custom bloodhound queries
{ | |
"queries": [ | |
{ | |
"name": "Find all Certificate Templates", | |
"category": "Certificates", | |
"queryList": [ | |
{ | |
"final": true, | |
"query": "MATCH (n:GPO) WHERE n.type = 'Certificate Template' RETURN n" | |
} | |
] | |
}, | |
{ | |
"name": "Find enabled Certificate Templates", | |
"category": "Certificates", | |
"queryList": [ | |
{ | |
"final": true, | |
"query": "MATCH (n:GPO) WHERE n.type = 'Certificate Template' and n.Enabled = true RETURN n" | |
} | |
] | |
}, | |
{ | |
"name": "Find Certificate Authorities", | |
"category": "Certificates", | |
"queryList": [ | |
{ | |
"final": true, | |
"query": "MATCH (n:GPO) WHERE n.type = 'Enrollment Service' RETURN n" | |
} | |
] | |
}, | |
{ | |
"name": "Show Enrollment Rights for Certificate Template", | |
"category": "Certificates", | |
"queryList": [ | |
{ | |
"final": false, | |
"title": "Select a Certificate Template...", | |
"query": "MATCH (n:GPO) WHERE n.type = 'Certificate Template' RETURN n.name" | |
}, | |
{ | |
"final": true, | |
"query": "MATCH p=(g)-[:Enroll|AutoEnroll]->(n:GPO {name:$result}) WHERE n.type = 'Certificate Template' return p", | |
"allowCollapse": false | |
} | |
] | |
}, | |
{ | |
"name": "Show Rights for Certificate Authority", | |
"category": "Certificates", | |
"queryList": [ | |
{ | |
"final": false, | |
"title": "Select a Certificate Authority...", | |
"query": "MATCH (n:GPO) WHERE n.type = 'Enrollment Service' RETURN n.name" | |
}, | |
{ | |
"final": true, | |
"query": "MATCH p=(g)-[:ManageCa|ManageCertificates|Auditor|Operator|Read|Enroll]->(n:GPO {name:$result}) return p", | |
"allowCollapse": false | |
} | |
] | |
}, | |
{ | |
"name": "Find Misconfigured Certificate Templates (ESC1)", | |
"category": "Domain Escalation", | |
"queryList": [ | |
{ | |
"final": true, | |
"query": "MATCH (n:GPO) WHERE n.type = 'Certificate Template' and n.`Enrollee Supplies Subject` = true and n.`Client Authentication` = true and n.`Enabled` = true RETURN n" | |
} | |
] | |
}, | |
{ | |
"name": "Shortest Paths to Misconfigured Certificate Templates from Owned Principals (ESC1)", | |
"category": "Domain Escalation", | |
"queryList": [ | |
{ | |
"final": true, | |
"query": "MATCH p=allShortestPaths((g {owned:true})-[*1..]->(n:GPO)) WHERE g<>n and n.type = 'Certificate Template' and n.`Enrollee Supplies Subject` = true and n.`Client Authentication` = true and n.`Enabled` = true return p" | |
} | |
] | |
}, | |
{ | |
"name": "Find Misconfigured Certificate Templates (ESC2)", | |
"category": "Domain Escalation", | |
"queryList": [ | |
{ | |
"final": true, | |
"query": "MATCH (n:GPO) WHERE n.type = 'Certificate Template' and n.`Enabled` = true and (n.`Extended Key Usage` = [] or 'Any Purpose' IN n.`Extended Key Usage` or n.`Any Purpose` = True) RETURN n" | |
} | |
] | |
}, | |
{ | |
"name": "Shortest Paths to Misconfigured Certificate Templates from Owned Principals (ESC2)", | |
"category": "Domain Escalation", | |
"queryList": [ | |
{ | |
"final": true, | |
"query": "MATCH p=allShortestPaths((g {owned:true})-[*1..]->(n:GPO)) WHERE g<>n and n.type = 'Certificate Template' and n.`Enabled` = true and (n.`Extended Key Usage` = [] or 'Any Purpose' IN n.`Extended Key Usage` or n.`Any Purpose` = True) RETURN p" | |
} | |
] | |
}, | |
{ | |
"name": "Find Enrollment Agent Templates (ESC3)", | |
"category": "Domain Escalation", | |
"queryList": [ | |
{ | |
"final": true, | |
"query": "MATCH (n:GPO) WHERE n.type = 'Certificate Template' and n.`Enabled` = true and (n.`Extended Key Usage` = [] or 'Any Purpose' IN n.`Extended Key Usage` or 'Certificate Request Agent' IN n.`Extended Key Usage` or n.`Any Purpose` = True) RETURN n" | |
} | |
] | |
}, | |
{ | |
"name": "Shortest Paths to Enrollment Agent Templates from Owned Principals (ESC3)", | |
"category": "Domain Escalation", | |
"queryList": [ | |
{ | |
"final": true, | |
"query": "MATCH p=allShortestPaths((g {owned:true})-[*1..]->(n:GPO)) WHERE g<>n and n.type = 'Certificate Template' and n.`Enabled` = true and (n.`Extended Key Usage` = [] or 'Any Purpose' IN n.`Extended Key Usage` or n.`Any Purpose` = True or 'Certificate Request Agent' IN n.`Extended Key Usage`) RETURN p" | |
} | |
] | |
}, | |
{ | |
"name": "Shortest Paths to Vulnerable Certificate Template Access Control (ESC4)", | |
"category": "Domain Escalation", | |
"queryList": [ | |
{ | |
"final": true, | |
"query": "MATCH p=shortestPath((g)-[:GenericAll|GenericWrite|Owns|WriteDacl|WriteOwner*1..]->(n:GPO)) WHERE g<>n and n.type = 'Certificate Template' and n.`Enabled` = true RETURN p" | |
} | |
] | |
}, | |
{ | |
"name": "Shortest Paths to Vulnerable Certificate Template Access Control from Owned Principals (ESC4)", | |
"category": "Domain Escalation", | |
"queryList": [ | |
{ | |
"final": true, | |
"query": "MATCH p=allShortestPaths((g {owned:true})-[r*1..]->(n:GPO)) WHERE g<>n and n.type = 'Certificate Template' and n.Enabled = true and NONE(x in relationships(p) WHERE type(x) = 'Enroll' or type(x) = 'AutoEnroll') return p" | |
} | |
] | |
}, | |
{ | |
"name": "Find Certificate Authorities with User Specified SAN (ESC6)", | |
"category": "Domain Escalation", | |
"queryList": [ | |
{ | |
"final": true, | |
"query": "MATCH (n:GPO) WHERE n.type = 'Enrollment Service' and n.`User Specified SAN` = 'Enabled' RETURN n" | |
} | |
] | |
}, | |
{ | |
"name": "Shortest Paths to Vulnerable Certificate Authority Access Control (ESC7)", | |
"category": "Domain Escalation", | |
"queryList": [ | |
{ | |
"final": true, | |
"query": "MATCH p=shortestPath((g)-[r:GenericAll|GenericWrite|Owns|WriteDacl|WriteOwner|ManageCa|ManageCertificates*1..]->(n:GPO)) WHERE g<>n and n.type = 'Enrollment Service' RETURN p" | |
} | |
] | |
}, | |
{ | |
"name": "Shortest Paths to Vulnerable Certificate Authority Access Control from Owned Principals (ESC7)", | |
"category": "Domain Escalation", | |
"queryList": [ | |
{ | |
"final": true, | |
"query": "MATCH p=allShortestPaths((g {owned:true})-[*1..]->(n:GPO)) WHERE g<>n and n.type = 'Enrollment Service' and NONE(x in relationships(p) WHERE type(x) = 'Enroll' or type(x) = 'AutoEnroll') RETURN p" | |
} | |
] | |
}, | |
{ | |
"name": "Find Certificate Authorities with HTTP Web Enrollment (ESC8)", | |
"category": "Domain Escalation", | |
"queryList": [ | |
{ | |
"final": true, | |
"query": "MATCH (n:GPO) WHERE n.type = 'Enrollment Service' and n.`Web Enrollment` = 'Enabled' RETURN n" | |
} | |
] | |
}, | |
{ | |
"name": "Find Misconfigured Certificate Templates (ESC1 criteria - mislabeled ESC9; real ESC9 check is under PKI)", | |
"category": "Domain Escalation", | |
"queryList": [ | |
{ | |
"final": true, | |
"query": "MATCH (n:GPO) WHERE n.type = 'Certificate Template' and n.`Enrollee Supplies Subject` = true and n.`Client Authentication` = true and n.`Enabled` = true RETURN n" | |
} | |
] | |
}, | |
{ | |
"name": "Find Unsecured Certificate Templates (ESC9)", | |
"category": "PKI", | |
"queryList": [ | |
{ | |
"final": true, | |
"query": "MATCH (n:GPO) WHERE n.type = 'Certificate Template' and 'NoSecurityExtension' in n.`Enrollment Flag` and n.`Enabled` = true RETURN n" | |
} | |
] | |
}, | |
{ | |
"name": "Shortest Paths to Unsecured Certificate Templates from Owned Principals (ESC9)", | |
"category": "PKI", | |
"queryList": [ | |
{ | |
"final": true, | |
"query": "MATCH p=allShortestPaths((g {owned:true})-[r*1..]->(n:GPO)) WHERE n.type = 'Certificate Template' and g<>n and 'NoSecurityExtension' in n.`Enrollment Flag` and n.`Enabled` = true and NONE(rel in r WHERE type(rel) in ['EnabledBy','Read','ManageCa','ManageCertificates']) return p" | |
} | |
] | |
}, | |
{ | |
"name": "Domains", | |
"category": "Information Gathering", | |
"queryList": [ | |
{ | |
"final": true, | |
"query": "MATCH (d:Domain) RETURN d" | |
} | |
] | |
}, | |
{ | |
"name": "Domain Controllers", | |
"category": "Information Gathering", | |
"queryList": [ | |
{ | |
"final": false, | |
"title": "Select a Domain Controllers Group...", | |
"query": "MATCH (n:Group) WHERE n.objectid ENDS WITH \"-516\" RETURN n.name ORDER BY n.name DESC" | |
}, | |
{ | |
"final": true, | |
"query": "MATCH p=(c:Computer)-[:MemberOf*1..]->(n:Group {name: $result}) RETURN p", | |
"allowCollapse": false | |
} | |
] | |
}, | |
{ | |
"name": "High Value Targets", | |
"category": "Information Gathering", | |
"queryList": [ | |
{ | |
"final": false, | |
"title": "Select a Domain...", | |
"query": "MATCH (n:Domain) RETURN n.name ORDER BY n.name DESC" | |
}, | |
{ | |
"final": true, | |
"query": "MATCH p = (d:Domain {name: $result})-[r:Contains*1..]->(h {highvalue: true}) RETURN p", | |
"allowCollapse": false | |
} | |
] | |
}, | |
{ | |
"name": "Computers without LAPS", | |
"category": "Information Gathering", | |
"queryList": [ | |
{ | |
"final": false, | |
"title": "Select a Domain...", | |
"query": "MATCH (n:Domain) RETURN n.name ORDER BY n.name DESC" | |
}, | |
{ | |
"final": true, | |
"query": "MATCH p = (d:Domain {name: $result})-[r:Contains*1..]->(c:Computer {haslaps: false}) RETURN p" | |
} | |
] | |
}, | |
{ | |
"name": "Owned Principals", | |
"category": "Information Gathering", | |
"queryList": [ | |
{ | |
"final": true, | |
"query": "MATCH p = (d:Domain)-[r:Contains*1..]->(o {owned: true}) RETURN p" | |
} | |
] | |
}, | |
{ | |
"name": "Sensitive Principals by Keywords", | |
"category": "Information Gathering", | |
"queryList": [ | |
{ | |
"final": true, | |
"query": "UNWIND ['admin', 'amministratore', 'empfindlich', 'geheim', 'important', 'azure', 'MSOL', 'kennwort', 'pass', 'secret', 'sensib', 'sensitiv'] AS word MATCH (n) WHERE (toLower(n.name) CONTAINS toLower(word)) OR (toLower(n.description) CONTAINS toLower(word)) RETURN n" | |
} | |
] | |
}, | |
{ | |
"name": "Users with Password in AD", | |
"category": "Accounts", | |
"queryList": [ | |
{ | |
"final": false, | |
"title": "Select a Domain...", | |
"query": "MATCH (n:Domain) RETURN n.name ORDER BY n.name DESC" | |
}, | |
{ | |
"final": true, | |
"query": "MATCH p = (d:Domain {name: $result})-[r:Contains*1..]->(u:User) WHERE u.userpassword IS NOT NULL RETURN p" | |
} | |
] | |
}, | |
{ | |
"name": "Users with \"Pass\" in AD Description", | |
"category": "Accounts", | |
"queryList": [ | |
{ | |
"final": false, | |
"title": "Select a Domain...", | |
"query": "MATCH (n:Domain) RETURN n.name ORDER BY n.name DESC" | |
}, | |
{ | |
"final": true, | |
"query": "MATCH p = (d:Domain {name: $result})-[r:Contains*1..]->(u:User) WHERE u.description =~ '(?i).*pass.*' RETURN p" | |
} | |
] | |
}, | |
{ | |
"name": "Users with Password not Required", | |
"category": "Accounts", | |
"queryList": [ | |
{ | |
"final": false, | |
"title": "Select a Domain...", | |
"query": "MATCH (n:Domain) RETURN n.name ORDER BY n.name DESC" | |
}, | |
{ | |
"final": true, | |
"query": "MATCH p = (d:Domain {name: $result})-[r:Contains*1..]->(u:User {passwordnotreqd: true}) RETURN p" | |
} | |
] | |
}, | |
{ | |
"name": "Users with Password never Expiring", | |
"category": "Accounts", | |
"queryList": [ | |
{ | |
"final": false, | |
"title": "Select a Domain...", | |
"query": "MATCH (n:Domain) RETURN n.name ORDER BY n.name DESC" | |
}, | |
{ | |
"final": true, | |
"query": "MATCH p = (d:Domain {name: $result})-[r:Contains*1..]->(u:User {pwdneverexpires: True}) WHERE NOT u.name starts with 'KRBTGT' RETURN u" | |
} | |
] | |
}, | |
{ | |
"name": "Users with Same Name in Different Domains", | |
"category": "Accounts", | |
"queryList": [ | |
{ | |
"final": true, | |
"query": "MATCH (u1:User),(u2:User) WHERE split(u1.name,'@')[0] = split(u2.name,'@')[0] AND u1.domain <> u2.domain AND tointeger(split(u1.objectid,'-')[7]) >= 1000 RETURN u1" | |
} | |
] | |
}, | |
{ | |
"name": "Protected Users", | |
"category": "Privileged Accounts", | |
"queryList": [ | |
{ | |
"final": false, | |
"title": "Select a Protected Users Group...", | |
"query": "MATCH (n:Group) WHERE n.objectid ENDS WITH \"-525\" RETURN n.name ORDER BY n.name DESC" | |
}, | |
{ | |
"final": true, | |
"query": "MATCH p=(u:User)-[:MemberOf*1..]->(n:Group {name: $result}) RETURN p" | |
} | |
] | |
}, | |
{ | |
"name": "AdminTo Relationships", | |
"category": "Privileged Accounts", | |
"queryList": [ | |
{ | |
"final": false, | |
"title": "Select a Domain...", | |
"query": "MATCH (n:Domain) RETURN n.name ORDER BY n.name DESC" | |
}, | |
{ | |
"final": true, | |
"query": "MATCH p=(u {domain: $result})-[r:AdminTo]->(c:Computer) RETURN p" | |
} | |
] | |
}, | |
{ | |
"name": "Administrators", | |
"category": "Privileged Accounts", | |
"queryList": [ | |
{ | |
"final": false, | |
"title": "Select an Administrators Group...", | |
"query": "MATCH (n:Group) WHERE n.objectid ENDS WITH \"-544\" RETURN n.name ORDER BY n.name DESC" | |
}, | |
{ | |
"final": true, | |
"query": "MATCH p=(u:User)-[:MemberOf*1..]->(n:Group {name: $result}) RETURN p" | |
} | |
] | |
}, | |
{ | |
"name": "Computers in Administrators", | |
"category": "Privileged Accounts", | |
"queryList": [ | |
{ | |
"final": false, | |
"title": "Select an Administrators Group...", | |
"query": "MATCH (n:Group) WHERE n.objectid ENDS WITH \"-544\" RETURN n.name ORDER BY n.name DESC" | |
}, | |
{ | |
"final": true, | |
"query": "MATCH p = (c:Computer)-[r:MemberOf|HasSIDHistory*1..]->(g:Group {name: $result}) RETURN p", | |
"endNode": "{}" | |
} | |
] | |
}, | |
{ | |
"name": "Computers Local Admin to Another Computer", | |
"category": "Privileged Accounts", | |
"queryList": [ | |
{ | |
"final": false, | |
"title": "Select a Domain...", | |
"query": "MATCH (n:Domain) RETURN n.name ORDER BY n.name DESC" | |
}, | |
{ | |
"final": true, | |
"query": "MATCH p = (c1:Computer {domain: $result})-[r1:AdminTo]->(c2:Computer) RETURN p UNION ALL MATCH p = (c3:Computer {domain: $result})-[r2:MemberOf|HasSIDHistory*1..]->(g:Group)-[r3:AdminTo]->(c4:Computer) RETURN p" | |
} | |
] | |
}, | |
{ | |
"name": "Sessions of Administrators on non-DC Computers", | |
"category": "Privileged Accounts", | |
"queryList": [ | |
{ | |
"final": false, | |
"title": "Select a Domain...", | |
"query": "MATCH (n:Domain) RETURN n.name ORDER BY n.name DESC" | |
}, | |
{ | |
"final": true, | |
"query": "MATCH (dc:Computer {domain: $result})-[r1:MemberOf*0..]->(g1:Group) WHERE g1.objectid =~ \"S-1-5-.*-516\" WITH COLLECT(dc) AS exclude MATCH p = (c:Computer {domain: $result})-[n:HasSession]->(u:User)-[r2:MemberOf*1..]->(g2:Group) WHERE NOT c IN exclude and g2.objectid ENDS WITH \"-544\" RETURN p" | |
} | |
] | |
}, | |
{ | |
"name": "DCSync Principals not Administrators", | |
"category": "Privileged Accounts", | |
"queryList": [ | |
{ | |
"final": false, | |
"title": "Select a Domain...", | |
"query": "MATCH (n:Domain) RETURN n.name ORDER BY n.name DESC" | |
}, | |
{ | |
"final": true, | |
"query": "MATCH (admins {domain: $result})-[r1:MemberOf*0..]->(g1:Group) WHERE (g1.objectid =~ \"(?i)S-1-5-.*-512\") OR (g1.objectid =~ \"(?i)S-1-5-.*-516\") OR (g1.objectid =~ \"(?i)S-1-5-.*-518\") OR (g1.objectid =~ \"(?i)S-1-5-.*-519\") OR (g1.objectid =~ \"(?i)S-1-5-.*-520\") OR (g1.objectid =~ \"(?i)S-1-5-.*-544\") OR (g1.objectid =~ \"(?i)S-1-5-.*-548\") OR (g1.objectid =~ \"(?i)S-1-5-.*-549\") OR (g1.objectid =~ \"(?i)S-1-5-.*-551\") WITH COLLECT(admins) AS exclude MATCH p=(n1)-[:MemberOf|GetChanges*0..]->(u:Domain {name: $result}) WHERE NOT n1 IN exclude and (n1:Computer or n1:User) RETURN p" | |
} | |
] | |
}, | |
{ | |
"name": "AS-REP Roastable Principals", | |
"category": "Kerberos", | |
"queryList": [ | |
{ | |
"final": false, | |
"title": "Select a Domain...", | |
"query": "MATCH (n:Domain) RETURN n.name ORDER BY n.name DESC" | |
}, | |
{ | |
"final": true, | |
"query": "MATCH (d:Domain {name: $result})-[r:Contains*1..]->(u {dontreqpreauth: true}) RETURN u" | |
} | |
] | |
}, | |
{ | |
"name": "Kerberoastable Principals", | |
"category": "Kerberos", | |
"queryList": [ | |
{ | |
"final": false, | |
"title": "Select a Domain...", | |
"query": "MATCH (n:Domain) RETURN n.name ORDER BY n.name DESC" | |
}, | |
{ | |
"final": true, | |
"query": "MATCH (d:Domain {name: $result})-[r:Contains*1..]->(u {hasspn: true}) RETURN u" | |
} | |
] | |
}, | |
{ | |
"name": "Kerberoastable Administrators", | |
"category": "Kerberos", | |
"queryList": [ | |
{ | |
"final": false, | |
"title": "Select a Domain...", | |
"query": "MATCH (n:Domain) RETURN n.name ORDER BY n.name DESC" | |
}, | |
{ | |
"final": true, | |
"query": "MATCH (admins {domain: $result})-[r1:MemberOf*0..]->(g1:Group) WHERE (g1.objectid =~ \"(?i)S-1-5-.*-512\") OR (g1.objectid =~ \"(?i)S-1-5-.*-516\") OR (g1.objectid =~ \"(?i)S-1-5-.*-518\") OR (g1.objectid =~ \"(?i)S-1-5-.*-519\") OR (g1.objectid =~ \"(?i)S-1-5-.*-520\") OR (g1.objectid =~ \"(?i)S-1-5-.*-544\") OR (g1.objectid =~ \"(?i)S-1-5-.*-548\") OR (g1.objectid =~ \"(?i)S-1-5-.*-549\") OR (g1.objectid =~ \"(?i)S-1-5-.*-551\") WITH COLLECT(admins) AS filter MATCH (d:Domain {name: $result})-[r:Contains*1..]->(u {hasspn: true}) WHERE u IN filter RETURN u" | |
} | |
] | |
}, | |
{ | |
"name": "Constrained Delegations", | |
"category": "Kerberos", | |
"queryList": [ | |
{ | |
"final": false, | |
"title": "Select a Domain...", | |
"query": "MATCH (n:Domain) RETURN n.name ORDER BY n.name DESC" | |
}, | |
{ | |
"final": true, | |
"query": "MATCH p = (a {domain: $result})-[:AllowedToDelegate]->(c:Computer) RETURN p" | |
} | |
] | |
}, | |
{ | |
"name": "Constrained Delegations with Protocol Transition (trustedToAuth)", | |
"category": "Kerberos", | |
"queryList": [ | |
{ | |
"final": false, | |
"title": "Select a Domain...", | |
"query": "MATCH (n:Domain) RETURN n.name ORDER BY n.name DESC" | |
}, | |
{ | |
"final": true, | |
"query": "MATCH p = (a {domain: $result, trustedtoauth: true})-[:AllowedToDelegate]->(c:Computer) RETURN p" | |
} | |
] | |
}, | |
{ | |
"name": "Computers Allowed to Delegate for Another Computer", | |
"category": "Kerberos", | |
"queryList": [ | |
{ | |
"final": false, | |
"title": "Select a Domain...", | |
"query": "MATCH (n:Domain) RETURN n.name ORDER BY n.name DESC" | |
}, | |
{ | |
"final": true, | |
"query": "MATCH p = (c1:Computer {domain: $result})-[:AllowedToDelegate]->(c2:Computer) RETURN p" | |
} | |
] | |
}, | |
{ | |
"name": "Unconstrained Delegation Principals", | |
"category": "Kerberos", | |
"queryList": [ | |
{ | |
"final": false, | |
"title": "Select a Domain...", | |
"query": "MATCH (n:Domain) RETURN n.name ORDER BY n.name DESC" | |
}, | |
{ | |
"final": true, | |
"query": "MATCH (dca)-[r:MemberOf*0..]->(g:Group) WHERE g.objectid =~ \"S-1-5-.*-516\" OR g.objectid =~ \".*-S-1-5-32-544\" WITH COLLECT(dca) AS exclude MATCH p = (d:Domain {name: $result})-[r:Contains*1..]->(uc {unconstraineddelegation: true}) WHERE (uc:User OR uc:Computer) AND NOT uc IN exclude RETURN p" | |
} | |
] | |
}, | |
{ | |
"name": "Resource-Based Constrained Delegation Principals", | |
"category": "Kerberos", | |
"queryList": [ | |
{ | |
"final": false, | |
"title": "Select a Domain...", | |
"query": "MATCH (n:Domain) RETURN n.name ORDER BY n.name DESC" | |
}, | |
{ | |
"final": true, | |
"query": "MATCH p=(m)-[r:AllowedToAct]->(n) RETURN p" | |
} | |
] | |
}, | |
{ | |
"name": "Principals Able to Configure Resource-Based Constrained Delegation (AddAllowedToAct)", | |
"category": "Kerberos", | |
"queryList": [ | |
{ | |
"final": false, | |
"title": "Select a Domain...", | |
"query": "MATCH (n:Domain) RETURN n.name ORDER BY n.name DESC" | |
}, | |
{ | |
"final": true, | |
"query": "MATCH p=(m)-[r:AddAllowedToAct]->(n) RETURN p" | |
} | |
] | |
}, | |
{ | |
"name": "Interesting GPOs by Keyword", | |
"category": "Group Policies", | |
"queryList": [ | |
{ | |
"final": false, | |
"title": "Select a Domain...", | |
"query": "MATCH (n:Domain) RETURN n.name ORDER BY n.name DESC" | |
}, | |
{ | |
"final": true, | |
"query": "UNWIND [\"360totalsecurity\", \"access\", \"acronis\", \"adaware\", \"admin\", \"admin\", \"aegislab\", \"ahnlab\", \"alienvault\", \"altavista\", \"amsi\", \"anti-virus\", \"antivirus\", \"antiy\", \"apexone\", \"applock\", \"arcabit\", \"arcsight\", \"atm\", \"atp\", \"av\", \"avast\", \"avg\", \"avira\", \"baidu\", \"baiduspider\", \"bank\", \"barracuda\", \"bingbot\", \"bitdefender\", \"bluvector\", \"canary\", \"carbon\", \"carbonblack\", \"certificate\", \"check\", \"checkpoint\", \"citrix\", \"clamav\", \"code42\", \"comodo\", \"countercept\", \"countertack\", \"credential\", \"crowdstrike\", \"custom\", \"cyberark\", \"cybereason\", \"cylance\", \"cynet360\", \"cyren\", \"darktrace\", \"datadog\", \"defender\", \"druva\", \"drweb\", \"duckduckbot\", \"edr\", \"egambit\", \"emsisoft\", \"encase\", \"endgame\", \"ensilo\", \"escan\", \"eset\", \"exabot\", \"exception\", \"f-secure\", \"f5\", \"falcon\", \"fidelis\", \"fireeye\", \"firewall\", \"fix\", \"forcepoint\", \"forti\", \"fortigate\", \"fortil\", \"fortinet\", \"gdata\", \"gravityzone\", \"guard\", \"honey\", \"huntress\", \"identity\", \"ikarussecurity\", \"insight\", \"ivanti\", \"juniper\", \"k7antivirus\", \"k7computing\", \"kaspersky\", \"kingsoft\", \"kiosk\", \"laps\", \"lightcyber\", \"logging\", \"logrhythm\", \"lynx\", \"malwarebytes\", \"manageengine\", \"mass\", \"mcafee\", \"microsoft\", \"mj12bot\", \"msnbot\", \"nanoav\", \"nessus\", \"netwitness\", \"office365\", \"onedrive\", \"orion\", \"palo\", \"paloalto\", \"paloaltonetworks\", \"panda\", \"pass\", \"powershell\", \"proofpoint\", \"proxy\", \"qradar\", \"rdp\", \"rsa\", \"runasppl\", \"sandboxe\", \"sap\", \"scanner\", \"scanning\", \"sccm\", \"script\", \"secret\", \"secureage\", \"secureworks\", \"security\", \"sensitive\", \"sentinel\", \"sentinelone\", \"slurp\", \"smartcard\", \"sogou\", \"solarwinds\", \"sonicwall\", \"sophos\", \"splunk\", \"superantispyware\", \"symantec\", \"tachyon\", \"temporary\", 
\"tencent\", \"totaldefense\", \"transfer\", \"trapmine\", \"trend micro\", \"trendmicro\", \"trusteer\", \"trustlook\", \"uac\", \"vdi\", \"virusblokada\", \"virustotal\", \"virustotalcloud\", \"vpn\", \"vuln\", \"webroot\", \"whitelist\", \"wifi\", \"winrm\", \"workaround\", \"yubikey\", \"zillya\", \"zonealarm\", \"zscaler\"] as word match (n:GPO {domain: $result}) where toLower(n.name) CONTAINS toLower(word) RETURN n" | |
} | |
] | |
}, | |
{ | |
"name": "GPO Permissions of Non-Admin Principals", | |
"category": "Group Policies", | |
"queryList": [ | |
{ | |
"final": false, | |
"title": "Select a Domain...", | |
"query": "MATCH (n:Domain) RETURN n.name ORDER BY n.name DESC" | |
}, | |
{ | |
"final": true, | |
"query": "MATCH (u1:user {domain: $result})-[r:MemberOf*1..]->(n:Group) WHERE (n.objectid =~ \"(?i)S-1-5-.*-512\") OR (n.objectid =~ \"(?i)S-1-5-.*-516\") OR (n.objectid =~ \"(?i)S-1-5-.*-518\") OR (n.objectid =~ \"(?i)S-1-5-.*-519\") OR (n.objectid =~ \"(?i)S-1-5-.*-520\") OR (n.objectid =~ \"(?i)S-1-5-.*-544\") OR (n.objectid =~ \"(?i)S-1-5-.*-548\") OR (n.objectid =~ \"(?i)S-1-5-.*-549\") OR (n.objectid =~ \"(?i)S-1-5-.*-551\") WITH COLLECT(u1) AS exclude MATCH p = (u2:User)-[r:AddMember|AddSelf|WriteSPN|AddKeyCredentialLink|AllExtendedRights|ForceChangePassword|GenericAll|GenericWrite|WriteDacl|WriteOwner|Owns]->(g:GPO) WHERE NOT u2 IN exclude RETURN p" | |
} | |
] | |
}, | |
{ | |
"name": "LAPS Passwords Readable by Non-Admin", | |
"category": "DACL Abuse", | |
"queryList": [ | |
{ | |
"final": false, | |
"title": "Select a Domain...", | |
"query": "MATCH (n:Domain) RETURN n.name ORDER BY n.name DESC" | |
}, | |
{ | |
"final": true, | |
"query": "MATCH (u1:user {domain: $result})-[r:MemberOf*1..]->(n:Group) WHERE (n.objectid =~ \"(?i)S-1-5-.*-512\") OR (n.objectid =~ \"(?i)S-1-5-.*-516\") OR (n.objectid =~ \"(?i)S-1-5-.*-518\") OR (n.objectid =~ \"(?i)S-1-5-.*-519\") OR (n.objectid =~ \"(?i)S-1-5-.*-520\") OR (n.objectid =~ \"(?i)S-1-5-.*-544\") OR (n.objectid =~ \"(?i)S-1-5-.*-548\") OR (n.objectid =~ \"(?i)S-1-5-.*-549\") OR (n.objectid =~ \"(?i)S-1-5-.*-551\") WITH COLLECT(u1) AS exclude MATCH p = (u2)-[r1:MemberOf*1..]->(g:Group)-[r2:GenericAll]->(t:Computer {haslaps:true}) WHERE NOT u2 IN exclude RETURN p" | |
} | |
] | |
}, | |
{ | |
"name": "LAPS Passwords Readable by Owned Principals", | |
"category": "DACL Abuse", | |
"queryList": [ | |
{ | |
"final": true, | |
"query": "MATCH p = (n {owned: true})-[r1:MemberOf*1..]->(g:Group)-[r2:GenericAll]->(t:Computer {haslaps:true}) RETURN p" | |
} | |
] | |
}, | |
{ | |
"name": "ACLs to Computers (excluding High Value Targets)", | |
"category": "DACL Abuse", | |
"queryList": [ | |
{ | |
"final": false, | |
"title": "Select a Domain...", | |
"query": "MATCH (n:Domain) RETURN n.name ORDER BY n.name DESC" | |
}, | |
{ | |
"final": true, | |
"query": "MATCH p = (ucg {highvalue: false})-[r {isacl: true}]->(c:Computer {domain: $result}) WHERE (ucg:User OR ucg:Computer OR ucg:Group) RETURN p" | |
} | |
] | |
}, | |
{ | |
"name": "Group Delegated Outbound Object Control of Owned Principals", | |
"category": "DACL Abuse", | |
"queryList": [ | |
{ | |
"final": true, | |
"query": "MATCH p = (n {owned: true})-[r1:MemberOf*1..]->(g:Group)-[r2 {isacl: true}]->(t) RETURN p" | |
} | |
] | |
}, | |
{ | |
"name": "Dangerous Rights for Groups under Domain Users", | |
"category": "DACL Abuse", | |
"queryList": [ | |
{ | |
"final": false, | |
"title": "Select a Domain...", | |
"query": "MATCH (n:Domain) RETURN n.name ORDER BY n.name DESC" | |
}, | |
{ | |
"final": true, | |
"query": "MATCH p=(m:Group {domain: $result})-[r1:MemberOf*1..]->(g:Group)-[:Owns|WriteDacl|GenericAll|WriteOwner|ExecuteDCOM|GenericWrite|AllowedToDelegate|ForceChangePassword]->(n) WHERE m.objectid ENDS WITH '-513' RETURN p" | |
} | |
] | |
}, | |
{ | |
"name": "Set DCSync Principals as High Value Targets", | |
"category": "Adding High-Value Targets", | |
"queryList": [ | |
{ | |
"final": true, | |
"query": "MATCH (s)-[r:MemberOf|GetChanges*1..]->(d:Domain) WITH s, d MATCH (s)-[r:MemberOf|GetChangesAll*1..]->(d) WITH s, d MATCH p = (s)-[r:MemberOf|GetChanges|GetChangesAll*1..]->(d) WHERE s.highvalue = false SET s.highvalue = true, s.highvaluereason = 'DCSync Principal' RETURN p" | |
} | |
] | |
}, | |
{ | |
"name": "Set Unconstrained Delegation Principals as High Value Targets", | |
"category": "Adding High-Value Targets", | |
"queryList": [ | |
{ | |
"final": true, | |
"query": "MATCH p = (d:Domain)-[r:Contains*1..]->(uc) WHERE (uc:User OR uc:Computer) AND uc.unconstraineddelegation = true AND uc.highvalue = false SET uc.highvalue = true, uc.highvaluereason = 'Unconstrained Delegation Principal' RETURN p" | |
} | |
] | |
}, | |
{ | |
"name": "Set Local Admin or Reset Password Principals as High Value Targets", | |
"category": "Adding High-Value Targets", | |
"queryList": [ | |
{ | |
"final": true, | |
"query": "MATCH (a)-[r:AdminTo|ForceChangePassword]->(b) WHERE a.highvalue = false SET a.highvalue = true, a.highvaluereason = 'Local Admin or Reset Password Principal' RETURN a" | |
} | |
] | |
}, | |
{ | |
"name": "Set Principals with Privileges on Computers as High Value Targets", | |
"category": "Adding High-Value Targets", | |
"queryList": [ | |
{ | |
"final": true, | |
"query": "MATCH (a)-[r:AllowedToDelegate|ExecuteDCOM|ForceChangePassword|GenericAll|GenericWrite|Owns|WriteDacl|WriteOwner]->(n:Computer) WHERE a.highvalue = false SET a.highvalue = true, a.highvaluereason = 'Principal with Privileges on Computers' RETURN a" | |
} | |
] | |
}, | |
{ | |
"name": "Set Principals with Privileges on Cert Publishers as High Value Targets", | |
"category": "Adding High-Value Targets", | |
"queryList": [ | |
{ | |
"final": true, | |
"query": "MATCH (a)-[r:GenericAll|GenericWrite|MemberOf|Owns|WriteDacl|WriteOwner]->(g:Group) WHERE g.objectid =~ 'S-1-5-21-.*-517' AND a.highvalue = false SET a.highvalue = true, a.highvaluereason = 'Principal with Privileges on the Cert Publisher group' RETURN a" | |
} | |
] | |
}, | |
{ | |
"name": "Set Members of High Value Targets Groups as High Value Targets", | |
"category": "Adding High-Value Targets", | |
"queryList": [ | |
{ | |
"final": true, | |
"query": "MATCH (a)-[r:MemberOf*1..]->(g:Group) WHERE a.highvalue = false AND g.highvalue = true SET a.highvalue = true, a.highvaluereason = 'Member of High Value Target Group' RETURN a" | |
} | |
] | |
}, | |
{ | |
"name": "Remove Inactive Users and Computers from High Value Targets", | |
"category": "Adding High-Value Targets", | |
"queryList": [ | |
{ | |
"final": true, | |
"query": "MATCH (uc) WHERE uc.highvalue = true AND ((uc:User AND uc.enabled = false) OR (uc:Computer AND ((uc.enabled = false) OR (uc.lastlogon > 0 AND uc.lastlogon < (TIMESTAMP() / 1000 - 15552000)) OR (uc.lastlogontimestamp > 0 AND uc.lastlogontimestamp < (TIMESTAMP() / 1000 - 15552000))))) SET uc.highvalue = false, uc.nothighvaluereason = 'Inactive' RETURN uc" | |
} | |
] | |
}, | |
{ | |
"name": "Shortest Paths to Domain (including Computers)", | |
"category": "Shortest Paths", | |
"queryList": [ | |
{ | |
"final": false, | |
"title": "Select a Domain...", | |
"query": "MATCH (d:Domain) RETURN d.name ORDER BY d.name ASC" | |
}, | |
{ | |
"final": true, | |
"query": "MATCH p = allShortestPaths((uc)-[r:{}*1..]->(d:Domain {name: $result})) WHERE (uc:User OR uc:Computer) RETURN p", | |
"endNode": "{}" | |
} | |
] | |
}, | |
{ | |
"name": "Shortest Paths to no LAPS", | |
"category": "Shortest Paths", | |
"queryList": [ | |
{ | |
"final": true, | |
"query": "MATCH p = allShortestPaths((uc)-[r:{}*1..]->(c:Computer)) WHERE (uc:User OR uc:Computer) AND NOT uc = c AND c.haslaps = false RETURN p" | |
} | |
] | |
}, | |
{ | |
"name": "Shortest Paths from Kerberoastable Users to Computers", | |
"category": "Shortest Paths", | |
"queryList": [ | |
{ | |
"final": true, | |
"query": "MATCH p = allShortestPaths((u:User)-[r:{}*1..]->(c:Computer)) WHERE u.hasspn = true RETURN p" | |
} | |
] | |
}, | |
{ | |
"name": "Shortest Paths from Kerberoastable Users to High Value Targets", | |
"category": "Shortest Paths", | |
"queryList": [ | |
{ | |
"final": true, | |
"query": "MATCH p = allShortestPaths((u:User)-[r:{}*1..]->(h)) WHERE u.hasspn = true AND h.highvalue = true RETURN p" | |
} | |
] | |
}, | |
{ | |
"name": "Shortest Paths from Owned Principals (including everything)", | |
"category": "Shortest Paths", | |
"queryList": [ | |
{ | |
"final": true, | |
"query": "MATCH p = allShortestPaths((u:User)-[r:{}*1..]->(a)) WHERE u.owned = true AND u <> a RETURN p" | |
} | |
] | |
}, | |
{ | |
"name": "Shortest Paths from Owned Principals to Domain", | |
"category": "Shortest Paths", | |
"queryList": [ | |
{ | |
"final": false, | |
"title": "Select a Domain...", | |
"query": "MATCH (d:Domain) RETURN d.name ORDER BY d.name ASC" | |
}, | |
{ | |
"final": true, | |
"query": "MATCH p = allShortestPaths((o)-[r:{}*1..]->(d:Domain)) WHERE o.owned = true AND d.name = $result RETURN p", | |
"endNode": "{}" | |
} | |
] | |
}, | |
{ | |
"name": "Shortest Paths from Owned Principals to High Value Targets", | |
"category": "Shortest Paths", | |
"queryList": [ | |
{ | |
"final": true, | |
"query": "MATCH p = allShortestPaths((o)-[r:{}*1..]->(h)) WHERE o.owned = true AND h.highvalue = true RETURN p" | |
} | |
] | |
}, | |
{ | |
"name": "Shortest Paths from Owned Principals to no LAPS", | |
"category": "Shortest Paths", | |
"queryList": [ | |
{ | |
"final": true, | |
"query": "MATCH p = allShortestPaths((o)-[r:{}*1..]->(c:Computer)) WHERE NOT o = c AND o.owned = true AND c.haslaps = false RETURN p" | |
} | |
] | |
}, | |
{ | |
"name": "Shortest Paths from no Signing to Domain", | |
"category": "Shortest Paths", | |
"queryList": [ | |
{ | |
"final": false, | |
"title": "Select a Domain...", | |
"query": "MATCH (d:Domain) RETURN d.name ORDER BY d.name ASC" | |
}, | |
{ | |
"final": true, | |
"query": "MATCH p = allShortestPaths((c:Computer)-[r:{}*1..]->(d:Domain)) WHERE c.hassigning = false AND d.name = $result RETURN p", | |
"endNode": "{}" | |
} | |
] | |
}, | |
{ | |
"name": "Shortest Paths from no Signing to High Value Targets", | |
"category": "Shortest Paths", | |
"queryList": [ | |
{ | |
"final": true, | |
"query": "MATCH p = allShortestPaths((c:Computer)-[r:{}*1..]->(h)) WHERE NOT c = h AND c.hassigning = false AND h.highvalue = true RETURN p" | |
} | |
] | |
}, | |
{ | |
"name": "Shortest Paths from Domain Users and Domain Computers (including everything)", | |
"category": "Shortest Paths", | |
"queryList": [ | |
{ | |
"final": true, | |
"query": "MATCH p = allShortestPaths((g:Group)-[r:{}*1..]->(a)) WHERE (g.objectid =~ $domain_users_id OR g.objectid =~ $domain_computers_id) AND g <> a RETURN p", | |
"props": { | |
"domain_users_id": "S-1-5-.*-513", | |
"domain_computers_id": "S-1-5-.*-515" | |
} | |
} | |
] | |
}, | |
{ | |
"name": "List all owned users", | |
"queryList": [ | |
{ | |
"final": true, | |
"query": "MATCH (m:User) WHERE m.owned=TRUE RETURN m" | |
} | |
] | |
}, | |
{ | |
"name": "List all owned computers", | |
"queryList": [ | |
{ | |
"final": true, | |
"query": "MATCH (m:Computer) WHERE m.owned=TRUE RETURN m" | |
} | |
] | |
}, | |
{ | |
"name": "List all owned groups", | |
"queryList": [ | |
{ | |
"final": true, | |
"query": "MATCH (m:Group) WHERE m.owned=TRUE RETURN m" | |
} | |
] | |
}, | |
{ | |
"name": "List all High Valued Targets", | |
"queryList": [ | |
{ | |
"final": true, | |
"query": "MATCH (m) WHERE m.highvalue=TRUE RETURN m" | |
} | |
] | |
}, | |
{ | |
"name": "List the groups of all owned users", | |
"queryList": [ | |
{ | |
"final": true, | |
"query": "MATCH (m:User) WHERE m.owned=TRUE WITH m MATCH p=(m)-[:MemberOf*1..]->(n:Group) RETURN p" | |
} | |
] | |
}, | |
{ | |
"name": "Find the Shortest path to a high value target from an owned object", | |
"queryList": [ | |
{ | |
"final": true, | |
"query": "MATCH p=shortestPath((g {owned:true})-[*1..]->(n {highvalue:true})) WHERE g<>n return p" | |
} | |
] | |
}, | |
{ | |
"name": "Find the Shortest path to an unconstrained delegation system from an owned object", | |
"queryList": [ | |
{ | |
"final": true, | |
"query": "MATCH (n) MATCH p=shortestPath((n)-[*1..]->(m:Computer {unconstraineddelegation: true})) WHERE NOT n=m AND n.owned = true RETURN p" | |
} | |
] | |
}, | |
{ | |
"name": "Find all Kerberoastable Users", | |
"queryList": [ | |
{ | |
"final": true, | |
"query": "MATCH (n:User)WHERE n.hasspn=true RETURN n", | |
"allowCollapse": false | |
} | |
] | |
}, | |
{ | |
"name": "Find All Users with an SPN/Find all Kerberoastable Users with passwords last set more than 5 years ago", | |
"queryList": [ | |
{ | |
"final": true, | |
"query": "MATCH (u:User) WHERE u.hasspn=true AND u.pwdlastset < (datetime().epochseconds - (1825 * 86400)) AND NOT u.pwdlastset IN [-1.0, 0.0] RETURN u.name, u.pwdlastset order by u.pwdlastset " | |
} | |
] | |
}, | |
{ | |
"name": "Find Kerberoastable Users with a path to DA", | |
"queryList": [ | |
{ | |
"final": true, | |
"query": "MATCH (u:User {hasspn:true}) MATCH (g:Group) WHERE g.objectid ENDS WITH '-512' MATCH p = shortestPath( (u)-[*1..]->(g) ) RETURN p" | |
} | |
] | |
}, | |
{ | |
"name": "Find machines Domain Users can RDP into", | |
"queryList": [ | |
{ | |
"final": true, | |
"query": "match p=(g:Group)-[:CanRDP]->(c:Computer) where g.objectid ENDS WITH '-513' return p" | |
} | |
] | |
}, | |
{ | |
"name": "Find what groups can RDP", | |
"queryList": [ | |
{ | |
"final": true, | |
"query": "MATCH p=(m:Group)-[r:CanRDP]->(n:Computer) RETURN p" | |
} | |
] | |
}, | |
{ | |
"name": "Find groups that can reset passwords (Warning: Heavy)", | |
"queryList": [ | |
{ | |
"final": true, | |
"query": "MATCH p=(m:Group)-[r:ForceChangePassword]->(n:User) RETURN p" | |
} | |
] | |
}, | |
{ | |
"name": "Find groups that have local admin rights (Warning: Heavy)", | |
"queryList": [ | |
{ | |
"final": true, | |
"query": "MATCH p=(m:Group)-[r:AdminTo]->(n:Computer) RETURN p" | |
} | |
] | |
}, | |
{ | |
"name": "Find all users that have local admin rights", | |
"queryList": [ | |
{ | |
"final": true, | |
"query": "MATCH p=(m:User)-[r:AdminTo]->(n:Computer) RETURN p" | |
} | |
] | |
}, | |
{ | |
"name": "Find all active Domain Admin sessions", | |
"queryList": [ | |
{ | |
"final": true, | |
"query": "MATCH (n:User)-[:MemberOf]->(g:Group) WHERE g.objectid ENDS WITH '-512' MATCH p = (c:Computer)-[:HasSession]->(n) return p" | |
} | |
] | |
}, | |
{ | |
"name": "Find all computers with Unconstrained Delegation", | |
"queryList": [ | |
{ | |
"final": true, | |
"query": "MATCH (c:Computer {unconstraineddelegation:true}) return c" | |
} | |
] | |
}, | |
{ | |
"name": "Find all computers with unsupported operating systems", | |
"queryList": [ | |
{ | |
"final": true, | |
"query": "MATCH (H:Computer) WHERE H.operatingsystem = '.*(2000|2003|2008|xp|vista|7|me).*' RETURN H" | |
} | |
] | |
}, | |
{ | |
"name": "Find users that have not logged in within the last 90 days", | |
"queryList": [ | |
{ | |
"final": true, | |
"query": "MATCH (u:User) WHERE u.lastlogon < (datetime().epochseconds - (90 * 86400)) and NOT u.lastlogon IN [-1.0, 0.0] RETURN u" | |
} | |
] | |
}, | |
{ | |
"name": "Find users with passwords last set more than 90 days ago", | |
"queryList": [ | |
{ | |
"final": true, | |
"query": "MATCH (u:User) WHERE u.pwdlastset < (datetime().epochseconds - (90 * 86400)) and NOT u.pwdlastset IN [-1.0, 0.0] RETURN u" | |
} | |
] | |
}, | |
{ | |
"name": "Find constrained delegation", | |
"queryList": [ | |
{ | |
"final": true, | |
"query": "MATCH p=(u:User)-[:AllowedToDelegate]->(c:Computer) RETURN p" | |
} | |
] | |
}, | |
{ | |
"name": "Find computers that allow unconstrained delegation that AREN’T domain controllers.", | |
"queryList": [ | |
{ | |
"final": true, | |
"query": "MATCH (c1:Computer)-[:MemberOf*1..]->(g:Group) WHERE g.objectid ENDS WITH '-516' WITH COLLECT(c1.name) AS domainControllers MATCH (c2:Computer {unconstraineddelegation:true}) WHERE NOT c2.name IN domainControllers RETURN c2" | |
} | |
] | |
}, | |
{ | |
"name": "Return the name of every computer in the database where at least one SPN for the computer contains the string 'MSSQL'", | |
"queryList": [ | |
{ | |
"final": true, | |
"query": "MATCH (c:Computer) WHERE ANY (x IN c.serviceprincipalnames WHERE toUpper(x) CONTAINS 'MSSQL') RETURN c" | |
} | |
] | |
}, | |
{ | |
"name": "View all GPOs", | |
"queryList": [ | |
{ | |
"final": true, | |
"query": "Match (n:GPO) RETURN n" | |
} | |
] | |
}, | |
{ | |
"name": "View all groups whose name contains 'ADMIN'", | |
"queryList": [ | |
{ | |
"final": true, | |
"query": "Match (n:Group) WHERE n.name CONTAINS 'ADMIN' RETURN n" | |
} | |
] | |
}, | |
{ | |
"name": "Find users that can be AS-REP roasted", | |
"queryList": [ | |
{ | |
"final": true, | |
"query": "MATCH (u:User {dontreqpreauth: true}) RETURN u" | |
} | |
] | |
}, | |
{ | |
"name": "Find All Users with an SPN/Find all Kerberoastable Users with passwords last set > 5 years ago", | |
"queryList": [ | |
{ | |
"final": true, | |
"query": "MATCH (u:User) WHERE n.hasspn=true AND WHERE u.pwdlastset < (datetime().epochseconds - (1825 * 86400)) and NOT u.pwdlastset IN [-1.0, 0.0] RETURN u" | |
} | |
] | |
}, | |
{ | |
"name": "Show all high value target's groups", | |
"queryList": [ | |
{ | |
"final": true, | |
"query": "MATCH p=(n:User)-[r:MemberOf*1..]->(m:Group {highvalue:true}) RETURN p" | |
} | |
] | |
}, | |
{ | |
"name": "Find groups that contain both users and computers", | |
"queryList": [ | |
{ | |
"final": true, | |
"query": "MATCH (c:Computer)-[r:MemberOf*1..]->(groupsWithComps:Group) WITH groupsWithComps MATCH (u:User)-[r:MemberOf*1..]->(groupsWithComps) RETURN DISTINCT(groupsWithComps) as groupsWithCompsAndUsers" | |
} | |
] | |
}, | |
{ | |
"name": "Find Kerberoastable users who are members of high value groups", | |
"queryList": [ | |
{ | |
"final": true, | |
"query": "MATCH (u:User)-[r:MemberOf*1..]->(g:Group) WHERE g.highvalue=true AND u.hasspn=true RETURN u" | |
} | |
] | |
}, | |
{ | |
"name": "Find Kerberoastable users and where they are AdminTo", | |
"queryList": [ | |
{ | |
"final": true, | |
"query": "OPTIONAL MATCH (u1:User) WHERE u1.hasspn=true OPTIONAL MATCH (u1)-[r:AdminTo]->(c:Computer) RETURN u" | |
} | |
] | |
}, | |
{ | |
"name": "Find computers with constrained delegation permissions and the corresponding targets they are allowed to delegate to", | |
"queryList": [ | |
{ | |
"final": true, | |
"query": "MATCH (c:Computer) WHERE c.allowedtodelegate IS NOT NULL RETURN c" | |
} | |
] | |
}, | |
{ | |
"name": "Find if any domain user has interesting permissions against a GPO (Warning: Heavy)", | |
"queryList": [ | |
{ | |
"final": true, | |
"query": "MATCH p=(u:User)-[r:AllExtendedRights|GenericAll|GenericWrite|Owns|WriteDacl|WriteOwner|GpLink*1..]->(g:GPO) RETURN p" | |
} | |
] | |
}, | |
{ | |
"name": "Find if unprivileged users have rights to add members into groups", | |
"queryList": [ | |
{ | |
"final": true, | |
"query": "MATCH (n:User {admincount:False}) MATCH p=allShortestPaths((n)-[r:AddMember*1..]->(m:Group)) RETURN p" | |
} | |
] | |
}, | |
{ | |
"name": "Find all users that are members of a VPN group", | |
"queryList": [ | |
{ | |
"final": true, | |
"query": "Match p=(u:User)-[:MemberOf]->(g:Group) WHERE toUPPER (g.name) CONTAINS 'VPN' return p" | |
} | |
] | |
}, | |
{ | |
"name": "Find users that have never logged on and whose account is still enabled", | |
"queryList": [ | |
{ | |
"final": true, | |
"query": "MATCH (n:User) WHERE n.lastlogontimestamp=-1.0 AND n.enabled=TRUE RETURN n " | |
} | |
] | |
}, | |
{ | |
"name": "Find an object in one domain that can do something to a foreign object", | |
"queryList": [ | |
{ | |
"final": true, | |
"query": "MATCH p=(n)-[r]->(m) WHERE NOT n.domain = m.domain RETURN p" | |
} | |
] | |
}, | |
{ | |
"name": "Find all sessions a user in a specific domain has", | |
"requireNodeSelect": true, | |
"queryList": [ | |
{ | |
"final": false, | |
"title": "Select source domain...", | |
"query": "MATCH (n:Domain) RETURN n.name ORDER BY n.name" | |
}, | |
{ | |
"final": true, | |
"query": "MATCH p=(m:Computer)-[r:HasSession]->(n:User {domain:{result}}) RETURN p", | |
"startNode": "{}", | |
"allowCollapse": false | |
} | |
] | |
}, | |
{ | |
"name": "Find an object from domain 'A' that can do anything to a foreign object", | |
"requireNodeSelect": true, | |
"queryList": [ | |
{ | |
"final": false, | |
"title": "Select source domain...", | |
"query": "MATCH (n:Domain) RETURN n.name ORDER BY n.name" | |
}, | |
{ | |
"final": true, | |
"query": "MATCH p=(n {domain:{result}})-[r]->(d) WHERE NOT d.domain=n.domain RETURN p", | |
"startNode": "{}", | |
"allowCollapse": false | |
} | |
] | |
}, | |
{ | |
"name": "Find All edges any owned user has on a computer", | |
"queryList": [ | |
{ | |
"final": true, | |
"query": "MATCH p=shortestPath((m:User)-[r*]->(b:Computer)) WHERE m.owned RETURN p" | |
} | |
] | |
}, | |
{ | |
"name": "----------------------------------------AZURE QUERIES----------------------------------", | |
"queryList": [ | |
{ | |
"final": true, | |
"query": "" | |
} | |
] | |
}, | |
{ | |
"name": "Return All Azure Users that are part of the 'Global Administrator' Role", | |
"queryList": [ | |
{ | |
"final": true, | |
"query": "MATCH p =(n)-[r:AZGlobalAdmin*1..]->(m) RETURN p" | |
} | |
] | |
}, | |
{ | |
"name": "Return All On-Prem users with edges to Azure", | |
"queryList": [ | |
{ | |
"final": true, | |
"query": "MATCH p=(m:User)-[r:AZResetPassword|AZOwns|AZUserAccessAdministrator|AZContributor|AZAddMembers|AZGlobalAdmin|AZVMContributor|AZOwnsAZAvereContributor]->(n) WHERE m.objectid CONTAINS 'S-1-5-21' RETURN p" | |
} | |
] | |
}, | |
{ | |
"name": "Find all paths to an Azure VM", | |
"queryList": [ | |
{ | |
"final": true, | |
"query": "MATCH p = (n)-[r]->(g:AZVM) RETURN p" | |
} | |
] | |
}, | |
{ | |
"name": "Find all paths to an Azure KeyVault", | |
"queryList": [ | |
{ | |
"final": true, | |
"query": "MATCH p = (n)-[r]->(g:AZKeyVault) RETURN p" | |
} | |
] | |
}, | |
{ | |
"name": "Return All Azure Users and their Groups", | |
"queryList": [ | |
{ | |
"final": true, | |
"query": "MATCH p=(m:AZUser)-[r:MemberOf]->(n) WHERE NOT m.objectid CONTAINS 'S-1-5' RETURN p" | |
} | |
] | |
}, | |
{ | |
"name": "Return All Azure AD Groups that are synchronized with On-Premise AD", | |
"queryList": [ | |
{ | |
"final": true, | |
"query": "MATCH (n:Group) WHERE n.objectid CONTAINS 'S-1-5' AND n.azsyncid IS NOT NULL RETURN n" | |
} | |
] | |
}, | |
{ | |
"name": "Find all Privileged Service Principals", | |
"queryList": [ | |
{ | |
"final": true, | |
"query": "MATCH p = (g:AZServicePrincipal)-[r]->(n) RETURN p" | |
} | |
] | |
}, | |
{ | |
"name": "Find all Owners of Azure Applications", | |
"queryList": [ | |
{ | |
"final": true, | |
"query": "MATCH p = (n)-[r:AZOwns]->(g:AZApp) RETURN p" | |
} | |
] | |
}, | |
{ | |
"name": "Shortest Paths to High Value Targets from Owned Principals", | |
"queryList": [ | |
{ | |
"final": false, | |
"title": "Select a Domain", | |
"query": "MATCH (n:Domain) RETURN n.name ORDER BY n.name DESC" | |
}, | |
{ | |
"final": true, | |
"query": "MATCH (n),(m),p=shortestPath((n)-[r:{}*1..]->(m)) WHERE m.domain={result} AND m.highvalue=true AND NOT m = n AND n.owned=true RETURN p", | |
"allowCollapse": true, | |
"endNode": "{}" | |
} | |
] | |
}, | |
{ | |
"name": "List Computers where DOMAIN USERS are Local Admin", | |
"queryList": [ | |
{ | |
"final": true, | |
"query": "MATCH p=(m:Group)-[r:AdminTo]->(n:Computer) WHERE m.name STARTS WITH 'DOMAIN USERS' RETURN p", | |
"allowCollapse": true | |
} | |
] | |
}, | |
{ | |
"name": "Find Workstations where DOMAIN USERS can RDP To", | |
"queryList": [ | |
{ | |
"final": true, | |
"query": "match p=(g:Group)-[:CanRDP]->(c:Computer) where g.name STARTS WITH 'DOMAIN USERS' AND NOT c.operatingsystem CONTAINS 'Server' return p", | |
"allowCollapse": true | |
} | |
] | |
}, | |
{ | |
"name": "Find Servers where DOMAIN USERS can RDP To", | |
"queryList": [ | |
{ | |
"final": true, | |
"query": "match p=(g:Group)-[:CanRDP]->(c:Computer) where g.name STARTS WITH 'DOMAIN USERS' AND c.operatingsystem CONTAINS 'Server' return p", | |
"allowCollapse": true | |
} | |
] | |
}, | |
{ | |
"name": "All Paths from DOMAIN USERS to High Value Targets", | |
"queryList": [ | |
{ | |
"final": true, | |
"query": "MATCH (g:Group) WHERE g.name STARTS WITH 'DOMAIN USERS' MATCH (n {highvalue:true}),p=shortestPath((g)-[r*1..]->(n)) return p", | |
"allowCollapse": true | |
} | |
] | |
}, | |
{ | |
"name": "Find all other Rights DOMAIN USERS shouldn’t have", | |
"queryList": [ | |
{ | |
"final": true, | |
"query": "MATCH p=(m:Group)-[r:Owns|:WriteDacl|:GenericAll|:WriteOwner|:ExecuteDCOM|:GenericWrite|:AllowedToDelegate|:ForceChangePassword]->(n:Computer) WHERE m.name STARTS WITH 'DOMAIN USERS' RETURN p", | |
"allowCollapse": true | |
} | |
] | |
}, | |
{ | |
"name": "DA Account Sessions", | |
"queryList": [ | |
{ | |
"final": true, | |
"query": "MATCH (n:User)-[:MemberOf]->(g:Group) WHERE g.name STARTS WITH 'DOMAIN ADMINS' MATCH p = (c:Computer)-[:HasSession]->(n) return p", | |
"allowCollapse": true | |
} | |
] | |
}, | |
{ | |
"name": "DA Account Sessions to NON DC", | |
"queryList": [ | |
{ | |
"final": true, | |
"query": "MATCH (c:Computer)-[:MemberOf]->(t:Group) WHERE NOT t.name STARTS WITH 'DOMAIN CONTROLLERS' WITH c as NonDC MATCH p=(NonDC)-[:HasSession]->(n:User)-[:MemberOf]-> (g:Group WHERE g.name STARTS WITH 'DOMAIN ADMINS') RETURN p", | |
"allowCollapse": true | |
} | |
] | |
}, | |
{ | |
"name": "Kerberoastable Accounts member of High Value Group", | |
"queryList": [ | |
{ | |
"final": true, | |
"query": "MATCH (n:User)-[r:MemberOf]->(g:Group) WHERE g.highvalue=true AND n.hasspn=true RETURN n, g, r", | |
"allowCollapse": true | |
} | |
] | |
}, | |
{ | |
"name": "List all Kerberoastable Accounts", | |
"queryList": [ | |
{ | |
"final": true, | |
"query": "MATCH (n:User)WHERE n.hasspn=true RETURN n", | |
"allowCollapse": true | |
} | |
] | |
}, | |
{ | |
"name": "Top Ten Users with Most Sessions", | |
"queryList": [ | |
{ | |
"final": true, | |
"query": "MATCH (n:User),(m:Computer), (n)<-[r:HasSession]-(m) WHERE NOT n.name STARTS WITH 'ANONYMOUS LOGON' AND NOT n.name='' WITH n, count(r) as rel_count order by rel_count desc LIMIT 10 MATCH p=(m)-[r:HasSession]->(n) RETURN p", | |
"allowCollapse": true | |
} | |
] | |
}, | |
{ | |
"name": "Top Ten Computers with Most Admins", | |
"queryList": [ | |
{ | |
"final": true, | |
"query": "MATCH (n:User),(m:Computer), (n)-[r:AdminTo]->(m) WHERE NOT n.name STARTS WITH 'ANONYMOUS LOGON' AND NOT n.name='' WITH m, count(r) as rel_count order by rel_count desc LIMIT 10 MATCH p=(m)<-[r:AdminTo]-(n) RETURN p", | |
"allowCollapse": true | |
} | |
] | |
}, | |
{ | |
"name": "Top Ten Computers with Most Sessions", | |
"queryList": [ | |
{ | |
"final": true, | |
"query": "MATCH (n:User),(m:Computer), (n)<-[r:HasSession]-(m) WHERE NOT n.name STARTS WITH 'ANONYMOUS LOGON' AND NOT n.name='' WITH m, count(r) as rel_count order by rel_count desc LIMIT 10 MATCH p=(m)-[r:HasSession]->(n) RETURN n,r,m", | |
"allowCollapse": true | |
} | |
] | |
}, | |
{ | |
"name": "Top Ten Computers with Most Admin Sessions", | |
"queryList": [ | |
{ | |
"final": true, | |
"query": "MATCH (n:User),(m:Computer), (n)<-[r:HasSession]-(m) WHERE NOT n.name STARTS WITH 'ANONYMOUS LOGON' AND NOT n.name='' WITH m, count(r) as rel_count order by rel_count desc LIMIT 10 MATCH p=(m)-[r:HasSession]->(n) RETURN n,r,m", | |
"allowCollapse": true | |
} | |
] | |
}, | |
{ | |
"name": "Top Ten Users with Most Local Admin Rights", | |
"queryList": [ | |
{ | |
"final": true, | |
"query": "MATCH (n:User),(m:Computer), (n)-[r:AdminTo]->(m) WHERE NOT n.name STARTS WITH 'ANONYMOUS LOGON' AND NOT n.name='' WITH n, count(r) as rel_count order by rel_count desc LIMIT 10 MATCH p=(m)<-[r:AdminTo]-(n) RETURN p", | |
"allowCollapse": true | |
} | |
] | |
}, | |
{ | |
"name": "Find all owned Domain Admins", | |
"requireNodeSelect": false, | |
"query": "MATCH (n:Group) WHERE n.name =~ {name} WITH n MATCH p=(n)<-[r:MemberOf*1..]-(m) WHERE exists(m.owned) AND NONE (x IN nodes(p) WHERE exists(x.blacklist)) AND NONE (x in relationships(p) WHERE exists(x.blacklist)) RETURN nodes(p),relationships(p)", | |
"allowCollapse": false, | |
"props": { | |
"name": "(?i).*DOMAIN ADMINS.*" | |
} | |
}, | |
{ | |
"name": "Find Shortest Paths from owned node to Domain Admins", | |
"requireNodeSelect": true, | |
"nodeSelectQuery": { | |
"query": "MATCH (n:Group) WHERE n.name =~ {name} RETURN n.name", | |
"queryProps": { | |
"name": "(?i).*DOMAIN ADMINS.*" | |
}, | |
"onFinish": "MATCH (n),(m:Group {name:{result}}),p=shortestPath((n)-[*1..12]->(m)) WHERE exists(n.owned) AND NONE (x IN nodes(p) WHERE exists(x.blacklist)) AND NONE (x in relationships(p) WHERE exists(x.blacklist)) RETURN p", | |
"start": "", | |
"end": "{}", | |
"allowCollapse": true, | |
"boxTitle": "Select domain to map..." | |
} | |
}, | |
{ | |
"name": "Show Wave", | |
"requireNodeSelect": true, | |
"nodeSelectQuery": { | |
"query": "MATCH (n) WHERE exists(n.wave) WITH DISTINCT n.wave as d RETURN toString(d) ORDER BY d", | |
"queryProps": { | |
}, | |
"onFinish": "OPTIONAL MATCH (n1:User {wave:toInt({result})}) WITH collect(distinct n1) as c1 OPTIONAL MATCH (n2:Computer {wave:toInt({result})}) WITH collect(distinct n2) + c1 as c2 OPTIONAL MATCH (n3:Group {wave:toInt({result})}) WITH c2, collect(distinct n3) + c2 as c3 UNWIND c2 as n UNWIND c3 as m MATCH (n)-[r]->(m) WHERE not(exists(n.blacklist)) AND not(exists(m.blacklist)) AND not(exists(r.blacklist)) RETURN n,r,m", | |
"start": "", | |
"end": "", | |
"allowCollapse": true, | |
"boxTitle": "Select wave..." | |
} | |
}, | |
{ | |
"name": "Highlight Delta for Wave", | |
"requireNodeSelect": true, | |
"nodeSelectQuery": { | |
"query": "MATCH (n) WHERE exists(n.wave) WITH DISTINCT n.wave as d RETURN toString(d) ORDER BY d", | |
"queryProps": { | |
}, | |
"onFinish": "MATCH (n)-[r]->(m) WHERE n.wave<=toInt({result}) AND not(exists(n.blacklist)) AND not(exists(m.blacklist)) AND not(exists(r.blacklist)) RETURN n,r,m", | |
"start": "", | |
"end": "", | |
"allowCollapse": true, | |
"boxTitle": "Select wave to show deltas..." | |
} | |
}, | |
{ | |
"name": "Find Clusters of Password Reuse", | |
"requireNodeSelect": false, | |
"query": "MATCH p=(n)-[r:SharesPasswordWith]->(m) WHERE not(exists(n.blacklist)) AND not(exists(m.blacklist)) RETURN p", | |
"allowCollapse": true, | |
"props": { | |
} | |
}, | |
{ | |
"name": "Show Blacklisted Nodes", | |
"requireNodeSelect": false, | |
"query": "MATCH (n) WHERE exists(n.blacklist) RETURN n", | |
"allowCollapse": true, | |
"props": { | |
} | |
}, | |
{ | |
"name": "Show Blacklisted Relationships", | |
"requireNodeSelect": false, | |
"query": "MATCH (n)-[r]->(m) WHERE exists(r.blacklist) RETURN n,r,m", | |
"allowCollapse": true, | |
"props": { | |
} | |
}, | |
{ | |
"name": "Show Blacklist", | |
"requireNodeSelect": false, | |
"query": "OPTIONAL MATCH (n {blacklist:true}) WITH n OPTIONAL MATCH p=(()-[{blacklist:true}]->()) RETURN n,p", | |
"allowCollapse": true, | |
"props": { | |
} | |
}, | |
{ | |
"name": "Show owned Nodes", | |
"requireNodeSelect": false, | |
"query": "MATCH (n) WHERE exists(n.owned) RETURN n", | |
"allowCollapse": true, | |
"props": { | |
} | |
}, | |
{ | |
"name": "Find Shortest Paths to DA Equivalency", | |
"requireNodeSelect": true, | |
"nodeSelectQuery": { | |
"query": "MATCH (n:Group) WHERE n.name =~ {name} RETURN n.name", | |
"queryProps": { | |
"name": "(?i).*DOMAIN CONTROLLERS.*" | |
}, | |
"onFinish": "MATCH (n:User),(m:Group {name:{result}}),p=shortestPath((n)-[*1..]->(m)) RETURN p", | |
"start": "", | |
"end": "{}", | |
"allowCollapse": true, | |
"boxTitle": "Select domain to map..." | |
} | |
}, | |
{ | |
"name": "Find Shortest Paths to Domain Admins from Foreign User", | |
"requireNodeSelect": true, | |
"nodeSelectQuery": { | |
"query": "MATCH (n:Domain) RETURN n.name", | |
"queryProps": { | |
}, | |
"onFinish": "MATCH (n:User) WHERE NOT n.name ENDS WITH ('@' + {result}) WITH n MATCH (m:Group {name:('DOMAIN ADMINS@' + {result})}) WITH n,m MATCH p=shortestPath((n)-[*1..]->(m)) RETURN p", | |
"start": "{}", | |
"end": "", | |
"allowCollapse": true, | |
"boxTitle": "Select target domain..." | |
} | |
}, | |
{ | |
"name": "Show Connections over 22/tcp", | |
"requireNodeSelect": false, | |
"query": "MATCH p=((s:Computer)-[:Connected_22]->(d:Computer)) RETURN p", | |
"allowCollapse": true, | |
"props": { | |
} | |
}, | |
{ | |
"name": "Show Connections over 80/tcp", | |
"requireNodeSelect": false, | |
"query": "MATCH p=((s:Computer)-[:Connected_80]->(d:Computer)) RETURN p", | |
"allowCollapse": true, | |
"props": { | |
} | |
}, | |
{ | |
"name": "Show Connections over 135/tcp", | |
"requireNodeSelect": false, | |
"query": "MATCH p=((s:Computer)-[:Connected_135]->(d:Computer)) RETURN p", | |
"allowCollapse": true, | |
"props": { | |
} | |
}, | |
{ | |
"name": "Show Connections over 139/tcp", | |
"requireNodeSelect": false, | |
"query": "MATCH p=((s:Computer)-[:Connected_139]->(d:Computer)) RETURN p", | |
"allowCollapse": true, | |
"props": { | |
} | |
}, | |
{ | |
"name": "Show Connections over 389/tcp", | |
"requireNodeSelect": false, | |
"query": "MATCH p=((s:Computer)-[:Connected_389]->(d:Computer)) RETURN p", | |
"allowCollapse": true, | |
"props": { | |
} | |
}, | |
{ | |
"name": "Show Connections over 443/tcp", | |
"requireNodeSelect": false, | |
"query": "MATCH p=((s:Computer)-[:Connected_443]->(d:Computer)) RETURN p", | |
"allowCollapse": true, | |
"props": { | |
} | |
}, | |
{ | |
"name": "Show Connections over 445/tcp", | |
"requireNodeSelect": false, | |
"query": "MATCH p=((s:Computer)-[:Connected_445]->(d:Computer)) RETURN p", | |
"allowCollapse": true, | |
"props": { | |
} | |
}, | |
{ | |
"name": "Show Connections over 1433/tcp", | |
"requireNodeSelect": false, | |
"query": "MATCH p=((s:Computer)-[:Connected_1433]->(d:Computer)) RETURN p", | |
"allowCollapse": true, | |
"props": { | |
} | |
}, | |
{ | |
"name": "Show Connections over 1521/tcp", | |
"requireNodeSelect": false, | |
"query": "MATCH p=((s:Computer)-[:Connected_1521]->(d:Computer)) RETURN p", | |
"allowCollapse": true, | |
"props": { | |
} | |
}, | |
{ | |
"name": "Show Connections over 3306/tcp", | |
"requireNodeSelect": false, | |
"query": "MATCH p=((s:Computer)-[:Connected_3306]->(d:Computer)) RETURN p", | |
"allowCollapse": true, | |
"props": { | |
} | |
}, | |
{ | |
"name": "Show Connections over 3389/tcp", | |
"requireNodeSelect": false, | |
"query": "MATCH p=((s:Computer)-[:Connected_3389]->(d:Computer)) RETURN p", | |
"allowCollapse": true, | |
"props": { | |
} | |
}, | |
{ | |
"name": "Show Connections over 5432/tcp", | |
"requireNodeSelect": false, | |
"query": "MATCH p=((s:Computer)-[:Connected_5432]->(d:Computer)) RETURN p", | |
"allowCollapse": true, | |
"props": { | |
} | |
}, | |
{ | |
"name": "Show Database Connections", | |
"requireNodeSelect": false, | |
"query": "MATCH p=((s:Computer)-[:Connected_1433|Connected_1521|Connected_3306|Connected_5432]->(d:Computer)) RETURN p", | |
"allowCollapse": true, | |
"props": { | |
} | |
}, | |
{ | |
"name": "Show Web App Connections", | |
"requireNodeSelect": false, | |
"query": "MATCH p=((s:Computer)-[:Connected_80|Connected_443]->(d:Computer)) RETURN p", | |
"allowCollapse": true, | |
"props": { | |
} | |
}, | |
{ | |
"name": "Find Top 10 RDP Servers", | |
"requireNodeSelect": false, | |
"query": "MATCH (n:Computer)-[r:Connected_3389]->(m:Computer) WHERE NOT m.name STARTS WITH 'ANONYMOUS LOGON' AND NOT m.name='' WITH m, count(r) as rel_count order by rel_count desc LIMIT 10 MATCH (n)-[r:Connected_3389]->(m) RETURN n,r,m", | |
"allowCollapse": true, | |
"props": { | |
} | |
}, | |
{ | |
"name": "Find Top 10 SSH Servers", | |
"requireNodeSelect": false, | |
"query": "MATCH (n:Computer)-[r:Connected_22]->(m:Computer) WHERE NOT m.name STARTS WITH 'ANONYMOUS LOGON' AND NOT m.name='' WITH m, count(r) as rel_count order by rel_count desc LIMIT 10 MATCH (n)-[r:Connected_22]->(m) RETURN n,r,m", | |
"allowCollapse": true, | |
"props": { | |
} | |
}, | |
{ | |
"name": "Find Top 10 Web Apps with most Connections", | |
"requireNodeSelect": false, | |
"query": "MATCH (n:Computer)-[r:Connected_80|Connected_443]->(m:Computer) WHERE NOT m.name STARTS WITH 'ANONYMOUS LOGON' AND NOT m.name='' WITH m, count(r) as rel_count order by rel_count desc LIMIT 10 MATCH (n)-[r:Connected_80|Connected_443]->(m) RETURN n,r,m", | |
"allowCollapse": true, | |
"props": { | |
} | |
}, | |
{ | |
"name": "Return All Azure Users that are part of the 'Global Administrator' Role", | |
"category": "Azure", | |
"queryList": [ | |
{ | |
"final": true, | |
"query": "MATCH p =(n)-[r:AZGlobalAdmin*1..]->(m) RETURN p" | |
} | |
] | |
}, | |
{ | |
"name": "Return All On-Prem users with edges to Azure", | |
"category": "Azure", | |
"queryList": [ | |
{ | |
"final": true, | |
"query": "MATCH p=(m:User)-[r:AZResetPassword|AZOwns|AZUserAccessAdministrator|AZContributor|AZAddMembers|AZGlobalAdmin|AZVMContributor|AZOwnsAZAvereContributor]->(n) WHERE m.objectid CONTAINS 'S-1-5-21' RETURN p" | |
} | |
] | |
}, | |
{ | |
"name": "Find all paths to an Azure VM", | |
"category": "Azure", | |
"queryList": [ | |
{ | |
"final": true, | |
"query": "MATCH p = (n)-[r]->(g:AZVM) RETURN p" | |
} | |
] | |
}, | |
{ | |
"name": "Find all paths to an Azure KeyVault", | |
"category": "Azure", | |
"queryList": [ | |
{ | |
"final": true, | |
"query": "MATCH p = (n)-[r]->(g:AZKeyVault) RETURN p" | |
} | |
] | |
}, | |
{ | |
"name": "Return All Azure Users and their Groups (Warning: Heavy)", | |
"category": "Azure", | |
"queryList": [ | |
{ | |
"final": true, | |
"query": "MATCH p=(m:AZUser)-[r:AZMemberOf*1..]->(n) WHERE NOT m.objectid CONTAINS 'S-1-5' RETURN p" | |
} | |
] | |
}, | |
{ | |
"name": "Return GUEST Azure Users and their Groups", | |
"category": "Azure", | |
"queryList": [ | |
{ | |
"final": true, | |
"query": "MATCH p=(m:AZUser)-[r:AZMemberOf*1..]->(n) WHERE NOT m.objectid CONTAINS 'S-1-5' AND m.userprincipalname=~ '(?i).*#EXT#.*' RETURN p" | |
} | |
] | |
}, | |
{ | |
"name": "Return All Azure Users and their Admin Roles", | |
"category": "Azure", | |
"queryList": [ | |
{ | |
"final": true, | |
"query": "MATCH p=(n)-[:AZHasRole|AZMemberOf*1..]->(:AZRole) RETURN p" | |
} | |
] | |
}, | |
{ | |
"name": "Return All Azure Users and their owned Devices (Warning: Heavy)", | |
"category": "Azure", | |
"queryList": [ | |
{ | |
"final": true, | |
"query": "MATCH p=(d:AZDevice)<-[r1:AZOwns]->(m:AZUser) RETURN p" | |
} | |
] | |
}, | |
{ | |
"name": "Return All Azure Admins and their owned Devices", | |
"category": "Azure", | |
"queryList": [ | |
{ | |
"final": true, | |
"query": "MATCH p=(d:AZDevice)<-[r1:AZOwns]->(m:AZUser)<-[r2:AZHasRole]->(n) RETURN p" | |
} | |
] | |
}, | |
{ | |
"name": "Return All Azure AD Groups that are synchronized with On-Premise AD", | |
"category": "Azure", | |
"queryList": [ | |
{ | |
"final": true, | |
"query": "MATCH (n:Group) WHERE n.objectid CONTAINS 'S-1-5' AND n.azsyncid IS NOT NULL RETURN n" | |
} | |
] | |
}, | |
{ | |
"name": "Find all Privileged Service Principals", | |
"category": "Azure", | |
"queryList": [ | |
{ | |
"final": true, | |
"query": "MATCH p = (g:AZServicePrincipal)-[r]->(n) RETURN p" | |
} | |
] | |
}, | |
{ | |
"name": "Find all Owners of Azure Applications", | |
"category": "Azure", | |
"queryList": [ | |
{ | |
"final": true, | |
"query": "MATCH p = (n)-[r:AZOwns]->(g:AZApp) RETURN p" | |
} | |
] | |
}, | |
{ | |
"name": "Find the Shortest path to a high value target from an owned object", | |
"category": "Azure", | |
"queryList": [ | |
{ | |
"final": true, | |
"query": "MATCH p=shortestPath((g {owned:true})-[*1..]->(n {highvalue:true})) WHERE g<>n return p" | |
} | |
] | |
}, | |
{ | |
"name": "Find the Shortest path to an unconstrained delegation system from an owned object", | |
"category": "Azure", | |
"queryList": [ | |
{ | |
"final": true, | |
"query": "MATCH (n) MATCH p=shortestPath((n)-[*1..]->(m:Computer {unconstraineddelegation: true})) WHERE NOT n=m AND n.owned = true RETURN p" | |
} | |
] | |
}, | |
{ | |
"name": "Find Misconfigured Certificate Templates (ESC2)", | |
"category": "Domain Escalation", | |
"queryList": [ | |
{ | |
"final": true, | |
"query": "MATCH (n:GPO) WHERE n.type = 'Certificate Template' and n.`Enabled` = true and (n.`Extended Key Usage` = [] or 'Any Purpose' IN n.`Extended Key Usage`) RETURN n" | |
} | |
] | |
}, | |
{ | |
"name": "Shortest Paths to Misconfigured Certificate Templates from Owned Principals (ESC2)", | |
"category": "Domain Escalation", | |
"queryList": [ | |
{ | |
"final": true, | |
"query": "MATCH p=allShortestPaths((g {owned:true})-[*1..]->(n:GPO)) WHERE g<>n and n.type = 'Certificate Template' and n.`Enabled` = true and (n.`Extended Key Usage` = [] or 'Any Purpose' IN n.`Extended Key Usage`) return p" | |
} | |
] | |
}, | |
{ | |
"name": "Find Enrollment Agent Templates (ESC3)", | |
"category": "Domain Escalation", | |
"queryList": [ | |
{ | |
"final": true, | |
"query": "MATCH (n:GPO) WHERE n.type = 'Certificate Template' and n.`Enabled` = true and (n.`Extended Key Usage` = [] or 'Any Purpose' IN n.`Extended Key Usage` or 'Certificate Request Agent' IN n.`Extended Key Usage`) RETURN n" | |
} | |
] | |
}, | |
{ | |
"name": "Shortest Paths to Enrollment Agent Templates from Owned Principals (ESC3)", | |
"category": "Domain Escalation", | |
"queryList": [ | |
{ | |
"final": true, | |
"query": "MATCH p=allShortestPaths((g {owned:true})-[*1..]->(n:GPO)) WHERE g<>n and n.type = 'Certificate Template' and n.`Enabled` = true and (n.`Extended Key Usage` = [] or 'Any Purpose' IN n.`Extended Key Usage` or 'Certificate Request Agent' IN n.`Extended Key Usage`) return p" | |
} | |
] | |
}, | |
{ | |
"name": "Find enabled users with a populated userPassword attribute", | |
"category": "User Information", | |
"queryList": [ | |
{ | |
"final": true, | |
"query": "MATCH (u:User) WHERE NOT u.userpassword IS null AND u.enabled = TRUE RETURN u.name,u.userpassword" | |
} | |
] | |
}, | |
{ | |
"name": "Find users with Temp in user title and created in the last 30 days", | |
"category": "User Information", | |
"queryList": [ | |
{ | |
"final": true, | |
"query": "MATCH (u:User) where u.enabled=TRUE and u.whencreated > (datetime().epochseconds - (30 * 86400)) AND u.title CONTAINS 'Temp' RETURN u" | |
} | |
] | |
}, | |
{ | |
"name": "Find users created in the last 30 days", | |
"category": "User Information", | |
"queryList": [ | |
{ | |
"final": true, | |
"query": "MATCH (u:User) where u.enabled=TRUE and u.whencreated > (datetime().epochseconds - (30 * 86400)) RETURN u" | |
} | |
] | |
}, | |
{ | |
"name": "Find users' credentials in description fields", | |
"category": "User Information", | |
"queryList": [ | |
{ | |
"final": true, | |
"query": "MATCH (m:User) WHERE m.description CONTAINS 'password' RETURN m.name, m.description" | |
} | |
] | |
}, | |
{ | |
"name": "Find Server 2000 and Enabled", | |
"category": "OS Finder", | |
"queryList": [ | |
{ | |
"final": true, | |
"query": "MATCH (H:Computer) WHERE H.operatingsystem =~ '(?i).*(2000).*' AND H.enabled = TRUE RETURN H" | |
} | |
] | |
}, | |
{ | |
"name": "Find Server 2000 with session", | |
"category": "OS Finder", | |
"queryList": [ | |
{ | |
"final": true, | |
"query": "MATCH (H:Computer)-[:HasSession]->(y) WHERE H.operatingsystem =~ '(?i).*(2000).*' RETURN H" | |
} | |
] | |
}, | |
{ | |
"name": "Find Server 2003 and Enabled", | |
"category": "OS Finder", | |
"queryList": [ | |
{ | |
"final": true, | |
"query": "MATCH (H:Computer) WHERE H.operatingsystem =~ '(?i).*(2003).*' AND H.enabled = TRUE RETURN H" | |
} | |
] | |
}, | |
{ | |
"name": "All computers without LAPS and the computer is enabled", | |
"category": "User Information", | |
"queryList": [ | |
{ | |
"final": true, | |
"query": "MATCH p = (d:Domain)-[r:Contains*1..]->(c:Computer) WHERE c.haslaps = false AND c.enabled = true RETURN p" | |
} | |
] | |
}, | |
{ | |
"name": "Find Server 2003 with session", | |
"category": "OS Finder", | |
"queryList": [ | |
{ | |
"final": true, | |
"query": "MATCH (H:Computer)-[:HasSession]->(y) WHERE H.operatingsystem =~ '(?i).*(2003).*' RETURN H" | |
} | |
] | |
}, | |
{ | |
"name": "Find Server 2008 and Enabled", | |
"category": "OS Finder", | |
"queryList": [ | |
{ | |
"final": true, | |
"query": "MATCH (H:Computer) WHERE H.operatingsystem =~ '(?i).*(2008).*' AND H.enabled = TRUE RETURN H" | |
} | |
] | |
}, | |
{ | |
"name": "List all owned users", | |
"category": "User Information", | |
"queryList": [ | |
{ | |
"final": true, | |
"query": "MATCH (m:User) WHERE m.owned=TRUE RETURN m" | |
} | |
] | |
}, | |
{ | |
"name": "Kerberoastable Admins", | |
"category": "Admin Hunter", | |
"queryList": [ | |
{ | |
"final": true, | |
"query": "MATCH (n:Group) WHERE n.objectsid =~ $sid WITH n MATCH p=(n)<-[MemberOf*1..]-(m {hasspn: true}) RETURN p", | |
"allowCollapse": true, | |
"props": { | |
"sid": "(?i)S-1-5-.*-512" | |
} | |
} | |
] | |
}, | |
{ | |
"name": "All Kerberoastable Users", | |
"category": "User Information", | |
"queryList": [ | |
{ | |
"final": true, | |
"requireNodeSelect": false, | |
"query": "MATCH (n {hasspn: true}) RETURN n", | |
"allowCollapse": true, | |
"props": { | |
} | |
} | |
] | |
}, | |
{ | |
"name": "Where can owned users RDP", | |
"category": "User Information", | |
"queryList": [ | |
{ | |
"final": true, | |
"requireNodeSelect": false, | |
"query": "MATCH p=(m:User {owned: true})-[r:MemberOf|CanRDP*1..]->(n:Computer) RETURN p", | |
"allowCollapse": true, | |
"props": { | |
} | |
} | |
] | |
}, | |
{ | |
"name": "Users with most local admin rights", | |
"category": "Admin Hunter", | |
"queryList": [ | |
{ | |
"final": true, | |
"requireNodeSelect": false, | |
"query": "MATCH (U:User)-[r:MemberOf|AdminTo*1..]->(C:Computer) WITH U.name as n, COUNT(DISTINCT(C)) AS c RETURN n,c ORDER BY c DESC LIMIT 5", | |
"allowCollapse": true, | |
"props": { | |
} | |
} | |
] | |
}, | |
{ | |
"name": "All Owned Nodes", | |
"category": "User Information", | |
"queryList": [ | |
{ | |
"final": true, | |
"requireNodeSelect": false, | |
"query": "MATCH (n {owned: true}) RETURN n", | |
"allowCollapse": true, | |
"props": { | |
} | |
} | |
] | |
}, | |
{ | |
"name": "Find computers with owned Admins", | |
"category": "Admin Hunter", | |
"queryList": [ | |
{ | |
"final": true, | |
"query": "MATCH p=shortestPath((n:User {owned:true})-[r:AdminTo|MemberOf*1..]->(c:Computer)) return p", | |
"allowCollapse": false | |
} | |
] | |
}, | |
{ | |
"name": "Find owned Groups", | |
"category": "User Information", | |
"queryList": [ | |
{ | |
"final": true, | |
"requireNodeSelect": false, | |
"query": "MATCH (n:User {owned: true})-[r:MemberOf]->(g:Group) RETURN g", | |
"allowCollapse": true, | |
"props": { | |
} | |
} | |
] | |
}, | |
{ | |
"name": "Find owned Domain Admins", | |
"category": "Admin Hunter", | |
"queryList": [ | |
{ | |
"final": true, | |
"title": "Select a domain...", | |
"query": "MATCH (n:Group) WHERE n.name =~ $name AND n.owned=true WITH n MATCH p=(n)<-[r:MemberOf*1..]-(m) RETURN p", | |
"props": { | |
"name": "(?i).*DOMAIN ADMINS.*" | |
}, | |
"allowCollapse": false | |
} | |
] | |
}, | |
{ | |
"name": "Find Shortest Path from owned Node to Domain Admin", | |
"category": "Admin Hunter", | |
"queryList": [ | |
{ | |
"final": false, | |
"title": "Select a Domain Admin group...", | |
"query": "MATCH (n:Group) WHERE n.name =~ $name RETURN n.name ORDER BY n.name DESC", | |
"props": { | |
"name": "(?i).*DOMAIN ADMINS.*" | |
} | |
}, | |
{ | |
"final": true, | |
"query": "MATCH (n:User),(m:Group {name:$result}),p=shortestPath((n {owned:true})-[r:MemberOf|AdminTo|HasSession|Contains|GpLink|Owns|DCSync|AllExtendedRights|ForceChangePassword|GenericAll|GenericWrite|WriteDacl|WriteOwner*1..]->(m)) RETURN p", | |
"allowCollapse": true, | |
"endNode": "{}" | |
} | |
] | |
}, | |
{ | |
"name": "Shortest paths from owned objects to High Value Targets (5 hops)", | |
"category": "Admin Hunter", | |
"queryList": [ | |
{ | |
"final": true, | |
"query": "MATCH p=shortestPath((n {owned:true})-[:MemberOf|HasSession|AdminTo|AllExtendedRights|AddMember|ForceChangePassword|GenericAll|GenericWrite|Owns|WriteDacl|WriteOwner|CanRDP|ExecuteDCOM|AllowedToDelegate|ReadLAPSPassword|Contains|GpLink|AddAllowedToAct|AllowedToAct|SQLAdmin|ReadGMSAPassword|HasSIDHistory|CanPSRemote*1..5]->(m {highvalue:true})) WHERE NOT n=m RETURN p", | |
"allowCollapse": true | |
} | |
] | |
}, | |
{ | |
"name": "Most exploitable paths from owned objects to High Value Targets (5 hops)", | |
"category": "Admin Hunter", | |
"queryList": [ | |
{ | |
"final": true, | |
"query": "MATCH p=allShortestPaths((n {owned:true})-[:MemberOf|AdminTo|AllExtendedRights|AddMember|ForceChangePassword|GenericAll|GenericWrite|Owns|WriteDacl|WriteOwner|ExecuteDCOM|AllowedToDelegate|ReadLAPSPassword|Contains|GpLink|AddAllowedToAct|AllowedToAct|SQLAdmin|ReadGMSAPassword|HasSIDHistory*1..5]->(m {highvalue:true})) WHERE NOT n=m RETURN p", | |
"allowCollapse": true | |
} | |
] | |
}, | |
{ | |
"name": "Next steps (5 hops) from owned objects", | |
"category": "Admin Hunter", | |
"queryList": [ | |
{ | |
"final": true, | |
"query": "MATCH p=shortestPath((c {owned: true})-[*1..5]->(s)) WHERE NOT c = s RETURN p" | |
} | |
] | |
}, | |
{ | |
"name": "Unconstrained Delegation systems", | |
"category": "Delegation Attacks", | |
"queryList": [ | |
{ | |
"final": true, | |
"query": "MATCH (c {unconstraineddelegation:true}) return c" | |
} | |
] | |
}, | |
{ | |
"name": "Constrained Delegation systems", | |
"category": "Delegation Attacks", | |
"queryList": [ | |
{ | |
"final": true, | |
"query": "MATCH p=(u)-[:AllowedToDelegate]->(c) RETURN p" | |
} | |
] | |
}, | |
{ | |
"name": "Unconstrained Delegation systems (without domain controllers)", | |
"category": "Delegation Attacks", | |
"queryList": [ | |
{ | |
"final": true, | |
"query": "MATCH (c1:Computer)-[:MemberOf*1..]->(g:Group) WHERE g.objectid ENDS WITH '-516' WITH COLLECT(c1.name) AS domainControllers MATCH (c2 {unconstraineddelegation:true}) WHERE NOT c2.name IN domainControllers RETURN c2" | |
} | |
] | |
}, | |
{ | |
"name": "(Warning: edits the DB) Mark unconstrained delegation systems as high value targets", | |
"category": "Delegation Attacks", | |
"queryList": [ | |
{ | |
"final": true, | |
"query": "MATCH (c1:Computer)-[:MemberOf*1..]->(g:Group) WHERE g.objectid ENDS WITH '-516' WITH COLLECT(c1.name) AS domainControllers MATCH (c2 {unconstraineddelegation:true}) WHERE NOT c2.name IN domainControllers SET c2.highvalue = true RETURN c2" | |
} | |
] | |
}, | |
{ | |
"name": "Shortest paths from owned principals to unconstrained delegation systems", | |
"category": "Delegation Attacks", | |
"queryList": [ | |
{ | |
"final": true, | |
"query": "MATCH (n {owned:true}) MATCH p=shortestPath((n)-[:MemberOf|HasSession|AdminTo|AllExtendedRights|AddMember|ForceChangePassword|GenericAll|GenericWrite|Owns|WriteDacl|WriteOwner|ExecuteDCOM|AllowedToDelegate|ReadLAPSPassword|Contains|GpLink|AddAllowedToAct|AllowedToAct|SQLAdmin|ReadGMSAPassword|HasSIDHistory|CanPSRemote*1..]->(m:Computer {unconstraineddelegation: true})) WHERE NOT n=m RETURN p" | |
} | |
] | |
}, | |
{ | |
"name": "Users with adminCount, not sensitive for delegation, not members of Protected Users", | |
"category": "Group Hunts", | |
"queryList": [ | |
{ | |
"final": true, | |
"query": "MATCH (u)-[:MemberOf*1..]->(g:Group) WHERE g.objectid =~ \"(?i)S-1-5-.*-525\" WITH COLLECT (u.name) as protectedUsers MATCH p=(u2:User)-[:MemberOf*1..3]->(g2:Group) WHERE u2.admincount=true AND u2.sensitive=false AND NOT u2.name IN protectedUsers RETURN p" | |
} | |
] | |
}, | |
{ | |
"name": "Groups that contain the word 'admin'", | |
"category": "Group Hunts", | |
"queryList": [ | |
{ | |
"final": true, | |
"query": "Match (n:Group) WHERE n.name CONTAINS 'ADMIN' RETURN n" | |
} | |
] | |
}, | |
{ | |
"name": "Find users that can RDP into something", | |
"category": "PlainText Password Queries", | |
"queryList": [ | |
{ | |
"final": true, | |
"query": "match (u1:User) WHERE u1.plaintext=True MATCH p1=(u1)-[:CanRDP*1..]->(c:Computer) RETURN u1", | |
"allowCollapse": true | |
} | |
] | |
}, | |
{ | |
"name": "Find users that belong to high value groups", | |
"category": "PlainText Password Queries", | |
"queryList": [ | |
{ | |
"final": true, | |
"query": "match (u1:User) WHERE u1.plaintext=True MATCH p=(u1:User)-[r:MemberOf*1..]->(m:Group {highvalue:true}) RETURN u1", | |
"allowCollapse": true | |
} | |
] | |
}, | |
{ | |
"name": "Find kerberoastable users", | |
"category": "PlainText Password Queries", | |
"queryList": [ | |
{ | |
"final": true, | |
"query": "match (u1:User) WHERE u1.plaintext=True AND u1.hasspn=True RETURN u1", | |
"allowCollapse": true | |
} | |
] | |
}, | |
{ | |
"name": "Return users with seasons in their password and are high value targets", | |
"category": "PlainText Password Queries", | |
"queryList": [ | |
{ | |
"final": true, | |
"query": "MATCH (u1:User) WHERE u1.plaintextpassword =~ \"([Ww]inter.*|[sS]pring.*|[sS]ummer.*|[fF]all.*)\" MATCH p=(u1:User)-[r:MemberOf*1..]->(m:Group {highvalue:true}) RETURN u1", | |
"allowCollapse": true | |
} | |
] | |
}, | |
{ | |
"name": "Return users with seasons in their password and have local admin on at least one computer", | |
"category": "PlainText Password Queries", | |
"queryList": [ | |
{ | |
"final": true, | |
"query": "match (u1:User) WHERE u1.plaintextpassword =~ \"([Ww]inter.*|[sS]pring.*|[sS]ummer.*|[fF]all.*)\" match p=(u1:User)-[r:AdminTo]->(n:Computer) RETURN p", | |
"allowCollapse": true | |
} | |
] | |
}, | |
{ | |
"name": "Return users with seasons in their password and a path to high value targets (limit to 25 results)", | |
"category": "PlainText Password Queries", | |
"queryList": [ | |
{ | |
"final": true, | |
"query": "match (u1:User) WHERE u1.plaintextpassword =~ \"([Ww]inter.*|[sS]pring.*|[sS]ummer.*|[fF]all.*)\" MATCH p=shortestPath((u1:User)-[*1..]->(n {highvalue:true})) WHERE u1<>n return u1 LIMIT 25", | |
"allowCollapse": true | |
} | |
] | |
}, | |
{ | |
"name": "Return users with a variant of \"password\" in their password and are high value targets", | |
"category": "PlainText Password Queries", | |
"queryList": [ | |
{ | |
"final": true, | |
"query": "MATCH (u1:User) WHERE u1.plaintextpassword =~ \"(.*[pP][aA@][sS$][sS$][wW][oO0][rR][dD].*)\" MATCH p=(u1:User)-[r:MemberOf*1..]->(m:Group {highvalue:true}) RETURN u1", | |
"allowCollapse": true | |
} | |
] | |
}, | |
{ | |
"name": "Return users with a variant of \"password\" in their password and have local admin on at least one computer", | |
"category": "PlainText Password Queries", | |
"queryList": [ | |
{ | |
"final": true, | |
"query": "match (u1:User) WHERE u1.plaintextpassword =~ \"(.*[pP][aA@][sS$][sS$][wW][oO0][rR][dD].*)\" match p=(u1:User)-[r:AdminTo]->(n:Computer) RETURN p", | |
"allowCollapse": true | |
} | |
] | |
}, | |
{ | |
"name": "Return users with a variant of \"password\" in their password and a path to high value targets (limit to 25 results)", | |
"category": "PlainText Password Queries", | |
"queryList": [ | |
{ | |
"final": true, | |
"query": "match (u1:User) WHERE u1.plaintextpassword =~ \"(.*[pP][aA@][sS$][sS$][wW][oO0][rR][dD].*)\" MATCH p=shortestPath((u1:User)-[*1..]->(n {highvalue:true})) WHERE u1<>n return u1 LIMIT 25", | |
"allowCollapse": true | |
} | |
] | |
}, | |
{ | |
"name": "Groups of High Value Targets", | |
"category": "Group Hunts", | |
"queryList": [ | |
{ | |
"final": true, | |
"query": "MATCH p=(n:User)-[r:MemberOf*1..]->(m:Group {highvalue:true}) RETURN p" | |
} | |
] | |
}, | |
{ | |
"name": "Non Admin Groups with High Value Privileges", | |
"category": "Group Hunts", | |
"queryList": [ | |
{ | |
"final": true, | |
"query": "MATCH p=(g:Group)-[r:Owns|:WriteDacl|:GenericAll|:WriteOwner|:ExecuteDCOM|:GenericWrite|:AllowedToDelegate|:ForceChangePassword]->(n:Computer) WHERE NOT g.name CONTAINS 'ADMIN' RETURN p", | |
"allowCollapse": true | |
} | |
] | |
}, | |
{ | |
"name": "Groups with Computer and User Objects", | |
"category": "Group Hunts", | |
"queryList": [ | |
{ | |
"final": true, | |
"query": "MATCH (c:Computer)-[r:MemberOf*1..]->(groupsWithComps:Group) WITH groupsWithComps MATCH (u:User)-[r:MemberOf*1..]->(groupsWithComps) RETURN DISTINCT(groupsWithComps) as groupsWithCompsAndUsers", | |
"allowCollapse": true, | |
"endNode": "{}" | |
} | |
] | |
}, | |
{ | |
"name": "Groups that can reset passwords (Warning: Heavy)", | |
"category": "Group Hunts", | |
"queryList": [ | |
{ | |
"final": true, | |
"query": "MATCH p=(m:Group)-[r:ForceChangePassword]->(n:User) RETURN p" | |
} | |
] | |
}, | |
{ | |
"name": "Groups that have local admin rights (Warning: Heavy)", | |
"category": "Group Hunts", | |
"queryList": [ | |
{ | |
"final": true, | |
"query": "MATCH p=(m:Group)-[r:AdminTo]->(n:Computer) RETURN p" | |
} | |
] | |
}, | |
{ | |
"name": "Users never logged on and account still active", | |
"category": "Password Hunts", | |
"queryList": [ | |
{ | |
"final": true, | |
"query": "MATCH (n:User) WHERE n.lastlogontimestamp=-1.0 AND n.enabled=TRUE RETURN n " | |
} | |
] | |
}, | |
{ | |
"name": "Users logged in the last 90 days", | |
"category": "Password Hunts", | |
"queryList": [ | |
{ | |
"final": true, | |
"query": "MATCH (u:User) WHERE u.lastlogon < (datetime().epochseconds - (90 * 86400)) and NOT u.lastlogon IN [-1.0, 0.0] RETURN u" | |
} | |
] | |
}, | |
{ | |
"name": "Users with passwords last set in the last 90 days", | |
"category": "Password Hunts", | |
"queryList": [ | |
{ | |
"final": true, | |
"query": "MATCH (u:User) WHERE u.pwdlastset < (datetime().epochseconds - (90 * 86400)) and NOT u.pwdlastset IN [-1.0, 0.0] RETURN u" | |
} | |
] | |
}, | |
{ | |
"name": "Find if unprivileged users have rights to add members into groups", | |
"category": "Password Hunts", | |
"queryList": [ | |
{ | |
"final": true, | |
"query": "MATCH (n:User {admincount:False}) MATCH p=allShortestPaths((n)-[r:AddMember*1..]->(m:Group)) RETURN p" | |
} | |
] | |
}, | |
{ | |
"name": "Find all users a part of the VPN group", | |
"category": "Password Hunts", | |
"queryList": [ | |
{ | |
"final": true, | |
"query": "Match p=(u:User)-[:MemberOf]->(g:Group) WHERE toUPPER (g.name) CONTAINS 'VPN' return p" | |
} | |
] | |
}, | |
{ | |
"name": "Find computers with constrained delegation permissions and the corresponding targets where they allowed to delegate", | |
"category": "Delegation Attacks", | |
"queryList": [ | |
{ | |
"final": true, | |
"query": "MATCH (c:Computer) WHERE c.allowedtodelegate IS NOT NULL RETURN c" | |
} | |
] | |
}, | |
{ | |
"name": "Next steps (3 hops) from owned objects", | |
"category": "Admin Hunter", | |
"queryList": [ | |
{ | |
"final": true, | |
"query": "MATCH p=shortestPath((c {owned: true})-[*1..3]->(s)) WHERE NOT c = s RETURN p" | |
} | |
] | |
}, | |
{ | |
"name": "Owned users with permissions against GPOs", | |
"category": "Admin Hunter", | |
"queryList": [ | |
{ | |
"final": true, | |
"query": "MATCH p=(u:User {owned:true})-[r:AllExtendedRights|GenericAll|GenericWrite|Owns|WriteDacl|WriteOwner|GpLink*1..]->(g:GPO) RETURN p" | |
} | |
] | |
}, | |
{ | |
"name": "Find all other Rights Domain Users shouldn't have", | |
"category": "Admin Hunter", | |
"queryList": [ | |
{ | |
"final": true, | |
"query": "MATCH p=(m:Group)-[r:Owns|WriteDacl|GenericAll|WriteOwner|ExecuteDCOM|GenericWrite|AllowedToDelegate|ForceChangePassword]->(n:Computer) WHERE m.objectid ENDS WITH '-513' OR m.objectsid ENDS WITH '-515' OR m.objectsid ENDS WITH 'S-1-5-11' OR m.objectsid ENDS WITH 'S-1-1-0' RETURN p", | |
"allowCollapse": true | |
} | |
] | |
}, | |
{ | |
"name": "Computers with administrative Domain Users", | |
"category": "Admin Hunter", | |
"queryList": [ | |
{ | |
"final": true, | |
"query": "MATCH p=(m:Group)-[r:AddMember|AdminTo|AllExtendedRights|AllowedToDelegate|CanRDP|Contains|ExecuteDCOM|ForceChangePassword|GenericAll|GenericWrite|GetChanges|GetChangesAll|HasSession|Owns|ReadLAPSPassword|SQLAdmin|TrustedBy|WriteDACL|WriteOwner|AddAllowedToAct|AllowedToAct]->(t) WHERE m.objectsid ENDS WITH '-513' OR m.objectsid ENDS WITH '-515' OR m.objectsid ENDS WITH 'S-1-5-11' OR m.objectsid ENDS WITH 'S-1-1-0' RETURN p" | |
} | |
] | |
}, | |
{ | |
"name": "List all owned computers", | |
"category": "Owned Hunter", | |
"queryList": [ | |
{ | |
"final": true, | |
"query": "MATCH (m:Computer) WHERE m.owned=TRUE RETURN m" | |
} | |
] | |
}, | |
{ | |
"name": "List all owned groups", | |
"category": "Owned Hunter", | |
"queryList": [ | |
{ | |
"final": true, | |
"query": "MATCH (m:Group) WHERE m.owned=TRUE RETURN m" | |
} | |
] | |
}, | |
{ | |
"name": "List all High Valued Targets", | |
"category": "Owned Hunter", | |
"queryList": [ | |
{ | |
"final": true, | |
"query": "MATCH (m) WHERE m.highvalue=TRUE RETURN m" | |
} | |
] | |
}, | |
{ | |
"name": "List the groups of all owned users", | |
"category": "Owned Hunter", | |
"queryList": [ | |
{ | |
"final": true, | |
"query": "MATCH (m:User) WHERE m.owned=TRUE WITH m MATCH p=(m)-[:MemberOf*1..]->(n:Group) RETURN p" | |
} | |
] | |
}, | |
{ | |
"name": "Find all Kerberoastable Users", | |
"category": "User Information", | |
"queryList": [ | |
{ | |
"final": true, | |
"query": "MATCH (n:User)WHERE n.hasspn=true RETURN n", | |
"allowCollapse": false | |
} | |
] | |
}, | |
{ | |
"name": "Find All Users with an SPN/Find all Kerberoastable Users with passwords last set less than 5 years ago", | |
"category": "User Information", | |
"queryList": [ | |
{ | |
"final": true, | |
"query": "MATCH (u:User) WHERE u.hasspn=true AND u.pwdlastset < (datetime().epochseconds - (1825 * 86400)) AND NOT u.pwdlastset IN [-1.0, 0.0] RETURN u.name, u.pwdlastset order by u.pwdlastset " | |
} | |
] | |
}, | |
{ | |
"name": "Find Kerberoastable Users with a path to DA", | |
"category": "User Information", | |
"queryList": [ | |
{ | |
"final": true, | |
"query": "MATCH (u:User {hasspn:true}) MATCH (g:Group) WHERE g.objectid ENDS WITH '-512' MATCH p = shortestPath( (u)-[*1..]->(g) ) RETURN p" | |
} | |
] | |
}, | |
{ | |
"name": "Find machines Domain Users can RDP into", | |
"category": "User Information", | |
"queryList": [ | |
{ | |
"final": true, | |
"query": "match p=(g:Group)-[:CanRDP]->(c:Computer) where g.objectid ENDS WITH '-513' return p" | |
} | |
] | |
}, | |
{ | |
"name": "Find what groups can RDP", | |
"category": "User Information", | |
"queryList": [ | |
{ | |
"final": true, | |
"query": "MATCH p=(m:Group)-[r:CanRDP]->(n:Computer) RETURN p" | |
} | |
] | |
}, | |
{ | |
"name": "Find groups that can reset passwords (Warning: Heavy)", | |
"category": "User Information", | |
"queryList": [ | |
{ | |
"final": true, | |
"query": "MATCH p=(m:Group)-[r:ForceChangePassword]->(n:User) RETURN p" | |
} | |
] | |
}, | |
{ | |
"name": "Find groups that have local admin rights (Warning: Heavy)", | |
"category": "User Information", | |
"queryList": [ | |
{ | |
"final": true, | |
"query": "MATCH p=(m:Group)-[r:AdminTo]->(n:Computer) RETURN p" | |
} | |
] | |
}, | |
{ | |
"name": "Find all users that have local admin rights (Warning Can Be Heavy)", | |
"category": "Admin Hunter", | |
"queryList": [ | |
{ | |
"final": true, | |
"query": "MATCH p=(m:User)-[r:AdminTo]->(n:Computer) RETURN p" | |
} | |
] | |
}, | |
{ | |
"name": "Find all users that have local admin rights or Groups (Warning Can Be Heavy)", | |
"category": "Admin Hunter", | |
"queryList": [ | |
{ | |
"final": true, | |
"query": "MATCH p=(m:User)-[r:AdminTo|MemberOf*1..]->(n:Computer) RETURN p" | |
} | |
] | |
}, | |
{ | |
"name": "Find all active Domain Admin sessions", | |
"category": "Admin Hunter", | |
"queryList": [ | |
{ | |
"final": true, | |
"query": "MATCH (n:User)-[:MemberOf]->(g:Group) WHERE g.objectid ENDS WITH '-512' MATCH p = (c:Computer)-[:HasSession]->(n) return p" | |
} | |
] | |
}, | |
{ | |
"name": "Find all computers with Unconstrained Delegation", | |
"category": "Domain Escalation", | |
"queryList": [ | |
{ | |
"final": true, | |
"query": "MATCH (c:Computer {unconstraineddelegation:true}) return c" | |
} | |
] | |
}, | |
{ | |
"name": "Find all computers with unsupported operating systems", | |
"category": "OS Finder", | |
"queryList": [ | |
{ | |
"final": true, | |
"query": "MATCH (H:Computer) WHERE H.operatingsystem = '.*(2000|2003|2008|xp|vista|7|me).*' AND H.enabled = TRUE RETURN H" | |
} | |
] | |
}, | |
{ | |
"name": "Find users that logged in within the last 90 days", | |
"category": "User Information", | |
"queryList": [ | |
{ | |
"final": true, | |
"query": "MATCH (u:User) WHERE u.lastlogon < (datetime().epochseconds - (90 * 86400)) and NOT u.lastlogon IN [-1.0, 0.0] RETURN u" | |
} | |
] | |
}, | |
{ | |
"name": "Find users with passwords last set within the last 90 days", | |
"category": "User Information", | |
"queryList": [ | |
{ | |
"final": true, | |
"query": "MATCH (u:User) WHERE u.pwdlastset < (datetime().epochseconds - (90 * 86400)) and NOT u.pwdlastset IN [-1.0, 0.0] RETURN u" | |
} | |
] | |
}, | |
{ | |
"name": "Find constrained delegation", | |
"category": "Domain Escalation", | |
"queryList": [ | |
{ | |
"final": true, | |
"query": "MATCH p=(u:User)-[:AllowedToDelegate]->(c:Computer) RETURN p" | |
} | |
] | |
}, | |
{ | |
"name": "Find computers that allow unconstrained delegation that AREN’T domain controllers.", | |
"category": "Domain Escalation", | |
"queryList": [ | |
{ | |
"final": true, | |
"query": "MATCH (c1:Computer)-[:MemberOf*1..]->(g:Group) WHERE g.objectid ENDS WITH '-516' WITH COLLECT(c1.name) AS domainControllers MATCH (c2:Computer {unconstraineddelegation:true}) WHERE NOT c2.name IN domainControllers RETURN c2" | |
} | |
] | |
}, | |
{ | |
"name": " Return the name of every computer in the database where at least one SPN for the computer contains the string 'MSSQL'", | |
"category": "Domain Escalation", | |
"queryList": [ | |
{ | |
"final": true, | |
"query": "MATCH (c:Computer) WHERE ANY (x IN c.serviceprincipalnames WHERE toUpper(x) CONTAINS 'MSSQL') RETURN c" | |
} | |
] | |
}, | |
{ | |
"name": "View all GPOs", | |
"category": "GPO/Group Information", | |
"queryList": [ | |
{ | |
"final": true, | |
"query": "Match (n:GPO) RETURN n" | |
} | |
] | |
}, | |
{ | |
"name": "View all groups that contain the word 'admin'", | |
"category": "GPO/Group Information", | |
"queryList": [ | |
{ | |
"final": true, | |
"query": "Match (n:Group) WHERE n.name CONTAINS 'ADMIN' RETURN n" | |
} | |
] | |
}, | |
{ | |
"name": "Find users that can be AS-REP roasted", | |
"category": "Domain Escalation", | |
"queryList": [ | |
{ | |
"final": true, | |
"query": "MATCH (u:User {dontreqpreauth: true}) RETURN u" | |
} | |
] | |
}, | |
{ | |
"name": "Find All Users with an SPN/Find all Kerberoastable Users with passwords last set > 5 years ago", | |
"category": "Domain Escalation", | |
"queryList": [ | |
{ | |
"final": true, | |
"query": "MATCH (u:User) WHERE u.hasspn=true AND u.pwdlastset < (datetime().epochseconds - (1825 * 86400)) and NOT u.pwdlastset IN [-1.0, 0.0] RETURN u" | |
} | |
] | |
}, | |
{ | |
"name": "Show all high value target's groups", | |
"category": "Domain Escalation", | |
"queryList": [ | |
{ | |
"final": true, | |
"query": "MATCH p=(n:User)-[r:MemberOf*1..]->(m:Group {highvalue:true}) RETURN p" | |
} | |
] | |
}, | |
{ | |
"name": "Find groups that contain both users and computers", | |
"category": "GPO/Group Information", | |
"queryList": [ | |
{ | |
"final": true, | |
"query": "MATCH (c:Computer)-[r:MemberOf*1..]->(groupsWithComps:Group) WITH groupsWithComps MATCH (u:User)-[r:MemberOf*1..]->(groupsWithComps) RETURN DISTINCT(groupsWithComps) as groupsWithCompsAndUsers" | |
} | |
] | |
}, | |
{ | |
"name": "Find Kerberoastable users who are members of high value groups", | |
"category": "GPO/Group Information", | |
"queryList": [ | |
{ | |
"final": true, | |
"query": "MATCH (u:User)-[r:MemberOf*1..]->(g:Group) WHERE g.highvalue=true AND u.hasspn=true RETURN u" | |
} | |
] | |
}, | |
{ | |
"name": "Find Kerberoastable users and where they are AdminTo", | |
"category": "GPO/Group Information", | |
"queryList": [ | |
{ | |
"final": true, | |
"query": "OPTIONAL MATCH (u1:User) WHERE u1.hasspn=true OPTIONAL MATCH (u1)-[r:AdminTo]->(c:Computer) RETURN u1" | |
} | |
] | |
}, | |
{ | |
"name": "Find computers with constrained delegation permissions and the corresponding targets where they allowed to delegate", | |
"category": "Domain Escalation", | |
"queryList": [ | |
{ | |
"final": true, | |
"query": "MATCH (c:Computer) WHERE c.allowedtodelegate IS NOT NULL RETURN c" | |
} | |
] | |
}, | |
{ | |
"name": "Find Users/Groups with direct access to GPOs", | |
"category": "GPO/Group Information", | |
"queryList": [ | |
{ | |
"final": true, | |
"query": "MATCH p = (n)-[r:AddMember|AddSelf|WriteSPN|AddKeyCredentialLink|AllExtendedRights|ForceChangePassword|GenericAll|GenericWrite|WriteDacl|WriteOwner|Owns]->(g:GPO) RETURN p" | |
} | |
] | |
}, | |
{ | |
"name": "Find if any domain user has interesting permissions against a GPO (Warning: Heavy)", | |
"category": "GPO/Group Information", | |
"queryList": [ | |
{ | |
"final": true, | |
"query": "MATCH p=(u:User)-[r:AllExtendedRights|GenericAll|GenericWrite|Owns|WriteDacl|WriteOwner|GpLink*1..]->(g:GPO) RETURN p" | |
} | |
] | |
}, | |
{ | |
"name": "Find if unprivileged users have rights to add members into groups", | |
"category": "GPO/Group Information", | |
"queryList": [ | |
{ | |
"final": true, | |
"query": "MATCH (n:User {admincount:False}) MATCH p=allShortestPaths((n)-[r:AddMember*1..]->(m:Group)) RETURN p" | |
} | |
] | |
}, | |
{ | |
"name": "Find all users a part of the VPN group", | |
"category": "GPO/Group Information", | |
"queryList": [ | |
{ | |
"final": true, | |
"query": "Match p=(u:User)-[:MemberOf]->(g:Group) WHERE toUPPER (g.name) CONTAINS 'VPN' return p" | |
} | |
] | |
}, | |
{ | |
"name": "Find users that have never logged on and account is still active", | |
"category": "User Information", | |
"queryList": [ | |
{ | |
"final": true, | |
"query": "MATCH (n:User) WHERE n.lastlogontimestamp=-1.0 AND n.enabled=TRUE RETURN n " | |
} | |
] | |
}, | |
{ | |
"name": "Find an object in one domain that can do something to a foreign object", | |
"category": "GPO/Group Information", | |
"queryList": [ | |
{ | |
"final": true, | |
"query": "MATCH p=(n)-[r]->(m) WHERE NOT n.domain = m.domain RETURN p" | |
} | |
] | |
}, | |
{ | |
"name": "Find all sessions a user in a specific domain has", | |
"category": "User Information", | |
"requireNodeSelect": true, | |
"queryList": [ | |
{ | |
"final": false, | |
"title": "Select source domain...", | |
"query": "MATCH (n:Domain) RETURN n.name ORDER BY n.name" | |
}, | |
{ | |
"final": true, | |
"query": "MATCH p=(m:Computer)-[r:HasSession]->(n:User {domain:$result}) RETURN p", | |
"startNode": "{}", | |
"allowCollapse": false | |
} | |
] | |
}, | |
{ | |
"name": "Find an object from domain 'A' that can do anything to a foreign object", | |
"category": "User Information", | |
"requireNodeSelect": true, | |
"queryList": [ | |
{ | |
"final": false, | |
"title": "Select source domain...", | |
"query": "MATCH (n:Domain) RETURN n.name ORDER BY n.name" | |
}, | |
{ | |
"final": true, | |
"query": "MATCH p=(n {domain:$result})-[r]->(d) WHERE NOT d.domain=n.domain RETURN p", | |
"startNode": "{}", | |
"allowCollapse": false | |
} | |
] | |
}, | |
{ | |
"name": "Find All edges any owned user has on a computer", | |
"category": "User Information", | |
"queryList": [ | |
{ | |
"final": true, | |
"query": "MATCH p=shortestPath((m:User)-[r*]->(b:Computer)) WHERE m.owned RETURN p" | |
} | |
] | |
}, | |
{ | |
"name": "Find Un-Supported OS and Enabled", | |
"category": "OS Finder", | |
"queryList": [ | |
{ | |
"final": true, | |
"query": "MATCH (n:Computer) WHERE n.operatingsystem =~ '(?i).*(2000|2003|2008|xp|vista|7|me).*' AND n.enabled = true RETURN n" | |
} | |
] | |
}, | |
{ | |
"name": "Find Server 2008 with session", | |
"category": "OS Finder", | |
"queryList": [ | |
{ | |
"final": true, | |
"query": "MATCH (H:Computer)-[:HasSession]->(y) WHERE H.operatingsystem =~ '(?i).*(2008).*' RETURN H" | |
} | |
] | |
}, | |
{ | |
"name": "Find Windows XP and Enabled", | |
"category": "OS Finder", | |
"queryList": [ | |
{ | |
"final": true, | |
"query": "MATCH (H:Computer) WHERE H.operatingsystem =~ '(?i).*(xp).*' AND H.enabled = true RETURN H" | |
} | |
] | |
}, | |
{ | |
"name": "Find Windows XP with session", | |
"category": "OS Finder", | |
"queryList": [ | |
{ | |
"final": true, | |
"query": "MATCH (H:Computer)-[:HasSession]->(y) WHERE H.operatingsystem =~ '(?i).*(xp).*' RETURN H" | |
} | |
] | |
}, | |
{ | |
"name": "Find Windows 7 and Enabled", | |
"category": "OS Finder", | |
"queryList": [ | |
{ | |
"final": true, | |
"query": "MATCH (H:Computer) WHERE H.operatingsystem =~ '(?i).*(7).*' AND H.enabled = true RETURN H" | |
} | |
] | |
}, | |
{ | |
"name": "Find Windows 7 session", | |
"category": "OS Finder", | |
"queryList": [ | |
{ | |
"final": true, | |
"query": "MATCH (H:Computer)-[:HasSession]->(y) WHERE H.operatingsystem =~ '(?i).*(7).*' RETURN H" | |
} | |
] | |
}, | |
{ | |
"name": "Find Server 2012 and Enabled", | |
"category": "OS Finder", | |
"queryList": [ | |
{ | |
"final": true, | |
"query": "MATCH (H:Computer) WHERE H.operatingsystem =~ '(?i).*(2012).*' AND H.enabled = true RETURN H" | |
} | |
] | |
}, | |
{ | |
"name": "Find Server 2012 with session", | |
"category": "OS Finder", | |
"queryList": [ | |
{ | |
"final": true, | |
"query": "MATCH (H:Computer)-[:HasSession]->(y) WHERE H.operatingsystem =~ '(?i).*(2012).*' RETURN H" | |
} | |
] | |
}, | |
{ | |
"name": "Find Server 2016 and Enabled", | |
"category": "OS Finder", | |
"queryList": [ | |
{ | |
"final": true, | |
"query": "MATCH (H:Computer) WHERE H.operatingsystem =~ '(?i).*(2016).*' AND H.enabled = true RETURN H" | |
} | |
] | |
}, | |
{ | |
"name": "Find Server 2016 with session", | |
"category": "OS Finder", | |
"queryList": [ | |
{ | |
"final": true, | |
"query": "MATCH (H:Computer)-[:HasSession]->(y) WHERE H.operatingsystem =~ '(?i).*(2016).*' RETURN H" | |
} | |
] | |
}, | |
{ | |
"name": "Find Server 2019 and Enabled", | |
"category": "OS Finder", | |
"queryList": [ | |
{ | |
"final": true, | |
"query": "MATCH (H:Computer) WHERE H.operatingsystem =~ '(?i).*(2019).*' AND H.enabled = true RETURN H" | |
} | |
] | |
}, | |
{ | |
"name": "Find Server 2019 with session", | |
"category": "OS Finder", | |
"queryList": [ | |
{ | |
"final": true, | |
"query": "MATCH (H:Computer)-[:HasSession]->(y) WHERE H.operatingsystem =~ '(?i).*(2019).*' RETURN H" | |
} | |
] | |
}, | |
{ | |
"name": "All Users with a homedirectory", | |
"category": "User Information", | |
"queryList": [ | |
{ | |
"final": true, | |
"query": "MATCH p = (d:Domain)-[r:Contains*1..]->(u:User) WHERE u.homedirectory =~ '(?i).*.*' RETURN p" | |
} | |
] | |
}, | |
{ | |
"name": "All Computers without LAPS - with session", | |
"category": "User Information", | |
"queryList": [ | |
{ | |
"final": true, | |
"query": "MATCH p = (d:Domain)-[r:Contains*1..]->(c:Computer)-[:HasSession]->(y) WHERE c.haslaps = false RETURN p" | |
} | |
] | |
}, | |
{ | |
"name": "All enabled computers with a description", | |
"category": "User Information", | |
"queryList": [ | |
{ | |
"final": true, | |
"query": "MATCH p = (d:Domain)-[r:Contains*1..]->(c:Computer) WHERE c.description =~ '(?i).*.*' RETURN p" | |
} | |
] | |
}, | |
{ | |
"name": "All enabled computers with a description containing the word file", | |
"category": "User Information", | |
"queryList": [ | |
{ | |
"final": true, | |
"query": "MATCH p = (d:Domain)-[r:Contains*1..]->(c:Computer) WHERE c.description =~ '(?i).*file.*' RETURN p" | |
} | |
] | |
}, | |
{ | |
"name": "Locate enabled accounts with a display name containing 'admin' - substitute any name you like", | |
"category": "User Information", | |
"queryList": [ | |
{ | |
"final": true, | |
"query": "MATCH p = (d:Domain)-[r:Contains*1..]->(u:User) WHERE u.displayname =~ '(?i).*admin*' AND u.enabled = true RETURN p" | |
} | |
] | |
}, | |
{ | |
"name": "Find all users with passwords set over 720 days ago (23 months)", | |
"category": "Password Last Set", | |
"queryList": [ | |
{ | |
"final": true, | |
"query": "MATCH (u:User) WHERE u.enabled=true AND u.pwdlastset < (datetime().epochseconds - (720 * 86400)) and NOT u.pwdlastset IN [-1.0, 0.0] RETURN u" | |
} | |
] | |
}, | |
{ | |
"name": "Find all users with passwords set over 1440 days ago (47 months)", | |
"category": "Password Last Set", | |
"queryList": [ | |
{ | |
"final": true, | |
"query": "MATCH (u:User) WHERE u.enabled=true AND u.pwdlastset < (datetime().epochseconds - (1440 * 86400)) and NOT u.pwdlastset IN [-1.0, 0.0] RETURN u" | |
} | |
] | |
}, | |
{ | |
"name": "Find all Domain Admins (nested SID S-1-5-21-.*-512) having a session opened on a domain computer", | |
"category": "User Information", | |
"queryList": [ | |
{ | |
"final": true, | |
"query": "MATCH (m:User)-[r:MemberOf*1..]->(n:Group) WHERE n.objectid =~ '(?i)S-1-5-.*-512' WITH m MATCH q=((m)<-[:HasSession]-(o:Computer)) RETURN q" | |
} | |
] | |
}, | |
{ | |
"name": "Find users that have never logged on and account is still active", | |
"category": "Password Last Set", | |
"queryList": [ | |
{ | |
"final": true, | |
"query": "MATCH (n:User) WHERE n.lastlogontimestamp=-1.0 AND n.enabled=TRUE RETURN n " | |
} | |
] | |
}, | |
{ | |
"name": "Find users that haven't logged on in 720 days and account is still active", | |
"category": "Password Last Set", | |
"queryList": [ | |
{ | |
"final": true, | |
"query": "MATCH (n:User) WHERE n.lastlogontimestamp < (datetime().epochseconds - (720 * 86400)) AND n.enabled=TRUE RETURN n " | |
} | |
] | |
}, | |
{ | |
"name": "Search for keywords in users' title, such as scientist or Executive - tweak as required", | |
"category": "User Information", | |
"queryList": [ | |
{ | |
"final": true, | |
"query": "MATCH p = (d:Domain)-[r:Contains*1..]->(u:User) WHERE u.title =~ '(?i).*scientist*' AND u.enabled = true RETURN p" | |
} | |
] | |
}, | |
{ | |
"name": "List Computers where DOMAIN USERS are Local Admin", | |
"queryList": [ | |
{ | |
"final": false, | |
"title": "Select a Domain Users Group...", | |
"query": "MATCH (n:Group) WHERE n.name STARTS WITH 'DOMAIN USERS' RETURN n.name ORDER BY n.name DESC" | |
}, | |
{ | |
"final": true, | |
"query": "MATCH p=(m:Group {name:{result}})-[:AdminTo]->(n:Computer) RETURN p", | |
"allowCollapse": true | |
} | |
] | |
}, | |
{ | |
"name": "Shortest Path from DOMAIN USERS to High Value Targets", | |
"queryList": [ | |
{ | |
"final": false, | |
"title": "Select a Domain Users Group...", | |
"query": "MATCH (n:Group) WHERE n.name STARTS WITH 'DOMAIN USERS' RETURN n.name ORDER BY n.name DESC" | |
}, | |
{ | |
"final": true, | |
"query": "MATCH p=shortestPath((g:Group {name:{result}})-[*1..]->(n {highvalue:true})) WHERE g.name STARTS WITH 'DOMAIN USERS' return p", | |
"allowCollapse": true | |
} | |
] | |
}, | |
{ | |
"name": "All Paths from DOMAIN USERS to High Value Targets", | |
"queryList": [ | |
{ | |
"final": false, | |
"title": "Select a Domain Users Group...", | |
"query": "MATCH (n:Group) WHERE n.name STARTS WITH 'DOMAIN USERS' RETURN n.name ORDER BY n.name DESC" | |
}, | |
{ | |
"final": true, | |
"query": "MATCH p=shortestPath((g:Group {name:{result}})-[*1..]->(n {highvalue:true})) return p", | |
"allowCollapse": true | |
} | |
] | |
}, | |
{ | |
"name": "Find Workstations where DOMAIN USERS can RDP To", | |
"queryList": [ | |
{ | |
"final": false, | |
"title": "Select a Domain Users Group...", | |
"query": "MATCH (n:Group) WHERE n.name STARTS WITH 'DOMAIN USERS' RETURN n.name ORDER BY n.name DESC" | |
}, | |
{ | |
"final": true, | |
"query": "match p=(g:Group {name:{result}})-[:CanRDP]->(c:Computer) where NOT c.operatingsystem CONTAINS 'Server' return p", | |
"allowCollapse": true | |
} | |
] | |
}, | |
{ | |
"name": "Find Servers where DOMAIN USERS can RDP To", | |
"queryList": [ | |
{ | |
"final": false, | |
"title": "Select a Domain Users Group...", | |
"query": "MATCH (n:Group) WHERE n.name STARTS WITH 'DOMAIN USERS' RETURN n.name ORDER BY n.name DESC" | |
}, | |
{ | |
"final": true, | |
"query": "MATCH p=(g:Group {name:{result}})-[:CanRDP]->(c:Computer) WHERE c.operatingsystem CONTAINS 'Server' return p", | |
"allowCollapse": false | |
} | |
] | |
}, | |
{ | |
"name": "Find all other Rights DOMAIN USERS shouldn’t have", | |
"queryList": [ | |
{ | |
"final": false, | |
"title": "Select a Domain Users Group...", | |
"query": "MATCH (n:Group) WHERE n.name STARTS WITH 'DOMAIN USERS' RETURN n.name ORDER BY n.name DESC" | |
}, | |
{ | |
"final": true, | |
"query": "MATCH p=(m:Group)-[r:Owns|:WriteDacl|:GenericAll|:WriteOwner|:ExecuteDCOM|:GenericWrite|:AllowedToDelegate|:ForceChangePassword]->(n:Computer) WHERE m.name STARTS WITH 'DOMAIN USERS' RETURN p", | |
"allowCollapse": true | |
} | |
] | |
}, | |
{ | |
"name": "Kerberoastable Accounts member of High Value Group", | |
"queryList": [ | |
{ | |
"final": true, | |
"query": "MATCH p=shortestPath((n:User)-[r:MemberOf]->(g:Group)) WHERE g.highvalue=true AND n.hasspn=true RETURN p", | |
"allowCollapse": true | |
} | |
] | |
}, | |
{ | |
"name": "Kerberoastable Users with most privileges", | |
"queryList": [ | |
{ | |
"final": true, | |
"query": "MATCH (u:User {hasspn:true}) OPTIONAL MATCH (u)-[:AdminTo]->(c1:Computer) OPTIONAL MATCH (u)-[:MemberOf*1..]->(:Group)-[:AdminTo]->(c2:Computer) WITH u,COLLECT(c1) + COLLECT(c2) AS tempVar UNWIND tempVar AS comps RETURN u.name,COUNT(DISTINCT(comps)) ORDER BY COUNT(DISTINCT(comps)) DESC", | |
"allowCollapse": true | |
} | |
] | |
}, | |
{ | |
"name": "DA Account Sessions to NON DC", | |
"queryList": [ | |
{ | |
"final": true, | |
"query": "MATCH (c:Computer)-[:MemberOf]->(t:Group) WHERE NOT t.name STARTS WITH 'DOMAIN CONTROLLERS' WITH c as NonDC MATCH p=(NonDC)-[:HasSession]->(n:User)-[:MemberOf]-> (g:Group) WHERE g.name STARTS WITH 'DOMAIN ADMINS' RETURN p", | |
"allowCollapse": true | |
} | |
] | |
}, | |
{ | |
"name": "Find unsupported OSs", | |
"queryList": [ | |
{ | |
"final": true, | |
"query": "MATCH (n:Computer) WHERE n.operatingsystem =~ '(?i).(2000|2003|2008|xp|vista|7|me).' RETURN n", | |
"allowCollapse": true | |
} | |
] | |
}, | |
{ | |
"name": "Find AS-REP Roasting users (no kerberos pre-authentication)", | |
"queryList": [ | |
{ | |
"final": true, | |
"query": "MATCH (u:User {dontreqpreauth: true}) RETURN u", | |
"allowCollapse": true | |
} | |
] | |
}, | |
{ | |
"name": "[WIP] Users with Most Local Admin Rights", | |
"category": "Top 10", | |
"queryList": [ | |
{ | |
"final": false, | |
"title": "Select source domain", | |
"query": "MATCH (n:Domain) RETURN n.name ORDER BY n.name" | |
}, | |
{ | |
"final": true, | |
"query": "MATCH (n:User {domain: $result}),(m:Computer), (n)-[r:AdminTo]->(m) WHERE NOT n.name STARTS WITH 'ANONYMOUS LOGON' AND NOT n.name='' WITH n, count(r) as rel_count order by rel_count desc LIMIT 10 MATCH p=(m)<-[r:AdminTo]-(n) RETURN p", | |
"allowCollapse": true | |
} | |
] | |
}, | |
{ | |
"name": "[WIP] Computers with Most Sessions [Required: sessions]", | |
"category": "Top 10", | |
"queryList": [ | |
{ | |
"final": false, | |
"title": "Select source domain", | |
"query": "MATCH (n:Domain) RETURN n.name ORDER BY n.name" | |
}, | |
{ | |
"final": true, | |
"query": "MATCH (n:User {domain: $result}),(m:Computer), (n)-[r:AdminTo]->(m) WHERE NOT n.name STARTS WITH 'ANONYMOUS LOGON' AND NOT n.name='' WITH n, count(r) as rel_count order by rel_count desc LIMIT 10 MATCH p=(m)<-[r:AdminTo]-(n) RETURN p", | |
"allowCollapse": true | |
} | |
] | |
}, | |
{ | |
"name": "[WIP] Users with Most Sessions [Required: sessions]", | |
"category": "Top 10", | |
"queryList": [ | |
{ | |
"final": false, | |
"title": "Select source domain", | |
"query": "MATCH (n:Domain) RETURN n.name ORDER BY n.name" | |
}, | |
{ | |
"final": true, | |
"query": "MATCH (n:User {domain: $result}),(m:Computer), (n)<-[r:HasSession]-(m) WHERE NOT n.name STARTS WITH 'ANONYMOUS LOGON' AND NOT n.name='' WITH n, count(r) as rel_count order by rel_count desc LIMIT 10 MATCH p=(m)-[r:HasSession]->(n) RETURN p", | |
"allowCollapse": true | |
} | |
] | |
}, | |
{ | |
"name": "List non-privileged user(s) with dangerous permissions to any node type", | |
"category": "Top 10", | |
"queryList": [ | |
{ | |
"final": false, | |
"title": "Select source domain", | |
"query": "MATCH (n:Domain) RETURN n.name ORDER BY n.name" | |
}, | |
{ | |
"final": true, | |
"query": "MATCH (u:User {enabled: true, admincount: false, domain: $result})-[r]->(a) RETURN u, COUNT(DISTINCT type(r)) AS permissions ORDER BY permissions DESC LIMIT 10", | |
"allowCollapse": true | |
} | |
] | |
}, | |
{ | |
"name": "Route non-privileged user(s) with dangerous permissions to any node type", | |
"category": "Top 10", | |
"queryList": [ | |
{ | |
"final": false, | |
"title": "Select source domain", | |
"query": "MATCH (n:Domain) RETURN n.name ORDER BY n.name" | |
}, | |
{ | |
"final": true, | |
"query": "MATCH (u:User {enabled: true, admincount: false, domain: $result})-[r]->(a) WITH u, COUNT(DISTINCT type(r)) AS permissions ORDER BY permissions DESC LIMIT 10 MATCH p=allshortestpaths((u)-[r]->(a)) WHERE NOT u = a RETURN p", | |
"allowCollapse": true | |
} | |
] | |
}, | |
{ | |
"name": "[WIP] Users with most cross-domain sessions [Required: sessions]", | |
"category": "Top 10", | |
"queryList": [ | |
{ | |
"final": false, | |
"title": "Select source domain", | |
"query": "MATCH (n:Domain) RETURN n.name ORDER BY n.name" | |
}, | |
{ | |
"final": true, | |
"query": "MATCH p=(g1:Group)<-[:MemberOf*1..]-(u:User {enabled:true, domain: $result})<-[r:HasSession]-(c:Computer) WHERE NOT u.domain = c.domain WITH u, count(r) as rel_count order by rel_count desc LIMIT 10 MATCH p=(c:Computer)-[r:HasSession]->(u) WHERE NOT u.domain = c.domain RETURN p ORDER BY c.name", | |
"allowCollapse": false | |
} | |
] | |
}, | |
{ | |
"name": "List high value target(s)", | |
"category": "Domain / Macro", | |
"queryList": [ | |
{ | |
"final": false, | |
"title": "Select source domain", | |
"query": "MATCH (n:Domain) RETURN n.name ORDER BY n.name" | |
}, | |
{ | |
"final": true, | |
"query": "MATCH (a {highvalue: true, domain: $result}) RETURN a", | |
"allowCollapse": false | |
} | |
] | |
}, | |
{ | |
"name": "List domain(s)", | |
"category": "Domain / Macro", | |
"queryList": [ | |
{ | |
"final": true, | |
"query": "MATCH (d:Domain) RETURN d", | |
"allowCollapse": false | |
} | |
] | |
}, | |
{ | |
"name": "List domain trust(s)", | |
"category": "Domain / Macro", | |
"queryList": [ | |
{ | |
"final": true, | |
"query": "MATCH p=(n:Domain)-->(m:Domain) RETURN p" | |
} | |
] | |
}, | |
{ | |
"name": "List enabled user(s)", | |
"category": "Domain / Macro", | |
"queryList": [ | |
{ | |
"final": false, | |
"title": "Select source domain", | |
"query": "MATCH (n:Domain) RETURN n.name ORDER BY n.name" | |
}, | |
{ | |
"final": true, | |
"query": "MATCH (u:User {enabled:true, domain: $result}) RETURN u" | |
} | |
] | |
}, | |
{ | |
"name": "List enabled user(s) with an email address", | |
"category": "Domain / Macro", | |
"queryList": [ | |
{ | |
"final": false, | |
"title": "Select source domain", | |
"query": "MATCH (n:Domain) RETURN n.name ORDER BY n.name" | |
}, | |
{ | |
"final": true, | |
"query": "MATCH (u:User {enabled:true, domain: $result}) WHERE exists(u.email) RETURN u" | |
} | |
] | |
}, | |
{ | |
"name": "List non-managed service account(s)", | |
"category": "Domain / Macro", | |
"queryList": [ | |
{ | |
"final": false, | |
"title": "Select source domain", | |
"query": "MATCH (n:Domain) RETURN n.name ORDER BY n.name" | |
}, | |
{ | |
"final": true, | |
"query": "MATCH (u:User {hasspn:true, domain: $result}) WHERE NOT u.name CONTAINS '$' AND NOT u.name CONTAINS 'KRBTGT' RETURN u" | |
} | |
] | |
}, | |
{ | |
"name": "List enabled principal(s) with \"Unconstrained Delegation\"", | |
"category": "Domain / Macro", | |
"queryList": [ | |
{ | |
"final": false, | |
"title": "Select source domain", | |
"query": "MATCH (n:Domain) RETURN n.name ORDER BY n.name" | |
}, | |
{ | |
"final": true, | |
"query": "MATCH (a {unconstraineddelegation: true, enabled: true, domain: $result}) RETURN a", | |
"allowCollapse": false | |
} | |
] | |
}, | |
{ | |
"name": "List domain controller(s)", | |
"category": "Domain / Macro", | |
"queryList": [ | |
{ | |
"final": false, | |
"title": "Select source domain", | |
"query": "MATCH (n:Domain) RETURN n.name ORDER BY n.name" | |
}, | |
{ | |
"final": true, | |
"query": "MATCH (c:Computer {domain: $result})-[:MemberOf]->(g:Group) WHERE g.samaccountname CONTAINS 'Domain Controllers' RETURN c", | |
"allowCollapse": false | |
} | |
] | |
}, | |
{ | |
"name": "List Certificate Authority server(s) [Required: Certipy]", | |
"category": "Domain / Macro", | |
"queryList": [ | |
{ | |
"final": false, | |
"title": "Select source domain", | |
"query": "MATCH (n:Domain) RETURN n.name ORDER BY n.name" | |
}, | |
{ | |
"final": true, | |
"query": "MATCH (n:GPO {type:'Enrollment Service', domain: $result}) RETURN n" | |
} | |
] | |
}, | |
{ | |
"name": "[WIP] List privileges for Certificate Authority server(s) [Required: Certipy]", | |
"category": "Domain / Macro", | |
"queryList": [ | |
{ | |
"final": false, | |
"title": "Select source domain", | |
"query": "MATCH (n:Domain) RETURN n.name ORDER BY n.name" | |
}, | |
{ | |
"final": false, | |
"title": "Select a Certificate Authority...", | |
"query": "MATCH (n:GPO {type:'Enrollment Service', domain: $result}) RETURN n.name" | |
}, | |
{ | |
"final": true, | |
"query": "MATCH p=(g)-[:ManageCa|ManageCertificates|Auditor|Operator|Read|Enroll]->(n:GPO {name:$result}) return p", | |
"allowCollapse": false | |
} | |
] | |
}, | |
{ | |
"name": "List all Certificate Template(s) [Required: Certipy]", | |
"category": "Domain / Macro", | |
"queryList": [ | |
{ | |
"final": false, | |
"title": "Select source domain", | |
"query": "MATCH (n:Domain) RETURN n.name ORDER BY n.name" | |
}, | |
{ | |
"final": true, | |
"query": "MATCH (n:GPO {type:'Certificate Template', domain: $result}) RETURN n" | |
} | |
] | |
}, | |
{ | |
"name": "Find enabled Certificate Template(s) [Required: Certipy]", | |
"category": "Domain / Macro", | |
"queryList": [ | |
{ | |
"final": false, | |
"title": "Select source domain", | |
"query": "MATCH (n:Domain) RETURN n.name ORDER BY n.name" | |
}, | |
{ | |
"final": true, | |
"query": "MATCH (n:GPO {enabled:true, type:'Certificate Template', domain: $result}) RETURN n" | |
} | |
] | |
}, | |
{ | |
"name": "[WIP] List all Enrollment Right(s) for Certificate Template(s)", | |
"category": "Domain / Macro", | |
"queryList": [ | |
{ | |
"final": false, | |
"title": "Select source domain", | |
"query": "MATCH (n:Domain) RETURN n.name ORDER BY n.name" | |
}, | |
{ | |
"final": false, | |
"title": "Select a Certificate Template...", | |
"query": "MATCH (n:GPO {type:'Certificate Template', domain: $result}) RETURN n.name" | |
}, | |
{ | |
"final": true, | |
"query": "MATCH p=(g)-[:Enroll|AutoEnroll]->(n:GPO {name:$result, type:'Certificate Template'}) return p", | |
"allowCollapse": false | |
} | |
] | |
}, | |
{ | |
"name": "List computer(s) WITHOUT LAPS", | |
"category": "Domain / Macro", | |
"queryList": [ | |
{ | |
"final": false, | |
"title": "Select source domain", | |
"query": "MATCH (n:Domain) RETURN n.name ORDER BY n.name" | |
}, | |
{ | |
"final": true, | |
"query": "MATCH (c:Computer {haslaps:false, domain: $result}) RETURN c ORDER BY c.name", | |
"allowCollapse": false | |
} | |
] | |
}, | |
{ | |
"name": "List network share(s), ignoring SYSVOL", | |
"category": "Domain / Macro", | |
"requireNodeSelect": true, | |
"queryList": [ | |
{ | |
"final": false, | |
"title": "Select source domain", | |
"query": "MATCH (n:Domain) RETURN n.name ORDER BY n.name" | |
}, | |
{ | |
"final": true, | |
"query": "MATCH (a {domain: $result}) WHERE (any(prop in keys(a) where a[prop] contains '\\\\' and not a[prop] contains 'SYSVOL')) RETURN a" | |
} | |
] | |
}, | |
{ | |
"name": "List all group(s)", | |
"category": "Domain / Macro", | |
"queryList": [ | |
{ | |
"final": false, | |
"title": "Select source domain", | |
"query": "MATCH (n:Domain) RETURN n.name ORDER BY n.name" | |
}, | |
{ | |
"final": true, | |
"query": "Match (g:Group {domain: $result}) RETURN g" | |
} | |
] | |
}, | |
{ | |
"name": "List all GPO(s)", | |
"category": "Domain / Macro", | |
"queryList": [ | |
{ | |
"final": false, | |
"title": "Select source domain", | |
"query": "MATCH (n:Domain) RETURN n.name ORDER BY n.name" | |
}, | |
{ | |
"final": true, | |
"query": "Match (g:GPO {domain: $result}) RETURN g" | |
} | |
] | |
}, | |
{ | |
"name": "List all principal(s) with \"Local Admin\" permission", | |
"category": "Domain / Macro", | |
"requireNodeSelect": true, | |
"queryList": [ | |
{ | |
"final": false, | |
"title": "Select source domain", | |
"query": "MATCH (n:Domain) RETURN n.name ORDER BY n.name" | |
}, | |
{ | |
"final": true, | |
"query": "MATCH p=(a {domain: $result})-[:MemberOf|AdminTo*1..]->(c:Computer) RETURN p" | |
} | |
] | |
}, | |
{ | |
"name": "List all principal(s) with \"RDP\" permission", | |
"category": "Domain / Macro", | |
"requireNodeSelect": true, | |
"queryList": [ | |
{ | |
"final": false, | |
"title": "Select source domain", | |
"query": "MATCH (n:Domain) RETURN n.name ORDER BY n.name" | |
}, | |
{ | |
"final": true, | |
"query": "MATCH p=(a {domain: $result})-[:MemberOf|CanRDP*1..]->(c:Computer) RETURN p" | |
} | |
] | |
}, | |
{ | |
"name": "List all principal(s) with \"SQLAdmin\" permission", | |
"category": "Domain / Macro", | |
"requireNodeSelect": true, | |
"queryList": [ | |
{ | |
"final": false, | |
"title": "Select source domain", | |
"query": "MATCH (n:Domain) RETURN n.name ORDER BY n.name" | |
}, | |
{ | |
"final": true, | |
"query": "MATCH p=(a {domain: $result})-[:MemberOf|SQLAdmin*1..]->(c:Computer) RETURN p" | |
} | |
] | |
}, | |
{ | |
"name": "List all user session(s) [Required: sessions]", | |
"category": "Domain / Macro", | |
"requireNodeSelect": true, | |
"queryList": [ | |
{ | |
"final": false, | |
"title": "Select source domain", | |
"query": "MATCH (n:Domain) RETURN n.name ORDER BY n.name" | |
}, | |
{ | |
"final": true, | |
"query": "MATCH p=(u:User {domain: $result})<-[r:HasSession]-(c:Computer) RETURN p", | |
"allowCollapse": false | |
} | |
] | |
}, | |
{ | |
"name": "List all user(s) with description field", | |
"category": "Domain / Macro", | |
"requireNodeSelect": true, | |
"queryList": [ | |
{ | |
"final": false, | |
"title": "Select source domain", | |
"query": "MATCH (n:Domain) RETURN n.name ORDER BY n.name" | |
}, | |
{ | |
"final": true, | |
"query": "MATCH (u:User {domain: $result}) WHERE u.description IS NOT null return u" | |
} | |
] | |
}, | |
{ | |
"name": "List all enabled user(s) with \"userpassword\" attribute", | |
"category": "Domain / Macro", | |
"requireNodeSelect": true, | |
"queryList": [ | |
{ | |
"final": false, | |
"title": "Select source domain", | |
"query": "MATCH (n:Domain) RETURN n.name ORDER BY n.name" | |
}, | |
{ | |
"final": true, | |
"query": "MATCH (u:User {enabled:true, domain: $result}) WHERE u.userpassword IS NOT null RETURN u" | |
} | |
] | |
}, | |
{ | |
"name": "List all enabled user(s) with \"password never expires\" attribute", | |
"category": "Domain / Macro", | |
"requireNodeSelect": true, | |
"queryList": [ | |
{ | |
"final": false, | |
"title": "Select source domain", | |
"query": "MATCH (n:Domain) RETURN n.name ORDER BY n.name" | |
}, | |
{ | |
"final": true, | |
"query": "MATCH (u:User {pwdneverexpires:true, enabled:true, domain: $result}) return u" | |
} | |
] | |
}, | |
{ | |
"name": "List all enabled user(s) with \"password never expires\" attribute and not changed in last year", | |
"category": "Domain / Macro", | |
"requireNodeSelect": true, | |
"queryList": [ | |
{ | |
"final": false, | |
"title": "Select source domain", | |
"query": "MATCH (n:Domain) RETURN n.name ORDER BY n.name" | |
}, | |
{ | |
"final": true, | |
"query": "MATCH (u:User {enabled:true, domain: $result}) WHERE u.pwdneverexpires=TRUE AND u.pwdlastset < (datetime().epochseconds - (365 * 86400)) and NOT u.pwdlastset IN [-1.0, 0.0] return u" | |
} | |
] | |
}, | |
{ | |
"name": "List all enabled user(s) with \"don't require passwords\" attribute", | |
"category": "Domain / Macro", | |
"requireNodeSelect": true, | |
"queryList": [ | |
{ | |
"final": false, | |
"title": "Select source domain", | |
"query": "MATCH (n:Domain) RETURN n.name ORDER BY n.name" | |
}, | |
{ | |
"final": true, | |
"query": "MATCH (u:User {passwordnotreqd:true, enabled:true, domain: $result}) return u" | |
} | |
] | |
}, | |
{ | |
"name": "List all enabled user(s) that have never logged in", | |
"category": "Domain / Macro", | |
"queryList": [ | |
{ | |
"final": false, | |
"title": "Select source domain", | |
"query": "MATCH (n:Domain) RETURN n.name ORDER BY n.name" | |
}, | |
{ | |
"final": true, | |
"query": "MATCH (u:User {enabled:true, domain: $result}) WHERE u.lastlogontimestamp=-1.0 RETURN u" | |
} | |
] | |
}, | |
{ | |
"name": "List all enabled user(s) that have not logged in within the last 90 days", | |
"category": "Domain / Macro", | |
"queryList": [ | |
{ | |
"final": false, | |
"title": "Select source domain", | |
"query": "MATCH (n:Domain) RETURN n.name ORDER BY n.name" | |
}, | |
{ | |
"final": true, | |
"query": "MATCH (u:User {enabled:true, domain: $result}) WHERE u.lastlogon < (datetime().epochseconds - (90 * 86400)) and NOT u.lastlogon IN [-1.0, 0.0] RETURN u" | |
} | |
] | |
}, | |
{ | |
"name": "List all enabled user(s) that have not set a password within the last 90 days", | |
"category": "Domain / Macro", | |
"queryList": [ | |
{ | |
"final": false, | |
"title": "Select source domain", | |
"query": "MATCH (n:Domain) RETURN n.name ORDER BY n.name" | |
}, | |
{ | |
"final": true, | |
"query": "MATCH (u:User {enabled:true, domain: $result}) WHERE u.pwdlastset < (datetime().epochseconds - (90 * 86400)) and NOT u.pwdlastset IN [-1.0, 0.0] RETURN u" | |
} | |
] | |
}, | |
{ | |
"name": "List all owned user(s)", | |
"category": "Owned", | |
"queryList": [ | |
{ | |
"final": false, | |
"title": "Select source domain", | |
"query": "MATCH (n:Domain) RETURN n.name ORDER BY n.name" | |
}, | |
{ | |
"final": true, | |
"query": "MATCH (u:User {owned:true, domain: $result}) RETURN u" | |
} | |
] | |
}, | |
{ | |
"name": "List all owned & enabled user(s)", | |
"category": "Owned", | |
"queryList": [ | |
{ | |
"final": false, | |
"title": "Select source domain", | |
"query": "MATCH (n:Domain) RETURN n.name ORDER BY n.name" | |
}, | |
{ | |
"final": true, | |
"query": "MATCH (u:User {owned:true, enabled:true, domain: $result}) RETURN u" | |
} | |
] | |
}, | |
{ | |
"name": "List all owned & enabled user(s) with an email address", | |
"category": "Owned", | |
"queryList": [ | |
{ | |
"final": false, | |
"title": "Select source domain", | |
"query": "MATCH (n:Domain) RETURN n.name ORDER BY n.name" | |
}, | |
{ | |
"final": true, | |
"query": "MATCH (u:User {owned:true, enabled:true, domain: $result}) WHERE exists(u.email) RETURN u" | |
} | |
] | |
}, | |
{ | |
"name": "List all owned & enabled user(s) with \"Local Admin\" permission, and any active sessions and their group membership(s)", | |
"category": "Owned", | |
"requireNodeSelect": true, | |
"queryList": [ | |
{ | |
"final": false, | |
"title": "Select source domain", | |
"query": "MATCH (n:Domain) RETURN n.name ORDER BY n.name" | |
}, | |
{ | |
"final": true, | |
"query": "MATCH p=(u:User {owned:true, enabled: true, domain: $result})-[:MemberOf|AdminTo*1..]->(c:Computer) OPTIONAL MATCH p2=(c)-[:HasSession]->(u2:User) OPTIONAL MATCH p3=(u2:User)-[:MemberOf*1..]->(:Group) RETURN p, p2, p3", | |
"allowCollapse": false | |
} | |
] | |
}, | |
{ | |
"name": "List all owned & enabled user(s) with \"RDP\" permission, and any active sessions and their group membership(s)", | |
"category": "Owned", | |
"requireNodeSelect": true, | |
"queryList": [ | |
{ | |
"final": false, | |
"title": "Select source domain", | |
"query": "MATCH (n:Domain) RETURN n.name ORDER BY n.name" | |
}, | |
{ | |
"final": true, | |
"query": "MATCH p=(u:User {owned:true, enabled: true, domain: $result})-[:MemberOf|CanRDP*1..]->(c:Computer) OPTIONAL MATCH p2=(c)-[:HasSession]->(u2:User) OPTIONAL MATCH p3=(u2:User)-[:MemberOf*1..]->(:Group) RETURN p, p2, p3", | |
"allowCollapse": false | |
} | |
] | |
}, | |
{ | |
"name": "List all owned & enabled user(s) with \"SQLAdmin\" permission", | |
"category": "Owned", | |
"requireNodeSelect": true, | |
"queryList": [ | |
{ | |
"final": false, | |
"title": "Select source domain", | |
"query": "MATCH (n:Domain) RETURN n.name ORDER BY n.name" | |
}, | |
{ | |
"final": true, | |
"query": "MATCH p=(u:User {owned:true, enabled: true, domain: $result})-[:MemberOf|SQLAdmin*1..]->(c:Computer) RETURN p" | |
} | |
] | |
}, | |
{ | |
"name": "List all owned computer(s)", | |
"category": "Owned", | |
"queryList": [ | |
{ | |
"final": false, | |
"title": "Select source domain", | |
"query": "MATCH (n:Domain) RETURN n.name ORDER BY n.name" | |
}, | |
{ | |
"final": true, | |
"query": "MATCH (c:Computer {owned:true, domain: $result}) RETURN c ORDER BY c.name" | |
} | |
] | |
}, | |
{ | |
"name": "Route all owned & enabled group membership(s)", | |
"category": "Owned", | |
"queryList": [ | |
{ | |
"final": false, | |
"title": "Select source domain", | |
"query": "MATCH (n:Domain) RETURN n.name ORDER BY n.name" | |
}, | |
{ | |
"final": true, | |
"query": "MATCH p=(u:User {owned:true, enabled:true, domain: $result})-[:MemberOf*1..]->(g:Group) RETURN p", | |
"allowCollapse": false | |
} | |
] | |
}, | |
{ | |
"name": "Route all owned & enabled non-privileged group(s) membership", | |
"category": "Owned", | |
"queryList": [ | |
{ | |
"final": false, | |
"title": "Select source domain", | |
"query": "MATCH (n:Domain) RETURN n.name ORDER BY n.name" | |
}, | |
{ | |
"final": true, | |
"query": "MATCH p=(u:User {owned:true, enabled:true, domain: $result})-[:MemberOf*1..]->(g:Group {admincount:false}) RETURN p", | |
"allowCollapse": false | |
} | |
] | |
}, | |
{ | |
"name": "Route all owned & enabled privileged group(s) membership", | |
"category": "Owned", | |
"queryList": [ | |
{ | |
"final": false, | |
"title": "Select source domain", | |
"query": "MATCH (n:Domain) RETURN n.name ORDER BY n.name" | |
}, | |
{ | |
"final": true, | |
"query": "MATCH p=(u:User {owned:true, enabled:true, domain: $result})-[:MemberOf*1..]->(g:Group {admincount:true}) RETURN p", | |
"allowCollapse": false | |
} | |
] | |
}, | |
{ | |
"name": "Route all owned & enabled user(s) with Dangerous Rights to any node type", | |
"category": "Owned", | |
"queryList": [ | |
{ | |
"final": false, | |
"title": "Select source domain", | |
"query": "MATCH (n:Domain) RETURN n.name ORDER BY n.name" | |
}, | |
{ | |
"final": true, | |
"query": "MATCH p=allshortestpaths((u:User {owned:true, enabled:true, domain: $result})-[:MemberOf|Owns|WriteDacl|GenericAll|WriteOwner|ExecuteDCOM|AllowedToDelegate|ForceChangePassword|AdminTo*1..]->(a)) WHERE NOT a = u RETURN p", | |
"allowCollapse": true | |
} | |
] | |
}, | |
{ | |
"name": "Route all owned & enabled user(s) with Dangerous Rights to group(s)", | |
"category": "Owned", | |
"queryList": [ | |
{ | |
"final": false, | |
"title": "Select source domain", | |
"query": "MATCH (n:Domain) RETURN n.name ORDER BY n.name" | |
}, | |
{ | |
"final": true, | |
"query": "MATCH p=allshortestpaths((u:User {owned:true, enabled:true, domain: $result})-[:MemberOf|Owns|WriteDacl|GenericAll|WriteOwner|ExecuteDCOM|AllowedToDelegate|ForceChangePassword|AdminTo*1..]->(:Group))RETURN p", | |
"allowCollapse": true | |
} | |
] | |
}, | |
{ | |
"name": "Route all owned & enabled user(s) with Dangerous Rights to user(s)", | |
"category": "Owned", | |
"queryList": [ | |
{ | |
"final": false, | |
"title": "Select source domain", | |
"query": "MATCH (n:Domain) RETURN n.name ORDER BY n.name" | |
}, | |
{ | |
"final": true, | |
"query": "MATCH p=allshortestpaths((o:User {owned:true, enabled:true, domain: $result})-[:MemberOf|Owns|WriteDacl|GenericAll|WriteOwner|ExecuteDCOM|AllowedToDelegate|ForceChangePassword|AdminTo*1..]->(u:User)) WHERE NOT o = u RETURN p", | |
"allowCollapse": true | |
} | |
] | |
}, | |
{ | |
"name": "Route from owned & enabled user(s) to all principals with \"Unconstrained Delegation\"", | |
"category": "Owned", | |
"queryList": [ | |
{ | |
"final": false, | |
"title": "Select source domain", | |
"query": "MATCH (n:Domain) RETURN n.name ORDER BY n.name" | |
}, | |
{ | |
"final": true, | |
"query": "MATCH p=allshortestpaths((o:User {owned:true, enabled:true, domain: $result})-[*]->(a {unconstraineddelegation: true, enabled: true})) WHERE NOT o = a RETURN p", | |
"allowCollapse": false | |
} | |
] | |
}, | |
{ | |
"name": "Route from owned & enabled principals to high value target(s)", | |
"category": "Owned", | |
"queryList": [ | |
{ | |
"final": false, | |
"title": "Select source domain", | |
"query": "MATCH (n:Domain) RETURN n.name ORDER BY n.name" | |
}, | |
{ | |
"final": true, | |
"query": "MATCH p=allShortestPaths((o {owned:true, enabled:true, domain: $result})-[*]->(a {highvalue: true})) WHERE NOT o=a RETURN p", | |
"allowCollapse": true | |
} | |
] | |
}, | |
{ | |
"name": "Owned: [WIP] Find all owned user(s) with privileged access to Azure Tenancy (Required: azurehound)", | |
"category": "Owned", | |
"queryList": [ | |
{ | |
"final": false, | |
"title": "Select source domain", | |
"query": "MATCH (n:Domain) RETURN n.name ORDER BY n.name" | |
}, | |
{ | |
"final": true, | |
"query": "MATCH p=(n {owned:true, enabled:true, domain: $result})-[r:MemberOf|AZGlobalAdmin|AZPrivilegedRoleAdmin*1..]->(:AZTenant) RETURN p" | |
} | |
] | |
}, | |
{ | |
"name": "Owned: [WIP] Find all owned user(s) whose group membership grants privileged access to Azure Tenancy (Required: azurehound)", | |
"category": "Owned", | |
"queryList": [ | |
{ | |
"final": false, | |
"title": "Select source domain", | |
"query": "MATCH (n:Domain) RETURN n.name ORDER BY n.name" | |
}, | |
{ | |
"final": true, | |
"query": "MATCH p=(n {owned:true, enabled:true, domain: $result})-[:MemberOf*1..]->(g:Group)-[r:AZGlobalAdmin|AZPrivilegedRoleAdmin*1..]->(:AZTenant) RETURN p" | |
} | |
] | |
}, | |
{ | |
"name": "Owned: [WIP] Find all owned user(s) that own Azure Application(s) whose Service Principal(s) have Dangerous Rights (Required: azurehound)", | |
"category": "Owned", | |
"queryList": [ | |
{ | |
"final": false, | |
"title": "Select source domain", | |
"query": "MATCH (n:Domain) RETURN n.name ORDER BY n.name" | |
}, | |
{ | |
"final": true, | |
"query": "MATCH p = (n {enabled:true, owned:true, domain: $result})-[:AZOwns]->(azapp:AZApp)-[r1]->(azsp:AZServicePrincipal)-[r:AZGlobalAdmin|AZPrivilegedRoleAdmin*1..]->(azt:AZTenant) RETURN p", | |
"allowCollapse": true | |
} | |
] | |
}, | |
{ | |
"name": "Find all owned groups that grant access to network shares", | |
"category": "Owned", | |
"queryList": [ | |
{ | |
"final": false, | |
"title": "Select source domain", | |
"query": "MATCH (n:Domain) RETURN n.name ORDER BY n.name" | |
}, | |
{ | |
"final": true, | |
"query": "MATCH p=(u:User {owned:true, domain: $result})-[:MemberOf*1..]->(g:Group) where (any(prop in keys(g) where g[prop] contains '\\\\')) return p" | |
} | |
] | |
}, | |
{ | |
"name": "Route all sessions to computers WITHOUT LAPS (Required: sessions)", | |
"category": "Owned", | |
"queryList": [ | |
{ | |
"final": false, | |
"title": "Select source domain", | |
"query": "MATCH (n:Domain) RETURN n.name ORDER BY n.name" | |
}, | |
{ | |
"final": true, | |
"query": "MATCH p=(u:User {owned:true, domain: $result})<-[r:HasSession]-(c:Computer {haslaps:false}) RETURN p ORDER BY c.name" | |
} | |
] | |
}, | |
{ | |
"name": "Route all sessions to computers (Required: sessions)", | |
"category": "Owned", | |
"queryList": [ | |
{ | |
"final": false, | |
"title": "Select source domain", | |
"query": "MATCH (n:Domain) RETURN n.name ORDER BY n.name" | |
}, | |
{ | |
"final": true, | |
"query": "MATCH p=(u:User {owned:true, domain: $result})<-[r:HasSession]-(c:Computer) RETURN p ORDER BY c.name" | |
} | |
] | |
}, | |
{ | |
"name": "List enabled non-privileged user(s) with \"Local Admin\" permission", | |
"category": "Non-privileged", | |
"requireNodeSelect": true, | |
"queryList": [ | |
{ | |
"final": false, | |
"title": "Select source domain", | |
"query": "MATCH (n:Domain) RETURN n.name ORDER BY n.name" | |
}, | |
{ | |
"final": true, | |
"query": "MATCH p=(u:User {enabled: true, admincount: false, domain: $result})-[:MemberOf|AdminTo*1..]->(c:Computer) RETURN p" | |
} | |
] | |
}, | |
{ | |
"name": "List enabled non-privileged user(s) with \"Local Admin\" permission, and any active sessions and their group membership(s)", | |
"category": "Non-privileged", | |
"requireNodeSelect": true, | |
"queryList": [ | |
{ | |
"final": false, | |
"title": "Select source domain", | |
"query": "MATCH (n:Domain) RETURN n.name ORDER BY n.name" | |
}, | |
{ | |
"final": true, | |
"query": "MATCH p=(u:User {enabled: true, admincount: false, domain: $result})-[:MemberOf|AdminTo*1..]->(c:Computer) OPTIONAL MATCH p2=(c)-[:HasSession]->(u2:User) OPTIONAL MATCH p3=(u2:User)-[:MemberOf*1..]->(:Group) RETURN p, p2, p3", | |
"allowCollapse": false | |
} | |
] | |
}, | |
{ | |
"name": "List enabled non-privileged user(s) with \"RDP\" permission", | |
"category": "Non-privileged", | |
"requireNodeSelect": true, | |
"queryList": [ | |
{ | |
"final": false, | |
"title": "Select source domain", | |
"query": "MATCH (n:Domain) RETURN n.name ORDER BY n.name" | |
}, | |
{ | |
"final": true, | |
"query": "MATCH p=(u:User {enabled: true, admincount: false, domain: $result})-[:MemberOf|CanRDP*1..]->(c:Computer) RETURN p" | |
} | |
] | |
}, | |
{ | |
"name": "List enabled non-privileged user(s) with \"RDP\" permission, and any active sessions and their group membership(s)", | |
"category": "Non-privileged", | |
"requireNodeSelect": true, | |
"queryList": [ | |
{ | |
"final": false, | |
"title": "Select source domain", | |
"query": "MATCH (n:Domain) RETURN n.name ORDER BY n.name" | |
}, | |
{ | |
"final": true, | |
"query": "MATCH p=(u:User {enabled: true, admincount: false, domain: $result})-[:MemberOf|CanRDP*1..]->(c:Computer) OPTIONAL MATCH p2=(c)-[:HasSession]->(u2:User) OPTIONAL MATCH p3=(u2:User)-[:MemberOf*1..]->(:Group) RETURN p, p2, p3", | |
"allowCollapse": false | |
} | |
] | |
}, | |
{ | |
"name": "List enabled non-privileged user(s) with \"SQLAdmin\" permission", | |
"category": "Non-privileged", | |
"requireNodeSelect": true, | |
"queryList": [ | |
{ | |
"final": false, | |
"title": "Select source domain", | |
"query": "MATCH (n:Domain) RETURN n.name ORDER BY n.name" | |
}, | |
{ | |
"final": true, | |
"query": "MATCH p=(u:User {enabled: true, admincount: false, domain: $result})-[:MemberOf|SQLAdmin*1..]->(c:Computer) RETURN p" | |
} | |
] | |
}, | |
{ | |
"name": "List all \"Domain Users\" group membership(s)", | |
"category": "Non-privileged", | |
"queryList": [ | |
{ | |
"final": false, | |
"title": "Select source domain", | |
"query": "MATCH (n:Domain) RETURN n.name ORDER BY n.name" | |
}, | |
{ | |
"final": true, | |
"query": "MATCH p=(g1:Group {domain: $result})-[:MemberOf*1..]->(g2:Group) WHERE g1.name STARTS WITH 'DOMAIN USERS' RETURN p ORDER BY g2.name" | |
} | |
] | |
}, | |
{ | |
"name": "List all \"Authenticated Users\" group membership(s)", | |
"category": "Non-privileged", | |
"queryList": [ | |
{ | |
"final": false, | |
"title": "Select source domain", | |
"query": "MATCH (n:Domain) RETURN n.name ORDER BY n.name" | |
}, | |
{ | |
"final": true, | |
"query": "MATCH p=(g1:Group {domain: $result})-[:MemberOf*1..]->(g2:Group) WHERE g1.name STARTS WITH 'AUTHENTICATED USERS' RETURN p ORDER BY g2.name" | |
} | |
] | |
}, | |
{ | |
"name": "Find all enabled AS-REP roastable user(s)", | |
"category": "Privilege Escalation / Lateral Movement", | |
"queryList": [ | |
{ | |
"final": false, | |
"title": "Select source domain", | |
"query": "MATCH (n:Domain) RETURN n.name ORDER BY n.name" | |
}, | |
{ | |
"final": true, | |
"query": "MATCH (u:User {dontreqpreauth: true, enabled:true, domain: $result}) WHERE NOT u.name CONTAINS '$' and NOT u.name CONTAINS 'KRBTGT' RETURN u", | |
"allowCollapse": false | |
} | |
] | |
}, | |
{ | |
"name": "Find all enabled kerberoastable user(s)", | |
"category": "Privilege Escalation / Lateral Movement", | |
"queryList": [ | |
{ | |
"final": false, | |
"title": "Select source domain", | |
"query": "MATCH (n:Domain) RETURN n.name ORDER BY n.name" | |
}, | |
{ | |
"final": true, | |
"query": "MATCH (u:User {hasspn: true, enabled:true, domain: $result}) WHERE NOT u.name CONTAINS '$' and NOT u.name CONTAINS 'KRBTGT' RETURN u", | |
"allowCollapse": false | |
} | |
] | |
}, | |
{ | |
"name": "Route non-privileged user(s) with dangerous rights to user(s) [HIGH RAM]", | |
"category": "Privilege Escalation / Lateral Movement", | |
"requireNodeSelect": true, | |
"queryList": [ | |
{ | |
"final": false, | |
"title": "Select source domain", | |
"query": "MATCH (n:Domain) RETURN n.name ORDER BY n.name" | |
}, | |
{ | |
"final": true, | |
"query": "MATCH p=allshortestpaths((u:User {enabled: true, admincount: false, domain: $result})-[:MemberOf|Owns|WriteDacl|GenericAll|WriteOwner|ExecuteDCOM|AllowedToDelegate|ForceChangePassword|AdminTo*1..]->(a:User)) WHERE NOT u = a RETURN p" | |
} | |
] | |
}, | |
{ | |
"name": "Route non-privileged user(s) with dangerous rights to group(s) [HIGH RAM]", | |
"category": "Privilege Escalation / Lateral Movement", | |
"requireNodeSelect": true, | |
"queryList": [ | |
{ | |
"final": false, | |
"title": "Select source domain", | |
"query": "MATCH (n:Domain) RETURN n.name ORDER BY n.name" | |
}, | |
{ | |
"final": true, | |
"query": "MATCH p=allshortestpaths((u:User {enabled: true, admincount: false, domain: $result})-[:MemberOf|Owns|WriteDacl|GenericAll|WriteOwner|ExecuteDCOM|AllowedToDelegate|ForceChangePassword|AdminTo*1..]->(a:Group)) WHERE NOT u = a RETURN p" | |
} | |
] | |
}, | |
{ | |
"name": "Route non-privileged user(s) with dangerous rights to computer(s) [HIGH RAM]", | |
"category": "Privilege Escalation / Lateral Movement", | |
"requireNodeSelect": true, | |
"queryList": [ | |
{ | |
"final": false, | |
"title": "Select source domain", | |
"query": "MATCH (n:Domain) RETURN n.name ORDER BY n.name" | |
}, | |
{ | |
"final": true, | |
"query": "MATCH p=allshortestpaths((u:User {enabled: true, admincount: false, domain: $result})-[:MemberOf|Owns|WriteDacl|GenericAll|WriteOwner|ExecuteDCOM|AllowedToDelegate|ForceChangePassword|AdminTo*1..]->(a:Computer)) WHERE NOT u = a RETURN p" | |
} | |
] | |
}, | |
{ | |
"name": "Route non-privileged user(s) with dangerous rights to GPO(s) [HIGH RAM]", | |
"category": "Privilege Escalation / Lateral Movement", | |
"requireNodeSelect": true, | |
"queryList": [ | |
{ | |
"final": false, | |
"title": "Select source domain", | |
"query": "MATCH (n:Domain) RETURN n.name ORDER BY n.name" | |
}, | |
{ | |
"final": true, | |
"query": "MATCH p=allshortestpaths((u:User {enabled: true, admincount: false, domain: $result})-[:MemberOf|Owns|WriteDacl|GenericAll|WriteOwner|ExecuteDCOM|AllowedToDelegate|ForceChangePassword|AdminTo*1..]->(a:GPO)) WHERE NOT u = a RETURN p" | |
} | |
] | |
}, | |
{ | |
"name": "Route non-privileged user(s) with dangerous rights to privileged node(s) [HIGH RAM]", | |
"category": "Privilege Escalation / Lateral Movement", | |
"requireNodeSelect": true, | |
"queryList": [ | |
{ | |
"final": false, | |
"title": "Select source domain", | |
"query": "MATCH (n:Domain) RETURN n.name ORDER BY n.name" | |
}, | |
{ | |
"final": true, | |
"query": "MATCH p=allshortestpaths((u:User {enabled: true, admincount: false, domain: $result})-[:MemberOf|Owns|WriteDacl|GenericAll|WriteOwner|ExecuteDCOM|AllowedToDelegate|ForceChangePassword|AdminTo*1..]->(a {admincount: true})) WHERE NOT u = a RETURN p" | |
} | |
] | |
}, | |
{ | |
"name": "Route non-privileged computer(s) with dangerous rights to user(s) [HIGH RAM]", | |
"category": "Privilege Escalation / Lateral Movement", | |
"requireNodeSelect": true, | |
"queryList": [ | |
{ | |
"final": false, | |
"title": "Select source domain", | |
"query": "MATCH (n:Domain) RETURN n.name ORDER BY n.name" | |
}, | |
{ | |
"final": true, | |
"query": "MATCH p=allshortestpaths((c:Computer {admincount: false})-[:MemberOf|Owns|WriteDacl|GenericAll|WriteOwner|ExecuteDCOM|AllowedToDelegate|ForceChangePassword|AdminTo*1..]->(a:User {domain: $result})) WHERE NOT c = a RETURN p" | |
} | |
] | |
}, | |
{ | |
"name": "Route non-privileged computer(s) with dangerous rights to group(s) [HIGH RAM]", | |
"category": "Privilege Escalation / Lateral Movement", | |
"requireNodeSelect": true, | |
"queryList": [ | |
{ | |
"final": false, | |
"title": "Select source domain", | |
"query": "MATCH (n:Domain) RETURN n.name ORDER BY n.name" | |
}, | |
{ | |
"final": true, | |
"query": "MATCH p=allshortestpaths((c:Computer {admincount: false})-[:MemberOf|Owns|WriteDacl|GenericAll|WriteOwner|ExecuteDCOM|AllowedToDelegate|ForceChangePassword|AdminTo*1..]->(a:Group {domain: $result})) WHERE NOT c = a RETURN p" | |
} | |
] | |
}, | |
{ | |
"name": "Route non-privileged computer(s) with dangerous rights to computer(s) [HIGH RAM]", | |
"category": "Privilege Escalation / Lateral Movement", | |
"requireNodeSelect": true, | |
"queryList": [ | |
{ | |
"final": false, | |
"title": "Select source domain", | |
"query": "MATCH (n:Domain) RETURN n.name ORDER BY n.name" | |
}, | |
{ | |
"final": true, | |
"query": "MATCH p=allshortestpaths((c:Computer {admincount: false})-[:MemberOf|Owns|WriteDacl|GenericAll|WriteOwner|ExecuteDCOM|AllowedToDelegate|ForceChangePassword|AdminTo*1..]->(a:Computer {domain: $result})) WHERE NOT c = a RETURN p" | |
} | |
] | |
}, | |
{ | |
"name": "Route non-privileged computer(s) with dangerous rights to GPO(s) [HIGH RAM]", | |
"category": "Privilege Escalation / Lateral Movement", | |
"requireNodeSelect": true, | |
"queryList": [ | |
{ | |
"final": false, | |
"title": "Select source domain", | |
"query": "MATCH (n:Domain) RETURN n.name ORDER BY n.name" | |
}, | |
{ | |
"final": true, | |
"query": "MATCH p=allshortestpaths((c:Computer {admincount: false})-[:MemberOf|Owns|WriteDacl|GenericAll|WriteOwner|ExecuteDCOM|AllowedToDelegate|ForceChangePassword|AdminTo*1..]->(a:GPO {domain: $result})) WHERE NOT c = a RETURN p" | |
} | |
] | |
}, | |
{ | |
"name": "Route non-privileged computer(s) with dangerous rights to privileged node(s) [HIGH RAM]", | |
"category": "Privilege Escalation / Lateral Movement", | |
"requireNodeSelect": true, | |
"queryList": [ | |
{ | |
"final": false, | |
"title": "Select source domain", | |
"query": "MATCH (n:Domain) RETURN n.name ORDER BY n.name" | |
}, | |
{ | |
"final": true, | |
"query": "MATCH p=allshortestpaths((c:Computer {admincount: false})-[:MemberOf|Owns|WriteDacl|GenericAll|WriteOwner|ExecuteDCOM|AllowedToDelegate|ForceChangePassword|AdminTo*1..]->(a {admincount: true, domain: $result})) WHERE NOT c = a RETURN p" | |
} | |
] | |
}, | |
{ | |
"name": "List ESC1 vulnerable Certificate Template(s) [Required: Certipy]", | |
"category": "Privilege Escalation / Lateral Movement", | |
"queryList": [ | |
{ | |
"final": false, | |
"title": "Select source domain", | |
"query": "MATCH (n:Domain) RETURN n.name ORDER BY n.name" | |
}, | |
{ | |
"final": true, | |
"query": "MATCH (n:GPO {Enabled:true, type:'Certificate Template', `Enrollee Supplies Subject`:true, `Client Authentication`:true, domain: $result}) RETURN n" | |
} | |
] | |
}, | |
{ | |
"name": "List ESC2 vulnerable Certificate Template(s) [Required: Certipy]", | |
"category": "Privilege Escalation / Lateral Movement", | |
"queryList": [ | |
{ | |
"final": false, | |
"title": "Select source domain", | |
"query": "MATCH (n:Domain) RETURN n.name ORDER BY n.name" | |
}, | |
{ | |
"final": true, | |
"query": "MATCH (n:GPO {Enabled:true, type:'Certificate Template', domain: $result}) WHERE (n.`Extended Key Usage` = [] or 'Any Purpose' IN n.`Extended Key Usage`) RETURN n" | |
} | |
] | |
}, | |
{ | |
"name": "List ESC3 vulnerable Certificate Template(s) [Required: Certipy]", | |
"category": "Privilege Escalation / Lateral Movement", | |
"queryList": [ | |
{ | |
"final": false, | |
"title": "Select source domain", | |
"query": "MATCH (n:Domain) RETURN n.name ORDER BY n.name" | |
}, | |
{ | |
"final": true, | |
"query": "MATCH (n:GPO {Enabled:true, type:'Certificate Template', domain: $result}) WHERE (n.`Extended Key Usage` = [] or 'Any Purpose' IN n.`Extended Key Usage` or 'Certificate Request Agent' IN n.`Extended Key Usage`) RETURN n" | |
} | |
] | |
}, | |
{ | |
"name": "List ESC4 vulnerable Certificate Template(s) [Required: Certipy]", | |
"category": "Privilege Escalation / Lateral Movement", | |
"queryList": [ | |
{ | |
"final": false, | |
"title": "Select source domain", | |
"query": "MATCH (n:Domain) RETURN n.name ORDER BY n.name" | |
}, | |
{ | |
"final": true, | |
"query": "MATCH p=shortestPath((g)-[:GenericAll|GenericWrite|Owns|WriteDacl|WriteOwner*1..]->(n:GPO {Enabled:true, type:'Certificate Template', domain: $result})) WHERE g<>n RETURN p" | |
} | |
] | |
}, | |
{ | |
"name": "List ESC6 vulnerable Certificate Authority(ies) [Required: Certipy]", | |
"category": "Privilege Escalation / Lateral Movement", | |
"queryList": [ | |
{ | |
"final": false, | |
"title": "Select source domain", | |
"query": "MATCH (n:Domain) RETURN n.name ORDER BY n.name" | |
}, | |
{ | |
"final": true, | |
"query": "MATCH (n:GPO {type:'Enrollment Service', `User Specified SAN`:'Enabled', domain: $result}) RETURN n" | |
} | |
] | |
}, | |
{ | |
"name": "List ESC7 vulnerable Certificate Authority(ies) [Required: Certipy]", | |
"category": "Privilege Escalation / Lateral Movement", | |
"queryList": [ | |
{ | |
"final": false, | |
"title": "Select source domain", | |
"query": "MATCH (n:Domain) RETURN n.name ORDER BY n.name" | |
}, | |
{ | |
"final": true, | |
"query": "MATCH p=shortestPath((g)-[r:GenericAll|GenericWrite|Owns|WriteDacl|WriteOwner|ManageCa|ManageCertificates*1..]->(n:GPO {type:'Enrollment Service', domain: $result})) WHERE g<>n RETURN p" | |
} | |
] | |
}, | |
{ | |
"name": "List ESC8 vulnerable Certificate Authority(ies) [Required: Certipy]", | |
"category": "Privilege Escalation / Lateral Movement", | |
"queryList": [ | |
{ | |
"final": false, | |
"title": "Select source domain", | |
"query": "MATCH (n:Domain) RETURN n.name ORDER BY n.name" | |
}, | |
{ | |
"final": true, | |
"query": "MATCH (n:GPO {type:'Enrollment Service', `Web Enrollment`:'Enabled', domain: $result}) RETURN n" | |
} | |
] | |
}, | |
{ | |
"name": "List all cross-domain user session(s) and user group membership(s)", | |
"category": "Privilege Escalation / Lateral Movement", | |
"requireNodeSelect": true, | |
"queryList": [ | |
{ | |
"final": false, | |
"title": "Select source domain...", | |
"query": "MATCH (n:Domain) RETURN n.name ORDER BY n.name" | |
}, | |
{ | |
"final": true, | |
"query": "MATCH p=(g1:Group)<-[:MemberOf*1..]-(u:User {enabled:true, domain: $result})<-[:HasSession]-(c:Computer) WHERE NOT u.domain = c.domain RETURN p ORDER BY c.name", | |
"allowCollapse": false | |
} | |
] | |
}, | |
{ | |
"name": "List privileged user(s) without \"Protected Users\" group membership", | |
"category": "Privileged", | |
"queryList": [ | |
{ | |
"final": false, | |
"title": "Select source domain", | |
"query": "MATCH (n:Domain) RETURN n.name ORDER BY n.name" | |
}, | |
{ | |
"final": true, | |
"query": "MATCH (u:User {admincount:true, domain: $result}), (c:Computer), (u)-[:MemberOf*1..]->(g) WHERE g.name CONTAINS 'Protected Users' WITH COLLECT(u) AS privilegedUsers MATCH (u2:User {admincount:true}) WHERE NOT u2 IN privilegedUsers RETURN u2" | |
} | |
] | |
}, | |
{ | |
"name": "List custom privileged group(s)", | |
"category": "Privileged", | |
"queryList": [ | |
{ | |
"final": false, | |
"title": "Select source domain", | |
"query": "MATCH (n:Domain) RETURN n.name ORDER BY n.name" | |
}, | |
{ | |
"final": true, | |
"query": "MATCH (g:Group {admincount:true, highvalue:false, domain: $result}) WHERE NOT (g.objectid =~ $domain_admins or g.objectid =~ $enterprise_admins or g.objectid =~ $administrators or g.objectid =~ $account_operators or g.objectid CONTAINS $replicators or g.objectid =~ $key_admins or g.objectid =~ $read_only_domain_controllers or g.objectid =~ $enterprise_key_admins or g.objectid =~ $schema_admins) RETURN g", | |
"props": { | |
"domain_admins": "(?i)S-1-5-.*-512", | |
"enterprise_admins": "(?i)S-1-5-.*-519", | |
"administrators": "(?i)S-1-5-.*-544", | |
"account_operators": "(?i)S-1-5-.*-548", | |
"replicators": "-552", | |
"key_admins": "(?i)S-1-5-.*-526", | |
"read_only_domain_controllers": "(?i)S-1-5-.*-521", | |
"enterprise_key_admins": "(?i)S-1-5-.*-527", | |
"schema_admins": "(?i)S-1-5-.*-518" | |
} | |
} | |
] | |
}, | |
{ | |
"name": "List all enabled SVC account(s) with privileged group membership(s)", | |
"category": "Privileged", | |
"queryList": [ | |
{ | |
"final": false, | |
"title": "Select source domain", | |
"query": "MATCH (n:Domain) RETURN n.name ORDER BY n.name" | |
}, | |
{ | |
"final": true, | |
"query": "MATCH p=(u:User {enabled: true, hasspn: true, domain: $result})-[:MemberOf*1..]->(g:Group {admincount: true}) RETURN p", | |
"allowCollapse": false | |
} | |
] | |
}, | |
{ | |
"name": "Route all privileged user(s) with sessions to non-privileged computer(s) [Required: sessions]", | |
"category": "Privileged", | |
"queryList": [ | |
{ | |
"final": false, | |
"title": "Select source domain", | |
"query": "MATCH (n:Domain) RETURN n.name ORDER BY n.name" | |
}, | |
{ | |
"final": true, | |
"query": "MATCH (c:Computer), (u:User), (g:Group), (c)-[:MemberOf*1..]->(:Group {admincount:false}) MATCH p=(c)-[:HasSession]->(u {admincount:true, domain: $result}) RETURN p", | |
"allowCollapse": false | |
} | |
] | |
}, | |
{ | |
"name": "Find allshortestpaths with dangerous rights to AdminSDHolder object", | |
"category": "Persistence", | |
"queryList": [ | |
{ | |
"final": false, | |
"title": "Select source domain", | |
"query": "MATCH (n:Domain) RETURN n.name ORDER BY n.name" | |
}, | |
{ | |
"final": true, | |
"query": "MATCH p=allshortestpaths((u:User {enabled:true, admincount:false, domain: $result})-[*]->(c:Container)) WHERE c.distinguishedname CONTAINS 'ADMINSDHOLDER' RETURN p", | |
"allowCollapse": false | |
} | |
] | |
}, | |
{ | |
"name": "Find allshortestpaths with DCSync to domain object", | |
"category": "Persistence", | |
"queryList": [ | |
{ | |
"final": false, | |
"title": "Select source domain", | |
"query": "MATCH (n:Domain) RETURN n.name ORDER BY n.name" | |
}, | |
{ | |
"final": true, | |
"query": "MATCH p=allshortestpaths((u:User {enabled:true, admincount:false, domain: $result})-[r:MemberOf|DCSync*1..]->(:Domain)) RETURN p", | |
"allowCollapse": false | |
} | |
] | |
}, | |
{ | |
"name": "Find allshortestpaths with Shadow Credential permission to principal(s)", | |
"category": "Persistence", | |
"queryList": [ | |
{ | |
"final": false, | |
"title": "Select source domain", | |
"query": "MATCH (n:Domain) RETURN n.name ORDER BY n.name" | |
}, | |
{ | |
"final": true, | |
"query": "MATCH p=allshortestpaths((a {domain: $result})-[:MemberOf|AddKeyCredentialLink*1..]->(b)) WHERE NOT a=b RETURN p", | |
"allowCollapse": false | |
} | |
] | |
}, | |
{ | |
"name": "List all Tenancy (Required: azurehound)", | |
"category": "AAD", | |
"queryList": [ | |
{ | |
"final": true, | |
"query": "MATCH (t:AZTenant) RETURN t", | |
"allowCollapse": true | |
} | |
] | |
}, | |
{ | |
"name": "[WIP] List all AAD Group(s) that are synchronized with AD (Required: azurehound)", | |
"category": "AAD", | |
"queryList": [ | |
{ | |
"final": true, | |
"query": "MATCH (n:Group) WHERE n.objectid CONTAINS 'S-1-5' AND n.azsyncid IS NOT NULL RETURN n", | |
"allowCollapse": true | |
} | |
] | |
}, | |
{ | |
"name": "[WIP] List all principal(s) used for syncing AD and AAD", | |
"category": "AAD", | |
"queryList": [ | |
{ | |
"final": true, | |
"query": "MATCH (u) WHERE (u:User OR u:AZUser) AND (u.name =~ '(?i)^MSOL_|.*AADConnect.*' OR u.userprincipalname =~ '(?i)^sync_.*') OPTIONAL MATCH (u)-[:HasSession]->(s:Session) RETURN u, s", | |
"allowCollapse": true | |
} | |
] | |
}, | |
{ | |
"name": "List all enabled Azure User(s) (Required: azurehound)", | |
"category": "AAD", | |
"queryList": [ | |
{ | |
"final": true, | |
"query": "MATCH (u:AZUser {enabled:true}) RETURN u", | |
"allowCollapse": true | |
} | |
] | |
}, | |
{ | |
"name": "List all enabled Azure User(s) Azure Group membership(s) (Required: azurehound)", | |
"category": "AAD", | |
"queryList": [ | |
{ | |
"final": true, | |
"query": "MATCH p=(azu:AZUser {enabled:true})-[MemberOf*1..]->(azg:AZGroup) RETURN p", | |
"allowCollapse": false | |
} | |
] | |
}, | |
{ | |
"name": "[WIP] List all AD principal(s) with edge(s) to Azure principal(s) (Required: azurehound)", | |
"category": "AAD", | |
"queryList": [ | |
{ | |
"final": true, | |
"query": "MATCH p=(u:User)-[r:MemberOf|AZResetPassword|AZOwns|AZUserAccessAdministrator|AZContributor|AZAddMembers|AZGlobalAdmin|AZVMContributor|AZOwnsAZAvereContributor*1..]->(n) WHERE u.objectid CONTAINS 'S-1-5-21' RETURN p", | |
"allowCollapse": false | |
} | |
] | |
}, | |
{ | |
"name": "[WIP] List all principal(s) with privileged access to Azure Tenancy (Required: azurehound)", | |
"category": "AAD", | |
"queryList": [ | |
{ | |
"final": true, | |
"query": "MATCH (a) WHERE (a:User OR a:AZUser) WITH a MATCH p=(a)-[r:MemberOf|AZGlobalAdmin|AZPrivilegedRoleAdmin*1..]->(azt:AZTenant) RETURN p", | |
"allowCollapse": false | |
} | |
] | |
}, | |
{ | |
"name": "[WIP] Route all principal(s) that have control permissions to Azure Application(s) running as Azure Service Principals (AzSP), and route from privileged AzSP to Azure Tenancy (Required: azurehound)", | |
"category": "AAD", | |
"queryList": [ | |
{ | |
"final": true, | |
"query": "MATCH (a) WHERE (a:User OR a:AZUser) WITH a MATCH p=(a)-[:MemberOf|AZOwns|AZAppAdmin*1..]->(azapp:AZApp) OPTIONAL MATCH p2=(azapp)-[:AZRunsAs]->(azsp:AZServicePrincipal) OPTION MATCH p3=(azsp)-[:MemberOf|AZGlobalAdmin|AZPrivilegedRoleAdmin*1..]->(azt:AZTenant) RETURN p, p2, p3", | |
"allowCollapse": true | |
} | |
] | |
}, | |
{ | |
"name": "[WIP] Route all user principal(s) that have control permissions to Azure Service Principals (AzSP), and route from AzSP to principal(s) (Required: azurehound)", | |
"category": "AAD", | |
"queryList": [ | |
{ | |
"final": true, | |
"query": "MATCH (a) WHERE (a:User OR a:AZUser) WITH a MATCH p=allShortestPaths((a)-[*]->(azsp:AZServicePrincipal)-[*]->(b)) WHERE NOT a=b RETURN p", | |
"allowCollapse": true | |
} | |
] | |
}, | |
{ | |
"name": "[WIP] Route from Azure User principal(s) that have dangerous rights to Azure User and User principal(s) (Required: azurehound)", | |
"category": "AAD", | |
"queryList": [ | |
{ | |
"final": true, | |
"query": "MATCH (a) WHERE (a:User OR a:AZUser) WITH a MATCH p=allShortestPaths((u:AZUser)-[*]->(a)) WHERE NOT a=u RETURN p", | |
"allowCollapse": true | |
} | |
] | |
}, | |
{ | |
"name": "[WIP] Route from principal(s) to Azure VM (Required: azurehound)", | |
"category": "AAD", | |
"queryList": [ | |
{ | |
"final": true, | |
"query": "MATCH p=allshortestpaths((a)-[*]->(vm:AZVM)) WHERE NOT a=vm RETURN p", | |
"allowCollapse": true | |
} | |
] | |
}, | |
{ | |
"name": "[WIP] Route from principal(s) to principal(s) with Global Administrator permissions (Required: azurehound)", | |
"category": "AAD", | |
"queryList": [ | |
{ | |
"final": true, | |
"query": "MATCH p=(ga)-[:AZGlobalAdmin|AZPrivilegedAdminRole*1..]->(:AZTenant) WHERE (ga:User OR ga:AZUser) WITH ga MATCH p=allshortestpaths((a)-[*]->(ga)) WHERE NOT a=ga RETURN p", | |
"allowCollapse": true | |
} | |
] | |
}, | |
{ | |
"name": "Find ALL Shortest Paths to Domain Admins", | |
"queryList": [ | |
{ | |
"final": false, | |
"title": "Select a Domain Admin group...", | |
"query": "MATCH (n:Group) WHERE n.objectid =~ $name RETURN n.name ORDER BY n.name DESC", | |
"props": { | |
"name": "(?i)S-1-5-.*-512" | |
} | |
}, | |
{ | |
"final": true, | |
"query": "MATCH p=allShortestPaths((n)-[:{}*1..]->(m:Group {name:$result})) WHERE NOT n=m RETURN p", | |
"allowCollapse": false, | |
"endNode": "{}" | |
} | |
] | |
}, | |
{ | |
"name": "Find ALL Shortest Paths to Domain Admins - Network", | |
"queryList": [ | |
{ | |
"final": false, | |
"title": "Select a Domain Admin group...", | |
"query": "MATCH (n:Group) WHERE n.objectid =~ $name RETURN n.name ORDER BY n.name DESC", | |
"props": { | |
"name": "(?i)S-1-5-.*-512" | |
} | |
}, | |
{ | |
"final": true, | |
"query": "MATCH p=allShortestPaths((n)-[:{}*1..]->(m:Group {name:$result})) WHERE NOT n=m WITH p,nodes(p) as nds MATCH q = ((src:Computer)-[:Open]->(trgt:Computer)) WHERE src IN nds AND trgt IN nds WITH p,q,nds,src,trgt,reduce(ix = -1, i IN RANGE(0,SIZE(nds)-1) | CASE nds[i] WHEN src THEN i ELSE ix END ) AS srcix, reduce(ix = -1, i IN RANGE(0,SIZE(nds)-1) | CASE nds[i] WHEN trgt THEN i ELSE ix END ) AS trgtix WHERE trgtix > srcix RETURN p,q", | |
"allowCollapse": false, | |
"endNode": "{}" | |
} | |
] | |
}, | |
{ | |
"name": "Find ALL Shortest Paths to Domain Admins - Filtered", | |
"queryList": [ | |
{ | |
"final": false, | |
"title": "Select a Domain Admin group...", | |
"query": "MATCH (n:Group) WHERE n.objectid =~ $name RETURN n.name ORDER BY n.name DESC", | |
"props": { | |
"name": "(?i)S-1-5-.*-512" | |
} | |
}, | |
{ | |
"final": true, | |
"query": "MATCH p=allShortestPaths((n)-[:{}*1..]->(m:Group {name:$result})) WHERE NOT n=m WITH nodes(p) as nds,p MATCH (src:Computer)-[:Open]->(trgt:Computer) MATCH (c:Computer) WHERE src IN nds AND trgt IN nds AND c IN nds WITH p,nds,c,src,trgt,reduce(ix = -1, i IN RANGE(0,SIZE(nds)-1) | CASE nds[i] WHEN src THEN i ELSE ix END ) AS srcix, reduce(ix = -1, i IN RANGE(0,SIZE(nds)-1) | CASE nds[i] WHEN trgt THEN i ELSE ix END ) AS trgtix WHERE trgtix > srcix WITH p,size(collect(DISTINCT c)) AS total_hosts, size(collect(DISTINCT trgt)) AS total_targets WHERE total_hosts = total_targets + 1 RETURN p", | |
"allowCollapse": false, | |
"endNode": "{}" | |
} | |
] | |
}, | |
{ | |
"name": "Find Shortest Paths to Domain Admins - Network", | |
"queryList": [ | |
{ | |
"final": false, | |
"title": "Select a Domain Admin group...", | |
"query": "MATCH (n:Group) WHERE n.objectid =~ $name RETURN n.name ORDER BY n.name DESC", | |
"props": { | |
"name": "(?i)S-1-5-.*-512" | |
} | |
}, | |
{ | |
"final": true, | |
"query": "MATCH p=shortestPath((n)-[:{}*1..]->(m:Group {name:$result})) WHERE NOT n=m WITH nodes(p) as nds,p MATCH q=((src:Computer)-[:Open]->(trgt:Computer)) MATCH (c:Computer) WHERE src IN nds AND trgt IN nds AND c IN nds WITH p,q,nds,c,src,trgt,reduce(ix = -1, i IN RANGE(0,SIZE(nds)-1) | CASE nds[i] WHEN src THEN i ELSE ix END ) AS srcix, reduce(ix = -1, i IN RANGE(0,SIZE(nds)-1) | CASE nds[i] WHEN trgt THEN i ELSE ix END ) AS trgtix WHERE trgtix > srcix WITH p,q,size(collect(DISTINCT c)) AS total_hosts, size(collect(DISTINCT trgt)) AS total_targets WHERE total_hosts = total_targets + 1 RETURN p,q", | |
"allowCollapse": false, | |
"endNode": "{}" | |
} | |
] | |
}, | |
{ | |
"name": "Find Shortest Paths to Domain Admins - Filtered", | |
"queryList": [ | |
{ | |
"final": false, | |
"title": "Select a Domain Admin group...", | |
"query": "MATCH (n:Group) WHERE n.objectid =~ $name RETURN n.name ORDER BY n.name DESC", | |
"props": { | |
"name": "(?i)S-1-5-.*-512" | |
} | |
}, | |
{ | |
"final": true, | |
"query": "MATCH p=shortestPath((n)-[:{}*1..]->(m:Group {name:$result})) WHERE NOT n=m WITH nodes(p) as nds,p MATCH q=((src:Computer)-[:Open]->(trgt:Computer)) MATCH (c:Computer) WHERE src IN nds AND trgt IN nds AND c IN nds WITH p,q,nds,c,src,trgt,reduce(ix = -1, i IN RANGE(0,SIZE(nds)-1) | CASE nds[i] WHEN src THEN i ELSE ix END ) AS srcix, reduce(ix = -1, i IN RANGE(0,SIZE(nds)-1) | CASE nds[i] WHEN trgt THEN i ELSE ix END ) AS trgtix WHERE trgtix > srcix WITH p,q,size(collect(DISTINCT c)) AS total_hosts, size(collect(DISTINCT trgt)) AS total_targets WHERE total_hosts = total_targets + 1 RETURN p,q", | |
"allowCollapse": false, | |
"endNode": "{}" | |
} | |
] | |
}, | |
{ | |
"name": "Shortest Paths to High Value Targets - Network", | |
"queryList": [ | |
{ | |
"final": false, | |
"title": "Select a Domain", | |
"query": "MATCH (n:Domain) RETURN n.name ORDER BY n.name DESC" | |
}, | |
{ | |
"final": true, | |
"query": "MATCH p=shortestPath((n)-[:{}*1..]->(m {highvalue:true})) WHERE m<>n WITH p, nodes(p) AS nds MATCH q = ((src:Computer)-[:Open]->(trgt:Computer)) WHERE src IN nds AND trgt IN nds WITH p,q,nds,src,trgt,reduce(ix = -1, i IN RANGE(0,SIZE(nds)-1) | CASE nds[i] WHEN src THEN i ELSE ix END ) AS srcix, reduce(ix = -1, i IN RANGE(0,SIZE(nds)-1) | CASE nds[i] WHEN trgt THEN i ELSE ix END ) AS trgtix WHERE trgtix > srcix RETURN p,q", | |
"allowCollapse": true, | |
"endNode": "{}" | |
} | |
] | |
}, | |
{ | |
"name": "Shortest Paths to High Value Targets - Filtered", | |
"queryList": [ | |
{ | |
"final": false, | |
"title": "Select a Domain", | |
"query": "MATCH (n:Domain) RETURN n.name ORDER BY n.name DESC" | |
}, | |
{ | |
"final": true, | |
"query": "MATCH p=shortestPath((n)-[:{}*1..]->(m {highvalue:true})) WHERE m<>n WITH p, nodes(p) AS nds MATCH (src:Computer)-[:Open]->(trgt:Computer) MATCH (c:Computer) WHERE src IN nds AND trgt IN nds AND c IN nds WITH p,nds,c,src,trgt,reduce(ix = -1, i IN RANGE(0,SIZE(nds)-1) | CASE nds[i] WHEN src THEN i ELSE ix END ) AS srcix, reduce(ix = -1, i IN RANGE(0,SIZE(nds)-1) | CASE nds[i] WHEN trgt THEN i ELSE ix END ) AS trgtix WHERE trgtix > srcix WITH p,size(collect(DISTINCT c)) AS total_hosts, size(collect(DISTINCT trgt)) AS total_targets WHERE total_hosts = total_targets + 1 RETURN p", | |
"allowCollapse": true, | |
"endNode": "{}" | |
} | |
] | |
}, | |
{ | |
"name": "Shortest Paths to Unconstrained Delegation Systems - Network", | |
"queryList": [ | |
{ | |
"final": true, | |
"query": "MATCH (n) MATCH p=shortestPath((n)-[:{}*1..]->(m:Computer {unconstraineddelegation: true})) WHERE NOT n=m WITH p, nodes(p) AS nds MATCH q = ((src:Computer)-[:Open]->(trgt:Computer)) WHERE src IN nds AND trgt IN nds WITH p,q,nds,src,trgt,reduce(ix = -1, i IN RANGE(0,SIZE(nds)-1) | CASE nds[i] WHEN src THEN i ELSE ix END ) AS srcix, reduce(ix = -1, i IN RANGE(0,SIZE(nds)-1) | CASE nds[i] WHEN trgt THEN i ELSE ix END ) AS trgtix WHERE trgtix > srcix RETURN p,q" | |
} | |
] | |
}, | |
{ | |
"name": "Shortest Paths to Unconstrained Delegation Systems - Filtered", | |
"queryList": [ | |
{ | |
"final": true, | |
"query": "MATCH (n) MATCH p=shortestPath((n)-[:{}*1..]->(m:Computer {unconstraineddelegation: true})) WHERE NOT n=m WITH p, nodes(p) AS nds MATCH (src:Computer)-[:Open]->(trgt:Computer) MATCH (c:Computer) WHERE src IN nds AND trgt IN nds AND c IN nds WITH p,nds,c,src,trgt,reduce(ix = -1, i IN RANGE(0,SIZE(nds)-1) | CASE nds[i] WHEN src THEN i ELSE ix END ) AS srcix, reduce(ix = -1, i IN RANGE(0,SIZE(nds)-1) | CASE nds[i] WHEN trgt THEN i ELSE ix END ) AS trgtix WHERE trgtix > srcix WITH p,size(collect(DISTINCT c)) AS total_hosts, size(collect(DISTINCT trgt)) AS total_targets WHERE total_hosts = total_targets + 1 RETURN p" | |
} | |
] | |
}, | |
{ | |
"name": "Shortest Paths to Domain Admins from Kerberoastable Users - Network", | |
"queryList": [ | |
{ | |
"final": false, | |
"title": "Select a Domain Admin group...", | |
"query": "MATCH (n:Group) WHERE n.objectid =~ $name RETURN n.name ORDER BY n.name DESC", | |
"props": { | |
"name": "(?i)S-1-5-.*-512" | |
} | |
}, | |
{ | |
"final": true, | |
"query": "MATCH p=shortestPath((n:User {hasspn:true})-[:{}*1..]->(m:Group {name:$result})) WITH p, nodes(p) AS nds MATCH q = ((src:Computer)-[:Open]->(trgt:Computer)) WHERE src IN nds AND trgt IN nds WITH p,q,nds,src,trgt,reduce(ix = -1, i IN RANGE(0,SIZE(nds)-1) | CASE nds[i] WHEN src THEN i ELSE ix END ) AS srcix, reduce(ix = -1, i IN RANGE(0,SIZE(nds)-1) | CASE nds[i] WHEN trgt THEN i ELSE ix END ) AS trgtix WHERE trgtix > srcix RETURN p,q", | |
"allowCollapse": true, | |
"endNode": "{}" | |
} | |
] | |
}, | |
{ | |
"name": "Shortest Paths to Domain Admins from Kerberoastable Users - Filtered", | |
"queryList": [ | |
{ | |
"final": false, | |
"title": "Select a Domain Admin group...", | |
"query": "MATCH (n:Group) WHERE n.objectid =~ $name RETURN n.name ORDER BY n.name DESC", | |
"props": { | |
"name": "(?i)S-1-5-.*-512" | |
} | |
}, | |
{ | |
"final": true, | |
"query": "MATCH p=shortestPath((n:User {hasspn:true})-[:{}*1..]->(m:Group {name:$result})) WITH p, nodes(p) AS nds MATCH (src:Computer)-[:Open]->(trgt:Computer) MATCH (c:Computer) WHERE src IN nds AND trgt IN nds AND c IN nds WITH p,nds,c,src,trgt,reduce(ix = -1, i IN RANGE(0,SIZE(nds)-1) | CASE nds[i] WHEN src THEN i ELSE ix END ) AS srcix, reduce(ix = -1, i IN RANGE(0,SIZE(nds)-1) | CASE nds[i] WHEN trgt THEN i ELSE ix END ) AS trgtix WHERE trgtix > srcix WITH p,size(collect(DISTINCT c)) AS total_hosts, size(collect(DISTINCT trgt)) AS total_targets WHERE total_hosts = total_targets + 1 RETURN p", | |
"allowCollapse": true, | |
"endNode": "{}" | |
} | |
] | |
}, | |
{ | |
"name": "Shortest Path from Owned Principals - Network", | |
"queryList": [ | |
{ | |
"final": false, | |
"title": "Select a user", | |
"query": "MATCH (n) WHERE n.owned=true RETURN n.name, n.PwdLastSet ORDER BY n.PwdLastSet ASC" | |
}, | |
{ | |
"final": true, | |
"query": "MATCH p=shortestPath((a {name:$result})-[:{}*1..]->(b:Computer)) WHERE NOT a=b WITH p, nodes(p) AS nds MATCH q = ((src:Computer)-[:Open]->(trgt:Computer)) WHERE src IN nds AND trgt IN nds WITH p,q,nds,src,trgt,reduce(ix = -1, i IN RANGE(0,SIZE(nds)-1) | CASE nds[i] WHEN src THEN i ELSE ix END ) AS srcix, reduce(ix = -1, i IN RANGE(0,SIZE(nds)-1) | CASE nds[i] WHEN trgt THEN i ELSE ix END ) AS trgtix WHERE trgtix > srcix RETURN p,q", | |
"startNode": "{}", | |
"allowCollapse": true | |
} | |
] | |
}, | |
{ | |
"name": "Shortest Path from Owned Principals - Filtered", | |
"queryList": [ | |
{ | |
"final": false, | |
"title": "Select a user", | |
"query": "MATCH (n) WHERE n.owned=true RETURN n.name, n.PwdLastSet ORDER BY n.PwdLastSet ASC" | |
}, | |
{ | |
"final": true, | |
"query": "MATCH p=shortestPath((a {name:$result})-[:{}*1..]->(b:Computer)) WHERE NOT a=b WITH p, nodes(p) AS nds MATCH (src:Computer)-[:Open]->(trgt:Computer) MATCH (c:Computer) WHERE src IN nds AND trgt IN nds AND c IN nds WITH p,nds,c,src,trgt,reduce(ix = -1, i IN RANGE(0,SIZE(nds)-1) | CASE nds[i] WHEN src THEN i ELSE ix END ) AS srcix, reduce(ix = -1, i IN RANGE(0,SIZE(nds)-1) | CASE nds[i] WHEN trgt THEN i ELSE ix END ) AS trgtix WHERE trgtix > srcix WITH p,size(collect(DISTINCT c)) AS total_hosts, size(collect(DISTINCT trgt)) AS total_targets WHERE total_hosts = total_targets + 1 RETURN p", | |
"startNode": "{}", | |
"allowCollapse": true | |
} | |
] | |
}, | |
{ | |
"name": "Shortest Paths to Domain Admins from Owned Principals - Network", | |
"queryList": [ | |
{ | |
"final": false, | |
"title": "Select a Domain Admin group...", | |
"query": "MATCH (n:Group) WHERE n.objectid =~ $name RETURN n.name ORDER BY n.name DESC", | |
"props": { | |
"name": "(?i)S-1-5-.*-512" | |
} | |
}, | |
{ | |
"final": true, | |
"query": "MATCH p=shortestPath((n {owned:true})-[:{}*1..]->(m:Group {name:$result})) WHERE NOT n=m WITH p, nodes(p) AS nds MATCH q = ((src:Computer)-[:Open]->(trgt:Computer)) WHERE src IN nds AND trgt IN nds WITH p,q,nds,src,trgt,reduce(ix = -1, i IN RANGE(0,SIZE(nds)-1) | CASE nds[i] WHEN src THEN i ELSE ix END ) AS srcix, reduce(ix = -1, i IN RANGE(0,SIZE(nds)-1) | CASE nds[i] WHEN trgt THEN i ELSE ix END ) AS trgtix WHERE trgtix > srcix RETURN p,q", | |
"allowCollapse": true, | |
"endNode": "{}" | |
} | |
] | |
}, | |
{ | |
"name": "Shortest Paths to Domain Admins from Owned Principals - Filtered", | |
"queryList": [ | |
{ | |
"final": false, | |
"title": "Select a Domain Admin group...", | |
"query": "MATCH (n:Group) WHERE n.objectid =~ $name RETURN n.name ORDER BY n.name DESC", | |
"props": { | |
"name": "(?i)S-1-5-.*-512" | |
} | |
}, | |
{ | |
"final": true, | |
"query": "MATCH p=shortestPath((n {owned:true})-[:{}*1..]->(m:Group {name:$result})) WHERE NOT n=m WITH p, nodes(p) AS nds MATCH (src:Computer)-[:Open]->(trgt:Computer) MATCH (c:Computer) WHERE src IN nds AND trgt IN nds AND c IN nds WITH p,nds,c,src,trgt,reduce(ix = -1, i IN RANGE(0,SIZE(nds)-1) | CASE nds[i] WHEN src THEN i ELSE ix END ) AS srcix, reduce(ix = -1, i IN RANGE(0,SIZE(nds)-1) | CASE nds[i] WHEN trgt THEN i ELSE ix END ) AS trgtix WHERE trgtix > srcix WITH p,size(collect(DISTINCT c)) AS total_hosts, size(collect(DISTINCT trgt)) AS total_targets WHERE total_hosts = total_targets + 1 RETURN p", | |
"allowCollapse": true, | |
"endNode": "{}" | |
} | |
] | |
}, | |
{ | |
"name": "Shortest Paths to High Value Targets - Network", | |
"queryList": [ | |
{ | |
"final": true, | |
"query": "MATCH p=shortestPath((n)-[:{}*1..]->(m {highvalue:true})) WHERE m<>n WITH p, nodes(p) AS nds MATCH q = ((src:Computer)-[:Open]->(trgt:Computer)) WHERE src IN nds AND trgt IN nds WITH p,q,nds,src,trgt,reduce(ix = -1, i IN RANGE(0,SIZE(nds)-1) | CASE nds[i] WHEN src THEN i ELSE ix END ) AS srcix, reduce(ix = -1, i IN RANGE(0,SIZE(nds)-1) | CASE nds[i] WHEN trgt THEN i ELSE ix END ) AS trgtix WHERE trgtix > srcix RETURN p,q", | |
"allowCollapse": true, | |
"endNode": "{}" | |
} | |
] | |
}, | |
{ | |
"name": "Shortest Paths to High Value Targets - Filtered", | |
"queryList": [ | |
{ | |
"final": true, | |
"query": "MATCH p=shortestPath((n)-[:{}*1..]->(m {highvalue:true})) WHERE m<>n WITH p, nodes(p) AS nds MATCH (src:Computer)-[:Open]->(trgt:Computer) MATCH (c:Computer) WHERE src IN nds AND trgt IN nds AND c IN nds WITH p,nds,c,src,trgt,reduce(ix = -1, i IN RANGE(0,SIZE(nds)-1) | CASE nds[i] WHEN src THEN i ELSE ix END ) AS srcix, reduce(ix = -1, i IN RANGE(0,SIZE(nds)-1) | CASE nds[i] WHEN trgt THEN i ELSE ix END ) AS trgtix WHERE trgtix > srcix WITH p,size(collect(DISTINCT c)) AS total_hosts, size(collect(DISTINCT trgt)) AS total_targets WHERE total_hosts = total_targets + 1 RETURN p", | |
"allowCollapse": true, | |
"endNode": "{}" | |
} | |
] | |
}, | |
{ | |
"name": "Kerberoastable Admins", | |
"queryList": [ | |
{ | |
"final": true, | |
"query": "MATCH (n:Group) WHERE n.objectsid =~ $sid WITH n MATCH p=(n)<-[MemberOf*1..]-(m {hasspn: true}) RETURN p", | |
"allowCollapse": true, | |
"props": { | |
"sid": "(?i)S-1-5-.*-512" | |
} | |
} | |
] | |
}, | |
{ | |
"name": "All Kerberoastable Users", | |
"queryList": [ | |
{ | |
"final": true, | |
"requireNodeSelect": false, | |
"query": "MATCH (n {hasspn: true}) RETURN n", | |
"allowCollapse": true, | |
"props": { | |
} | |
} | |
] | |
}, | |
{ | |
"name": "Where can owned users RDP", | |
"queryList": [ | |
{ | |
"final": true, | |
"requireNodeSelect": false, | |
"query": "MATCH p=(m:User {owned: true})-[r:MemberOf|CanRDP*1..]->(n:Computer) RETURN p", | |
"allowCollapse": true, | |
"props": { | |
} | |
} | |
] | |
}, | |
{ | |
"name": "Users with most local admin rights", | |
"queryList": [ | |
{ | |
"final": true, | |
"requireNodeSelect": false, | |
"query": "MATCH (U:User)-[r:MemberOf|AdminTo*1..]->(C:Computer) WITH U.name as n, COUNT(DISTINCT(C)) AS c RETURN n,c ORDER BY c DESC LIMIT 5", | |
"allowCollapse": true, | |
"props": { | |
} | |
} | |
] | |
}, | |
{ | |
"name": "All Owned Nodes", | |
"queryList": [ | |
{ | |
"final": true, | |
"requireNodeSelect": false, | |
"query": "MATCH (n {owned: true}) RETURN n", | |
"allowCollapse": true, | |
"props": { | |
} | |
} | |
] | |
}, | |
{ | |
"name": "Find computers with owned Admins", | |
"queryList": [ | |
{ | |
"final": true, | |
"query": "MATCH p=shortestPath((n:User {owned:true})-[r:AdminTo|MemberOf*1..]->(c:Computer)) return p", | |
"allowCollapse": false | |
} | |
] | |
}, | |
{ | |
"name": "Find owned Groups", | |
"queryList": [ | |
{ | |
"final": true, | |
"requireNodeSelect": false, | |
"query": "MATCH (n:User {owned: true})-[r:MemberOf]->(g:Group) RETURN g", | |
"allowCollapse": true, | |
"props": { | |
} | |
} | |
] | |
}, | |
{ | |
"name": "Find owned Domain Admins", | |
"queryList": [ | |
{ | |
"final": true, | |
"title": "Select a domain...", | |
"query": "MATCH (n:Group) WHERE n.name =~ $name AND n.owned=true WITH n MATCH p=(n)<-[r:MemberOf*1..]-(m) RETURN p", | |
"props": { | |
"name": "(?i).*DOMAIN ADMINS.*" | |
}, | |
"allowCollapse": false | |
} | |
] | |
}, | |
{ | |
"name": "Find Shortest Path from owned Node to Domain Admin", | |
"queryList": [ | |
{ | |
"final": false, | |
"title": "Select a Domain Admin group...", | |
"query": "MATCH (n:Group) WHERE n.name =~ $name RETURN n.name ORDER BY n.name DESC", | |
"props": { | |
"name": "(?i).*DOMAIN ADMINS.*" | |
} | |
}, | |
{ | |
"final": true, | |
"query": "MATCH (n:User),(m:Group {name:$result}),p=shortestPath((n {owned:true})-[r:MemberOf|AdminTo|HasSession|Contains|GpLink|Owns|DCSync|AllExtendedRights|ForceChangePassword|GenericAll|GenericWrite|WriteDacl|WriteOwner*1..]->(m)) RETURN p", | |
"allowCollapse": true, | |
"endNode": "{}" | |
} | |
] | |
}, | |
{ | |
"name": "Find all other Rights Domain Users shouldn't have", | |
"queryList": [ | |
{ | |
"final": true, | |
"query": "MATCH p=(m:Group)-[r:Owns|WriteDacl|GenericAll|WriteOwner|ExecuteDCOM|GenericWrite|AllowedToDelegate|ForceChangePassword]->(n:Computer) WHERE m.objectid ENDS WITH '-513' OR m.objectsid ENDS WITH '-515' OR m.objectsid ENDS WITH 'S-1-5-11' OR m.objectsid ENDS WITH 'S-1-1-0' RETURN p", | |
"allowCollapse": true | |
} | |
] | |
}, | |
{ | |
"name": "Computers with administrative Domain Users", | |
"queryList": [ | |
{ | |
"final": true, | |
"query": "MATCH p=(m:Group)-[r:AddMember|AdminTo|AllExtendedRights|AllowedToDelegate|CanRDP|Contains|ExecuteDCOM|ForceChangePassword|GenericAll|GenericWrite|GetChanges|GetChangesAll|HasSession|Owns|ReadLAPSPassword|SQLAdmin|TrustedBy|WriteDACL|WriteOwner|AddAllowedToAct|AllowedToAct]->(t) WHERE m.objectsid ENDS WITH '-513' OR m.objectsid ENDS WITH '-515' OR m.objectsid ENDS WITH 'S-1-5-11' OR m.objectsid ENDS WITH 'S-1-1-0' RETURN p" | |
} | |
] | |
}, | |
{ | |
"name": "-------------------------- Engagement-specific Queries --------------------------", | |
"queryList": [ | |
{ | |
"final": true, | |
"query": "" | |
} | |
] | |
}, | |
{ | |
"name": "List all high-valued nodes", | |
"queryList": [ | |
{ | |
"final": true, | |
"query": "MATCH (n {highvalue:true}) RETURN n" | |
} | |
] | |
}, | |
{ | |
"name": "List all owned nodes", | |
"queryList": [ | |
{ | |
"final": true, | |
"query": "MATCH (n {owned:true}) RETURN n" | |
} | |
] | |
}, | |
{ | |
"name": "List all owned computers", | |
"queryList": [ | |
{ | |
"final": true, | |
"query": "MATCH (c:Computer {owned:true}) RETURN c" | |
} | |
] | |
}, | |
{ | |
"name": "List all owned groups", | |
"queryList": [ | |
{ | |
"final": true, | |
"query": "MATCH (g:Group {owned:true}) RETURN g" | |
} | |
] | |
}, | |
{ | |
"name": "List all owned users", | |
"queryList": [ | |
{ | |
"final": true, | |
"query": "MATCH (u:User {owned:true}) RETURN u" | |
} | |
] | |
}, | |
{ | |
"name": "List the groups of all owned users", | |
"queryList": [ | |
{ | |
"final": true, | |
"query": "MATCH p=(:User {owned:true})-[:MemberOf*]->(:Group) RETURN p" | |
} | |
] | |
}, | |
{ | |
"name": "Set the groups of all owned users as owned", | |
"queryList": [ | |
{ | |
"final": true, | |
"query": "MATCH p=(:User {owned:true})-[:MemberOf*]->(g:Group) SET g.owned = true RETURN p" | |
} | |
] | |
}, | |
{ | |
"name": "--------------------------- High-value-specific Queries ---------------------------", | |
"queryList": [ | |
{ | |
"final": true, | |
"query": "" | |
} | |
] | |
}, | |
{ | |
"name": "Remove inactive nodes from the list of high-value nodes", | |
"queryList": [ | |
{ | |
"final": true, | |
"query": "MATCH (n {highvalue:true, enabled:false}) SET n.highvalue = false, n.nothighvaluereason = 'Inactive' RETURN n" | |
} | |
] | |
}, | |
{ | |
"name": "Set DCSync principals as high-value nodes", | |
"queryList": [ | |
{ | |
"final": true, | |
"query": "MATCH p=(n {highvalue:false})-[:MemberOf|GetChanges|GetChangesAll*]->(:Domain) SET n.highvalue = true, n.highvaluereason = 'DCSync Principal' RETURN p" | |
} | |
] | |
}, | |
{ | |
"name": "Set Local Admin or Reset Password principals as high-value nodes", | |
"queryList": [ | |
{ | |
"final": true, | |
"query": "MATCH (n {highvalue:false})-[:AdminTo|ForceChangePassword*]->(m) SET n.highvalue = true, n.highvaluereason = 'Local Admin or Reset Password Principal' RETURN n" | |
} | |
] | |
}, | |
{ | |
"name": "Set Unconstrained Delegation principals as high-value nodes", | |
"queryList": [ | |
{ | |
"final": true, | |
"query": "MATCH (n {highvalue:false, unconstraineddelegation:true}) SET n.highvalue = true, n.highvaluereason = 'Unconstrained Delegation Principal' RETURN n" | |
} | |
] | |
}, | |
{ | |
"name": "Set principals with privileges on Computers as high-value nodes", | |
"queryList": [ | |
{ | |
"final": true, | |
"query": "MATCH (n {highvalue:false})-[*]->(:Computer) SET n.highvalue = true, n.highvaluereason = 'Principal with Privileges on Computers' RETURN n" | |
} | |
] | |
}, | |
{ | |
"name": "Set members of high-value groups as high-value nodes", | |
"queryList": [ | |
{ | |
"final": true, | |
"query": "MATCH (n {highvalue:false})-[:MemberOf*]->(g:Group {highvalue:true}) SET n.highvalue = true, n.highvaluereason = 'Member of a High-Value Group' RETURN g" | |
} | |
] | |
}, | |
{ | |
"name": "Set the groups of high-value nodes as high-value nodes", | |
"queryList": [ | |
{ | |
"final": true, | |
"query": "MATCH (n {highvalue:true})-[:MemberOf*]->(g:Group {highvalue:false}) SET g.highvalue = true, g.highvaluereason = 'Contains High-Value Members' RETURN g" | |
} | |
] | |
}, | |
{ | |
"name": "---------------------------- Kerberos-related Queries ----------------------------", | |
"queryList": [ | |
{ | |
"final": true, | |
"query": "" | |
} | |
] | |
}, | |
{ | |
"name": "Find Kerberoastable users who have administrative rights", | |
"queryList": [ | |
{ | |
"final": true, | |
"query": "MATCH (u {hasspn:true})-[:AdminTo*]->(:Computer) RETURN u" | |
} | |
] | |
}, | |
{ | |
"name": "Find Kerberoastable users who are members of high-value groups", | |
"queryList": [ | |
{ | |
"final": true, | |
"query": "MATCH p=shortestPath((:User {hasspn:true})-[:MemberOf*1..]->(:Group {highvalue:true})) RETURN p" | |
} | |
] | |
}, | |
{ | |
"name": "Find Kerberoastable users with a path to Domain Admin", | |
"queryList": [ | |
{ | |
"final": true, | |
"query": "MATCH p=shortestPath((:User {hasspn:true})-[*1..]->(g:Group)) WHERE g.objectid =~ $domainAdminId RETURN p", | |
"props": { | |
"domainAdminId": "(?i)S-1-5-.*-512" | |
} | |
} | |
] | |
}, | |
{ | |
"name": "List all Kerberoastable users", | |
"queryList": [ | |
{ | |
"final": true, | |
"query": "MATCH (u:User {hasspn: true}) RETURN u" | |
} | |
] | |
}, | |
{ | |
"name": "List all users with an SPN/Find all Kerberoastable Users with passwords last set less than 5 years ago", | |
"queryList": [ | |
{ | |
"final": true, | |
"query": "MATCH (u:User {hasspn:true}) WHERE u.pwdlastset < (datetime().epochseconds - (1825 * 86400)) AND NOT u.pwdlastset IN [-1.0, 0.0] RETURN u.name, u.pwdlastset order by u.pwdlastset " | |
} | |
] | |
}, | |
{ | |
"name": "List all users with an SPN/List all Kerberoastable users with passwords last set more than 5 years ago", | |
"queryList": [ | |
{ | |
"final": true, | |
"query": "MATCH (u:User {hasspn:true}) WHERE u.pwdlastset < (datetime().epochseconds - (1825 * 86400)) and NOT u.pwdlastset IN [-1.0, 0.0] RETURN u" | |
} | |
] | |
}, | |
{ | |
"name": "List users that can be AS-REP roasted", | |
"queryList": [ | |
{ | |
"final": true, | |
"query": "MATCH (u:User {dontreqpreauth: true}) RETURN u" | |
} | |
] | |
}, | |
{ | |
"name": "----------------------------- Owned-related Queries -----------------------------", | |
"queryList": [ | |
{ | |
"final": true, | |
"query": "" | |
} | |
] | |
}, | |
{ | |
"name": "Find the shortest path to Domain Admins from an owned node", | |
"queryList": [ | |
{ | |
"final": false, | |
"query": "MATCH (g:Group) WHERE g.objectid =~ $domainAdminId RETURN g.name ORDER BY g.name DESC", | |
"props": { | |
"domainAdminId": "(?i)S-1-5-.*-512" | |
}, | |
"title": "Select a Domain Admin group..." | |
}, | |
{ | |
"final": true, | |
"query": "MATCH p=shortestPath((n {owned:true})-[*1..]->(m:Group {name:$result})) WHERE n <> m RETURN p" | |
} | |
], | |
"requireNodeSelect": true | |
}, | |
{ | |
"name": "Find the shortest path to a computer from an owned user", | |
"queryList": [ | |
{ | |
"final": true, | |
"query": "MATCH p=shortestPath((:User {owned:true})-[*1..]->(:Computer)) RETURN p" | |
} | |
] | |
}, | |
{ | |
"name": "Find the shortest path to a computer with Unconstrained Delegation enabled from an owned node", | |
"queryList": [ | |
{ | |
"final": true, | |
"query": "MATCH p=shortestPath((n {owned:true})-[*1..]->(c:Computer {unconstraineddelegation: true})) WHERE n <> c RETURN p" | |
} | |
] | |
}, | |
{ | |
"name": "Find the shortest path to a high-value node from an owned node", | |
"queryList": [ | |
{ | |
"final": true, | |
"query": "MATCH p=shortestPath((n {owned:true})-[*1..]->(m {highvalue:true})) WHERE n <> m RETURN p" | |
} | |
] | |
}, | |
{ | |
"name": "----------------------- Password/Session-related Queries -----------------------", | |
"queryList": [ | |
{ | |
"final": true, | |
"query": "" | |
} | |
] | |
}, | |
{ | |
"name": "Find all active Domain Admin sessions", | |
"queryList": [ | |
{ | |
"final": true, | |
"query": "MATCH (u:User)-[:MemberOf*]->(g:Group) WHERE g.objectid =~ $domainAdminId MATCH p=(:Computer)-[:HasSession*]->(u) RETURN p", | |
"props": { | |
"domainAdminId": "(?i)S-1-5-.*-512" | |
} | |
} | |
] | |
}, | |
{ | |
"name": "Find all sessions a user in a specific domain has", | |
"queryList": [ | |
{ | |
"final": false, | |
"query": "MATCH (d:Domain) RETURN d.name ORDER BY d.name", | |
"title": "Select source domain..." | |
}, | |
{ | |
"final": false, | |
"query": "MATCH (u:User {domain:$result}) RETURN u.name ORDER BY u.name", | |
"title": "Select source user..." | |
}, | |
{ | |
"final": true, | |
"query": "MATCH p=(:User {name:$result})-[:HasSession*]->(:Computer) RETURN p" | |
} | |
], | |
"requireNodeSelect": true | |
}, | |
{ | |
"name": "Find all users with their password in the AD", | |
"queryList": [ | |
{ | |
"final": true, | |
"query": "MATCH (u:User) WHERE u.userpassword IS NOT NULL RETURN u" | |
} | |
] | |
}, | |
{ | |
"name": "Find all users with the keyword \"pass\" in their description field", | |
"queryList": [ | |
{ | |
"final": true, | |
"query": "MATCH (u:User) WHERE u.description =~ $regex RETURN u", | |
"props": { | |
"regex": "(?i).*pass.*" | |
} | |
} | |
] | |
}, | |
{ | |
"name": "Find users that have never logged on and whose account is still active", | |
"queryList": [ | |
{ | |
"final": true, | |
"query": "MATCH (u:User {enabled:true}) WHERE u.lastlogontimestamp = -1.0 RETURN u" | |
} | |
] | |
}, | |
{ | |
"name": "-------------------------- Recon-related Queries (Basic) --------------------------", | |
"queryList": [ | |
{ | |
"final": true, | |
"query": "" | |
} | |
] | |
}, | |
{ | |
"name": "Return the name of every computer in the database where at least one SPN for the computer contains the string 'MSSQL'", | |
"queryList": [ | |
{ | |
"final": true, | |
"query": "MATCH (c:Computer) WHERE ANY (x IN c.serviceprincipalnames WHERE toUpper(x) CONTAINS 'MSSQL') RETURN c" | |
} | |
] | |
}, | |
{ | |
"name": "Show the groups of all high-value nodes", | |
"queryList": [ | |
{ | |
"final": true, | |
"query": "MATCH p=(:User)-[:MemberOf*]->(:Group {highvalue:true}) RETURN p" | |
} | |
] | |
}, | |
{ | |
"name": "View all computers (Warning: Heavy)", | |
"queryList": [ | |
{ | |
"final": true, | |
"query": "Match (c:Computer) RETURN c" | |
} | |
] | |
}, | |
{ | |
"name": "View all GPOs (Warning: Heavy)", | |
"queryList": [ | |
{ | |
"final": true, | |
"query": "Match (g:GPO) RETURN g" | |
} | |
] | |
}, | |
{ | |
"name": "View all groups (Warning: Heavy)", | |
"queryList": [ | |
{ | |
"final": true, | |
"query": "Match (g:Group) RETURN g" | |
} | |
] | |
}, | |
{ | |
"name": "View all users (Warning: Heavy)", | |
"queryList": [ | |
{ | |
"final": true, | |
"query": "Match (u:User) RETURN u" | |
} | |
] | |
}, | |
{ | |
"name": "View all groups that contain the word 'admin'", | |
"queryList": [ | |
{ | |
"final": true, | |
"query": "Match (g:Group) WHERE g.name CONTAINS 'ADMIN' RETURN g" | |
} | |
] | |
}, | |
{ | |
"name": "----------------------- Recon-related Queries (Advanced) -----------------------", | |
"queryList": [ | |
{ | |
"final": true, | |
"query": "" | |
} | |
] | |
}, | |
{ | |
"name": "----------------------------- Computer-related Queries -----------------------------", | |
"queryList": [ | |
{ | |
"final": true, | |
"query": "" | |
} | |
] | |
}, | |
{ | |
"name": "Find all computers with unsupported Operating Systems", | |
"queryList": [ | |
{ | |
"final": true, | |
"query": "MATCH (c:Computer) WHERE c.operatingsystem =~ $unsupportedOS RETURN c", | |
"props": { | |
"unsupportedOS": ".*(2000|2003|2008|xp|vista|7|me).*" | |
} | |
} | |
] | |
}, | |
{ | |
"name": "Find computers that allow Domain Users to RDP into", | |
"queryList": [ | |
{ | |
"final": true, | |
"query": "match p=(g:Group)-[:CanRDP*]->(c:Computer) WHERE g.objectid =~ $domainUserId return p", | |
"props": { | |
"domainUserId": "(?i)S-1-5-.*-513" | |
} | |
} | |
] | |
}, | |
{ | |
"name": "Find computers that allow Unconstrained Delegation that AREN'T domain controllers", | |
"queryList": [ | |
{ | |
"final": true, | |
"query": "MATCH (c1:Computer)-[:MemberOf*]->(g:Group) WHERE g.objectid =~ $domainControllerId WITH COLLECT(c1.name) AS domainControllers MATCH (c2:Computer {unconstraineddelegation:true}) WHERE NOT c2.name IN domainControllers RETURN c2", | |
"props": { | |
"domainControllerId": "(?i)S-1-5-.*-516" | |
} | |
} | |
] | |
}, | |
{ | |
"name": "Find computers with constrained delegation and the corresponding nodes they are allowed to delegate to", | |
"queryList": [ | |
{ | |
"final": true, | |
"query": "MATCH (c:Computer) WHERE c.allowedtodelegate IS NOT NULL RETURN c" | |
} | |
] | |
}, | |
{ | |
"name": "------------------------- Domain/Forest-related Queries -------------------------", | |
"queryList": [ | |
{ | |
"final": true, | |
"query": "" | |
} | |
] | |
}, | |
{ | |
"name": "Find a node from domain 'A' that can do anything to a foreign node", | |
"queryList": [ | |
{ | |
"final": false, | |
"query": "MATCH (d:Domain) RETURN d.name ORDER BY d.name", | |
"title": "Select source domain..." | |
}, | |
{ | |
"final": true, | |
"query": "MATCH p=(n:Domain {domain:$result})-[*]->(m:Domain) WHERE n <> m RETURN p" | |
} | |
], | |
"requireNodeSelect": true | |
}, | |
{ | |
"name": "Find a node in one domain that can do something to a foreign node", | |
"queryList": [ | |
{ | |
"final": true, | |
"query": "MATCH p=(n:Domain)-[*]->(m:Domain) WHERE n <> m RETURN p" | |
} | |
] | |
}, | |
{ | |
"name": "------------------------------- Group-related Queries -------------------------------", | |
"queryList": [ | |
{ | |
"final": true, | |
"query": "" | |
} | |
] | |
}, | |
{ | |
"name": "Find groups that can reset passwords (Warning: Heavy)", | |
"queryList": [ | |
{ | |
"final": true, | |
"query": "MATCH p=(:Group)-[:ForceChangePassword*]->(:User) RETURN p" | |
} | |
] | |
}, | |
{ | |
"name": "Find groups that can RDP", | |
"queryList": [ | |
{ | |
"final": true, | |
"query": "MATCH p=(:Group)-[:CanRDP*]->(:Computer) RETURN p" | |
} | |
] | |
}, | |
{ | |
"name": "Find groups that contain both users and computers", | |
"queryList": [ | |
{ | |
"final": true, | |
"query": "MATCH (:Computer)-[:MemberOf*]->(groupsWithComps:Group) WITH groupsWithComps MATCH (:User)-[:MemberOf*]->(groupsWithComps) RETURN DISTINCT(groupsWithComps) as groupsWithCompsAndUsers" | |
} | |
] | |
}, | |
{ | |
"name": "Find groups that have local admin rights (Warning: Heavy)", | |
"queryList": [ | |
{ | |
"final": true, | |
"query": "MATCH p=(:Group)-[:AdminTo*]->(:Computer) RETURN p" | |
} | |
] | |
}, | |
{ | |
"name": "Find rights that members of the Domain Users group should not have on computers", | |
"queryList": [ | |
{ | |
"final": true, | |
"query": "MATCH p=(g:Group)-[:Owns|WriteDacl|GenericAll|WriteOwner|ExecuteDCOM|GenericWrite|AllowedToDelegate|ForceChangePassword*]->(:Computer) WHERE g.objectid =~ $domainUserId RETURN p", | |
"props": { | |
"domainUserId": "(?i)S-1-5-.*-513" | |
} | |
} | |
] | |
}, | |
{ | |
"name": "-------------------------------- User-related Queries --------------------------------", | |
"queryList": [ | |
{ | |
"final": true, | |
"query": "" | |
} | |
] | |
}, | |
{ | |
"name": "Find all users that are part of the VPN group", | |
"queryList": [ | |
{ | |
"final": true, | |
"query": "Match p=(:User)-[:MemberOf*]->(g:Group) WHERE toUPPER (g.name) CONTAINS 'VPN' return p" | |
} | |
] | |
}, | |
{ | |
"name": "Find all users that have local admin rights", | |
"queryList": [ | |
{ | |
"final": true, | |
"query": "MATCH p=(:User)-[:AdminTo*]->(:Computer) RETURN p" | |
} | |
] | |
}, | |
{ | |
"name": "Find constrained delegation", | |
"queryList": [ | |
{ | |
"final": true, | |
"query": "MATCH p=(:User)-[:AllowedToDelegate*]->(:Computer) RETURN p" | |
} | |
] | |
}, | |
{ | |
"name": "Find if any domain user has interesting permissions against a GPO (Warning: Heavy)", | |
"queryList": [ | |
{ | |
"final": true, | |
"query": "MATCH p=(:User)-[:AllExtendedRights|GenericAll|GenericWrite|Owns|WriteDacl|WriteOwner|GpLink*]->(:GPO) RETURN p" | |
} | |
] | |
}, | |
{ | |
"name": "Find if unprivileged users have rights to add members into groups", | |
"queryList": [ | |
{ | |
"final": true, | |
"query": "MATCH p=shortestPath((:User {admincount:False})-[:AddMember*1..]->(:Group)) RETURN p" | |
} | |
] | |
}, | |
{ | |
"name": "List all users with password not required", | |
"queryList": [ | |
{ | |
"final": true, | |
"query": "MATCH (u:User {passwordnotreqd:true}) RETURN u" | |
} | |
] | |
}, | |
{ | |
"name": "List the groups of all users with password not required", | |
"queryList": [ | |
{ | |
"final": true, | |
"query": "MATCH p=(:User {passwordnotreqd:true})-[:MemberOf*]->(:Group) RETURN p" | |
} | |
] | |
}, | |
{ | |
"name": "Find more privileged groups", | |
"category": "High Value Targets", | |
"queryList": [ | |
{ | |
"final": true, | |
"query": "MATCH (g:Group) WHERE g.objectid =~ '.*-(512|517|518|519|520|521|522|526|527|(?i)S-1-5-32-(544|547|548|549|550|551|552|556|557|580)|(?i)S-1-5-9)$' OR toUpper(g.samaccountname) = 'DNSADMINS' RETURN g" | |
} | |
] | |
}, | |
{ | |
"name": "(Warning: edits the DB) Mark more privileged groups as HVT", | |
"category": "High Value Targets", | |
"queryList": [ | |
{ | |
"final": true, | |
"query": "MATCH (g:Group) WHERE g.objectid =~ '.*-(512|517|518|519|520|521|522|526|527|(?i)S-1-5-32-(544|547|548|549|550|551|552|556|557|580)|(?i)S-1-5-9)$' OR toUpper(g.samaccountname) = 'DNSADMINS' SET g.highvalue=TRUE RETURN g" | |
} | |
] | |
}, | |
{ | |
"name": "Find low value members of High Value Target Groups (1 hop)", | |
"category": "High Value Targets", | |
"queryList": [ | |
{ | |
"final": true, | |
"query": "MATCH p=(m {highvalue: FALSE})-[:MemberOf]->(g:Group {highvalue: TRUE}) RETURN p" | |
} | |
] | |
}, | |
{ | |
"name": "(Warning: edits the DB) Mark low value members of High Value Target Groups as HVT (1 hop)", | |
"category": "High Value Targets", | |
"queryList": [ | |
{ | |
"final": true, | |
"query": "MATCH p=(o {highvalue: FALSE})-[:MemberOf]->(g:Group {highvalue: TRUE}) SET o.highvalue=TRUE RETURN p" | |
} | |
] | |
}, | |
{ | |
"name": "Find objects containing names of some tier 0 software (SCCM, Veeam, ...)", | |
"category": "High Value Targets", | |
"queryList": [ | |
{ | |
"final": true, | |
"query": "MATCH (o) WHERE (o.samaccountname =~ '(?i).*(?:sccm|veeam|boomgar|tivoli|altiris|varonis|vcenter|vsphere|esx).*') RETURN o" | |
} | |
] | |
}, | |
{ | |
"name": "(Warning: edits the DB) Mark objects containing names of some tier 0 software (SCCM, Veeam, ...) as HVT", | |
"category": "High Value Targets", | |
"queryList": [ | |
{ | |
"final": true, | |
"query": "MATCH (o) WHERE (o.samaccountname =~ '(?i).*(?:sccm|veeam|boomgar|tivoli|altiris|varonis|vcenter|vsphere|esx).*') SET o.highvalue=TRUE RETURN o" | |
} | |
] | |
}, | |
{ | |
"name": "Find low value objects with ACLs on high value objects (1 hop, max 200, Heavy)", | |
"category": "High Value Targets", | |
"queryList": [ | |
{ | |
"final": true, | |
"query": "MATCH p=((a {highvalue: FALSE})-[r]->(b {highvalue: TRUE})) WHERE NOT (type(r) = 'Contains') RETURN p LIMIT 200" | |
} | |
] | |
}, | |
{ | |
"name": "(Warning: edits the DB) Mark low value objects with ACLs on high value objects as HVT (1 hop, max 200, Heavy)", | |
"category": "High Value Targets", | |
"queryList": [ | |
{ | |
"final": true, | |
"query": "MATCH p=((a {highvalue: FALSE})-[r]->(b {highvalue: TRUE})) WHERE NOT (type(r) = 'Contains') SET a.highvalue=TRUE RETURN p LIMIT 200" | |
} | |
] | |
}, | |
{ | |
"name": "Owned objects", | |
"category": "Owned Objects", | |
"queryList": [ | |
{ | |
"final": true, | |
"query": "MATCH (m) WHERE m.owned=TRUE RETURN m" | |
} | |
] | |
}, | |
{ | |
"name": "Direct groups of owned users", | |
"category": "Owned Objects", | |
"queryList": [ | |
{ | |
"final": true, | |
"query": "MATCH (u:User {owned:true}), (g:Group), p=(u)-[:MemberOf]->(g) RETURN p", | |
"props": { | |
}, | |
"allowCollapse": true | |
} | |
] | |
}, | |
{ | |
"name": "Unrolled groups of owned users", | |
"category": "Owned Objects", | |
"queryList": [ | |
{ | |
"final": true, | |
"query": "MATCH (m:User) WHERE m.owned=TRUE WITH m MATCH p=(m)-[:MemberOf*1..]->(n:Group) RETURN p" | |
} | |
] | |
}, | |
{ | |
"name": "Shortest paths from owned objects to High Value Targets (5 hops)", | |
"category": "Owned Objects", | |
"queryList": [ | |
{ | |
"final": true, | |
"query": "MATCH p=shortestPath((n {owned:true})-[:MemberOf|HasSession|AdminTo|AllExtendedRights|AddMember|ForceChangePassword|GenericAll|GenericWrite|Owns|WriteDacl|WriteOwner|CanRDP|ExecuteDCOM|AllowedToDelegate|ReadLAPSPassword|Contains|GpLink|AddAllowedToAct|AllowedToAct|SQLAdmin|ReadGMSAPassword|HasSIDHistory|CanPSRemote*1..5]->(m {highvalue:true})) WHERE NOT n=m RETURN p", | |
"allowCollapse": true | |
} | |
] | |
}, | |
{ | |
"name": "Most exploitable paths from owned objects to High Value Targets (5 hops)", | |
"category": "Owned Objects", | |
"queryList": [ | |
{ | |
"final": true, | |
"query": "MATCH p=allShortestPaths((n {owned:true})-[:MemberOf|AdminTo|AllExtendedRights|AddMember|ForceChangePassword|GenericAll|GenericWrite|Owns|WriteDacl|WriteOwner|ExecuteDCOM|AllowedToDelegate|ReadLAPSPassword|Contains|GpLink|AddAllowedToAct|AllowedToAct|SQLAdmin|ReadGMSAPassword|HasSIDHistory*1..5]->(m {highvalue:true})) WHERE NOT n=m RETURN p", | |
"allowCollapse": true | |
} | |
] | |
}, | |
{ | |
"name": "Next steps (5 hops) from owned objects", | |
"category": "Owned Objects", | |
"queryList": [ | |
{ | |
"final": true, | |
"query": "MATCH p=shortestPath((c {owned: true})-[*1..5]->(s)) WHERE NOT c = s RETURN p" | |
} | |
] | |
}, | |
{ | |
"name": "Next steps (3 hops) from owned objects", | |
"category": "Owned Objects", | |
"queryList": [ | |
{ | |
"final": true, | |
"query": "MATCH p=shortestPath((c {owned: true})-[*1..3]->(s)) WHERE NOT c = s RETURN p" | |
} | |
] | |
}, | |
{ | |
"name": "Owned users with permissions against GPOs", | |
"category": "Owned Objects", | |
"queryList": [ | |
{ | |
"final": true, | |
"query": "MATCH p=(u:User {owned:true})-[r:AllExtendedRights|GenericAll|GenericWrite|Owns|WriteDacl|WriteOwner|GpLink*1..]->(g:GPO) RETURN p" | |
} | |
] | |
}, | |
{ | |
"name": "Connections between different domains/forests", | |
"category": "Domains/Forests", | |
"queryList": [ | |
{ | |
"final": true, | |
"query": "MATCH p = (a)-[r]->(b) WHERE NOT a.domain = b.domain RETURN p" | |
} | |
] | |
}, | |
{ | |
"name": "Connections (ACEs only) between different domains/forests", | |
"category": "Domains/Forests", | |
"queryList": [ | |
{ | |
"final": true, | |
"query": "MATCH p = (a)-[r]->(b) WHERE NOT a.domain = b.domain AND r.isacl = True RETURN p" | |
} | |
] | |
}, | |
{ | |
"name": "Can a user from domain A do anything to any computer in domain B (Warning: VERY Heavy)", | |
"category": "Domains/Forests", | |
"queryList": [ | |
{ | |
"final": false, | |
"title": "Select source domain...", | |
"query": "MATCH (n:Domain) RETURN n.name ORDER BY n.name DESC" | |
}, | |
{ | |
"final": false, | |
"title": "Select destination domain...", | |
"query": "MATCH (n:Domain) RETURN $result + '=>' + n.name ORDER BY n.name DESC" | |
}, | |
{ | |
"final": true, | |
"query": "WITH split($result, \"=>\") as selectedDomains WITH selectedDomains[0] as sourceDomain, selectedDomains[1] as destDomain MATCH (n:User {domain: sourceDomain}) MATCH (m:Computer {domain: destDomain}) MATCH p=allShortestPaths((n)-[r:MemberOf|HasSession|AdminTo|AllExtendedRights|AddMember|ForceChangePassword|GenericAll|GenericWrite|Owns|WriteDacl|WriteOwner|CanRDP|ExecuteDCOM|AllowedToDelegate|ReadLAPSPassword|Contains|GpLink|AddAllowedToAct|AllowedToAct|SQLAdmin*1..]->(m)) WHERE NOT n = m RETURN p", | |
"startNode": "{}", | |
"allowCollapse": false | |
} | |
] | |
}, | |
{ | |
"name": "Kerberoastable users with a path to DA", | |
"category": "Roasting", | |
"queryList": [ | |
{ | |
"final": true, | |
"query": "MATCH (u:User {hasspn:true}) MATCH (g:Group) WHERE g.objectid ENDS WITH '-512' MATCH p = shortestPath( (u)-[*1..]->(g) ) RETURN p" | |
} | |
] | |
}, | |
{ | |
"name": "Kerberoastable users with a path to High Value", | |
"category": "Roasting", | |
"queryList": [ | |
{ | |
"final": true, | |
"query": "MATCH (u:User {hasspn:true}),(n {highvalue:true}),p = shortestPath( (u)-[*1..]->(n) ) RETURN p" | |
} | |
] | |
}, | |
{ | |
"name": "Kerberoastable users and where they are AdminTo", | |
"category": "Roasting", | |
"queryList": [ | |
{ | |
"final": true, | |
"query": "MATCH (u:User {hasspn:true}) OPTIONAL MATCH p=(u)-[:AdminTo]->(c:Computer) RETURN u, p" | |
} | |
] | |
}, | |
{ | |
"name": "Kerberoastable users who are members of high value groups", | |
"category": "Roasting", | |
"queryList": [ | |
{ | |
"final": true, | |
"query": "MATCH (u:User)-[r:MemberOf*1..]->(g:Group) WHERE g.highvalue=true AND u.hasspn=true RETURN u" | |
} | |
] | |
}, | |
{ | |
"name": "Kerberoastable users with passwords last set > 5 years ago", | |
"category": "Roasting", | |
"queryList": [ | |
{ | |
"final": true, | |
"query": "MATCH (u:User) WHERE u.hasspn=true AND u.pwdlastset < (datetime().epochseconds - (1825 * 86400)) AND NOT u.pwdlastset IN [-1.0, 0.0] RETURN u" | |
} | |
] | |
}, | |
{ | |
"name": "Kerberoastable Users", | |
"category": "Roasting", | |
"queryList": [ | |
{ | |
"final": true, | |
"query": "MATCH (n:User)WHERE n.hasspn=true RETURN n", | |
"allowCollapse": false | |
} | |
] | |
}, | |
{ | |
"name": "AS-REProastable Users", | |
"category": "Roasting", | |
"queryList": [ | |
{ | |
"final": true, | |
"query": "MATCH (u:User {dontreqpreauth: true}) RETURN u" | |
} | |
] | |
}, | |
{ | |
"name": "Unconstrained Delegations", | |
"category": "Kerberos Delegations", | |
"queryList": [ | |
{ | |
"final": true, | |
"query": "MATCH (c {unconstraineddelegation:true}) RETURN c" | |
} | |
] | |
}, | |
{ | |
"name": "Constrained Delegations (with Protocol Transition)", | |
"category": "Kerberos Delegations", | |
"queryList": [ | |
{ | |
"final": true, | |
"query": "MATCH (c) WHERE NOT c.allowedtodelegate IS NULL AND c.trustedtoauth=true RETURN c" | |
} | |
] | |
}, | |
{ | |
"name": "Constrained Delegations (without Protocol Transition)", | |
"category": "Kerberos Delegations", | |
"queryList": [ | |
{ | |
"final": true, | |
"query": "MATCH (c) WHERE NOT c.allowedtodelegate IS NULL AND c.trustedtoauth=false RETURN c" | |
} | |
] | |
}, | |
{ | |
"name": "Resource-Based Constrained Delegations", | |
"category": "Kerberos Delegations", | |
"queryList": [ | |
{ | |
"final": true, | |
"query": "MATCH p=(u)-[:AllowedToAct]->(c) RETURN p" | |
} | |
] | |
}, | |
{ | |
"name": "Unconstrained Delegation systems (without domain controllers)", | |
"category": "Kerberos Delegations", | |
"queryList": [ | |
{ | |
"final": true, | |
"query": "MATCH (c1:Computer)-[:MemberOf*1..]->(g:Group) WHERE g.objectid ENDS WITH '-516' WITH COLLECT(c1.name) AS domainControllers MATCH (c2 {unconstraineddelegation:true}) WHERE NOT c2.name IN domainControllers RETURN c2" | |
} | |
] | |
}, | |
{ | |
"name": "(Warning: edits the DB) Mark unconstrained delegation systems as high value targets", | |
"category": "Kerberos Delegations", | |
"queryList": [ | |
{ | |
"final": true, | |
"query": "MATCH (c1:Computer)-[:MemberOf*1..]->(g:Group) WHERE g.objectid ENDS WITH '-516' WITH COLLECT(c1.name) AS domainControllers MATCH (c2 {unconstraineddelegation:true}) WHERE NOT c2.name IN domainControllers SET c2.highvalue = true RETURN c2" | |
} | |
] | |
}, | |
{ | |
"name": "Shortest paths from owned principals to unconstrained delegation systems", | |
"category": "Kerberos Delegations", | |
"queryList": [ | |
{ | |
"final": true, | |
"query": "MATCH (n {owned:true}) MATCH p=shortestPath((n)-[:MemberOf|HasSession|AdminTo|AllExtendedRights|AddMember|ForceChangePassword|GenericAll|GenericWrite|Owns|WriteDacl|WriteOwner|ExecuteDCOM|AllowedToDelegate|ReadLAPSPassword|Contains|GpLink|AddAllowedToAct|AllowedToAct|SQLAdmin|ReadGMSAPassword|HasSIDHistory|CanPSRemote*1..]->(m:Computer {unconstraineddelegation: true})) WHERE NOT n=m RETURN p" | |
} | |
] | |
}, | |
{ | |
"name": "Between users (1 hop, max 200)", | |
"category": "Weak ACLs", | |
"queryList": [ | |
{ | |
"final": true, | |
"query": "MATCH p=(u1:User { enabled: TRUE } )-[:AllExtendedRights|AddMember|ForceChangePassword|GenericAll|GenericWrite|Owns|WriteDacl|WriteOwner|AddSelf|WriteSPN|AddKeyCredentialLink]->(u2:User) WHERE NOT(u1.name STARTS WITH 'MSOL_') RETURN p LIMIT 200" | |
} | |
] | |
}, | |
{ | |
"name": "Between users (3 hops, max 200)", | |
"category": "Weak ACLs", | |
"queryList": [ | |
{ | |
"final": true, | |
"query": "MATCH p=(u1:User { enabled: TRUE } )-[:AllExtendedRights|AddMember|ForceChangePassword|GenericAll|GenericWrite|Owns|WriteDacl|WriteOwner|AddSelf|WriteSPN|AddKeyCredentialLink*1..3]->(u2:User) WHERE NOT(u1.name STARTS WITH 'MSOL_') RETURN p LIMIT 200" | |
} | |
] | |
}, | |
{ | |
"name": "Between computers (1 hop, max 200)", | |
"category": "Weak ACLs", | |
"queryList": [ | |
{ | |
"final": true, | |
"query": "MATCH p=(c1:Computer {enabled: TRUE})-[:AllExtendedRights|AddMember|ForceChangePassword|GenericAll|GenericWrite|Owns|WriteDacl|WriteOwner|AddSelf|WriteSPN|AddKeyCredentialLink]->(c2:Computer) WHERE NOT(c1.name STARTS WITH 'MSOL_') RETURN p LIMIT 200" | |
} | |
] | |
}, | |
{ | |
"name": "Between computers (3 hops, max 200)", | |
"category": "Weak ACLs", | |
"queryList": [ | |
{ | |
"final": true, | |
"query": "MATCH p=(c1:Computer {enabled: TRUE})-[:AllExtendedRights|AddMember|ForceChangePassword|GenericAll|GenericWrite|Owns|WriteDacl|WriteOwner|AddSelf|WriteSPN|AddKeyCredentialLink*1..3]->(c2:Computer) WHERE NOT(c1.name STARTS WITH 'MSOL_') RETURN p LIMIT 200" | |
} | |
] | |
}, | |
{ | |
"name": "Find computers admin to other computers", | |
"category": "Weak ACLs", | |
"queryList": [ | |
{ | |
"final": true, | |
"query": "MATCH p = (c1:Computer)-[r1:AdminTo]->(c2:Computer) RETURN p UNION ALL MATCH p = (c3:Computer)-[r2:MemberOf*1..]->(g:Group)-[r3:AdminTo]->(c4:Computer) RETURN p" | |
} | |
] | |
}, | |
{ | |
"name": "Between enabled users and computers (1 hop, max 200)", | |
"category": "Weak ACLs", | |
"queryList": [ | |
{ | |
"final": true, | |
"query": "MATCH p=(u:User {enabled: TRUE})-[:AllExtendedRights|AddMember|ForceChangePassword|GenericAll|GenericWrite|Owns|WriteDacl|WriteOwner|AddSelf|WriteSPN|AddKeyCredentialLink]->(c:Computer) WHERE NOT(u.name STARTS WITH 'MSOL_') RETURN p LIMIT 200" | |
} | |
] | |
}, | |
{ | |
"name": "Between enabled users and computers (3 hops, max 200)", | |
"category": "Weak ACLs", | |
"queryList": [ | |
{ | |
"final": true, | |
"query": "MATCH p=(u:User {enabled: TRUE})-[:AllExtendedRights|AddMember|ForceChangePassword|GenericAll|GenericWrite|Owns|WriteDacl|WriteOwner|AddSelf|WriteSPN|AddKeyCredentialLink*1..3]->(c:Computer) WHERE NOT(u.name STARTS WITH 'MSOL_') RETURN p LIMIT 200" | |
} | |
] | |
}, | |
{ | |
"name": "Between enabled computers and users (1 hop, max 200)", | |
"category": "Weak ACLs", | |
"queryList": [ | |
{ | |
"final": true, | |
"query": "MATCH p=(c:Computer {enabled: TRUE})-[:AllExtendedRights|AddMember|ForceChangePassword|GenericAll|GenericWrite|Owns|WriteDacl|WriteOwner|AddSelf|WriteSPN|AddKeyCredentialLink]->(u:User) WHERE NOT(u.name STARTS WITH 'MSOL_') RETURN p LIMIT 200" | |
} | |
] | |
}, | |
{ | |
"name": "Between enabled computers and users (3 hops, max 200)", | |
"category": "Weak ACLs", | |
"queryList": [ | |
{ | |
"final": true, | |
"query": "MATCH p=(c:Computer {enabled: TRUE})-[:AllExtendedRights|AddMember|ForceChangePassword|GenericAll|GenericWrite|Owns|WriteDacl|WriteOwner|AddSelf|WriteSPN|AddKeyCredentialLink*1..3]->(u:User) WHERE NOT(u.name STARTS WITH 'MSOL_') RETURN p LIMIT 200" | |
} | |
] | |
}, | |
{ | |
"name": "Objects with the AddAllowedToAct or WriteAccountRestrictions right on an enabled computer", | |
"category": "Weak ACLs", | |
"queryList": [ | |
{ | |
"final": true, | |
"query": "MATCH p=(g {enabled: TRUE})-[:AddAllowedToAct|WriteAccountRestrictions]->(c:Computer {enabled: TRUE}) RETURN p" | |
} | |
] | |
}, | |
{ | |
"name": "Miscellaneous direct ACLs from enabled objects (1 hop, max 200)", | |
"category": "Weak ACLs", | |
"queryList": [ | |
{ | |
"final": true, | |
"query": "MATCH p=(u1 {enabled: TRUE})-[:AllExtendedRights|AddMember|ForceChangePassword|GenericAll|GenericWrite|Owns|WriteDacl|WriteOwner|AddSelf|WriteSPN|AddKeyCredentialLink|Enroll|ManageCa|ManageCertificates]->(u2) WHERE NOT(u1.name STARTS WITH 'MSOL_') AND NOT(u2.name STARTS WITH 'MSOL_') AND NOT(u1.name CONTAINS 'ADMIN') AND NOT(u2.name CONTAINS 'ADMIN') RETURN p LIMIT 200" | |
} | |
] | |
}, | |
{ | |
"name": "Miscellaneous direct ACLs from enabled objects (3 hops, max 200)", | |
"category": "Weak ACLs", | |
"queryList": [ | |
{ | |
"final": true, | |
"query": "MATCH p=(u1 {enabled: TRUE})-[:AllExtendedRights|AddMember|ForceChangePassword|GenericAll|GenericWrite|Owns|WriteDacl|WriteOwner|AddSelf|WriteSPN|AddKeyCredentialLink|Enroll|ManageCa|ManageCertificates*1..3]->(u2) WHERE NOT(u1.name STARTS WITH 'MSOL_') AND NOT(u2.name STARTS WITH 'MSOL_') AND NOT(u1.name CONTAINS 'ADMIN') AND NOT(u2.name CONTAINS 'ADMIN') RETURN p LIMIT 200" | |
} | |
] | |
}, | |
{ | |
"name": "Logged in Admins", | |
"category": "Admins", | |
"queryList": [ | |
{ | |
"final": true, | |
"query": "MATCH p=(a:Computer {enabled: TRUE})-[r:HasSession]->(b:User {enabled: TRUE}) WITH a,b,r MATCH p=shortestPath((b)-[:AdminTo|MemberOf*1..]->(a)) RETURN p", | |
"allowCollapse": true | |
} | |
] | |
}, | |
{ | |
"name": "Users with local admin rights", | |
"category": "Admins", | |
"queryList": [ | |
{ | |
"final": true, | |
"query": "MATCH p=(m:User {enabled: TRUE})-[r:AdminTo]->(n:Computer {enabled: TRUE}) RETURN p" | |
} | |
] | |
}, | |
{ | |
"name": "Domain admins sessions", | |
"category": "Admins", | |
"queryList": [ | |
{ | |
"final": true, | |
"query": "MATCH (n:User {enabled: TRUE})-[:MemberOf]->(g:Group) WHERE g.objectid ENDS WITH '-512' MATCH p = (c:Computer {enabled: TRUE})-[:HasSession]->(n) RETURN p" | |
} | |
] | |
}, | |
{ | |
"name": "Privileged users sessions", | |
"category": "Admins", | |
"queryList": [ | |
{ | |
"final": true, | |
"query": "MATCH (n:User {enabled: TRUE})-[:MemberOf*1..]->(g:Group {highvalue: TRUE}) MATCH p = (c:Computer {enabled: TRUE})-[:HasSession]->(n) RETURN p" | |
} | |
] | |
}, | |
{ | |
"name": "Users with adminCount, not sensitive for delegation, not members of Protected Users", | |
"category": "Admins", | |
"queryList": [ | |
{ | |
"final": true, | |
"query": "MATCH (u)-[:MemberOf*1..]->(g:Group) WHERE g.objectid =~ \"(?i)S-1-5-.*-525\" WITH COLLECT (u.name) as protectedUsers MATCH p=(u2:User)-[:MemberOf*1..3]->(g2:Group) WHERE u2.admincount=true AND u2.sensitive=false AND NOT u2.name IN protectedUsers RETURN p" | |
} | |
] | |
}, | |
{ | |
"name": "Enabled Domain/Enterprise Administrators, not sensitive for delegation and not members of Protected Users", | |
"category": "Admins", | |
"queryList": [ | |
{ | |
"final": true, | |
"query": "MATCH (u:User {enabled: TRUE, admincount: TRUE})-[:MemberOf*1..]->(g:Group) WHERE g.objectid =~ '.*-525$' WITH COLLECT(u.objectid) as protectedUsers MATCH p=(u2:User {enabled: TRUE, admincount: TRUE, sensitive: FALSE})-[:MemberOf*1..]->(g2:Group) WHERE NOT u2.objectid IN protectedUsers AND g2.objectid =~ '.*-(512|519|(?i)S-1-5-32-544)$' RETURN p" | |
} | |
] | |
}, | |
{ | |
"name": "Enabled users, members of high value groups, not sensitive for delegation and not members of Protected Users (Heavy)", | |
"category": "Admins", | |
"queryList": [ | |
{ | |
"final": true, | |
"query": "MATCH (u:User {enabled: TRUE, admincount: TRUE})-[:MemberOf*1..]->(g:Group) WHERE g.objectid =~ '.*-525$' WITH COLLECT (u.objectid) as protectedUsers MATCH p=(u2:User {enabled: TRUE, sensitive: FALSE})-[:MemberOf*1..]->(g2:Group {highvalue: TRUE}) WHERE NOT u2.objectid IN protectedUsers RETURN p" | |
} | |
] | |
}, | |
{ | |
"name": "Groups that contain the word 'admin'", | |
"category": "Groups", | |
"queryList": [ | |
{ | |
"final": true, | |
"query": "Match (n:Group) WHERE n.name CONTAINS 'ADMIN' RETURN n" | |
} | |
] | |
}, | |
{ | |
"name": "Groups that can change user passwords", | |
"category": "Groups", | |
"queryList": [ | |
{ | |
"final": true, | |
"query": "MATCH p=(m:Group)-[r:ForceChangePassword]->(n:User) RETURN DISTINCT m.name, COUNT(m.name) ORDER BY COUNT(m.name) DESC" | |
} | |
] | |
}, | |
{ | |
"name": "Groups of High Value Targets", | |
"category": "Groups", | |
"queryList": [ | |
{ | |
"final": true, | |
"query": "MATCH p=(n:User)-[r:MemberOf*1..]->(m:Group {highvalue:true}) RETURN p" | |
} | |
] | |
}, | |
{ | |
"name": "Non Admin Groups with High Value Privileges", | |
"category": "Groups", | |
"queryList": [ | |
{ | |
"final": true, | |
"query": "MATCH p=(g:Group)-[r:Owns|WriteDacl|GenericAll|WriteOwner|ExecuteDCOM|GenericWrite|AllowedToDelegate|ForceChangePassword]->(n:Computer) WHERE NOT g.name CONTAINS 'ADMIN' RETURN p", | |
"allowCollapse": true | |
} | |
] | |
}, | |
{ | |
"name": "Groups with Computer and User Objects", | |
"category": "Groups", | |
"queryList": [ | |
{ | |
"final": true, | |
"query": "MATCH (c:Computer)-[r:MemberOf*1..]->(groupsWithComps:Group) WITH groupsWithComps MATCH (u:User)-[r:MemberOf*1..]->(groupsWithComps) RETURN DISTINCT(groupsWithComps) as groupsWithCompsAndUsers", | |
"allowCollapse": true, | |
"endNode": "{}" | |
} | |
] | |
}, | |
{ | |
"name": "Groups that can reset passwords (Warning: Heavy)", | |
"category": "Groups", | |
"queryList": [ | |
{ | |
"final": true, | |
"query": "MATCH p=(m:Group)-[r:ForceChangePassword]->(n:User) RETURN p" | |
} | |
] | |
}, | |
{ | |
"name": "Groups that have local admin rights (Warning: Heavy)", | |
"category": "Groups", | |
"queryList": [ | |
{ | |
"final": true, | |
"query": "MATCH p=(m:Group)-[r:AdminTo]->(n:Computer) RETURN p" | |
} | |
] | |
}, | |
{ | |
"name": "Users never logged on and account still active", | |
"category": "Users", | |
"queryList": [ | |
{ | |
"final": true, | |
"query": "MATCH (n:User) WHERE n.lastlogontimestamp=-1.0 AND n.enabled=TRUE RETURN n " | |
} | |
] | |
}, | |
{ | |
"name": "Users with last logon more than 90 days ago (uses non-replicated lastlogon)", | |
"category": "Users", | |
"queryList": [ | |
{ | |
"final": true, | |
"query": "MATCH (u:User) WHERE u.lastlogon < (datetime().epochseconds - (90 * 86400)) and NOT u.lastlogon IN [-1.0, 0.0] RETURN u" | |
} | |
] | |
}, | |
{ | |
"name": "Users with passwords last set more than 90 days ago", | |
"category": "Users", | |
"queryList": [ | |
{ | |
"final": true, | |
"query": "MATCH (u:User) WHERE u.pwdlastset < (datetime().epochseconds - (90 * 86400)) and NOT u.pwdlastset IN [-1.0, 0.0] RETURN u" | |
} | |
] | |
}, | |
{ | |
"name": "Find if unprivileged users have rights to add members into groups", | |
"category": "Users", | |
"queryList": [ | |
{ | |
"final": true, | |
"query": "MATCH (n:User {admincount:False}) MATCH p=allShortestPaths((n)-[r:AddMember*1..]->(m:Group)) RETURN p" | |
} | |
] | |
}, | |
{ | |
"name": "Find all users a part of the VPN group", | |
"category": "Users", | |
"queryList": [ | |
{ | |
"final": true, | |
"query": "Match p=(u:User)-[:MemberOf]->(g:Group) WHERE toUPPER (g.name) CONTAINS 'VPN' RETURN p" | |
} | |
] | |
}, | |
{ | |
"name": "View all GPOs", | |
"category": "GPOs", | |
"queryList": [ | |
{ | |
"final": true, | |
"query": "MATCH (g:GPO) RETURN g" | |
} | |
] | |
}, | |
{ | |
"name": "(Warning: edits the DB) Mark all GPOs as High Value Target", | |
"category": "GPOs", | |
"queryList": [ | |
{ | |
"final": true, | |
"query": "MATCH (g:GPO) SET g.highvalue=TRUE RETURN g" | |
} | |
] | |
}, | |
{ | |
"name": "Find if any low value object has interesting permissions against a GPO (1 hop)", | |
"category": "GPOs", | |
"queryList": [ | |
{ | |
"final": true, | |
"query": "MATCH p=(o {highvalue: FALSE})-[:AllExtendedRights|GenericAll|GenericWrite|Owns|WriteDacl|WriteOwner|GpLink]->(g:GPO) RETURN p" | |
} | |
] | |
}, | |
{ | |
"name": "(Warning: edits the DB) Mark any low value object with interesting permissions against a GPO as HVT (1 hop)", | |
"category": "GPOs", | |
"queryList": [ | |
{ | |
"final": true, | |
"query": "MATCH p=(o {highvalue: FALSE})-[:AllExtendedRights|GenericAll|GenericWrite|Owns|WriteDacl|WriteOwner|GpLink]->(g:GPO) SET o.highvalue=TRUE RETURN p" | |
} | |
] | |
}, | |
{ | |
"name": "Find if any domain user has interesting permissions against a GPO (Warning: Heavy)", | |
"category": "GPOs", | |
"queryList": [ | |
{ | |
"final": true, | |
"query": "MATCH p=(u:User)-[r:AllExtendedRights|GenericAll|GenericWrite|Owns|WriteDacl|WriteOwner|GpLink*1..]->(g:GPO) RETURN p" | |
} | |
] | |
}, | |
{ | |
"name": "Find all computers running with Windows XP", | |
"category": "Outdated OS", | |
"queryList": [ | |
{ | |
"final": true, | |
"query": "MATCH (c:Computer) WHERE toUpper(c.operatingsystem) CONTAINS 'XP' RETURN c" | |
} | |
] | |
}, | |
{ | |
"name": "Find all computers running with Windows 2000", | |
"category": "Outdated OS", | |
"queryList": [ | |
{ | |
"final": true, | |
"query": "MATCH (c:Computer) WHERE toUpper(c.operatingsystem) CONTAINS '2000' RETURN c" | |
} | |
] | |
}, | |
{ | |
"name": "Find all computers running with Windows 2003", | |
"category": "Outdated OS", | |
"queryList": [ | |
{ | |
"final": true, | |
"query": "MATCH (c:Computer) WHERE toUpper(c.operatingsystem) CONTAINS '2003' RETURN c" | |
} | |
] | |
}, | |
{ | |
"name": "Find all computers running with Windows 2008", | |
"category": "Outdated OS", | |
"queryList": [ | |
{ | |
"final": true, | |
"query": "MATCH (c:Computer) WHERE toUpper(c.operatingsystem) CONTAINS '2008' RETURN c" | |
} | |
] | |
}, | |
{ | |
"name": "Find all computers running with Windows Vista", | |
"category": "Outdated OS", | |
"queryList": [ | |
{ | |
"final": true, | |
"query": "MATCH (c:Computer) WHERE toUpper(c.operatingsystem) CONTAINS 'VISTA' RETURN c" | |
} | |
] | |
}, | |
{ | |
"name": "Find all computers running with Windows 7", | |
"category": "Outdated OS", | |
"queryList": [ | |
{ | |
"final": true, | |
"query": "MATCH (c:Computer) WHERE toUpper(c.operatingsystem) CONTAINS 'WINDOWS 7' RETURN c" | |
} | |
] | |
}, | |
{ | |
"name": "Top Ten Users with Most Sessions", | |
"category": "Top Ten", | |
"queryList": [ | |
{ | |
"final": true, | |
"query": "MATCH (n:User),(m:Computer), (n)<-[r:HasSession]-(m) WHERE NOT n.name STARTS WITH 'ANONYMOUS LOGON' AND NOT n.name='' WITH n, count(r) as rel_count order by rel_count desc LIMIT 10 MATCH p=(m)-[r:HasSession]->(n) RETURN p", | |
"allowCollapse": true | |
} | |
] | |
}, | |
{ | |
"name": "Top Ten Computers with Most Sessions", | |
"category": "Top Ten", | |
"queryList": [ | |
{ | |
"final": true, | |
"query": "MATCH (n:User),(m:Computer), (n)<-[r:HasSession]-(m) WHERE NOT n.name STARTS WITH 'ANONYMOUS LOGON' AND NOT n.name='' WITH m, count(r) as rel_count order by rel_count desc LIMIT 10 MATCH p=(m)-[r:HasSession]->(n) RETURN p", | |
"allowCollapse": true | |
} | |
] | |
}, | |
{ | |
"name": "Top Ten Users with Most Local Admin Rights", | |
"category": "Top Ten", | |
"queryList": [ | |
{ | |
"final": true, | |
"query": "MATCH (n:User),(m:Computer), (n)-[r:AdminTo]->(m) WHERE NOT n.name STARTS WITH 'ANONYMOUS LOGON' AND NOT n.name='' WITH n, count(r) as rel_count order by rel_count desc LIMIT 10 MATCH p=(m)<-[r:AdminTo]-(n) RETURN p", | |
"allowCollapse": true | |
} | |
] | |
}, | |
{ | |
"name": "Top Ten Computers with Most Admins and their admins", | |
"category": "Top Ten", | |
"queryList": [ | |
{ | |
"final": true, | |
"query": "MATCH (n:User),(m:Computer), (n)-[r:AdminTo]->(m) WHERE NOT n.name STARTS WITH 'ANONYMOUS LOGON' AND NOT n.name='' WITH m, count(r) as rel_count order by rel_count desc LIMIT 10 MATCH p=(m)<-[r:AdminTo]-(n) RETURN p", | |
"allowCollapse": true | |
} | |
] | |
}, | |
{ | |
"name": "Top Ten Computers with Most Admins", | |
"category": "Top Ten", | |
"queryList": [ | |
{ | |
"final": true, | |
"query": "MATCH (n:User),(m:Computer), (n)-[r:AdminTo]->(m) WHERE NOT n.name STARTS WITH 'ANONYMOUS LOGON' AND NOT n.name='' WITH m, count(r) as rel_count order by rel_count desc LIMIT 10 MATCH p=(m)<-[r:AdminTo]-(n) RETURN m", | |
"allowCollapse": true | |
} | |
] | |
}, | |
{ | |
"name": "(Warning: edits the DB) Mark Top Ten Computers with Most Admins as HVT", | |
"category": "Top Ten", | |
"queryList": [ | |
{ | |
"final": true, | |
"query": "MATCH (n:User),(m:Computer), (n)-[r:AdminTo]->(m) WHERE NOT n.name STARTS WITH 'ANONYMOUS LOGON' AND NOT n.name='' WITH m, count(r) as rel_count order by rel_count desc LIMIT 10 MATCH p=(m)<-[r:AdminTo]-(n) SET m.highvalue = true RETURN m", | |
"allowCollapse": true | |
} | |
] | |
}, | |
{ | |
"name": "Top 20 nodes with most first degree object controls", | |
"category": "Top Ten", | |
"queryList": [ | |
{ | |
"final": true, | |
"query": "MATCH p=(u)-[r1]->(n) WHERE r1.isacl = true WITH u, count(r1) AS count_ctrl ORDER BY count_ctrl DESC LIMIT 20 RETURN u", | |
"allowCollapse": true | |
} | |
] | |
}, | |
{ | |
"name": "Top 20 nodes with most group delegated object controls", | |
"category": "Top Ten", | |
"queryList": [ | |
{ | |
"final": true, | |
"query": "MATCH p=(u)-[r1:MemberOf*1..]->(g:Group)-[r2]->(n) WHERE r2.isacl=true WITH u, count(r2) AS count_ctrl ORDER BY count_ctrl DESC LIMIT 20 RETURN u", | |
"allowCollapse": true | |
} | |
] | |
}, | |
{ | |
"name": "Find machines Domain Users can RDP into", | |
"category": "RDP", | |
"queryList": [ | |
{ | |
"final": true, | |
"query": "MATCH p=(g:Group)-[:CanRDP]->(c:Computer) where g.objectid ENDS WITH '-513' RETURN p" | |
} | |
] | |
}, | |
{ | |
"name": "Find Servers Domain Users can RDP To", | |
"category": "RDP", | |
"queryList": [ | |
{ | |
"final": true, | |
"query": "MATCH p=(g:Group)-[:CanRDP]->(c:Computer) where g.name STARTS WITH 'DOMAIN USERS' AND c.operatingsystem CONTAINS 'Server' RETURN p", | |
"allowCollapse": true | |
} | |
] | |
}, | |
{ | |
"name": "Find what groups can RDP", | |
"category": "RDP", | |
"queryList": [ | |
{ | |
"final": true, | |
"query": "MATCH p=(m:Group)-[r:CanRDP]->(n:Computer) RETURN p" | |
} | |
] | |
}, | |
{ | |
"name": "Return All Azure Users that are part of the ‘Global Administrator’ Role", | |
"category": "Azure", | |
"queryList": [ | |
{ | |
"final": true, | |
"query": "MATCH p =(n)-[r:AZGlobalAdmin*1..]->(m) RETURN p" | |
} | |
] | |
}, | |
{ | |
"name": "Return All Azure Users and their Groups", | |
"category": "Azure", | |
"queryList": [ | |
{ | |
"final": true, | |
"query": "MATCH p=(m:AZUser)-[r:MemberOf]->(n) WHERE NOT m.objectid CONTAINS 'S-1-5' RETURN p" | |
} | |
] | |
}, | |
{ | |
"name": "Find objects with the ManageCa or ManageCertificates right on Certificate Authorities", | |
"category": "Certificates", | |
"queryList": [ | |
{ | |
"final": true, | |
"query": "MATCH p=(o)-[:ManageCa|ManageCertificates]->(c:GPO {type: 'Enrollment Service'}) RETURN p" | |
} | |
] | |
}, | |
{ | |
"name": "Show Enrollment Rights for Certificate Template", | |
"category": "Certificates", | |
"queryList": [ | |
{ | |
"final": false, | |
"title": "Select a Certificate Template...", | |
"query": "MATCH (n:GPO) WHERE n.type = 'Certificate Template' RETURN n.name" | |
}, | |
{ | |
"final": true, | |
"query": "MATCH p=(g)-[:Enroll|AutoEnroll]->(n:GPO {name:$result}) WHERE n.type = 'Certificate Template' RETURN p", | |
"allowCollapse": false | |
} | |
] | |
}, | |
{ | |
"name": "Show Rights for Certificate Authority", | |
"category": "Certificates", | |
"queryList": [ | |
{ | |
"final": false, | |
"title": "Select a Certificate Authority...", | |
"query": "MATCH (n:GPO) WHERE n.type = 'Enrollment Service' RETURN n.name" | |
}, | |
{ | |
"final": true, | |
"query": "MATCH p=(g)-[:ManageCa|ManageCertificates|Auditor|Operator|Read|Enroll]->(n:GPO {name:$result}) RETURN p", | |
"allowCollapse": false | |
} | |
] | |
}, | |
{ | |
"name": "Find Misconfigured Certificate Templates (ESC1)", | |
"category": "AD CS Domain Escalation", | |
"queryList": [ | |
{ | |
"final": true, | |
"query": "MATCH (n:GPO) WHERE n.type = 'Certificate Template' and n.`Enrollee Supplies Subject` = true and n.`Client Authentication` = true and n.`Enabled` = true RETURN n" | |
} | |
] | |
}, | |
{ | |
"name": "Shortest Paths to Misconfigured Certificate Templates from Owned Principals (ESC1)", | |
"category": "AD CS Domain Escalation", | |
"queryList": [ | |
{ | |
"final": true, | |
"query": "MATCH p=allShortestPaths((g {owned:true})-[*1..]->(n:GPO)) WHERE g<>n and n.type = 'Certificate Template' and n.`Enrollee Supplies Subject` = true and n.`Client Authentication` = true and n.`Enabled` = true RETURN p" | |
} | |
] | |
}, | |
{ | |
"name": "Find Misconfigured Certificate Templates (ESC2)", | |
"category": "AD CS Domain Escalation", | |
"queryList": [ | |
{ | |
"final": true, | |
"query": "MATCH (n:GPO) WHERE n.type = 'Certificate Template' and n.`Enabled` = true and (n.`Extended Key Usage` = [] or 'Any Purpose' IN n.`Extended Key Usage`) RETURN n" | |
} | |
] | |
}, | |
{ | |
"name": "Shortest Paths to Misconfigured Certificate Templates from Owned Principals (ESC2)", | |
"category": "AD CS Domain Escalation", | |
"queryList": [ | |
{ | |
"final": true, | |
"query": "MATCH p=allShortestPaths((g {owned:true})-[*1..]->(n:GPO)) WHERE g<>n and n.type = 'Certificate Template' and n.`Enabled` = true and (n.`Extended Key Usage` = [] or 'Any Purpose' IN n.`Extended Key Usage`) RETURN p" | |
} | |
] | |
}, | |
{ | |
"name": "Find Enrollment Agent Templates (ESC3)", | |
"category": "AD CS Domain Escalation", | |
"queryList": [ | |
{ | |
"final": true, | |
"query": "MATCH (n:GPO) WHERE n.type = 'Certificate Template' and n.`Enabled` = true and (n.`Extended Key Usage` = [] or 'Any Purpose' IN n.`Extended Key Usage` or 'Certificate Request Agent' IN n.`Extended Key Usage`) RETURN n" | |
} | |
] | |
}, | |
{ | |
"name": "Shortest Paths to Enrollment Agent Templates from Owned Principals (ESC3)", | |
"category": "AD CS Domain Escalation", | |
"queryList": [ | |
{ | |
"final": true, | |
"query": "MATCH p=allShortestPaths((g {owned:true})-[*1..]->(n:GPO)) WHERE g<>n and n.type = 'Certificate Template' and n.`Enabled` = true and (n.`Extended Key Usage` = [] or 'Any Purpose' IN n.`Extended Key Usage` or 'Certificate Request Agent' IN n.`Extended Key Usage`) RETURN p" | |
} | |
] | |
}, | |
{ | |
"name": "Shortest Paths to Vulnerable Certificate Template Access Control (ESC4)", | |
"category": "AD CS Domain Escalation", | |
"queryList": [ | |
{ | |
"final": true, | |
"query": "MATCH p=shortestPath((g)-[:GenericAll|GenericWrite|Owns|WriteDacl|WriteOwner*1..]->(n:GPO)) WHERE g<>n and n.type = 'Certificate Template' and n.`Enabled` = true RETURN p" | |
} | |
] | |
}, | |
{ | |
"name": "Shortest Paths to Vulnerable Certificate Template Access Control from Owned Principals (ESC4)", | |
"category": "AD CS Domain Escalation", | |
"queryList": [ | |
{ | |
"final": true, | |
"query": "MATCH p=allShortestPaths((g {owned:true})-[r*1..]->(n:GPO)) WHERE g<>n and n.type = 'Certificate Template' and n.Enabled = true and NONE(x in relationships(p) WHERE type(x) = 'Enroll' or type(x) = 'AutoEnroll') RETURN p" | |
} | |
] | |
}, | |
{ | |
"name": "Find Certificate Authorities with User Specified SAN (ESC6)", | |
"category": "AD CS Domain Escalation", | |
"queryList": [ | |
{ | |
"final": true, | |
"query": "MATCH (n:GPO) WHERE n.type = 'Enrollment Service' and n.`User Specified SAN` = 'Enabled' RETURN n" | |
} | |
] | |
}, | |
{ | |
"name": "Shortest Paths to Vulnerable Certificate Authority Access Control (ESC7)", | |
"category": "AD CS Domain Escalation", | |
"queryList": [ | |
{ | |
"final": true, | |
"query": "MATCH p=shortestPath((g)-[r:GenericAll|GenericWrite|Owns|WriteDacl|WriteOwner|ManageCa|ManageCertificates*1..]->(n:GPO)) WHERE g<>n and n.type = 'Enrollment Service' RETURN p" | |
} | |
] | |
}, | |
{ | |
"name": "Shortest Paths to Vulnerable Certificate Authority Access Control from Owned Principals (ESC7)", | |
"category": "AD CS Domain Escalation", | |
"queryList": [ | |
{ | |
"final": true, | |
"query": "MATCH p=allShortestPaths((g {owned:true})-[*1..]->(n:GPO)) WHERE g<>n and n.type = 'Enrollment Service' and NONE(x in relationships(p) WHERE type(x) = 'Enroll' or type(x) = 'AutoEnroll') RETURN p" | |
} | |
] | |
}, | |
{ | |
"name": "Find Certificate Authorities with HTTP Web Enrollment (ESC8)", | |
"category": "AD CS Domain Escalation", | |
"queryList": [ | |
{ | |
"final": true, | |
"query": "MATCH (n:GPO) WHERE n.type = 'Enrollment Service' and n.`Web Enrollment` = 'Enabled' RETURN n" | |
} | |
] | |
}, | |
{ | |
"name": "Find Unsecured Certificate Templates - Domain Escalation (ESC9)", | |
"category": "AD CS Domain Escalation", | |
"queryList": [ | |
{ | |
"final": true, | |
"query": "MATCH (n:GPO) WHERE n.type = 'Certificate Template' and n.`Enrollee Supplies Subject` = true and n.`Client Authentication` = true and n.`Enabled` = true RETURN n" | |
} | |
] | |
}, | |
{ | |
"name": "Find Unsecured Certificate Templates - PKI (ESC9)", | |
"category": "AD CS Domain Escalation", | |
"queryList": [ | |
{ | |
"final": true, | |
"query": "MATCH (n:GPO) WHERE n.type = 'Certificate Template' and 'NoSecurityExtension' in n.`Enrollment Flag` and n.`Enabled` = true RETURN n" | |
} | |
] | |
}, | |
{ | |
"name": "Shortest Paths to Unsecured Certificate Templates from Owned Principals (ESC9)", | |
"category": "AD CS Domain Escalation", | |
"queryList": [ | |
{ | |
"final": true, | |
"query": "MATCH p=allShortestPaths((g {owned:true})-[r*1..]->(n:GPO)) WHERE n.type = 'Certificate Template' and g<>n and 'NoSecurityExtension' in n.`Enrollment Flag` and n.`Enabled` = true and NONE(rel in r WHERE type(rel) in ['EnabledBy','Read','ManageCa','ManageCertificates']) RETURN p" | |
} | |
] | |
}, | |
{ | |
"name": "Find users with a plaintext attribute that can RDP into something", | |
"category": "PlainText Password Queries", | |
"queryList": [ | |
{ | |
"final": true, | |
"query": "MATCH (u1:User) WHERE u1.plaintext=True MATCH p1=(u1)-[:CanRDP*1..]->(c:Computer) RETURN u1", | |
"allowCollapse": true | |
} | |
] | |
}, | |
{ | |
"name": "Find users with a plaintext attribute that belong to high value groups", | |
"category": "PlainText Password Queries", | |
"queryList": [ | |
{ | |
"final": true, | |
"query": "MATCH (u1:User) WHERE u1.plaintext=True MATCH p=(u1:User)-[r:MemberOf*1..]->(m:Group {highvalue:true}) RETURN u1", | |
"allowCollapse": true | |
} | |
] | |
}, | |
{ | |
"name": "Find users with a plaintext attribute that are kerberoastable", | |
"category": "PlainText Password Queries", | |
"queryList": [ | |
{ | |
"final": true, | |
"query": "MATCH (u1:User) WHERE u1.plaintext=True AND u1.hasspn=True RETURN u1", | |
"allowCollapse": true | |
} | |
] | |
}, | |
{ | |
"name": "Return users with seasons in their password and have local admin on at least one computer", | |
"category": "PlainText Password Queries", | |
"queryList": [ | |
{ | |
"final": true, | |
"query": "MATCH (u1:User) WHERE u1.plaintextpassword =~ \"([Ww]inter.*|[sS]pring.*|[sS]ummer.*|[fF]all.*)\" MATCH p=(u1:User)-[r:AdminTo]->(n:Computer) RETURN p", | |
"allowCollapse": true | |
} | |
] | |
}, | |
{ | |
"name": "Return users with seasons in their password and a path to high value targets (limit to 25 results)", | |
"category": "PlainText Password Queries", | |
"queryList": [ | |
{ | |
"final": true, | |
"query": "MATCH (u1:User) WHERE u1.plaintextpassword =~ \"([Ww]inter.*|[sS]pring.*|[sS]ummer.*|[fF]all.*)\" MATCH p=shortestPath((u1:User)-[*1..]->(n {highvalue:true})) WHERE u1<>n RETURN u1 LIMIT 25", | |
"allowCollapse": true | |
} | |
] | |
}, | |
{ | |
"name": "Return users with a variant of \"password\" in their password and have local admin on at least one computer", | |
"category": "PlainText Password Queries", | |
"queryList": [ | |
{ | |
"final": true, | |
"query": "MATCH (u1:User) WHERE u1.plaintextpassword =~ \"(.*[pP][aA@][sS$][sS$][wW][oO0][rR][dD].*)\" MATCH p=(u1:User)-[r:AdminTo]->(n:Computer) RETURN p", | |
"allowCollapse": true | |
} | |
] | |
}, | |
{ | |
"name": "Return users with a variant of \"password\" in their password and a path to high value targets (limit to 25 results)", | |
"category": "PlainText Password Queries", | |
"queryList": [ | |
{ | |
"final": true, | |
"query": "MATCH (u1:User) WHERE u1.plaintextpassword =~ \"(.*[pP][aA@][sS$][sS$][wW][oO0][rR][dD].*)\" MATCH p=shortestPath((u1:User)-[*1..]->(n {highvalue:true})) WHERE u1<>n RETURN u1 LIMIT 25", | |
"allowCollapse": true | |
} | |
] | |
}, | |
{ | |
"name": "Return all Members of the 'Global Administrator' Role", | |
"category": "Azure - General", | |
"queryList": [ | |
{ | |
"final": true, | |
"query": "MATCH p =(n)-[r:AZGlobalAdmin*1..]->(m) RETURN p" | |
} | |
] | |
}, | |
{ | |
"name": "Return all Members of High Privileged Roles", | |
"category": "Azure - General", | |
"queryList": [ | |
{ | |
"final": true, | |
"query": "MATCH p=(n)-[:AZHasRole|AZMemberOf*1..2]->(r:AZRole) WHERE r.displayname =~ '(?i)Global Administrator|User Administrator|Cloud Application Administrator|Authentication Policy Administrator|Exchange Administrator|Helpdesk Administrator|PRIVILEGED AUTHENTICATION ADMINISTRATOR|Domain Name Administrator|Hybrid Identity Administrator|External Identity Provider Administrator|Privileged Role Administrator|Partner Tier2 Support|Application Administrator|Directory Synchronization Accounts' RETURN p" | |
} | |
] | |
}, | |
{ | |
"name": "Return all Members of High Privileged Roles that are synced from OnPrem AD", | |
"category": "Azure - General", | |
"queryList": [ | |
{ | |
"final": true, | |
"query": "MATCH p=(n WHERE n.onpremisesyncenabled = true)-[:AZHasRole|AZMemberOf*1..2]->(r:AZRole WHERE r.displayname =~ '(?i)Global Administrator|User Administrator|Cloud Application Administrator|Authentication Policy Administrator|Exchange Administrator|Helpdesk Administrator|PRIVILEGED AUTHENTICATION ADMINISTRATOR') RETURN p" | |
} | |
] | |
}, | |
{ | |
"name": "Return all Azure Users that are synced from OnPrem AD", | |
"category": "Azure - General", | |
"queryList": [ | |
{ | |
"final": true, | |
"query": "MATCH (n:AZUser WHERE n.onpremisesyncenabled = true) RETURN n", | |
"allowCollapse": true | |
} | |
] | |
}, | |
{ | |
"name": "Return all Azure Groups that are synced from OnPrem AD", | |
"category": "Azure - General", | |
"queryList": [ | |
{ | |
"final": true, | |
"query": "MATCH (g:AZGroup {onpremsyncenabled: True}) RETURN g" | |
} | |
] | |
}, | |
{ | |
"name": "Return all Owners of Azure Applications", | |
"category": "Azure - General", | |
"queryList": [ | |
{ | |
"final": true, | |
"query": "MATCH p = (n)-[r:AZOwns]->(g:AZApp) RETURN p" | |
} | |
] | |
}, | |
{ | |
"name": "Return all Azure Subscriptions", | |
"category": "Azure - General", | |
"queryList": [ | |
{ | |
"final": true, | |
"query": "MATCH (n:AZSubscription) RETURN n" | |
} | |
] | |
}, | |
{ | |
"name": "Return all Azure Subscriptions and their direct Controllers", | |
"category": "Azure - General", | |
"queryList": [ | |
{ | |
"final": true, | |
"query": "MATCH p = (n)-[r:AZOwns|AZUserAccessAdministrator]->(g:AZSubscription) RETURN p" | |
} | |
] | |
}, | |
{ | |
"name": "Return all principals with the UserAccessAdministrator Role against Subscriptions", | |
"category": "Azure - General", | |
"queryList": [ | |
{ | |
"final": true, | |
"query": "MATCH p = (u)-[r:AZUserAccessAdministrator]->(n:AZSubscription) RETURN p" | |
} | |
] | |
}, | |
{ | |
"name": "Return all principals with the UserAccessAdministrator Role", | |
"category": "Azure - General", | |
"queryList": [ | |
{ | |
"final": true, | |
"query": "MATCH p = (u)-[r:AZUserAccessAdministrator]->(n) RETURN p" | |
} | |
] | |
}, | |
{ | |
"name": "Return all Azure Users that DON'T hold an Azure Role but the RBAC Role \"User Access Administrator\"", | |
"category": "Azure - General", | |
"queryList": [ | |
{ | |
"final": true, | |
"query": "MATCH (u:AZUser) WHERE NOT EXISTS((u)-[:AZMemberOf|AZHasRole*1..]->(:AZRole)) AND EXISTS((u)-[:AZUserAccessAdministrator]->()) RETURN u" | |
} | |
] | |
}, | |
{ | |
"name": "Return all Azure Principals that DON'T hold an Azure Role but the RBAC Role \"User Access Administrator\"", | |
"category": "Azure - General", | |
"queryList": [ | |
{ | |
"final": true, | |
"query": "MATCH (u) WHERE NOT EXISTS((u)-[:AZMemberOf|AZHasRole*1..]->(:AZRole)) AND EXISTS((u)-[:AZUserAccessAdministrator]->()) RETURN u" | |
} | |
] | |
}, | |
{ | |
"name": "Find all Azure Users with a Path to High Value Targets", | |
"category": "Azure - Paths", | |
"queryList": [ | |
{ | |
"final": true, | |
"query": "MATCH (m:AZUser),(n {highvalue:true}),p=shortestPath((m)-[r*1..]->(n)) WHERE NONE (r IN relationships(p) WHERE type(r)= \"GetChanges\") AND NONE (r in relationships(p) WHERE type(r)=\"GetChangesAll\") AND NOT m=n RETURN p", | |
"allowCollapse": true | |
} | |
] | |
}, | |
{ | |
"name": "Find OnPrem synced Users with Paths to High Value Targets", | |
"category": "Azure - Paths", | |
"queryList": [ | |
{ | |
"final": true, | |
"query": "MATCH (m:AZUser WHERE m.onpremisesyncenabled = true),(n {highvalue:true}),p=shortestPath((m)-[r*1..]->(n)) WHERE NONE (r IN relationships(p) WHERE type(r)= \"GetChanges\") AND NONE (r in relationships(p) WHERE type(r)=\"GetChangesAll\") AND NOT m=n RETURN p", | |
"allowCollapse": true | |
} | |
] | |
}, | |
{ | |
"name": "Find shortest Paths to High Value Roles", | |
"category": "Azure - Paths", | |
"queryList": [ | |
{ | |
"final": true, | |
"query": "MATCH (n:AZRole WHERE n.displayname =~ '(?i)Global Administrator|User Administrator|Cloud Application Administrator|Authentication Policy Administrator|Exchange Administrator|Helpdesk Administrator|PRIVILEGED AUTHENTICATION ADMINISTRATOR'), (m), p=shortestPath((m)-[r*1..]->(n)) WHERE NOT m=n RETURN p", | |
"allowCollapse": true | |
} | |
] | |
}, | |
{ | |
"name": "Find Azure Applications with Paths to High Value Targets", | |
"category": "Azure - Paths", | |
"queryList": [ | |
{ | |
"final": true, | |
"query": "MATCH (m:AZApp),(n {highvalue:true}),p=shortestPath((m)-[r*1..]->(n)) WHERE NONE (r IN relationships(p) WHERE type(r)= \"GetChanges\") AND NONE (r in relationships(p) WHERE type(r)=\"GetChangesAll\") AND NOT m=n RETURN p", | |
"allowCollapse": true | |
} | |
] | |
}, | |
{ | |
"name": "Find shortest Paths from Azure Users to Subscriptions", | |
"category": "Azure - Paths", | |
"queryList": [ | |
{ | |
"final": true, | |
"query": "MATCH (n:AZUser) WITH n MATCH p = shortestPath((n)-[r*1..]->(g:AZSubscription)) RETURN p" | |
} | |
] | |
}, | |
{ | |
"name": "Find all Paths to Azure VMs", | |
"category": "Azure - Paths", | |
"queryList": [ | |
{ | |
"final": true, | |
"query": "MATCH p = (n)-[r]->(g:AZVM) RETURN p" | |
} | |
] | |
}, | |
{ | |
"name": "Find shortest Path from Owned Azure Users to VMs", | |
"category": "Azure - Paths", | |
"queryList": [ | |
{ | |
"final": true, | |
"query": "MATCH (n:AZVM) MATCH p = shortestPath((m:AZUser{owned: true})-[*..]->(n)) RETURN p", | |
"allowCollapse": true | |
} | |
] | |
}, | |
{ | |
"name": "Find all Paths to Azure KeyVaults", | |
"category": "Azure - Paths", | |
"queryList": [ | |
{ | |
"final": true, | |
"query": "MATCH p = (n)-[r]->(g:AZKeyVault) RETURN p" | |
} | |
] | |
}, | |
{ | |
"name": "Find all Paths to Azure KeyVaults from Owned Principals", | |
"category": "Azure - Paths", | |
"queryList": [ | |
{ | |
"final": true, | |
"query": "MATCH p = ({owned: true})-[r]->(g:AZKeyVault) RETURN p", | |
"allowCollapse": true | |
} | |
] | |
}, | |
{ | |
"name": "Find shortest Paths to Azure Subscriptions", | |
"category": "Azure - Paths", | |
"queryList": [ | |
{ | |
"final": true, | |
"query": "MATCH (n:AZSubscription), (m), p=shortestPath((m)-[r*1..]->(n)) WHERE NOT m=n RETURN p", | |
"allowCollapse": true | |
} | |
] | |
}, | |
{ | |
"name": "Find the Paths to Resources from Azure Users that DON'T hold an Azure Role but the RBAC Role \"User Access Administrator\"", | |
"category": "Azure - Paths", | |
"queryList": [ | |
{ | |
"final": true, | |
"query": "MATCH p=(u:AZUser)-[:AZUserAccessAdministrator]->(target) WHERE NOT EXISTS((u)-[:AZMemberOf|AZHasRole*1..]->(:AZRole)) RETURN u, p", | |
"allowCollapse": true | |
} | |
] | |
}, | |
{ | |
"name": "Find the Paths to Resources from Azure Principals that DON'T hold an Azure Role but the RBAC Role \"User Access Administrator\"", | |
"category": "Azure - Paths", | |
"queryList": [ | |
{ | |
"final": true, | |
"query": "MATCH p=(u)-[:AZUserAccessAdministrator]->(target) WHERE NOT EXISTS((u)-[:AZMemberOf|AZHasRole*1..]->(:AZRole)) RETURN u, p", | |
"allowCollapse": true | |
} | |
] | |
}, | |
{ | |
"name": "Return all Service Principals with MS Graph AZMGGrantAppRoles rights -> PrivEsc Path to Global Admin", | |
"category": "Azure - MS Graph", | |
"queryList": [ | |
{ | |
"final": true, | |
"query": "MATCH p=(n)-[r:AZMGGrantAppRoles]->(o:AZTenant) RETURN p", | |
"allowCollapse": true | |
} | |
] | |
}, | |
{ | |
"name": "Return all Service Principals with MS Graph App Role Assignments", | |
"category": "Azure - MS Graph", | |
"queryList": [ | |
{ | |
"final": true, | |
"query": "MATCH p=(m:AZServicePrincipal)-[r:AZMGAppRoleAssignment_ReadWrite_All|AZMGApplication_ReadWrite_All|AZMGDirectory_ReadWrite_All|AZMGGroupMember_ReadWrite_All|AZMGGroup_ReadWrite_All|AZMGRoleManagement_ReadWrite_Directory|AZMGServicePrincipalEndpoint_ReadWrite_All]->(n:AZServicePrincipal) RETURN p", | |
"allowCollapse": true | |
} | |
] | |
}, | |
{ | |
"name": "Return all direct Controllers of MS Graph", | |
"category": "Azure - MS Graph", | |
"queryList": [ | |
{ | |
"final": true, | |
"query": "MATCH p = (n)-[r:AZAddOwner|AZAddSecret|AZAppAdmin|AZCloudAppAdmin|AZMGAddOwner|AZMGAddSecret|AZOwns]->(g:AZServicePrincipal {appdisplayname: \"Microsoft Graph\"}) RETURN p", | |
"allowCollapse": true | |
} | |
] | |
}, | |
{ | |
"name": "Find shortest Paths to MS Graph", | |
"category": "Azure - MS Graph", | |
"queryList": [ | |
{ | |
"final": true, | |
"query": "MATCH (n) WHERE NOT n.displayname=\"Microsoft Graph\" WITH n MATCH p = shortestPath((n)-[r*1..]->(g:AZServicePrincipal {appdisplayname: \"Microsoft Graph\"})) WHERE n<>g RETURN p", | |
"allowCollapse": true | |
} | |
] | |
}, | |
{ | |
"name": "Return all Azure Service Principals", | |
"category": "Azure - Service Principals", | |
"queryList": [ | |
{ | |
"final": true, | |
"query": "MATCH (sp:AZServicePrincipal) RETURN sp", | |
"allowCollapse": true | |
} | |
] | |
}, | |
{ | |
"name": "Return all PRIVILEGED Azure Service Principals", | |
"category": "Azure - Service Principals", | |
"queryList": [ | |
{ | |
"final": true, | |
"query": "MATCH p=(n:AZServicePrincipal)-[:AZHasRole|AZMemberOf*1..2]->(r:AZRole) WHERE r.displayname =~ '(?i)Global Administrator|User Administrator|Cloud Application Administrator|Authentication Policy Administrator|Exchange Administrator|Helpdesk Administrator|PRIVILEGED AUTHENTICATION ADMINISTRATOR|Domain Name Administrator|Hybrid Identity Administrator|External Identity Provider Administrator|Privileged Role Administrator|Partner Tier2 Support|Application Administrator|Directory Synchronization Accounts' RETURN p", | |
"allowCollapse": true | |
} | |
] | |
}, | |
{ | |
"name": "Find all VMs with a tied Managed Identity", | |
"category": "Azure - Service Principals", | |
"queryList": [ | |
{ | |
"final": true, | |
"query": "MATCH p=(:AZVM)-[:AZManagedIdentity]->(n) RETURN p", | |
"allowCollapse": true | |
} | |
] | |
}, | |
{ | |
"name": "Return all Azure Service Principals that are Managed Identities", | |
"category": "Azure - Service Principals", | |
"queryList": [ | |
{ | |
"final": true, | |
"query": "MATCH (sp:AZServicePrincipal {serviceprincipaltype: 'ManagedIdentity'}) RETURN sp", | |
"allowCollapse": true | |
} | |
] | |
}, | |
{ | |
"name": "Return all Azure Service Principals that are tied to Apps", | |
"category": "Azure - Service Principals", | |
"queryList": [ | |
{ | |
"final": true, | |
"query": "MATCH (sp:AZServicePrincipal {serviceprincipaltype: 'Application'}) RETURN sp", | |
"allowCollapse": true | |
} | |
] | |
}, | |
{ | |
"name": "Find all Azure Privileged Service Principals", | |
"category": "Azure - Service Principals", | |
"queryList": [ | |
{ | |
"final": true, | |
"query": "MATCH p = (g:AZServicePrincipal)-[r]->(n) RETURN p" | |
} | |
] | |
}, | |
{ | |
"name": "Find shortest Paths from Owned Azure Users to Azure Service Principals", | |
"category": "Azure - Service Principals", | |
"queryList": [ | |
{ | |
"final": true, | |
"query": "MATCH (u:AZUser {owned: true}), (m:AZServicePrincipal) MATCH p = shortestPath((u)-[*..]->(m)) RETURN p", | |
"allowCollapse": true | |
} | |
] | |
}, | |
{ | |
"name": "Find shortest Paths from Owned Azure Users to Azure Service Principals that are Managed Identities", | |
"category": "Azure - Service Principals", | |
"queryList": [ | |
{ | |
"final": true, | |
"query": "MATCH (u:AZUser {owned: true}), (m:AZServicePrincipal {serviceprincipaltype: 'ManagedIdentity'}) MATCH p = shortestPath((u)-[*..]->(m)) RETURN p", | |
"allowCollapse": true | |
} | |
] | |
}, | |
{ | |
"name": "Find shortest Paths from all Azure Users to Azure Service Principals that are Managed Identities", | |
"category": "Azure - Service Principals", | |
"queryList": [ | |
{ | |
"final": true, | |
"query": "MATCH (u:AZUser), (m:AZServicePrincipal {serviceprincipaltype: 'ManagedIdentity'}) MATCH p = shortestPath((u)-[*..]->(m)) RETURN p", | |
"allowCollapse": true | |
} | |
] | |
}, | |
{ | |
"name": "Find all Service Principals that are Managed Identities and have a Path to an Azure Key Vault", | |
"category": "Azure - Service Principals", | |
"queryList": [ | |
{ | |
"final": true, | |
"query": "MATCH (m:AZServicePrincipal {serviceprincipaltype: 'ManagedIdentity'})-[*]->(kv:AZKeyVault) WITH collect(m) AS managedIdentities MATCH p = (n)-[r]->(kv:AZKeyVault) WHERE n IN managedIdentities RETURN p", | |
"allowCollapse": true | |
} | |
] | |
}, | |
{ | |
"name": "Find Paths from Managed Identities tied to a VM with a path to a Key Vault", | |
"category": "Azure - Service Principals", | |
"queryList": [ | |
{ | |
"final": true, | |
"query": "MATCH p1 = (:AZVM)-[:AZManagedIdentity]->(n) WITH collect(n) AS managedIdentities MATCH p2 = (m:AZServicePrincipal {serviceprincipaltype: 'ManagedIdentity'})-[*]->(kv:AZKeyVault) WHERE m IN managedIdentities RETURN p2", | |
"allowCollapse": true | |
} | |
] | |
}, | |
{ | |
"name": "Return all Users and Azure Users possibly related to AADConnect", | |
"category": "Azure - AADConnect", | |
"queryList": [ | |
{ | |
"final": true, | |
"query": "MATCH (u) WHERE (u:User OR u:AZUser) AND (u.name =~ '(?i)^MSOL_|.*AADConnect.*' OR u.userprincipalname =~ '(?i)^sync_.*') OPTIONAL MATCH (u)-[:HasSession]->(s:Session) RETURN u, s", | |
"allowCollapse": true | |
} | |
] | |
}, | |
{ | |
"name": "Find all Sessions of possibly AADConnect related Accounts", | |
"category": "Azure - AADConnect", | |
"queryList": [ | |
{ | |
"final": true, | |
"query": "MATCH p=(m:Computer)-[:HasSession]->(n) WHERE (n:User OR n:AZUser) AND ((n.name =~ '(?i)^MSOL_|.*AADConnect.*') OR (n.userPrincipalName =~ '(?i)^sync_.*')) RETURN p", | |
"allowCollapse": true | |
} | |
] | |
}, | |
{ | |
"name": "Find all AADConnect Servers (extracted from the SYNC_ Account names)", | |
"category": "Azure - AADConnect", | |
"queryList": [ | |
{ | |
"final": true, | |
"query": "MATCH (n:AZUser) WHERE n.name =~ '(?i)^SYNC_(.*?)_(.*?)@.*' WITH n, split(n.name, '_')[1] AS computerNamePattern MATCH (c:Computer) WHERE c.name CONTAINS computerNamePattern RETURN c", | |
"allowCollapse": true | |
} | |
] | |
}, | |
{ | |
"name": "Find shortest Paths to AADConnect Servers from Owned Users", | |
"category": "Azure - AADConnect", | |
"queryList": [ | |
{ | |
"final": true, | |
"query": "MATCH (n:AZUser) WHERE n.name =~ '(?i)^SYNC_(.*?)_(.*?)@.*' WITH n, split(n.name, '_')[1] AS computerNamePattern MATCH (c:Computer) WHERE c.name CONTAINS computerNamePattern WITH collect(c) AS computers MATCH p = shortestPath((u:User)-[*]-(c:Computer)) WHERE c IN computers AND length(p) > 0 AND u.owned = true RETURN u, p", | |
"allowCollapse": true | |
} | |
] | |
}, | |
{ | |
"name": "Add indexes to the database", | |
"category": "Indexes", | |
"queryList": [ | |
{ | |
"final": false, | |
"title": "Add index on the property Base SamAccountName", | |
"query": "CREATE INDEX BaseSamAccountNameIdx IF NOT EXISTS FOR (b:Base) on (b.samaccountname)" | |
}, | |
{ | |
"final": false, | |
"title": "Add index on the property Computer SamAccountName", | |
"query": "CREATE INDEX ComputerSamAccountNameIdx IF NOT EXISTS FOR (c:Computer) on (c.samaccountname)" | |
}, | |
{ | |
"final": false, | |
"title": "Add index on the property User SamAccountName", | |
"query": "CREATE INDEX UserSamAccountNameIdx IF NOT EXISTS FOR (u:User) on (u.samaccountname)" | |
}, | |
{ | |
"final": false, | |
"title": "Add index on the property Computer Owned", | |
"query": "CREATE INDEX ComputerOwnedIdx IF NOT EXISTS FOR (c:Computer) on (c.owned)" | |
}, | |
{ | |
"final": false, | |
"title": "Add index on the property User Owned", | |
"query": "CREATE INDEX UserOwnedIdx IF NOT EXISTS FOR (u:User) on (u.owned)" | |
}, | |
{ | |
"final": false, | |
"title": "Add index on the property Group Owned", | |
"query": "CREATE INDEX GroupOwnedIdx IF NOT EXISTS FOR (g:Group) on (g.owned)" | |
}, | |
{ | |
"final": false, | |
"title": "Add index on the property GPO Owned", | |
"query": "CREATE INDEX GPOOwnedIdx IF NOT EXISTS FOR (g:GPO) on (g.owned)" | |
}, | |
{ | |
"final": false, | |
"title": "Add index on the property Computer Highvalue", | |
"query": "CREATE INDEX ComputerHighValueIdx IF NOT EXISTS FOR (c:Computer) on (c.highvalue)" | |
}, | |
{ | |
"final": false, | |
"title": "Add index on the property User Highvalue", | |
"query": "CREATE INDEX UserHighValueIdx IF NOT EXISTS FOR (u:User) on (u.highvalue)" | |
}, | |
{ | |
"final": false, | |
"title": "Add index on the property Group Highvalue", | |
"query": "CREATE INDEX GroupHighValueIdx IF NOT EXISTS FOR (g:Group) on (g.highvalue)" | |
}, | |
{ | |
"final": false, | |
"title": "Add index on the property GPO Highvalue", | |
"query": "CREATE INDEX GPOHighValueIdx IF NOT EXISTS FOR (g:GPO) on (g.highvalue)" | |
}, | |
{ | |
"final": false, | |
"title": "Add index on the property User Sensitive", | |
"query": "CREATE INDEX UserSensitiveIdx IF NOT EXISTS FOR (u:User) on (u.sensitive)" | |
}, | |
{ | |
"final": false, | |
"title": "Add index on the property User Admincount", | |
"query": "CREATE INDEX UserAdminCountIdx IF NOT EXISTS FOR (u:User) on (u.admincount)" | |
}, | |
{ | |
"final": false, | |
"title": "Add index on the property Computer Enabled", | |
"query": "CREATE INDEX ComputerEnabledIdx IF NOT EXISTS FOR (c:Computer) on (c.enabled)" | |
}, | |
{ | |
"final": false, | |
"title": "Add index on the property User Enabled", | |
"query": "CREATE INDEX UserEnabledIdx IF NOT EXISTS FOR (u:User) on (u.enabled)" | |
}, | |
{ | |
"final": true, | |
"title": "Add index on the property GPO Enabled", | |
"query": "CREATE INDEX GPOEnabledIdx IF NOT EXISTS FOR (g:GPO) on (g.enabled)" | |
} | |
] | |
} | |
] | |
} |