Adalanche : ADDS Security Visualised

Adalanche is a visual tool for mapping out you’re active directly domain and all its objects and links, it is a little more bloodhound, The purpose of this tool is to do risk-based remediation and map out attack vectors.

However, unlike bloodhound, you don’t need a Neo4J database, then a collector service to grab the data - this application is very nicely packaged into a single executable, you can run it on Linux or Windows

You can quite happily run this tool as a user, and while some company administrators will be worried about is it dangerous or does it attack the domain - The question you need to ask is if you don’t run it can you afford not to run it?

All information like this that’s about the security of your domain is absolutely good information if used in the correct fashion, remember if you can run it at User, so can anybody else on your domain - Don’t immediately block applications, because ignorance in this example is absolutely not blissful.

Download Adalanche

Downloading this application is very simple, navigate to this link below:

https://github.com/lkarlslund/Adalanche/releases/tag/v2024.1.11

If you scroll down, section labeled assets, this will give you for your binaries for the relevant operating system plan to use it with:

Security Warnings

In this example let use Windows, download these executable which sounds simple, but....

Then you need to yet again keep the file, this is good if this is malicious, but not for labs and testing:

Rename the download

Then when you have the download it will be called, the version will be in keeping with the latest version released at the time you down it:

adalanche-windows-x64-v2024.1.11.exe

This needs to be renamed to the correct name with this command:

ren adalanche-windows-x64-v2024.1.11.exe adalanche.exe

Noisy Version : Run the executable

Note : Noisy if you have monitoring and alerting setup on your domain, which really you should have, this should NOT be a silent operation.

Then you can simply run the command and it will kind your local domain, scan it, then start a webserver on give you the results in your browser of choice, like this from the directory you have it downloaded to:

adalanche.exe

Then it will do its scan, give it a moment, this will depend on the size of your ADDS....

Then wait for it to give a summary of your ADDS domain:

Then it will automatically start your default browser and show you the graphing and mapping like this however this image is a new domain with a couple of users to it looks simple and easy to understand:

You then get a load of preset queries where you can choose one and then select "analyse" and you will see the results in the mapping:

It is also interactive, so for example if you right click on the domain controller called FakeDC and choose "paths to target" you get a nicely formatted interactive map:

Then finally if you ask, who can "own" the ADDS server then you get another dynamic chart:

If you are interested the LDAP for this inside the utility is as follows for my example:

(distinguishedname=CN=FakeDC,OU=Domain Controllers,DC=bear,DC=local)

Silent Version : Dump Data from ADExplorer

If you wish to dump data from ADExplorer then download that tool here once downloaded extract the file ADExplorer64.exe to a relevant location, then run that executable - enter the name of the domain only then click OK....

One connected, chose the domain options, usually the one at the stop then choose "Create Snapshot"

Then will in the details in the next window give it a name and a location to save the file then click OK:

While it saves, there is no progress bar so be patient, you may notice it might say "not responding" but wait for it to complete, be patient.

Then now you have the BIN file from the directory where adalanche.exe is located run this, in this example you will need to update your path to the one you have:

adalanche collect activedirectory --adexplorerfile=lootfile.bin