BloodHound Integration
How it works
RACFHound uploads the RACF graph to BloodHound via the OpenGraph API. Once ingested, you can run Cypher queries and visualize attack paths in the BloodHound UI exactly as you would for Active Directory or Azure.
Saved queries
RACFHound ships with a set of pre-built Cypher queries. Install them:
```bash
racfhound query install \
  --url https://your-bloodhound-host \
  --token YOUR_API_TOKEN
```
APF write → SPECIAL
Find users who can write to an APF library — a path to supervisor state and full system compromise.
```cypher
MATCH p=(u:RACFUser)-[:RACFCanWrite]->(d:RACFDataset {isAPF: true})
RETURN p
```
Surrogate chain to SPECIAL
Find users who can submit jobs as a SPECIAL user (directly or transitively).
```cypher
MATCH p=(u:RACFUser)-[:RACFSurrogateFor*1..5]->(v:RACFUser)
        -[:RACFHasPrivilege]->(:RACFPrivilege {name: 'SPECIAL'})
RETURN p
```
Group JOIN → APF write
Find users whose group JOIN authority transitively grants write to an APF library.
```cypher
MATCH p=(u:RACFUser)-[:RACFGroupAuth_JOIN]->(g:RACFGroup)
        -[:RACFCanWrite]->(d:RACFDataset {isAPF: true})
RETURN p
```
World-writable APF (UACC misconfiguration)
Datasets that any user can write to because UACC is too permissive.
```cypher
MATCH p=(:RACFUser {name: 'PUBLIC'})-[:RACFCanWrite]->(d:RACFDataset {isAPF: true})
RETURN p
```
PROCLIB write → TRUSTED started task
Users who can write to a PROCLIB that runs a TRUSTED or PRIVILEGED started task.
```cypher
MATCH (u:RACFUser)-[:RACFCanWrite]->(d:RACFDataset {isPROCLIB: true})
MATCH (t:RACFStartedTask)-[:RACFHasPrivilege]->(p:RACFPrivilege)
WHERE p.name IN ['TRUSTED', 'PRIVILEGED']
// Note: nothing in this query joins d to t, so each writer/PROCLIB pair is
// returned alongside every TRUSTED or PRIVILEGED started task.
RETURN u, d, t
```
Group-scoped SPECIAL
Users with SPECIAL authority scoped to a subtree of the group hierarchy.
```cypher
MATCH p=(u:RACFUser)-[:RACFGroupScopeSpecial]->(g:RACFGroup)
RETURN p
```
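To make the semantics of the "Surrogate chain to SPECIAL" and "Group JOIN → APF write" queries concrete without a BloodHound instance, here is an added example (not RACFHound's own code) that models the same node and edge kinds in memory and runs the two searches over a constructed sample graph. The edge and property names come from this page; the user, group and dataset names are made up.

```python
# Added example, not RACFHound's own code: an in-memory model of the node and
# edge kinds the saved queries use, with two searches mirroring "Surrogate
# chain to SPECIAL" (*1..5) and "Group JOIN -> APF write". Sample data is constructed.

# Constructed sample graph: edge kind -> {start node: [end nodes]}
EDGES = {
    "RACFSurrogateFor": {
        "DEV01": ["BATCH01"], "BATCH01": ["OPS01"], "OPS01": ["SYSPROG"],
        "TEMP01": ["TEMP02"],  # chain that never reaches a SPECIAL holder
    },
    "RACFHasPrivilege": {"SYSPROG": ["SPECIAL"], "SEC01": ["SPECIAL"]},
    "RACFGroupAuth_JOIN": {"DEV01": ["SYS1GRP"], "TEMP01": ["TESTGRP"]},
    "RACFCanWrite": {"SYS1GRP": ["SYS1.LINKLIB"], "TESTGRP": ["TEST.LOADLIB"]},
}
# Constructed RACFDataset properties (isAPF as in the node properties table)
DATASETS = {"SYS1.LINKLIB": {"isAPF": True}, "TEST.LOADLIB": {"isAPF": False}}

def special_holders(edges):
    """Users with a RACFHasPrivilege edge to the SPECIAL privilege node."""
    return {u for u, p in edges["RACFHasPrivilege"].items() if "SPECIAL" in p}

def surrogate_paths_to_special(edges, max_hops=5):
    """Every RACFSurrogateFor chain of 1..max_hops hops that ends at a SPECIAL
    holder, as lists of user IDs. A user holding SPECIAL directly with no
    surrogate chain is not returned, just as *1..5 requires at least one hop."""
    targets, surrogate, found = special_holders(edges), edges["RACFSurrogateFor"], []

    def walk(path):
        if len(path) > 1 and path[-1] in targets:
            found.append(path)
        if len(path) - 1 < max_hops:
            for nxt in surrogate.get(path[-1], []):
                if nxt not in path:  # do not revisit a user within one chain
                    walk(path + [nxt])

    for start in surrogate:
        walk([start])
    return found

def join_to_apf_write(edges, datasets):
    """(user, group, dataset) triples where JOIN authority on a group reaches an
    APF dataset that group can write: the two-hop pattern of the saved query."""
    hits = []
    for user, groups in edges["RACFGroupAuth_JOIN"].items():
        for g in groups:
            for ds in edges["RACFCanWrite"].get(g, []):
                if datasets.get(ds, {}).get("isAPF"):
                    hits.append((user, g, ds))
    return hits
```

Running `surrogate_paths_to_special(EDGES)` on the sample data returns the three chains that end at SYSPROG and nothing for SEC01, who holds SPECIAL but has no surrogates; `join_to_apf_write(EDGES, DATASETS)` returns only the DEV01 → SYS1GRP → SYS1.LINKLIB triple.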
Node properties reference
| Property | Nodes | Description |
|---|---|---|
| name | all | Profile name / identifier |
| isAPF | RACFDataset | Dataset is in an APF library |
| isPROCLIB | RACFDataset | Dataset is in a PROCLIB concatenation |
| isRevoked | RACFUser | User account is revoked |
| isProtected | RACFUser | NOPWD=PRO; no password set (started task identity) |
| hasSpecial | RACFUser | RACF SPECIAL attribute |
| hasOperations | RACFUser | RACF OPERATIONS attribute |
| hasAuditor | RACFUser | RACF AUDITOR attribute |