
@RalphDesmangles
Created March 24, 2024 06:34
custom bloodhound queries
{
"queries": [
{
"name": "Find all Certificate Templates",
"category": "Certificates",
"queryList": [
{
"final": true,
"query": "MATCH (n:GPO) WHERE n.type = 'Certificate Template' RETURN n"
}
]
},
{
"name": "Find enabled Certificate Templates",
"category": "Certificates",
"queryList": [
{
"final": true,
"query": "MATCH (n:GPO) WHERE n.type = 'Certificate Template' and n.Enabled = true RETURN n"
}
]
},
{
"name": "Find Certificate Authorities",
"category": "Certificates",
"queryList": [
{
"final": true,
"query": "MATCH (n:GPO) WHERE n.type = 'Enrollment Service' RETURN n"
}
]
},
{
"name": "Show Enrollment Rights for Certificate Template",
"category": "Certificates",
"queryList": [
{
"final": false,
"title": "Select a Certificate Template...",
"query": "MATCH (n:GPO) WHERE n.type = 'Certificate Template' RETURN n.name"
},
{
"final": true,
"query": "MATCH p=(g)-[:Enroll|AutoEnroll]->(n:GPO {name:$result}) WHERE n.type = 'Certificate Template' return p",
"allowCollapse": false
}
]
},
{
"name": "Show Rights for Certificate Authority",
"category": "Certificates",
"queryList": [
{
"final": false,
"title": "Select a Certificate Authority...",
"query": "MATCH (n:GPO) WHERE n.type = 'Enrollment Service' RETURN n.name"
},
{
"final": true,
"query": "MATCH p=(g)-[:ManageCa|ManageCertificates|Auditor|Operator|Read|Enroll]->(n:GPO {name:$result}) return p",
"allowCollapse": false
}
]
},
{
"name": "Find Misconfigured Certificate Templates (ESC1)",
"category": "Domain Escalation",
"queryList": [
{
"final": true,
"query": "MATCH (n:GPO) WHERE n.type = 'Certificate Template' and n.`Enrollee Supplies Subject` = true and n.`Client Authentication` = true and n.`Enabled` = true RETURN n"
}
]
},
{
"name": "Shortest Paths to Misconfigured Certificate Templates from Owned Principals (ESC1)",
"category": "Domain Escalation",
"queryList": [
{
"final": true,
"query": "MATCH p=allShortestPaths((g {owned:true})-[*1..]->(n:GPO)) WHERE g<>n and n.type = 'Certificate Template' and n.`Enrollee Supplies Subject` = true and n.`Client Authentication` = true and n.`Enabled` = true return p"
}
]
},
{
"name": "Find Misconfigured Certificate Templates (ESC2)",
"category": "Domain Escalation",
"queryList": [
{
"final": true,
"query": "MATCH (n:GPO) WHERE n.type = 'Certificate Template' and n.`Enabled` = true and (n.`Extended Key Usage` = [] or 'Any Purpose' IN n.`Extended Key Usage` or n.`Any Purpose` = True) RETURN n"
}
]
},
{
"name": "Shortest Paths to Misconfigured Certificate Templates from Owned Principals (ESC2)",
"category": "Domain Escalation",
"queryList": [
{
"final": true,
"query": "MATCH p=allShortestPaths((g {owned:true})-[*1..]->(n:GPO)) WHERE g<>n and n.type = 'Certificate Template' and n.`Enabled` = true and (n.`Extended Key Usage` = [] or 'Any Purpose' IN n.`Extended Key Usage` or n.`Any Purpose` = True) RETURN p"
}
]
},
{
"name": "Find Enrollment Agent Templates (ESC3)",
"category": "Domain Escalation",
"queryList": [
{
"final": true,
"query": "MATCH (n:GPO) WHERE n.type = 'Certificate Template' and n.`Enabled` = true and (n.`Extended Key Usage` = [] or 'Any Purpose' IN n.`Extended Key Usage` or 'Certificate Request Agent' IN n.`Extended Key Usage` or n.`Any Purpose` = True) RETURN n"
}
]
},
{
"name": "Shortest Paths to Enrollment Agent Templates from Owned Principals (ESC3)",
"category": "Domain Escalation",
"queryList": [
{
"final": true,
"query": "MATCH p=allShortestPaths((g {owned:true})-[*1..]->(n:GPO)) WHERE g<>n and n.type = 'Certificate Template' and n.`Enabled` = true and (n.`Extended Key Usage` = [] or 'Any Purpose' IN n.`Extended Key Usage` or n.`Any Purpose` = True or 'Certificate Request Agent' IN n.`Extended Key Usage`) RETURN p"
}
]
},
{
"name": "Shortest Paths to Vulnerable Certificate Template Access Control (ESC4)",
"category": "Domain Escalation",
"queryList": [
{
"final": true,
"query": "MATCH p=shortestPath((g)-[:GenericAll|GenericWrite|Owns|WriteDacl|WriteOwner*1..]->(n:GPO)) WHERE g<>n and n.type = 'Certificate Template' and n.`Enabled` = true RETURN p"
}
]
},
{
"name": "Shortest Paths to Vulnerable Certificate Template Access Control from Owned Principals (ESC4)",
"category": "Domain Escalation",
"queryList": [
{
"final": true,
"query": "MATCH p=allShortestPaths((g {owned:true})-[r*1..]->(n:GPO)) WHERE g<>n and n.type = 'Certificate Template' and n.Enabled = true and NONE(x in relationships(p) WHERE type(x) = 'Enroll' or type(x) = 'AutoEnroll') return p"
}
]
},
{
"name": "Find Certificate Authorities with User Specified SAN (ESC6)",
"category": "Domain Escalation",
"queryList": [
{
"final": true,
"query": "MATCH (n:GPO) WHERE n.type = 'Enrollment Service' and n.`User Specified SAN` = 'Enabled' RETURN n"
}
]
},
{
"name": "Shortest Paths to Vulnerable Certificate Authority Access Control (ESC7)",
"category": "Domain Escalation",
"queryList": [
{
"final": true,
"query": "MATCH p=shortestPath((g)-[r:GenericAll|GenericWrite|Owns|WriteDacl|WriteOwner|ManageCa|ManageCertificates*1..]->(n:GPO)) WHERE g<>n and n.type = 'Enrollment Service' RETURN p"
}
]
},
{
"name": "Shortest Paths to Vulnerable Certificate Authority Access Control from Owned Principals (ESC7)",
"category": "Domain Escalation",
"queryList": [
{
"final": true,
"query": "MATCH p=allShortestPaths((g {owned:true})-[*1..]->(n:GPO)) WHERE g<>n and n.type = 'Enrollment Service' and NONE(x in relationships(p) WHERE type(x) = 'Enroll' or type(x) = 'AutoEnroll') RETURN p"
}
]
},
{
"name": "Find Certificate Authorities with HTTP Web Enrollment (ESC8)",
"category": "Domain Escalation",
"queryList": [
{
"final": true,
"query": "MATCH (n:GPO) WHERE n.type = 'Enrollment Service' and n.`Web Enrollment` = 'Enabled' RETURN n"
}
]
},
{
"name": "Find Unsecured Certificate Templates (ESC9)",
"category": "Domain Escalation",
"queryList": [
{
"final": true,
"query": "MATCH (n:GPO) WHERE n.type = 'Certificate Template' and n.`Enrollee Supplies Subject` = true and n.`Client Authentication` = true and n.`Enabled` = true RETURN n"
}
]
},
{
"name": "Find Unsecured Certificate Templates (ESC9)",
"category": "PKI",
"queryList": [
{
"final": true,
"query": "MATCH (n:GPO) WHERE n.type = 'Certificate Template' and 'NoSecurityExtension' in n.`Enrollment Flag` and n.`Enabled` = true RETURN n"
}
]
},
{
"name": "Shortest Paths to Unsecured Certificate Templates from Owned Principals (ESC9)",
"category": "PKI",
"queryList": [
{
"final": true,
"query": "MATCH p=allShortestPaths((g {owned:true})-[r*1..]->(n:GPO)) WHERE n.type = 'Certificate Template' and g<>n and 'NoSecurityExtension' in n.`Enrollment Flag` and n.`Enabled` = true and NONE(rel in r WHERE type(rel) in ['EnabledBy','Read','ManageCa','ManageCertificates']) return p"
}
]
},
{
"name": "Domains",
"category": "Information Gathering",
"queryList": [
{
"final": true,
"query": "MATCH (d:Domain) RETURN d"
}
]
},
{
"name": "Domain Controllers",
"category": "Information Gathering",
"queryList": [
{
"final": false,
"title": "Select a Domain Controllers Group...",
"query": "MATCH (n:Group) WHERE n.objectid ENDS WITH \"-516\" RETURN n.name ORDER BY n.name DESC"
},
{
"final": true,
"query": "MATCH p=(c:Computer)-[:MemberOf*1..]->(n:Group {name: $result}) RETURN p",
"allowCollapse": false
}
]
},
{
"name": "High Value Targets",
"category": "Information Gathering",
"queryList": [
{
"final": false,
"title": "Select a Domain...",
"query": "MATCH (n:Domain) RETURN n.name ORDER BY n.name DESC"
},
{
"final": true,
"query": "MATCH p = (d:Domain {name: $result})-[r:Contains*1..]->(h {highvalue: true}) RETURN p",
"allowCollapse": false
}
]
},
{
"name": "Computers without LAPS",
"category": "Information Gathering",
"queryList": [
{
"final": false,
"title": "Select a Domain...",
"query": "MATCH (n:Domain) RETURN n.name ORDER BY n.name DESC"
},
{
"final": true,
"query": "MATCH p = (d:Domain {name: $result})-[r:Contains*1..]->(c:Computer {haslaps: false}) RETURN p"
}
]
},
{
"name": "Owned Principals",
"category": "Information Gathering",
"queryList": [
{
"final": true,
"query": "MATCH p = (d:Domain)-[r:Contains*1..]->(o {owned: true}) RETURN p"
}
]
},
{
"name": "Sensitive Principals by Keywords",
"category": "Information Gathering",
"queryList": [
{
"final": true,
"query": "UNWIND ['admin', 'amministratore', 'empfindlich', 'geheim', 'important', 'azure', 'MSOL', 'kennwort', 'pass', 'secret', 'sensib', 'sensitiv'] AS word MATCH (n) WHERE (toLower(n.name) CONTAINS toLower(word)) OR (toLower(n.description) CONTAINS toLower(word)) RETURN n"
}
]
},
{
"name": "Users with Password in AD",
"category": "Accounts",
"queryList": [
{
"final": false,
"title": "Select a Domain...",
"query": "MATCH (n:Domain) RETURN n.name ORDER BY n.name DESC"
},
{
"final": true,
"query": "MATCH p = (d:Domain {name: $result})-[r:Contains*1..]->(u:User) WHERE u.userpassword IS NOT NULL RETURN p"
}
]
},
{
"name": "Users with \"Pass\" in AD Description",
"category": "Accounts",
"queryList": [
{
"final": false,
"title": "Select a Domain...",
"query": "MATCH (n:Domain) RETURN n.name ORDER BY n.name DESC"
},
{
"final": true,
"query": "MATCH p = (d:Domain {name: $result})-[r:Contains*1..]->(u:User) WHERE u.description =~ '(?i).*pass.*' RETURN p"
}
]
},
{
"name": "Users with Password not Required",
"category": "Accounts",
"queryList": [
{
"final": false,
"title": "Select a Domain...",
"query": "MATCH (n:Domain) RETURN n.name ORDER BY n.name DESC"
},
{
"final": true,
"query": "MATCH p = (d:Domain {name: $result})-[r:Contains*1..]->(u:User {passwordnotreqd: true}) RETURN p"
}
]
},
{
"name": "Users with Password never Expiring",
"category": "Accounts",
"queryList": [
{
"final": false,
"title": "Select a Domain...",
"query": "MATCH (n:Domain) RETURN n.name ORDER BY n.name DESC"
},
{
"final": true,
"query": "MATCH p = (d:Domain {name: $result})-[r:Contains*1..]->(u:User {pwdneverexpires: True}) WHERE NOT u.name starts with 'KRBTGT' RETURN u"
}
]
},
{
"name": "Users with Same Name in Different Domains",
"category": "Accounts",
"queryList": [
{
"final": true,
"query": "MATCH (u1:User),(u2:User) WHERE split(u1.name,'@')[0] = split(u2.name,'@')[0] AND u1.domain <> u2.domain AND tointeger(split(u1.objectid,'-')[7]) >= 1000 RETURN u1"
}
]
},
{
"name": "Protected Users",
"category": "Privileged Accounts",
"queryList": [
{
"final": false,
"title": "Select a Protected Users Group...",
"query": "MATCH (n:Group) WHERE n.objectid ENDS WITH \"-525\" RETURN n.name ORDER BY n.name DESC"
},
{
"final": true,
"query": "MATCH p=(u:User)-[:MemberOf*1..]->(n:Group {name: $result}) RETURN p"
}
]
},
{
"name": "AdminTo Relationships",
"category": "Privileged Accounts",
"queryList": [
{
"final": false,
"title": "Select a Domain...",
"query": "MATCH (n:Domain) RETURN n.name ORDER BY n.name DESC"
},
{
"final": true,
"query": "MATCH p=(u {domain: $result})-[r:AdminTo]->(c:Computer) RETURN p"
}
]
},
{
"name": "Administrators",
"category": "Privileged Accounts",
"queryList": [
{
"final": false,
"title": "Select an Administrators Group...",
"query": "MATCH (n:Group) WHERE n.objectid ENDS WITH \"-544\" RETURN n.name ORDER BY n.name DESC"
},
{
"final": true,
"query": "MATCH p=(u:User)-[:MemberOf*1..]->(n:Group {name: $result}) RETURN p"
}
]
},
{
"name": "Computers in Administrators",
"category": "Privileged Accounts",
"queryList": [
{
"final": false,
"title": "Select an Administrators Group...",
"query": "MATCH (n:Group) WHERE n.objectid ENDS WITH \"-544\" RETURN n.name ORDER BY n.name DESC"
},
{
"final": true,
"query": "MATCH p = (c:Computer)-[r:MemberOf|HasSIDHistory*1..]->(g:Group {name: $result}) RETURN p",
"endNode": "{}"
}
]
},
{
"name": "Computers Local Admin to Another Computer",
"category": "Privileged Accounts",
"queryList": [
{
"final": false,
"title": "Select a Domain...",
"query": "MATCH (n:Domain) RETURN n.name ORDER BY n.name DESC"
},
{
"final": true,
"query": "MATCH p = (c1:Computer {domain: $result})-[r1:AdminTo]->(c2:Computer) RETURN p UNION ALL MATCH p = (c3:Computer {domain: $result})-[r2:MemberOf|HasSIDHistory*1..]->(g:Group)-[r3:AdminTo]->(c4:Computer) RETURN p"
}
]
},
{
"name": "Sessions of Administrators on non DCs Computers",
"category": "Privileged Accounts",
"queryList": [
{
"final": false,
"title": "Select a Domain...",
"query": "MATCH (n:Domain) RETURN n.name ORDER BY n.name DESC"
},
{
"final": true,
"query": "MATCH (dc:Computer {domain: $result})-[r1:MemberOf*0..]->(g1:Group) WHERE g1.objectid =~ \"S-1-5-.*-516\" WITH COLLECT(dc) AS exclude MATCH p = (c:Computer {domain: $result})-[n:HasSession]->(u:User)-[r2:MemberOf*1..]->(g2:Group) WHERE NOT c IN exclude and g2.objectid ENDS WITH \"-544\" RETURN p"
}
]
},
{
"name": "DCSync Principals not Administrators",
"category": "Privileged Accounts",
"queryList": [
{
"final": false,
"title": "Select a Domain...",
"query": "MATCH (n:Domain) RETURN n.name ORDER BY n.name DESC"
},
{
"final": true,
"query": "MATCH (admins {domain: $result})-[r1:MemberOf*0..]->(g1:Group) WHERE (g1.objectid =~ \"(?i)S-1-5-.*-512\") OR (g1.objectid =~ \"(?i)S-1-5-.*-516\") OR (g1.objectid =~ \"(?i)S-1-5-.*-518\") OR (g1.objectid =~ \"(?i)S-1-5-.*-519\") OR (g1.objectid =~ \"(?i)S-1-5-.*-520\") OR (g1.objectid =~ \"(?i)S-1-5-.*-544\") OR (g1.objectid =~ \"(?i)S-1-5-.*-548\") OR (g1.objectid =~ \"(?i)S-1-5-.*-549\") OR (g1.objectid =~ \"(?i)S-1-5-.*-551\") WITH COLLECT(admins) AS exclude MATCH p=(n1)-[:MemberOf|GetChanges*0..]->(u:Domain {name: $result}) WHERE NOT n1 IN exclude and (n1:Computer or n1:User) RETURN p"
}
]
},
{
"name": "AS-REP Roastable Principals",
"category": "Kerberos",
"queryList": [
{
"final": false,
"title": "Select a Domain...",
"query": "MATCH (n:Domain) RETURN n.name ORDER BY n.name DESC"
},
{
"final": true,
"query": "MATCH (d:Domain {name: $result})-[r:Contains*1..]->(u {dontreqpreauth: true}) RETURN u"
}
]
},
{
"name": "Kerberoastable Principals",
"category": "Kerberos",
"queryList": [
{
"final": false,
"title": "Select a Domain...",
"query": "MATCH (n:Domain) RETURN n.name ORDER BY n.name DESC"
},
{
"final": true,
"query": "MATCH (d:Domain {name: $result})-[r:Contains*1..]->(u {hasspn: true}) RETURN u"
}
]
},
{
"name": "Kerberoastable Administrators",
"category": "Kerberos",
"queryList": [
{
"final": false,
"title": "Select a Domain...",
"query": "MATCH (n:Domain) RETURN n.name ORDER BY n.name DESC"
},
{
"final": true,
"query": "MATCH (admins {domain: $result})-[r1:MemberOf*0..]->(g1:Group) WHERE (g1.objectid =~ \"(?i)S-1-5-.*-512\") OR (g1.objectid =~ \"(?i)S-1-5-.*-516\") OR (g1.objectid =~ \"(?i)S-1-5-.*-518\") OR (g1.objectid =~ \"(?i)S-1-5-.*-519\") OR (g1.objectid =~ \"(?i)S-1-5-.*-520\") OR (g1.objectid =~ \"(?i)S-1-5-.*-544\") OR (g1.objectid =~ \"(?i)S-1-5-.*-548\") OR (g1.objectid =~ \"(?i)S-1-5-.*-549\") OR (g1.objectid =~ \"(?i)S-1-5-.*-551\") WITH COLLECT(admins) AS filter MATCH (d:Domain {name: $result})-[r:Contains*1..]->(u {hasspn: true}) WHERE u IN filter RETURN u"
}
]
},
{
"name": "Constrained Delegations",
"category": "Kerberos",
"queryList": [
{
"final": false,
"title": "Select a Domain...",
"query": "MATCH (n:Domain) RETURN n.name ORDER BY n.name DESC"
},
{
"final": true,
"query": "MATCH p = (a {domain: $result})-[:AllowedToDelegate]->(c:Computer) RETURN p"
}
]
},
{
"name": "Constrained Delegations with Protocol Transition (trustedToAuth)",
"category": "Kerberos",
"queryList": [
{
"final": false,
"title": "Select a Domain...",
"query": "MATCH (n:Domain) RETURN n.name ORDER BY n.name DESC"
},
{
"final": true,
"query": "MATCH p = (a {domain: $result, trustedtoauth: true})-[:AllowedToDelegate]->(c:Computer) RETURN p"
}
]
},
{
"name": "Computers Allowed to Delegate for Another Computer",
"category": "Kerberos",
"queryList": [
{
"final": false,
"title": "Select a Domain...",
"query": "MATCH (n:Domain) RETURN n.name ORDER BY n.name DESC"
},
{
"final": true,
"query": "MATCH p = (c1:Computer {domain: $result})-[:AllowedToDelegate]->(c2:Computer) RETURN p"
}
]
},
{
"name": "Unconstrained Delegation Principals",
"category": "Kerberos",
"queryList": [
{
"final": false,
"title": "Select a Domain...",
"query": "MATCH (n:Domain) RETURN n.name ORDER BY n.name DESC"
},
{
"final": true,
"query": "MATCH (dca)-[r:MemberOf*0..]->(g:Group) WHERE g.objectid =~ \"S-1-5-.*-516\" OR g.objectid =~ \".*-S-1-5-32-544\" WITH COLLECT(dca) AS exclude MATCH p = (d:Domain {name: $result})-[r:Contains*1..]->(uc {unconstraineddelegation: true}) WHERE (uc:User OR uc:Computer) AND NOT uc IN exclude RETURN p"
}
]
},
{
"name": "Resource-Based Constrained Delegation Principals",
"category": "Kerberos",
"queryList": [
{
"final": false,
"title": "Select a Domain...",
"query": "MATCH (n:Domain) RETURN n.name ORDER BY n.name DESC"
},
{
"final": true,
"query": "MATCH p=(m)-[r:AllowedToAct]->(n) RETURN p"
}
]
},
{
"name": "Configure Resource-Based Constrained Delegation Permissions",
"category": "Kerberos",
"queryList": [
{
"final": false,
"title": "Select a Domain...",
"query": "MATCH (n:Domain) RETURN n.name ORDER BY n.name DESC"
},
{
"final": true,
"query": "MATCH p=(m)-[r:AddAllowedToAct]->(n) RETURN p"
}
]
},
{
"name": "Interesting GPOs by Keyword",
"category": "Group Policies",
"queryList": [
{
"final": false,
"title": "Select a Domain...",
"query": "MATCH (n:Domain) RETURN n.name ORDER BY n.name DESC"
},
{
"final": true,
"query": "UNWIND [\"360totalsecurity\", \"access\", \"acronis\", \"adaware\", \"admin\", \"admin\", \"aegislab\", \"ahnlab\", \"alienvault\", \"altavista\", \"amsi\", \"anti-virus\", \"antivirus\", \"antiy\", \"apexone\", \"applock\", \"arcabit\", \"arcsight\", \"atm\", \"atp\", \"av\", \"avast\", \"avg\", \"avira\", \"baidu\", \"baiduspider\", \"bank\", \"barracuda\", \"bingbot\", \"bitdefender\", \"bluvector\", \"canary\", \"carbon\", \"carbonblack\", \"certificate\", \"check\", \"checkpoint\", \"citrix\", \"clamav\", \"code42\", \"comodo\", \"countercept\", \"countertack\", \"credential\", \"crowdstrike\", \"custom\", \"cyberark\", \"cybereason\", \"cylance\", \"cynet360\", \"cyren\", \"darktrace\", \"datadog\", \"defender\", \"druva\", \"drweb\", \"duckduckbot\", \"edr\", \"egambit\", \"emsisoft\", \"encase\", \"endgame\", \"ensilo\", \"escan\", \"eset\", \"exabot\", \"exception\", \"f-secure\", \"f5\", \"falcon\", \"fidelis\", \"fireeye\", \"firewall\", \"fix\", \"forcepoint\", \"forti\", \"fortigate\", \"fortil\", \"fortinet\", \"gdata\", \"gravityzone\", \"guard\", \"honey\", \"huntress\", \"identity\", \"ikarussecurity\", \"insight\", \"ivanti\", \"juniper\", \"k7antivirus\", \"k7computing\", \"kaspersky\", \"kingsoft\", \"kiosk\", \"laps\", \"lightcyber\", \"logging\", \"logrhythm\", \"lynx\", \"malwarebytes\", \"manageengine\", \"mass\", \"mcafee\", \"microsoft\", \"mj12bot\", \"msnbot\", \"nanoav\", \"nessus\", \"netwitness\", \"office365\", \"onedrive\", \"orion\", \"palo\", \"paloalto\", \"paloaltonetworks\", \"panda\", \"pass\", \"powershell\", \"proofpoint\", \"proxy\", \"qradar\", \"rdp\", \"rsa\", \"runasppl\", \"sandboxe\", \"sap\", \"scanner\", \"scanning\", \"sccm\", \"script\", \"secret\", \"secureage\", \"secureworks\", \"security\", \"sensitive\", \"sentinel\", \"sentinelone\", \"slurp\", \"smartcard\", \"sogou\", \"solarwinds\", \"sonicwall\", \"sophos\", \"splunk\", \"superantispyware\", \"symantec\", \"tachyon\", \"temporary\", 
\"tencent\", \"totaldefense\", \"transfer\", \"trapmine\", \"trend micro\", \"trendmicro\", \"trusteer\", \"trustlook\", \"uac\", \"vdi\", \"virusblokada\", \"virustotal\", \"virustotalcloud\", \"vpn\", \"vuln\", \"webroot\", \"whitelist\", \"wifi\", \"winrm\", \"workaround\", \"yubikey\", \"zillya\", \"zonealarm\", \"zscaler\"] as word match (n:GPO {domain: $result}) where toLower(n.name) CONTAINS toLower(word) RETURN n"
}
]
},
{
"name": "GPO Permissions of Non-Admin Principals",
"category": "Group Policies",
"queryList": [
{
"final": false,
"title": "Select a Domain...",
"query": "MATCH (n:Domain) RETURN n.name ORDER BY n.name DESC"
},
{
"final": true,
"query": "MATCH (u1:user {domain: $result})-[r:MemberOf*1..]->(n:Group) WHERE (n.objectid =~ \"(?i)S-1-5-.*-512\") OR (n.objectid =~ \"(?i)S-1-5-.*-516\") OR (n.objectid =~ \"(?i)S-1-5-.*-518\") OR (n.objectid =~ \"(?i)S-1-5-.*-519\") OR (n.objectid =~ \"(?i)S-1-5-.*-520\") OR (n.objectid =~ \"(?i)S-1-5-.*-544\") OR (n.objectid =~ \"(?i)S-1-5-.*-548\") OR (n.objectid =~ \"(?i)S-1-5-.*-549\") OR (n.objectid =~ \"(?i)S-1-5-.*-551\") WITH COLLECT(u1) AS exclude MATCH p = (u2:User)-[r:AddMember|AddSelf|WriteSPN|AddKeyCredentialLink|AllExtendedRights|ForceChangePassword|GenericAll|GenericWrite|WriteDacl|WriteOwner|Owns]->(g:GPO) WHERE NOT u2 IN exclude RETURN p"
}
]
},
{
"name": "LAPS Passwords Readable by Non-Admin",
"category": "DACL Abuse",
"queryList": [
{
"final": false,
"title": "Select a Domain...",
"query": "MATCH (n:Domain) RETURN n.name ORDER BY n.name DESC"
},
{
"final": true,
"query": "MATCH (u1:user {domain: $result})-[r:MemberOf*1..]->(n:Group) WHERE (n.objectid =~ \"(?i)S-1-5-.*-512\") OR (n.objectid =~ \"(?i)S-1-5-.*-516\") OR (n.objectid =~ \"(?i)S-1-5-.*-518\") OR (n.objectid =~ \"(?i)S-1-5-.*-519\") OR (n.objectid =~ \"(?i)S-1-5-.*-520\") OR (n.objectid =~ \"(?i)S-1-5-.*-544\") OR (n.objectid =~ \"(?i)S-1-5-.*-548\") OR (n.objectid =~ \"(?i)S-1-5-.*-549\") OR (n.objectid =~ \"(?i)S-1-5-.*-551\") WITH COLLECT(u1) AS exclude MATCH p = (u2)-[r1:MemberOf*1..]->(g:Group)-[r2:GenericAll]->(t:Computer {haslaps:true}) WHERE NOT u2 IN exclude RETURN p"
}
]
},
{
"name": "LAPS Passwords Readable by Owned Principals",
"category": "DACL Abuse",
"queryList": [
{
"final": true,
"query": "MATCH p = (n {owned: true})-[r1:MemberOf*1..]->(g:Group)-[r2:GenericAll]->(t:Computer {haslaps:true}) RETURN p"
}
]
},
{
"name": "ACLs to Computers (excluding High Value Targets)",
"category": "DACL Abuse",
"queryList": [
{
"final": false,
"title": "Select a Domain...",
"query": "MATCH (n:Domain) RETURN n.name ORDER BY n.name DESC"
},
{
"final": true,
"query": "MATCH p = (ucg {highvalue: false})-[r {isacl: true}]->(c:Computer {domain: $result}) WHERE (ucg:User OR ucg:Computer OR ucg:Group) RETURN p"
}
]
},
{
"name": "Group Delegated Outbound Object Control of Owned Principals",
"category": "DACL Abuse",
"queryList": [
{
"final": true,
"query": "MATCH p = (n {owned: true})-[r1:MemberOf*1..]->(g:Group)-[r2 {isacl: true}]->(t) RETURN p"
}
]
},
{
"name": "Dangerous Rights for Groups under Domain Users",
"category": "DACL Abuse",
"queryList": [
{
"final": false,
"title": "Select a Domain...",
"query": "MATCH (n:Domain) RETURN n.name ORDER BY n.name DESC"
},
{
"final": true,
"query": "MATCH p=(m:Group {domain: $result})-[r1:MemberOf*1..]->(g:Group)-[:Owns|WriteDacl|GenericAll|WriteOwner|ExecuteDCOM|GenericWrite|AllowedToDelegate|ForceChangePassword]->(n) WHERE m.objectid ENDS WITH '-513' RETURN p"
}
]
},
{
"name": "Set DCSync Principals as High Value Targets",
"category": "Adding High-Value Targets",
"queryList": [
{
"final": true,
"query": "MATCH (s)-[r:MemberOf|GetChanges*1..]->(d:Domain) WITH s, d MATCH (s)-[r:MemberOf|GetChangesAll*1..]->(d) WITH s, d MATCH p = (s)-[r:MemberOf|GetChanges|GetChangesAll*1..]->(d) WHERE s.highvalue = false SET s.highvalue = true, s.highvaluereason = 'DCSync Principal' RETURN p"
}
]
},
{
"name": "Set Unconstrained Delegation Principals as High Value Targets",
"category": "Adding High-Value Targets",
"queryList": [
{
"final": true,
"query": "MATCH p = (d:Domain)-[r:Contains*1..]->(uc) WHERE (uc:User OR uc:Computer) AND uc.unconstraineddelegation = true AND uc.highvalue = false SET uc.highvalue = true, uc.highvaluereason = 'Unconstrained Delegation Principal' RETURN p"
}
]
},
{
"name": "Set Local Admin or Reset Password Principals as High Value Targets",
"category": "Adding High-Value Targets",
"queryList": [
{
"final": true,
"query": "MATCH (a)-[r:AdminTo|ForceChangePassword]->(b) WHERE a.highvalue = false SET a.highvalue = true, a.highvaluereason = 'Local Admin or Reset Password Principal' RETURN a"
}
]
},
{
"name": "Set Principals with Privileges on Computers as High Value Targets",
"category": "Adding High-Value Targets",
"queryList": [
{
"final": true,
"query": "MATCH (a)-[r:AllowedToDelegate|ExecuteDCOM|ForceChangePassword|GenericAll|GenericWrite|Owns|WriteDacl|WriteOwner]->(n:Computer) WHERE a.highvalue = false SET a.highvalue = true, a.highvaluereason = 'Principal with Privileges on Computers' RETURN a"
}
]
},
{
"name": "Set Principals with Privileges on Cert Publishers as High Value Targets",
"category": "Adding High-Value Targets",
"queryList": [
{
"final": true,
"query": "MATCH (a)-[r:GenericAll|GenericWrite|MemberOf|Owns|WriteDacl|WriteOwner]->(g:Group) WHERE g.objectid =~ 'S-1-5-21-.*-517' AND a.highvalue = false SET a.highvalue = true, a.highvaluereason = 'Principal with Privileges on the Cert Publisher group' RETURN a"
}
]
},
{
"name": "Set Members of High Value Targets Groups as High Value Targets",
"category": "Adding High-Value Targets",
"queryList": [
{
"final": true,
"query": "MATCH (a)-[r:MemberOf*1..]->(g:Group) WHERE a.highvalue = false AND g.highvalue = true SET a.highvalue = true, a.highvaluereason = 'Member of High Value Target Group' RETURN a"
}
]
},
{
"name": "Remove Inactive Users and Computers from High Value Targets",
"category": "Adding High-Value Targets",
"queryList": [
{
"final": true,
"query": "MATCH (uc) WHERE uc.highvalue = true AND ((uc:User AND uc.enabled = false) OR (uc:Computer AND ((uc.enabled = false) OR (uc.lastlogon > 0 AND uc.lastlogon < (TIMESTAMP() / 1000 - 15552000)) OR (uc.lastlogontimestamp > 0 AND uc.lastlogontimestamp < (TIMESTAMP() / 1000 - 15552000))))) SET uc.highvalue = false, uc.nothighvaluereason = 'Inactive' RETURN uc"
}
]
},
{
"name": "Shortest Paths to Domain (including Computers)",
"category": "Shortest Paths",
"queryList": [
{
"final": false,
"title": "Select a Domain...",
"query": "MATCH (d:Domain) RETURN d.name ORDER BY d.name ASC"
},
{
"final": true,
"query": "MATCH p = allShortestPaths((uc)-[r:{}*1..]->(d:Domain {name: $result})) WHERE (uc:User OR uc:Computer) RETURN p",
"endNode": "{}"
}
]
},
{
"name": "Shortest Paths to no LAPS",
"category": "Shortest Paths",
"queryList": [
{
"final": true,
"query": "MATCH p = allShortestPaths((uc)-[r:{}*1..]->(c:Computer)) WHERE (uc:User OR uc:Computer) AND NOT uc = c AND c.haslaps = false RETURN p"
}
]
},
{
"name": "Shortest Paths from Kerberoastable Users to Computers",
"category": "Shortest Paths",
"queryList": [
{
"final": true,
"query": "MATCH p = allShortestPaths((u:User)-[r:{}*1..]->(c:Computer)) WHERE u.hasspn = true RETURN p"
}
]
},
{
"name": "Shortest Paths from Kerberoastable Users to High Value Targets",
"category": "Shortest Paths",
"queryList": [
{
"final": true,
"query": "MATCH p = allShortestPaths((u:User)-[r:{}*1..]->(h)) WHERE u.hasspn = true AND h.highvalue = true RETURN p"
}
]
},
{
"name": "Shortest Paths from Owned Principals (including everything)",
"category": "Shortest Paths",
"queryList": [
{
"final": true,
"query": "MATCH p = allShortestPaths((u:User)-[r:{}*1..]->(a)) WHERE u.owned = true AND u <> a RETURN p"
}
]
},
{
"name": "Shortest Paths from Owned Principals to Domain",
"category": "Shortest Paths",
"queryList": [
{
"final": false,
"title": "Select a Domain...",
"query": "MATCH (d:Domain) RETURN d.name ORDER BY d.name ASC"
},
{
"final": true,
"query": "MATCH p = allShortestPaths((o)-[r:{}*1..]->(d:Domain)) WHERE o.owned = true AND d.name = $result RETURN p",
"endNode": "{}"
}
]
},
{
"name": "Shortest Paths from Owned Principals to High Value Targets",
"category": "Shortest Paths",
"queryList": [
{
"final": true,
"query": "MATCH p = allShortestPaths((o)-[r:{}*1..]->(h)) WHERE o.owned = true AND h.highvalue = true RETURN p"
}
]
},
{
"name": "Shortest Paths from Owned Principals to no LAPS",
"category": "Shortest Paths",
"queryList": [
{
"final": true,
"query": "MATCH p = allShortestPaths((o)-[r:{}*1..]->(c:Computer)) WHERE NOT o = c AND o.owned = true AND c.haslaps = false RETURN p"
}
]
},
{
"name": "Shortest Paths from no Signing to Domain",
"category": "Shortest Paths",
"queryList": [
{
"final": false,
"title": "Select a Domain...",
"query": "MATCH (d:Domain) RETURN d.name ORDER BY d.name ASC"
},
{
"final": true,
"query": "MATCH p = allShortestPaths((c:Computer)-[r:{}*1..]->(d:Domain)) WHERE c.hassigning = false AND d.name = $result RETURN p",
"endNode": "{}"
}
]
},
{
"name": "Shortest Paths from no Signing to High Value Targets",
"category": "Shortest Paths",
"queryList": [
{
"final": true,
"query": "MATCH p = allShortestPaths((c:Computer)-[r:{}*1..]->(h)) WHERE NOT c = h AND c.hassigning = false AND h.highvalue = true RETURN p"
}
]
},
{
"name": "Shortest Paths from Domain Users and Domain Computers (including everything)",
"category": "Shortest Paths",
"queryList": [
{
"final": true,
"query": "MATCH p = allShortestPaths((g:Group)-[r:{}*1..]->(a)) WHERE (g.objectid =~ $domain_users_id OR g.objectid =~ $domain_computers_id) AND g <> a RETURN p",
"props": {
"domain_users_id": "S-1-5-.*-513",
"domain_computers_id": "S-1-5-.*-515"
}
}
]
},
{
"name": "List all owned users",
"queryList": [
{
"final": true,
"query": "MATCH (m:User) WHERE m.owned=TRUE RETURN m"
}
]
},
{
"name": "List all owned computers",
"queryList": [
{
"final": true,
"query": "MATCH (m:Computer) WHERE m.owned=TRUE RETURN m"
}
]
},
{
"name": "List all owned groups",
"queryList": [
{
"final": true,
"query": "MATCH (m:Group) WHERE m.owned=TRUE RETURN m"
}
]
},
{
"name": "List all High Valued Targets",
"queryList": [
{
"final": true,
"query": "MATCH (m) WHERE m.highvalue=TRUE RETURN m"
}
]
},
{
"name": "List the groups of all owned users",
"queryList": [
{
"final": true,
"query": "MATCH (m:User) WHERE m.owned=TRUE WITH m MATCH p=(m)-[:MemberOf*1..]->(n:Group) RETURN p"
}
]
},
{
"name": "Find the Shortest path to a high value target from an owned object",
"queryList": [
{
"final": true,
"query": "MATCH p=shortestPath((g {owned:true})-[*1..]->(n {highvalue:true})) WHERE g<>n return p"
}
]
},
{
"name": "Find the Shortest path to an unconstrained delegation system from an owned object",
"queryList": [
{
"final": true,
"query": "MATCH (n) MATCH p=shortestPath((n)-[*1..]->(m:Computer {unconstraineddelegation: true})) WHERE NOT n=m AND n.owned = true RETURN p"
}
]
},
{
"name": "Find all Kerberoastable Users",
"queryList": [
{
"final": true,
"query": "MATCH (n:User)WHERE n.hasspn=true RETURN n",
"allowCollapse": false
}
]
},
{
"name": "Find All Users with an SPN/Find all Kerberoastable Users with passwords last set less than 5 years ago",
"queryList": [
{
"final": true,
"query": "MATCH (u:User) WHERE u.hasspn=true AND u.pwdlastset < (datetime().epochseconds - (1825 * 86400)) AND NOT u.pwdlastset IN [-1.0, 0.0] RETURN u.name, u.pwdlastset order by u.pwdlastset "
}
]
},
{
"name": "Find Kerberoastable Users with a path to DA",
"queryList": [
{
"final": true,
"query": "MATCH (u:User {hasspn:true}) MATCH (g:Group) WHERE g.objectid ENDS WITH '-512' MATCH p = shortestPath( (u)-[*1..]->(g) ) RETURN p"
}
]
},
{
"name": "Find machines Domain Users can RDP into",
"queryList": [
{
"final": true,
"query": "match p=(g:Group)-[:CanRDP]->(c:Computer) where g.objectid ENDS WITH '-513' return p"
}
]
},
{
"name": "Find what groups can RDP",
"queryList": [
{
"final": true,
"query": "MATCH p=(m:Group)-[r:CanRDP]->(n:Computer) RETURN p"
}
]
},
{
"name": "Find groups that can reset passwords (Warning: Heavy)",
"queryList": [
{
"final": true,
"query": "MATCH p=(m:Group)-[r:ForceChangePassword]->(n:User) RETURN p"
}
]
},
{
"name": "Find groups that have local admin rights (Warning: Heavy)",
"queryList": [
{
"final": true,
"query": "MATCH p=(m:Group)-[r:AdminTo]->(n:Computer) RETURN p"
}
]
},
{
"name": "Find all users that have local admin rights",
"queryList": [
{
"final": true,
"query": "MATCH p=(m:User)-[r:AdminTo]->(n:Computer) RETURN p"
}
]
},
{
"name": "Find all active Domain Admin sessions",
"queryList": [
{
"final": true,
"query": "MATCH (n:User)-[:MemberOf]->(g:Group) WHERE g.objectid ENDS WITH '-512' MATCH p = (c:Computer)-[:HasSession]->(n) return p"
}
]
},
{
"name": "Find all computers with Unconstrained Delegation",
"queryList": [
{
"final": true,
"query": "MATCH (c:Computer {unconstraineddelegation:true}) return c"
}
]
},
{
"name": "Find all computers with unsupported operating systems",
"queryList": [
{
"final": true,
"query": "MATCH (H:Computer) WHERE H.operatingsystem = '.*(2000|2003|2008|xp|vista|7|me).*' RETURN H"
}
]
},
{
"name": "Find users that logged in within the last 90 days",
"queryList": [
{
"final": true,
"query": "MATCH (u:User) WHERE u.lastlogon < (datetime().epochseconds - (90 * 86400)) and NOT u.lastlogon IN [-1.0, 0.0] RETURN u"
}
]
},
{
"name": "Find users with passwords last set within the last 90 days",
"queryList": [
{
"final": true,
"query": "MATCH (u:User) WHERE u.pwdlastset < (datetime().epochseconds - (90 * 86400)) and NOT u.pwdlastset IN [-1.0, 0.0] RETURN u"
}
]
},
{
"name": "Find constrained delegation",
"queryList": [
{
"final": true,
"query": "MATCH p=(u:User)-[:AllowedToDelegate]->(c:Computer) RETURN p"
}
]
},
{
"name": "Find computers that allow unconstrained delegation and aren’t domain controllers.",
"queryList": [
{
"final": true,
"query": "MATCH (c1:Computer)-[:MemberOf*1..]->(g:Group) WHERE g.objectid ENDS WITH '-516' WITH COLLECT(c1.name) AS domainControllers MATCH (c2:Computer {unconstraineddelegation:true}) WHERE NOT c2.name IN domainControllers RETURN c2"
}
]
},
{
"name": "Return the name of every computer in the database where at least one SPN for the computer contains the string 'MSSQL'",
"queryList": [
{
"final": true,
"query": "MATCH (c:Computer) WHERE ANY (x IN c.serviceprincipalnames WHERE toUpper(x) CONTAINS 'MSSQL') RETURN c"
}
]
},
{
"name": "View all GPOs",
"queryList": [
{
"final": true,
"query": "Match (n:GPO) RETURN n"
}
]
},
{
"name": "View all groups that contain the word 'admin'",
"queryList": [
{
"final": true,
"query": "Match (n:Group) WHERE n.name CONTAINS 'ADMIN' RETURN n"
}
]
},
{
"name": "Find users that can be AS-REP roasted",
"queryList": [
{
"final": true,
"query": "MATCH (u:User {dontreqpreauth: true}) RETURN u"
}
]
},
{
"name": "Find All Users with an SPN/Find all Kerberoastable Users with passwords last set > 5 years ago",
"queryList": [
{
"final": true,
"query": "MATCH (u:User) WHERE n.hasspn=true AND WHERE u.pwdlastset < (datetime().epochseconds - (1825 * 86400)) and NOT u.pwdlastset IN [-1.0, 0.0] RETURN u"
}
]
},
{
"name": "Show all high value target's groups",
"queryList": [
{
"final": true,
"query": "MATCH p=(n:User)-[r:MemberOf*1..]->(m:Group {highvalue:true}) RETURN p"
}
]
},
{
"name": "Find groups that contain both users and computers",
"queryList": [
{
"final": true,
"query": "MATCH (c:Computer)-[r:MemberOf*1..]->(groupsWithComps:Group) WITH groupsWithComps MATCH (u:User)-[r:MemberOf*1..]->(groupsWithComps) RETURN DISTINCT(groupsWithComps) as groupsWithCompsAndUsers"
}
]
},
{
"name": "Find Kerberoastable users who are members of high value groups",
"queryList": [
{
"final": true,
"query": "MATCH (u:User)-[r:MemberOf*1..]->(g:Group) WHERE g.highvalue=true AND u.hasspn=true RETURN u"
}
]
},
{
"name": "Find Kerberoastable users and where they are AdminTo",
"queryList": [
{
"final": true,
"query": "OPTIONAL MATCH (u1:User) WHERE u1.hasspn=true OPTIONAL MATCH (u1)-[r:AdminTo]->(c:Computer) RETURN u"
}
]
},
{
"name": "Find computers with constrained delegation permissions and the corresponding targets to which they are allowed to delegate",
"queryList": [
{
"final": true,
"query": "MATCH (c:Computer) WHERE c.allowedtodelegate IS NOT NULL RETURN c"
}
]
},
{
"name": "Find if any domain user has interesting permissions against a GPO (Warning: Heavy)",
"queryList": [
{
"final": true,
"query": "MATCH p=(u:User)-[r:AllExtendedRights|GenericAll|GenericWrite|Owns|WriteDacl|WriteOwner|GpLink*1..]->(g:GPO) RETURN p"
}
]
},
{
"name": "Find if unprivileged users have rights to add members into groups",
"queryList": [
{
"final": true,
"query": "MATCH (n:User {admincount:False}) MATCH p=allShortestPaths((n)-[r:AddMember*1..]->(m:Group)) RETURN p"
}
]
},
{
"name": "Find all users that are part of the VPN group",
"queryList": [
{
"final": true,
"query": "Match p=(u:User)-[:MemberOf]->(g:Group) WHERE toUPPER (g.name) CONTAINS 'VPN' return p"
}
]
},
{
"name": "Find users that have never logged on and whose account is still active",
"queryList": [
{
"final": true,
"query": "MATCH (n:User) WHERE n.lastlogontimestamp=-1.0 AND n.enabled=TRUE RETURN n "
}
]
},
{
"name": "Find an object in one domain that can do something to a foreign object",
"queryList": [
{
"final": true,
"query": "MATCH p=(n)-[r]->(m) WHERE NOT n.domain = m.domain RETURN p"
}
]
},
{
"name": "Find all sessions a user in a specific domain has",
"requireNodeSelect": true,
"queryList": [
{
"final": false,
"title": "Select source domain...",
"query": "MATCH (n:Domain) RETURN n.name ORDER BY n.name"
},
{
"final": true,
"query": "MATCH p=(m:Computer)-[r:HasSession]->(n:User {domain:{result}}) RETURN p",
"startNode": "{}",
"allowCollapse": false
}
]
},
{
"name": "Find an object from domain 'A' that can do anything to a foreign object",
"requireNodeSelect": true,
"queryList": [
{
"final": false,
"title": "Select source domain...",
"query": "MATCH (n:Domain) RETURN n.name ORDER BY n.name"
},
{
"final": true,
"query": "MATCH p=(n {domain:{result}})-[r]->(d) WHERE NOT d.domain=n.domain RETURN p",
"startNode": "{}",
"allowCollapse": false
}
]
},
{
"name": "Find All edges any owned user has on a computer",
"queryList": [
{
"final": true,
"query": "MATCH p=shortestPath((m:User)-[r*]->(b:Computer)) WHERE m.owned RETURN p"
}
]
},
{
"name": "----------------------------------------AZURE QUERIES----------------------------------",
"queryList": [
{
"final": true,
"query": ""
}
]
},
{
"name": "Return All Azure Users that are part of the 'Global Administrator' Role",
"queryList": [
{
"final": true,
"query": "MATCH p =(n)-[r:AZGlobalAdmin*1..]->(m) RETURN p"
}
]
},
{
"name": "Return All On-Prem users with edges to Azure",
"queryList": [
{
"final": true,
"query": "MATCH p=(m:User)-[r:AZResetPassword|AZOwns|AZUserAccessAdministrator|AZContributor|AZAddMembers|AZGlobalAdmin|AZVMContributor|AZOwnsAZAvereContributor]->(n) WHERE m.objectid CONTAINS 'S-1-5-21' RETURN p"
}
]
},
{
"name": "Find all paths to an Azure VM",
"queryList": [
{
"final": true,
"query": "MATCH p = (n)-[r]->(g:AZVM) RETURN p"
}
]
},
{
"name": "Find all paths to an Azure KeyVault",
"queryList": [
{
"final": true,
"query": "MATCH p = (n)-[r]->(g:AZKeyVault) RETURN p"
}
]
},
{
"name": "Return All Azure Users and their Groups",
"queryList": [
{
"final": true,
"query": "MATCH p=(m:AZUser)-[r:MemberOf]->(n) WHERE NOT m.objectid CONTAINS 'S-1-5' RETURN p"
}
]
},
{
"name": "Return All Azure AD Groups that are synchronized with On-Premise AD",
"queryList": [
{
"final": true,
"query": "MATCH (n:Group) WHERE n.objectid CONTAINS 'S-1-5' AND n.azsyncid IS NOT NULL RETURN n"
}
]
},
{
"name": "Find all Privileged Service Principals",
"queryList": [
{
"final": true,
"query": "MATCH p = (g:AZServicePrincipal)-[r]->(n) RETURN p"
}
]
},
{
"name": "Find all Owners of Azure Applications",
"queryList": [
{
"final": true,
"query": "MATCH p = (n)-[r:AZOwns]->(g:AZApp) RETURN p"
}
]
},
{
"name": "Shortest Paths to High Value Targets from Owned Principals",
"queryList": [
{
"final": false,
"title": "Select a Domain",
"query": "MATCH (n:Domain) RETURN n.name ORDER BY n.name DESC"
},
{
"final": true,
"query": "MATCH (n),(m),p=shortestPath((n)-[r:{}*1..]->(m)) WHERE m.domain={result} AND m.highvalue=true AND NOT m = n AND n.owned=true RETURN p",
"allowCollapse": true,
"endNode": "{}"
}
]
},
{
"name": "List Computers where DOMAIN USERS are Local Admin",
"queryList": [
{
"final": true,
"query": "MATCH p=(m:Group)-[r:AdminTo]->(n:Computer) WHERE m.name STARTS WITH 'DOMAIN USERS' RETURN p",
"allowCollapse": true
}
]
},
{
"name": "Find Workstations that DOMAIN USERS can RDP to",
"queryList": [
{
"final": true,
"query": "match p=(g:Group)-[:CanRDP]->(c:Computer) where g.name STARTS WITH 'DOMAIN USERS' AND NOT c.operatingsystem CONTAINS 'Server' return p",
"allowCollapse": true
}
]
},
{
"name": "Find Servers that DOMAIN USERS can RDP to",
"queryList": [
{
"final": true,
"query": "match p=(g:Group)-[:CanRDP]->(c:Computer) where g.name STARTS WITH 'DOMAIN USERS' AND c.operatingsystem CONTAINS 'Server' return p",
"allowCollapse": true
}
]
},
{
"name": "All Paths from DOMAIN USERS to High Value Targets",
"queryList": [
{
"final": true,
"query": "MATCH (g:Group) WHERE g.name STARTS WITH 'DOMAIN USERS' MATCH (n {highvalue:true}),p=shortestPath((g)-[r*1..]->(n)) return p",
"allowCollapse": true
}
]
},
{
"name": "Find all other Rights DOMAIN USERS shouldn’t have",
"queryList": [
{
"final": true,
"query": "MATCH p=(m:Group)-[r:Owns|:WriteDacl|:GenericAll|:WriteOwner|:ExecuteDCOM|:GenericWrite|:AllowedToDelegate|:ForceChangePassword]->(n:Computer) WHERE m.name STARTS WITH 'DOMAIN USERS' RETURN p",
"allowCollapse": true
}
]
},
{
"name": "DA Account Sessions",
"queryList": [
{
"final": true,
"query": "MATCH (n:User)-[:MemberOf]->(g:Group) WHERE g.name STARTS WITH 'DOMAIN ADMINS' MATCH p = (c:Computer)-[:HasSession]->(n) return p",
"allowCollapse": true
}
]
},
{
"name": "DA Account Sessions to NON DC",
"queryList": [
{
"final": true,
"query": "MATCH (c:Computer)-[:MemberOf]->(t:Group) WHERE NOT t.name STARTS WITH 'DOMAIN CONTROLLERS' WITH c as NonDC MATCH p=(NonDC)-[:HasSession]->(n:User)-[:MemberOf]-> (g:Group WHERE g.name STARTS WITH 'DOMAIN ADMINS') RETURN p",
"allowCollapse": true
}
]
},
{
"name": "Kerberoastable Accounts member of High Value Group",
"queryList": [
{
"final": true,
"query": "MATCH (n:User)-[r:MemberOf]->(g:Group) WHERE g.highvalue=true AND n.hasspn=true RETURN n, g, r",
"allowCollapse": true
}
]
},
{
"name": "List all Kerberoastable Accounts",
"queryList": [
{
"final": true,
"query": "MATCH (n:User)WHERE n.hasspn=true RETURN n",
"allowCollapse": true
}
]
},
{
"name": "Top Ten Users with Most Sessions",
"queryList": [
{
"final": true,
"query": "MATCH (n:User),(m:Computer), (n)<-[r:HasSession]-(m) WHERE NOT n.name STARTS WITH 'ANONYMOUS LOGON' AND NOT n.name='' WITH n, count(r) as rel_count order by rel_count desc LIMIT 10 MATCH p=(m)-[r:HasSession]->(n) RETURN p",
"allowCollapse": true
}
]
},
{
"name": "Top Ten Computers with Most Admins",
"queryList": [
{
"final": true,
"query": "MATCH (n:User),(m:Computer), (n)-[r:AdminTo]->(m) WHERE NOT n.name STARTS WITH 'ANONYMOUS LOGON' AND NOT n.name='' WITH m, count(r) as rel_count order by rel_count desc LIMIT 10 MATCH p=(m)<-[r:AdminTo]-(n) RETURN p",
"allowCollapse": true
}
]
},
{
"name": "Top Ten Computers with Most Sessions",
"queryList": [
{
"final": true,
"query": "MATCH (n:User),(m:Computer), (n)<-[r:HasSession]-(m) WHERE NOT n.name STARTS WITH 'ANONYMOUS LOGON' AND NOT n.name='' WITH m, count(r) as rel_count order by rel_count desc LIMIT 10 MATCH p=(m)-[r:HasSession]->(n) RETURN n,r,m",
"allowCollapse": true
}
]
},
{
"name": "Top Ten Computers with Most Admin Sessions",
"queryList": [
{
"final": true,
"query": "MATCH (n:User),(m:Computer), (n)<-[r:HasSession]-(m) WHERE NOT n.name STARTS WITH 'ANONYMOUS LOGON' AND NOT n.name='' WITH m, count(r) as rel_count order by rel_count desc LIMIT 10 MATCH p=(m)-[r:HasSession]->(n) RETURN n,r,m",
"allowCollapse": true
}
]
},
{
"name": "Top Ten Users with Most Local Admin Rights",
"queryList": [
{
"final": true,
"query": "MATCH (n:User),(m:Computer), (n)-[r:AdminTo]->(m) WHERE NOT n.name STARTS WITH 'ANONYMOUS LOGON' AND NOT n.name='' WITH n, count(r) as rel_count order by rel_count desc LIMIT 10 MATCH p=(m)<-[r:AdminTo]-(n) RETURN p",
"allowCollapse": true
}
]
},
{
"name": "Find all owned Domain Admins",
"requireNodeSelect": false,
"query": "MATCH (n:Group) WHERE n.name =~ {name} WITH n MATCH p=(n)<-[r:MemberOf*1..]-(m) WHERE exists(m.owned) AND NONE (x IN nodes(p) WHERE exists(x.blacklist)) AND NONE (x in relationships(p) WHERE exists(x.blacklist)) RETURN nodes(p),relationships(p)",
"allowCollapse": false,
"props": {
"name": "(?i).*DOMAIN ADMINS.*"
}
},
{
"name": "Find Shortest Paths from owned node to Domain Admins",
"requireNodeSelect": true,
"nodeSelectQuery": {
"query": "MATCH (n:Group) WHERE n.name =~ {name} RETURN n.name",
"queryProps": {
"name": "(?i).*DOMAIN ADMINS.*"
},
"onFinish": "MATCH (n),(m:Group {name:{result}}),p=shortestPath((n)-[*1..12]->(m)) WHERE exists(n.owned) AND NONE (x IN nodes(p) WHERE exists(x.blacklist)) AND NONE (x in relationships(p) WHERE exists(x.blacklist)) RETURN p",
"start": "",
"end": "{}",
"allowCollapse": true,
"boxTitle": "Select domain to map..."
}
},
{
"name": "Show Wave",
"requireNodeSelect": true,
"nodeSelectQuery": {
"query": "MATCH (n) WHERE exists(n.wave) WITH DISTINCT n.wave as d RETURN toString(d) ORDER BY d",
"queryProps": {
},
"onFinish": "OPTIONAL MATCH (n1:User {wave:toInt({result})}) WITH collect(distinct n1) as c1 OPTIONAL MATCH (n2:Computer {wave:toInt({result})}) WITH collect(distinct n2) + c1 as c2 OPTIONAL MATCH (n3:Group {wave:toInt({result})}) WITH c2, collect(distinct n3) + c2 as c3 UNWIND c2 as n UNWIND c3 as m MATCH (n)-[r]->(m) WHERE not(exists(n.blacklist)) AND not(exists(m.blacklist)) AND not(exists(r.blacklist)) RETURN n,r,m",
"start": "",
"end": "",
"allowCollapse": true,
"boxTitle": "Select wave..."
}
},
{
"name": "Highlight Delta for Wave",
"requireNodeSelect": true,
"nodeSelectQuery": {
"query": "MATCH (n) WHERE exists(n.wave) WITH DISTINCT n.wave as d RETURN toString(d) ORDER BY d",
"queryProps": {
},
"onFinish": "MATCH (n)-[r]->(m) WHERE n.wave<=toInt({result}) AND not(exists(n.blacklist)) AND not(exists(m.blacklist)) AND not(exists(r.blacklist)) RETURN n,r,m",
"start": "",
"end": "",
"allowCollapse": true,
"boxTitle": "Select wave to show deltas..."
}
},
{
"name": "Find Clusters of Password Reuse",
"requireNodeSelect": false,
"query": "MATCH p=(n)-[r:SharesPasswordWith]->(m) WHERE not(exists(n.blacklist)) AND not(exists(m.blacklist)) RETURN p",
"allowCollapse": true,
"props": {
}
},
{
"name": "Show Blacklisted Nodes",
"requireNodeSelect": false,
"query": "MATCH (n) WHERE exists(n.blacklist) RETURN n",
"allowCollapse": true,
"props": {
}
},
{
"name": "Show Blacklisted Relationships",
"requireNodeSelect": false,
"query": "MATCH (n)-[r]->(m) WHERE exists(r.blacklist) RETURN n,r,m",
"allowCollapse": true,
"props": {
}
},
{
"name": "Show Blacklist",
"requireNodeSelect": false,
"query": "OPTIONAL MATCH (n {blacklist:true}) WITH n OPTIONAL MATCH p=(()-[{blacklist:true}]->()) RETURN n,p",
"allowCollapse": true,
"props": {
}
},
{
"name": "Show owned Nodes",
"requireNodeSelect": false,
"query": "MATCH (n) WHERE exists(n.owned) RETURN n",
"allowCollapse": true,
"props": {
}
},
{
"name": "Find Shortest Paths to DA Equivalency",
"requireNodeSelect": true,
"nodeSelectQuery": {
"query": "MATCH (n:Group) WHERE n.name =~ {name} RETURN n.name",
"queryProps": {
"name": "(?i).*DOMAIN CONTROLLERS.*"
},
"onFinish": "MATCH (n:User),(m:Group {name:{result}}),p=shortestPath((n)-[*1..]->(m)) RETURN p",
"start": "",
"end": "{}",
"allowCollapse": true,
"boxTitle": "Select domain to map..."
}
},
{
"name": "Find Shortest Paths to Domain Admins from Foreign User",
"requireNodeSelect": true,
"nodeSelectQuery": {
"query": "MATCH (n:Domain) RETURN n.name",
"queryProps": {
},
"onFinish": "MATCH (n:User) WHERE NOT n.name ENDS WITH ('@' + {result}) WITH n MATCH (m:Group {name:('DOMAIN ADMINS@' + {result})}) WITH n,m MATCH p=shortestPath((n)-[*1..]->(m)) RETURN p",
"start": "{}",
"end": "",
"allowCollapse": true,
"boxTitle": "Select target domain..."
}
},
{
"name": "Show Connections over 22/tcp",
"requireNodeSelect": false,
"query": "MATCH p=((s:Computer)-[:Connected_22]->(d:Computer)) RETURN p",
"allowCollapse": true,
"props": {
}
},
{
"name": "Show Connections over 80/tcp",
"requireNodeSelect": false,
"query": "MATCH p=((s:Computer)-[:Connected_80]->(d:Computer)) RETURN p",
"allowCollapse": true,
"props": {
}
},
{
"name": "Show Connections over 135/tcp",
"requireNodeSelect": false,
"query": "MATCH p=((s:Computer)-[:Connected_135]->(d:Computer)) RETURN p",
"allowCollapse": true,
"props": {
}
},
{
"name": "Show Connections over 139/tcp",
"requireNodeSelect": false,
"query": "MATCH p=((s:Computer)-[:Connected_139]->(d:Computer)) RETURN p",
"allowCollapse": true,
"props": {
}
},
{
"name": "Show Connections over 389/tcp",
"requireNodeSelect": false,
"query": "MATCH p=((s:Computer)-[:Connected_389]->(d:Computer)) RETURN p",
"allowCollapse": true,
"props": {
}
},
{
"name": "Show Connections over 443/tcp",
"requireNodeSelect": false,
"query": "MATCH p=((s:Computer)-[:Connected_443]->(d:Computer)) RETURN p",
"allowCollapse": true,
"props": {
}
},
{
"name": "Show Connections over 445/tcp",
"requireNodeSelect": false,
"query": "MATCH p=((s:Computer)-[:Connected_445]->(d:Computer)) RETURN p",
"allowCollapse": true,
"props": {
}
},
{
"name": "Show Connections over 1433/tcp",
"requireNodeSelect": false,
"query": "MATCH p=((s:Computer)-[:Connected_1433]->(d:Computer)) RETURN p",
"allowCollapse": true,
"props": {
}
},
{
"name": "Show Connections over 1521/tcp",
"requireNodeSelect": false,
"query": "MATCH p=((s:Computer)-[:Connected_1521]->(d:Computer)) RETURN p",
"allowCollapse": true,
"props": {
}
},
{
"name": "Show Connections over 3306/tcp",
"requireNodeSelect": false,
"query": "MATCH p=((s:Computer)-[:Connected_3306]->(d:Computer)) RETURN p",
"allowCollapse": true,
"props": {
}
},
{
"name": "Show Connections over 3389/tcp",
"requireNodeSelect": false,
"query": "MATCH p=((s:Computer)-[:Connected_3389]->(d:Computer)) RETURN p",
"allowCollapse": true,
"props": {
}
},
{
"name": "Show Connections over 5432/tcp",
"requireNodeSelect": false,
"query": "MATCH p=((s:Computer)-[:Connected_5432]->(d:Computer)) RETURN p",
"allowCollapse": true,
"props": {
}
},
{
"name": "Show Database Connections",
"requireNodeSelect": false,
"query": "MATCH p=((s:Computer)-[:Connected_1433|Connected_1521|Connected_3306|Connected_5432]->(d:Computer)) RETURN p",
"allowCollapse": true,
"props": {
}
},
{
"name": "Show Web App Connections",
"requireNodeSelect": false,
"query": "MATCH p=((s:Computer)-[:Connected_80|Connected_443]->(d:Computer)) RETURN p",
"allowCollapse": true,
"props": {
}
},
{
"name": "Find Top 10 RDP Servers",
"requireNodeSelect": false,
"query": "MATCH (n:Computer)-[r:Connected_3389]->(m:Computer) WHERE NOT m.name STARTS WITH 'ANONYMOUS LOGON' AND NOT m.name='' WITH m, count(r) as rel_count order by rel_count desc LIMIT 10 MATCH (n)-[r:Connected_3389]->(m) RETURN n,r,m",
"allowCollapse": true,
"props": {
}
},
{
"name": "Find Top 10 SSH Servers",
"requireNodeSelect": false,
"query": "MATCH (n:Computer)-[r:Connected_22]->(m:Computer) WHERE NOT m.name STARTS WITH 'ANONYMOUS LOGON' AND NOT m.name='' WITH m, count(r) as rel_count order by rel_count desc LIMIT 10 MATCH (n)-[r:Connected_22]->(m) RETURN n,r,m",
"allowCollapse": true,
"props": {
}
},
{
"name": "Find Top 10 Web Apps with most Connections",
"requireNodeSelect": false,
"query": "MATCH (n:Computer)-[r:Connected_80|Connected_443]->(m:Computer) WHERE NOT m.name STARTS WITH 'ANONYMOUS LOGON' AND NOT m.name='' WITH m, count(r) as rel_count order by rel_count desc LIMIT 10 MATCH (n)-[r:Connected_80|Connected_443]->(m) RETURN n,r,m",
"allowCollapse": true,
"props": {
}
},
{
"name": "Return All Azure Users that are part of the 'Global Administrator' Role",
"category": "Azure",
"queryList": [
{
"final": true,
"query": "MATCH p =(n)-[r:AZGlobalAdmin*1..]->(m) RETURN p"
}
]
},
{
"name": "Return All On-Prem users with edges to Azure",
"category": "Azure",
"queryList": [
{
"final": true,
"query": "MATCH p=(m:User)-[r:AZResetPassword|AZOwns|AZUserAccessAdministrator|AZContributor|AZAddMembers|AZGlobalAdmin|AZVMContributor|AZOwnsAZAvereContributor]->(n) WHERE m.objectid CONTAINS 'S-1-5-21' RETURN p"
}
]
},
{
"name": "Find all paths to an Azure VM",
"category": "Azure",
"queryList": [
{
"final": true,
"query": "MATCH p = (n)-[r]->(g:AZVM) RETURN p"
}
]
},
{
"name": "Find all paths to an Azure KeyVault",
"category": "Azure",
"queryList": [
{
"final": true,
"query": "MATCH p = (n)-[r]->(g:AZKeyVault) RETURN p"
}
]
},
{
"name": "Return All Azure Users and their Groups (Warning: Heavy)",
"category": "Azure",
"queryList": [
{
"final": true,
"query": "MATCH p=(m:AZUser)-[r:AZMemberOf*1..]->(n) WHERE NOT m.objectid CONTAINS 'S-1-5' RETURN p"
}
]
},
{
"name": "Return GUEST Azure Users and their Groups",
"category": "Azure",
"queryList": [
{
"final": true,
"query": "MATCH p=(m:AZUser)-[r:AZMemberOf*1..]->(n) WHERE NOT m.objectid CONTAINS 'S-1-5' AND m.userprincipalname=~ '(?i).*#EXT#.*' RETURN p"
}
]
},
{
"name": "Return All Azure Users and their Admin Roles",
"category": "Azure",
"queryList": [
{
"final": true,
"query": "MATCH p=(n)-[:AZHasRole|AZMemberOf*1..]->(:AZRole) RETURN p"
}
]
},
{
"name": "Return All Azure Users and their owned Devices (Warning: Heavy)",
"category": "Azure",
"queryList": [
{
"final": true,
"query": "MATCH p=(d:AZDevice)<-[r1:AZOwns]->(m:AZUser) RETURN p"
}
]
},
{
"name": "Return All Azure Admins and their owned Devices",
"category": "Azure",
"queryList": [
{
"final": true,
"query": "MATCH p=(d:AZDevice)<-[r1:AZOwns]->(m:AZUser)<-[r2:AZHasRole]->(n) RETURN p"
}
]
},
{
"name": "Return All Azure AD Groups that are synchronized with On-Premise AD",
"category": "Azure",
"queryList": [
{
"final": true,
"query": "MATCH (n:Group) WHERE n.objectid CONTAINS 'S-1-5' AND n.azsyncid IS NOT NULL RETURN n"
}
]
},
{
"name": "Find all Privileged Service Principals",
"category": "Azure",
"queryList": [
{
"final": true,
"query": "MATCH p = (g:AZServicePrincipal)-[r]->(n) RETURN p"
}
]
},
{
"name": "Find all Owners of Azure Applications",
"category": "Azure",
"queryList": [
{
"final": true,
"query": "MATCH p = (n)-[r:AZOwns]->(g:AZApp) RETURN p"
}
]
},
{
"name": "Find the Shortest path to a high value target from an owned object",
"category": "Azure",
"queryList": [
{
"final": true,
"query": "MATCH p=shortestPath((g {owned:true})-[*1..]->(n {highvalue:true})) WHERE g<>n return p"
}
]
},
{
"name": "Find the Shortest path to an unconstrained delegation system from an owned object",
"category": "Azure",
"queryList": [
{
"final": true,
"query": "MATCH (n) MATCH p=shortestPath((n)-[*1..]->(m:Computer {unconstraineddelegation: true})) WHERE NOT n=m AND n.owned = true RETURN p"
}
]
},
{
"name": "Find Misconfigured Certificate Templates (ESC2)",
"category": "Domain Escalation",
"queryList": [
{
"final": true,
"query": "MATCH (n:GPO) WHERE n.type = 'Certificate Template' and n.`Enabled` = true and (n.`Extended Key Usage` = [] or 'Any Purpose' IN n.`Extended Key Usage`) RETURN n"
}
]
},
{
"name": "Shortest Paths to Misconfigured Certificate Templates from Owned Principals (ESC2)",
"category": "Domain Escalation",
"queryList": [
{
"final": true,
"query": "MATCH p=allShortestPaths((g {owned:true})-[*1..]->(n:GPO)) WHERE g<>n and n.type = 'Certificate Template' and n.`Enabled` = true and (n.`Extended Key Usage` = [] or 'Any Purpose' IN n.`Extended Key Usage`) return p"
}
]
},
{
"name": "Find Enrollment Agent Templates (ESC3)",
"category": "Domain Escalation",
"queryList": [
{
"final": true,
"query": "MATCH (n:GPO) WHERE n.type = 'Certificate Template' and n.`Enabled` = true and (n.`Extended Key Usage` = [] or 'Any Purpose' IN n.`Extended Key Usage` or 'Certificate Request Agent' IN n.`Extended Key Usage`) RETURN n"
}
]
},
{
"name": "Shortest Paths to Enrollment Agent Templates from Owned Principals (ESC3)",
"category": "Domain Escalation",
"queryList": [
{
"final": true,
"query": "MATCH p=allShortestPaths((g {owned:true})-[*1..]->(n:GPO)) WHERE g<>n and n.type = 'Certificate Template' and n.`Enabled` = true and (n.`Extended Key Usage` = [] or 'Any Purpose' IN n.`Extended Key Usage` or 'Certificate Request Agent' IN n.`Extended Key Usage`) return p"
}
]
},
{
"name": "Find users with blank passwords that are enabled",
"category": "User Information",
"queryList": [
{
"final": true,
"query": "MATCH (u:User) WHERE NOT u.userpassword IS null AND u.enabled = TRUE RETURN u.name,u.userpassword"
}
]
},
{
"name": "Find users with Temp in user title and created in the last 30 days",
"category": "User Information",
"queryList": [
{
"final": true,
"query": "MATCH (u:User) where u.enabled=TRUE and u.whencreated > (datetime().epochseconds - (30 * 86400)) AND u.title CONTAINS 'Temp' RETURN u"
}
]
},
{
"name": "Find users created in the last 30 days",
"category": "User Information",
"queryList": [
{
"final": true,
"query": "MATCH (u:User) where u.enabled=TRUE and u.whencreated > (datetime().epochseconds - (30 * 86400)) RETURN u"
}
]
},
{
"name": "Find users' credentials in description fields",
"category": "User Information",
"queryList": [
{
"final": true,
"query": "MATCH (m:User) WHERE m.description CONTAINS 'password' RETURN m.name, m.description"
}
]
},
{
"name": "Find Server 2000 and Enabled",
"category": "OS Finder",
"queryList": [
{
"final": true,
"query": "MATCH (H:Computer) WHERE H.operatingsystem =~ '(?i).*(2000).*' AND H.enabled = TRUE RETURN H"
}
]
},
{
"name": "Find Server 2000 with session",
"category": "OS Finder",
"queryList": [
{
"final": true,
"query": "MATCH (H:Computer)-[:HasSession]->(y) WHERE H.operatingsystem =~ '(?i).*(2000).*' RETURN H"
}
]
},
{
"name": "Find Server 2003 and Enabled",
"category": "OS Finder",
"queryList": [
{
"final": true,
"query": "MATCH (H:Computer) WHERE H.operatingsystem =~ '(?i).*(2003).*' AND H.enabled = TRUE RETURN H"
}
]
},
{
"name": "All enabled computers without LAPS",
"category": "User Information",
"queryList": [
{
"final": true,
"query": "MATCH p = (d:Domain)-[r:Contains*1..]->(c:Computer) WHERE c.haslaps = false AND c.enabled = true RETURN p"
}
]
},
{
"name": "Find Server 2003 with session",
"category": "OS Finder",
"queryList": [
{
"final": true,
"query": "MATCH (H:Computer)-[:HasSession]->(y) WHERE H.operatingsystem =~ '(?i).*(2003).*' RETURN H"
}
]
},
{
"name": "Find Server 2008 and Enabled",
"category": "OS Finder",
"queryList": [
{
"final": true,
"query": "MATCH (H:Computer) WHERE H.operatingsystem =~ '(?i).*(2008).*' AND H.enabled = TRUE RETURN H"
}
]
},
{
"name": "List all owned users",
"category": "User Information",
"queryList": [
{
"final": true,
"query": "MATCH (m:User) WHERE m.owned=TRUE RETURN m"
}
]
},
{
"name": "Kerberoastable Admins",
"category": "Admin Hunter",
"queryList": [
{
"final": true,
"query": "MATCH (n:Group) WHERE n.objectsid =~ $sid WITH n MATCH p=(n)<-[MemberOf*1..]-(m {hasspn: true}) RETURN p",
"allowCollapse": true,
"props": {
"sid": "(?i)S-1-5-.*-512"
}
}
]
},
{
"name": "All Kerberoastable Users",
"category": "User Information",
"queryList": [
{
"final": true,
"requireNodeSelect": false,
"query": "MATCH (n {hasspn: true}) RETURN n",
"allowCollapse": true,
"props": {
}
}
]
},
{
"name": "Where can owned users RDP",
"category": "User Information",
"queryList": [
{
"final": true,
"requireNodeSelect": false,
"query": "MATCH p=(m:User {owned: true})-[r:MemberOf|CanRDP*1..]->(n:Computer) RETURN p",
"allowCollapse": true,
"props": {
}
}
]
},
{
"name": "Users with most local admin rights",
"category": "Admin Hunter",
"queryList": [
{
"final": true,
"requireNodeSelect": false,
"query": "MATCH (U:User)-[r:MemberOf|AdminTo*1..]->(C:Computer) WITH U.name as n, COUNT(DISTINCT(C)) AS c RETURN n,c ORDER BY c DESC LIMIT 5",
"allowCollapse": true,
"props": {
}
}
]
},
{
"name": "All Owned Nodes",
"category": "User Information",
"queryList": [
{
"final": true,
"requireNodeSelect": false,
"query": "MATCH (n {owned: true}) RETURN n",
"allowCollapse": true,
"props": {
}
}
]
},
{
"name": "Find computers with owned Admins",
"category": "Admin Hunter",
"queryList": [
{
"final": true,
"query": "MATCH p=shortestPath((n:User {owned:true})-[r:AdminTo|MemberOf*1..]->(c:Computer)) return p",
"allowCollapse": false
}
]
},
{
"name": "Find owned Groups",
"category": "User Information",
"queryList": [
{
"final": true,
"requireNodeSelect": false,
"query": "MATCH (n:User {owned: true})-[r:MemberOf]->(g:Group) RETURN g",
"allowCollapse": true,
"props": {
}
}
]
},
{
"name": "Find owned Domain Admins",
"category": "Admin Hunter",
"queryList": [
{
"final": true,
"title": "Select a domain...",
"query": "MATCH (n:Group) WHERE n.name =~ $name AND n.owned=true WITH n MATCH p=(n)<-[r:MemberOf*1..]-(m) RETURN p",
"props": {
"name": "(?i).*DOMAIN ADMINS.*"
},
"allowCollapse": false
}
]
},
{
"name": "Find Shortest Path from owned Node to Domain Admin",
"category": "Admin Hunter",
"queryList": [
{
"final": false,
"title": "Select a Domain Admin group...",
"query": "MATCH (n:Group) WHERE n.name =~ $name RETURN n.name ORDER BY n.name DESC",
"props": {
"name": "(?i).*DOMAIN ADMINS.*"
}
},
{
"final": true,
"query": "MATCH (n:User),(m:Group {name:$result}),p=shortestPath((n {owned:true})-[r:MemberOf|AdminTo|HasSession|Contains|GpLink|Owns|DCSync|AllExtendedRights|ForceChangePassword|GenericAll|GenericWrite|WriteDacl|WriteOwner*1..]->(m)) RETURN p",
"allowCollapse": true,
"endNode": "{}"
}
]
},
{
"name": "Shortest paths from owned objects to High Value Targets (5 hops)",
"category": "Admin Hunter",
"queryList": [
{
"final": true,
"query": "MATCH p=shortestPath((n {owned:true})-[:MemberOf|HasSession|AdminTo|AllExtendedRights|AddMember|ForceChangePassword|GenericAll|GenericWrite|Owns|WriteDacl|WriteOwner|CanRDP|ExecuteDCOM|AllowedToDelegate|ReadLAPSPassword|Contains|GpLink|AddAllowedToAct|AllowedToAct|SQLAdmin|ReadGMSAPassword|HasSIDHistory|CanPSRemote*1..5]->(m {highvalue:true})) WHERE NOT n=m RETURN p",
"allowCollapse": true
}
]
},
{
"name": "Most exploitable paths from owned objects to High Value Targets (5 hops)",
"category": "Admin Hunter",
"queryList": [
{
"final": true,
"query": "MATCH p=allShortestPaths((n {owned:true})-[:MemberOf|AdminTo|AllExtendedRights|AddMember|ForceChangePassword|GenericAll|GenericWrite|Owns|WriteDacl|WriteOwner|ExecuteDCOM|AllowedToDelegate|ReadLAPSPassword|Contains|GpLink|AddAllowedToAct|AllowedToAct|SQLAdmin|ReadGMSAPassword|HasSIDHistory*1..5]->(m {highvalue:true})) WHERE NOT n=m RETURN p",
"allowCollapse": true
}
]
},
{
"name": "Next steps (5 hops) from owned objects",
"category": "Admin Hunter",
"queryList": [
{
"final": true,
"query": "MATCH p=shortestPath((c {owned: true})-[*1..5]->(s)) WHERE NOT c = s RETURN p"
}
]
},
{
"name": "Unconstrained Delegation systems",
"category": "Delegation Attacks",
"queryList": [
{
"final": true,
"query": "MATCH (c {unconstraineddelegation:true}) return c"
}
]
},
{
"name": "Constrained Delegation systems",
"category": "Delegation Attacks",
"queryList": [
{
"final": true,
"query": "MATCH p=(u)-[:AllowedToDelegate]->(c) RETURN p"
}
]
},
{
"name": "Unconstrained Delegation systems (without domain controllers)",
"category": "Delegation Attacks",
"queryList": [
{
"final": true,
"query": "MATCH (c1:Computer)-[:MemberOf*1..]->(g:Group) WHERE g.objectid ENDS WITH '-516' WITH COLLECT(c1.name) AS domainControllers MATCH (c2 {unconstraineddelegation:true}) WHERE NOT c2.name IN domainControllers RETURN c2"
}
]
},
{
"name": "(Warning: edits the DB) Mark unconstrained delegation systems as high value targets",
"category": "Delegation Attacks",
"queryList": [
{
"final": true,
"query": "MATCH (c1:Computer)-[:MemberOf*1..]->(g:Group) WHERE g.objectid ENDS WITH '-516' WITH COLLECT(c1.name) AS domainControllers MATCH (c2 {unconstraineddelegation:true}) WHERE NOT c2.name IN domainControllers SET c2.highvalue = true RETURN c2"
}
]
},
{
"name": "Shortest paths from owned principals to unconstrained delegation systems",
"category": "Delegation Attacks",
"queryList": [
{
"final": true,
"query": "MATCH (n {owned:true}) MATCH p=shortestPath((n)-[:MemberOf|HasSession|AdminTo|AllExtendedRights|AddMember|ForceChangePassword|GenericAll|GenericWrite|Owns|WriteDacl|WriteOwner|ExecuteDCOM|AllowedToDelegate|ReadLAPSPassword|Contains|GpLink|AddAllowedToAct|AllowedToAct|SQLAdmin|ReadGMSAPassword|HasSIDHistory|CanPSRemote*1..]->(m:Computer {unconstraineddelegation: true})) WHERE NOT n=m RETURN p"
}
]
},
{
"name": "Users with adminCount, not sensitive for delegation, not members of Protected Users",
"category": "Group Hunts",
"queryList": [
{
"final": true,
"query": "MATCH (u)-[:MemberOf*1..]->(g:Group) WHERE g.objectid =~ \"(?i)S-1-5-.*-525\" WITH COLLECT (u.name) as protectedUsers MATCH p=(u2:User)-[:MemberOf*1..3]->(g2:Group) WHERE u2.admincount=true AND u2.sensitive=false AND NOT u2.name IN protectedUsers RETURN p"
}
]
},
{
"name": "Groups that contain the word 'admin'",
"category": "Group Hunts",
"queryList": [
{
"final": true,
"query": "Match (n:Group) WHERE n.name CONTAINS 'ADMIN' RETURN n"
}
]
},
{
"name": "Find users that can RDP into something",
"category": "PlainText Password Queries",
"queryList": [
{
"final": true,
"query": "match (u1:User) WHERE u1.plaintext=True MATCH p1=(u1)-[:CanRDP*1..]->(c:Computer) RETURN u1",
"allowCollapse": true
}
]
},
{
"name": "Find users that belong to high value groups",
"category": "PlainText Password Queries",
"queryList": [
{
"final": true,
"query": "match (u1:User) WHERE u1.plaintext=True MATCH p=(u1:User)-[r:MemberOf*1..]->(m:Group {highvalue:true}) RETURN u1",
"allowCollapse": true
}
]
},
{
"name": "Find kerberoastable users",
"category": "PlainText Password Queries",
"queryList": [
{
"final": true,
"query": "match (u1:User) WHERE u1.plaintext=True AND u1.hasspn=True RETURN u1",
"allowCollapse": true
}
]
},
{
"name": "Return users with seasons in their password and are high value targets",
"category": "PlainText Password Queries",
"queryList": [
{
"final": true,
"query": "MATCH (u1:User) WHERE u1.plaintextpassword =~ \"([Ww]inter.*|[sS]pring.*|[sS]ummer.*|[fF]all.*)\" MATCH p=(u1:User)-[r:MemberOf*1..]->(m:Group {highvalue:true}) RETURN u1",
"allowCollapse": true
}
]
},
{
"name": "Return users with seasons in their password and have local admin on at least one computer",
"category": "PlainText Password Queries",
"queryList": [
{
"final": true,
"query": "match (u1:User) WHERE u1.plaintextpassword =~ \"([Ww]inter.*|[sS]pring.*|[sS]ummer.*|[fF]all.*)\" match p=(u1:User)-[r:AdminTo]->(n:Computer) RETURN p",
"allowCollapse": true
}
]
},
{
"name": "Return users with seasons in their password and a path to high value targets (limit to 25 results)",
"category": "PlainText Password Queries",
"queryList": [
{
"final": true,
"query": "match (u1:User) WHERE u1.plaintextpassword =~ \"([Ww]inter.*|[sS]pring.*|[sS]ummer.*|[fF]all.*)\" MATCH p=shortestPath((u1:User)-[*1..]->(n {highvalue:true})) WHERE u1<>n return u1 LIMIT 25",
"allowCollapse": true
}
]
},
{
"name": "Return users with a variant of \"password\" in their password and are high value targets",
"category": "PlainText Password Queries",
"queryList": [
{
"final": true,
"query": "MATCH (u1:User) WHERE u1.plaintextpassword =~ \"(.*[pP][aA@][sS$][sS$][wW][oO0][rR][dD].*)\" MATCH p=(u1:User)-[r:MemberOf*1..]->(m:Group {highvalue:true}) RETURN u1",
"allowCollapse": true
}
]
},
{
"name": "Return users with a variant of \"password\" in their password and have local admin on at least one computer",
"category": "PlainText Password Queries",
"queryList": [
{
"final": true,
"query": "match (u1:User) WHERE u1.plaintextpassword =~ \"(.*[pP][aA@][sS$][sS$][wW][oO0][rR][dD].*)\" match p=(u1:User)-[r:AdminTo]->(n:Computer) RETURN p",
"allowCollapse": true
}
]
},
{
"name": "Return users with a variant of \"password\" in their password and a path to high value targets (limit to 25 results)",
"category": "PlainText Password Queries",
"queryList": [
{
"final": true,
"query": "match (u1:User) WHERE u1.plaintextpassword =~ \"(.*[pP][aA@][sS$][sS$][wW][oO0][rR][dD].*)\" MATCH p=shortestPath((u1:User)-[*1..]->(n {highvalue:true})) WHERE u1<>n return u1 LIMIT 25",
"allowCollapse": true
}
]
},
{
"name": "Groups of High Value Targets",
"category": "Group Hunts",
"queryList": [
{
"final": true,
"query": "MATCH p=(n:User)-[r:MemberOf*1..]->(m:Group {highvalue:true}) RETURN p"
}
]
},
{
"name": "Non Admin Groups with High Value Privileges",
"category": "Group Hunts",
"queryList": [
{
"final": true,
"query": "MATCH p=(g:Group)-[r:Owns|:WriteDacl|:GenericAll|:WriteOwner|:ExecuteDCOM|:GenericWrite|:AllowedToDelegate|:ForceChangePassword]->(n:Computer) WHERE NOT g.name CONTAINS 'ADMIN' RETURN p",
"allowCollapse": true
}
]
},
{
"name": "Groups with Computer and User Objects",
"category": "Group Hunts",
"queryList": [
{
"final": true,
"query": "MATCH (c:Computer)-[r:MemberOf*1..]->(groupsWithComps:Group) WITH groupsWithComps MATCH (u:User)-[r:MemberOf*1..]->(groupsWithComps) RETURN DISTINCT(groupsWithComps) as groupsWithCompsAndUsers",
"allowCollapse": true,
"endNode": "{}"
}
]
},
{
"name": "Groups that can reset passwords (Warning: Heavy)",
"category": "Group Hunts",
"queryList": [
{
"final": true,
"query": "MATCH p=(m:Group)-[r:ForceChangePassword]->(n:User) RETURN p"
}
]
},
{
"name": "Groups that have local admin rights (Warning: Heavy)",
"category": "Group Hunts",
"queryList": [
{
"final": true,
"query": "MATCH p=(m:Group)-[r:AdminTo]->(n:Computer) RETURN p"
}
]
},
{
"name": "Users never logged on and account still active",
"category": "Password Hunts",
"queryList": [
{
"final": true,
"query": "MATCH (n:User) WHERE n.lastlogontimestamp=-1.0 AND n.enabled=TRUE RETURN n "
}
]
},
{
"name": "Users not logged in within the last 90 days",
"category": "Password Hunts",
"queryList": [
{
"final": true,
"query": "MATCH (u:User) WHERE u.lastlogon < (datetime().epochseconds - (90 * 86400)) and NOT u.lastlogon IN [-1.0, 0.0] RETURN u"
}
]
},
{
"name": "Users with passwords last set more than 90 days ago",
"category": "Password Hunts",
"queryList": [
{
"final": true,
"query": "MATCH (u:User) WHERE u.pwdlastset < (datetime().epochseconds - (90 * 86400)) and NOT u.pwdlastset IN [-1.0, 0.0] RETURN u"
}
]
},
{
"name": "Find if unprivileged users have rights to add members into groups",
"category": "Password Hunts",
"queryList": [
{
"final": true,
"query": "MATCH (n:User {admincount:False}) MATCH p=allShortestPaths((n)-[r:AddMember*1..]->(m:Group)) RETURN p"
}
]
},
{
"name": "Find all users that are part of a VPN group",
"category": "Password Hunts",
"queryList": [
{
"final": true,
"query": "Match p=(u:User)-[:MemberOf]->(g:Group) WHERE toUPPER (g.name) CONTAINS 'VPN' return p"
}
]
},
{
"name": "Find computers with constrained delegation permissions and the corresponding targets they are allowed to delegate to",
"category": "Delegation Attacks",
"queryList": [
{
"final": true,
"query": "MATCH (c:Computer) WHERE c.allowedtodelegate IS NOT NULL RETURN c"
}
]
},
{
"name": "Next steps (3 hops) from owned objects",
"category": "Admin Hunter",
"queryList": [
{
"final": true,
"query": "MATCH p=shortestPath((c {owned: true})-[*1..3]->(s)) WHERE NOT c = s RETURN p"
}
]
},
{
"name": "Owned users with permissions against GPOs",
"category": "Admin Hunter",
"queryList": [
{
"final": true,
"query": "MATCH p=(u:User {owned:true})-[r:AllExtendedRights|GenericAll|GenericWrite|Owns|WriteDacl|WriteOwner|GpLink*1..]->(g:GPO) RETURN p"
}
]
},
{
"name": "Find all other Rights Domain Users shouldn't have",
"category": "Admin Hunter",
"queryList": [
{
"final": true,
"query": "MATCH p=(m:Group)-[r:Owns|WriteDacl|GenericAll|WriteOwner|ExecuteDCOM|GenericWrite|AllowedToDelegate|ForceChangePassword]->(n:Computer) WHERE m.objectid ENDS WITH '-513' OR m.objectsid ENDS WITH '-515' OR m.objectsid ENDS WITH 'S-1-5-11' OR m.objectsid ENDS WITH 'S-1-1-0' RETURN p",
"allowCollapse": true
}
]
},
{
"name": "Computers with administrative Domain Users",
"category": "Admin Hunter",
"queryList": [
{
"final": true,
"query": "MATCH p=(m:Group)-[r:AddMember|AdminTo|AllExtendedRights|AllowedToDelegate|CanRDP|Contains|ExecuteDCOM|ForceChangePassword|GenericAll|GenericWrite|GetChanges|GetChangesAll|HasSession|Owns|ReadLAPSPassword|SQLAdmin|TrustedBy|WriteDACL|WriteOwner|AddAllowedToAct|AllowedToAct]->(t) WHERE m.objectsid ENDS WITH '-513' OR m.objectsid ENDS WITH '-515' OR m.objectsid ENDS WITH 'S-1-5-11' OR m.objectsid ENDS WITH 'S-1-1-0' RETURN p"
}
]
},
{
"name": "List all owned computers",
"category": "Owned Hunter",
"queryList": [
{
"final": true,
"query": "MATCH (m:Computer) WHERE m.owned=TRUE RETURN m"
}
]
},
{
"name": "List all owned groups",
"category": "Owned Hunter",
"queryList": [
{
"final": true,
"query": "MATCH (m:Group) WHERE m.owned=TRUE RETURN m"
}
]
},
{
"name": "List all High Valued Targets",
"category": "Owned Hunter",
"queryList": [
{
"final": true,
"query": "MATCH (m) WHERE m.highvalue=TRUE RETURN m"
}
]
},
{
"name": "List the groups of all owned users",
"category": "Owned Hunter",
"queryList": [
{
"final": true,
"query": "MATCH (m:User) WHERE m.owned=TRUE WITH m MATCH p=(m)-[:MemberOf*1..]->(n:Group) RETURN p"
}
]
},
{
"name": "Find all Kerberoastable Users",
"category": "User Information",
"queryList": [
{
"final": true,
"query": "MATCH (n:User)WHERE n.hasspn=true RETURN n",
"allowCollapse": false
}
]
},
{
"name": "Find All Users with an SPN/Find all Kerberoastable Users with passwords last set more than 5 years ago",
"category": "User Information",
"queryList": [
{
"final": true,
"query": "MATCH (u:User) WHERE u.hasspn=true AND u.pwdlastset < (datetime().epochseconds - (1825 * 86400)) AND NOT u.pwdlastset IN [-1.0, 0.0] RETURN u.name, u.pwdlastset order by u.pwdlastset "
}
]
},
{
"name": "Find Kerberoastable Users with a path to DA",
"category": "User Information",
"queryList": [
{
"final": true,
"query": "MATCH (u:User {hasspn:true}) MATCH (g:Group) WHERE g.objectid ENDS WITH '-512' MATCH p = shortestPath( (u)-[*1..]->(g) ) RETURN p"
}
]
},
{
"name": "Find machines Domain Users can RDP into",
"category": "User Information",
"queryList": [
{
"final": true,
"query": "match p=(g:Group)-[:CanRDP]->(c:Computer) where g.objectid ENDS WITH '-513' return p"
}
]
},
{
"name": "Find what groups can RDP",
"category": "User Information",
"queryList": [
{
"final": true,
"query": "MATCH p=(m:Group)-[r:CanRDP]->(n:Computer) RETURN p"
}
]
},
{
"name": "Find groups that can reset passwords (Warning: Heavy)",
"category": "User Information",
"queryList": [
{
"final": true,
"query": "MATCH p=(m:Group)-[r:ForceChangePassword]->(n:User) RETURN p"
}
]
},
{
"name": "Find groups that have local admin rights (Warning: Heavy)",
"category": "User Information",
"queryList": [
{
"final": true,
"query": "MATCH p=(m:Group)-[r:AdminTo]->(n:Computer) RETURN p"
}
]
},
{
"name": "Find all users that have local admin rights (Warning Can Be Heavy)",
"category": "Admin Hunter",
"queryList": [
{
"final": true,
"query": "MATCH p=(m:User)-[r:AdminTo]->(n:Computer) RETURN p"
}
]
},
{
"name": "Find all users that have local admin rights or Groups (Warning Can Be Heavy)",
"category": "Admin Hunter",
"queryList": [
{
"final": true,
"query": "MATCH p=(m:User)-[r:AdminTo|MemberOf*1..]->(n:Computer) RETURN p"
}
]
},
{
"name": "Find all active Domain Admin sessions",
"category": "Admin Hunter",
"queryList": [
{
"final": true,
"query": "MATCH (n:User)-[:MemberOf]->(g:Group) WHERE g.objectid ENDS WITH '-512' MATCH p = (c:Computer)-[:HasSession]->(n) return p"
}
]
},
{
"name": "Find all computers with Unconstrained Delegation",
"category": "Domain Escalation",
"queryList": [
{
"final": true,
"query": "MATCH (c:Computer {unconstraineddelegation:true}) return c"
}
]
},
{
"name": "Find all computers with unsupported operating systems",
"category": "OS Finder",
"queryList": [
{
"final": true,
"query": "MATCH (H:Computer) WHERE H.operatingsystem = '.*(2000|2003|2008|xp|vista|7|me).*' AND H.enabled = TRUE RETURN H"
}
]
},
{
"name": "Find users that have not logged in within the last 90 days",
"category": "User Information",
"queryList": [
{
"final": true,
"query": "MATCH (u:User) WHERE u.lastlogon < (datetime().epochseconds - (90 * 86400)) and NOT u.lastlogon IN [-1.0, 0.0] RETURN u"
}
]
},
{
"name": "Find users with passwords last set more than 90 days ago",
"category": "User Information",
"queryList": [
{
"final": true,
"query": "MATCH (u:User) WHERE u.pwdlastset < (datetime().epochseconds - (90 * 86400)) and NOT u.pwdlastset IN [-1.0, 0.0] RETURN u"
}
]
},
{
"name": "Find constrained delegation",
"category": "Domain Escalation",
"queryList": [
{
"final": true,
"query": "MATCH p=(u:User)-[:AllowedToDelegate]->(c:Computer) RETURN p"
}
]
},
{
"name": "Find computers that allow unconstrained delegation that AREN’T domain controllers.",
"category": "Domain Escalation",
"queryList": [
{
"final": true,
"query": "MATCH (c1:Computer)-[:MemberOf*1..]->(g:Group) WHERE g.objectid ENDS WITH '-516' WITH COLLECT(c1.name) AS domainControllers MATCH (c2:Computer {unconstraineddelegation:true}) WHERE NOT c2.name IN domainControllers RETURN c2"
}
]
},
{
"name": "Return every computer in the database where at least one SPN for the computer contains the string 'MSSQL'",
"category": "Domain Escalation",
"queryList": [
{
"final": true,
"query": "MATCH (c:Computer) WHERE ANY (x IN c.serviceprincipalnames WHERE toUpper(x) CONTAINS 'MSSQL') RETURN c"
}
]
},
{
"name": "View all GPOs",
"category": "GPO/Group Information",
"queryList": [
{
"final": true,
"query": "Match (n:GPO) RETURN n"
}
]
},
{
"name": "View all groups that contain the word 'admin'",
"category": "GPO/Group Information",
"queryList": [
{
"final": true,
"query": "Match (n:Group) WHERE n.name CONTAINS 'ADMIN' RETURN n"
}
]
},
{
"name": "Find users that can be AS-REP roasted",
"category": "Domain Escalation",
"queryList": [
{
"final": true,
"query": "MATCH (u:User {dontreqpreauth: true}) RETURN u"
}
]
},
{
"name": "Find All Users with an SPN/Find all Kerberoastable Users with passwords last set > 5 years ago",
"category": "Domain Escalation",
"queryList": [
{
"final": true,
"query": "MATCH (u:User) WHERE u.hasspn=true AND u.pwdlastset < (datetime().epochseconds - (1825 * 86400)) and NOT u.pwdlastset IN [-1.0, 0.0] RETURN u"
}
]
},
{
"name": "Show all high value target's groups",
"category": "Domain Escalation",
"queryList": [
{
"final": true,
"query": "MATCH p=(n:User)-[r:MemberOf*1..]->(m:Group {highvalue:true}) RETURN p"
}
]
},
{
"name": "Find groups that contain both users and computers",
"category": "GPO/Group Information",
"queryList": [
{
"final": true,
"query": "MATCH (c:Computer)-[r:MemberOf*1..]->(groupsWithComps:Group) WITH groupsWithComps MATCH (u:User)-[r:MemberOf*1..]->(groupsWithComps) RETURN DISTINCT(groupsWithComps) as groupsWithCompsAndUsers"
}
]
},
{
"name": "Find Kerberoastable users who are members of high value groups",
"category": "GPO/Group Information",
"queryList": [
{
"final": true,
"query": "MATCH (u:User)-[r:MemberOf*1..]->(g:Group) WHERE g.highvalue=true AND u.hasspn=true RETURN u"
}
]
},
{
"name": "Find Kerberoastable users and where they are AdminTo",
"category": "GPO/Group Information",
"queryList": [
{
"final": true,
"query": "OPTIONAL MATCH (u1:User) WHERE u1.hasspn=true OPTIONAL MATCH (u1)-[r:AdminTo]->(c:Computer) RETURN u1"
}
]
},
{
"name": "Find computers with constrained delegation permissions and the corresponding targets they are allowed to delegate to",
"category": "Domain Escalation",
"queryList": [
{
"final": true,
"query": "MATCH (c:Computer) WHERE c.allowedtodelegate IS NOT NULL RETURN c"
}
]
},
{
"name": "Find Users/Groups with direct access to GPOs",
"category": "GPO/Group Information",
"queryList": [
{
"final": true,
"query": "MATCH p = (n)-[r:AddMember|AddSelf|WriteSPN|AddKeyCredentialLink|AllExtendedRights|ForceChangePassword|GenericAll|GenericWrite|WriteDacl|WriteOwner|Owns]->(g:GPO) RETURN p"
}
]
},
{
"name": "Find if any domain user has interesting permissions against a GPO (Warning: Heavy)",
"category": "GPO/Group Information",
"queryList": [
{
"final": true,
"query": "MATCH p=(u:User)-[r:AllExtendedRights|GenericAll|GenericWrite|Owns|WriteDacl|WriteOwner|GpLink*1..]->(g:GPO) RETURN p"
}
]
},
{
"name": "Find if unprivileged users have rights to add members into groups",
"category": "GPO/Group Information",
"queryList": [
{
"final": true,
"query": "MATCH (n:User {admincount:False}) MATCH p=allShortestPaths((n)-[r:AddMember*1..]->(m:Group)) RETURN p"
}
]
},
{
"name": "Find all users that are part of a VPN group",
"category": "GPO/Group Information",
"queryList": [
{
"final": true,
"query": "Match p=(u:User)-[:MemberOf]->(g:Group) WHERE toUPPER (g.name) CONTAINS 'VPN' return p"
}
]
},
{
"name": "Find users that have never logged on and account is still active",
"category": "User Information",
"queryList": [
{
"final": true,
"query": "MATCH (n:User) WHERE n.lastlogontimestamp=-1.0 AND n.enabled=TRUE RETURN n "
}
]
},
{
"name": "Find an object in one domain that can do something to a foreign object",
"category": "GPO/Group Information",
"queryList": [
{
"final": true,
"query": "MATCH p=(n)-[r]->(m) WHERE NOT n.domain = m.domain RETURN p"
}
]
},
{
"name": "Find all sessions a user in a specific domain has",
"category": "User Information",
"requireNodeSelect": true,
"queryList": [
{
"final": false,
"title": "Select source domain...",
"query": "MATCH (n:Domain) RETURN n.name ORDER BY n.name"
},
{
"final": true,
"query": "MATCH p=(m:Computer)-[r:HasSession]->(n:User {domain:$result}) RETURN p",
"startNode": "{}",
"allowCollapse": false
}
]
},
{
"name": "Find an object from domain 'A' that can do anything to a foreign object",
"category": "User Information",
"requireNodeSelect": true,
"queryList": [
{
"final": false,
"title": "Select source domain...",
"query": "MATCH (n:Domain) RETURN n.name ORDER BY n.name"
},
{
"final": true,
"query": "MATCH p=(n {domain:$result})-[r]->(d) WHERE NOT d.domain=n.domain RETURN p",
"startNode": "{}",
"allowCollapse": false
}
]
},
{
"name": "Find All edges any owned user has on a computer",
"category": "User Information",
"queryList": [
{
"final": true,
"query": "MATCH p=shortestPath((m:User)-[r*]->(b:Computer)) WHERE m.owned RETURN p"
}
]
},
{
"name": "Find Un-Supported OS and Enabled",
"category": "OS Finder",
"queryList": [
{
"final": true,
"query": "MATCH (n:Computer) WHERE n.operatingsystem =~ '(?i).*(2000|2003|2008|xp|vista|7|me).*' AND n.enabled = true RETURN n"
}
]
},
{
"name": "Find Server 2008 with session",
"category": "OS Finder",
"queryList": [
{
"final": true,
"query": "MATCH (H:Computer)-[:HasSession]->(y) WHERE H.operatingsystem =~ '(?i).*(2008).*' RETURN H"
}
]
},
{
"name": "Find Windows XP and Enabled",
"category": "OS Finder",
"queryList": [
{
"final": true,
"query": "MATCH (H:Computer) WHERE H.operatingsystem =~ '(?i).*(xp).*' AND H.enabled = true RETURN H"
}
]
},
{
"name": "Find Windows XP with session",
"category": "OS Finder",
"queryList": [
{
"final": true,
"query": "MATCH (H:Computer)-[:HasSession]->(y) WHERE H.operatingsystem =~ '(?i).*(xp).*' RETURN H"
}
]
},
{
"name": "Find Windows 7 and Enabled",
"category": "OS Finder",
"queryList": [
{
"final": true,
"query": "MATCH (H:Computer) WHERE H.operatingsystem =~ '(?i).*(7).*' AND H.enabled = true RETURN H"
}
]
},
{
"name": "Find Windows 7 session",
"category": "OS Finder",
"queryList": [
{
"final": true,
"query": "MATCH (H:Computer)-[:HasSession]->(y) WHERE H.operatingsystem =~ '(?i).*(7).*' RETURN H"
}
]
},
{
"name": "Find Server 2012 and Enabled",
"category": "OS Finder",
"queryList": [
{
"final": true,
"query": "MATCH (H:Computer) WHERE H.operatingsystem =~ '(?i).*(2012).*' AND H.enabled = true RETURN H"
}
]
},
{
"name": "Find Server 2012 with session",
"category": "OS Finder",
"queryList": [
{
"final": true,
"query": "MATCH (H:Computer)-[:HasSession]->(y) WHERE H.operatingsystem =~ '(?i).*(2012).*' RETURN H"
}
]
},
{
"name": "Find Server 2016 and Enabled",
"category": "OS Finder",
"queryList": [
{
"final": true,
"query": "MATCH (H:Computer) WHERE H.operatingsystem =~ '(?i).*(2016).*' AND H.enabled = true RETURN H"
}
]
},
{
"name": "Find Server 2016 with session",
"category": "OS Finder",
"queryList": [
{
"final": true,
"query": "MATCH (H:Computer)-[:HasSession]->(y) WHERE H.operatingsystem =~ '(?i).*(2016).*' RETURN H"
}
]
},
{
"name": "Find Server 2019 and Enabled",
"category": "OS Finder",
"queryList": [
{
"final": true,
"query": "MATCH (H:Computer) WHERE H.operatingsystem =~ '(?i).*(2019).*' AND H.enabled = true RETURN H"
}
]
},
{
"name": "Find Server 2019 with session",
"category": "OS Finder",
"queryList": [
{
"final": true,
"query": "MATCH (H:Computer)-[:HasSession]->(y) WHERE H.operatingsystem =~ '(?i).*(2019).*' RETURN H"
}
]
},
{
"name": "All Users with a homedirectory",
"category": "User Information",
"queryList": [
{
"final": true,
"query": "MATCH p = (d:Domain)-[r:Contains*1..]->(u:User) WHERE u.homedirectory =~ '(?i).*.*' RETURN p"
}
]
},
{
"name": "All Computers without LAPS - with session",
"category": "User Information",
"queryList": [
{
"final": true,
"query": "MATCH p = (d:Domain)-[r:Contains*1..]->(c:Computer)-[:HasSession]->(y) WHERE c.haslaps = false RETURN p"
}
]
},
{
"name": "All enabled computers with a description",
"category": "User Information",
"queryList": [
{
"final": true,
"query": "MATCH p = (d:Domain)-[r:Contains*1..]->(c:Computer) WHERE c.description =~ '(?i).*.*' RETURN p"
}
]
},
{
"name": "All enabled computers with a description containing the word file",
"category": "User Information",
"queryList": [
{
"final": true,
"query": "MATCH p = (d:Domain)-[r:Contains*1..]->(c:Computer) WHERE c.description =~ '(?i).*file.*' RETURN p"
}
]
},
{
"name": "Locate enabled accounts with a display name containing 'admin' - substitute any name you like",
"category": "User Information",
"queryList": [
{
"final": true,
"query": "MATCH p = (d:Domain)-[r:Contains*1..]->(u:User) WHERE u.displayname =~ '(?i).*admin*' AND u.enabled = true RETURN p"
}
]
},
{
"name": "Find all users with passwords set over 720 days ago (23 months)",
"category": "Password Last Set",
"queryList": [
{
"final": true,
"query": "MATCH (u:User) WHERE u.enabled=true AND u.pwdlastset < (datetime().epochseconds - (720 * 86400)) and NOT u.pwdlastset IN [-1.0, 0.0] RETURN u"
}
]
},
{
"name": "Find all users with passwords set over 1440 days ago (47 months)",
"category": "Password Last Set",
"queryList": [
{
"final": true,
"query": "MATCH (u:User) WHERE u.enabled=true AND u.pwdlastset < (datetime().epochseconds - (1440 * 86400)) and NOT u.pwdlastset IN [-1.0, 0.0] RETURN u"
}
]
},
{
"name": "Find all Domain Admins (nested SID S-1-5-21-.*-512) having a session opened on a domain computer",
"category": "User Information",
"queryList": [
{
"final": true,
"query": "MATCH (m:User)-[r:MemberOf*1..]->(n:Group) WHERE n.objectid =~ '(?i)S-1-5-.*-512' WITH m MATCH q=((m)<-[:HasSession]-(o:Computer)) RETURN q"
}
]
},
{
"name": "Find users that have never logged on and account is still active",
"category": "Password Last Set",
"queryList": [
{
"final": true,
"query": "MATCH (n:User) WHERE n.lastlogontimestamp=-1.0 AND n.enabled=TRUE RETURN n "
}
]
},
{
"name": "Find users that haven't logged on in 720 days and account is still active",
"category": "Password Last Set",
"queryList": [
{
"final": true,
"query": "MATCH (n:User) WHERE n.lastlogontimestamp < (datetime().epochseconds - (720 * 86400)) AND n.enabled=TRUE RETURN n "
}
]
},
{
"name": "Search for keywords in users' titles, such as scientist or Executive - tweak as required",
"category": "User Information",
"queryList": [
{
"final": true,
"query": "MATCH p = (d:Domain)-[r:Contains*1..]->(u:User) WHERE u.title =~ '(?i).*scientist*' AND u.enabled = true RETURN p"
}
]
},
{
"name": "List Computers where DOMAIN USERS are Local Admin",
"queryList": [
{
"final": false,
"title": "Select a Domain Users Group...",
"query": "MATCH (n:Group) WHERE n.name STARTS WITH 'DOMAIN USERS' RETURN n.name ORDER BY n.name DESC"
},
{
"final": true,
"query": "MATCH p=(m:Group {name:{result}})-[:AdminTo]->(n:Computer) RETURN p",
"allowCollapse": true
}
]
},
{
"name": "Shortest Path from DOMAIN USERS to High Value Targets",
"queryList": [
{
"final": false,
"title": "Select a Domain Users Group...",
"query": "MATCH (n:Group) WHERE n.name STARTS WITH 'DOMAIN USERS' RETURN n.name ORDER BY n.name DESC"
},
{
"final": true,
"query": "MATCH p=shortestPath((g:Group {name:{result}})-[*1..]->(n {highvalue:true})) WHERE g.name STARTS WITH 'DOMAIN USERS' return p",
"allowCollapse": true
}
]
},
{
"name": "All Paths from DOMAIN USERS to High Value Targets",
"queryList": [
{
"final": false,
"title": "Select a Domain Users Group...",
"query": "MATCH (n:Group) WHERE n.name STARTS WITH 'DOMAIN USERS' RETURN n.name ORDER BY n.name DESC"
},
{
"final": true,
"query": "MATCH p=shortestPath((g:Group {name:{result}})-[*1..]->(n {highvalue:true})) return p",
"allowCollapse": true
}
]
},
{
"name": "Find Workstations where DOMAIN USERS can RDP To",
"queryList": [
{
"final": false,
"title": "Select a Domain Users Group...",
"query": "MATCH (n:Group) WHERE n.name STARTS WITH 'DOMAIN USERS' RETURN n.name ORDER BY n.name DESC"
},
{
"final": true,
"query": "match p=(g:Group {name:{result}})-[:CanRDP]->(c:Computer) where NOT c.operatingsystem CONTAINS 'Server' return p",
"allowCollapse": true
}
]
},
{
"name": "Find Servers where DOMAIN USERS can RDP To",
"queryList": [
{
"final": false,
"title": "Select a Domain Users Group...",
"query": "MATCH (n:Group) WHERE n.name STARTS WITH 'DOMAIN USERS' RETURN n.name ORDER BY n.name DESC"
},
{
"final": true,
"query": "MATCH p=(g:Group {name:{result}})-[:CanRDP]->(c:Computer) WHERE c.operatingsystem CONTAINS 'Server' return p",
"allowCollapse": false
}
]
},
{
"name": "Find all other Rights DOMAIN USERS shouldn’t have",
"queryList": [
{
"final": false,
"title": "Select a Domain Users Group...",
"query": "MATCH (n:Group) WHERE n.name STARTS WITH 'DOMAIN USERS' RETURN n.name ORDER BY n.name DESC"
},
{
"final": true,
"query": "MATCH p=(m:Group)-[r:Owns|:WriteDacl|:GenericAll|:WriteOwner|:ExecuteDCOM|:GenericWrite|:AllowedToDelegate|:ForceChangePassword]->(n:Computer) WHERE m.name STARTS WITH 'DOMAIN USERS' RETURN p",
"allowCollapse": true
}
]
},
{
"name": "Kerberoastable Accounts member of High Value Group",
"queryList": [
{
"final": true,
"query": "MATCH p=shortestPath((n:User)-[r:MemberOf]->(g:Group)) WHERE g.highvalue=true AND n.hasspn=true RETURN p",
"allowCollapse": true
}
]
},
{
"name": "Kerberoastable Users with most privileges",
"queryList": [
{
"final": true,
"query": "MATCH (u:User {hasspn:true}) OPTIONAL MATCH (u)-[:AdminTo]->(c1:Computer) OPTIONAL MATCH (u)-[:MemberOf*1..]->(:Group)-[:AdminTo]->(c2:Computer) WITH u,COLLECT(c1) + COLLECT(c2) AS tempVar UNWIND tempVar AS comps RETURN u.name,COUNT(DISTINCT(comps)) ORDER BY COUNT(DISTINCT(comps)) DESC",
"allowCollapse": true
}
]
},
{
"name": "DA Account Sessions to NON DC",
"queryList": [
{
"final": true,
"query": "MATCH (c:Computer)-[:MemberOf]->(t:Group) WHERE NOT t.name STARTS WITH 'DOMAIN CONTROLLERS' WITH c as NonDC MATCH p=(NonDC)-[:HasSession]->(n:User)-[:MemberOf]-> (g:Group) WHERE g.name STARTS WITH 'DOMAIN ADMINS' RETURN p",
"allowCollapse": true
}
]
},
{
"name": "Find unsupported OSs",
"queryList": [
{
"final": true,
"query": "MATCH (n:Computer) WHERE n.operatingsystem =~ '(?i).(2000|2003|2008|xp|vista|7|me).' RETURN n",
"allowCollapse": true
}
]
},
{
"name": "Find AS-REP Roasting users (no kerberos pre-authentication)",
"queryList": [
{
"final": true,
"query": "MATCH (u:User {dontreqpreauth: true}) RETURN u",
"allowCollapse": true
}
]
},
{
"name": "[WIP] Users with Most Local Admin Rights",
"category": "Top 10",
"queryList": [
{
"final": false,
"title": "Select source domain",
"query": "MATCH (n:Domain) RETURN n.name ORDER BY n.name"
},
{
"final": true,
"query": "MATCH (n:User {domain: $result}),(m:Computer), (n)-[r:AdminTo]->(m) WHERE NOT n.name STARTS WITH 'ANONYMOUS LOGON' AND NOT n.name='' WITH n, count(r) as rel_count order by rel_count desc LIMIT 10 MATCH p=(m)<-[r:AdminTo]-(n) RETURN p",
"allowCollapse": true
}
]
},
{
"name": "[WIP] Computers with Most Sessions [Required: sessions]",
"category": "Top 10",
"queryList": [
{
"final": false,
"title": "Select source domain",
"query": "MATCH (n:Domain) RETURN n.name ORDER BY n.name"
},
{
"final": true,
"query": "MATCH (n:User {domain: $result}),(m:Computer), (n)-[r:AdminTo]->(m) WHERE NOT n.name STARTS WITH 'ANONYMOUS LOGON' AND NOT n.name='' WITH n, count(r) as rel_count order by rel_count desc LIMIT 10 MATCH p=(m)<-[r:AdminTo]-(n) RETURN p",
"allowCollapse": true
}
]
},
{
"name": "[WIP] Users with Most Sessions [Required: sessions]",
"category": "Top 10",
"queryList": [
{
"final": false,
"title": "Select source domain",
"query": "MATCH (n:Domain) RETURN n.name ORDER BY n.name"
},
{
"final": true,
"query": "MATCH (n:User {domain: $result}),(m:Computer), (n)<-[r:HasSession]-(m) WHERE NOT n.name STARTS WITH 'ANONYMOUS LOGON' AND NOT n.name='' WITH n, count(r) as rel_count order by rel_count desc LIMIT 10 MATCH p=(m)-[r:HasSession]->(n) RETURN p",
"allowCollapse": true
}
]
},
{
"name": "List non-privileged user(s) with dangerous permissions to any node type",
"category": "Top 10",
"queryList": [
{
"final": false,
"title": "Select source domain",
"query": "MATCH (n:Domain) RETURN n.name ORDER BY n.name"
},
{
"final": true,
"query": "MATCH (u:User {enabled: true, admincount: false, domain: $result})-[r]->(a) RETURN u, COUNT(DISTINCT type(r)) AS permissions ORDER BY permissions DESC LIMIT 10",
"allowCollapse": true
}
]
},
{
"name": "Route non-privileged user(s) with dangerous permissions to any node type",
"category": "Top 10",
"queryList": [
{
"final": false,
"title": "Select source domain",
"query": "MATCH (n:Domain) RETURN n.name ORDER BY n.name"
},
{
"final": true,
"query": "MATCH (u:User {enabled: true, admincount: false, domain: $result})-[r]->(a) WITH u, COUNT(DISTINCT type(r)) AS permissions ORDER BY permissions DESC LIMIT 10 MATCH p=allshortestpaths((u)-[r]->(a)) WHERE NOT u = a RETURN p",
"allowCollapse": true
}
]
},
{
"name": "[WIP] Users with most cross-domain sessions [Required: sessions]",
"category": "Top 10",
"queryList": [
{
"final": false,
"title": "Select source domain",
"query": "MATCH (n:Domain) RETURN n.name ORDER BY n.name"
},
{
"final": true,
"query": "MATCH p=(g1:Group)<-[:MemberOf*1..]-(u:User {enabled:true, domain: $result})<-[r:HasSession]-(c:Computer) WHERE NOT u.domain = c.domain WITH u, count(r) as rel_count order by rel_count desc LIMIT 10 MATCH p=(c:Computer)-[r:HasSession]->(u) WHERE NOT u.domain = c.domain RETURN p ORDER BY c.name",
"allowCollapse": false
}
]
},
{
"name": "List high value target(s)",
"category": "Domain / Macro",
"queryList": [
{
"final": false,
"title": "Select source domain",
"query": "MATCH (n:Domain) RETURN n.name ORDER BY n.name"
},
{
"final": true,
"query": "MATCH (a {highvalue: true, domain: $result}) RETURN a",
"allowCollapse": false
}
]
},
{
"name": "List domain(s)",
"category": "Domain / Macro",
"queryList": [
{
"final": true,
"query": "MATCH (d:Domain) RETURN d",
"allowCollapse": false
}
]
},
{
"name": "List domain trust(s)",
"category": "Domain / Macro",
"queryList": [
{
"final": true,
"query": "MATCH p=(n:Domain)-->(m:Domain) RETURN p"
}
]
},
{
"name": "List enabled user(s)",
"category": "Domain / Macro",
"queryList": [
{
"final": false,
"title": "Select source domain",
"query": "MATCH (n:Domain) RETURN n.name ORDER BY n.name"
},
{
"final": true,
"query": "MATCH (u:User {enabled:true, domain: $result}) RETURN u"
}
]
},
{
"name": "List enabled user(s) with an email address",
"category": "Domain / Macro",
"queryList": [
{
"final": false,
"title": "Select source domain",
"query": "MATCH (n:Domain) RETURN n.name ORDER BY n.name"
},
{
"final": true,
"query": "MATCH (u:User {enabled:true, domain: $result}) WHERE exists(u.email) RETURN u"
}
]
},
{
"name": "List non-managed service account(s)",
"category": "Domain / Macro",
"queryList": [
{
"final": false,
"title": "Select source domain",
"query": "MATCH (n:Domain) RETURN n.name ORDER BY n.name"
},
{
"final": true,
"query": "MATCH (u:User {hasspn:true, domain: $result}) WHERE NOT u.name CONTAINS '$' AND NOT u.name CONTAINS 'KRBTGT' RETURN u"
}
]
},
{
"name": "List enabled principal(s) with \"Unconstrained Delegation\"",
"category": "Domain / Macro",
"queryList": [
{
"final": false,
"title": "Select source domain",
"query": "MATCH (n:Domain) RETURN n.name ORDER BY n.name"
},
{
"final": true,
"query": "MATCH (a {unconstraineddelegation: true, enabled: true, domain: $result}) RETURN a",
"allowCollapse": false
}
]
},
{
"name": "List domain controller(s)",
"category": "Domain / Macro",
"queryList": [
{
"final": false,
"title": "Select source domain",
"query": "MATCH (n:Domain) RETURN n.name ORDER BY n.name"
},
{
"final": true,
"query": "MATCH (c:Computer {domain: $result})-[:MemberOf]->(g:Group) WHERE g.samaccountname CONTAINS 'Domain Controllers' RETURN c",
"allowCollapse": false
}
]
},
{
"name": "List Certificate Authority server(s) [Required: Certipy]",
"category": "Domain / Macro",
"queryList": [
{
"final": false,
"title": "Select source domain",
"query": "MATCH (n:Domain) RETURN n.name ORDER BY n.name"
},
{
"final": true,
"query": "MATCH (n:GPO {type:'Enrollment Service', domain: $result}) RETURN n"
}
]
},
{
"name": "[WIP] List privileges for Certificate Authority server(s) [Required: Certipy]",
"category": "Domain / Macro",
"queryList": [
{
"final": false,
"title": "Select source domain",
"query": "MATCH (n:Domain) RETURN n.name ORDER BY n.name"
},
{
"final": false,
"title": "Select a Certificate Authority...",
"query": "MATCH (n:GPO {type:'Enrollment Service', domain: $result}) RETURN n.name"
},
{
"final": true,
"query": "MATCH p=(g)-[:ManageCa|ManageCertificates|Auditor|Operator|Read|Enroll]->(n:GPO {name:$result}) return p",
"allowCollapse": false
}
]
},
{
"name": "List all Certificate Template(s) [Required: Certipy]",
"category": "Domain / Macro",
"queryList": [
{
"final": false,
"title": "Select source domain",
"query": "MATCH (n:Domain) RETURN n.name ORDER BY n.name"
},
{
"final": true,
"query": "MATCH (n:GPO {type:'Certificate Template', domain: $result}) RETURN n"
}
]
},
{
"name": "Find enabled Certificate Template(s) [Required: Certipy]",
"category": "Domain / Macro",
"queryList": [
{
"final": false,
"title": "Select source domain",
"query": "MATCH (n:Domain) RETURN n.name ORDER BY n.name"
},
{
"final": true,
"query": "MATCH (n:GPO {enabled:true, type:'Certificate Template', domain: $result}) RETURN n"
}
]
},
{
"name": "[WIP] List all Enrollment Right(s) for Certificate Template(s)",
"category": "Domain / Macro",
"queryList": [
{
"final": false,
"title": "Select source domain",
"query": "MATCH (n:Domain) RETURN n.name ORDER BY n.name"
},
{
"final": false,
"title": "Select a Certificate Template...",
"query": "MATCH (n:GPO {type:'Certificate Template', domain: $result}) RETURN n.name"
},
{
"final": true,
"query": "MATCH p=(g)-[:Enroll|AutoEnroll]->(n:GPO {name:$result, type:'Certificate Template'}) return p",
"allowCollapse": false
}
]
},
{
"name": "List computer(s) WITHOUT LAPS",
"category": "Domain / Macro",
"queryList": [
{
"final": false,
"title": "Select source domain",
"query": "MATCH (n:Domain) RETURN n.name ORDER BY n.name"
},
{
"final": true,
"query": "MATCH (c:Computer {haslaps:false, domain: $result}) RETURN c ORDER BY c.name",
"allowCollapse": false
}
]
},
{
"name": "List network share(s), ignoring SYSVOL",
"category": "Domain / Macro",
"requireNodeSelect": true,
"queryList": [
{
"final": false,
"title": "Select source domain",
"query": "MATCH (n:Domain) RETURN n.name ORDER BY n.name"
},
{
"final": true,
"query": "MATCH (a {domain: $result}) WHERE (any(prop in keys(a) where a[prop] contains '\\\\' and not a[prop] contains 'SYSVOL')) RETURN a"
}
]
},
{
"name": "List all group(s)",
"category": "Domain / Macro",
"queryList": [
{
"final": false,
"title": "Select source domain",
"query": "MATCH (n:Domain) RETURN n.name ORDER BY n.name"
},
{
"final": true,
"query": "Match (g:Group {domain: $result}) RETURN g"
}
]
},
{
"name": "List all GPO(s)",
"category": "Domain / Macro",
"queryList": [
{
"final": false,
"title": "Select source domain",
"query": "MATCH (n:Domain) RETURN n.name ORDER BY n.name"
},
{
"final": true,
"query": "Match (g:GPO {domain: $result}) RETURN g"
}
]
},
{
"name": "List all principal(s) with \"Local Admin\" permission",
"category": "Domain / Macro",
"requireNodeSelect": true,
"queryList": [
{
"final": false,
"title": "Select source domain",
"query": "MATCH (n:Domain) RETURN n.name ORDER BY n.name"
},
{
"final": true,
"query": "MATCH p=(a {domain: $result})-[:MemberOf|AdminTo*1..]->(c:Computer) RETURN p"
}
]
},
{
"name": "List all principal(s) with \"RDP\" permission",
"category": "Domain / Macro",
"requireNodeSelect": true,
"queryList": [
{
"final": false,
"title": "Select source domain",
"query": "MATCH (n:Domain) RETURN n.name ORDER BY n.name"
},
{
"final": true,
"query": "MATCH p=(a {domain: $result})-[:MemberOf|CanRDP*1..]->(c:Computer) RETURN p"
}
]
},
{
"name": "List all principal(s) with \"SQLAdmin\" permission",
"category": "Domain / Macro",
"requireNodeSelect": true,
"queryList": [
{
"final": false,
"title": "Select source domain",
"query": "MATCH (n:Domain) RETURN n.name ORDER BY n.name"
},
{
"final": true,
"query": "MATCH p=(a {domain: $result})-[:MemberOf|SQLAdmin*1..]->(c:Computer) RETURN p"
}
]
},
{
"name": "List all user session(s) [Required: sessions]",
"category": "Domain / Macro",
"requireNodeSelect": true,
"queryList": [
{
"final": false,
"title": "Select source domain",
"query": "MATCH (n:Domain) RETURN n.name ORDER BY n.name"
},
{
"final": true,
"query": "MATCH p=(u:User {domain: $result})<-[r:HasSession]-(c:Computer) RETURN p",
"allowCollapse": false
}
]
},
{
"name": "List all user(s) with description field",
"category": "Domain / Macro",
"requireNodeSelect": true,
"queryList": [
{
"final": false,
"title": "Select source domain",
"query": "MATCH (n:Domain) RETURN n.name ORDER BY n.name"
},
{
"final": true,
"query": "MATCH (u:User {domain: $result}) WHERE u.description IS NOT null return u"
}
]
},
{
"name": "List all enabled user(s) with \"userpassword\" attribute",
"category": "Domain / Macro",
"requireNodeSelect": true,
"queryList": [
{
"final": false,
"title": "Select source domain",
"query": "MATCH (n:Domain) RETURN n.name ORDER BY n.name"
},
{
"final": true,
"query": "MATCH (u:User {enabled:true, domain: $result}) WHERE u.userpassword IS NOT null RETURN u"
}
]
},
{
"name": "List all enabled user(s) with \"password never expires\" attribute",
"category": "Domain / Macro",
"requireNodeSelect": true,
"queryList": [
{
"final": false,
"title": "Select source domain",
"query": "MATCH (n:Domain) RETURN n.name ORDER BY n.name"
},
{
"final": true,
"query": "MATCH (u:User {pwdneverexpires:true, enabled:true, domain: $result}) return u"
}
]
},
{
"name": "List all enabled user(s) with \"password never expires\" attribute and not changed in last year",
"category": "Domain / Macro",
"requireNodeSelect": true,
"queryList": [
{
"final": false,
"title": "Select source domain",
"query": "MATCH (n:Domain) RETURN n.name ORDER BY n.name"
},
{
"final": true,
"query": "MATCH (u:User {enabled:true, domain: $result}) WHERE u.pwdneverexpires=TRUE AND u.pwdlastset < (datetime().epochseconds - (365 * 86400)) and NOT u.pwdlastset IN [-1.0, 0.0] return u"
}
]
},
{
"name": "List all enabled user(s) with \"don't require passwords\" attribute",
"category": "Domain / Macro",
"requireNodeSelect": true,
"queryList": [
{
"final": false,
"title": "Select source domain",
"query": "MATCH (n:Domain) RETURN n.name ORDER BY n.name"
},
{
"final": true,
"query": "MATCH (u:User {passwordnotreqd:true, enabled:true, domain: $result}) return u"
}
]
},
{
"name": "List all enabled user(s) that have never logged in",
"category": "Domain / Macro",
"queryList": [
{
"final": false,
"title": "Select source domain",
"query": "MATCH (n:Domain) RETURN n.name ORDER BY n.name"
},
{
"final": true,
"query": "MATCH (u:User {enabled:true, domain: $result}) WHERE u.lastlogontimestamp=-1.0 RETURN u"
}
]
},
{
"name": "List all enabled user(s) whose last logon is older than 90 days",
"category": "Domain / Macro",
"queryList": [
{
"final": false,
"title": "Select source domain",
"query": "MATCH (n:Domain) RETURN n.name ORDER BY n.name"
},
{
"final": true,
"query": "MATCH (u:User {enabled:true, domain: $result}) WHERE u.lastlogon < (datetime().epochseconds - (90 * 86400)) and NOT u.lastlogon IN [-1.0, 0.0] RETURN u"
}
]
},
{
"name": "List all enabled user(s) whose password was last set more than 90 days ago",
"category": "Domain / Macro",
"queryList": [
{
"final": false,
"title": "Select source domain",
"query": "MATCH (n:Domain) RETURN n.name ORDER BY n.name"
},
{
"final": true,
"query": "MATCH (u:User {enabled:true, domain: $result}) WHERE u.pwdlastset < (datetime().epochseconds - (90 * 86400)) and NOT u.pwdlastset IN [-1.0, 0.0] RETURN u"
}
]
},
{
"name": "List all owned user(s)",
"category": "Owned",
"queryList": [
{
"final": false,
"title": "Select source domain",
"query": "MATCH (n:Domain) RETURN n.name ORDER BY n.name"
},
{
"final": true,
"query": "MATCH (u:User {owned:true, domain: $result}) RETURN u"
}
]
},
{
"name": "List all owned & enabled user(s)",
"category": "Owned",
"queryList": [
{
"final": false,
"title": "Select source domain",
"query": "MATCH (n:Domain) RETURN n.name ORDER BY n.name"
},
{
"final": true,
"query": "MATCH (u:User {owned:true, enabled:true, domain: $result}) RETURN u"
}
]
},
{
"name": "List all owned & enabled user(s) with an email address",
"category": "Owned",
"queryList": [
{
"final": false,
"title": "Select source domain",
"query": "MATCH (n:Domain) RETURN n.name ORDER BY n.name"
},
{
"final": true,
"query": "MATCH (u:User {owned:true, enabled:true, domain: $result}) WHERE exists(u.email) RETURN u"
}
]
},
{
"name": "List all owned & enabled user(s) with \"Local Admin\" permission, and any active sessions and their group membership(s)",
"category": "Owned",
"requireNodeSelect": true,
"queryList": [
{
"final": false,
"title": "Select source domain",
"query": "MATCH (n:Domain) RETURN n.name ORDER BY n.name"
},
{
"final": true,
"query": "MATCH p=(u:User {owned:true, enabled: true, domain: $result})-[:MemberOf|AdminTo*1..]->(c:Computer) OPTIONAL MATCH p2=(c)-[:HasSession]->(u2:User) OPTIONAL MATCH p3=(u2:User)-[:MemberOf*1..]->(:Group) RETURN p, p2, p3",
"allowCollapse": false
}
]
},
{
"name": "List all owned & enabled user(s) with \"RDP\" permission, and any active sessions and their group membership(s)",
"category": "Owned",
"requireNodeSelect": true,
"queryList": [
{
"final": false,
"title": "Select source domain",
"query": "MATCH (n:Domain) RETURN n.name ORDER BY n.name"
},
{
"final": true,
"query": "MATCH p=(u:User {owned:true, enabled: true, domain: $result})-[:MemberOf|CanRDP*1..]->(c:Computer) OPTIONAL MATCH p2=(c)-[:HasSession]->(u2:User) OPTIONAL MATCH p3=(u2:User)-[:MemberOf*1..]->(:Group) RETURN p, p2, p3",
"allowCollapse": false
}
]
},
{
"name": "List all owned & enabled user(s) with \"SQLAdmin\" permission",
"category": "Owned",
"requireNodeSelect": true,
"queryList": [
{
"final": false,
"title": "Select source domain",
"query": "MATCH (n:Domain) RETURN n.name ORDER BY n.name"
},
{
"final": true,
"query": "MATCH p=(u:User {owned:true, enabled: true, domain: $result})-[:MemberOf|SQLAdmin*1..]->(c:Computer) RETURN p"
}
]
},
{
"name": "List all owned computer(s)",
"category": "Owned",
"queryList": [
{
"final": false,
"title": "Select source domain",
"query": "MATCH (n:Domain) RETURN n.name ORDER BY n.name"
},
{
"final": true,
"query": "MATCH (c:Computer {owned:true, domain: $result}) RETURN c ORDER BY c.name"
}
]
},
{
"name": "Route all group membership(s) of owned & enabled user(s)",
"category": "Owned",
"queryList": [
{
"final": false,
"title": "Select source domain",
"query": "MATCH (n:Domain) RETURN n.name ORDER BY n.name"
},
{
"final": true,
"query": "MATCH p=(u:User {owned:true, enabled:true, domain: $result})-[:MemberOf*1..]->(g:Group) RETURN p",
"allowCollapse": false
}
]
},
{
"name": "Route all non-privileged group membership(s) of owned & enabled user(s)",
"category": "Owned",
"queryList": [
{
"final": false,
"title": "Select source domain",
"query": "MATCH (n:Domain) RETURN n.name ORDER BY n.name"
},
{
"final": true,
"query": "MATCH p=(u:User {owned:true, enabled:true, domain: $result})-[:MemberOf*1..]->(g:Group {admincount:false}) RETURN p",
"allowCollapse": false
}
]
},
{
"name": "Route all privileged group membership(s) of owned & enabled user(s)",
"category": "Owned",
"queryList": [
{
"final": false,
"title": "Select source domain",
"query": "MATCH (n:Domain) RETURN n.name ORDER BY n.name"
},
{
"final": true,
"query": "MATCH p=(u:User {owned:true, enabled:true, domain: $result})-[:MemberOf*1..]->(g:Group {admincount:true}) RETURN p",
"allowCollapse": false
}
]
},
{
"name": "Route all owned & enabled user(s) with Dangerous Rights to any node type",
"category": "Owned",
"queryList": [
{
"final": false,
"title": "Select source domain",
"query": "MATCH (n:Domain) RETURN n.name ORDER BY n.name"
},
{
"final": true,
"query": "MATCH p=allshortestpaths((u:User {owned:true, enabled:true, domain: $result})-[:MemberOf|Owns|WriteDacl|GenericAll|WriteOwner|ExecuteDCOM|AllowedToDelegate|ForceChangePassword|AdminTo*1..]->(a)) WHERE NOT a = u RETURN p",
"allowCollapse": true
}
]
},
{
"name": "Route all owned & enabled user(s) with Dangerous Rights to group(s)",
"category": "Owned",
"queryList": [
{
"final": false,
"title": "Select source domain",
"query": "MATCH (n:Domain) RETURN n.name ORDER BY n.name"
},
{
"final": true,
"query": "MATCH p=allshortestpaths((u:User {owned:true, enabled:true, domain: $result})-[:MemberOf|Owns|WriteDacl|GenericAll|WriteOwner|ExecuteDCOM|AllowedToDelegate|ForceChangePassword|AdminTo*1..]->(:Group))RETURN p",
"allowCollapse": true
}
]
},
{
"name": "Route all owned & enabled user(s) with Dangerous Rights to user(s)",
"category": "Owned",
"queryList": [
{
"final": false,
"title": "Select source domain",
"query": "MATCH (n:Domain) RETURN n.name ORDER BY n.name"
},
{
"final": true,
"query": "MATCH p=allshortestpaths((o:User {owned:true, enabled:true, domain: $result})-[:MemberOf|Owns|WriteDacl|GenericAll|WriteOwner|ExecuteDCOM|AllowedToDelegate|ForceChangePassword|AdminTo*1..]->(u:User)) WHERE NOT o = u RETURN p",
"allowCollapse": true
}
]
},
{
"name": "Route from owned & enabled user(s) to all principals with \"Unconstrained Delegation\"",
"category": "Owned",
"queryList": [
{
"final": false,
"title": "Select source domain",
"query": "MATCH (n:Domain) RETURN n.name ORDER BY n.name"
},
{
"final": true,
"query": "MATCH p=allshortestpaths((o:User {owned:true, enabled:true, domain: $result})-[*]->(a {unconstraineddelegation: true, enabled: true})) WHERE NOT o = a RETURN p",
"allowCollapse": false
}
]
},
{
"name": "Route from owned & enabled principals to high value target(s)",
"category": "Owned",
"queryList": [
{
"final": false,
"title": "Select source domain",
"query": "MATCH (n:Domain) RETURN n.name ORDER BY n.name"
},
{
"final": true,
"query": "MATCH p=allShortestPaths((o {owned:true, enabled:true, domain: $result})-[*]->(a {highvalue: true})) WHERE NOT o=a RETURN p",
"allowCollapse": true
}
]
},
{
"name": "Owned: [WIP] Find all owned user(s) with privileged access to Azure Tenancy (Required: azurehound)",
"category": "Owned",
"queryList": [
{
"final": false,
"title": "Select source domain",
"query": "MATCH (n:Domain) RETURN n.name ORDER BY n.name"
},
{
"final": true,
"query": "MATCH p=(n {owned:true, enabled:true, domain: $result})-[r:MemberOf|AZGlobalAdmin|AZPrivilegedRoleAdmin*1..]->(:AZTenant) RETURN p"
}
]
},
{
"name": "Owned: [WIP] Find all owned user(s) whose group membership grants privileged access to Azure Tenancy (Required: azurehound)",
"category": "Owned",
"queryList": [
{
"final": false,
"title": "Select source domain",
"query": "MATCH (n:Domain) RETURN n.name ORDER BY n.name"
},
{
"final": true,
"query": "MATCH p=(n {owned:true, enabled:true, domain: $result})-[:MemberOf*1..]->(g:Group)-[r:AZGlobalAdmin|AZPrivilegedRoleAdmin*1..]->(:AZTenant) RETURN p"
}
]
},
{
"name": "Owned: [WIP] Find all Owners of Azure Applications with Owners to Service Principals with Dangerous Rights (Required: azurehound)",
"category": "Owned",
"queryList": [
{
"final": false,
"title": "Select source domain",
"query": "MATCH (n:Domain) RETURN n.name ORDER BY n.name"
},
{
"final": true,
"query": "MATCH p = (n {enabled:true, owned:true, domain: $result})-[:AZOwns]->(azapp:AZApp)-[r1]->(azsp:AZServicePrincipal)-[r:AZGlobalAdmin|AZPrivilegedRoleAdmin*1..]->(azt:AZTenant) RETURN p",
"allowCollapse": true
}
]
},
{
"name": "Find all owned groups that grant access to network shares",
"category": "Owned",
"queryList": [
{
"final": false,
"title": "Select source domain",
"query": "MATCH (n:Domain) RETURN n.name ORDER BY n.name"
},
{
"final": true,
"query": "MATCH p=(u:User {owned:true, domain: $result})-[:MemberOf*1..]->(g:Group) where (any(prop in keys(g) where g[prop] contains '\\\\')) return p"
}
]
},
{
"name": "Route all sessions to computers WITHOUT LAPS (Required: sessions)",
"category": "Owned",
"queryList": [
{
"final": false,
"title": "Select source domain",
"query": "MATCH (n:Domain) RETURN n.name ORDER BY n.name"
},
{
"final": true,
"query": "MATCH p=(u:User {owned:true, domain: $result})<-[r:HasSession]-(c:Computer {haslaps:false}) RETURN p ORDER BY c.name"
}
]
},
{
"name": "Route all sessions to computers (Required: sessions)",
"category": "Owned",
"queryList": [
{
"final": false,
"title": "Select source domain",
"query": "MATCH (n:Domain) RETURN n.name ORDER BY n.name"
},
{
"final": true,
"query": "MATCH p=(u:User {owned:true, domain: $result})<-[r:HasSession]-(c:Computer) RETURN p ORDER BY c.name"
}
]
},
{
"name": "List enabled non-privileged user(s) with \"Local Admin\" permission",
"category": "Non-privileged",
"requireNodeSelect": true,
"queryList": [
{
"final": false,
"title": "Select source domain",
"query": "MATCH (n:Domain) RETURN n.name ORDER BY n.name"
},
{
"final": true,
"query": "MATCH p=(u:User {enabled: true, admincount: false, domain: $result})-[:MemberOf|AdminTo*1..]->(c:Computer) RETURN p"
}
]
},
{
"name": "List enabled non-privileged user(s) with \"Local Admin\" permission, and any active sessions and their group membership(s)",
"category": "Non-privileged",
"requireNodeSelect": true,
"queryList": [
{
"final": false,
"title": "Select source domain",
"query": "MATCH (n:Domain) RETURN n.name ORDER BY n.name"
},
{
"final": true,
"query": "MATCH p=(u:User {enabled: true, admincount: false, domain: $result})-[:MemberOf|AdminTo*1..]->(c:Computer) OPTIONAL MATCH p2=(c)-[:HasSession]->(u2:User) OPTIONAL MATCH p3=(u2:User)-[:MemberOf*1..]->(:Group) RETURN p, p2, p3",
"allowCollapse": false
}
]
},
{
"name": "List enabled non-privileged user(s) with \"RDP\" permission",
"category": "Non-privileged",
"requireNodeSelect": true,
"queryList": [
{
"final": false,
"title": "Select source domain",
"query": "MATCH (n:Domain) RETURN n.name ORDER BY n.name"
},
{
"final": true,
"query": "MATCH p=(u:User {enabled: true, admincount: false, domain: $result})-[:MemberOf|CanRDP*1..]->(c:Computer) RETURN p"
}
]
},
{
"name": "List enabled non-privileged user(s) with \"RDP\" permission, and any active sessions and their group membership(s)",
"category": "Non-privileged",
"requireNodeSelect": true,
"queryList": [
{
"final": false,
"title": "Select source domain",
"query": "MATCH (n:Domain) RETURN n.name ORDER BY n.name"
},
{
"final": true,
"query": "MATCH p=(u:User {enabled: true, admincount: false, domain: $result})-[:MemberOf|CanRDP*1..]->(c:Computer) OPTIONAL MATCH p2=(c)-[:HasSession]->(u2:User) OPTIONAL MATCH p3=(u2:User)-[:MemberOf*1..]->(:Group) RETURN p, p2, p3",
"allowCollapse": false
}
]
},
{
"name": "List enabled non-privileged user(s) with \"SQLAdmin\" permission",
"category": "Non-privileged",
"requireNodeSelect": true,
"queryList": [
{
"final": false,
"title": "Select source domain",
"query": "MATCH (n:Domain) RETURN n.name ORDER BY n.name"
},
{
"final": true,
"query": "MATCH p=(u:User {enabled: true, admincount: false, domain: $result})-[:MemberOf|SQLAdmin*1..]->(c:Computer) RETURN p"
}
]
},
{
"name": "List all \"Domain Users\" group membership(s)",
"category": "Non-privileged",
"queryList": [
{
"final": false,
"title": "Select source domain",
"query": "MATCH (n:Domain) RETURN n.name ORDER BY n.name"
},
{
"final": true,
"query": "MATCH p=(g1:Group {domain: $result})-[:MemberOf*1..]->(g2:Group) WHERE g1.name STARTS WITH 'DOMAIN USERS' RETURN p ORDER BY g2.name"
}
]
},
{
"name": "List all \"Authenticated Users\" group membership(s)",
"category": "Non-privileged",
"queryList": [
{
"final": false,
"title": "Select source domain",
"query": "MATCH (n:Domain) RETURN n.name ORDER BY n.name"
},
{
"final": true,
"query": "MATCH p=(g1:Group {domain: $result})-[:MemberOf*1..]->(g2:Group) WHERE g1.name STARTS WITH 'AUTHENTICATED USERS' RETURN p ORDER BY g2.name"
}
]
},
{
"name": "Find all enabled AS-REP roastable user(s)",
"category": "Privilege Escalation / Lateral Movement",
"queryList": [
{
"final": false,
"title": "Select source domain",
"query": "MATCH (n:Domain) RETURN n.name ORDER BY n.name"
},
{
"final": true,
"query": "MATCH (u:User {dontreqpreauth: true, enabled:true, domain: $result}) WHERE NOT u.name CONTAINS '$' and NOT u.name CONTAINS 'KRBTGT' RETURN u",
"allowCollapse": false
}
]
},
{
"name": "Find all enabled kerberoastable user(s)",
"category": "Privilege Escalation / Lateral Movement",
"queryList": [
{
"final": false,
"title": "Select source domain",
"query": "MATCH (n:Domain) RETURN n.name ORDER BY n.name"
},
{
"final": true,
"query": "MATCH (u:User {hasspn: true, enabled:true, domain: $result}) WHERE NOT u.name CONTAINS '$' and NOT u.name CONTAINS 'KRBTGT' RETURN u",
"allowCollapse": false
}
]
},
{
"name": "Route non-privileged user(s) with dangerous rights to user(s) [HIGH RAM]",
"category": "Privilege Escalation / Lateral Movement",
"requireNodeSelect": true,
"queryList": [
{
"final": false,
"title": "Select source domain",
"query": "MATCH (n:Domain) RETURN n.name ORDER BY n.name"
},
{
"final": true,
"query": "MATCH p=allshortestpaths((u:User {enabled: true, admincount: false, domain: $result})-[:MemberOf|Owns|WriteDacl|GenericAll|WriteOwner|ExecuteDCOM|AllowedToDelegate|ForceChangePassword|AdminTo*1..]->(a:User)) WHERE NOT u = a RETURN p"
}
]
},
{
"name": "Route non-privileged user(s) with dangerous rights to group(s) [HIGH RAM]",
"category": "Privilege Escalation / Lateral Movement",
"requireNodeSelect": true,
"queryList": [
{
"final": false,
"title": "Select source domain",
"query": "MATCH (n:Domain) RETURN n.name ORDER BY n.name"
},
{
"final": true,
"query": "MATCH p=allshortestpaths((u:User {enabled: true, admincount: false, domain: $result})-[:MemberOf|Owns|WriteDacl|GenericAll|WriteOwner|ExecuteDCOM|AllowedToDelegate|ForceChangePassword|AdminTo*1..]->(a:Group)) WHERE NOT u = a RETURN p"
}
]
},
{
"name": "Route non-privileged user(s) with dangerous rights to computer(s) [HIGH RAM]",
"category": "Privilege Escalation / Lateral Movement",
"requireNodeSelect": true,
"queryList": [
{
"final": false,
"title": "Select source domain",
"query": "MATCH (n:Domain) RETURN n.name ORDER BY n.name"
},
{
"final": true,
"query": "MATCH p=allshortestpaths((u:User {enabled: true, admincount: false, domain: $result})-[:MemberOf|Owns|WriteDacl|GenericAll|WriteOwner|ExecuteDCOM|AllowedToDelegate|ForceChangePassword|AdminTo*1..]->(a:Computer)) WHERE NOT u = a RETURN p"
}
]
},
{
"name": "Route non-privileged user(s) with dangerous rights to GPO(s) [HIGH RAM]",
"category": "Privilege Escalation / Lateral Movement",
"requireNodeSelect": true,
"queryList": [
{
"final": false,
"title": "Select source domain",
"query": "MATCH (n:Domain) RETURN n.name ORDER BY n.name"
},
{
"final": true,
"query": "MATCH p=allshortestpaths((u:User {enabled: true, admincount: false, domain: $result})-[:MemberOf|Owns|WriteDacl|GenericAll|WriteOwner|ExecuteDCOM|AllowedToDelegate|ForceChangePassword|AdminTo*1..]->(a:GPO)) WHERE NOT u = a RETURN p"
}
]
},
{
"name": "Route non-privileged user(s) with dangerous rights to privileged node(s) [HIGH RAM]",
"category": "Privilege Escalation / Lateral Movement",
"requireNodeSelect": true,
"queryList": [
{
"final": false,
"title": "Select source domain",
"query": "MATCH (n:Domain) RETURN n.name ORDER BY n.name"
},
{
"final": true,
"query": "MATCH p=allshortestpaths((u:User {enabled: true, admincount: false, domain: $result})-[:MemberOf|Owns|WriteDacl|GenericAll|WriteOwner|ExecuteDCOM|AllowedToDelegate|ForceChangePassword|AdminTo*1..]->(a {admincount: true})) WHERE NOT u = a RETURN p"
}
]
},
{
"name": "Route non-privileged computer(s) with dangerous rights to user(s) [HIGH RAM]",
"category": "Privilege Escalation / Lateral Movement",
"requireNodeSelect": true,
"queryList": [
{
"final": false,
"title": "Select source domain",
"query": "MATCH (n:Domain) RETURN n.name ORDER BY n.name"
},
{
"final": true,
"query": "MATCH p=allshortestpaths((c:Computer {admincount: false})-[:MemberOf|Owns|WriteDacl|GenericAll|WriteOwner|ExecuteDCOM|AllowedToDelegate|ForceChangePassword|AdminTo*1..]->(a:User {domain: $result})) WHERE NOT c = a RETURN p"
}
]
},
{
"name": "Route non-privileged computer(s) with dangerous rights to group(s) [HIGH RAM]",
"category": "Privilege Escalation / Lateral Movement",
"requireNodeSelect": true,
"queryList": [
{
"final": false,
"title": "Select source domain",
"query": "MATCH (n:Domain) RETURN n.name ORDER BY n.name"
},
{
"final": true,
"query": "MATCH p=allshortestpaths((c:Computer {admincount: false})-[:MemberOf|Owns|WriteDacl|GenericAll|WriteOwner|ExecuteDCOM|AllowedToDelegate|ForceChangePassword|AdminTo*1..]->(a:Group {domain: $result})) WHERE NOT c = a RETURN p"
}
]
},
{
"name": "Route non-privileged computer(s) with dangerous rights to computer(s) [HIGH RAM]",
"category": "Privilege Escalation / Lateral Movement",
"requireNodeSelect": true,
"queryList": [
{
"final": false,
"title": "Select source domain",
"query": "MATCH (n:Domain) RETURN n.name ORDER BY n.name"
},
{
"final": true,
"query": "MATCH p=allshortestpaths((c:Computer {admincount: false})-[:MemberOf|Owns|WriteDacl|GenericAll|WriteOwner|ExecuteDCOM|AllowedToDelegate|ForceChangePassword|AdminTo*1..]->(a:Computer {domain: $result})) WHERE NOT c = a RETURN p"
}
]
},
{
"name": "Route non-privileged computer(s) with dangerous rights to GPO(s) [HIGH RAM]",
"category": "Privilege Escalation / Lateral Movement",
"requireNodeSelect": true,
"queryList": [
{
"final": false,
"title": "Select source domain",
"query": "MATCH (n:Domain) RETURN n.name ORDER BY n.name"
},
{
"final": true,
"query": "MATCH p=allshortestpaths((c:Computer {admincount: false})-[:MemberOf|Owns|WriteDacl|GenericAll|WriteOwner|ExecuteDCOM|AllowedToDelegate|ForceChangePassword|AdminTo*1..]->(a:GPO {domain: $result})) WHERE NOT c = a RETURN p"
}
]
},
{
"name": "Route non-privileged computer(s) with dangerous rights to privileged node(s) [HIGH RAM]",
"category": "Privilege Escalation / Lateral Movement",
"requireNodeSelect": true,
"queryList": [
{
"final": false,
"title": "Select source domain",
"query": "MATCH (n:Domain) RETURN n.name ORDER BY n.name"
},
{
"final": true,
"query": "MATCH p=allshortestpaths((c:Computer {admincount: false})-[:MemberOf|Owns|WriteDacl|GenericAll|WriteOwner|ExecuteDCOM|AllowedToDelegate|ForceChangePassword|AdminTo*1..]->(a {admincount: true, domain: $result})) WHERE NOT c = a RETURN p"
}
]
},
{
"name": "List ESC1 vulnerable Certificate Template(s) [Required: Certipy]",
"category": "Privilege Escalation / Lateral Movement",
"queryList": [
{
"final": false,
"title": "Select source domain",
"query": "MATCH (n:Domain) RETURN n.name ORDER BY n.name"
},
{
"final": true,
"query": "MATCH (n:GPO {Enabled:true, type:'Certificate Template', `Enrollee Supplies Subject`:true, `Client Authentication`:true, domain: $result}) RETURN n"
}
]
},
{
"name": "List ESC2 vulnerable Certificate Template(s) [Required: Certipy]",
"category": "Privilege Escalation / Lateral Movement",
"queryList": [
{
"final": false,
"title": "Select source domain",
"query": "MATCH (n:Domain) RETURN n.name ORDER BY n.name"
},
{
"final": true,
"query": "MATCH (n:GPO {Enabled:true, type:'Certificate Template', domain: $result}) WHERE (n.`Extended Key Usage` = [] or 'Any Purpose' IN n.`Extended Key Usage`) RETURN n"
}
]
},
{
"name": "List ESC3 vulnerable Certificate Template(s) [Required: Certipy]",
"category": "Privilege Escalation / Lateral Movement",
"queryList": [
{
"final": false,
"title": "Select source domain",
"query": "MATCH (n:Domain) RETURN n.name ORDER BY n.name"
},
{
"final": true,
"query": "MATCH (n:GPO {Enabled:true, type:'Certificate Template', domain: $result}) WHERE (n.`Extended Key Usage` = [] or 'Any Purpose' IN n.`Extended Key Usage` or 'Certificate Request Agent' IN n.`Extended Key Usage`) RETURN n"
}
]
},
{
"name": "List ESC4 vulnerable Certificate Template(s) [Required: Certipy]",
"category": "Privilege Escalation / Lateral Movement",
"queryList": [
{
"final": false,
"title": "Select source domain",
"query": "MATCH (n:Domain) RETURN n.name ORDER BY n.name"
},
{
"final": true,
"query": "MATCH p=shortestPath((g)-[:GenericAll|GenericWrite|Owns|WriteDacl|WriteOwner*1..]->(n:GPO {Enabled:true, type:'Certificate Template', domain: $result})) WHERE g<>n RETURN p"
}
]
},
{
"name": "List ESC6 vulnerable Certificate Authority server(s) [Required: Certipy]",
"category": "Privilege Escalation / Lateral Movement",
"queryList": [
{
"final": false,
"title": "Select source domain",
"query": "MATCH (n:Domain) RETURN n.name ORDER BY n.name"
},
{
"final": true,
"query": "MATCH (n:GPO {type:'Enrollment Service', `User Specified SAN`:'Enabled', domain: $result}) RETURN n"
}
]
},
{
"name": "List ESC7 vulnerable Certificate Authority server(s) [Required: Certipy]",
"category": "Privilege Escalation / Lateral Movement",
"queryList": [
{
"final": false,
"title": "Select source domain",
"query": "MATCH (n:Domain) RETURN n.name ORDER BY n.name"
},
{
"final": true,
"query": "MATCH p=shortestPath((g)-[r:GenericAll|GenericWrite|Owns|WriteDacl|WriteOwner|ManageCa|ManageCertificates*1..]->(n:GPO {type:'Enrollment Service', domain: $result})) WHERE g<>n RETURN p"
}
]
},
{
"name": "List ESC8 vulnerable Certificate Authority server(s) [Required: Certipy]",
"category": "Privilege Escalation / Lateral Movement",
"queryList": [
{
"final": false,
"title": "Select source domain",
"query": "MATCH (n:Domain) RETURN n.name ORDER BY n.name"
},
{
"final": true,
"query": "MATCH (n:GPO {type:'Enrollment Service', `Web Enrollment`:'Enabled', domain: $result}) RETURN n"
}
]
},
{
"name": "List all cross-domain user session(s) and user group membership(s)",
"category": "Privilege Escalation / Lateral Movement",
"requireNodeSelect": true,
"queryList": [
{
"final": false,
"title": "Select source domain...",
"query": "MATCH (n:Domain) RETURN n.name ORDER BY n.name"
},
{
"final": true,
"query": "MATCH p=(g1:Group)<-[:MemberOf*1..]-(u:User {enabled:true, domain: $result})<-[:HasSession]-(c:Computer) WHERE NOT u.domain = c.domain RETURN p ORDER BY c.name",
"allowCollapse": false
}
]
},
{
"name": "List privileged user(s) without \"Protected Users\" group membership",
"category": "Privileged",
"queryList": [
{
"final": false,
"title": "Select source domain",
"query": "MATCH (n:Domain) RETURN n.name ORDER BY n.name"
},
{
"final": true,
"query": "MATCH (u:User {admincount:true, domain: $result}), (c:Computer), (u)-[:MemberOf*1..]->(g) WHERE g.name CONTAINS 'Protected Users' WITH COLLECT(u) AS privilegedUsers MATCH (u2:User {admincount:true}) WHERE NOT u2 IN privilegedUsers RETURN u2"
}
]
},
{
"name": "List custom privileged group(s)",
"category": "Privileged",
"queryList": [
{
"final": false,
"title": "Select source domain",
"query": "MATCH (n:Domain) RETURN n.name ORDER BY n.name"
},
{
"final": true,
"query": "MATCH (g:Group {admincount:true, highvalue:false, domain: $result}) WHERE NOT (g.objectid =~ $domain_admins or g.objectid =~ $enterprise_admins or g.objectid =~ $administrators or g.objectid =~ $account_operators or g.objectid CONTAINS $replicators or g.objectid =~ $key_admins or g.objectid =~ $read_only_domain_controllers or g.objectid =~ $enterprise_key_admins or g.objectid =~ $schema_admins) RETURN g",
"props": {
"domain_admins": "(?i)S-1-5-.*-512",
"enterprise_admins": "(?i)S-1-5-.*-519",
"administrators": "(?i)S-1-5-.*-544",
"account_operators": "(?i)S-1-5-.*-548",
"replicators": "-552",
"key_admins": "(?i)S-1-5-.*-526",
"read_only_domain_controllers": "(?i)S-1-5-.*-521",
"enterprise_key_admins": "(?i)S-1-5-.*-527",
"schema_admins": "(?i)S-1-5-.*-518"
}
}
]
},
{
"name": "List all enabled SVC account(s) with privileged group membership(s)",
"category": "Privileged",
"queryList": [
{
"final": false,
"title": "Select source domain",
"query": "MATCH (n:Domain) RETURN n.name ORDER BY n.name"
},
{
"final": true,
"query": "MATCH p=(u:User {enabled: true, hasspn: true, domain: $result})-[:MemberOf*1..]->(g:Group {admincount: true}) RETURN p",
"allowCollapse": false
}
]
},
{
"name": "Route all privileged user(s) with sessions to non-privileged computer(s) [Required: sessions]",
"category": "Privileged",
"queryList": [
{
"final": false,
"title": "Select source domain",
"query": "MATCH (n:Domain) RETURN n.name ORDER BY n.name"
},
{
"final": true,
"query": "MATCH (c:Computer), (u:User), (g:Group), (c)-[:MemberOf*1..]->(:Group {admincount:false}) MATCH p=(c)-[:HasSession]->(u {admincount:true, domain: $result}) RETURN p",
"allowCollapse": false
}
]
},
{
"name": "Find allshortestpaths with dangerous rights to AdminSDHolder object",
"category": "Persistence",
"queryList": [
{
"final": false,
"title": "Select source domain",
"query": "MATCH (n:Domain) RETURN n.name ORDER BY n.name"
},
{
"final": true,
"query": "MATCH p=allshortestpaths((u:User {enabled:true, admincount:false, domain: $result})-[*]->(c:Container)) WHERE c.distinguishedname CONTAINS 'ADMINSDHOLDER' RETURN p",
"allowCollapse": false
}
]
},
{
"name": "Find allshortestpaths with DCSync to domain object",
"category": "Persistence",
"queryList": [
{
"final": false,
"title": "Select source domain",
"query": "MATCH (n:Domain) RETURN n.name ORDER BY n.name"
},
{
"final": true,
"query": "MATCH p=allshortestpaths((u:User {enabled:true, admincount:false, domain: $result})-[r:MemberOf|DCSync*1..]->(:Domain)) RETURN p",
"allowCollapse": false
}
]
},
{
"name": "Find allshortestpaths with Shadow Credential permission to principal(s)",
"category": "Persistence",
"queryList": [
{
"final": false,
"title": "Select source domain",
"query": "MATCH (n:Domain) RETURN n.name ORDER BY n.name"
},
{
"final": true,
"query": "MATCH p=allshortestpaths((a {domain: $result})-[:MemberOf|AddKeyCredentialLink*1..]->(b)) WHERE NOT a=b RETURN p",
"allowCollapse": false
}
]
},
{
"name": "List all Tenancy (Required: azurehound)",
"category": "AAD",
"queryList": [
{
"final": true,
"query": "MATCH (t:AZTenant) RETURN t",
"allowCollapse": true
}
]
},
{
"name": "[WIP] List all AAD Group(s) that are synchronized with AD (Required: azurehound)",
"category": "AAD",
"queryList": [
{
"final": true,
"query": "MATCH (n:Group) WHERE n.objectid CONTAINS 'S-1-5' AND n.azsyncid IS NOT NULL RETURN n",
"allowCollapse": true
}
]
},
{
"name": "[WIP] List all principal(s) used for syncing AD and AAD",
"category": "AAD",
"queryList": [
{
"final": true,
"query": "MATCH (u) WHERE (u:User OR u:AZUser) AND (u.name =~ '(?i)^MSOL_|.*AADConnect.*' OR u.userprincipalname =~ '(?i)^sync_.*') OPTIONAL MATCH (u)-[:HasSession]->(s:Session) RETURN u, s",
"allowCollapse": true
}
]
},
{
"name": "List all enabled Azure User(s) (Required: azurehound)",
"category": "AAD",
"queryList": [
{
"final": true,
"query": "MATCH (u:AZUser {enabled:true}) RETURN u",
"allowCollapse": true
}
]
},
{
"name": "List all enabled Azure User(s) Azure Group membership(s) (Required: azurehound)",
"category": "AAD",
"queryList": [
{
"final": true,
"query": "MATCH p=(azu:AZUser {enabled:true})-[MemberOf*1..]->(azg:AZGroup) RETURN p",
"allowCollapse": false
}
]
},
{
"name": "[WIP] List all AD principal(s) with edge(s) to Azure principal(s) (Required: azurehound)",
"category": "AAD",
"queryList": [
{
"final": true,
"query": "MATCH p=(u:User)-[r:MemberOf|AZResetPassword|AZOwns|AZUserAccessAdministrator|AZContributor|AZAddMembers|AZGlobalAdmin|AZVMContributor|AZOwnsAZAvereContributor*1..]->(n) WHERE u.objectid CONTAINS 'S-1-5-21' RETURN p",
"allowCollapse": false
}
]
},
{
"name": "[WIP] List all principal(s) with privileged access to Azure Tenancy (Required: azurehound)",
"category": "AAD",
"queryList": [
{
"final": true,
"query": "MATCH (a) WHERE (a:User OR a:AZUser) WITH a MATCH p=(a)-[r:MemberOf|AZGlobalAdmin|AZPrivilegedRoleAdmin*1..]->(azt:AZTenant) RETURN p",
"allowCollapse": false
}
]
},
{
"name": "[WIP] Route all principal(s) that have control permissions to Azure Application(s) running as Azure Service Principals (AzSP), and route from privileged ASP to Azure Tenancy (Required: azurehound)",
"category": "AAD",
"queryList": [
{
"final": true,
"query": "MATCH (a) WHERE (a:User OR a:AZUser) WITH a MATCH p=(a)-[:MemberOf|AZOwns|AZAppAdmin*1..]->(azapp:AZApp) OPTIONAL MATCH p2=(azapp)-[:AZRunsAs]->(azsp:AZServicePrincipal) OPTIONAL MATCH p3=(azsp)-[:MemberOf|AZGlobalAdmin|AZPrivilegedRoleAdmin*1..]->(azt:AZTenant) RETURN p, p2, p3",
"allowCollapse": true
}
]
},
{
"name": "[WIP] Route all user principal(s) that have control permissions to Azure Service Principals (AzSP), and route from AzSP to principal(s) (Required: azurehound)",
"category": "AAD",
"queryList": [
{
"final": true,
"query": "MATCH (a) WHERE (a:User OR a:AZUser) WITH a MATCH p=allShortestPaths((a)-[*]->(azsp:AZServicePrincipal)-[*]->(b)) WHERE NOT a=b RETURN p",
"allowCollapse": true
}
]
},
{
"name": "[WIP] Route from Azure User principal(s) that have dangerous rights to Azure User and User principal(s) (Required: azurehound)",
"category": "AAD",
"queryList": [
{
"final": true,
"query": "MATCH (a) WHERE (a:User OR a:AZUser) WITH a MATCH p=allShortestPaths((u:AZUser)-[*]->(a)) WHERE NOT a=u RETURN p",
"allowCollapse": true
}
]
},
{
"name": "[WIP] Route from principal(s) to Azure VM (Required: azurehound)",
"category": "AAD",
"queryList": [
{
"final": true,
"query": "MATCH p=allshortestpaths((a)-[*]->(vm:AZVM)) WHERE NOT a=vm RETURN p",
"allowCollapse": true
}
]
},
{
"name": "[WIP] Route from principal(s) to principal(s) with Global Administrator permissions (Required: azurehound)",
"category": "AAD",
"queryList": [
{
"final": true,
"query": "MATCH p=(ga)-[:AZGlobalAdmin|AZPrivilegedRoleAdmin*1..]->(:AZTenant) WHERE (ga:User OR ga:AZUser) WITH ga MATCH p=allshortestpaths((a)-[*]->(ga)) WHERE NOT a=ga RETURN p",
"allowCollapse": true
}
]
},
{
"name": "Find ALL Shortest Paths to Domain Admins",
"queryList": [
{
"final": false,
"title": "Select a Domain Admin group...",
"query": "MATCH (n:Group) WHERE n.objectid =~ $name RETURN n.name ORDER BY n.name DESC",
"props": {
"name": "(?i)S-1-5-.*-512"
}
},
{
"final": true,
"query": "MATCH p=allShortestPaths((n)-[:{}*1..]->(m:Group {name:$result})) WHERE NOT n=m RETURN p",
"allowCollapse": false,
"endNode": "{}"
}
]
},
{
"name": "Find ALL Shortest Paths to Domain Admins - Network",
"queryList": [
{
"final": false,
"title": "Select a Domain Admin group...",
"query": "MATCH (n:Group) WHERE n.objectid =~ $name RETURN n.name ORDER BY n.name DESC",
"props": {
"name": "(?i)S-1-5-.*-512"
}
},
{
"final": true,
"query": "MATCH p=allShortestPaths((n)-[:{}*1..]->(m:Group {name:$result})) WHERE NOT n=m WITH p,nodes(p) as nds MATCH q = ((src:Computer)-[:Open]->(trgt:Computer)) WHERE src IN nds AND trgt IN nds WITH p,q,nds,src,trgt,reduce(ix = -1, i IN RANGE(0,SIZE(nds)-1) | CASE nds[i] WHEN src THEN i ELSE ix END ) AS srcix, reduce(ix = -1, i IN RANGE(0,SIZE(nds)-1) | CASE nds[i] WHEN trgt THEN i ELSE ix END ) AS trgtix WHERE trgtix > srcix RETURN p,q",
"allowCollapse": false,
"endNode": "{}"
}
]
},
{
"name": "Find ALL Shortest Paths to Domain Admins - Filtered",
"queryList": [
{
"final": false,
"title": "Select a Domain Admin group...",
"query": "MATCH (n:Group) WHERE n.objectid =~ $name RETURN n.name ORDER BY n.name DESC",
"props": {
"name": "(?i)S-1-5-.*-512"
}
},
{
"final": true,
"query": "MATCH p=allShortestPaths((n)-[:{}*1..]->(m:Group {name:$result})) WHERE NOT n=m WITH nodes(p) as nds,p MATCH (src:Computer)-[:Open]->(trgt:Computer) MATCH (c:Computer) WHERE src IN nds AND trgt IN nds AND c IN nds WITH p,nds,c,src,trgt,reduce(ix = -1, i IN RANGE(0,SIZE(nds)-1) | CASE nds[i] WHEN src THEN i ELSE ix END ) AS srcix, reduce(ix = -1, i IN RANGE(0,SIZE(nds)-1) | CASE nds[i] WHEN trgt THEN i ELSE ix END ) AS trgtix WHERE trgtix > srcix WITH p,size(collect(DISTINCT c)) AS total_hosts, size(collect(DISTINCT trgt)) AS total_targets WHERE total_hosts = total_targets + 1 RETURN p",
"allowCollapse": false,
"endNode": "{}"
}
]
},
{
"name": "Find Shortest Paths to Domain Admins - Network",
"queryList": [
{
"final": false,
"title": "Select a Domain Admin group...",
"query": "MATCH (n:Group) WHERE n.objectid =~ $name RETURN n.name ORDER BY n.name DESC",
"props": {
"name": "(?i)S-1-5-.*-512"
}
},
{
"final": true,
"query": "MATCH p=shortestPath((n)-[:{}*1..]->(m:Group {name:$result})) WHERE NOT n=m WITH nodes(p) as nds,p MATCH q=((src:Computer)-[:Open]->(trgt:Computer)) MATCH (c:Computer) WHERE src IN nds AND trgt IN nds AND c IN nds WITH p,q,nds,c,src,trgt,reduce(ix = -1, i IN RANGE(0,SIZE(nds)-1) | CASE nds[i] WHEN src THEN i ELSE ix END ) AS srcix, reduce(ix = -1, i IN RANGE(0,SIZE(nds)-1) | CASE nds[i] WHEN trgt THEN i ELSE ix END ) AS trgtix WHERE trgtix > srcix WITH p,q,size(collect(DISTINCT c)) AS total_hosts, size(collect(DISTINCT trgt)) AS total_targets WHERE total_hosts = total_targets + 1 RETURN p,q",
"allowCollapse": false,
"endNode": "{}"
}
]
},
{
"name": "Find Shortest Paths to Domain Admins - Filtered",
"queryList": [
{
"final": false,
"title": "Select a Domain Admin group...",
"query": "MATCH (n:Group) WHERE n.objectid =~ $name RETURN n.name ORDER BY n.name DESC",
"props": {
"name": "(?i)S-1-5-.*-512"
}
},
{
"final": true,
"query": "MATCH p=shortestPath((n)-[:{}*1..]->(m:Group {name:$result})) WHERE NOT n=m WITH nodes(p) as nds,p MATCH q=((src:Computer)-[:Open]->(trgt:Computer)) MATCH (c:Computer) WHERE src IN nds AND trgt IN nds AND c IN nds WITH p,q,nds,c,src,trgt,reduce(ix = -1, i IN RANGE(0,SIZE(nds)-1) | CASE nds[i] WHEN src THEN i ELSE ix END ) AS srcix, reduce(ix = -1, i IN RANGE(0,SIZE(nds)-1) | CASE nds[i] WHEN trgt THEN i ELSE ix END ) AS trgtix WHERE trgtix > srcix WITH p,q,size(collect(DISTINCT c)) AS total_hosts, size(collect(DISTINCT trgt)) AS total_targets WHERE total_hosts = total_targets + 1 RETURN p,q",
"allowCollapse": false,
"endNode": "{}"
}
]
},
{
"name": "Shortest Paths to High Value Targets - Network",
"queryList": [
{
"final": false,
"title": "Select a Domain",
"query": "MATCH (n:Domain) RETURN n.name ORDER BY n.name DESC"
},
{
"final": true,
"query": "MATCH p=shortestPath((n)-[:{}*1..]->(m {highvalue:true})) WHERE m<>n WITH p, nodes(p) AS nds MATCH q = ((src:Computer)-[:Open]->(trgt:Computer)) WHERE src IN nds AND trgt IN nds WITH p,q,nds,src,trgt,reduce(ix = -1, i IN RANGE(0,SIZE(nds)-1) | CASE nds[i] WHEN src THEN i ELSE ix END ) AS srcix, reduce(ix = -1, i IN RANGE(0,SIZE(nds)-1) | CASE nds[i] WHEN trgt THEN i ELSE ix END ) AS trgtix WHERE trgtix > srcix RETURN p,q",
"allowCollapse": true,
"endNode": "{}"
}
]
},
{
"name": "Shortest Paths to High Value Targets - Filtered",
"queryList": [
{
"final": false,
"title": "Select a Domain",
"query": "MATCH (n:Domain) RETURN n.name ORDER BY n.name DESC"
},
{
"final": true,
"query": "MATCH p=shortestPath((n)-[:{}*1..]->(m {highvalue:true})) WHERE m<>n WITH p, nodes(p) AS nds MATCH (src:Computer)-[:Open]->(trgt:Computer) MATCH (c:Computer) WHERE src IN nds AND trgt IN nds AND c IN nds WITH p,nds,c,src,trgt,reduce(ix = -1, i IN RANGE(0,SIZE(nds)-1) | CASE nds[i] WHEN src THEN i ELSE ix END ) AS srcix, reduce(ix = -1, i IN RANGE(0,SIZE(nds)-1) | CASE nds[i] WHEN trgt THEN i ELSE ix END ) AS trgtix WHERE trgtix > srcix WITH p,size(collect(DISTINCT c)) AS total_hosts, size(collect(DISTINCT trgt)) AS total_targets WHERE total_hosts = total_targets + 1 RETURN p",
"allowCollapse": true,
"endNode": "{}"
}
]
},
{
"name": "Shortest Paths to Unconstrained Delegation Systems - Network",
"queryList": [
{
"final": true,
"query": "MATCH (n) MATCH p=shortestPath((n)-[:{}*1..]->(m:Computer {unconstraineddelegation: true})) WHERE NOT n=m WITH p, nodes(p) AS nds MATCH q = ((src:Computer)-[:Open]->(trgt:Computer)) WHERE src IN nds AND trgt IN nds WITH p,q,nds,src,trgt,reduce(ix = -1, i IN RANGE(0,SIZE(nds)-1) | CASE nds[i] WHEN src THEN i ELSE ix END ) AS srcix, reduce(ix = -1, i IN RANGE(0,SIZE(nds)-1) | CASE nds[i] WHEN trgt THEN i ELSE ix END ) AS trgtix WHERE trgtix > srcix RETURN p,q"
}
]
},
{
"name": "Shortest Paths to Unconstrained Delegation Systems - Filtered",
"queryList": [
{
"final": true,
"query": "MATCH (n) MATCH p=shortestPath((n)-[:{}*1..]->(m:Computer {unconstraineddelegation: true})) WHERE NOT n=m WITH p, nodes(p) AS nds MATCH (src:Computer)-[:Open]->(trgt:Computer) MATCH (c:Computer) WHERE src IN nds AND trgt IN nds AND c IN nds WITH p,nds,c,src,trgt,reduce(ix = -1, i IN RANGE(0,SIZE(nds)-1) | CASE nds[i] WHEN src THEN i ELSE ix END ) AS srcix, reduce(ix = -1, i IN RANGE(0,SIZE(nds)-1) | CASE nds[i] WHEN trgt THEN i ELSE ix END ) AS trgtix WHERE trgtix > srcix WITH p,size(collect(DISTINCT c)) AS total_hosts, size(collect(DISTINCT trgt)) AS total_targets WHERE total_hosts = total_targets + 1 RETURN p"
}
]
},
{
"name": "Shortest Paths to Domain Admins from Kerberoastable Users - Network",
"queryList": [
{
"final": false,
"title": "Select a Domain Admin group...",
"query": "MATCH (n:Group) WHERE n.objectid =~ $name RETURN n.name ORDER BY n.name DESC",
"props": {
"name": "(?i)S-1-5-.*-512"
}
},
{
"final": true,
"query": "MATCH p=shortestPath((n:User {hasspn:true})-[:{}*1..]->(m:Group {name:$result})) WITH p, nodes(p) AS nds MATCH q = ((src:Computer)-[:Open]->(trgt:Computer)) WHERE src IN nds AND trgt IN nds WITH p,q,nds,src,trgt,reduce(ix = -1, i IN RANGE(0,SIZE(nds)-1) | CASE nds[i] WHEN src THEN i ELSE ix END ) AS srcix, reduce(ix = -1, i IN RANGE(0,SIZE(nds)-1) | CASE nds[i] WHEN trgt THEN i ELSE ix END ) AS trgtix WHERE trgtix > srcix RETURN p,q",
"allowCollapse": true,
"endNode": "{}"
}
]
},
{
"name": "Shortest Paths to Domain Admins from Kerberoastable Users - Filtered",
"queryList": [
{
"final": false,
"title": "Select a Domain Admin group...",
"query": "MATCH (n:Group) WHERE n.objectid =~ $name RETURN n.name ORDER BY n.name DESC",
"props": {
"name": "(?i)S-1-5-.*-512"
}
},
{
"final": true,
"query": "MATCH p=shortestPath((n:User {hasspn:true})-[:{}*1..]->(m:Group {name:$result})) WITH p, nodes(p) AS nds MATCH (src:Computer)-[:Open]->(trgt:Computer) MATCH (c:Computer) WHERE src IN nds AND trgt IN nds AND c IN nds WITH p,nds,c,src,trgt,reduce(ix = -1, i IN RANGE(0,SIZE(nds)-1) | CASE nds[i] WHEN src THEN i ELSE ix END ) AS srcix, reduce(ix = -1, i IN RANGE(0,SIZE(nds)-1) | CASE nds[i] WHEN trgt THEN i ELSE ix END ) AS trgtix WHERE trgtix > srcix WITH p,size(collect(DISTINCT c)) AS total_hosts, size(collect(DISTINCT trgt)) AS total_targets WHERE total_hosts = total_targets + 1 RETURN p",
"allowCollapse": true,
"endNode": "{}"
}
]
},
{
"name": "Shortest Path from Owned Principals - Network",
"queryList": [
{
"final": false,
"title": "Select a user",
"query": "MATCH (n) WHERE n.owned=true RETURN n.name, n.PwdLastSet ORDER BY n.PwdLastSet ASC"
},
{
"final": true,
"query": "MATCH p=shortestPath((a {name:$result})-[:{}*1..]->(b:Computer)) WHERE NOT a=b WITH p, nodes(p) AS nds MATCH q = ((src:Computer)-[:Open]->(trgt:Computer)) WHERE src IN nds AND trgt IN nds WITH p,q,nds,src,trgt,reduce(ix = -1, i IN RANGE(0,SIZE(nds)-1) | CASE nds[i] WHEN src THEN i ELSE ix END ) AS srcix, reduce(ix = -1, i IN RANGE(0,SIZE(nds)-1) | CASE nds[i] WHEN trgt THEN i ELSE ix END ) AS trgtix WHERE trgtix > srcix RETURN p,q",
"startNode": "{}",
"allowCollapse": true
}
]
},
{
"name": "Shortest Path from Owned Principals - Filtered",
"queryList": [
{
"final": false,
"title": "Select a user",
"query": "MATCH (n) WHERE n.owned=true RETURN n.name, n.PwdLastSet ORDER BY n.PwdLastSet ASC"
},
{
"final": true,
"query": "MATCH p=shortestPath((a {name:$result})-[:{}*1..]->(b:Computer)) WHERE NOT a=b WITH p, nodes(p) AS nds MATCH (src:Computer)-[:Open]->(trgt:Computer) MATCH (c:Computer) WHERE src IN nds AND trgt IN nds AND c IN nds WITH p,nds,c,src,trgt,reduce(ix = -1, i IN RANGE(0,SIZE(nds)-1) | CASE nds[i] WHEN src THEN i ELSE ix END ) AS srcix, reduce(ix = -1, i IN RANGE(0,SIZE(nds)-1) | CASE nds[i] WHEN trgt THEN i ELSE ix END ) AS trgtix WHERE trgtix > srcix WITH p,size(collect(DISTINCT c)) AS total_hosts, size(collect(DISTINCT trgt)) AS total_targets WHERE total_hosts = total_targets + 1 RETURN p",
"startNode": "{}",
"allowCollapse": true
}
]
},
{
"name": "Shortest Paths to Domain Admins from Owned Principals - Network",
"queryList": [
{
"final": false,
"title": "Select a Domain Admin group...",
"query": "MATCH (n:Group) WHERE n.objectid =~ $name RETURN n.name ORDER BY n.name DESC",
"props": {
"name": "(?i)S-1-5-.*-512"
}
},
{
"final": true,
"query": "MATCH p=shortestPath((n {owned:true})-[:{}*1..]->(m:Group {name:$result})) WHERE NOT n=m WITH p, nodes(p) AS nds MATCH q = ((src:Computer)-[:Open]->(trgt:Computer)) WHERE src IN nds AND trgt IN nds WITH p,q,nds,src,trgt,reduce(ix = -1, i IN RANGE(0,SIZE(nds)-1) | CASE nds[i] WHEN src THEN i ELSE ix END ) AS srcix, reduce(ix = -1, i IN RANGE(0,SIZE(nds)-1) | CASE nds[i] WHEN trgt THEN i ELSE ix END ) AS trgtix WHERE trgtix > srcix RETURN p,q",
"allowCollapse": true,
"endNode": "{}"
}
]
},
{
"name": "Shortest Paths to Domain Admins from Owned Principals - Filtered",
"queryList": [
{
"final": false,
"title": "Select a Domain Admin group...",
"query": "MATCH (n:Group) WHERE n.objectid =~ $name RETURN n.name ORDER BY n.name DESC",
"props": {
"name": "(?i)S-1-5-.*-512"
}
},
{
"final": true,
"query": "MATCH p=shortestPath((n {owned:true})-[:{}*1..]->(m:Group {name:$result})) WHERE NOT n=m WITH p, nodes(p) AS nds MATCH (src:Computer)-[:Open]->(trgt:Computer) MATCH (c:Computer) WHERE src IN nds AND trgt IN nds AND c IN nds WITH p,nds,c,src,trgt,reduce(ix = -1, i IN RANGE(0,SIZE(nds)-1) | CASE nds[i] WHEN src THEN i ELSE ix END ) AS srcix, reduce(ix = -1, i IN RANGE(0,SIZE(nds)-1) | CASE nds[i] WHEN trgt THEN i ELSE ix END ) AS trgtix WHERE trgtix > srcix WITH p,size(collect(DISTINCT c)) AS total_hosts, size(collect(DISTINCT trgt)) AS total_targets WHERE total_hosts = total_targets + 1 RETURN p",
"allowCollapse": true,
"endNode": "{}"
}
]
},
{
"name": "Shortest Paths to High Value Targets - Network",
"queryList": [
{
"final": true,
"query": "MATCH p=shortestPath((n)-[:{}*1..]->(m {highvalue:true})) WHERE m<>n WITH p, nodes(p) AS nds MATCH q = ((src:Computer)-[:Open]->(trgt:Computer)) WHERE src IN nds AND trgt IN nds WITH p,q,nds,src,trgt,reduce(ix = -1, i IN RANGE(0,SIZE(nds)-1) | CASE nds[i] WHEN src THEN i ELSE ix END ) AS srcix, reduce(ix = -1, i IN RANGE(0,SIZE(nds)-1) | CASE nds[i] WHEN trgt THEN i ELSE ix END ) AS trgtix WHERE trgtix > srcix RETURN p,q",
"allowCollapse": true,
"endNode": "{}"
}
]
},
{
"name": "Shortest Paths to High Value Targets - Filtered",
"queryList": [
{
"final": true,
"query": "MATCH p=shortestPath((n)-[:{}*1..]->(m {highvalue:true})) WHERE m<>n WITH p, nodes(p) AS nds MATCH (src:Computer)-[:Open]->(trgt:Computer) MATCH (c:Computer) WHERE src IN nds AND trgt IN nds AND c IN nds WITH p,nds,c,src,trgt,reduce(ix = -1, i IN RANGE(0,SIZE(nds)-1) | CASE nds[i] WHEN src THEN i ELSE ix END ) AS srcix, reduce(ix = -1, i IN RANGE(0,SIZE(nds)-1) | CASE nds[i] WHEN trgt THEN i ELSE ix END ) AS trgtix WHERE trgtix > srcix WITH p,size(collect(DISTINCT c)) AS total_hosts, size(collect(DISTINCT trgt)) AS total_targets WHERE total_hosts = total_targets + 1 RETURN p",
"allowCollapse": true,
"endNode": "{}"
}
]
},
{
"name": "Kerberoastable Admins",
"queryList": [
{
"final": true,
"query": "MATCH (n:Group) WHERE n.objectsid =~ $sid WITH n MATCH p=(n)<-[MemberOf*1..]-(m {hasspn: true}) RETURN p",
"allowCollapse": true,
"props": {
"sid": "(?i)S-1-5-.*-512"
}
}
]
},
{
"name": "All Kerberoastable Users",
"queryList": [
{
"final": true,
"requireNodeSelect": false,
"query": "MATCH (n {hasspn: true}) RETURN n",
"allowCollapse": true,
"props": {
}
}
]
},
{
"name": "Where can owned users RDP",
"queryList": [
{
"final": true,
"requireNodeSelect": false,
"query": "MATCH p=(m:User {owned: true})-[r:MemberOf|CanRDP*1..]->(n:Computer) RETURN p",
"allowCollapse": true,
"props": {
}
}
]
},
{
"name": "Users with most local admin rights",
"queryList": [
{
"final": true,
"requireNodeSelect": false,
"query": "MATCH (U:User)-[r:MemberOf|AdminTo*1..]->(C:Computer) WITH U.name as n, COUNT(DISTINCT(C)) AS c RETURN n,c ORDER BY c DESC LIMIT 5",
"allowCollapse": true,
"props": {
}
}
]
},
{
"name": "All Owned Nodes",
"queryList": [
{
"final": true,
"requireNodeSelect": false,
"query": "MATCH (n {owned: true}) RETURN n",
"allowCollapse": true,
"props": {
}
}
]
},
{
"name": "Find computers with owned Admins",
"queryList": [
{
"final": true,
"query": "MATCH p=shortestPath((n:User {owned:true})-[r:AdminTo|MemberOf*1..]->(c:Computer)) return p",
"allowCollapse": false
}
]
},
{
"name": "Find owned Groups",
"queryList": [
{
"final": true,
"requireNodeSelect": false,
"query": "MATCH (n:User {owned: true})-[r:MemberOf]->(g:Group) RETURN g",
"allowCollapse": true,
"props": {
}
}
]
},
{
"name": "Find owned Domain Admins",
"queryList": [
{
"final": true,
"title": "Select a domain...",
"query": "MATCH (n:Group) WHERE n.name =~ $name AND n.owned=true WITH n MATCH p=(n)<-[r:MemberOf*1..]-(m) RETURN p",
"props": {
"name": "(?i).*DOMAIN ADMINS.*"
},
"allowCollapse": false
}
]
},
{
"name": "Find Shortest Path from owned Node to Domain Admin",
"queryList": [
{
"final": false,
"title": "Select a Domain Admin group...",
"query": "MATCH (n:Group) WHERE n.name =~ $name RETURN n.name ORDER BY n.name DESC",
"props": {
"name": "(?i).*DOMAIN ADMINS.*"
}
},
{
"final": true,
"query": "MATCH (n:User),(m:Group {name:$result}),p=shortestPath((n {owned:true})-[r:MemberOf|AdminTo|HasSession|Contains|GpLink|Owns|DCSync|AllExtendedRights|ForceChangePassword|GenericAll|GenericWrite|WriteDacl|WriteOwner*1..]->(m)) RETURN p",
"allowCollapse": true,
"endNode": "{}"
}
]
},
{
"name": "Find all other Rights Domain Users shouldn't have",
"queryList": [
{
"final": true,
"query": "MATCH p=(m:Group)-[r:Owns|WriteDacl|GenericAll|WriteOwner|ExecuteDCOM|GenericWrite|AllowedToDelegate|ForceChangePassword]->(n:Computer) WHERE m.objectid ENDS WITH '-513' OR m.objectsid ENDS WITH '-515' OR m.objectsid ENDS WITH 'S-1-5-11' OR m.objectsid ENDS WITH 'S-1-1-0' RETURN p",
"allowCollapse": true
}
]
},
{
"name": "Computers with administrative Domain Users",
"queryList": [
{
"final": true,
"query": "MATCH p=(m:Group)-[r:AddMember|AdminTo|AllExtendedRights|AllowedToDelegate|CanRDP|Contains|ExecuteDCOM|ForceChangePassword|GenericAll|GenericWrite|GetChanges|GetChangesAll|HasSession|Owns|ReadLAPSPassword|SQLAdmin|TrustedBy|WriteDACL|WriteOwner|AddAllowedToAct|AllowedToAct]->(t) WHERE m.objectsid ENDS WITH '-513' OR m.objectsid ENDS WITH '-515' OR m.objectsid ENDS WITH 'S-1-5-11' OR m.objectsid ENDS WITH 'S-1-1-0' RETURN p"
}
]
},
{
"name": "-------------------------- Engagement-specific Queries --------------------------",
"queryList": [
{
"final": true,
"query": ""
}
]
},
{
"name": "List all high-valued nodes",
"queryList": [
{
"final": true,
"query": "MATCH (n {highvalue:true}) RETURN n"
}
]
},
{
"name": "List all owned nodes",
"queryList": [
{
"final": true,
"query": "MATCH (n {owned:true}) RETURN n"
}
]
},
{
"name": "List all owned computers",
"queryList": [
{
"final": true,
"query": "MATCH (c:Computer {owned:true}) RETURN c"
}
]
},
{
"name": "List all owned groups",
"queryList": [
{
"final": true,
"query": "MATCH (g:Group {owned:true}) RETURN g"
}
]
},
{
"name": "List all owned users",
"queryList": [
{
"final": true,
"query": "MATCH (u:User {owned:true}) RETURN u"
}
]
},
{
"name": "List the groups of all owned users",
"queryList": [
{
"final": true,
"query": "MATCH p=(:User {owned:true})-[:MemberOf*]->(:Group) RETURN p"
}
]
},
{
"name": "Set the groups of all owned users as owned",
"queryList": [
{
"final": true,
"query": "MATCH p=(:User {owned:true})-[:MemberOf*]->(g:Group) SET g.owned = true RETURN p"
}
]
},
{
"name": "--------------------------- High-value-specific Queries ---------------------------",
"queryList": [
{
"final": true,
"query": ""
}
]
},
{
"name": "Remove inactive nodes from the list of high-value nodes",
"queryList": [
{
"final": true,
"query": "MATCH (n {highvalue:true, enabled:false}) SET n.highvalue = false, n.nothighvaluereason = 'Inactive' RETURN n"
}
]
},
{
"name": "Set DCSync principals as high-value nodes",
"queryList": [
{
"final": true,
"query": "MATCH p=(n {highvalue:false})-[:MemberOf|GetChanges|GetChangesAll*]->(:Domain) SET n.highvalue = true, n.highvaluereason = 'DCSync Principal' RETURN p"
}
]
},
{
"name": "Set Local Admin or Reset Password principals as high-value nodes",
"queryList": [
{
"final": true,
"query": "MATCH (n {highvalue:false})-[:AdminTo|ForceChangePassword*]->(m) SET n.highvalue = true, n.highvaluereason = 'Local Admin or Reset Password Principal' RETURN n"
}
]
},
{
"name": "Set Unconstrained Delegation principals as high-value nodes",
"queryList": [
{
"final": true,
"query": "MATCH (n {highvalue:false, unconstraineddelegation:true}) SET n.highvalue = true, n.highvaluereason = 'Unconstrained Delegation Principal' RETURN n"
}
]
},
{
"name": "Set principals with privileges on Computers as high-value nodes",
"queryList": [
{
"final": true,
"query": "MATCH (n {highvalue:false})-[*]->(:Computer) SET n.highvalue = true, n.highvaluereason = 'Principal with Privileges on Computers' RETURN n"
}
]
},
{
"name": "Set members of high-value groups as high-value nodes",
"queryList": [
{
"final": true,
"query": "MATCH (n {highvalue:false})-[:MemberOf*]->(g:Group {highvalue:true}) SET n.highvalue = true, n.highvaluereason = 'Member of a High-Value Group' RETURN g"
}
]
},
{
"name": "Set the groups of high-value nodes as high-value nodes",
"queryList": [
{
"final": true,
"query": "MATCH (n {highvalue:true})-[:MemberOf*]->(g:Group {highvalue:false}) SET g.highvalue = true, g.highvaluereason = 'Contains High-Value Members' RETURN g"
}
]
},
{
"name": "---------------------------- Kerberos-related Queries ----------------------------",
"queryList": [
{
"final": true,
"query": ""
}
]
},
{
"name": "Find Kerberoastable users who have administrative rights",
"queryList": [
{
"final": true,
"query": "MATCH (u {hasspn:true})-[:AdminTo*]->(:Computer) RETURN u"
}
]
},
{
"name": "Find Kerberoastable users who are members of high-value groups",
"queryList": [
{
"final": true,
"query": "MATCH p=shortestPath((:User {hasspn:true})-[:MemberOf*1..]->(:Group {highvalue:true})) RETURN p"
}
]
},
{
"name": "Find Kerberoastable users with a path to Domain Admin",
"queryList": [
{
"final": true,
"query": "MATCH p=shortestPath((:User {hasspn:true})-[*1..]->(g:Group)) WHERE g.objectid =~ $domainAdminId RETURN p",
"props": {
"domainAdminId": "(?i)S-1-5-.*-512"
}
}
]
},
{
"name": "List all Kerberoastable users",
"queryList": [
{
"final": true,
"query": "MATCH (u:User {hasspn: true}) RETURN u"
}
]
},
{
"name": "List all users with an SPN/Find all Kerberoastable Users with passwords last set less than 5 years ago",
"queryList": [
{
"final": true,
"query": "MATCH (u:User {hasspn:true}) WHERE u.pwdlastset < (datetime().epochseconds - (1825 * 86400)) AND NOT u.pwdlastset IN [-1.0, 0.0] RETURN u.name, u.pwdlastset order by u.pwdlastset "
}
]
},
{
"name": "List all users with an SPN/List all Kerberoastable users with passwords last set more than 5 years ago",
"queryList": [
{
"final": true,
"query": "MATCH (u:User {hasspn:true}) WHERE u.pwdlastset < (datetime().epochseconds - (1825 * 86400)) and NOT u.pwdlastset IN [-1.0, 0.0] RETURN u"
}
]
},
{
"name": "List users that can be AS-REP roasted",
"queryList": [
{
"final": true,
"query": "MATCH (u:User {dontreqpreauth: true}) RETURN u"
}
]
},
{
"name": "----------------------------- Owned-related Queries -----------------------------",
"queryList": [
{
"final": true,
"query": ""
}
]
},
{
"name": "Find the shortest path to Domain Admins from an owned node",
"queryList": [
{
"final": false,
"query": "MATCH (g:Group) WHERE g.objectid =~ $domainAdminId RETURN g.name ORDER BY g.name DESC",
"props": {
"domainAdminId": "(?i)S-1-5-.*-512"
},
"title": "Select a Domain Admin group..."
},
{
"final": true,
"query": "MATCH p=shortestPath((n {owned:true})-[*1..]->(m:Group {name:$result})) WHERE n <> m RETURN p"
}
],
"requireNodeSelect": true
},
{
"name": "Find the shortest path to a computer from an owned user",
"queryList": [
{
"final": true,
"query": "MATCH p=shortestPath((:User {owned:true})-[*1..]->(:Computer)) RETURN p"
}
]
},
{
"name": "Find the shortest path to a computer with Unconstrained Delegation enabled from an owned node",
"queryList": [
{
"final": true,
"query": "MATCH p=shortestPath((n {owned:true})-[*1..]->(c:Computer {unconstraineddelegation: true})) WHERE n <> c RETURN p"
}
]
},
{
"name": "Find the shortest path to a high-value node from an owned node",
"queryList": [
{
"final": true,
"query": "MATCH p=shortestPath((n {owned:true})-[*1..]->(m {highvalue:true})) WHERE n <> m RETURN p"
}
]
},
{
"name": "----------------------- Password/Session-related Queries -----------------------",
"queryList": [
{
"final": true,
"query": ""
}
]
},
{
"name": "Find all active Domain Admin sessions",
"queryList": [
{
"final": true,
"query": "MATCH (u:User)-[:MemberOf*]->(g:Group) WHERE g.objectid =~ $domainAdminId MATCH p=(:Computer)-[:HasSession*]->(u) RETURN p",
"props": {
"domainAdminId": "(?i)S-1-5-.*-512"
}
}
]
},
{
"name": "Find all sessions a user in a specific domain has",
"queryList": [
{
"final": false,
"query": "MATCH (d:Domain) RETURN d.name ORDER BY d.name",
"title": "Select source domain..."
},
{
"final": false,
"query": "MATCH (u:User {domain:$result}) RETURN u.name ORDER BY u.name",
"title": "Select source user..."
},
{
"final": true,
"query": "MATCH p=(:User {name:$result})-[:HasSession*]->(:Computer) RETURN p"
}
],
"requireNodeSelect": true
},
{
"name": "Find all users with their password in the AD",
"queryList": [
{
"final": true,
"query": "MATCH (u:User) WHERE u.userpassword IS NOT NULL RETURN u"
}
]
},
{
"name": "Find all users with the keyword \"pass\" in their description field",
"queryList": [
{
"final": true,
"query": "MATCH (u:User) WHERE u.description =~ $regex RETURN u",
"props": {
"regex": "(?i).*pass.*"
}
}
]
},
{
"name": "Find users that have never logged on and account is still active",
"queryList": [
{
"final": true,
"query": "MATCH (u:User {enabled:true}) WHERE u.lastlogontimestamp = -1.0 RETURN u"
}
]
},
{
"name": "-------------------------- Recon-related Queries (Basic) --------------------------",
"queryList": [
{
"final": true,
"query": ""
}
]
},
{
"name": "Return the name of every computer in the database where at least one SPN for the computer contains the string 'MSSQL'",
"queryList": [
{
"final": true,
"query": "MATCH (c:Computer) WHERE ANY (x IN c.serviceprincipalnames WHERE toUpper(x) CONTAINS 'MSSQL') RETURN c"
}
]
},
{
"name": "Show the groups of all high-value nodes",
"queryList": [
{
"final": true,
"query": "MATCH p=(:User)-[:MemberOf*]->(:Group {highvalue:true}) RETURN p"
}
]
},
{
"name": "View all computers (Warning: Heavy)",
"queryList": [
{
"final": true,
"query": "Match (c:Computer) RETURN c"
}
]
},
{
"name": "View all GPOs (Warning: Heavy)",
"queryList": [
{
"final": true,
"query": "Match (g:GPO) RETURN g"
}
]
},
{
"name": "View all groups (Warning: Heavy)",
"queryList": [
{
"final": true,
"query": "Match (g:Group) RETURN g"
}
]
},
{
"name": "View all users (Warning: Heavy)",
"queryList": [
{
"final": true,
"query": "Match (u:User) RETURN u"
}
]
},
{
"name": "View all groups that contain the word 'admin'",
"queryList": [
{
"final": true,
"query": "Match (g:Group) WHERE g.name CONTAINS 'ADMIN' RETURN g"
}
]
},
{
"name": "----------------------- Recon-related Queries (Advanced) -----------------------",
"queryList": [
{
"final": true,
"query": ""
}
]
},
{
"name": "----------------------------- Computer-related Queries -----------------------------",
"queryList": [
{
"final": true,
"query": ""
}
]
},
{
"name": "Find all computers with unsupported Operating Systems",
"queryList": [
{
"final": true,
"query": "MATCH (c:Computer) WHERE c.operatingsystem =~ $unsupportedOS RETURN c",
"props": {
"unsupportedOS": ".*(2000|2003|2008|xp|vista|7|me).*"
}
}
]
},
{
"name": "Find computers that Domain Users can RDP into",
"queryList": [
{
"final": true,
"query": "match p=(g:Group)-[:CanRDP*]->(c:Computer) WHERE g.objectid =~ $domainUserId return p",
"props": {
"domainUserId": "(?i)S-1-5-.*-513"
}
}
]
},
{
"name": "Find computers that allow Unconstrained Delegation that aren't domain controllers",
"queryList": [
{
"final": true,
"query": "MATCH (c1:Computer)-[:MemberOf*]->(g:Group) WHERE g.objectid =~ $domainControllerId WITH COLLECT(c1.name) AS domainControllers MATCH (c2:Computer {unconstraineddelegation:true}) WHERE NOT c2.name IN domainControllers RETURN c2",
"props": {
"domainControllerId": "(?i)S-1-5-.*-516"
}
}
]
},
{
"name": "Find computers with constrained delegation and the corresponding nodes they are allowed to delegate to",
"queryList": [
{
"final": true,
"query": "MATCH (c:Computer) WHERE c.allowedtodelegate IS NOT NULL RETURN c"
}
]
},
{
"name": "------------------------- Domain/Forest-related Queries -------------------------",
"queryList": [
{
"final": true,
"query": ""
}
]
},
{
"name": "Find a node from domain 'A' that can do anything to a foreign node",
"queryList": [
{
"final": false,
"query": "MATCH (d:Domain) RETURN d.name ORDER BY d.name",
"title": "Select source domain..."
},
{
"final": true,
"query": "MATCH p=(n:Domain {domain:$result})-[*]->(m:Domain) WHERE n <> m RETURN p"
}
],
"requireNodeSelect": true
},
{
"name": "Find a node in one domain that can do something to a foreign node",
"queryList": [
{
"final": true,
"query": "MATCH p=(n:Domain)-[*]->(m:Domain) WHERE n <> m RETURN p"
}
]
},
{
"name": "------------------------------- Group-related Queries -------------------------------",
"queryList": [
{
"final": true,
"query": ""
}
]
},
{
"name": "Find groups that can reset passwords (Warning: Heavy)",
"queryList": [
{
"final": true,
"query": "MATCH p=(:Group)-[:ForceChangePassword*]->(:User) RETURN p"
}
]
},
{
"name": "Find groups that can RDP",
"queryList": [
{
"final": true,
"query": "MATCH p=(:Group)-[:CanRDP*]->(:Computer) RETURN p"
}
]
},
{
"name": "Find groups that contain both users and computers",
"queryList": [
{
"final": true,
"query": "MATCH (:Computer)-[:MemberOf*]->(groupsWithComps:Group) WITH groupsWithComps MATCH (:User)-[:MemberOf*]->(groupsWithComps) RETURN DISTINCT(groupsWithComps) as groupsWithCompsAndUsers"
}
]
},
{
"name": "Find groups that have local admin rights (Warning: Heavy)",
"queryList": [
{
"final": true,
"query": "MATCH p=(:Group)-[:AdminTo*]->(:Computer) RETURN p"
}
]
},
{
"name": "Find rights that members of the Domain Users group should not have on computers",
"queryList": [
{
"final": true,
"query": "MATCH p=(g:Group)-[:Owns|WriteDacl|GenericAll|WriteOwner|ExecuteDCOM|GenericWrite|AllowedToDelegate|ForceChangePassword*]->(:Computer) WHERE g.objectid =~ $domainUserId RETURN p",
"props": {
"domainUserId": "(?i)S-1-5-.*-513"
}
}
]
},
{
"name": "-------------------------------- User-related Queries --------------------------------",
"queryList": [
{
"final": true,
"query": ""
}
]
},
{
"name": "Find all users that are part of the VPN group",
"queryList": [
{
"final": true,
"query": "Match p=(:User)-[:MemberOf*]->(g:Group) WHERE toUPPER (g.name) CONTAINS 'VPN' return p"
}
]
},
{
"name": "Find all users that have local admin rights",
"queryList": [
{
"final": true,
"query": "MATCH p=(:User)-[:AdminTo*]->(:Computer) RETURN p"
}
]
},
{
"name": "Find constrained delegation",
"queryList": [
{
"final": true,
"query": "MATCH p=(:User)-[:AllowedToDelegate*]->(:Computer) RETURN p"
}
]
},
{
"name": "Find if any domain user has interesting permissions against a GPO (Warning: Heavy)",
"queryList": [
{
"final": true,
"query": "MATCH p=(:User)-[:AllExtendedRights|GenericAll|GenericWrite|Owns|WriteDacl|WriteOwner|GpLink*]->(:GPO) RETURN p"
}
]
},
{
"name": "Find if unprivileged users have rights to add members into groups",
"queryList": [
{
"final": true,
"query": "MATCH p=shortestPath((:User {admincount:False})-[:AddMember*1..]->(:Group)) RETURN p"
}
]
},
{
"name": "List all users with password not required",
"queryList": [
{
"final": true,
"query": "MATCH (u:User {passwordnotreqd:true}) RETURN u"
}
]
},
{
"name": "List the groups of all users with password not required",
"queryList": [
{
"final": true,
"query": "MATCH p=(:User {passwordnotreqd:true})-[:MemberOf*]->(:Group) RETURN p"
}
]
},
{
"name": "Find more privileged groups",
"category": "High Value Targets",
"queryList": [
{
"final": true,
"query": "MATCH (g:Group) WHERE g.objectid =~ '.*-(512|517|518|519|520|521|522|526|527|(?i)S-1-5-32-(544|547|548|549|550|551|552|556|557|580)|(?i)S-1-5-9)$' OR toUpper(g.samaccountname) = 'DNSADMINS' RETURN g"
}
]
},
{
"name": "(Warning: edits the DB) Mark more privileged groups as HVT",
"category": "High Value Targets",
"queryList": [
{
"final": true,
"query": "MATCH (g:Group) WHERE g.objectid =~ '.*-(512|517|518|519|520|521|522|526|527|(?i)S-1-5-32-(544|547|548|549|550|551|552|556|557|580)|(?i)S-1-5-9)$' OR toUpper(g.samaccountname) = 'DNSADMINS' SET g.highvalue=TRUE RETURN g"
}
]
},
{
"name": "Find low value members of High Value Target Groups (1 hop)",
"category": "High Value Targets",
"queryList": [
{
"final": true,
"query": "MATCH p=(m {highvalue: FALSE})-[:MemberOf]->(g:Group {highvalue: TRUE}) RETURN p"
}
]
},
{
"name": "(Warning: edits the DB) Mark low value members of High Value Target Groups as HVT (1 hop)",
"category": "High Value Targets",
"queryList": [
{
"final": true,
"query": "MATCH p=(o {highvalue: FALSE})-[:MemberOf]->(g:Group {highvalue: TRUE}) SET o.highvalue=TRUE RETURN p"
}
]
},
{
"name": "Find objects containing names of some tier 0 software (SCCM, Veeam, ...)",
"category": "High Value Targets",
"queryList": [
{
"final": true,
"query": "MATCH (o) WHERE (o.samaccountname =~ '(?i).*(?:sccm|veeam|boomgar|tivoli|altiris|varonis|vcenter|vsphere|esx).*') RETURN o"
}
]
},
{
"name": "(Warning: edits the DB) Mark objects containing names of some tier 0 software (SCCM, Veeam, ...) as HVT",
"category": "High Value Targets",
"queryList": [
{
"final": true,
"query": "MATCH (o) WHERE (o.samaccountname =~ '(?i).*(?:sccm|veeam|boomgar|tivoli|altiris|varonis|vcenter|vsphere|esx).*') SET o.highvalue=TRUE RETURN o"
}
]
},
{
"name": "Find low value objects with ACLs on high value objects (1 hop, max 200, Heavy)",
"category": "High Value Targets",
"queryList": [
{
"final": true,
"query": "MATCH p=((a {highvalue: FALSE})-[r]->(b {highvalue: TRUE})) WHERE NOT (type(r) = 'Contains') RETURN p LIMIT 200"
}
]
},
{
"name": "(Warning: edits the DB) Mark low value objects with ACLs on high value objects as HVT (1 hop, max 200, Heavy)",
"category": "High Value Targets",
"queryList": [
{
"final": true,
"query": "MATCH p=((a {highvalue: FALSE})-[r]->(b {highvalue: TRUE})) WHERE NOT (type(r) = 'Contains') SET a.highvalue=TRUE RETURN p LIMIT 200"
}
]
},
{
"name": "Owned objects",
"category": "Owned Objects",
"queryList": [
{
"final": true,
"query": "MATCH (m) WHERE m.owned=TRUE RETURN m"
}
]
},
{
"name": "Direct groups of owned users",
"category": "Owned Objects",
"queryList": [
{
"final": true,
"query": "MATCH (u:User {owned:true}), (g:Group), p=(u)-[:MemberOf]->(g) RETURN p",
"props": {
},
"allowCollapse": true
}
]
},
{
"name": "Unrolled groups of owned users",
"category": "Owned Objects",
"queryList": [
{
"final": true,
"query": "MATCH (m:User) WHERE m.owned=TRUE WITH m MATCH p=(m)-[:MemberOf*1..]->(n:Group) RETURN p"
}
]
},
{
"name": "Shortest paths from owned objects to High Value Targets (5 hops)",
"category": "Owned Objects",
"queryList": [
{
"final": true,
"query": "MATCH p=shortestPath((n {owned:true})-[:MemberOf|HasSession|AdminTo|AllExtendedRights|AddMember|ForceChangePassword|GenericAll|GenericWrite|Owns|WriteDacl|WriteOwner|CanRDP|ExecuteDCOM|AllowedToDelegate|ReadLAPSPassword|Contains|GpLink|AddAllowedToAct|AllowedToAct|SQLAdmin|ReadGMSAPassword|HasSIDHistory|CanPSRemote*1..5]->(m {highvalue:true})) WHERE NOT n=m RETURN p",
"allowCollapse": true
}
]
},
{
"name": "Most exploitable paths from owned objects to High Value Targets (5 hops)",
"category": "Owned Objects",
"queryList": [
{
"final": true,
"query": "MATCH p=allShortestPaths((n {owned:true})-[:MemberOf|AdminTo|AllExtendedRights|AddMember|ForceChangePassword|GenericAll|GenericWrite|Owns|WriteDacl|WriteOwner|ExecuteDCOM|AllowedToDelegate|ReadLAPSPassword|Contains|GpLink|AddAllowedToAct|AllowedToAct|SQLAdmin|ReadGMSAPassword|HasSIDHistory*1..5]->(m {highvalue:true})) WHERE NOT n=m RETURN p",
"allowCollapse": true
}
]
},
{
"name": "Next steps (5 hops) from owned objects",
"category": "Owned Objects",
"queryList": [
{
"final": true,
"query": "MATCH p=shortestPath((c {owned: true})-[*1..5]->(s)) WHERE NOT c = s RETURN p"
}
]
},
{
"name": "Next steps (3 hops) from owned objects",
"category": "Owned Objects",
"queryList": [
{
"final": true,
"query": "MATCH p=shortestPath((c {owned: true})-[*1..3]->(s)) WHERE NOT c = s RETURN p"
}
]
},
{
"name": "Owned users with permissions against GPOs",
"category": "Owned Objects",
"queryList": [
{
"final": true,
"query": "MATCH p=(u:User {owned:true})-[r:AllExtendedRights|GenericAll|GenericWrite|Owns|WriteDacl|WriteOwner|GpLink*1..]->(g:GPO) RETURN p"
}
]
},
{
"name": "Connections between different domains/forests",
"category": "Domains/Forests",
"queryList": [
{
"final": true,
"query": "MATCH p = (a)-[r]->(b) WHERE NOT a.domain = b.domain RETURN p"
}
]
},
{
"name": "Connections (ACEs only) between different domains/forests",
"category": "Domains/Forests",
"queryList": [
{
"final": true,
"query": "MATCH p = (a)-[r]->(b) WHERE NOT a.domain = b.domain AND r.isacl = True RETURN p"
}
]
},
{
"name": "Can a user from domain A do anything to any computer in domain B (Warning: VERY Heavy)",
"category": "Domains/Forests",
"queryList": [
{
"final": false,
"title": "Select source domain...",
"query": "MATCH (n:Domain) RETURN n.name ORDER BY n.name DESC"
},
{
"final": false,
"title": "Select destination domain...",
"query": "MATCH (n:Domain) RETURN $result + '=>' + n.name ORDER BY n.name DESC"
},
{
"final": true,
"query": "WITH split($result, \"=>\") as selectedDomains WITH selectedDomains[0] as sourceDomain, selectedDomains[1] as destDomain MATCH (n:User {domain: sourceDomain}) MATCH (m:Computer {domain: destDomain}) MATCH p=allShortestPaths((n)-[r:MemberOf|HasSession|AdminTo|AllExtendedRights|AddMember|ForceChangePassword|GenericAll|GenericWrite|Owns|WriteDacl|WriteOwner|CanRDP|ExecuteDCOM|AllowedToDelegate|ReadLAPSPassword|Contains|GpLink|AddAllowedToAct|AllowedToAct|SQLAdmin*1..]->(m)) WHERE NOT n = m RETURN p",
"startNode": "{}",
"allowCollapse": false
}
]
},
{
"name": "Kerberoastable users with a path to DA",
"category": "Roasting",
"queryList": [
{
"final": true,
"query": "MATCH (u:User {hasspn:true}) MATCH (g:Group) WHERE g.objectid ENDS WITH '-512' MATCH p = shortestPath( (u)-[*1..]->(g) ) RETURN p"
}
]
},
{
"name": "Kerberoastable users with a path to High Value",
"category": "Roasting",
"queryList": [
{
"final": true,
"query": "MATCH (u:User {hasspn:true}),(n {highvalue:true}),p = shortestPath( (u)-[*1..]->(n) ) RETURN p"
}
]
},
{
"name": "Kerberoastable users and where they are AdminTo",
"category": "Roasting",
"queryList": [
{
"final": true,
"query": "OPTIONAL MATCH (u:User) WHERE u.hasspn=true OPTIONAL MATCH (u)-[r:AdminTo]->(c:Computer) RETURN u"
}
]
},
{
"name": "Kerberoastable users who are members of high value groups",
"category": "Roasting",
"queryList": [
{
"final": true,
"query": "MATCH (u:User)-[r:MemberOf*1..]->(g:Group) WHERE g.highvalue=true AND u.hasspn=true RETURN u"
}
]
},
{
"name": "Kerberoastable users with passwords last set > 5 years ago",
"category": "Roasting",
"queryList": [
{
"final": true,
"query": "MATCH (u:User) WHERE n.hasspn=true AND WHERE u.pwdlastset < (datetime().epochseconds - (1825 * 86400)) and NOT u.pwdlastset IN [-1.0, 0.0] RETURN u"
}
]
},
{
"name": "Kerberoastable Users",
"category": "Roasting",
"queryList": [
{
"final": true,
"query": "MATCH (n:User)WHERE n.hasspn=true RETURN n",
"allowCollapse": false
}
]
},
{
"name": "AS-REP Roastable Users",
"category": "Roasting",
"queryList": [
{
"final": true,
"query": "MATCH (u:User {dontreqpreauth: true}) RETURN u"
}
]
},
{
"name": "Unconstrained Delegations",
"category": "Kerberos Delegations",
"queryList": [
{
"final": true,
"query": "MATCH (c {unconstraineddelegation:true}) RETURN c"
}
]
},
{
"name": "Constrained Delegations (with Protocol Transition)",
"category": "Kerberos Delegations",
"queryList": [
{
"final": true,
"query": "MATCH (c) WHERE NOT c.allowedtodelegate IS NULL AND c.trustedtoauth=true RETURN c"
}
]
},
{
"name": "Constrained Delegations (without Protocol Transition)",
"category": "Kerberos Delegations",
"queryList": [
{
"final": true,
"query": "MATCH (c) WHERE NOT c.allowedtodelegate IS NULL AND c.trustedtoauth=false RETURN c"
}
]
},
{
"name": "Resource-Based Constrained Delegations",
"category": "Kerberos Delegations",
"queryList": [
{
"final": true,
"query": "MATCH p=(u)-[:AllowedToAct]->(c) RETURN p"
}
]
},
{
"name": "Unconstrained Delegation systems (without domain controllers)",
"category": "Kerberos Delegations",
"queryList": [
{
"final": true,
"query": "MATCH (c1:Computer)-[:MemberOf*1..]->(g:Group) WHERE g.objectid ENDS WITH '-516' WITH COLLECT(c1.name) AS domainControllers MATCH (c2 {unconstraineddelegation:true}) WHERE NOT c2.name IN domainControllers RETURN c2"
}
]
},
{
"name": "(Warning: edits the DB) Mark unconstrained delegation systems as high value targets",
"category": "Kerberos Delegations",
"queryList": [
{
"final": true,
"query": "MATCH (c1:Computer)-[:MemberOf*1..]->(g:Group) WHERE g.objectid ENDS WITH '-516' WITH COLLECT(c1.name) AS domainControllers MATCH (c2 {unconstraineddelegation:true}) WHERE NOT c2.name IN domainControllers SET c2.highvalue = true RETURN c2"
}
]
},
{
"name": "Shortest paths from owned principals to unconstrained delegation systems",
"category": "Kerberos Delegations",
"queryList": [
{
"final": true,
"query": "MATCH (n {owned:true}) MATCH p=shortestPath((n)-[:MemberOf|HasSession|AdminTo|AllExtendedRights|AddMember|ForceChangePassword|GenericAll|GenericWrite|Owns|WriteDacl|WriteOwner|ExecuteDCOM|AllowedToDelegate|ReadLAPSPassword|Contains|GpLink|AddAllowedToAct|AllowedToAct|SQLAdmin|ReadGMSAPassword|HasSIDHistory|CanPSRemote*1..]->(m:Computer {unconstraineddelegation: true})) WHERE NOT n=m RETURN p"
}
]
},
{
"name": "Between users (1 hop, max 200)",
"category": "Weak ACLs",
"queryList": [
{
"final": true,
"query": "MATCH p=(u1:User { enabled: TRUE } )-[:AllExtendedRights|AddMember|ForceChangePassword|GenericAll|GenericWrite|Owns|WriteDacl|WriteOwner|AddSelf|WriteSPN|AddKeyCredentialLink]->(u2:User) WHERE NOT(u1.name STARTS WITH 'MSOL_') RETURN p LIMIT 200"
}
]
},
{
"name": "Between users (3 hops, max 200)",
"category": "Weak ACLs",
"queryList": [
{
"final": true,
"query": "MATCH p=(u1:User { enabled: TRUE } )-[:AllExtendedRights|AddMember|ForceChangePassword|GenericAll|GenericWrite|Owns|WriteDacl|WriteOwner|AddSelf|WriteSPN|AddKeyCredentialLink*1..3]->(u2:User) WHERE NOT(u1.name STARTS WITH 'MSOL_') RETURN p LIMIT 200"
}
]
},
{
"name": "Between computers (1 hop, max 200)",
"category": "Weak ACLs",
"queryList": [
{
"final": true,
"query": "MATCH p=(c1:Computer {enabled: TRUE})-[:AllExtendedRights|AddMember|ForceChangePassword|GenericAll|GenericWrite|Owns|WriteDacl|WriteOwner|AddSelf|WriteSPN|AddKeyCredentialLink]->(c2:Computer) WHERE NOT(c1.name STARTS WITH 'MSOL_') RETURN p LIMIT 200"
}
]
},
{
"name": "Between computers (3 hops, max 200)",
"category": "Weak ACLs",
"queryList": [
{
"final": true,
"query": "MATCH p=(c1:Computer {enabled: TRUE})-[:AllExtendedRights|AddMember|ForceChangePassword|GenericAll|GenericWrite|Owns|WriteDacl|WriteOwner|AddSelf|WriteSPN|AddKeyCredentialLink*1..3]->(c2:Computer) WHERE NOT(c1.name STARTS WITH 'MSOL_') RETURN p LIMIT 200"
}
]
},
{
"name": "Find computers admin to other computers",
"category": "Weak ACLs",
"queryList": [
{
"final": true,
"query": "MATCH p = (c1:Computer)-[r1:AdminTo]->(c2:Computer) RETURN p UNION ALL MATCH p = (c3:Computer)-[r2:MemberOf*1..]->(g:Group)-[r3:AdminTo]->(c4:Computer) RETURN p"
}
]
},
{
"name": "Between enabled users and computers (1 hop, max 200)",
"category": "Weak ACLs",
"queryList": [
{
"final": true,
"query": "MATCH p=(u:User {enabled: TRUE})-[:AllExtendedRights|AddMember|ForceChangePassword|GenericAll|GenericWrite|Owns|WriteDacl|WriteOwner|AddSelf|WriteSPN|AddKeyCredentialLink]->(c:Computer) WHERE NOT(u.name STARTS WITH 'MSOL_') RETURN p LIMIT 200"
}
]
},
{
"name": "Between enabled users and computers (3 hops, max 200)",
"category": "Weak ACLs",
"queryList": [
{
"final": true,
"query": "MATCH p=(u:User {enabled: TRUE})-[:AllExtendedRights|AddMember|ForceChangePassword|GenericAll|GenericWrite|Owns|WriteDacl|WriteOwner|AddSelf|WriteSPN|AddKeyCredentialLink*1..3]->(c:Computer) WHERE NOT(u.name STARTS WITH 'MSOL_') RETURN p LIMIT 200"
}
]
},
{
"name": "Between enabled computers and users (1 hop, max 200)",
"category": "Weak ACLs",
"queryList": [
{
"final": true,
"query": "MATCH p=(c:Computer {enabled: TRUE})-[:AllExtendedRights|AddMember|ForceChangePassword|GenericAll|GenericWrite|Owns|WriteDacl|WriteOwner|AddSelf|WriteSPN|AddKeyCredentialLink]->(u:User) WHERE NOT(u.name STARTS WITH 'MSOL_') RETURN p LIMIT 200"
}
]
},
{
"name": "Between enabled computers and users (3 hops, max 200)",
"category": "Weak ACLs",
"queryList": [
{
"final": true,
"query": "MATCH p=(c:Computer {enabled: TRUE})-[:AllExtendedRights|AddMember|ForceChangePassword|GenericAll|GenericWrite|Owns|WriteDacl|WriteOwner|AddSelf|WriteSPN|AddKeyCredentialLink*1..3]->(u:User) WHERE NOT(u.name STARTS WITH 'MSOL_') RETURN p LIMIT 200"
}
]
},
{
"name": "Objects with the AddAllowedToAct or WriteAccountRestrictions right on an enabled computer",
"category": "Weak ACLs",
"queryList": [
{
"final": true,
"query": "MATCH p=(g {enabled: TRUE})-[:AddAllowedToAct|WriteAccountRestrictions]->(c:Computer {enabled: TRUE}) RETURN p"
}
]
},
{
"name": "Miscellaneous direct ACLs from enabled objects (1 hop, max 200)",
"category": "Weak ACLs",
"queryList": [
{
"final": true,
"query": "MATCH p=(u1 {enabled: TRUE})-[:AllExtendedRights|AddMember|ForceChangePassword|GenericAll|GenericWrite|Owns|WriteDacl|WriteOwner|AddSelf|WriteSPN|AddKeyCredentialLink|Enroll|ManageCa|ManageCertificates]->(u2) WHERE NOT(u1.name STARTS WITH 'MSOL_') AND NOT(u2.name STARTS WITH 'MSOL_') AND NOT(u1.name CONTAINS 'ADMIN') AND NOT(u2.name CONTAINS 'ADMIN') RETURN p LIMIT 200"
}
]
},
{
"name": "Miscellaneous direct ACLs from enabled objects (3 hops, max 200)",
"category": "Weak ACLs",
"queryList": [
{
"final": true,
"query": "MATCH p=(u1 {enabled: TRUE})-[:AllExtendedRights|AddMember|ForceChangePassword|GenericAll|GenericWrite|Owns|WriteDacl|WriteOwner|AddSelf|WriteSPN|AddKeyCredentialLink|Enroll|ManageCa|ManageCertificates*1..3]->(u2) WHERE NOT(u1.name STARTS WITH 'MSOL_') AND NOT(u2.name STARTS WITH 'MSOL_') AND NOT(u1.name CONTAINS 'ADMIN') AND NOT(u2.name CONTAINS 'ADMIN') RETURN p LIMIT 200"
}
]
},
{
"name": "Logged in Admins",
"category": "Admins",
"queryList": [
{
"final": true,
"query": "MATCH p=(a:Computer {enabled: TRUE})-[r:HasSession]->(b:User {enabled: TRUE}) WITH a,b,r MATCH p=shortestPath((b)-[:AdminTo|MemberOf*1..]->(a)) RETURN p",
"allowCollapse": true
}
]
},
{
"name": "Users with local admin rights",
"category": "Admins",
"queryList": [
{
"final": true,
"query": "MATCH p=(m:User {enabled: TRUE})-[r:AdminTo]->(n:Computer {enabled: TRUE}) RETURN p"
}
]
},
{
"name": "Domain admins sessions",
"category": "Admins",
"queryList": [
{
"final": true,
"query": "MATCH (n:User {enabled: TRUE})-[:MemberOf]->(g:Group) WHERE g.objectid ENDS WITH '-512' MATCH p = (c:Computer {enabled: TRUE})-[:HasSession]->(n) RETURN p"
}
]
},
{
"name": "Privileged users sessions",
"category": "Admins",
"queryList": [
{
"final": true,
"query": "MATCH (n:User {enabled: TRUE})-[:MemberOf*1..]->(g:Group {highvalue: TRUE}) MATCH p = (c:Computer {enabled: TRUE})-[:HasSession]->(n) RETURN p"
}
]
},
{
"name": "Users with adminCount, not sensitive for delegation, not members of Protected Users",
"category": "Admins",
"queryList": [
{
"final": true,
"query": "MATCH (u)-[:MemberOf*1..]->(g:Group) WHERE g.objectid =~ \"(?i)S-1-5-.*-525\" WITH COLLECT (u.name) as protectedUsers MATCH p=(u2:User)-[:MemberOf*1..3]->(g2:Group) WHERE u2.admincount=true AND u2.sensitive=false AND NOT u2.name IN protectedUsers RETURN p"
}
]
},
{
"name": "Enabled Domain/Enterprise Administrators, not sensitive for delegation and not members of Protected Users",
"category": "Admins",
"queryList": [
{
"final": true,
"query": "MATCH (u:User {enabled: TRUE, admincount: TRUE})-[:MemberOf*1..]->(g:Group) WHERE g.objectid =~ '.*-525$' WITH COLLECT(u.objectid) as protectedUsers MATCH p=(u2:User {enabled: TRUE, admincount: TRUE, sensitive: FALSE})-[:MemberOf*1..]->(g2:Group) WHERE NOT u2.objectid IN protectedUsers AND g2.objectid =~ '.*-(512|519|(?i)S-1-5-32-544)$' RETURN p"
}
]
},
{
"name": "Enabled users, members of high value groups, not sensitive for delegation and not members of Protected Users (Heavy)",
"category": "Admins",
"queryList": [
{
"final": true,
"query": "MATCH (u:User {enabled: TRUE, admincount: TRUE})-[:MemberOf*1..]->(g:Group) WHERE g.objectid =~ '.*-525$' WITH COLLECT (u.objectid) as protectedUsers MATCH p=(u2:User {enabled: TRUE, sensitive: FALSE})-[:MemberOf*1..]->(g2:Group {highvalue: TRUE}) WHERE NOT u2.objectid IN protectedUsers RETURN p"
}
]
},
{
"name": "Groups that contain the word 'admin'",
"category": "Groups",
"queryList": [
{
"final": true,
"query": "Match (n:Group) WHERE n.name CONTAINS 'ADMIN' RETURN n"
}
]
},
{
"name": "Groups that can change user passwords",
"category": "Groups",
"queryList": [
{
"final": true,
"query": "MATCH p=(m:Group)-[r:ForceChangePassword]->(n:User) RETURN DISTINCT m[.]name, COUNT(m[.]name) ORDER BY COUNT(m[.]name) DESC"
}
]
},
{
"name": "Groups of High Value Targets",
"category": "Groups",
"queryList": [
{
"final": true,
"query": "MATCH p=(n:User)-[r:MemberOf*1..]->(m:Group {highvalue:true}) RETURN p"
}
]
},
{
"name": "Non Admin Groups with High Value Privileges",
"category": "Groups",
"queryList": [
{
"final": true,
"query": "MATCH p=(g:Group)-[r:Owns|:WriteDacl|:GenericAll|:WriteOwner|:ExecuteDCOM|:GenericWrite|:AllowedToDelegate|:ForceChangePassword]->(n:Computer) WHERE NOT g.name CONTAINS 'ADMIN' RETURN p",
"allowCollapse": true
}
]
},
{
"name": "Groups with Computer and User Objects",
"category": "Groups",
"queryList": [
{
"final": true,
"query": "MATCH (c:Computer)-[r:MemberOf*1..]->(groupsWithComps:Group) WITH groupsWithComps MATCH (u:User)-[r:MemberOf*1..]->(groupsWithComps) RETURN DISTINCT(groupsWithComps) as groupsWithCompsAndUsers",
"allowCollapse": true,
"endNode": "{}"
}
]
},
{
"name": "Groups that can reset passwords (Warning: Heavy)",
"category": "Groups",
"queryList": [
{
"final": true,
"query": "MATCH p=(m:Group)-[r:ForceChangePassword]->(n:User) RETURN p"
}
]
},
{
"name": "Groups that have local admin rights (Warning: Heavy)",
"category": "Groups",
"queryList": [
{
"final": true,
"query": "MATCH p=(m:Group)-[r:AdminTo]->(n:Computer) RETURN p"
}
]
},
{
"name": "Users never logged on and account still active",
"category": "Users",
"queryList": [
{
"final": true,
"query": "MATCH (n:User) WHERE n.lastlogontimestamp=-1.0 AND n.enabled=TRUE RETURN n "
}
]
},
{
"name": "Users logged in the last 90 days",
"category": "Users",
"queryList": [
{
"final": true,
"query": "MATCH (u:User) WHERE u.lastlogon < (datetime().epochseconds - (90 * 86400)) and NOT u.lastlogon IN [-1.0, 0.0] RETURN u"
}
]
},
{
"name": "Users with passwords last set in the last 90 days",
"category": "Users",
"queryList": [
{
"final": true,
"query": "MATCH (u:User) WHERE u.pwdlastset < (datetime().epochseconds - (90 * 86400)) and NOT u.pwdlastset IN [-1.0, 0.0] RETURN u"
}
]
},
{
"name": "Find if unprivileged users have rights to add members into groups",
"category": "Users",
"queryList": [
{
"final": true,
"query": "MATCH (n:User {admincount:False}) MATCH p=allShortestPaths((n)-[r:AddMember*1..]->(m:Group)) RETURN p"
}
]
},
{
"name": "Find all users that are part of the VPN group",
"category": "Users",
"queryList": [
{
"final": true,
"query": "Match p=(u:User)-[:MemberOf]->(g:Group) WHERE toUPPER (g.name) CONTAINS 'VPN' RETURN p"
}
]
},
{
"name": "View all GPOs",
"category": "GPOs",
"queryList": [
{
"final": true,
"query": "MATCH (g:GPO) RETURN g"
}
]
},
{
"name": "(Warning: edits the DB) Mark all GPOs as High Value Target",
"category": "GPOs",
"queryList": [
{
"final": true,
"query": "MATCH (g:GPO) SET g.highvalue=TRUE RETURN g"
}
]
},
{
"name": "Find if any low value object has interesting permissions against a GPO (1 hop)",
"category": "GPOs",
"queryList": [
{
"final": true,
"query": "MATCH p=(o {highvalue: FALSE})-[:AllExtendedRights|GenericAll|GenericWrite|Owns|WriteDacl|WriteOwner|GpLink]->(g:GPO) RETURN p"
}
]
},
{
"name": "(Warning: edits the DB) Mark any low value object with interesting permissions against a GPO as HVT (1 hop)",
"category": "GPOs",
"queryList": [
{
"final": true,
"query": "MATCH p=(o {highvalue: FALSE})-[:AllExtendedRights|GenericAll|GenericWrite|Owns|WriteDacl|WriteOwner|GpLink]->(g:GPO) SET o.highvalue=TRUE RETURN p"
}
]
},
{
"name": "Find if any domain user has interesting permissions against a GPO (Warning: Heavy)",
"category": "GPOs",
"queryList": [
{
"final": true,
"query": "MATCH p=(u:User)-[r:AllExtendedRights|GenericAll|GenericWrite|Owns|WriteDacl|WriteOwner|GpLink*1..]->(g:GPO) RETURN p"
}
]
},
{
"name": "Find all computers running with Windows XP",
"category": "Outdated OS",
"queryList": [
{
"final": true,
"query": "MATCH (c:Computer) WHERE toUpper(c.operatingsystem) CONTAINS 'XP' RETURN c"
}
]
},
{
"name": "Find all computers running with Windows 2000",
"category": "Outdated OS",
"queryList": [
{
"final": true,
"query": "MATCH (c:Computer) WHERE toUpper(c.operatingsystem) CONTAINS '2000' RETURN c"
}
]
},
{
"name": "Find all computers running with Windows 2003",
"category": "Outdated OS",
"queryList": [
{
"final": true,
"query": "MATCH (c:Computer) WHERE toUpper(c.operatingsystem) CONTAINS '2003' RETURN c"
}
]
},
{
"name": "Find all computers running with Windows 2008",
"category": "Outdated OS",
"queryList": [
{
"final": true,
"query": "MATCH (c:Computer) WHERE toUpper(c.operatingsystem) CONTAINS '2008' RETURN c"
}
]
},
{
"name": "Find all computers running with Windows Vista",
"category": "Outdated OS",
"queryList": [
{
"final": true,
"query": "MATCH (c:Computer) WHERE toUpper(c.operatingsystem) CONTAINS 'VISTA' RETURN c"
}
]
},
{
"name": "Find all computers running with Windows 7",
"category": "Outdated OS",
"queryList": [
{
"final": true,
"query": "MATCH (c:Computer) WHERE toUpper(c.operatingsystem) CONTAINS '7' RETURN c"
}
]
},
{
"name": "Top Ten Users with Most Sessions",
"category": "Top Ten",
"queryList": [
{
"final": true,
"query": "MATCH (n:User),(m:Computer), (n)<-[r:HasSession]-(m) WHERE NOT n.name STARTS WITH 'ANONYMOUS LOGON' AND NOT n.name='' WITH n, count(r) as rel_count order by rel_count desc LIMIT 10 MATCH p=(m)-[r:HasSession]->(n) RETURN p",
"allowCollapse": true
}
]
},
{
"name": "Top Ten Computers with Most Sessions",
"category": "Top Ten",
"queryList": [
{
"final": true,
"query": "MATCH (n:User),(m:Computer), (n)<-[r:HasSession]-(m) WHERE NOT n.name STARTS WITH 'ANONYMOUS LOGON' AND NOT n.name='' WITH m, count(r) as rel_count order by rel_count desc LIMIT 10 MATCH p=(m)-[r:HasSession]->(n) RETURN p",
"allowCollapse": true
}
]
},
{
"name": "Top Ten Users with Most Local Admin Rights",
"category": "Top Ten",
"queryList": [
{
"final": true,
"query": "MATCH (n:User),(m:Computer), (n)-[r:AdminTo]->(m) WHERE NOT n.name STARTS WITH 'ANONYMOUS LOGON' AND NOT n.name='' WITH n, count(r) as rel_count order by rel_count desc LIMIT 10 MATCH p=(m)<-[r:AdminTo]-(n) RETURN p",
"allowCollapse": true
}
]
},
{
"name": "Top Ten Computers with Most Admins and their admins",
"category": "Top Ten",
"queryList": [
{
"final": true,
"query": "MATCH (n:User),(m:Computer), (n)-[r:AdminTo]->(m) WHERE NOT n.name STARTS WITH 'ANONYMOUS LOGON' AND NOT n.name='' WITH m, count(r) as rel_count order by rel_count desc LIMIT 10 MATCH p=(m)<-[r:AdminTo]-(n) RETURN p",
"allowCollapse": true
}
]
},
{
"name": "Top Ten Computers with Most Admins",
"category": "Top Ten",
"queryList": [
{
"final": true,
"query": "MATCH (n:User),(m:Computer), (n)-[r:AdminTo]->(m) WHERE NOT n.name STARTS WITH 'ANONYMOUS LOGON' AND NOT n.name='' WITH m, count(r) as rel_count order by rel_count desc LIMIT 10 MATCH p=(m)<-[r:AdminTo]-(n) RETURN m",
"allowCollapse": true
}
]
},
{
"name": "(Warning: edits the DB) Mark Top Ten Computers with Most Admins as HVT",
"category": "Top Ten",
"queryList": [
{
"final": true,
"query": "MATCH (n:User),(m:Computer), (n)-[r:AdminTo]->(m) WHERE NOT n.name STARTS WITH 'ANONYMOUS LOGON' AND NOT n.name='' WITH m, count(r) as rel_count order by rel_count desc LIMIT 10 MATCH p=(m)<-[r:AdminTo]-(n) SET m.highvalue = true RETURN m",
"allowCollapse": true
}
]
},
{
"name": "Top 20 nodes with most first-degree object controls",
"category": "Top Ten",
"queryList": [
{
"final": true,
"query": "MATCH p=(u)-[r1]->(n) WHERE r1.isacl = true WITH u, count(r1) AS count_ctrl ORDER BY count_ctrl DESC LIMIT 20 RETURN u",
"allowCollapse": true
}
]
},
{
"name": "Top Ten nodes with most group delegated object controls",
"category": "Top Ten",
"queryList": [
{
"final": true,
"query": "MATCH p=(u)-[r1:MemberOf*1..]->(g:Group)-[r2]->(n) WHERE r2.isacl=true WITH u, count(r2) AS count_ctrl ORDER BY count_ctrl DESC LIMIT 20 RETURN u",
"allowCollapse": true
}
]
},
{
"name": "Find machines Domain Users can RDP into",
"category": "RDP",
"queryList": [
{
"final": true,
"query": "MATCH p=(g:Group)-[:CanRDP]->(c:Computer) where g.objectid ENDS WITH '-513' RETURN p"
}
]
},
{
"name": "Find Servers Domain Users can RDP To",
"category": "RDP",
"queryList": [
{
"final": true,
"query": "MATCH p=(g:Group)-[:CanRDP]->(c:Computer) where g.name STARTS WITH 'DOMAIN USERS' AND c.operatingsystem CONTAINS 'Server' RETURN p",
"allowCollapse": true
}
]
},
{
"name": "Find what groups can RDP",
"category": "RDP",
"queryList": [
{
"final": true,
"query": "MATCH p=(m:Group)-[r:CanRDP]->(n:Computer) RETURN p"
}
]
},
{
"name": "Return All Azure Users that are part of the 'Global Administrator' Role",
"category": "Azure",
"queryList": [
{
"final": true,
"query": "MATCH p =(n)-[r:AZGlobalAdmin*1..]->(m) RETURN p"
}
]
},
{
"name": "Return All Azure Users and their Groups",
"category": "Azure",
"queryList": [
{
"final": true,
"query": "MATCH p=(m:AZUser)-[r:MemberOf]->(n) WHERE NOT m.objectid CONTAINS 'S-1-5' RETURN p"
}
]
},
{
"name": "Find objects with the ManageCa or ManageCertificates right on Certificate Authorities",
"category": "Certificates",
"queryList": [
{
"final": true,
"query": "MATCH p=(o)-[:ManageCa|ManageCertificates]->(c:GPO {type: 'Enrollment Service'}) RETURN p"
}
]
},
{
"name": "Show Enrollment Rights for Certificate Template",
"category": "Certificates",
"queryList": [
{
"final": false,
"title": "Select a Certificate Template...",
"query": "MATCH (n:GPO) WHERE n.type = 'Certificate Template' RETURN n.name"
},
{
"final": true,
"query": "MATCH p=(g)-[:Enroll|AutoEnroll]->(n:GPO {name:$result}) WHERE n.type = 'Certificate Template' RETURN p",
"allowCollapse": false
}
]
},
{
"name": "Show Rights for Certificate Authority",
"category": "Certificates",
"queryList": [
{
"final": false,
"title": "Select a Certificate Authority...",
"query": "MATCH (n:GPO) WHERE n.type = 'Enrollment Service' RETURN n.name"
},
{
"final": true,
"query": "MATCH p=(g)-[:ManageCa|ManageCertificates|Auditor|Operator|Read|Enroll]->(n:GPO {name:$result}) RETURN p",
"allowCollapse": false
}
]
},
{
"name": "Find Misconfigured Certificate Templates (ESC1)",
"category": "AD CS Domain Escalation",
"queryList": [
{
"final": true,
"query": "MATCH (n:GPO) WHERE n.type = 'Certificate Template' and n.`Enrollee Supplies Subject` = true and n.`Client Authentication` = true and n.`Enabled` = true RETURN n"
}
]
},
{
"name": "Shortest Paths to Misconfigured Certificate Templates from Owned Principals (ESC1)",
"category": "AD CS Domain Escalation",
"queryList": [
{
"final": true,
"query": "MATCH p=allShortestPaths((g {owned:true})-[*1..]->(n:GPO)) WHERE g<>n and n.type = 'Certificate Template' and n.`Enrollee Supplies Subject` = true and n.`Client Authentication` = true and n.`Enabled` = true RETURN p"
}
]
},
{
"name": "Find Misconfigured Certificate Templates (ESC2)",
"category": "AD CS Domain Escalation",
"queryList": [
{
"final": true,
"query": "MATCH (n:GPO) WHERE n.type = 'Certificate Template' and n.`Enabled` = true and (n.`Extended Key Usage` = [] or 'Any Purpose' IN n.`Extended Key Usage`) RETURN n"
}
]
},
{
"name": "Shortest Paths to Misconfigured Certificate Templates from Owned Principals (ESC2)",
"category": "AD CS Domain Escalation",
"queryList": [
{
"final": true,
"query": "MATCH p=allShortestPaths((g {owned:true})-[*1..]->(n:GPO)) WHERE g<>n and n.type = 'Certificate Template' and n.`Enabled` = true and (n.`Extended Key Usage` = [] or 'Any Purpose' IN n.`Extended Key Usage`) RETURN p"
}
]
},
{
"name": "Find Enrollment Agent Templates (ESC3)",
"category": "AD CS Domain Escalation",
"queryList": [
{
"final": true,
"query": "MATCH (n:GPO) WHERE n.type = 'Certificate Template' and n.`Enabled` = true and (n.`Extended Key Usage` = [] or 'Any Purpose' IN n.`Extended Key Usage` or 'Certificate Request Agent' IN n.`Extended Key Usage`) RETURN n"
}
]
},
{
"name": "Shortest Paths to Enrollment Agent Templates from Owned Principals (ESC3)",
"category": "AD CS Domain Escalation",
"queryList": [
{
"final": true,
"query": "MATCH p=allShortestPaths((g {owned:true})-[*1..]->(n:GPO)) WHERE g<>n and n.type = 'Certificate Template' and n.`Enabled` = true and (n.`Extended Key Usage` = [] or 'Any Purpose' IN n.`Extended Key Usage` or 'Certificate Request Agent' IN n.`Extended Key Usage`) RETURN p"
}
]
},
{
"name": "Shortest Paths to Vulnerable Certificate Template Access Control (ESC4)",
"category": "AD CS Domain Escalation",
"queryList": [
{
"final": true,
"query": "MATCH p=shortestPath((g)-[:GenericAll|GenericWrite|Owns|WriteDacl|WriteOwner*1..]->(n:GPO)) WHERE g<>n and n.type = 'Certificate Template' and n.`Enabled` = true RETURN p"
}
]
},
{
"name": "Shortest Paths to Vulnerable Certificate Template Access Control from Owned Principals (ESC4)",
"category": "AD CS Domain Escalation",
"queryList": [
{
"final": true,
"query": "MATCH p=allShortestPaths((g {owned:true})-[r*1..]->(n:GPO)) WHERE g<>n and n.type = 'Certificate Template' and n.Enabled = true and NONE(x in relationships(p) WHERE type(x) = 'Enroll' or type(x) = 'AutoEnroll') RETURN p"
}
]
},
{
"name": "Find Certificate Authorities with User Specified SAN (ESC6)",
"category": "AD CS Domain Escalation",
"queryList": [
{
"final": true,
"query": "MATCH (n:GPO) WHERE n.type = 'Enrollment Service' and n.`User Specified SAN` = 'Enabled' RETURN n"
}
]
},
{
"name": "Shortest Paths to Vulnerable Certificate Authority Access Control (ESC7)",
"category": "AD CS Domain Escalation",
"queryList": [
{
"final": true,
"query": "MATCH p=shortestPath((g)-[r:GenericAll|GenericWrite|Owns|WriteDacl|WriteOwner|ManageCa|ManageCertificates*1..]->(n:GPO)) WHERE g<>n and n.type = 'Enrollment Service' RETURN p"
}
]
},
{
"name": "Shortest Paths to Vulnerable Certificate Authority Access Control from Owned Principals (ESC7)",
"category": "AD CS Domain Escalation",
"queryList": [
{
"final": true,
"query": "MATCH p=allShortestPaths((g {owned:true})-[*1..]->(n:GPO)) WHERE g<>n and n.type = 'Enrollment Service' and NONE(x in relationships(p) WHERE type(x) = 'Enroll' or type(x) = 'AutoEnroll') RETURN p"
}
]
},
{
"name": "Find Certificate Authorities with HTTP Web Enrollment (ESC8)",
"category": "AD CS Domain Escalation",
"queryList": [
{
"final": true,
"query": "MATCH (n:GPO) WHERE n.type = 'Enrollment Service' and n.`Web Enrollment` = 'Enabled' RETURN n"
}
]
},
{
"name": "Find Unsecured Certificate Templates - Domain Escalation (ESC9)",
"category": "AD CS Domain Escalation",
"queryList": [
{
"final": true,
"query": "MATCH (n:GPO) WHERE n.type = 'Certificate Template' and n.`Enrollee Supplies Subject` = true and n.`Client Authentication` = true and n.`Enabled` = true RETURN n"
}
]
},
{
"name": "Find Unsecured Certificate Templates - PKI (ESC9)",
"category": "AD CS Domain Escalation",
"queryList": [
{
"final": true,
"query": "MATCH (n:GPO) WHERE n.type = 'Certificate Template' and 'NoSecurityExtension' in n.`Enrollment Flag` and n.`Enabled` = true RETURN n"
}
]
},
{
"name": "Shortest Paths to Unsecured Certificate Templates from Owned Principals (ESC9)",
"category": "AD CS Domain Escalation",
"queryList": [
{
"final": true,
"query": "MATCH p=allShortestPaths((g {owned:true})-[r*1..]->(n:GPO)) WHERE n.type = 'Certificate Template' and g<>n and 'NoSecurityExtension' in n.`Enrollment Flag` and n.`Enabled` = true and NONE(rel in r WHERE type(rel) in ['EnabledBy','Read','ManageCa','ManageCertificates']) RETURN p"
}
]
},
{
"name": "Find users with a plaintext attribute that can RDP into something",
"category": "PlainText Password Queries",
"queryList": [
{
"final": true,
"query": "MATCH (u1:User) WHERE u1.plaintext=True MATCH p1=(u1)-[:CanRDP*1..]->(c:Computer) RETURN u1",
"allowCollapse": true
}
]
},
{
"name": "Find users with a plaintext attribute that belong to high value groups",
"category": "PlainText Password Queries",
"queryList": [
{
"final": true,
"query": "MATCH (u1:User) WHERE u1.plaintext=True MATCH p=(u1:User)-[r:MemberOf*1..]->(m:Group {highvalue:true}) RETURN u1",
"allowCollapse": true
}
]
},
{
"name": "Find users with a plaintext attribute that are kerberoastable",
"category": "PlainText Password Queries",
"queryList": [
{
"final": true,
"query": "MATCH (u1:User) WHERE u1.plaintext=True AND u1.hasspn=True RETURN u1",
"allowCollapse": true
}
]
},
{
"name": "Return users with seasons in their password who have local admin on at least one computer",
"category": "PlainText Password Queries",
"queryList": [
{
"final": true,
"query": "MATCH (u1:User) WHERE u1.plaintextpassword =~ \"([Ww]inter.*|[sS]pring.*|[sS]ummer.*|[fF]all.*)\" MATCH p=(u1:User)-[r:AdminTo]->(n:Computer) RETURN p",
"allowCollapse": true
}
]
},
{
"name": "Return users with seasons in their password and a path to high value targets (limit to 25 results)",
"category": "PlainText Password Queries",
"queryList": [
{
"final": true,
"query": "MATCH (u1:User) WHERE u1.plaintextpassword =~ \"([Ww]inter.*|[sS]pring.*|[sS]ummer.*|[fF]all.*)\" MATCH p=shortestPath((u1:User)-[*1..]->(n {highvalue:true})) WHERE u1<>n RETURN u1 LIMIT 25",
"allowCollapse": true
}
]
},
{
"name": "Return users with a variant of \"password\" in their password who have local admin on at least one computer",
"category": "PlainText Password Queries",
"queryList": [
{
"final": true,
"query": "MATCH (u1:User) WHERE u1.plaintextpassword =~ \"(.*[pP][aA@][sS$][sS$][wW][oO0][rR][dD].*)\" MATCH p=(u1:User)-[r:AdminTo]->(n:Computer) RETURN p",
"allowCollapse": true
}
]
},
{
"name": "Return users with a variant of \"password\" in their password and a path to high value targets (limit to 25 results)",
"category": "PlainText Password Queries",
"queryList": [
{
"final": true,
"query": "MATCH (u1:User) WHERE u1.plaintextpassword =~ \"(.*[pP][aA@][sS$][sS$][wW][oO0][rR][dD].*)\" MATCH p=shortestPath((u1:User)-[*1..]->(n {highvalue:true})) WHERE u1<>n RETURN u1 LIMIT 25",
"allowCollapse": true
}
]
},
{
"name": "Return all Members of the 'Global Administrator' Role",
"category": "Azure - General",
"queryList": [
{
"final": true,
"query": "MATCH p =(n)-[r:AZGlobalAdmin*1..]->(m) RETURN p"
}
]
},
{
"name": "Return all Members of High Privileged Roles",
"category": "Azure - General",
"queryList": [
{
"final": true,
"query": "MATCH p=(n)-[:AZHasRole|AZMemberOf*1..2]->(r:AZRole) WHERE r.displayname =~ '(?i)Global Administrator|User Administrator|Cloud Application Administrator|Authentication Policy Administrator|Exchange Administrator|Helpdesk Administrator|PRIVILEGED AUTHENTICATION ADMINISTRATOR|Domain Name Administrator|Hybrid Identity Administrator|External Identity Provider Administrator|Privileged Role Administrator|Partner Tier2 Support|Application Administrator|Directory Synchronization Accounts' RETURN p"
}
]
},
{
"name": "Return all Members of High Privileged Roles that are synced from OnPrem AD",
"category": "Azure - General",
"queryList": [
{
"final": true,
"query": "MATCH p=(n WHERE n.onpremisesyncenabled = true)-[:AZHasRole|AZMemberOf*1..2]->(r:AZRole WHERE r.displayname =~ '(?i)Global Administrator|User Administrator|Cloud Application Administrator|Authentication Policy Administrator|Exchange Administrator|Helpdesk Administrator|PRIVILEGED AUTHENTICATION ADMINISTRATOR') RETURN p"
}
]
},
{
"name": "Return all Azure Users that are synced from OnPrem AD",
"category": "Azure - General",
"queryList": [
{
"final": true,
"query": "MATCH (n:AZUser WHERE n.onpremisesyncenabled = true) RETURN n",
"allowCollapse": true
}
]
},
{
"name": "Return all Azure Groups that are synced from OnPrem AD",
"category": "Azure - General",
"queryList": [
{
"final": true,
"query": "MATCH (g:AZGroup {onpremsyncenabled: True}) RETURN g"
}
]
},
{
"name": "Return all Owners of Azure Applications",
"category": "Azure - General",
"queryList": [
{
"final": true,
"query": "MATCH p = (n)-[r:AZOwns]->(g:AZApp) RETURN p"
}
]
},
{
"name": "Return all Azure Subscriptions",
"category": "Azure - General",
"queryList": [
{
"final": true,
"query": "MATCH (n:AZSubscription) RETURN n"
}
]
},
{
"name": "Return all Azure Subscriptions and their direct Controllers",
"category": "Azure - General",
"queryList": [
{
"final": true,
"query": "MATCH p = (n)-[r:AZOwns|AZUserAccessAdministrator]->(g:AZSubscription) RETURN p"
}
]
},
{
"name": "Return all principals with the UserAccessAdministrator Role against Subscriptions",
"category": "Azure - General",
"queryList": [
{
"final": true,
"query": "MATCH p = (u)-[r:AZUserAccessAdministrator]->(n:AZSubscription) RETURN p"
}
]
},
{
"name": "Return all principals with the UserAccessAdministrator Role",
"category": "Azure - General",
"queryList": [
{
"final": true,
"query": "MATCH p = (u)-[r:AZUserAccessAdministrator]->(n) RETURN p"
}
]
},
{
"name": "Return all Azure Users that DON'T hold an Azure Role but do hold the RBAC Role \"User Access Administrator\"",
"category": "Azure - General",
"queryList": [
{
"final": true,
"query": "MATCH (u:AZUser) WHERE NOT EXISTS((u)-[:AZMemberOf|AZHasRole*1..]->(:AZRole)) AND EXISTS((u)-[:AZUserAccessAdministrator]->()) RETURN u"
}
]
},
{
"name": "Return all Azure Principals that DON'T hold an Azure Role but do hold the RBAC Role \"User Access Administrator\"",
"category": "Azure - General",
"queryList": [
{
"final": true,
"query": "MATCH (u) WHERE NOT EXISTS((u)-[:AZMemberOf|AZHasRole*1..]->(:AZRole)) AND EXISTS((u)-[:AZUserAccessAdministrator]->()) RETURN u"
}
]
},
{
"name": "Find all Azure Users with a Path to High Value Targets",
"category": "Azure - Paths",
"queryList": [
{
"final": true,
"query": "MATCH (m:AZUser),(n {highvalue:true}),p=shortestPath((m)-[r*1..]->(n)) WHERE NONE (r IN relationships(p) WHERE type(r)= \"GetChanges\") AND NONE (r in relationships(p) WHERE type(r)=\"GetChangesAll\") AND NOT m=n RETURN p",
"allowCollapse": true
}
]
},
{
"name": "Find OnPrem synced Users with Paths to High Value Targets",
"category": "Azure - Paths",
"queryList": [
{
"final": true,
"query": "MATCH (m:AZUser WHERE m.onpremisesyncenabled = true),(n {highvalue:true}),p=shortestPath((m)-[r*1..]->(n)) WHERE NONE (r IN relationships(p) WHERE type(r)= \"GetChanges\") AND NONE (r in relationships(p) WHERE type(r)=\"GetChangesAll\") AND NOT m=n RETURN p",
"allowCollapse": true
}
]
},
{
"name": "Find shortest Paths to High Value Roles",
"category": "Azure - Paths",
"queryList": [
{
"final": true,
"query": "MATCH (n:AZRole WHERE n.displayname =~ '(?i)Global Administrator|User Administrator|Cloud Application Administrator|Authentication Policy Administrator|Exchange Administrator|Helpdesk Administrator|PRIVILEGED AUTHENTICATION ADMINISTRATOR'), (m), p=shortestPath((m)-[r*1..]->(n)) WHERE NOT m=n RETURN p",
"allowCollapse": true
}
]
},
{
"name": "Find Azure Applications with Paths to High Value Targets",
"category": "Azure - Paths",
"queryList": [
{
"final": true,
"query": "MATCH (m:AZApp),(n {highvalue:true}),p=shortestPath((m)-[r*1..]->(n)) WHERE NONE (r IN relationships(p) WHERE type(r)= \"GetChanges\") AND NONE (r in relationships(p) WHERE type(r)=\"GetChangesAll\") AND NOT m=n RETURN p",
"allowCollapse": true
}
]
},
{
"name": "Find shortest Paths from Azure Users to Subscriptions",
"category": "Azure - Paths",
"queryList": [
{
"final": true,
"query": "MATCH (n:AZUser) WITH n MATCH p = shortestPath((n)-[r*1..]->(g:AZSubscription)) RETURN p"
}
]
},
{
"name": "Find all Paths to Azure VMs",
"category": "Azure - Paths",
"queryList": [
{
"final": true,
"query": "MATCH p = (n)-[r]->(g:AZVM) RETURN p"
}
]
},
{
"name": "Find shortest Path from Owned Azure Users to VMs",
"category": "Azure - Paths",
"queryList": [
{
"final": true,
"query": "MATCH (n:AZVM) MATCH p = shortestPath((m:AZUser{owned: true})-[*..]->(n)) RETURN p",
"allowCollapse": true
}
]
},
{
"name": "Find all Paths to Azure KeyVaults",
"category": "Azure - Paths",
"queryList": [
{
"final": true,
"query": "MATCH p = (n)-[r]->(g:AZKeyVault) RETURN p"
}
]
},
{
"name": "Find all Paths to Azure KeyVaults from Owned Principals",
"category": "Azure - Paths",
"queryList": [
{
"final": true,
"query": "MATCH p = ({owned: true})-[r]->(g:AZKeyVault) RETURN p",
"allowCollapse": true
}
]
},
{
"name": "Find shortest Paths to Azure Subscriptions",
"category": "Azure - Paths",
"queryList": [
{
"final": true,
"query": "MATCH (n:AZSubscription), (m), p=shortestPath((m)-[r*1..]->(n)) WHERE NOT m=n RETURN p",
"allowCollapse": true
}
]
},
{
"name": "Find the Paths to Resources from Azure Users that DON'T hold an Azure Role but do hold the RBAC Role \"User Access Administrator\"",
"category": "Azure - Paths",
"queryList": [
{
"final": true,
"query": "MATCH p=(u:AZUser)-[:AZUserAccessAdministrator]->(target) WHERE NOT EXISTS((u)-[:AZMemberOf|AZHasRole*1..]->(:AZRole)) RETURN u, p",
"allowCollapse": true
}
]
},
{
"name": "Find the Paths to Resources from Azure Principals that DON'T hold an Azure Role but do hold the RBAC Role \"User Access Administrator\"",
"category": "Azure - Paths",
"queryList": [
{
"final": true,
"query": "MATCH p=(u)-[:AZUserAccessAdministrator]->(target) WHERE NOT EXISTS((u)-[:AZMemberOf|AZHasRole*1..]->(:AZRole)) RETURN u, p",
"allowCollapse": true
}
]
},
{
"name": "Return all Service Principals with MS Graph AZMGGrantAppRoles rights -> PrivEsc Path to Global Admin",
"category": "Azure - MS Graph",
"queryList": [
{
"final": true,
"query": "MATCH p=(n)-[r:AZMGGrantAppRoles]->(o:AZTenant) RETURN p",
"allowCollapse": true
}
]
},
{
"name": "Return all Service Principals with MS Graph App Role Assignments",
"category": "Azure - MS Graph",
"queryList": [
{
"final": true,
"query": "MATCH p=(m:AZServicePrincipal)-[r:AZMGAppRoleAssignment_ReadWrite_All|AZMGApplication_ReadWrite_All|AZMGDirectory_ReadWrite_All|AZMGGroupMember_ReadWrite_All|AZMGGroup_ReadWrite_All|AZMGRoleManagement_ReadWrite_Directory|AZMGServicePrincipalEndpoint_ReadWrite_All]->(n:AZServicePrincipal) RETURN p",
"allowCollapse": true
}
]
},
{
"name": "Return all direct Controllers of MS Graph",
"category": "Azure - MS Graph",
"queryList": [
{
"final": true,
"query": "MATCH p = (n)-[r:AZAddOwner|AZAddSecret|AZAppAdmin|AZCloudAppAdmin|AZMGAddOwner|AZMGAddSecret|AZOwns]->(g:AZServicePrincipal {appdisplayname: \"Microsoft Graph\"}) RETURN p",
"allowCollapse": true
}
]
},
{
"name": "Find shortest Paths to MS Graph",
"category": "Azure - MS Graph",
"queryList": [
{
"final": true,
"query": "MATCH (n) WHERE NOT n.displayname=\"Microsoft Graph\" WITH n MATCH p = shortestPath((n)-[r*1..]->(g:AZServicePrincipal {appdisplayname: \"Microsoft Graph\"})) WHERE n<>g RETURN p",
"allowCollapse": true
}
]
},
{
"name": "Return all Azure Service Principals",
"category": "Azure - Service Principals",
"queryList": [
{
"final": true,
"query": "MATCH (sp:AZServicePrincipal) RETURN sp",
"allowCollapse": true
}
]
},
{
"name": "Return all PRIVILEGED Azure Service Principals",
"category": "Azure - Service Principals",
"queryList": [
{
"final": true,
"query": "MATCH p=(n:AZServicePrincipal)-[:AZHasRole|AZMemberOf*1..2]->(r:AZRole) WHERE r.displayname =~ '(?i)Global Administrator|User Administrator|Cloud Application Administrator|Authentication Policy Administrator|Exchange Administrator|Helpdesk Administrator|PRIVILEGED AUTHENTICATION ADMINISTRATOR|Domain Name Administrator|Hybrid Identity Administrator|External Identity Provider Administrator|Privileged Role Administrator|Partner Tier2 Support|Application Administrator|Directory Synchronization Accounts' RETURN p",
"allowCollapse": true
}
]
},
{
"name": "Find all VMs with a tied Managed Identity",
"category": "Azure - Service Principals",
"queryList": [
{
"final": true,
"query": "MATCH p=(:AZVM)-[:AZManagedIdentity]->(n) RETURN p",
"allowCollapse": true
}
]
},
{
"name": "Return all Azure Service Principals that are Managed Identities",
"category": "Azure - Service Principals",
"queryList": [
{
"final": true,
"query": "MATCH (sp:AZServicePrincipal {serviceprincipaltype: 'ManagedIdentity'}) RETURN sp",
"allowCollapse": true
}
]
},
{
"name": "Return all Azure Service Principals that are tied to Apps",
"category": "Azure - Service Principals",
"queryList": [
{
"final": true,
"query": "MATCH (sp:AZServicePrincipal {serviceprincipaltype: 'Application'}) RETURN sp",
"allowCollapse": true
}
]
},
{
"name": "Find all Azure Privileged Service Principals",
"category": "Azure - Service Principals",
"queryList": [
{
"final": true,
"query": "MATCH p = (g:AZServicePrincipal)-[r]->(n) RETURN p"
}
]
},
{
"name": "Find shortest Paths from Owned Azure Users to Azure Service Principals",
"category": "Azure - Service Principals",
"queryList": [
{
"final": true,
"query": "MATCH (u:AZUser {owned: true}), (m:AZServicePrincipal) MATCH p = shortestPath((u)-[*..]->(m)) RETURN p",
"allowCollapse": true
}
]
},
{
"name": "Find shortest Paths from Owned Azure Users to Azure Service Principals that are Managed Identities",
"category": "Azure - Service Principals",
"queryList": [
{
"final": true,
"query": "MATCH (u:AZUser {owned: true}), (m:AZServicePrincipal {serviceprincipaltype: 'ManagedIdentity'}) MATCH p = shortestPath((u)-[*..]->(m)) RETURN p",
"allowCollapse": true
}
]
},
{
"name": "Find shortest Paths from all Azure Users to Azure Service Principals that are Managed Identities",
"category": "Azure - Service Principals",
"queryList": [
{
"final": true,
"query": "MATCH (u:AZUser), (m:AZServicePrincipal {serviceprincipaltype: 'ManagedIdentity'}) MATCH p = shortestPath((u)-[*..]->(m)) RETURN p",
"allowCollapse": true
}
]
},
{
"name": "Find all Service Principals that are Managed Identities and have a Path to an Azure Key Vault",
"category": "Azure - Service Principals",
"queryList": [
{
"final": true,
"query": "MATCH (m:AZServicePrincipal {serviceprincipaltype: 'ManagedIdentity'})-[*]->(kv:AZKeyVault) WITH collect(m) AS managedIdentities MATCH p = (n)-[r]->(kv:AZKeyVault) WHERE n IN managedIdentities RETURN p",
"allowCollapse": true
}
]
},
{
"name": "Find Paths from Managed Identities tied to a VM with a path to a Key Vault",
"category": "Azure - Service Principals",
"queryList": [
{
"final": true,
"query": "MATCH p1 = (:AZVM)-[:AZManagedIdentity]->(n) WITH collect(n) AS managedIdentities MATCH p2 = (m:AZServicePrincipal {serviceprincipaltype: 'ManagedIdentity'})-[*]->(kv:AZKeyVault) WHERE m IN managedIdentities RETURN p2",
"allowCollapse": true
}
]
},
{
"name": "Return all Users and Azure Users possibly related to AADConnect",
"category": "Azure - AADConnect",
"queryList": [
{
"final": true,
"query": "MATCH (u) WHERE (u:User OR u:AZUser) AND (u.name =~ '(?i)^MSOL_|.*AADConnect.*' OR u.userprincipalname =~ '(?i)^sync_.*') OPTIONAL MATCH (u)-[:HasSession]->(s:Session) RETURN u, s",
"allowCollapse": true
}
]
},
{
"name": "Find all Sessions of possibly AADConnect related Accounts",
"category": "Azure - AADConnect",
"queryList": [
{
"final": true,
"query": "MATCH p=(m:Computer)-[:HasSession]->(n) WHERE (n:User OR n:AZUser) AND ((n.name =~ '(?i)^MSOL_|.*AADConnect.*') OR (n.userPrincipalName =~ '(?i)^sync_.*')) RETURN p",
"allowCollapse": true
}
]
},
{
"name": "Find all AADConnect Servers (extracted from the SYNC_ Account names)",
"category": "Azure - AADConnect",
"queryList": [
{
"final": true,
"query": "MATCH (n:AZUser) WHERE n.name =~ '(?i)^SYNC_(.*?)_(.*?)@.*' WITH n, split(n.name, '_')[1] AS computerNamePattern MATCH (c:Computer) WHERE c.name CONTAINS computerNamePattern RETURN c",
"allowCollapse": true
}
]
},
{
"name": "Find shortest Paths to AADConnect Servers from Owned Users",
"category": "Azure - AADConnect",
"queryList": [
{
"final": true,
"query": "MATCH (n:AZUser) WHERE n.name =~ '(?i)^SYNC_(.*?)_(.*?)@.*' WITH n, split(n.name, '_')[1] AS computerNamePattern MATCH (c:Computer) WHERE c.name CONTAINS computerNamePattern WITH collect(c) AS computers MATCH p = shortestPath((u:User)-[*]-(c:Computer)) WHERE c IN computers AND length(p) > 0 AND u.owned = true RETURN u, p",
"allowCollapse": true
}
]
},
{
"name": "Add indexes to the database",
"category": "Indexes",
"queryList": [
{
"final": false,
"title": "Add index on the property Base SamAccountName",
"query": "CREATE INDEX BaseSamAccountNameIdx IF NOT EXISTS FOR (b:Base) on (b.samaccountname)"
},
{
"final": false,
"title": "Add index on the property Computer SamAccountName",
"query": "CREATE INDEX ComputerSamAccountNameIdx IF NOT EXISTS FOR (c:Computer) on (c.samaccountname)"
},
{
"final": false,
"title": "Add index on the property User SamAccountName",
"query": "CREATE INDEX UserSamAccountNameIdx IF NOT EXISTS FOR (u:User) on (u.samaccountname)"
},
{
"final": false,
"title": "Add index on the property Computer Owned",
"query": "CREATE INDEX ComputerOwnedIdx IF NOT EXISTS FOR (c:Computer) on (c.owned)"
},
{
"final": false,
"title": "Add index on the property User Owned",
"query": "CREATE INDEX UserOwnedIdx IF NOT EXISTS FOR (u:User) on (u.owned)"
},
{
"final": false,
"title": "Add index on the property Group Owned",
"query": "CREATE INDEX GroupOwnedIdx IF NOT EXISTS FOR (g:Group) on (g.owned)"
},
{
"final": false,
"title": "Add index on the property GPO Owned",
"query": "CREATE INDEX GPOOwnedIdx IF NOT EXISTS FOR (g:GPO) on (g.owned)"
},
{
"final": false,
"title": "Add index on the property Computer Highvalue",
"query": "CREATE INDEX ComputerHighValueIdx IF NOT EXISTS FOR (c:Computer) on (c.highvalue)"
},
{
"final": false,
"title": "Add index on the property User Highvalue",
"query": "CREATE INDEX UserHighValueIdx IF NOT EXISTS FOR (u:User) on (u.highvalue)"
},
{
"final": false,
"title": "Add index on the property Group Highvalue",
"query": "CREATE INDEX GroupHighValueIdx IF NOT EXISTS FOR (g:Group) on (g.highvalue)"
},
{
"final": false,
"title": "Add index on the property GPO Highvalue",
"query": "CREATE INDEX GPOHighValueIdx IF NOT EXISTS FOR (g:GPO) on (g.highvalue)"
},
{
"final": false,
"title": "Add index on the property User Sensitive",
"query": "CREATE INDEX UserSensitiveIdx IF NOT EXISTS FOR (u:User) on (u.sensitive)"
},
{
"final": false,
"title": "Add index on the property User Admincount",
"query": "CREATE INDEX UserAdminCountIdx IF NOT EXISTS FOR (u:User) on (u.admincount)"
},
{
"final": false,
"title": "Add index on the property Computer Enabled",
"query": "CREATE INDEX ComputerEnabledIdx IF NOT EXISTS FOR (c:Computer) on (c.enabled)"
},
{
"final": false,
"title": "Add index on the property User Enabled",
"query": "CREATE INDEX UserEnabledIdx IF NOT EXISTS FOR (u:User) on (u.enabled)"
},
{
"final": true,
"title": "Add index on the property GPO Enabled",
"query": "CREATE INDEX GPOEnabledIdx IF NOT EXISTS FOR (g:GPO) on (g.enabled)"
}
]
}
]
}