BloodHound customqueries.json
{
"queries": [{
"name": "--https://github.com/ZephrFish/Bloodhound-CustomQueries/--",
"queryList": [{
"final": true,
"query": ""
}]
},
{
"name": "Return All Azure Users that are part of the 'Global Administrator' Role",
"category": "Azure",
"queryList": [{
"final": true,
"query": "MATCH p =(n)-[r:AZGlobalAdmin*1..]->(m) RETURN p"
}]
},
{
"name": "Return All On-Prem users with edges to Azure",
"category": "Azure",
"queryList": [{
"final": true,
"query": "MATCH p=(m:User)-[r:AZResetPassword|AZOwns|AZUserAccessAdministrator|AZContributor|AZAddMembers|AZGlobalAdmin|AZVMContributor|AZOwnsAZAvereContributor]->(n) WHERE m.objectid CONTAINS 'S-1-5-21' RETURN p"
}]
},
{
"name": "Find all paths to an Azure VM",
"category": "Azure",
"queryList": [{
"final": true,
"query": "MATCH p = (n)-[r]->(g:AZVM) RETURN p"
}]
},
{
"name": "Find all paths to an Azure KeyVault",
"category": "Azure",
"queryList": [{
"final": true,
"query": "MATCH p = (n)-[r]->(g:AZKeyVault) RETURN p"
}]
},
{
"name": "Return All Azure Users and their Groups",
"category": "Azure",
"queryList": [{
"final": true,
"query": "MATCH p=(m:AZUser)-[r:MemberOf]->(n) WHERE NOT m.objectid CONTAINS 'S-1-5' RETURN p"
}]
},
{
"name": "Return All Azure AD Groups that are synchronized with On-Premise AD",
"category": "Azure",
"queryList": [{
"final": true,
"query": "MATCH (n:Group) WHERE n.objectid CONTAINS 'S-1-5' AND n.azsyncid IS NOT NULL RETURN n"
}]
},
{
"name": "Find all Privileged Service Principals",
"category": "Azure",
"queryList": [{
"final": true,
"query": "MATCH p = (g:AZServicePrincipal)-[r]->(n) RETURN p"
}]
},
{
"name": "Find all Owners of Azure Applications",
"category": "Azure",
"queryList": [{
"final": true,
"query": "MATCH p = (n)-[r:AZOwns]->(g:AZApp) RETURN p"
}]
},
{
"name": "Find the Shortest path to a high value target from an owned object",
"category": "Azure",
"queryList": [{
"final": true,
"query": "MATCH p=shortestPath((g {owned:true})-[*1..]->(n {highvalue:true})) WHERE g<>n return p"
}]
},
{
"name": "Find the Shortest path to an unconstrained delegation system from an owned object",
"category": "Azure",
"queryList": [{
"final": true,
"query": "MATCH (n) MATCH p=shortestPath((n)-[*1..]->(m:Computer {unconstraineddelegation: true})) WHERE NOT n=m AND n.owned = true RETURN p"
}]
},
{
"name": "Find all Certificate Templates",
"category": "Certificates",
"queryList": [{
"final": true,
"query": "MATCH (n:GPO) WHERE n.type = 'Certificate Template' RETURN n"
}]
},
{
"name": "Find enabled Certificate Templates",
"category": "Certificates",
"queryList": [{
"final": true,
"query": "MATCH (n:GPO) WHERE n.type = 'Certificate Template' and n.Enabled = true RETURN n"
}]
},
{
"name": "Find Certificate Authorities",
"category": "Certificates",
"queryList": [{
"final": true,
"query": "MATCH (n:GPO) WHERE n.type = 'Enrollment Service' RETURN n"
}]
},
{
"name": "Show Enrollment Rights for Certificate Template",
"category": "Certificates",
"queryList": [{
"final": false,
"title": "Select a Certificate Template...",
"query": "MATCH (n:GPO) WHERE n.type = 'Certificate Template' RETURN n.name"
},
{
"final": true,
"query": "MATCH p=(g)-[:Enroll|AutoEnroll]->(n:GPO {name:$result}) WHERE n.type = 'Certificate Template' return p",
"allowCollapse": false
}
]
},
{
"name": "Show Rights for Certificate Authority",
"category": "Certificates",
"queryList": [{
"final": false,
"title": "Select a Certificate Authority...",
"query": "MATCH (n:GPO) WHERE n.type = 'Enrollment Service' RETURN n.name"
},
{
"final": true,
"query": "MATCH p=(g)-[:ManageCa|ManageCertificates|Auditor|Operator|Read|Enroll]->(n:GPO {name:$result}) return p",
"allowCollapse": false
}
]
},
{
"name": "Find Misconfigured Certificate Templates (ESC1)",
"category": "Domain Escalation",
"queryList": [{
"final": true,
"query": "MATCH (n:GPO) WHERE n.type = 'Certificate Template' and n.`Enrollee Supplies Subject` = true and n.`Client Authentication` = true and n.`Enabled` = true RETURN n"
}]
},
{
"name": "Shortest Paths to Misconfigured Certificate Templates from Owned Principals (ESC1)",
"category": "Domain Escalation",
"queryList": [{
"final": true,
"query": "MATCH p=allShortestPaths((g {owned:true})-[*1..]->(n:GPO)) WHERE g<>n and n.type = 'Certificate Template' and n.`Enrollee Supplies Subject` = true and n.`Client Authentication` = true and n.`Enabled` = true return p"
}]
},
{
"name": "Find Misconfigured Certificate Templates (ESC2)",
"category": "Domain Escalation",
"queryList": [{
"final": true,
"query": "MATCH (n:GPO) WHERE n.type = 'Certificate Template' and n.`Enabled` = true and (n.`Extended Key Usage` = [] or 'Any Purpose' IN n.`Extended Key Usage`) RETURN n"
}]
},
{
"name": "Shortest Paths to Misconfigured Certificate Templates from Owned Principals (ESC2)",
"category": "Domain Escalation",
"queryList": [{
"final": true,
"query": "MATCH p=allShortestPaths((g {owned:true})-[*1..]->(n:GPO)) WHERE g<>n and n.type = 'Certificate Template' and n.`Enabled` = true and (n.`Extended Key Usage` = [] or 'Any Purpose' IN n.`Extended Key Usage`) return p"
}]
},
{
"name": "Find Enrollment Agent Templates (ESC3)",
"category": "Domain Escalation",
"queryList": [{
"final": true,
"query": "MATCH (n:GPO) WHERE n.type = 'Certificate Template' and n.`Enabled` = true and (n.`Extended Key Usage` = [] or 'Any Purpose' IN n.`Extended Key Usage` or 'Certificate Request Agent' IN n.`Extended Key Usage`) RETURN n"
}]
},
{
"name": "Shortest Paths to Enrollment Agent Templates from Owned Principals (ESC3)",
"category": "Domain Escalation",
"queryList": [{
"final": true,
"query": "MATCH p=allShortestPaths((g {owned:true})-[*1..]->(n:GPO)) WHERE g<>n and n.type = 'Certificate Template' and n.`Enabled` = true and (n.`Extended Key Usage` = [] or 'Any Purpose' IN n.`Extended Key Usage` or 'Certificate Request Agent' IN n.`Extended Key Usage`) return p"
}]
},
{
"name": "Shortest Paths to Vulnerable Certificate Template Access Control (ESC4)",
"category": "Domain Escalation",
"queryList": [{
"final": true,
"query": "MATCH p=shortestPath((g)-[:GenericAll|GenericWrite|Owns|WriteDacl|WriteOwner*1..]->(n:GPO)) WHERE g<>n and n.type = 'Certificate Template' and n.`Enabled` = true RETURN p"
}]
},
{
"name": "Shortest Paths to Vulnerable Certificate Template Access Control from Owned Principals (ESC4)",
"category": "Domain Escalation",
"queryList": [{
"final": true,
"query": "MATCH p=allShortestPaths((g {owned:true})-[r*1..]->(n:GPO)) WHERE g<>n and n.type = 'Certificate Template' and n.Enabled = true and NONE(x in relationships(p) WHERE type(x) = 'Enroll' or type(x) = 'AutoEnroll') return p"
}]
},
{
"name": "Find Certificate Authorities with User Specified SAN (ESC6)",
"category": "Domain Escalation",
"queryList": [{
"final": true,
"query": "MATCH (n:GPO) WHERE n.type = 'Enrollment Service' and n.`User Specified SAN` = 'Enabled' RETURN n"
}]
},
{
"name": "Shortest Paths to Vulnerable Certificate Authority Access Control (ESC7)",
"category": "Domain Escalation",
"queryList": [{
"final": true,
"query": "MATCH p=shortestPath((g)-[r:GenericAll|GenericWrite|Owns|WriteDacl|WriteOwner|ManageCa|ManageCertificates*1..]->(n:GPO)) WHERE g<>n and n.type = 'Enrollment Service' RETURN p"
}]
},
{
"name": "Shortest Paths to Vulnerable Certificate Authority Access Control from Owned Principals (ESC7)",
"category": "Domain Escalation",
"queryList": [{
"final": true,
"query": "MATCH p=allShortestPaths((g {owned:true})-[*1..]->(n:GPO)) WHERE g<>n and n.type = 'Enrollment Service' and NONE(x in relationships(p) WHERE type(x) = 'Enroll' or type(x) = 'AutoEnroll') RETURN p"
}]
},
{
"name": "Find Certificate Authorities with HTTP Web Enrollment (ESC8)",
"category": "Domain Escalation",
"queryList": [{
"final": true,
"query": "MATCH (n:GPO) WHERE n.type = 'Enrollment Service' and n.`Web Enrollment` = 'Enabled' RETURN n"
}]
},
{
"name": "Find users with blank passwords that are enabled",
"category": "User Information",
"queryList": [{
"final": true,
"query": "MATCH (u:User) WHERE NOT u.userpassword IS null AND u.enabled = TRUE RETURN u.name,u.userpassword"
}]
},
{
"name": "Find users' credentials in description fields",
"category": "User Information",
"queryList": [{
"final": true,
"query": "MATCH (m:User) WHERE m.description CONTAINS 'password' RETURN m.name, m.description"
}]
},
{
"name": "Find Server 2000",
"category": "OS Finder",
"queryList": [{
"final": true,
"query": "MATCH (H:Computer) WHERE H.operatingsystem =~ '(?i).*(2000).*' RETURN H"
}]
},
{
"name": "Find Server 2000 with session",
"category": "OS Finder",
"queryList": [{
"final": true,
"query": "MATCH (H:Computer)-[:HasSession]->(y) WHERE H.operatingsystem =~ '(?i).*(2000).*' RETURN H"
}]
},
{
"name": "Find Server 2003",
"category": "OS Finder",
"queryList": [{
"final": true,
"query": "MATCH (H:Computer) WHERE H.operatingsystem =~ '(?i).*(2003).*' RETURN H"
}]
},
{
"name": "All enabled computers without LAPS",
"category": "User Information",
"queryList": [{
"final": true,
"query": "MATCH p = (d:Domain)-[r:Contains*1..]->(c:Computer) WHERE c.haslaps = false AND c.enabled = true RETURN p"
}]
},
{
"name": "Find Server 2003 with session",
"category": "OS Finder",
"queryList": [{
"final": true,
"query": "MATCH (H:Computer)-[:HasSession]->(y) WHERE H.operatingsystem =~ '(?i).*(2003).*' RETURN H"
}]
},
{
"name": "Find Server 2008",
"category": "OS Finder",
"queryList": [{
"final": true,
"query": "MATCH (H:Computer) WHERE H.operatingsystem =~ '(?i).*(2008).*' RETURN H"
}]
},
{
"name": "List all owned users",
"category": "User Information",
"queryList": [{
"final": true,
"query": "MATCH (m:User) WHERE m.owned=TRUE RETURN m"
}]
},
{
"name": "Kerberoastable Admins",
"category": "Admin Hunter",
"queryList": [{
"final": true,
"query": "MATCH (n:Group) WHERE n.objectsid =~ $sid WITH n MATCH p=(n)<-[MemberOf*1..]-(m {hasspn: true}) RETURN p",
"allowCollapse": true,
"props": {
"sid": "(?i)S-1-5-.*-512"
}
}]
},
{
"name": "All Kerberoastable Users",
"category": "User Information",
"queryList": [{
"final": true,
"requireNodeSelect": false,
"query": "MATCH (n {hasspn: true}) RETURN n",
"allowCollapse": true,
"props": {}
}]
},
{
"name": "Where can owned users RDP",
"category": "User Information",
"queryList": [{
"final": true,
"requireNodeSelect": false,
"query": "MATCH p=(m:User {owned: true})-[r:MemberOf|CanRDP*1..]->(n:Computer) RETURN p",
"allowCollapse": true,
"props": {}
}]
},
{
"name": "Users with most local admin rights",
"category": "Admin Hunter",
"queryList": [{
"final": true,
"requireNodeSelect": false,
"query": "MATCH (U:User)-[r:MemberOf|AdminTo*1..]->(C:Computer) WITH U.name as n, COUNT(DISTINCT(C)) AS c RETURN n,c ORDER BY c DESC LIMIT 5",
"allowCollapse": true,
"props": {}
}]
},
{
"name": "All Owned Nodes",
"category": "User Information",
"queryList": [{
"final": true,
"requireNodeSelect": false,
"query": "MATCH (n {owned: true}) RETURN n",
"allowCollapse": true,
"props": {}
}]
},
{
"name": "Find computers with owned Admins",
"category": "Admin Hunter",
"queryList": [{
"final": true,
"query": "MATCH p=shortestPath((n:User {owned:true})-[r:AdminTo|MemberOf*1..]->(c:Computer)) return p",
"allowCollapse": false
}]
},
{
"name": "Find owned Groups",
"category": "User Information",
"queryList": [{
"final": true,
"requireNodeSelect": false,
"query": "MATCH (n:User {owned: true})-[r:MemberOf]->(g:Group) RETURN g",
"allowCollapse": true,
"props": {}
}]
},
{
"name": "Find owned Domain Admins",
"category": "Admin Hunter",
"queryList": [{
"final": true,
"title": "Select a domain...",
"query": "MATCH (n:Group) WHERE n.name =~ $name AND n.owned=true WITH n MATCH p=(n)<-[r:MemberOf*1..]-(m) RETURN p",
"props": {
"name": "(?i).*DOMAIN ADMINS.*"
},
"allowCollapse": false
}]
},
{
"name": "Find Shortest Path from owned Node to Domain Admin",
"category": "Admin Hunter",
"queryList": [{
"final": false,
"title": "Select a Domain Admin group...",
"query": "MATCH (n:Group) WHERE n.name =~ $name RETURN n.name ORDER BY n.name DESC",
"props": {
"name": "(?i).*DOMAIN ADMINS.*"
}
},
{
"final": true,
"query": "MATCH (n:User),(m:Group {name:$result}),p=shortestPath((n {owned:true})-[r:MemberOf|AdminTo|HasSession|Contains|GpLink|Owns|DCSync|AllExtendedRights|ForceChangePassword|GenericAll|GenericWrite|WriteDacl|WriteOwner*1..]->(m)) RETURN p",
"allowCollapse": true,
"endNode": "{}"
}
]
},
{
"name": "Find all other Rights Domain Users shouldn't have",
"category": "Admin Hunter",
"queryList": [{
"final": true,
"query": "MATCH p=(m:Group)-[r:Owns|WriteDacl|GenericAll|WriteOwner|ExecuteDCOM|GenericWrite|AllowedToDelegate|ForceChangePassword]->(n:Computer) WHERE m.objectid ENDS WITH '-513' OR m.objectsid ENDS WITH '-515' OR m.objectsid ENDS WITH 'S-1-5-11' OR m.objectsid ENDS WITH 'S-1-1-0' RETURN p",
"allowCollapse": true
}]
},
{
"name": "Computers with administrative Domain Users",
"category": "Admin Hunter",
"queryList": [{
"final": true,
"query": "MATCH p=(m:Group)-[r:AddMember|AdminTo|AllExtendedRights|AllowedToDelegate|CanRDP|Contains|ExecuteDCOM|ForceChangePassword|GenericAll|GenericWrite|GetChanges|GetChangesAll|HasSession|Owns|ReadLAPSPassword|SQLAdmin|TrustedBy|WriteDACL|WriteOwner|AddAllowedToAct|AllowedToAct]->(t) WHERE m.objectsid ENDS WITH '-513' OR m.objectsid ENDS WITH '-515' OR m.objectsid ENDS WITH 'S-1-5-11' OR m.objectsid ENDS WITH 'S-1-1-0' RETURN p"
}]
},
{
"name": "List all owned computers",
"category": "Owned Hunter",
"queryList": [{
"final": true,
"query": "MATCH (m:Computer) WHERE m.owned=TRUE RETURN m"
}]
},
{
"name": "List all owned groups",
"category": "Owned Hunter",
"queryList": [{
"final": true,
"query": "MATCH (m:Group) WHERE m.owned=TRUE RETURN m"
}]
},
{
"name": "List all High Valued Targets",
"category": "Owned Hunter",
"queryList": [{
"final": true,
"query": "MATCH (m) WHERE m.highvalue=TRUE RETURN m"
}]
},
{
"name": "List the groups of all owned users",
"category": "Owned Hunter",
"queryList": [{
"final": true,
"query": "MATCH (m:User) WHERE m.owned=TRUE WITH m MATCH p=(m)-[:MemberOf*1..]->(n:Group) RETURN p"
}]
},
{
"name": "Find all Kerberoastable Users",
"category": "User Information",
"queryList": [{
"final": true,
"query": "MATCH (n:User)WHERE n.hasspn=true RETURN n",
"allowCollapse": false
}]
},
{
"name": "Find All Users with an SPN/Find all Kerberoastable Users with passwords last set less than 5 years ago",
"category": "User Information",
"queryList": [{
"final": true,
"query": "MATCH (u:User) WHERE u.hasspn=true AND u.pwdlastset < (datetime().epochseconds - (1825 * 86400)) AND NOT u.pwdlastset IN [-1.0, 0.0] RETURN u.name, u.pwdlastset order by u.pwdlastset "
}]
},
{
"name": "Find Kerberoastable Users with a path to DA",
"category": "User Information",
"queryList": [{
"final": true,
"query": "MATCH (u:User {hasspn:true}) MATCH (g:Group) WHERE g.objectid ENDS WITH '-512' MATCH p = shortestPath( (u)-[*1..]->(g) ) RETURN p"
}]
},
{
"name": "Find machines Domain Users can RDP into",
"category": "User Information",
"queryList": [{
"final": true,
"query": "match p=(g:Group)-[:CanRDP]->(c:Computer) where g.objectid ENDS WITH '-513' return p"
}]
},
{
"name": "Find what groups can RDP",
"category": "User Information",
"queryList": [{
"final": true,
"query": "MATCH p=(m:Group)-[r:CanRDP]->(n:Computer) RETURN p"
}]
},
{
"name": "Find groups that can reset passwords (Warning: Heavy)",
"category": "User Information",
"queryList": [{
"final": true,
"query": "MATCH p=(m:Group)-[r:ForceChangePassword]->(n:User) RETURN p"
}]
},
{
"name": "Find groups that have local admin rights (Warning: Heavy)",
"category": "User Information",
"queryList": [{
"final": true,
"query": "MATCH p=(m:Group)-[r:AdminTo]->(n:Computer) RETURN p"
}]
},
{
"name": "Find all users that have local admin rights (Warning: Can Be Heavy)",
"category": "Admin Hunter",
"queryList": [{
"final": true,
"query": "MATCH p=(m:User)-[r:AdminTo]->(n:Computer) RETURN p"
}]
},
{
"name": "Find all active Domain Admin sessions",
"category": "Admin Hunter",
"queryList": [{
"final": true,
"query": "MATCH (n:User)-[:MemberOf]->(g:Group) WHERE g.objectid ENDS WITH '-512' MATCH p = (c:Computer)-[:HasSession]->(n) return p"
}]
},
{
"name": "Find all computers with Unconstrained Delegation",
"category": "Domain Escalation",
"queryList": [{
"final": true,
"query": "MATCH (c:Computer {unconstraineddelegation:true}) return c"
}]
},
{
"name": "Find all computers with unsupported operating systems",
"category": "OS Finder",
"queryList": [{
"final": true,
"query": "MATCH (H:Computer) WHERE H.operatingsystem = '.*(2000|2003|2008|xp|vista|7|me).*' RETURN H"
}]
},
{
"name": "Find users that logged in within the last 90 days",
"category": "User Information",
"queryList": [{
"final": true,
"query": "MATCH (u:User) WHERE u.lastlogon < (datetime().epochseconds - (90 * 86400)) and NOT u.lastlogon IN [-1.0, 0.0] RETURN u"
}]
},
{
"name": "Find users with passwords last set within the last 90 days",
"category": "User Information",
"queryList": [{
"final": true,
"query": "MATCH (u:User) WHERE u.pwdlastset < (datetime().epochseconds - (90 * 86400)) and NOT u.pwdlastset IN [-1.0, 0.0] RETURN u"
}]
},
{
"name": "Find constrained delegation",
"category": "Domain Escalation",
"queryList": [{
"final": true,
"query": "MATCH p=(u:User)-[:AllowedToDelegate]->(c:Computer) RETURN p"
}]
},
{
"name": "Find computers that allow unconstrained delegation that aren't domain controllers",
"category": "Domain Escalation",
"queryList": [{
"final": true,
"query": "MATCH (c1:Computer)-[:MemberOf*1..]->(g:Group) WHERE g.objectid ENDS WITH '-516' WITH COLLECT(c1.name) AS domainControllers MATCH (c2:Computer {unconstraineddelegation:true}) WHERE NOT c2.name IN domainControllers RETURN c2"
}]
},
{
"name": "Return the name of every computer in the database where at least one SPN for the computer contains the string 'MSSQL'",
"category": "Domain Escalation",
"queryList": [{
"final": true,
"query": "MATCH (c:Computer) WHERE ANY (x IN c.serviceprincipalnames WHERE toUpper(x) CONTAINS 'MSSQL') RETURN c"
}]
},
{
"name": "View all GPOs",
"category": "GPO/Group Information",
"queryList": [{
"final": true,
"query": "Match (n:GPO) RETURN n"
}]
},
{
"name": "View all groups that contain the word 'admin'",
"category": "GPO/Group Information",
"queryList": [{
"final": true,
"query": "Match (n:Group) WHERE n.name CONTAINS 'ADMIN' RETURN n"
}]
},
{
"name": "Find users that can be AS-REP roasted",
"category": "Domain Escalation",
"queryList": [{
"final": true,
"query": "MATCH (u:User {dontreqpreauth: true}) RETURN u"
}]
},
{
"name": "Find All Users with an SPN/Find all Kerberoastable Users with passwords last set > 5 years ago",
"category": "Domain Escalation",
"queryList": [{
"final": true,
"query": "MATCH (u:User) WHERE n.hasspn=true AND WHERE u.pwdlastset < (datetime().epochseconds - (1825 * 86400)) and NOT u.pwdlastset IN [-1.0, 0.0] RETURN u"
}]
},
{
"name": "Show all high value target's groups",
"category": "Domain Escalation",
"queryList": [{
"final": true,
"query": "MATCH p=(n:User)-[r:MemberOf*1..]->(m:Group {highvalue:true}) RETURN p"
}]
},
{
"name": "Find groups that contain both users and computers",
"category": "GPO/Group Information",
"queryList": [{
"final": true,
"query": "MATCH (c:Computer)-[r:MemberOf*1..]->(groupsWithComps:Group) WITH groupsWithComps MATCH (u:User)-[r:MemberOf*1..]->(groupsWithComps) RETURN DISTINCT(groupsWithComps) as groupsWithCompsAndUsers"
}]
},
{
"name": "Find Kerberoastable users who are members of high value groups",
"category": "GPO/Group Information",
"queryList": [{
"final": true,
"query": "MATCH (u:User)-[r:MemberOf*1..]->(g:Group) WHERE g.highvalue=true AND u.hasspn=true RETURN u"
}]
},
{
"name": "Find Kerberoastable users and where they are AdminTo",
"category": "GPO/Group Information",
"queryList": [{
"final": true,
"query": "OPTIONAL MATCH (u1:User) WHERE u1.hasspn=true OPTIONAL MATCH (u1)-[r:AdminTo]->(c:Computer) RETURN u"
}]
},
{
"name": "Find computers with constrained delegation permissions and the corresponding targets they are allowed to delegate to",
"category": "Domain Escalation",
"queryList": [{
"final": true,
"query": "MATCH (c:Computer) WHERE c.allowedtodelegate IS NOT NULL RETURN c"
}]
},
{
"name": "Find if any domain user has interesting permissions against a GPO (Warning: Heavy)",
"category": "GPO/Group Information",
"queryList": [{
"final": true,
"query": "MATCH p=(u:User)-[r:AllExtendedRights|GenericAll|GenericWrite|Owns|WriteDacl|WriteOwner|GpLink*1..]->(g:GPO) RETURN p"
}]
},
{
"name": "Find if unprivileged users have rights to add members into groups",
"category": "GPO/Group Information",
"queryList": [{
"final": true,
"query": "MATCH (n:User {admincount:False}) MATCH p=allShortestPaths((n)-[r:AddMember*1..]->(m:Group)) RETURN p"
}]
},
{
"name": "Find all users that are part of the VPN group",
"category": "GPO/Group Information",
"queryList": [{
"final": true,
"query": "Match p=(u:User)-[:MemberOf]->(g:Group) WHERE toUPPER (g.name) CONTAINS 'VPN' return p"
}]
},
{
"name": "Find users that have never logged on and whose account is still active",
"category": "User Information",
"queryList": [{
"final": true,
"query": "MATCH (n:User) WHERE n.lastlogontimestamp=-1.0 AND n.enabled=TRUE RETURN n "
}]
},
{
"name": "Find an object in one domain that can do something to a foreign object",
"category": "GPO/Group Information",
"queryList": [{
"final": true,
"query": "MATCH p=(n)-[r]->(m) WHERE NOT n.domain = m.domain RETURN p"
}]
},
{
"name": "Find all sessions a user in a specific domain has",
"category": "User Information",
"requireNodeSelect": true,
"queryList": [{
"final": false,
"title": "Select source domain...",
"query": "MATCH (n:Domain) RETURN n.name ORDER BY n.name"
},
{
"final": true,
"query": "MATCH p=(m:Computer)-[r:HasSession]->(n:User {domain:$result}) RETURN p",
"startNode": "{}",
"allowCollapse": false
}
]
},
{
"name": "Find an object from domain 'A' that can do anything to a foreign object",
"category": "User Information",
"requireNodeSelect": true,
"queryList": [{
"final": false,
"title": "Select source domain...",
"query": "MATCH (n:Domain) RETURN n.name ORDER BY n.name"
},
{
"final": true,
"query": "MATCH p=(n {domain:$result})-[r]->(d) WHERE NOT d.domain=n.domain RETURN p",
"startNode": "{}",
"allowCollapse": false
}
]
},
{
"name": "Find All edges any owned user has on a computer",
"category": "User Information",
"queryList": [{
"final": true,
"query": "MATCH p=shortestPath((m:User)-[r*]->(b:Computer)) WHERE m.owned RETURN p"
}]
},
{
"name": "Find Server 2008 with session",
"category": "OS Finder",
"queryList": [{
"final": true,
"query": "MATCH (H:Computer)-[:HasSession]->(y) WHERE H.operatingsystem =~ '(?i).*(2008).*' RETURN H"
}]
},
{
"name": "Find Windows XP",
"category": "OS Finder",
"queryList": [{
"final": true,
"query": "MATCH (H:Computer) WHERE H.operatingsystem =~ '(?i).*(xp).*' RETURN H"
}]
},
{
"name": "Find Windows XP with session",
"category": "OS Finder",
"queryList": [{
"final": true,
"query": "MATCH (H:Computer)-[:HasSession]->(y) WHERE H.operatingsystem =~ '(?i).*(xp).*' RETURN H"
}]
},
{
"name": "Find Windows 7",
"category": "OS Finder",
"queryList": [{
"final": true,
"query": "MATCH (H:Computer) WHERE H.operatingsystem =~ '(?i).*(7).*' RETURN H"
}]
},
{
"name": "Find Windows 7 with session",
"category": "OS Finder",
"queryList": [{
"final": true,
"query": "MATCH (H:Computer)-[:HasSession]->(y) WHERE H.operatingsystem =~ '(?i).*(7).*' RETURN H"
}]
},
{
"name": "Find Server 2012",
"category": "OS Finder",
"queryList": [{
"final": true,
"query": "MATCH (H:Computer) WHERE H.operatingsystem =~ '(?i).*(2012).*' RETURN H"
}]
},
{
"name": "Find Server 2012 with session",
"category": "OS Finder",
"queryList": [{
"final": true,
"query": "MATCH (H:Computer)-[:HasSession]->(y) WHERE H.operatingsystem =~ '(?i).*(2012).*' RETURN H"
}]
},
{
"name": "Find Server 2016",
"category": "OS Finder",
"queryList": [{
"final": true,
"query": "MATCH (H:Computer) WHERE H.operatingsystem =~ '(?i).*(2016).*' RETURN H"
}]
},
{
"name": "Find Server 2016 with session",
"category": "OS Finder",
"queryList": [{
"final": true,
"query": "MATCH (H:Computer)-[:HasSession]->(y) WHERE H.operatingsystem =~ '(?i).*(2016).*' RETURN H"
}]
},
{
"name": "Find Server 2019",
"category": "OS Finder",
"queryList": [{
"final": true,
"query": "MATCH (H:Computer) WHERE H.operatingsystem =~ '(?i).*(2019).*' RETURN H"
}]
},
{
"name": "Find Server 2019 with session",
"category": "OS Finder",
"queryList": [{
"final": true,
"query": "MATCH (H:Computer)-[:HasSession]->(y) WHERE H.operatingsystem =~ '(?i).*(2019).*' RETURN H"
}]
},
{
"name": "--https://github.com/CompassSecurity/BloodHoundQueries/--",
"queryList": [{
"final": true,
"query": ""
}]
},
{
"name": "All Shortest Paths to Domain (including Computers)",
"queryList": [{
"final": false,
"title": "Select a Domain...",
"query": "MATCH (d:Domain) RETURN d.name ORDER BY d.name ASC"
},
{
"final": true,
"query": "MATCH p = allShortestPaths((uc)-[r:{}*1..]->(d:Domain {name: $result})) WHERE (uc:User OR uc:Computer) RETURN p",
"endNode": "{}"
}
]
},
{
"name": "All Shortest Paths to no LAPS",
"queryList": [{
"final": true,
"query": "MATCH p = allShortestPaths((uc)-[r:{}*1..]->(c:Computer)) WHERE (uc:User OR uc:Computer) AND NOT uc = c AND c.haslaps = false RETURN p"
}]
},
{
"name": "All Shortest Paths from Kerberoastable Users to Computers",
"queryList": [{
"final": true,
"query": "MATCH p = allShortestPaths((u:User)-[r:{}*1..]->(c:Computer)) WHERE u.hasspn = true RETURN p"
}]
},
{
"name": "All Shortest Paths from Kerberoastable Users to High Value Targets",
"queryList": [{
"final": true,
"query": "MATCH p = allShortestPaths((u:User)-[r:{}*1..]->(h)) WHERE u.hasspn = true AND h.highvalue = true RETURN p"
}]
},
{
"name": "All Shortest Paths from Owned Principals (including everything)",
"queryList": [{
"final": true,
"query": "MATCH p = allShortestPaths((u:User)-[r:{}*1..]->(a)) WHERE u.owned = true AND u <> a RETURN p"
}]
},
{
"name": "All Shortest Paths from Owned Principals to Domain",
"queryList": [{
"final": false,
"title": "Select a Domain...",
"query": "MATCH (d:Domain) RETURN d.name ORDER BY d.name ASC"
},
{
"final": true,
"query": "MATCH p = allShortestPaths((o)-[r:{}*1..]->(d:Domain)) WHERE o.owned = true AND d.name = $result RETURN p",
"endNode": "{}"
}
]
},
{
"name": "All Shortest Paths from Owned Principals to High Value Targets",
"queryList": [{
"final": true,
"query": "MATCH p = allShortestPaths((o)-[r:{}*1..]->(h)) WHERE o.owned = true AND h.highvalue = true RETURN p"
}]
},
{
"name": "All Shortest Paths from Owned Principals to no LAPS",
"queryList": [{
"final": true,
"query": "MATCH p = allShortestPaths((o)-[r:{}*1..]->(c:Computer)) WHERE NOT o = c AND o.owned = true AND c.haslaps = false RETURN p"
}]
},
{
"name": "All Shortest Paths from no Signing to Domain",
"queryList": [{
"final": false,
"title": "Select a Domain...",
"query": "MATCH (d:Domain) RETURN d.name ORDER BY d.name ASC"
},
{
"final": true,
"query": "MATCH p = allShortestPaths((c:Computer)-[r:{}*1..]->(d:Domain)) WHERE c.hassigning = false AND d.name = $result RETURN p",
"endNode": "{}"
}
]
},
{
"name": "All Shortest Paths from no Signing to High Value Targets",
"queryList": [{
"final": true,
"query": "MATCH p = allShortestPaths((c:Computer)-[r:{}*1..]->(h)) WHERE NOT c = h AND c.hassigning = false AND h.highvalue = true RETURN p"
}]
},
{
"name": "All Shortest Paths from Domain Users and Domain Computers (including everything)",
"queryList": [{
"final": true,
"query": "MATCH p = allShortestPaths((g:Group)-[r:{}*1..]->(a)) WHERE (g.objectid =~ $domain_users_id OR g.objectid =~ $domain_computers_id) AND g <> a RETURN p",
"props": {
"domain_users_id": "S-1-5-.*-513",
"domain_computers_id": "S-1-5-.*-515"
}
}]
},
{
"name": "All Unconstrained Delegation Principals (excluding Domain Controllers and Administrators)",
"queryList": [{
"final": true,
"query": "MATCH (dca)-[r:MemberOf*0..]->(g:Group) WHERE g.objectid =~ $domain_controllers_id OR g.objectid =~ $administrators_id WITH COLLECT(dca) AS exclude MATCH p = (d:Domain)-[r:Contains*1..]->(uc) WHERE (uc:User OR uc:Computer) AND uc.unconstraineddelegation = true AND NOT uc IN exclude RETURN p",
"props": {
"domain_controllers_id": "S-1-5-.*-516",
"administrators_id": ".*-S-1-5-32-544"
}
}]
},
{
"name": "All Constrained Delegations",
"queryList": [{
"final": true,
"query": "MATCH p = (a)-[:AllowedToDelegate]->(c:Computer) RETURN p"
}]
},
{
"name": "All Computers Allowed to Delegate for Another Computer",
"queryList": [{
"final": true,
"query": "MATCH p = (c1:Computer)-[:AllowedToDelegate]->(c2:Computer) RETURN p"
}]
},
{
"name": "All ACLs to Computers (excluding High Value Targets)",
"queryList": [{
"final": true,
"query": "MATCH p = (ucg)-[r]->(c:Computer) WHERE (ucg:User OR ucg:Computer OR ucg:Group) AND ucg.highvalue = false AND r.isacl = true RETURN p"
}]
},
{
"name": "All Computers in Domain Admins",
"queryList": [{
"final": false,
"title": "Select a Domain Admins group...",
"query": "MATCH (g:Group) WHERE g.objectid =~ $domain_admins_id RETURN g.name ORDER BY g.name ASC",
"props": {
"domain_admins_id": "S-1-5-.*-512"
}
},
{
"final": true,
"query": "MATCH p = (c:Computer)-[r:MemberOf|HasSIDHistory*1..]->(g:Group) WHERE g.name = $result RETURN p",
"endNode": "{}"
}
]
},
{
"name": "All Computers Local Admin to Another Computer",
"queryList": [{
"final": true,
"query": "MATCH p = (c1:Computer)-[r1:AdminTo]->(c2:Computer) RETURN p UNION ALL MATCH p = (c3:Computer)-[r2:MemberOf|HasSIDHistory*1..]->(g:Group)-[r3:AdminTo]->(c4:Computer) RETURN p"
}]
},
{
"name": "All Computers without LAPS",
"queryList": [{
"final": true,
"query": "MATCH p = (d:Domain)-[r:Contains*1..]->(c:Computer) WHERE c.haslaps = false RETURN p"
}]
},
{
"name": "All High Value Targets",
"queryList": [{
"final": true,
"query": "MATCH p = (d:Domain)-[r:Contains*1..]->(h) WHERE h.highvalue = true RETURN p"
}]
},
{
"name": "All Owned Principals",
"queryList": [{
"final": true,
"query": "MATCH p = (d:Domain)-[r:Contains*1..]->(o) WHERE o.owned = true RETURN p"
}]
},
{
"name": "LAPS Passwords Readable by Owned Principals",
"queryList": [{
"final": true,
"query": "MATCH p = (n {owned: true})-[r1:MemberOf*1..]->(g:Group)-[r2:GenericAll]->(t:Computer {haslaps:true}) RETURN p"
}]
},
{
"name": "Group Delegated Outbound Object Control of Owned Principals",
"queryList": [{
"final": true,
"query": "MATCH p = (n {owned: true})-[r1:MemberOf*1..]->(g:Group)-[r2 {isacl: true}]->(t) RETURN p"
}]
},
{
"name": "Find Dangerous Rights for Groups under Domain Users",
"queryList": [{
"final": true,
"query": "MATCH p=(m:Group)-[r1:MemberOf*1..]->(g:Group)-[:Owns|WriteDacl|GenericAll|WriteOwner|ExecuteDCOM|GenericWrite|AllowedToDelegate|ForceChangePassword]->(n:Computer) WHERE m.objectid ENDS WITH '-513' RETURN p"
}]
},
{
"name": "All Users with Password in AD",
"queryList": [{
"final": true,
"query": "MATCH p = (d:Domain)-[r:Contains*1..]->(u:User) WHERE u.userpassword IS NOT NULL RETURN p"
}]
},
{
"name": "All Users with \"Pass\" in AD Description",
"queryList": [{
"final": true,
"query": "MATCH p = (d:Domain)-[r:Contains*1..]->(u:User) WHERE u.description =~ '(?i).*pass.*' RETURN p"
}]
},
{
"name": "All Users with Password not Required",
"queryList": [{
"final": true,
"query": "MATCH p = (d:Domain)-[r:Contains*1..]->(u:User) WHERE u.passwordnotreqd = true RETURN p"
}]
},
{
"name": "All Users with Same Name in Different Domains",
"queryList": [{
"final": true,
"query": "MATCH (u1:User),(u2:User) WHERE split(u1.name,'@')[0] = split(u2.name,'@')[0] AND u1.domain <> u2.domain AND tointeger(split(u1.objectid,'-')[7]) >= 1000 RETURN u1"
}]
},
{
"name": "Set DCSync Principals as High Value Targets",
"queryList": [{
"final": true,
"query": "MATCH (s)-[r:MemberOf|GetChanges*1..]->(d:Domain) WITH s, d MATCH (s)-[r:MemberOf|GetChangesAll*1..]->(d) WITH s, d MATCH p = (s)-[r:MemberOf|GetChanges|GetChangesAll*1..]->(d) AND a.highvalue = false SET s.highvalue = true, s.highvaluereason = 'DCSync Principal' RETURN p"
}]
},
{
"name": "Set Unconstrained Delegation Principals as High Value Targets",
"queryList": [{
"final": true,
"query": "MATCH p = (d:Domain)-[r:Contains*1..]->(uc) WHERE (uc:User OR uc:Computer) AND uc.unconstraineddelegation = true AND a.highvalue = false SET uc.highvalue = true, uc.highvaluereason = 'Unconstrained Delegation Principal' RETURN p"
}]
},
{
"name": "Set Local Admin or Reset Password Principals as High Value Targets",
"queryList": [{
"final": true,
"query": "MATCH (a)-[r:AdminTo|ForceChangePassword]->(b) AND a.highvalue = false SET a.highvalue = true, a.highvaluereason = 'Local Admin or Reset Password Principal' RETURN a"
}]
},
{
"name": "Set Principals with Privileges on Computers as High Value Targets",
"queryList": [{
"final": true,
"query": "MATCH (a)-[r:AllowedToDelegate|ExecuteDCOM|ForceChangePassword|GenericAll|GenericWrite|Owns|WriteDacl|WriteOwner]->(n:Computer) AND a.highvalue = false SET a.highvalue = true, a.highvaluereason = 'Principal with Privileges on Computers' RETURN a"
}]
},
{
"name": "Set Principals with Privileges on Cert Publishers as High Value Targets",
"queryList": [{
"final": true,
"query": "MATCH (a)-[r:GenericAll|GenericWrite|MemberOf|Owns|WriteDacl|WriteOwner]->(g:Group) WHERE g.objectid =~ 'S-1-5-21-.*-517' AND a.highvalue = false SET a.highvalue = true, a.highvaluereason = 'Principal with Privileges on the Cert Publisher group' RETURN a"
}]
},
{
"name": "Set Members of High Value Targets Groups as High Value Targets",
"queryList": [{
"final": true,
"query": "MATCH (a)-[r:MemberOf*1..]->(g:Group) WHERE a.highvalue = false AND g.highvalue = true SET a.highvalue = true, a.highvaluereason = 'Member of High Value Target Group' RETURN a"
}]
},
{
"name": "Remove Inactive Users and Computers from High Value Targets",
"queryList": [{
"final": true,
"query": "MATCH (uc) WHERE uc.highvalue = true AND ((uc:User AND uc.enabled = false) OR (uc:Computer AND ((uc.enabled = false) OR (uc.lastlogon > 0 AND uc.lastlogon < (TIMESTAMP() / 1000 - 15552000)) OR (uc.lastlogontimestamp > 0 AND uc.lastlogontimestamp < (TIMESTAMP() / 1000 - 15552000))))) SET uc.highvalue = false, uc.nothighvaluereason = 'Inactive' RETURN uc"
}]
},
{
"name": "--https://github.com/hausec/Bloodhound-Custom-Queries/--",
"queryList": [{
"final": true,
"query": ""
}]
},
{
"name": "List all owned users",
"queryList": [{
"final": true,
"query": "MATCH (m:User) WHERE m.owned=TRUE RETURN m"
}]
},
{
"name": "List all owned computers",
"queryList": [{
"final": true,
"query": "MATCH (m:Computer) WHERE m.owned=TRUE RETURN m"
}]
},
{
"name": "List all owned groups",
"queryList": [{
"final": true,
"query": "MATCH (m:Group) WHERE m.owned=TRUE RETURN m"
}]
},
{
"name": "List all High Valued Targets",
"queryList": [{
"final": true,
"query": "MATCH (m) WHERE m.highvalue=TRUE RETURN m"
}]
},
{
"name": "List the groups of all owned users",
"queryList": [{
"final": true,
"query": "MATCH (m:User) WHERE m.owned=TRUE WITH m MATCH p=(m)-[:MemberOf*1..]->(n:Group) RETURN p"
}]
},
{
"name": "Find the Shortest path to a high value target from an owned object",
"queryList": [{
"final": true,
"query": "MATCH p=shortestPath((g {owned:true})-[*1..]->(n {highvalue:true})) WHERE g<>n return p"
}]
},
{
"name": "Find the Shortest path to an unconstrained delegation system from an owned object",
"queryList": [{
"final": true,
"query": "MATCH (n) MATCH p=shortestPath((n)-[*1..]->(m:Computer {unconstraineddelegation: true})) WHERE NOT n=m AND n.owned = true RETURN p"
}]
},
{
"name": "Find all Kerberoastable Users",
"queryList": [{
"final": true,
"query": "MATCH (n:User)WHERE n.hasspn=true RETURN n",
"allowCollapse": false
}]
},
{
"name": "Find All Users with an SPN/Find all Kerberoastable Users with passwords last set less than 5 years ago",
"queryList": [{
"final": true,
"query": "MATCH (u:User) WHERE u.hasspn=true AND u.pwdlastset < (datetime().epochseconds - (1825 * 86400)) AND NOT u.pwdlastset IN [-1.0, 0.0] RETURN u.name, u.pwdlastset order by u.pwdlastset "
}]
},
{
"name": "Find Kerberoastable Users with a path to DA",
"queryList": [{
"final": true,
"query": "MATCH (u:User {hasspn:true}) MATCH (g:Group) WHERE g.objectid ENDS WITH '-512' MATCH p = shortestPath( (u)-[*1..]->(g) ) RETURN p"
}]
},
{
"name": "Find machines Domain Users can RDP into",
"queryList": [{
"final": true,
"query": "match p=(g:Group)-[:CanRDP]->(c:Computer) where g.objectid ENDS WITH '-513' return p"
}]
},
{
"name": "Find what groups can RDP",
"queryList": [{
"final": true,
"query": "MATCH p=(m:Group)-[r:CanRDP]->(n:Computer) RETURN p"
}]
},
{
"name": "Find groups that can reset passwords (Warning: Heavy)",
"queryList": [{
"final": true,
"query": "MATCH p=(m:Group)-[r:ForceChangePassword]->(n:User) RETURN p"
}]
},
{
"name": "Find groups that have local admin rights (Warning: Heavy)",
"queryList": [{
"final": true,
"query": "MATCH p=(m:Group)-[r:AdminTo]->(n:Computer) RETURN p"
}]
},
{
"name": "Find all users that have local admin rights",
"queryList": [{
"final": true,
"query": "MATCH p=(m:User)-[r:AdminTo]->(n:Computer) RETURN p"
}]
},
{
"name": "Find all active Domain Admin sessions",
"queryList": [{
"final": true,
"query": "MATCH (n:User)-[:MemberOf]->(g:Group) WHERE g.objectid ENDS WITH '-512' MATCH p = (c:Computer)-[:HasSession]->(n) return p"
}]
},
{
"name": "Find all computers with Unconstrained Delegation",
"queryList": [{
"final": true,
"query": "MATCH (c:Computer {unconstraineddelegation:true}) return c"
}]
},
{
"name": "Find all computers with unsupported operating systems",
"queryList": [{
"final": true,
"query": "MATCH (H:Computer) WHERE H.operatingsystem = '.*(2000|2003|2008|xp|vista|7|me).*' RETURN H"
}]
},
{
"name": "Find users that logged in within the last 90 days",
"queryList": [{
"final": true,
"query": "MATCH (u:User) WHERE u.lastlogon < (datetime().epochseconds - (90 * 86400)) and NOT u.lastlogon IN [-1.0, 0.0] RETURN u"
}]
},
{
"name": "Find users with passwords last set within the last 90 days",
"queryList": [{
"final": true,
"query": "MATCH (u:User) WHERE u.pwdlastset < (datetime().epochseconds - (90 * 86400)) and NOT u.pwdlastset IN [-1.0, 0.0] RETURN u"
}]
},
{
"name": "Find constrained delegation",
"queryList": [{
"final": true,
"query": "MATCH p=(u:User)-[:AllowedToDelegate]->(c:Computer) RETURN p"
}]
},
{
"name": "Find computers that allow unconstrained delegation that AREN’T domain controllers.",
"queryList": [{
"final": true,
"query": "MATCH (c1:Computer)-[:MemberOf*1..]->(g:Group) WHERE g.objectid ENDS WITH '-516' WITH COLLECT(c1.name) AS domainControllers MATCH (c2:Computer {unconstraineddelegation:true}) WHERE NOT c2.name IN domainControllers RETURN c2"
}]
},
{
"name": "Return the name of every computer in the database where at least one SPN for the computer contains the string 'MSSQL'",
"queryList": [{
"final": true,
"query": "MATCH (c:Computer) WHERE ANY (x IN c.serviceprincipalnames WHERE toUpper(x) CONTAINS 'MSSQL') RETURN c"
}]
},
{
"name": "View all GPOs",
"queryList": [{
"final": true,
"query": "Match (n:GPO) RETURN n"
}]
},
{
"name": "View all groups that contain the word 'admin'",
"queryList": [{
"final": true,
"query": "Match (n:Group) WHERE n.name CONTAINS 'ADMIN' RETURN n"
}]
},
{
"name": "Find users that can be AS-REP roasted",
"queryList": [{
"final": true,
"query": "MATCH (u:User {dontreqpreauth: true}) RETURN u"
}]
},
{
"name": "Find All Users with an SPN/Find all Kerberoastable Users with passwords last set > 5 years ago",
"queryList": [{
"final": true,
"query": "MATCH (u:User) WHERE n.hasspn=true AND WHERE u.pwdlastset < (datetime().epochseconds - (1825 * 86400)) and NOT u.pwdlastset IN [-1.0, 0.0] RETURN u"
}]
},
{
"name": "Show all high value target's groups",
"queryList": [{
"final": true,
"query": "MATCH p=(n:User)-[r:MemberOf*1..]->(m:Group {highvalue:true}) RETURN p"
}]
},
{
"name": "Find groups that contain both users and computers",
"queryList": [{
"final": true,
"query": "MATCH (c:Computer)-[r:MemberOf*1..]->(groupsWithComps:Group) WITH groupsWithComps MATCH (u:User)-[r:MemberOf*1..]->(groupsWithComps) RETURN DISTINCT(groupsWithComps) as groupsWithCompsAndUsers"
}]
},
{
"name": "Find Kerberoastable users who are members of high value groups",
"queryList": [{
"final": true,
"query": "MATCH (u:User)-[r:MemberOf*1..]->(g:Group) WHERE g.highvalue=true AND u.hasspn=true RETURN u"
}]
},
{
"name": "Find Kerberoastable users and where they are AdminTo",
"queryList": [{
"final": true,
"query": "OPTIONAL MATCH (u1:User) WHERE u1.hasspn=true OPTIONAL MATCH (u1)-[r:AdminTo]->(c:Computer) RETURN u"
}]
},
{
"name": "Find computers with constrained delegation permissions and the corresponding targets they are allowed to delegate to",
"queryList": [{
"final": true,
"query": "MATCH (c:Computer) WHERE c.allowedtodelegate IS NOT NULL RETURN c"
}]
},
{
"name": "Find if any domain user has interesting permissions against a GPO (Warning: Heavy)",
"queryList": [{
"final": true,
"query": "MATCH p=(u:User)-[r:AllExtendedRights|GenericAll|GenericWrite|Owns|WriteDacl|WriteOwner|GpLink*1..]->(g:GPO) RETURN p"
}]
},
{
"name": "Find if unprivileged users have rights to add members into groups",
"queryList": [{
"final": true,
"query": "MATCH (n:User {admincount:False}) MATCH p=allShortestPaths((n)-[r:AddMember*1..]->(m:Group)) RETURN p"
}]
},
{
"name": "Find all users a part of the VPN group",
"queryList": [{
"final": true,
"query": "Match p=(u:User)-[:MemberOf]->(g:Group) WHERE toUPPER (g.name) CONTAINS 'VPN' return p"
}]
},
{
"name": "Find users that have never logged on and account is still active",
"queryList": [{
"final": true,
"query": "MATCH (n:User) WHERE n.lastlogontimestamp=-1.0 AND n.enabled=TRUE RETURN n "
}]
},
{
"name": "Find an object in one domain that can do something to a foreign object",
"queryList": [{
"final": true,
"query": "MATCH p=(n)-[r]->(m) WHERE NOT n.domain = m.domain RETURN p"
}]
},
{
"name": "Find all sessions a user in a specific domain has",
"requireNodeSelect": true,
"queryList": [{
"final": false,
"title": "Select source domain...",
"query": "MATCH (n:Domain) RETURN n.name ORDER BY n.name"
},
{
"final": true,
"query": "MATCH p=(m:Computer)-[r:HasSession]->(n:User {domain:{result}}) RETURN p",
"startNode": "{}",
"allowCollapse": false
}
]
},
{
"name": "Find an object from domain 'A' that can do anything to a foreign object",
"requireNodeSelect": true,
"queryList": [{
"final": false,
"title": "Select source domain...",
"query": "MATCH (n:Domain) RETURN n.name ORDER BY n.name"
},
{
"final": true,
"query": "MATCH p=(n {domain:{result}})-[r]->(d) WHERE NOT d.domain=n.domain RETURN p",
"startNode": "{}",
"allowCollapse": false
}
]
},
{
"name": "Find All edges any owned user has on a computer",
"queryList": [{
"final": true,
"query": "MATCH p=shortestPath((m:User)-[r*]->(b:Computer)) WHERE m.owned RETURN p"
}]
},
{
"name": "----------------------------------------AZURE QUERIES----------------------------------",
"queryList": [{
"final": true,
"query": ""
}]
},
{
"name": "Return All Azure Users that are part of the 'Global Administrator' Role",
"queryList": [{
"final": true,
"query": "MATCH p =(n)-[r:AZGlobalAdmin*1..]->(m) RETURN p"
}]
},
{
"name": "Return All On-Prem users with edges to Azure",
"queryList": [{
"final": true,
"query": "MATCH p=(m:User)-[r:AZResetPassword|AZOwns|AZUserAccessAdministrator|AZContributor|AZAddMembers|AZGlobalAdmin|AZVMContributor|AZOwnsAZAvereContributor]->(n) WHERE m.objectid CONTAINS 'S-1-5-21' RETURN p"
}]
},
{
"name": "Find all paths to an Azure VM",
"queryList": [{
"final": true,
"query": "MATCH p = (n)-[r]->(g:AZVM) RETURN p"
}]
},
{
"name": "Find all paths to an Azure KeyVault",
"queryList": [{
"final": true,
"query": "MATCH p = (n)-[r]->(g:AZKeyVault) RETURN p"
}]
},
{
"name": "Return All Azure Users and their Groups",
"queryList": [{
"final": true,
"query": "MATCH p=(m:AZUser)-[r:MemberOf]->(n) WHERE NOT m.objectid CONTAINS 'S-1-5' RETURN p"
}]
},
{
"name": "Return All Azure AD Groups that are synchronized with On-Premise AD",
"queryList": [{
"final": true,
"query": "MATCH (n:Group) WHERE n.objectid CONTAINS 'S-1-5' AND n.azsyncid IS NOT NULL RETURN n"
}]
},
{
"name": "Find all Privileged Service Principals",
"queryList": [{
"final": true,
"query": "MATCH p = (g:AZServicePrincipal)-[r]->(n) RETURN p"
}]
},
{
"name": "Find all Owners of Azure Applications",
"queryList": [{
"final": true,
"query": "MATCH p = (n)-[r:AZOwns]->(g:AZApp) RETURN p"
}]
},
{
"name": "--https://github.com/awsmhacks/awsmBloodhoundCustomQueries/--",
"queryList": [{
"final": true,
"query": ""
}]
},
{
"name": "Shortest Paths to High Value Targets from Owned Principals",
"queryList": [{
"final": false,
"title": "Select a Domain",
"query": "MATCH (n:Domain) RETURN n.name ORDER BY n.name DESC"
},
{
"final": true,
"query": "MATCH (n),(m),p=shortestPath((n)-[r:{}*1..]->(m)) WHERE m.domain={result} AND m.highvalue=true AND NOT m = n AND n.owned=true RETURN p",
"allowCollapse": true,
"endNode": "{}"
}
]
},
{
"name": "List Computers where DOMAIN USERS are Local Admin",
"queryList": [{
"final": true,
"query": "MATCH p=(m:Group)-[r:AdminTo]->(n:Computer) WHERE m.name STARTS WITH 'DOMAIN USERS' RETURN p",
"allowCollapse": true
}]
},
{
"name": "Find Workstations where DOMAIN USERS can RDP To",
"queryList": [{
"final": true,
"query": "match p=(g:Group)-[:CanRDP]->(c:Computer) where g.name STARTS WITH 'DOMAIN USERS' AND NOT c.operatingsystem CONTAINS 'Server' return p",
"allowCollapse": true
}]
},
{
"name": "Find Servers where DOMAIN USERS can RDP To",
"queryList": [{
"final": true,
"query": "match p=(g:Group)-[:CanRDP]->(c:Computer) where g.name STARTS WITH 'DOMAIN USERS' AND c.operatingsystem CONTAINS 'Server' return p",
"allowCollapse": true
}]
},
{
"name": "ALL Path from DOMAIN USERS to High Value Targets",
"queryList": [{
"final": true,
"query": "MATCH (g:Group) WHERE g.name STARTS WITH 'DOMAIN USERS' MATCH (n {highvalue:true}),p=shortestPath((g)-[r*1..]->(n)) return p",
"allowCollapse": true
}]
},
{
"name": "Find all other Rights DOMAIN USERS shouldn’t have",
"queryList": [{
"final": true,
"query": "MATCH p=(m:Group)-[r:Owns|:WriteDacl|:GenericAll|:WriteOwner|:ExecuteDCOM|:GenericWrite|:AllowedToDelegate|:ForceChangePassword]->(n:Computer) WHERE m.name STARTS WITH 'DOMAIN USERS' RETURN p",
"allowCollapse": true
}]
},
{
"name": "DA Account Sessions",
"queryList": [{
"final": true,
"query": "MATCH (n:User)-[:MemberOf]->(g:Group) WHERE g.name STARTS WITH 'DOMAIN ADMINS' MATCH p = (c:Computer)-[:HasSession]->(n) return p",
"allowCollapse": true
}]
},
{
"name": "DA Account Sessions to NON DC",
"queryList": [{
"final": true,
"query": "MATCH (c:Computer)-[:MemberOf]->(t:Group) WHERE NOT t.name STARTS WITH 'DOMAIN CONTROLLERS' WITH c as NonDC MATCH p=(NonDC)-[:HasSession]->(n:User)-[:MemberOf]-> (g:Group WHERE g.name STARTS WITH 'DOMAIN ADMINS') RETURN p",
"allowCollapse": true
}]
},
{
"name": "Kerberoastable Accounts member of High Value Group",
"queryList": [{
"final": true,
"query": "MATCH (n:User)-[r:MemberOf]->(g:Group) WHERE g.highvalue=true AND n.hasspn=true RETURN n, g, r",
"allowCollapse": true
}]
},
{
"name": "List all Kerberoastable Accounts",
"queryList": [{
"final": true,
"query": "MATCH (n:User)WHERE n.hasspn=true RETURN n",
"allowCollapse": true
}]
},
{
"name": "Top Ten Users with Most Sessions",
"queryList": [{
"final": true,
"query": "MATCH (n:User),(m:Computer), (n)<-[r:HasSession]-(m) WHERE NOT n.name STARTS WITH 'ANONYMOUS LOGON' AND NOT n.name='' WITH n, count(r) as rel_count order by rel_count desc LIMIT 10 MATCH p=(m)-[r:HasSession]->(n) RETURN p",
"allowCollapse": true
}]
},
{
"name": "Top Ten Computers with Most Admins",
"queryList": [{
"final": true,
"query": "MATCH (n:User),(m:Computer), (n)-[r:AdminTo]->(m) WHERE NOT n.name STARTS WITH 'ANONYMOUS LOGON' AND NOT n.name='' WITH m, count(r) as rel_count order by rel_count desc LIMIT 10 MATCH p=(m)<-[r:AdminTo]-(n) RETURN p",
"allowCollapse": true
}]
},
{
"name": "Top Ten Computers with Most Sessions",
"queryList": [{
"final": true,
"query": "MATCH (n:User),(m:Computer), (n)<-[r:HasSession]-(m) WHERE NOT n.name STARTS WITH 'ANONYMOUS LOGON' AND NOT n.name='' WITH m, count(r) as rel_count order by rel_count desc LIMIT 10 MATCH p=(m)-[r:HasSession]->(n) RETURN n,r,m",
"allowCollapse": true
}]
},
{
"name": "Top Ten Computers with Most Admin Sessions",
"queryList": [{
"final": true,
"query": "MATCH (n:User),(m:Computer), (n)<-[r:HasSession]-(m) WHERE NOT n.name STARTS WITH 'ANONYMOUS LOGON' AND NOT n.name='' WITH m, count(r) as rel_count order by rel_count desc LIMIT 10 MATCH p=(m)-[r:HasSession]->(n) RETURN n,r,m",
"allowCollapse": true
}]
},
{
"name": "Top Ten Users with Most Local Admin Rights",
"queryList": [{
"final": true,
"query": "MATCH (n:User),(m:Computer), (n)-[r:AdminTo]->(m) WHERE NOT n.name STARTS WITH 'ANONYMOUS LOGON' AND NOT n.name='' WITH n, count(r) as rel_count order by rel_count desc LIMIT 10 MATCH p=(m)<-[r:AdminTo]-(n) RETURN p",
"allowCollapse": true
}]
}
]
}