runoff -- bloodhound ce quick wins

Runoff

BloodHound CE quick win extractor
Query Neo4j. Surface attack paths. Get exploitation commands.

From BloodHound data to attack plan

Connect to BloodHound CE's Neo4j database and instantly surface misconfigurations, dangerous permissions, attack paths, and privilege escalation opportunities across 15 security categories.

177 Security Queries

15 categories covering ACL abuse, ADCS, delegation, credentials, lateral movement, hygiene, and more. Each query returns actionable findings.

Attack Path Discovery

Find shortest paths to Domain Admins, Domain Controllers, and between any two principals. Discover what owned nodes can reach.

Abuse Commands

Toggle --abuse to see exact exploitation commands (Impacket, Certipy, PowerView, Rubeus) for every finding. Copy-paste ready.

ADCS ESC1-ESC15

Complete AD Certificate Services coverage: vulnerable templates, enrollment abuse, CA misconfiguration, and golden certificate paths.

Owned Principal Analysis

Mark compromised accounts, then discover what they can reach: paths to DA, Kerberoastable targets, ADCS abuse, unconstrained delegation.

Multiple Output Formats

Rich terminal tables with Catppuccin Mocha theme, JSON for automation, CSV for spreadsheets, HTML reports for management.

Domain Statistics

Get instant overview: user/computer/group counts, trust relationships, tier-zero exposure, stale accounts, missing LAPS coverage.

BloodHound CE API

Authenticate, upload collector data, manage ingestion history. Full API integration alongside Neo4j queries.

Connect. Query. Exploit.

Runoff connects to BloodHound CE's Neo4j database, runs categorized Cypher queries, and surfaces findings with severity ratings and exploitation commands.

runoff -p pass run acl -s HIGH --abuse

RUNOFF - BloodHound CE Quick Wins v3.1.0

Connection Info
Bolt URI: bolt://127.0.0.1:7687
Domain: CORP.LOCAL
Queries: 25 ACL queries
Findings - ACL Abuse
CRITICAL GenericAll on Domain Admins
SVCBACKUP@CORP.LOCAL has GenericAll over DOMAIN ADMINS@CORP.LOCAL
# Abuse command: net rpc group addmem "DOMAIN ADMINS" SVCBACKUP -U SVCBACKUP -S dc01.corp.local
HIGH Shadow Admins
HELPDESK@CORP.LOCAL owns EXCHANGE ADMINS@CORP.LOCAL
# Abuse command: Set-DomainObjectOwner -Identity 'EXCHANGE ADMINS' -OwnerIdentity HELPDESK

Runoff running ACL abuse queries with exploitation commands enabled.

One command. 177 queries. Zero guesswork.

Connect to BloodHound CE's Neo4j database, run categorized Cypher queries, and get formatted findings with severity ratings and exploitation commands.

System architecture

01 Neo4j Queries
177 Cypher queries across 15 categories: ACL Abuse (25), ADCS (18), Privilege Escalation (18), Lateral Movement (18), Security Hygiene (23), and more. Flexible domain filtering handles data inconsistencies.

02 Severity Scoring
Four-level severity system: CRITICAL (immediate exploitation), HIGH (serious risk), MEDIUM (misconfiguration), LOW (hardening). Filter with --severity.

03 Abuse Templates
YAML-based exploitation commands for each finding type. Covers Impacket, Certipy, PowerView, Rubeus, BloodHound CE API, and native tools.

04 Rich Display
Catppuccin Mocha themed tables, attack path trees, progress bars, executive summaries, and HTML report generation. Multiple output formats.
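As an added illustration of the query-catalogue, severity-filter and domain-filter flow described in 01 and 02 (example code, not Runoff's own): a minimal Python runner holding two Cypher checks written against BloodHound's graph schema, a -s style severity filter, and a domain filter that matches on the NAME@DOMAIN suffix. The query names and categories, the exact filter semantics, and the StubSession rows are assumptions; the stub stands in for a neo4j driver session so the block runs offline.

```python
from collections import namedtuple

SEVERITIES = ("CRITICAL", "HIGH", "MEDIUM", "LOW")  # the page's four levels, most severe first
Query = namedtuple("Query", "name category severity cypher")  # one catalogued check

# Two representative checks written against BloodHound's graph schema (User/Group labels,
# GenericAll edge, hasspn/enabled properties; RID 512 is Domain Admins). Names are ours.
QUERIES = [
    Query("GenericAll on Domain Admins", "acl", "CRITICAL",
          "MATCH (n)-[:GenericAll]->(g:Group) WHERE g.objectid ENDS WITH '-512' "
          "RETURN n.name AS principal, g.name AS target"),
    Query("Kerberoastable users", "privesc", "HIGH",
          "MATCH (u:User) WHERE u.hasspn = true AND u.enabled = true AND NOT u.name "
          "STARTS WITH 'KRBTGT@' RETURN u.name AS principal, u.name AS target"),
]

def parse_severity(spec):
    """'-s CRITICAL,HIGH' style filter: comma-separated, case-insensitive; None means all."""
    wanted = {s.strip().upper() for s in spec.split(",")} if spec else set(SEVERITIES)
    if wanted - set(SEVERITIES):
        raise ValueError(f"unknown severity: {sorted(wanted - set(SEVERITIES))}")
    return wanted

def in_domain(name, domain):
    """Match on the NAME@DOMAIN suffix, case-insensitively, so a node whose 'domain'
    property is missing or oddly cased is still filtered (our reading of 'flexible')."""
    return domain is None or name.upper().rsplit("@", 1)[-1] == domain.upper()

def run_quick_wins(session, category=None, severity=None, domain=None):
    """session: anything whose .run(cypher) yields records indexable by column name
    (a neo4j driver Session does; StubSession below stands in for it offline)."""
    wanted, findings = parse_severity(severity), []
    for q in QUERIES:
        if (category and q.category != category) or q.severity not in wanted:
            continue
        for rec in session.run(q.cypher):
            if in_domain(rec["principal"], domain):
                findings.append({"query": q.name, "category": q.category, "severity": q.severity,
                                 "principal": rec["principal"], "target": rec["target"]})
    return sorted(findings, key=lambda f: SEVERITIES.index(f["severity"]))  # stable: CRITICAL first

class StubSession:
    """Constructed rows keyed by Cypher text, standing in for a live Neo4j session."""
    ROWS = {QUERIES[0].cypher: [{"principal": "SVCBACKUP@CORP.LOCAL", "target": "DOMAIN ADMINS@CORP.LOCAL"}],
            QUERIES[1].cypher: [{"principal": "SQLSVC@CORP.LOCAL", "target": "SQLSVC@CORP.LOCAL"},
                                {"principal": "websvc@corp.local", "target": "websvc@corp.local"},  # odd casing
                                {"principal": "WEBSVC@DEV.CORP.LOCAL", "target": "WEBSVC@DEV.CORP.LOCAL"}]}
    def run(self, cypher):
        return self.ROWS.get(cypher, [])
```

Swap StubSession for a session from neo4j.GraphDatabase.driver(bolt_uri, auth=(user, password)) to run the same checks against a real BloodHound CE database.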

Stack: Python 3.9+, Neo4j, Click, Rich, PyYAML, Requests

Comprehensive AD security coverage

15 query categories targeting every major Active Directory attack surface.

177 Security Queries: Cypher queries targeting misconfigurations, attack paths, and privilege escalation
15 Categories: from ACL abuse and ADCS to lateral movement and Azure hybrid attacks
15 ADCS ESC Checks: ESC1 through ESC15 coverage for AD Certificate Services abuse
5 Output Formats: terminal tables, JSON for automation, CSV for spreadsheets, Markdown, HTML reports

15 categories. Every attack surface.

From ACL abuse to Azure hybrid attacks, each category targets a specific Active Directory attack surface.

Category               Queries  Example Findings
ACL Abuse                   25  GenericAll, WriteDacl, Shadow Admins, GPO control
GPO Abuse                    3  GPO controllers, GPOs linked to OUs with DCs, GPO creator owners
Security Hygiene            23  Stale accounts, missing LAPS, unsupported OS
ADCS                        18  ESC1-ESC15, golden certificates, CA abuse
Privilege Escalation        18  Kerberoasting, AS-REP, DCSync, SID History
Lateral Movement            18  Admin sessions, RDP access, NTLM relay, SQL admin
Basic Info                  16  Domain stats, trusts, tier-zero count, functional level
Delegation                  11  Unconstrained, constrained, RBCD, coercion chains
Owned                       11  Paths from owned to DA, DCSync, high value, ADCS
Dangerous Groups            10  Account/Server/Print/Backup Operators, Schema Admins
Azure/Hybrid                 9  AAD Connect, hybrid attack surface, sync accounts
Attack Paths                 6  Shortest paths to DA, busiest paths, cross-domain
Miscellaneous                3  Circular groups, duplicate SPNs, security tools
Exchange                     5  Exchange domain rights, Exchange groups
Credentials                  1  Password in description attributes

Running in 60 seconds

Install with pipx, point at your BloodHound CE Neo4j database, and start finding attack paths. Python 3.9+ is the only requirement.

# Install with pipx (recommended)
$ pipx install git+https://github.com/Real-Fruit-Snacks/runoff.git
# Or install with pip
$ pip install git+https://github.com/Real-Fruit-Snacks/runoff.git
# Run all security queries
$ runoff -p 'bloodhoundcommunityedition' run all
# Quick wins:
$ runoff -p pass kerberoastable   # Kerberoastable users
$ runoff -p pass run acl -s HIGH   # High-severity ACL
$ runoff -p pass --abuse run adcs   # ADCS + abuse cmds
$ runoff -p pass path da USER@CORP.LOCAL
$ runoff -p pass --output json run all   # JSON output

pipx is the recommended install method -- it creates an isolated environment and keeps your system Python clean. Install pipx if you don't have it yet.

Point Runoff at your BloodHound CE Neo4j instance. Default connection: bolt://127.0.0.1:7687 with the neo4j user.

Use -s CRITICAL,HIGH to filter by severity, --abuse to include exploitation commands, and -d CORP.LOCAL to filter by domain.

Export as JSON for automation, CSV for spreadsheets, Markdown for documentation, or HTML for management reports.