|
[ |
|
{ |
|
"name": "Shortest path from Domain Users to High Value Targets (uses shortestPath, so at most one path per target is returned, not every path)", |
|
"query": "MATCH (g:Group) WHERE g.name STARTS WITH 'DOMAIN USERS' MATCH (n {highvalue:true}),p=shortestPath((g)-[r*1..]->(n)) return p" |
|
}, |
|
{ |
|
"name": "Find all active Domain Admin sessions", |
|
"query": "MATCH (n:User)-[:MemberOf*1..]->(g:Group) WHERE g.objectid ENDS WITH '-512' MATCH p = (c:Computer)-[:HasSession]->(n) return p" |
|
}, |
|
{ |
|
"name": "Find all computers with Unconstrained Delegation", |
|
"query": "MATCH (c:Computer {unconstraineddelegation:true}) return c" |
|
}, |
|
{ |
|
"name": "Find all computers with unsupported operating systems", |
|
"query": "MATCH (H:Computer) WHERE H.operatingsystem =~ '(?i).*(2000|2003|2008|xp|vista|7|me).*' RETURN H" |
|
}, |
|
{ |
|
"name": "Find all Kerberoastable Users", |
|
"query": "MATCH (n:User)WHERE n.hasspn=true RETURN n" |
|
}, |
|
{ |
|
"name": "Find all the unconstrained delegation systems that are not part of the domain controllers group", |
|
"query": "MATCH (dc:Computer)-[:MemberOf*1..]->(g:Group) WHERE g.objectid ENDS WITH \"-516\" WITH COLLECT(dc) as domainControllers MATCH p = (d:Domain)-[:Contains*1..]->(c:Computer {unconstraineddelegation:true}) WHERE NOT c in domainControllers RETURN COUNT(p)" |
|
}, |
|
{ |
|
"name": "Find all users that are direct members of any group whose name contains 'VPN'", |
|
"query": "Match p=(u:User)-[:MemberOf]->(g:Group) WHERE toUPPER (g.name) CONTAINS 'VPN' return p" |
|
}, |
|
{ |
|
"name": "Find all users that have local admin rights", |
|
"query": "MATCH p=(m:User)-[r:AdminTo]->(n:Computer) RETURN p" |
|
}, |
|
{ |
|
"name": "Find All Users with an SPN/Find all Kerberoastable Users with passwords last set > 5 years ago", |
|
"query": "MATCH (u:User) WHERE u.hasspn=true AND u.pwdlastset < (datetime().epochseconds - (1825 * 86400)) and NOT u.pwdlastset IN [-1.0, 0.0] RETURN u" |
|
}, |
|
{ |
|
"name": "Find All Users with an SPN/Find all Kerberoastable Users with passwords last set more than 5 years ago, returned as a table sorted by pwdlastset", |
|
"query": "MATCH (u:User) WHERE u.hasspn=true AND u.pwdlastset < (datetime().epochseconds - (1825 * 86400)) AND NOT u.pwdlastset IN [-1.0, 0.0] RETURN u.name, u.pwdlastset order by u.pwdlastset " |
|
}, |
|
{ |
|
"name": "Find computers that allow unconstrained delegation that AREN\u2019T domain controllers.", |
|
"query": "MATCH (c1:Computer)-[:MemberOf*1..]->(g:Group) WHERE g.objectid ENDS WITH '-516' WITH COLLECT(c1.name) AS domainControllers MATCH (c2:Computer {unconstraineddelegation:true}) WHERE NOT c2.name IN domainControllers RETURN c2" |
|
}, |
|
{ |
|
"name": "Find computers with constrained delegation configured (the allowedtodelegate property on each returned computer lists the targets it may delegate to)", |
|
"query": "MATCH (c:Computer) WHERE c.allowedtodelegate IS NOT NULL RETURN c" |
|
}, |
|
{ |
|
"name": "Find constrained delegation", |
|
"query": "MATCH p=(u:User)-[:AllowedToDelegate]->(c:Computer) RETURN p" |
|
}, |
|
{ |
|
"name": "Find groups that can reset passwords (Warning: Heavy)", |
|
"query": "MATCH p=(m:Group)-[r:ForceChangePassword]->(n:User) RETURN p" |
|
}, |
|
{ |
|
"name": "Find groups that contain both users and computers", |
|
"query": "MATCH (c:Computer)-[r:MemberOf*1..]->(groupsWithComps:Group) WITH groupsWithComps MATCH (u:User)-[r:MemberOf*1..]->(groupsWithComps) RETURN DISTINCT(groupsWithComps) as groupsWithCompsAndUsers" |
|
}, |
|
{ |
|
"name": "Find groups that have local admin rights (Warning: Heavy)", |
|
"query": "MATCH p=(m:Group)-[r:AdminTo]->(n:Computer) RETURN p" |
|
}, |
|
{ |
|
"name": "Find if any domain user has interesting permissions against a GPO (Warning: Heavy)", |
|
"query": "MATCH p=(u:User)-[r:AllExtendedRights|GenericAll|GenericWrite|Owns|WriteDacl|WriteOwner|GpLink*1..]->(g:GPO) RETURN p" |
|
}, |
|
{ |
|
"name": "Find if unprivileged users have rights to add members into groups", |
|
"query": "MATCH (n:User {admincount:False}) MATCH p=allShortestPaths((n)-[r:AddMember*1..]->(m:Group)) RETURN p" |
|
}, |
|
{ |
|
"name": "Find Kerberoastable users and where they are AdminTo", |
|
"query": "MATCH (u1:User) WHERE u1.hasspn=true OPTIONAL MATCH p=(u1)-[r:AdminTo]->(c:Computer) RETURN u1, p" |
|
}, |
|
{ |
|
"name": "Find Kerberoastable users who are members of high value groups", |
|
"query": "MATCH (u:User)-[r:MemberOf*1..]->(g:Group) WHERE g.highvalue=true AND u.hasspn=true RETURN u" |
|
}, |
|
{ |
|
"name": "Find Kerberoastable Users with a path to DA", |
|
"query": "MATCH (u:User {hasspn:true}) MATCH (g:Group) WHERE g.objectid ENDS WITH '-512' MATCH p = shortestPath( (u)-[*1..]->(g) ) RETURN p" |
|
}, |
|
{ |
|
"name": "Find Kerberoastable Users with a path to High Value", |
|
"query": "MATCH (u:User {hasspn:true}),(n {highvalue:true}),p = shortestPath( (u)-[*1..]->(n) ) RETURN p" |
|
}, |
|
{ |
|
"name": "Find logged in Admins", |
|
"query": "MATCH p=(a:Computer)-[r:HasSession]->(b:User) WITH a,b,r MATCH p=shortestPath((b)-[:AdminTo|MemberOf*1..]->(a)) RETURN p" |
|
}, |
|
{ |
|
"name": "Find machines Domain Users can RDP into", |
|
"query": "match p=(g:Group)-[:CanRDP]->(c:Computer) where g.objectid ENDS WITH '-513' return p" |
|
}, |
|
{ |
|
"name": "Find Servers Domain Users can RDP To", |
|
"query": "match p=(g:Group)-[:CanRDP]->(c:Computer) where g.name STARTS WITH 'DOMAIN USERS' AND c.operatingsystem CONTAINS 'Server' return p" |
|
}, |
|
{ |
|
"name": "Find users that can be AS-REP roasted", |
|
"query": "MATCH (u:User {dontreqpreauth: true}) RETURN u" |
|
}, |
|
{ |
|
"name": "Find users that have never logged on and account is still active", |
|
"query": "MATCH (n:User) WHERE n.lastlogontimestamp=-1.0 AND n.enabled=TRUE RETURN n " |
|
}, |
|
{ |
|
"name": "Find users that have NOT logged on in the last 90 days (lastlogon older than 90 days; never-logged-on accounts are excluded)", |
|
"query": "MATCH (u:User) WHERE u.lastlogon < (datetime().epochseconds - (90 * 86400)) and NOT u.lastlogon IN [-1.0, 0.0] RETURN u" |
|
}, |
|
{ |
|
"name": "Find users with passwords last set MORE than 90 days ago (accounts with no pwdlastset are excluded)", |
|
"query": "MATCH (u:User) WHERE u.pwdlastset < (datetime().epochseconds - (90 * 86400)) and NOT u.pwdlastset IN [-1.0, 0.0] RETURN u" |
|
}, |
|
{ |
|
"name": "Find what groups can RDP", |
|
"query": "MATCH p=(m:Group)-[r:CanRDP]->(n:Computer) RETURN p" |
|
}, |
|
{ |
|
"name": "Find what's next (shortest outbound paths of 1 to 3 hops from every owned node)", |
|
"query": "MATCH p=shortestPath((c {owned: true})-[*1..3]->(s)) WHERE NOT c = s RETURN p" |
|
}, |
|
{ |
|
"name": "Groups with Computer and User Objects (same query as 'Find groups that contain both users and computers')", |
|
"query": "MATCH (c:Computer)-[r:MemberOf*1..]->(groupsWithComps:Group) WITH groupsWithComps MATCH (u:User)-[r:MemberOf*1..]->(groupsWithComps) RETURN DISTINCT(groupsWithComps) as groupsWithCompsAndUsers" |
|
}, |
|
{ |
|
"name": "List all owned computers", |
|
"query": "MATCH (m:Computer) WHERE m.owned=TRUE RETURN m" |
|
}, |
|
{ |
|
"name": "List all owned groups", |
|
"query": "MATCH (m:Group) WHERE m.owned=TRUE RETURN m" |
|
}, |
|
{ |
|
"name": "List all owned users", |
|
"query": "MATCH (m:User) WHERE m.owned=TRUE RETURN m" |
|
}, |
|
{ |
|
"name": "List the groups of all owned users", |
|
"query": "MATCH (m:User) WHERE m.owned=TRUE WITH m MATCH p=(m)-[:MemberOf*1..]->(n:Group) RETURN p" |
|
}, |
|
{ |
|
"name": "Non Admin Groups with High Value Privileges", |
|
"query": "MATCH p=(g:Group)-[r:Owns|WriteDacl|GenericAll|WriteOwner|ExecuteDCOM|GenericWrite|AllowedToDelegate|ForceChangePassword]->(n:Computer) WHERE NOT g.name CONTAINS 'ADMIN' RETURN p" |
|
}, |
|
{ |
|
"name": "Return every computer in the database where at least one SPN for the computer contains the string 'MSSQL' (case-insensitive)", |
|
"query": "MATCH (c:Computer) WHERE ANY (x IN c.serviceprincipalnames WHERE toUpper(x) CONTAINS 'MSSQL') RETURN c" |
|
}, |
|
{ |
|
"name": "Shortest Path from Domain Users to High Value Targets", |
|
"query": "MATCH (g:Group),(n {highvalue:true}),p=shortestPath((g)-[r*1..]->(n)) WHERE g.name STARTS WITH 'DOMAIN USERS' return p" |
|
}, |
|
{ |
|
"name": "Show users that are (directly or nested) members of high value groups", |
|
"query": "MATCH p=(n:User)-[r:MemberOf*1..]->(m:Group {highvalue:true}) RETURN p" |
|
}, |
|
{ |
|
"name": "Show owned users with their direct group memberships", |
|
"query": "MATCH (u:User {owned:true}), (g:Group), p=(u)-[:MemberOf]->(g) RETURN p" |
|
}, |
|
{ |
|
"name": "Top Ten Computers with Most Admins", |
|
"query": "MATCH (n:User),(m:Computer), (n)-[r:AdminTo]->(m) WHERE NOT n.name STARTS WITH 'ANONYMOUS LOGON' AND NOT n.name='' WITH m, count(r) as rel_count order by rel_count desc LIMIT 10 MATCH p=(m)<-[r:AdminTo]-(n) RETURN p" |
|
}, |
|
{ |
|
"name": "Top Ten Computers with Most Sessions", |
|
"query": "MATCH (n:User),(m:Computer), (n)<-[r:HasSession]-(m) WHERE NOT n.name STARTS WITH 'ANONYMOUS LOGON' AND NOT n.name='' WITH m, count(r) as rel_count order by rel_count desc LIMIT 10 MATCH p=(m)-[r:HasSession]->(n) RETURN n,r,m" |
|
}, |
|
{ |
|
"name": "Top Ten Users with Most Local Admin Rights", |
|
"query": "MATCH (n:User),(m:Computer), (n)-[r:AdminTo]->(m) WHERE NOT n.name STARTS WITH 'ANONYMOUS LOGON' AND NOT n.name='' WITH n, count(r) as rel_count order by rel_count desc LIMIT 10 MATCH p=(m)<-[r:AdminTo]-(n) RETURN p" |
|
}, |
|
{ |
|
"name": "Top Ten Users with Most Sessions", |
|
"query": "MATCH (n:User),(m:Computer), (n)<-[r:HasSession]-(m) WHERE NOT n.name STARTS WITH 'ANONYMOUS LOGON' AND NOT n.name='' WITH n, count(r) as rel_count order by rel_count desc LIMIT 10 MATCH p=(m)-[r:HasSession]->(n) RETURN p" |
|
}, |
|
{ |
|
"name": "View all GPOs", |
|
"query": "Match (n:GPO) RETURN n" |
|
}, |
|
{ |
|
"name": "View all groups that contain the word 'admin'", |
|
"query": "Match (n:Group) WHERE n.name CONTAINS 'ADMIN' RETURN n" |
|
} |
|
] |