Adalanche is a powerful open-source tool that provides immediate insight into the permissions of users and groups within Active Directory. It visualizes and helps investigate potential account, machine, or domain takeovers, and identifies and displays misconfigurations.
What sets Adalanche apart?
According to Lars Karlslund, the creator of Adalanche, one of its best features is the low user effort required to get results. Adalanche has no prerequisites, doesn’t require installation, runs on the three major OS platforms natively, and can provide surprising results within minutes, even for regular non-admin users.
Adalanche offers a visual attack graph representation of the Active Directory in a web browser, allowing users to explore the data and gain insights. By running the open-source Windows collector, users can extract local accounts, groups, services, file/registry permissions, and more from workstations and servers, all displayed in the graph.
The screenshot above demonstrates the search for Domain Controller machines and their accessible permissions. It shows an example where a user has permission to take ownership of a GPO applied to a Domain Controller, along with an admin who has placed a plaintext password in the description field. These types of vulnerabilities are common in Active Directory analysis, even for large companies, highlighting the importance of attention to detail.
Karlslund said that the open-source version of Adalanche has recently undergone a UI overhaul, gained new features, and improved its search capabilities, including the ability to export data for password audits. He added that he plans to implement a real graph query language for Adalanche and make minor UI improvements.
Adalanche can collect and analyze information from Active Directory or local Windows machines. Users can download the binary for their preferred platform for Active Directory analysis or deploy the dedicated collector .exe for Windows member machines via GPO or other orchestration for further insight.
The repository provides sample data from the Orange Cyberdefense lab Game of Active Directory project, a vulnerable Active Directory lab with 5 Windows machines (three DCs across two forests) and two Windows servers.