Recipes
Six small, self-contained recipes that show how the blocks in the block reference snap together into real pipelines. Each one fits on one screen, is wired to actually validate against the engine, and ends in something useful — discovered shares, cracked hashes, a kill-chain entry.
| Recipe | Teaches |
|---|---|
| Portscan + SMB finger | The simplest possible chain. Targets in, structured results out. |
| Credential spray | CREDMUX, cross-product semantics, FILTER on result fields. |
| DCSync from creds | Cross-product on OPEN_SESSION_*, CMD_DCSYNC, CREDENTIAL_QUEUE feedback. |
| Kerberoast and crack | Output → transform → queue. ATT&CK badges in the kill chain. |
| ADCS ESC1 to NT | Enumeration block, dataset wire type, CONVERT_PFX_TO_NT. |
| Runloop convergence | A self-feeding pipeline that uses runloop to walk itself to a fixed point. |
How to use a recipe
Every recipe page follows the same template:
- Goal — one sentence: what the pipeline produces.
- Pipeline — a mermaid diagram of the wiring.
- Block-by-block walkthrough — what each block contributes and what params matter, linking back to the block reference.
- Saved graph JSON — the actual JSON you can copy into a file
and load with
loadfile. - Variations — sensible tweaks (different scope, opsec tightening, alternative transforms).
You should usually:
- Read through the recipe in the docs.
- Drop the JSON into a
.jsonfile under/tmp/or your engagement workdir. createutil FLOWGRAPHandloadfilethe JSON.- Open the FLOWGRAPH window to inspect the loaded graph — node positions are encoded in the JSON so the layout matches the mermaid diagram.
- Adjust
targets/credentials/ params in the config panel to your scope, then hit Run.
The recipes are deliberately minimal — they teach a pattern, not a turnkey engagement script. Composite-ising them and chaining them is left to the composites page.