Skip to content

Adalanche - Active Directory ACL Attack Path Visualizer Cheatsheet

Adalanche - Active Directory ACL Attack Path Visualizer Cheatsheet

Adalanche is an open-source, Go-based tool that collects Active Directory objects, permissions (ACLs), and group memberships, then instantly graphs the attack paths — who can take control of whom, and how. It answers “what permissions do users have in AD, and who can attack whom?” without needing an external database or ingestor stack: it dumps AD, analyzes ACL-based privilege escalation, and serves an interactive graph in your browser. It is a fast, self-contained alternative/complement to BloodHound for authorized AD security assessments.

For authorized Active Directory assessments only. Collecting and analyzing directory data requires permission from the domain owner.

Installation

MethodHow
BinaryDownload for Windows/Linux/macOS from GitHub Releases
From sourcego install github.com/lkarlslund/adalanche@latest
Single binaryNo dependencies; collector + analyzer + web UI in one
Verifyadalanche version

Two Phases

PhaseCommand
CollectDump AD data into a local file
AnalyzeLoad the data and serve the graph UI

Collecting Data

# Collect from a domain (LDAP), authenticated
adalanche collect activedirectory \
  --domain example.local \
  --username analyst --password '***' \
  --server dc01.example.local
FlagPurpose
--domainTarget AD domain (FQDN)
--serverDomain controller to query
--username / --passwordCredentials (or Kerberos)
--authmodeAuthentication method (ntlm, kerberos, …)
--tlsmodeTLS/LDAPS options
collectorsactivedirectory, plus local-machine collectors

Data is saved to a local data/ directory as compressed objects.

Analyzing / Serving the Graph

# Load collected data and open the web UI
adalanche analyze
# → browse to http://localhost:8080
FlagPurpose
--datapathWhere the collected data lives
--bindAddress/port for the web UI
Query boxEnter LDAP-style / built-in queries
Pre-defined analyses”Who can reach Domain Admins”, etc.

What It Maps (Attack Edges)

Edge/techniqueMeaning
WriteDACL / WriteOwnerCan rewrite an object’s permissions
GenericAll / GenericWriteFull/partial control of an object
ForceChangePasswordReset a target’s password
AddMemberAdd self to a privileged group
AllExtendedRightsDCSync and other sensitive rights
Kerberos delegationConstrained/unconstrained delegation abuse
GPO linksControl via linked Group Policy

Querying

QueryFinds
Target Domain AdminsEverything that can reach the DA group
Pick a user → “Reach”What that principal can ultimately control
Filter by edge typeOnly WriteDACL, only delegation, etc.
Shortest pathMinimal chain from A to a high-value target

The UI highlights the shortest privilege-escalation path from any principal to a sensitive target, which is the core assessment output.

Common Workflows

# Full assessment: collect then analyze
adalanche collect activedirectory --domain corp.local \
  --username audit --password '***' --server dc.corp.local
adalanche analyze    # open the browser, target "Domain Admins"

# Offline analysis: share the data/ folder, analyze anywhere
adalanche analyze --datapath ./data

Adalanche vs BloodHound

AspectAdalancheBloodHound (CE)
BackendNone (single binary)Neo4j / API + collectors
FocusACL/permission attack pathsBroad AD/Azure attack paths
SetupMinimalHeavier stack
CollectorsBuilt-in AD + localSharpHound / AzureHound / NetExec
Best forFast ACL-centric analysisComprehensive path mapping

Complements BloodHound and collectors like NetExec; use Adalanche for quick, database-free ACL analysis.

Resources