlights the shortest privilege-escalation path from any principal to a sensitive target, which is the core assessment output.
Common Workflows
# Full assessment: collect then analyze
adalanche collect activedirectory --domain corp.local \
--username audit --password '***' --server dc.corp.local
adalanche analyze # open the browser, target "Domain Admins"
# Offline analysis: share the data/ folder, analyze anywhere
adalanche analyze --datapath ./data
Adalanche vs BloodHound
| Aspect | Adalanche | BloodHound (CE) |
|---|
| Backend | None (single binary) | Neo4j / API + collectors |
| Focus | ACL/permission attack paths | Broad AD/Azure attack paths |
| Setup | Minimal | Heavier stack |
| Collectors | Built-in AD + local | SharpHound / AzureHound / NetExec |
| Best for | Fast ACL-centric analysis | Comprehensive path mapping |
Complements BloodHound and collectors like NetExec; use Adalanche for quick, database-free ACL analysis.
Resources