Last active
February 21, 2022 22:02
-
-
Save ricardojba/0b03665cd842537128496f4401356151 to your computer and use it in GitHub Desktop.
BloodHound customqueries.json
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
{ | |
"queries": [{ | |
"name": "--https://github.com/ZephrFish/Bloodhound-CustomQueries/--", | |
"queryList": [{ | |
"final": true, | |
"query": "" | |
}] | |
}, | |
{ | |
"name": "Return All Azure Users that are part of the 'Global Administrator' Role", | |
"category": "Azure", | |
"queryList": [{ | |
"final": true, | |
"query": "MATCH p =(n)-[r:AZGlobalAdmin*1..]->(m) RETURN p" | |
}] | |
}, | |
{ | |
"name": "Return All On-Prem users with edges to Azure", | |
"category": "Azure", | |
"queryList": [{ | |
"final": true, | |
"query": "MATCH p=(m:User)-[r:AZResetPassword|AZOwns|AZUserAccessAdministrator|AZContributor|AZAddMembers|AZGlobalAdmin|AZVMContributor|AZOwnsAZAvereContributor]->(n) WHERE m.objectid CONTAINS 'S-1-5-21' RETURN p" | |
}] | |
}, | |
{ | |
"name": "Find all paths to an Azure VM", | |
"category": "Azure", | |
"queryList": [{ | |
"final": true, | |
"query": "MATCH p = (n)-[r]->(g:AZVM) RETURN p" | |
}] | |
}, | |
{ | |
"name": "Find all paths to an Azure KeyVault", | |
"category": "Azure", | |
"queryList": [{ | |
"final": true, | |
"query": "MATCH p = (n)-[r]->(g:AZKeyVault) RETURN p" | |
}] | |
}, | |
{ | |
"name": "Return All Azure Users and their Groups", | |
"category": "Azure", | |
"queryList": [{ | |
"final": true, | |
"query": "MATCH p=(m:AZUser)-[r:MemberOf]->(n) WHERE NOT m.objectid CONTAINS 'S-1-5' RETURN p" | |
}] | |
}, | |
{ | |
"name": "Return All Azure AD Groups that are synchronized with On-Premise AD", | |
"category": "Azure", | |
"queryList": [{ | |
"final": true, | |
"query": "MATCH (n:Group) WHERE n.objectid CONTAINS 'S-1-5' AND n.azsyncid IS NOT NULL RETURN n" | |
}] | |
}, | |
{ | |
"name": "Find all Privileged Service Principals", | |
"category": "Azure", | |
"queryList": [{ | |
"final": true, | |
"query": "MATCH p = (g:AZServicePrincipal)-[r]->(n) RETURN p" | |
}] | |
}, | |
{ | |
"name": "Find all Owners of Azure Applications", | |
"category": "Azure", | |
"queryList": [{ | |
"final": true, | |
"query": "MATCH p = (n)-[r:AZOwns]->(g:AZApp) RETURN p" | |
}] | |
}, | |
{ | |
"name": "Find the Shortest path to a high value target from an owned object", | |
"category": "Azure", | |
"queryList": [{ | |
"final": true, | |
"query": "MATCH p=shortestPath((g {owned:true})-[*1..]->(n {highvalue:true})) WHERE g<>n return p" | |
}] | |
}, | |
{ | |
"name": "Find the Shortest path to a unconstrained delegation system from an owned object", | |
"category": "Azure", | |
"queryList": [{ | |
"final": true, | |
"query": "MATCH (n) MATCH p=shortestPath((n)-[*1..]->(m:Computer {unconstraineddelegation: true})) WHERE NOT n=m AND n.owned = true RETURN p" | |
}] | |
}, | |
{ | |
"name": "Find all Certificate Templates", | |
"category": "Certificates", | |
"queryList": [{ | |
"final": true, | |
"query": "MATCH (n:GPO) WHERE n.type = 'Certificate Template' RETURN n" | |
}] | |
}, | |
{ | |
"name": "Find enabled Certificate Templates", | |
"category": "Certificates", | |
"queryList": [{ | |
"final": true, | |
"query": "MATCH (n:GPO) WHERE n.type = 'Certificate Template' and n.Enabled = true RETURN n" | |
}] | |
}, | |
{ | |
"name": "Find Certificate Authorities", | |
"category": "Certificates", | |
"queryList": [{ | |
"final": true, | |
"query": "MATCH (n:GPO) WHERE n.type = 'Enrollment Service' RETURN n" | |
}] | |
}, | |
{ | |
"name": "Show Enrollment Rights for Certificate Template", | |
"category": "Certificates", | |
"queryList": [{ | |
"final": false, | |
"title": "Select a Certificate Template...", | |
"query": "MATCH (n:GPO) WHERE n.type = 'Certificate Template' RETURN n.name" | |
}, | |
{ | |
"final": true, | |
"query": "MATCH p=(g)-[:Enroll|AutoEnroll]->(n:GPO {name:$result}) WHERE n.type = 'Certificate Template' return p", | |
"allowCollapse": false | |
} | |
] | |
}, | |
{ | |
"name": "Show Rights for Certificate Authority", | |
"category": "Certificates", | |
"queryList": [{ | |
"final": false, | |
"title": "Select a Certificate Authority...", | |
"query": "MATCH (n:GPO) WHERE n.type = 'Enrollment Service' RETURN n.name" | |
}, | |
{ | |
"final": true, | |
"query": "MATCH p=(g)-[:ManageCa|ManageCertificates|Auditor|Operator|Read|Enroll]->(n:GPO {name:$result}) return p", | |
"allowCollapse": false | |
} | |
] | |
}, | |
{ | |
"name": "Find Misconfigured Certificate Templates (ESC1)", | |
"category": "Domain Escalation", | |
"queryList": [{ | |
"final": true, | |
"query": "MATCH (n:GPO) WHERE n.type = 'Certificate Template' and n.`Enrollee Supplies Subject` = true and n.`Client Authentication` = true and n.`Enabled` = true RETURN n" | |
}] | |
}, | |
{ | |
"name": "Shortest Paths to Misconfigured Certificate Templates from Owned Principals (ESC1)", | |
"category": "Domain Escalation", | |
"queryList": [{ | |
"final": true, | |
"query": "MATCH p=allShortestPaths((g {owned:true})-[*1..]->(n:GPO)) WHERE g<>n and n.type = 'Certificate Template' and n.`Enrollee Supplies Subject` = true and n.`Client Authentication` = true and n.`Enabled` = true return p" | |
}] | |
}, | |
{ | |
"name": "Find Misconfigured Certificate Templates (ESC2)", | |
"category": "Domain Escalation", | |
"queryList": [{ | |
"final": true, | |
"query": "MATCH (n:GPO) WHERE n.type = 'Certificate Template' and n.`Enabled` = true and (n.`Extended Key Usage` = [] or 'Any Purpose' IN n.`Extended Key Usage`) RETURN n" | |
}] | |
}, | |
{ | |
"name": "Shortest Paths to Misconfigured Certificate Templates from Owned Principals (ESC2)", | |
"category": "Domain Escalation", | |
"queryList": [{ | |
"final": true, | |
"query": "MATCH p=allShortestPaths((g {owned:true})-[*1..]->(n:GPO)) WHERE g<>n and n.type = 'Certificate Template' and n.`Enabled` = true and (n.`Extended Key Usage` = [] or 'Any Purpose' IN n.`Extended Key Usage`) return p" | |
}] | |
}, | |
{ | |
"name": "Find Enrollment Agent Templates (ESC3)", | |
"category": "Domain Escalation", | |
"queryList": [{ | |
"final": true, | |
"query": "MATCH (n:GPO) WHERE n.type = 'Certificate Template' and n.`Enabled` = true and (n.`Extended Key Usage` = [] or 'Any Purpose' IN n.`Extended Key Usage` or 'Certificate Request Agent' IN n.`Extended Key Usage`) RETURN n" | |
}] | |
}, | |
{ | |
"name": "Shortest Paths to Enrollment Agent Templates from Owned Principals (ESC3)", | |
"category": "Domain Escalation", | |
"queryList": [{ | |
"final": true, | |
"query": "MATCH p=allShortestPaths((g {owned:true})-[*1..]->(n:GPO)) WHERE g<>n and n.type = 'Certificate Template' and n.`Enabled` = true and (n.`Extended Key Usage` = [] or 'Any Purpose' IN n.`Extended Key Usage` or 'Certificate Request Agent' IN n.`Extended Key Usage`) return p" | |
}] | |
}, | |
{ | |
"name": "Shortest Paths to Vulnerable Certificate Template Access Control (ESC4)", | |
"category": "Domain Escalation", | |
"queryList": [{ | |
"final": true, | |
"query": "MATCH p=shortestPath((g)-[:GenericAll|GenericWrite|Owns|WriteDacl|WriteOwner*1..]->(n:GPO)) WHERE g<>n and n.type = 'Certificate Template' and n.`Enabled` = true RETURN p" | |
}] | |
}, | |
{ | |
"name": "Shortest Paths to Vulnerable Certificate Template Access Control from Owned Principals (ESC4)", | |
"category": "Domain Escalation", | |
"queryList": [{ | |
"final": true, | |
"query": "MATCH p=allShortestPaths((g {owned:true})-[r*1..]->(n:GPO)) WHERE g<>n and n.type = 'Certificate Template' and n.Enabled = true and NONE(x in relationships(p) WHERE type(x) = 'Enroll' or type(x) = 'AutoEnroll') return p" | |
}] | |
}, | |
{ | |
"name": "Find Certificate Authorities with User Specified SAN (ESC6)", | |
"category": "Domain Escalation", | |
"queryList": [{ | |
"final": true, | |
"query": "MATCH (n:GPO) WHERE n.type = 'Enrollment Service' and n.`User Specified SAN` = 'Enabled' RETURN n" | |
}] | |
}, | |
{ | |
"name": "Shortest Paths to Vulnerable Certificate Authority Access Control (ESC7)", | |
"category": "Domain Escalation", | |
"queryList": [{ | |
"final": true, | |
"query": "MATCH p=shortestPath((g)-[r:GenericAll|GenericWrite|Owns|WriteDacl|WriteOwner|ManageCa|ManageCertificates*1..]->(n:GPO)) WHERE g<>n and n.type = 'Enrollment Service' RETURN p" | |
}] | |
}, | |
{ | |
"name": "Shortest Paths to Vulnerable Certificate Authority Access Control from Owned Principals (ESC7)", | |
"category": "Domain Escalation", | |
"queryList": [{ | |
"final": true, | |
"query": "MATCH p=allShortestPaths((g {owned:true})-[*1..]->(n:GPO)) WHERE g<>n and n.type = 'Enrollment Service' and NONE(x in relationships(p) WHERE type(x) = 'Enroll' or type(x) = 'AutoEnroll') RETURN p" | |
}] | |
}, | |
{ | |
"name": "Find Certificate Authorities with HTTP Web Enrollment (ESC8)", | |
"category": "Domain Escalation", | |
"queryList": [{ | |
"final": true, | |
"query": "MATCH (n:GPO) WHERE n.type = 'Enrollment Service' and n.`Web Enrollment` = 'Enabled' RETURN n" | |
}] | |
}, | |
{ | |
"name": "Find users with blank passwords that are enabled", | |
"category": "User Information", | |
"queryList": [{ | |
"final": true, | |
"query": "MATCH (u:User) WHERE NOT u.userpassword IS null AND u.enabled = TRUE RETURN u.name,u.userpassword" | |
}] | |
}, | |
{ | |
"name": "Find users' credentials in description fields", | |
"category": "User Information", | |
"queryList": [{ | |
"final": true, | |
"query": "MATCH (m:User) WHERE m.description CONTAINS 'password' RETURN m.name, m.description" | |
}] | |
}, | |
{ | |
"name": "Find Server 2000", | |
"category": "OS Finder", | |
"queryList": [{ | |
"final": true, | |
"query": "MATCH (H:Computer) WHERE H.operatingsystem =~ '(?i).*(2000).*' RETURN H" | |
}] | |
}, | |
{ | |
"name": "Find Server 2000 with session", | |
"category": "OS Finder", | |
"queryList": [{ | |
"final": true, | |
"query": "MATCH (H:Computer)-[:HasSession]->(y) WHERE H.operatingsystem =~ '(?i).*(2000).*' RETURN H" | |
}] | |
}, | |
{ | |
"name": "Find Server 2003", | |
"category": "OS Finder", | |
"queryList": [{ | |
"final": true, | |
"query": "MATCH (H:Computer) WHERE H.operatingsystem =~ '(?i).*(2003).*' RETURN H" | |
}] | |
}, | |
{ | |
"name": "All computers without LAPS and the computer is enabled", | |
"category": "User Information", | |
"queryList": [{ | |
"final": true, | |
"query": "MATCH p = (d:Domain)-[r:Contains*1..]->(c:Computer) WHERE c.haslaps = false AND c.enabled = true RETURN p" | |
}] | |
}, | |
{ | |
"name": "Find Server 2003 with session", | |
"category": "OS Finder", | |
"queryList": [{ | |
"final": true, | |
"query": "MATCH (H:Computer)-[:HasSession]->(y) WHERE H.operatingsystem =~ '(?i).*(2003).*' RETURN H" | |
}] | |
}, | |
{ | |
"name": "Find Server 2008", | |
"category": "OS Finder", | |
"queryList": [{ | |
"final": true, | |
"query": "MATCH (H:Computer) WHERE H.operatingsystem =~ '(?i).*(2008).*' RETURN H" | |
}] | |
}, | |
{ | |
"name": "List all owned users", | |
"category": "User Information", | |
"queryList": [{ | |
"final": true, | |
"query": "MATCH (m:User) WHERE m.owned=TRUE RETURN m" | |
}] | |
}, | |
{ | |
"name": "Kerberoastable Admins", | |
"category": "Admin Hunter", | |
"queryList": [{ | |
"final": true, | |
"query": "MATCH (n:Group) WHERE n.objectsid =~ $sid WITH n MATCH p=(n)<-[MemberOf*1..]-(m {hasspn: true}) RETURN p", | |
"allowCollapse": true, | |
"props": { | |
"sid": "(?i)S-1-5-.*-512" | |
} | |
}] | |
}, | |
{ | |
"name": "All Kerberoastable Users", | |
"category": "User Information", | |
"queryList": [{ | |
"final": true, | |
"requireNodeSelect": false, | |
"query": "MATCH (n {hasspn: true}) RETURN n", | |
"allowCollapse": true, | |
"props": {} | |
}] | |
}, | |
{ | |
"name": "Where can owned users RDP", | |
"category": "User Information", | |
"queryList": [{ | |
"final": true, | |
"requireNodeSelect": false, | |
"query": "MATCH p=(m:User {owned: true})-[r:MemberOf|CanRDP*1..]->(n:Computer) RETURN p", | |
"allowCollapse": true, | |
"props": {} | |
}] | |
}, | |
{ | |
"name": "Users with most local admin rights", | |
"category": "Admin Hunter", | |
"queryList": [{ | |
"final": true, | |
"requireNodeSelect": false, | |
"query": "MATCH (U:User)-[r:MemberOf|AdminTo*1..]->(C:Computer) WITH U.name as n, COUNT(DISTINCT(C)) AS c RETURN n,c ORDER BY c DESC LIMIT 5", | |
"allowCollapse": true, | |
"props": {} | |
}] | |
}, | |
{ | |
"name": "All Owned Nodes", | |
"category": "User Information", | |
"queryList": [{ | |
"final": true, | |
"requireNodeSelect": false, | |
"query": "MATCH (n {owned: true}) RETURN n", | |
"allowCollapse": true, | |
"props": {} | |
}] | |
}, | |
{ | |
"name": "Find computers with owned Admins", | |
"category": "Admin Hunter", | |
"queryList": [{ | |
"final": true, | |
"query": "MATCH p=shortestPath((n:User {owned:true})-[r:AdminTo|MemberOf*1..]->(c:Computer)) return p", | |
"allowCollapse": false | |
}] | |
}, | |
{ | |
"name": "Find owned Groups", | |
"category": "User Information", | |
"queryList": [{ | |
"final": true, | |
"requireNodeSelect": false, | |
"query": "MATCH (n:User {owned: true})-[r:MemberOf]->(g:Group) RETURN g", | |
"allowCollapse": true, | |
"props": {} | |
}] | |
}, | |
{ | |
"name": "Find owned Domain Admins", | |
"category": "Admin Hunter", | |
"queryList": [{ | |
"final": true, | |
"title": "Select a domain...", | |
"query": "MATCH (n:Group) WHERE n.name =~ $name AND n.owned=true WITH n MATCH p=(n)<-[r:MemberOf*1..]-(m) RETURN p", | |
"props": { | |
"name": "(?i).*DOMAIN ADMINS.*" | |
}, | |
"allowCollapse": false | |
}] | |
}, | |
{ | |
"name": "Find Shortest Path from owned Node to Domain Admin", | |
"category": "Admin Hunter", | |
"queryList": [{ | |
"final": false, | |
"title": "Select a Domain Admin group...", | |
"query": "MATCH (n:Group) WHERE n.name =~ $name RETURN n.name ORDER BY n.name DESC", | |
"props": { | |
"name": "(?i).*DOMAIN ADMINS.*" | |
} | |
}, | |
{ | |
"final": true, | |
"query": "MATCH (n:User),(m:Group {name:$result}),p=shortestPath((n {owned:true})-[r:MemberOf|AdminTo|HasSession|Contains|GpLink|Owns|DCSync|AllExtendedRights|ForceChangePassword|GenericAll|GenericWrite|WriteDacl|WriteOwner*1..]->(m)) RETURN p", | |
"allowCollapse": true, | |
"endNode": "{}" | |
} | |
] | |
}, | |
{ | |
"name": "Find all other Rights Domain Users shouldn't have", | |
"category": "Admin Hunter", | |
"queryList": [{ | |
"final": true, | |
"query": "MATCH p=(m:Group)-[r:Owns|WriteDacl|GenericAll|WriteOwner|ExecuteDCOM|GenericWrite|AllowedToDelegate|ForceChangePassword]->(n:Computer) WHERE m.objectid ENDS WITH '-513' OR m.objectsid ENDS WITH '-515' OR m.objectsid ENDS WITH 'S-1-5-11' OR m.objectsid ENDS WITH 'S-1-1-0' RETURN p", | |
"allowCollapse": true | |
}] | |
}, | |
{ | |
"name": "Computers with administrative Domain Users", | |
"category": "Admin Hunter", | |
"queryList": [{ | |
"final": true, | |
"query": "MATCH p=(m:Group)-[r:AddMember|AdminTo|AllExtendedRights|AllowedToDelegate|CanRDP|Contains|ExecuteDCOM|ForceChangePassword|GenericAll|GenericWrite|GetChanges|GetChangesAll|HasSession|Owns|ReadLAPSPassword|SQLAdmin|TrustedBy|WriteDACL|WriteOwner|AddAllowedToAct|AllowedToAct]->(t) WHERE m.objectsid ENDS WITH '-513' OR m.objectsid ENDS WITH '-515' OR m.objectsid ENDS WITH 'S-1-5-11' OR m.objectsid ENDS WITH 'S-1-1-0' RETURN p" | |
}] | |
}, | |
{ | |
"name": "List all owned computers", | |
"category": "Owned Hunter", | |
"queryList": [{ | |
"final": true, | |
"query": "MATCH (m:Computer) WHERE m.owned=TRUE RETURN m" | |
}] | |
}, | |
{ | |
"name": "List all owned groups", | |
"category": "Owned Hunter", | |
"queryList": [{ | |
"final": true, | |
"query": "MATCH (m:Group) WHERE m.owned=TRUE RETURN m" | |
}] | |
}, | |
{ | |
"name": "List all High Valued Targets", | |
"category": "Owned Hunter", | |
"queryList": [{ | |
"final": true, | |
"query": "MATCH (m) WHERE m.highvalue=TRUE RETURN m" | |
}] | |
}, | |
{ | |
"name": "List the groups of all owned users", | |
"category": "Owned Hunter", | |
"queryList": [{ | |
"final": true, | |
"query": "MATCH (m:User) WHERE m.owned=TRUE WITH m MATCH p=(m)-[:MemberOf*1..]->(n:Group) RETURN p" | |
}] | |
}, | |
{ | |
"name": "Find all Kerberoastable Users", | |
"category": "User Information", | |
"queryList": [{ | |
"final": true, | |
"query": "MATCH (n:User)WHERE n.hasspn=true RETURN n", | |
"allowCollapse": false | |
}] | |
}, | |
{ | |
"name": "Find All Users with an SPN/Find all Kerberoastable Users with passwords last set less than 5 years ago", | |
"category": "User Information", | |
"queryList": [{ | |
"final": true, | |
"query": "MATCH (u:User) WHERE u.hasspn=true AND u.pwdlastset < (datetime().epochseconds - (1825 * 86400)) AND NOT u.pwdlastset IN [-1.0, 0.0] RETURN u.name, u.pwdlastset order by u.pwdlastset " | |
}] | |
}, | |
{ | |
"name": "Find Kerberoastable Users with a path to DA", | |
"category": "User Information", | |
"queryList": [{ | |
"final": true, | |
"query": "MATCH (u:User {hasspn:true}) MATCH (g:Group) WHERE g.objectid ENDS WITH '-512' MATCH p = shortestPath( (u)-[*1..]->(g) ) RETURN p" | |
}] | |
}, | |
{ | |
"name": "Find machines Domain Users can RDP into", | |
"category": "User Information", | |
"queryList": [{ | |
"final": true, | |
"query": "match p=(g:Group)-[:CanRDP]->(c:Computer) where g.objectid ENDS WITH '-513' return p" | |
}] | |
}, | |
{ | |
"name": "Find what groups can RDP", | |
"category": "User Information", | |
"queryList": [{ | |
"final": true, | |
"query": "MATCH p=(m:Group)-[r:CanRDP]->(n:Computer) RETURN p" | |
}] | |
}, | |
{ | |
"name": "Find groups that can reset passwords (Warning: Heavy)", | |
"category": "User Information", | |
"queryList": [{ | |
"final": true, | |
"query": "MATCH p=(m:Group)-[r:ForceChangePassword]->(n:User) RETURN p" | |
}] | |
}, | |
{ | |
"name": "Find groups that have local admin rights (Warning: Heavy)", | |
"category": "User Information", | |
"queryList": [{ | |
"final": true, | |
"query": "MATCH p=(m:Group)-[r:AdminTo]->(n:Computer) RETURN p" | |
}] | |
}, | |
{ | |
"name": "Find all users that have local admin rights (Warning Can Be Heavy)", | |
"category": "Admin Hunter", | |
"queryList": [{ | |
"final": true, | |
"query": "MATCH p=(m:User)-[r:AdminTo]->(n:Computer) RETURN p" | |
}] | |
}, | |
{ | |
"name": "Find all active Domain Admin sessions", | |
"category": "Admin Hunter", | |
"queryList": [{ | |
"final": true, | |
"query": "MATCH (n:User)-[:MemberOf]->(g:Group) WHERE g.objectid ENDS WITH '-512' MATCH p = (c:Computer)-[:HasSession]->(n) return p" | |
}] | |
}, | |
{ | |
"name": "Find all computers with Unconstrained Delegation", | |
"category": "Domain Escalation", | |
"queryList": [{ | |
"final": true, | |
"query": "MATCH (c:Computer {unconstraineddelegation:true}) return c" | |
}] | |
}, | |
{ | |
"name": "Find all computers with unsupported operating systems", | |
"category": "OS Finder", | |
"queryList": [{ | |
"final": true, | |
"query": "MATCH (H:Computer) WHERE H.operatingsystem = '.*(2000|2003|2008|xp|vista|7|me).*' RETURN H" | |
}] | |
}, | |
{ | |
"name": "Find users that logged in within the last 90 days", | |
"category": "User Information", | |
"queryList": [{ | |
"final": true, | |
"query": "MATCH (u:User) WHERE u.lastlogon < (datetime().epochseconds - (90 * 86400)) and NOT u.lastlogon IN [-1.0, 0.0] RETURN u" | |
}] | |
}, | |
{ | |
"name": "Find users with passwords last set within the last 90 days", | |
"category": "User Information", | |
"queryList": [{ | |
"final": true, | |
"query": "MATCH (u:User) WHERE u.pwdlastset < (datetime().epochseconds - (90 * 86400)) and NOT u.pwdlastset IN [-1.0, 0.0] RETURN u" | |
}] | |
}, | |
{ | |
"name": "Find constrained delegation", | |
"category": "Domain Escalation", | |
"queryList": [{ | |
"final": true, | |
"query": "MATCH p=(u:User)-[:AllowedToDelegate]->(c:Computer) RETURN p" | |
}] | |
}, | |
{ | |
"name": "Find computers that allow unconstrained delegation that AREN’T domain controllers.", | |
"category": "Domain Escalation", | |
"queryList": [{ | |
"final": true, | |
"query": "MATCH (c1:Computer)-[:MemberOf*1..]->(g:Group) WHERE g.objectid ENDS WITH '-516' WITH COLLECT(c1.name) AS domainControllers MATCH (c2:Computer {unconstraineddelegation:true}) WHERE NOT c2.name IN domainControllers RETURN c2" | |
}] | |
}, | |
{ | |
"name": " Return the name of every computer in the database where at least one SPN for the computer contains the string 'MSSQL'", | |
"category": "Domain Escalation", | |
"queryList": [{ | |
"final": true, | |
"query": "MATCH (c:Computer) WHERE ANY (x IN c.serviceprincipalnames WHERE toUpper(x) CONTAINS 'MSSQL') RETURN c" | |
}] | |
}, | |
{ | |
"name": "View all GPOs", | |
"category": "GPO/Group Information", | |
"queryList": [{ | |
"final": true, | |
"query": "Match (n:GPO) RETURN n" | |
}] | |
}, | |
{ | |
"name": "View all groups that contain the word 'admin'", | |
"category": "GPO/Group Information", | |
"queryList": [{ | |
"final": true, | |
"query": "Match (n:Group) WHERE n.name CONTAINS 'ADMIN' RETURN n" | |
}] | |
}, | |
{ | |
"name": "Find users that can be AS-REP roasted", | |
"category": "Domain Escalation", | |
"queryList": [{ | |
"final": true, | |
"query": "MATCH (u:User {dontreqpreauth: true}) RETURN u" | |
}] | |
}, | |
{ | |
"name": "Find All Users with an SPN/Find all Kerberoastable Users with passwords last set > 5 years ago", | |
"category": "Domain Escalation", | |
"queryList": [{ | |
"final": true, | |
"query": "MATCH (u:User) WHERE n.hasspn=true AND WHERE u.pwdlastset < (datetime().epochseconds - (1825 * 86400)) and NOT u.pwdlastset IN [-1.0, 0.0] RETURN u" | |
}] | |
}, | |
{ | |
"name": "Show all high value target's groups", | |
"category": "Domain Escalation", | |
"queryList": [{ | |
"final": true, | |
"query": "MATCH p=(n:User)-[r:MemberOf*1..]->(m:Group {highvalue:true}) RETURN p" | |
}] | |
}, | |
{ | |
"name": "Find groups that contain both users and computers", | |
"category": "GPO/Group Information", | |
"queryList": [{ | |
"final": true, | |
"query": "MATCH (c:Computer)-[r:MemberOf*1..]->(groupsWithComps:Group) WITH groupsWithComps MATCH (u:User)-[r:MemberOf*1..]->(groupsWithComps) RETURN DISTINCT(groupsWithComps) as groupsWithCompsAndUsers" | |
}] | |
}, | |
{ | |
"name": "Find Kerberoastable users who are members of high value groups", | |
"category": "GPO/Group Information", | |
"queryList": [{ | |
"final": true, | |
"query": "MATCH (u:User)-[r:MemberOf*1..]->(g:Group) WHERE g.highvalue=true AND u.hasspn=true RETURN u" | |
}] | |
}, | |
{ | |
"name": "Find Kerberoastable users and where they are AdminTo", | |
"category": "GPO/Group Information", | |
"queryList": [{ | |
"final": true, | |
"query": "OPTIONAL MATCH (u1:User) WHERE u1.hasspn=true OPTIONAL MATCH (u1)-[r:AdminTo]->(c:Computer) RETURN u" | |
}] | |
}, | |
{ | |
"name": "Find computers with constrained delegation permissions and the corresponding targets where they allowed to delegate", | |
"category": "Domain Escalation", | |
"queryList": [{ | |
"final": true, | |
"query": "MATCH (c:Computer) WHERE c.allowedtodelegate IS NOT NULL RETURN c" | |
}] | |
}, | |
{ | |
"name": "Find if any domain user has interesting permissions against a GPO (Warning: Heavy)", | |
"category": "GPO/Group Information", | |
"queryList": [{ | |
"final": true, | |
"query": "MATCH p=(u:User)-[r:AllExtendedRights|GenericAll|GenericWrite|Owns|WriteDacl|WriteOwner|GpLink*1..]->(g:GPO) RETURN p" | |
}] | |
}, | |
{ | |
"name": "Find if unprivileged users have rights to add members into groups", | |
"category": "GPO/Group Information", | |
"queryList": [{ | |
"final": true, | |
"query": "MATCH (n:User {admincount:False}) MATCH p=allShortestPaths((n)-[r:AddMember*1..]->(m:Group)) RETURN p" | |
}] | |
}, | |
{ | |
"name": "Find all users a part of the VPN group", | |
"category": "GPO/Group Information", | |
"queryList": [{ | |
"final": true, | |
"query": "Match p=(u:User)-[:MemberOf]->(g:Group) WHERE toUPPER (g.name) CONTAINS 'VPN' return p" | |
}] | |
}, | |
{ | |
"name": "Find users that have never logged on and account is still active", | |
"category": "User Information", | |
"queryList": [{ | |
"final": true, | |
"query": "MATCH (n:User) WHERE n.lastlogontimestamp=-1.0 AND n.enabled=TRUE RETURN n " | |
}] | |
}, | |
{ | |
"name": "Find an object in one domain that can do something to a foreign object", | |
"category": "GPO/Group Information", | |
"queryList": [{ | |
"final": true, | |
"query": "MATCH p=(n)-[r]->(m) WHERE NOT n.domain = m.domain RETURN p" | |
}] | |
}, | |
{ | |
"name": "Find all sessions a user in a specific domain has", | |
"category": "User Information", | |
"requireNodeSelect": true, | |
"queryList": [{ | |
"final": false, | |
"title": "Select source domain...", | |
"query": "MATCH (n:Domain) RETURN n.name ORDER BY n.name" | |
}, | |
{ | |
"final": true, | |
"query": "MATCH p=(m:Computer)-[r:HasSession]->(n:User {domain:$result}) RETURN p", | |
"startNode": "{}", | |
"allowCollapse": false | |
} | |
] | |
}, | |
{ | |
"name": "Find an object from domain 'A' that can do anything to a foreign object", | |
"category": "User Information", | |
"requireNodeSelect": true, | |
"queryList": [{ | |
"final": false, | |
"title": "Select source domain...", | |
"query": "MATCH (n:Domain) RETURN n.name ORDER BY n.name" | |
}, | |
{ | |
"final": true, | |
"query": "MATCH p=(n {domain:$result})-[r]->(d) WHERE NOT d.domain=n.domain RETURN p", | |
"startNode": "{}", | |
"allowCollapse": false | |
} | |
] | |
}, | |
{ | |
"name": "Find All edges any owned user has on a computer", | |
"category": "User Information", | |
"queryList": [{ | |
"final": true, | |
"query": "MATCH p=shortestPath((m:User)-[r*]->(b:Computer)) WHERE m.owned RETURN p" | |
}] | |
}, | |
{ | |
"name": "Find Server 2008 with session", | |
"category": "OS Finder", | |
"queryList": [{ | |
"final": true, | |
"query": "MATCH (H:Computer)-[:HasSession]->(y) WHERE H.operatingsystem =~ '(?i).*(2008).*' RETURN H" | |
}] | |
}, | |
{ | |
"name": "Find Windows XP", | |
"category": "OS Finder", | |
"queryList": [{ | |
"final": true, | |
"query": "MATCH (H:Computer) WHERE H.operatingsystem =~ '(?i).*(xp).*' RETURN H" | |
}] | |
}, | |
{ | |
"name": "Find Windows XP with session", | |
"category": "OS Finder", | |
"queryList": [{ | |
"final": true, | |
"query": "MATCH (H:Computer)-[:HasSession]->(y) WHERE H.operatingsystem =~ '(?i).*(xp).*' RETURN H" | |
}] | |
}, | |
{ | |
"name": "Find Windows 7", | |
"category": "OS Finder", | |
"queryList": [{ | |
"final": true, | |
"query": "MATCH (H:Computer) WHERE H.operatingsystem =~ '(?i).*(7).*' RETURN H" | |
}] | |
}, | |
{ | |
"name": "Find Windows 7 session", | |
"category": "OS Finder", | |
"queryList": [{ | |
"final": true, | |
"query": "MATCH (H:Computer)-[:HasSession]->(y) WHERE H.operatingsystem =~ '(?i).*(7).*' RETURN H" | |
}] | |
}, | |
{ | |
"name": "Find Server 2012", | |
"category": "OS Finder", | |
"queryList": [{ | |
"final": true, | |
"query": "MATCH (H:Computer) WHERE H.operatingsystem =~ '(?i).*(2012).*' RETURN H" | |
}] | |
}, | |
{ | |
"name": "Find Server 2012 with session", | |
"category": "OS Finder", | |
"queryList": [{ | |
"final": true, | |
"query": "MATCH (H:Computer)-[:HasSession]->(y) WHERE H.operatingsystem =~ '(?i).*(2012).*' RETURN H" | |
}] | |
}, | |
{ | |
"name": "Find Server 2016", | |
"category": "OS Finder", | |
"queryList": [{ | |
"final": true, | |
"query": "MATCH (H:Computer) WHERE H.operatingsystem =~ '(?i).*(2016).*' RETURN H" | |
}] | |
}, | |
{ | |
"name": "Find Server 2016 with session", | |
"category": "OS Finder", | |
"queryList": [{ | |
"final": true, | |
"query": "MATCH (H:Computer)-[:HasSession]->(y) WHERE H.operatingsystem =~ '(?i).*(2016).*' RETURN H" | |
}] | |
}, | |
{ | |
"name": "Find Server 2019", | |
"category": "OS Finder", | |
"queryList": [{ | |
"final": true, | |
"query": "MATCH (H:Computer) WHERE H.operatingsystem =~ '(?i).*(2019).*' RETURN H" | |
}] | |
}, | |
{ | |
"name": "Find Server 2019 with session", | |
"category": "OS Finder", | |
"queryList": [{ | |
"final": true, | |
"query": "MATCH (H:Computer)-[:HasSession]->(y) WHERE H.operatingsystem =~ '(?i).*(2019).*' RETURN H" | |
}] | |
}, | |
{ | |
"name": "--https://github.com/CompassSecurity/BloodHoundQueries/--", | |
"queryList": [{ | |
"final": true, | |
"query": "" | |
}] | |
}, | |
{ | |
"name": "All Shortest Paths to Domain (including Computers)", | |
"queryList": [{ | |
"final": false, | |
"title": "Select a Domain...", | |
"query": "MATCH (d:Domain) RETURN d.name ORDER BY d.name ASC" | |
}, | |
{ | |
"final": true, | |
"query": "MATCH p = allShortestPaths((uc)-[r:{}*1..]->(d:Domain {name: $result})) WHERE (uc:User OR uc:Computer) RETURN p", | |
"endNode": "{}" | |
} | |
] | |
}, | |
{ | |
"name": "All Shortest Paths to no LAPS", | |
"queryList": [{ | |
"final": true, | |
"query": "MATCH p = allShortestPaths((uc)-[r:{}*1..]->(c:Computer)) WHERE (uc:User OR uc:Computer) AND NOT uc = c AND c.haslaps = false RETURN p" | |
}] | |
}, | |
{ | |
"name": "All Shortest Paths from Kerberoastable Users to Computers", | |
"queryList": [{ | |
"final": true, | |
"query": "MATCH p = allShortestPaths((u:User)-[r:{}*1..]->(c:Computer)) WHERE u.hasspn = true RETURN p" | |
}] | |
}, | |
{ | |
"name": "All Shortest Paths from Kerberoastable Users to High Value Targets", | |
"queryList": [{ | |
"final": true, | |
"query": "MATCH p = allShortestPaths((u:User)-[r:{}*1..]->(h)) WHERE u.hasspn = true AND h.highvalue = true RETURN p" | |
}] | |
}, | |
{ | |
"name": "All Shortest Paths from Owned Principals (including everything)", | |
"queryList": [{ | |
"final": true, | |
"query": "MATCH p = allShortestPaths((u:User)-[r:{}*1..]->(a)) WHERE u.owned = true AND u <> a RETURN p" | |
}] | |
}, | |
{ | |
"name": "All Shortest Paths from Owned Principals to Domain", | |
"queryList": [{ | |
"final": false, | |
"title": "Select a Domain...", | |
"query": "MATCH (d:Domain) RETURN d.name ORDER BY d.name ASC" | |
}, | |
{ | |
"final": true, | |
"query": "MATCH p = allShortestPaths((o)-[r:{}*1..]->(d:Domain)) WHERE o.owned = true AND d.name = $result RETURN p", | |
"endNode": "{}" | |
} | |
] | |
}, | |
{ | |
"name": "All Shortest Paths from Owned Principals to High Value Targets", | |
"queryList": [{ | |
"final": true, | |
"query": "MATCH p = allShortestPaths((o)-[r:{}*1..]->(h)) WHERE o.owned = true AND h.highvalue = true RETURN p" | |
}] | |
}, | |
{ | |
"name": "All Shortest Paths from Owned Principals to no LAPS", | |
"queryList": [{ | |
"final": true, | |
"query": "MATCH p = allShortestPaths((o)-[r:{}*1..]->(c:Computer)) WHERE NOT o = c AND o.owned = true AND c.haslaps = false RETURN p" | |
}] | |
}, | |
{ | |
"name": "All Shortest Paths from no Signing to Domain", | |
"queryList": [{ | |
"final": false, | |
"title": "Select a Domain...", | |
"query": "MATCH (d:Domain) RETURN d.name ORDER BY d.name ASC" | |
}, | |
{ | |
"final": true, | |
"query": "MATCH p = allShortestPaths((c:Computer)-[r:{}*1..]->(d:Domain)) WHERE c.hassigning = false AND d.name = $result RETURN p", | |
"endNode": "{}" | |
} | |
] | |
}, | |
{ | |
"name": "All Shortest Paths from no Signing to High Value Targets", | |
"queryList": [{ | |
"final": true, | |
"query": "MATCH p = allShortestPaths((c:Computer)-[r:{}*1..]->(h)) WHERE NOT c = h AND c.hassigning = false AND h.highvalue = true RETURN p" | |
}] | |
}, | |
{ | |
"name": "All Shortest Paths from Domain Users and Domain Computers (including everything)", | |
"queryList": [{ | |
"final": true, | |
"query": "MATCH p = allShortestPaths((g:Group)-[r:{}*1..]->(a)) WHERE (g.objectid =~ $domain_users_id OR g.objectid =~ $domain_computers_id) AND g <> a RETURN p", | |
"props": { | |
"domain_users_id": "S-1-5-.*-513", | |
"domain_computers_id": "S-1-5-.*-515" | |
} | |
}] | |
}, | |
{ | |
"name": "All Unconstrained Delegation Principals (excluding Domain Controllers and Administrators)", | |
"queryList": [{ | |
"final": true, | |
"query": "MATCH (dca)-[r:MemberOf*0..]->(g:Group) WHERE g.objectid =~ $domain_controllers_id OR g.objectid =~ $administrators_id WITH COLLECT(dca) AS exclude MATCH p = (d:Domain)-[r:Contains*1..]->(uc) WHERE (uc:User OR uc:Computer) AND uc.unconstraineddelegation = true AND NOT uc IN exclude RETURN p", | |
"props": { | |
"domain_controllers_id": "S-1-5-.*-516", | |
"administrators_id": ".*-S-1-5-32-544" | |
} | |
}] | |
}, | |
{ | |
"name": "All Constrained Delegations", | |
"queryList": [{ | |
"final": true, | |
"query": "MATCH p = (a)-[:AllowedToDelegate]->(c:Computer) RETURN p" | |
}] | |
}, | |
{ | |
"name": "All Computers Allowed to Delegate for Another Computer", | |
"queryList": [{ | |
"final": true, | |
"query": "MATCH p = (c1:Computer)-[:AllowedToDelegate]->(c2:Computer) RETURN p" | |
}] | |
}, | |
{ | |
"name": "All ACLs to Computers (excluding High Value Targets)", | |
"queryList": [{ | |
"final": true, | |
"query": "MATCH p = (ucg)-[r]->(c:Computer) WHERE (ucg:User OR ucg:Computer OR ucg:Group) AND ucg.highvalue = false AND r.isacl = true RETURN p" | |
}] | |
}, | |
{ | |
"name": "All Computers in Domain Admins", | |
"queryList": [{ | |
"final": false, | |
"title": "Select a Domain Admins group...", | |
"query": "MATCH (g:Group) WHERE g.objectid =~ $domain_admins_id RETURN g.name ORDER BY g.name ASC", | |
"props": { | |
"domain_admins_id": "S-1-5-.*-512" | |
} | |
}, | |
{ | |
"final": true, | |
"query": "MATCH p = (c:Computer)-[r:MemberOf|HasSIDHistory*1..]->(g:Group) WHERE g.name = $result RETURN p", | |
"endNode": "{}" | |
} | |
] | |
}, | |
{ | |
"name": "All Computers Local Admin to Another Computer", | |
"queryList": [{ | |
"final": true, | |
"query": "MATCH p = (c1:Computer)-[r1:AdminTo]->(c2:Computer) RETURN p UNION ALL MATCH p = (c3:Computer)-[r2:MemberOf|HasSIDHistory*1..]->(g:Group)-[r3:AdminTo]->(c4:Computer) RETURN p" | |
}] | |
}, | |
{ | |
"name": "All Computers without LAPS", | |
"queryList": [{ | |
"final": true, | |
"query": "MATCH p = (d:Domain)-[r:Contains*1..]->(c:Computer) WHERE c.haslaps = false RETURN p" | |
}] | |
}, | |
{ | |
"name": "All High Value Targets", | |
"queryList": [{ | |
"final": true, | |
"query": "MATCH p = (d:Domain)-[r:Contains*1..]->(h) WHERE h.highvalue = true RETURN p" | |
}] | |
}, | |
{ | |
"name": "All Owned Principals", | |
"queryList": [{ | |
"final": true, | |
"query": "MATCH p = (d:Domain)-[r:Contains*1..]->(o) WHERE o.owned = true RETURN p" | |
}] | |
}, | |
{ | |
"name": "LAPS Passwords Readable by Owned Principals", | |
"queryList": [{ | |
"final": true, | |
"query": "MATCH p = (n {owned: true})-[r1:MemberOf*1..]->(g:Group)-[r2:GenericAll]->(t:Computer {haslaps:true}) RETURN p" | |
}] | |
}, | |
{ | |
"name": "Group Delegated Outbound Object Control of Owned Principals", | |
"queryList": [{ | |
"final": true, | |
"query": "MATCH p = (n {owned: true})-[r1:MemberOf*1..]->(g:Group)-[r2 {isacl: true}]->(t) RETURN p" | |
}] | |
}, | |
{ | |
"name": "Find Dangerous Rights for Groups under Domain Users", | |
"queryList": [{ | |
"final": true, | |
"query": "MATCH p=(m:Group)-[r1:MemberOf*1..]->(g:Group)-[:Owns|WriteDacl|GenericAll|WriteOwner|ExecuteDCOM|GenericWrite|AllowedToDelegate|ForceChangePassword]->(n:Computer) WHERE m.objectid ENDS WITH '-513' RETURN p" | |
}] | |
}, | |
{ | |
"name": "All Users with Password in AD", | |
"queryList": [{ | |
"final": true, | |
"query": "MATCH p = (d:Domain)-[r:Contains*1..]->(u:User) WHERE u.userpassword IS NOT NULL RETURN p" | |
}] | |
}, | |
{ | |
"name": "All Users with \"Pass\" in AD Description", | |
"queryList": [{ | |
"final": true, | |
"query": "MATCH p = (d:Domain)-[r:Contains*1..]->(u:User) WHERE u.description =~ '(?i).*pass.*' RETURN p" | |
}] | |
}, | |
{ | |
"name": "All Users with Password not Required", | |
"queryList": [{ | |
"final": true, | |
"query": "MATCH p = (d:Domain)-[r:Contains*1..]->(u:User) WHERE u.passwordnotreqd = true RETURN p" | |
}] | |
}, | |
{ | |
"name": "All Users with with Same Name in Different Domains", | |
"queryList": [{ | |
"final": true, | |
"query": "MATCH (u1:User),(u2:User) WHERE split(u1.name,'@')[0] = split(u2.name,'@')[0] AND u1.domain <> u2.domain AND tointeger(split(u1.objectid,'-')[7]) >= 1000 RETURN u1" | |
}] | |
}, | |
{ | |
"name": "Set DCSync Principals as High Value Targets", | |
"queryList": [{ | |
"final": true, | |
"query": "MATCH (s)-[r:MemberOf|GetChanges*1..]->(d:Domain) WITH s, d MATCH (s)-[r:MemberOf|GetChangesAll*1..]->(d) WITH s, d MATCH p = (s)-[r:MemberOf|GetChanges|GetChangesAll*1..]->(d) AND a.highvalue = false SET s.highvalue = true, s.highvaluereason = 'DCSync Principal' RETURN p" | |
}] | |
}, | |
{ | |
"name": "Set Unconstrained Delegation Principals as High Value Targets", | |
"queryList": [{ | |
"final": true, | |
"query": "MATCH p = (d:Domain)-[r:Contains*1..]->(uc) WHERE (uc:User OR uc:Computer) AND uc.unconstraineddelegation = true AND a.highvalue = false SET uc.highvalue = true, uc.highvaluereason = 'Unconstrained Delegation Principal' RETURN p" | |
}] | |
}, | |
{ | |
"name": "Set Local Admin or Reset Password Principals as High Value Targets", | |
"queryList": [{ | |
"final": true, | |
"query": "MATCH (a)-[r:AdminTo|ForceChangePassword]->(b) AND a.highvalue = false SET a.highvalue = true, a.highvaluereason = 'Local Admin or Reset Password Principal' RETURN a" | |
}] | |
}, | |
{ | |
"name": "Set Principals with Privileges on Computers as High Value Targets", | |
"queryList": [{ | |
"final": true, | |
"query": "MATCH (a)-[r:AllowedToDelegate|ExecuteDCOM|ForceChangePassword|GenericAll|GenericWrite|Owns|WriteDacl|WriteOwner]->(n:Computer) AND a.highvalue = false SET a.highvalue = true, a.highvaluereason = 'Principal with Privileges on Computers' RETURN a" | |
}] | |
}, | |
{ | |
"name": "Set Principals with Privileges on Cert Publishers as High Value Targets", | |
"queryList": [{ | |
"final": true, | |
"query": "MATCH (a)-[r:GenericAll|GenericWrite|MemberOf|Owns|WriteDacl|WriteOwner]->(g:Group) WHERE g.objectid =~ 'S-1-5-21-.*-517' AND a.highvalue = false SET a.highvalue = true, a.highvaluereason = 'Principal with Privileges on the Cert Publisher group' RETURN a" | |
}] | |
}, | |
{ | |
"name": "Set Members of High Value Targets Groups as High Value Targets", | |
"queryList": [{ | |
"final": true, | |
"query": "MATCH (a)-[r:MemberOf*1..]->(g:Group) WHERE a.highvalue = false AND g.highvalue = true SET a.highvalue = true, a.highvaluereason = 'Member of High Value Target Group' RETURN a" | |
}] | |
}, | |
{ | |
"name": "Remove Inactive Users and Computers from High Value Targets", | |
"queryList": [{ | |
"final": true, | |
"query": "MATCH (uc) WHERE uc.highvalue = true AND ((uc:User AND uc.enabled = false) OR (uc:Computer AND ((uc.enabled = false) OR (uc.lastlogon > 0 AND uc.lastlogon < (TIMESTAMP() / 1000 - 15552000)) OR (uc.lastlogontimestamp > 0 AND uc.lastlogontimestamp < (TIMESTAMP() / 1000 - 15552000))))) SET uc.highvalue = false, uc.nothighvaluereason = 'Inactive' RETURN uc" | |
}] | |
}, | |
{ | |
"name": "--https://github.com/hausec/Bloodhound-Custom-Queries/--", | |
"queryList": [{ | |
"final": true, | |
"query": "" | |
}] | |
}, | |
{ | |
"name": "List all owned users", | |
"queryList": [{ | |
"final": true, | |
"query": "MATCH (m:User) WHERE m.owned=TRUE RETURN m" | |
}] | |
}, | |
{ | |
"name": "List all owned computers", | |
"queryList": [{ | |
"final": true, | |
"query": "MATCH (m:Computer) WHERE m.owned=TRUE RETURN m" | |
}] | |
}, | |
{ | |
"name": "List all owned groups", | |
"queryList": [{ | |
"final": true, | |
"query": "MATCH (m:Group) WHERE m.owned=TRUE RETURN m" | |
}] | |
}, | |
{ | |
"name": "List all High Valued Targets", | |
"queryList": [{ | |
"final": true, | |
"query": "MATCH (m) WHERE m.highvalue=TRUE RETURN m" | |
}] | |
}, | |
{ | |
"name": "List the groups of all owned users", | |
"queryList": [{ | |
"final": true, | |
"query": "MATCH (m:User) WHERE m.owned=TRUE WITH m MATCH p=(m)-[:MemberOf*1..]->(n:Group) RETURN p" | |
}] | |
}, | |
{ | |
"name": "Find the Shortest path to a high value target from an owned object", | |
"queryList": [{ | |
"final": true, | |
"query": "MATCH p=shortestPath((g {owned:true})-[*1..]->(n {highvalue:true})) WHERE g<>n return p" | |
}] | |
}, | |
{ | |
"name": "Find the Shortest path to a unconstrained delegation system from an owned object", | |
"queryList": [{ | |
"final": true, | |
"query": "MATCH (n) MATCH p=shortestPath((n)-[*1..]->(m:Computer {unconstraineddelegation: true})) WHERE NOT n=m AND n.owned = true RETURN p" | |
}] | |
}, | |
{ | |
"name": "Find all Kerberoastable Users", | |
"queryList": [{ | |
"final": true, | |
"query": "MATCH (n:User)WHERE n.hasspn=true RETURN n", | |
"allowCollapse": false | |
}] | |
}, | |
{ | |
"name": "Find All Users with an SPN/Find all Kerberoastable Users with passwords last set less than 5 years ago", | |
"queryList": [{ | |
"final": true, | |
"query": "MATCH (u:User) WHERE u.hasspn=true AND u.pwdlastset < (datetime().epochseconds - (1825 * 86400)) AND NOT u.pwdlastset IN [-1.0, 0.0] RETURN u.name, u.pwdlastset order by u.pwdlastset " | |
}] | |
}, | |
{ | |
"name": "Find Kerberoastable Users with a path to DA", | |
"queryList": [{ | |
"final": true, | |
"query": "MATCH (u:User {hasspn:true}) MATCH (g:Group) WHERE g.objectid ENDS WITH '-512' MATCH p = shortestPath( (u)-[*1..]->(g) ) RETURN p" | |
}] | |
}, | |
{ | |
"name": "Find machines Domain Users can RDP into", | |
"queryList": [{ | |
"final": true, | |
"query": "match p=(g:Group)-[:CanRDP]->(c:Computer) where g.objectid ENDS WITH '-513' return p" | |
}] | |
}, | |
{ | |
"name": "Find what groups can RDP", | |
"queryList": [{ | |
"final": true, | |
"query": "MATCH p=(m:Group)-[r:CanRDP]->(n:Computer) RETURN p" | |
}] | |
}, | |
{ | |
"name": "Find groups that can reset passwords (Warning: Heavy)", | |
"queryList": [{ | |
"final": true, | |
"query": "MATCH p=(m:Group)-[r:ForceChangePassword]->(n:User) RETURN p" | |
}] | |
}, | |
{ | |
"name": "Find groups that have local admin rights (Warning: Heavy)", | |
"queryList": [{ | |
"final": true, | |
"query": "MATCH p=(m:Group)-[r:AdminTo]->(n:Computer) RETURN p" | |
}] | |
}, | |
{ | |
"name": "Find all users that have local admin rights", | |
"queryList": [{ | |
"final": true, | |
"query": "MATCH p=(m:User)-[r:AdminTo]->(n:Computer) RETURN p" | |
}] | |
}, | |
{ | |
"name": "Find all active Domain Admin sessions", | |
"queryList": [{ | |
"final": true, | |
"query": "MATCH (n:User)-[:MemberOf]->(g:Group) WHERE g.objectid ENDS WITH '-512' MATCH p = (c:Computer)-[:HasSession]->(n) return p" | |
}] | |
}, | |
{ | |
"name": "Find all computers with Unconstrained Delegation", | |
"queryList": [{ | |
"final": true, | |
"query": "MATCH (c:Computer {unconstraineddelegation:true}) return c" | |
}] | |
}, | |
{ | |
"name": "Find all computers with unsupported operating systems", | |
"queryList": [{ | |
"final": true, | |
"query": "MATCH (H:Computer) WHERE H.operatingsystem = '.*(2000|2003|2008|xp|vista|7|me).*' RETURN H" | |
}] | |
}, | |
{ | |
"name": "Find users that logged in within the last 90 days", | |
"queryList": [{ | |
"final": true, | |
"query": "MATCH (u:User) WHERE u.lastlogon < (datetime().epochseconds - (90 * 86400)) and NOT u.lastlogon IN [-1.0, 0.0] RETURN u" | |
}] | |
}, | |
{ | |
"name": "Find users with passwords last set within the last 90 days", | |
"queryList": [{ | |
"final": true, | |
"query": "MATCH (u:User) WHERE u.pwdlastset < (datetime().epochseconds - (90 * 86400)) and NOT u.pwdlastset IN [-1.0, 0.0] RETURN u" | |
}] | |
}, | |
{ | |
"name": "Find constrained delegation", | |
"queryList": [{ | |
"final": true, | |
"query": "MATCH p=(u:User)-[:AllowedToDelegate]->(c:Computer) RETURN p" | |
}] | |
}, | |
{ | |
"name": "Find computers that allow unconstrained delegation that AREN’T domain controllers.", | |
"queryList": [{ | |
"final": true, | |
"query": "MATCH (c1:Computer)-[:MemberOf*1..]->(g:Group) WHERE g.objectid ENDS WITH '-516' WITH COLLECT(c1.name) AS domainControllers MATCH (c2:Computer {unconstraineddelegation:true}) WHERE NOT c2.name IN domainControllers RETURN c2" | |
}] | |
}, | |
{ | |
"name": " Return the name of every computer in the database where at least one SPN for the computer contains the string 'MSSQL'", | |
"queryList": [{ | |
"final": true, | |
"query": "MATCH (c:Computer) WHERE ANY (x IN c.serviceprincipalnames WHERE toUpper(x) CONTAINS 'MSSQL') RETURN c" | |
}] | |
}, | |
{ | |
"name": "View all GPOs", | |
"queryList": [{ | |
"final": true, | |
"query": "Match (n:GPO) RETURN n" | |
}] | |
}, | |
{ | |
"name": "View all groups that contain the word 'admin'", | |
"queryList": [{ | |
"final": true, | |
"query": "Match (n:Group) WHERE n.name CONTAINS 'ADMIN' RETURN n" | |
}] | |
}, | |
{ | |
"name": "Find users that can be AS-REP roasted", | |
"queryList": [{ | |
"final": true, | |
"query": "MATCH (u:User {dontreqpreauth: true}) RETURN u" | |
}] | |
}, | |
{ | |
"name": "Find All Users with an SPN/Find all Kerberoastable Users with passwords last set > 5 years ago", | |
"queryList": [{ | |
"final": true, | |
"query": "MATCH (u:User) WHERE n.hasspn=true AND WHERE u.pwdlastset < (datetime().epochseconds - (1825 * 86400)) and NOT u.pwdlastset IN [-1.0, 0.0] RETURN u" | |
}] | |
}, | |
{ | |
"name": "Show all high value target's groups", | |
"queryList": [{ | |
"final": true, | |
"query": "MATCH p=(n:User)-[r:MemberOf*1..]->(m:Group {highvalue:true}) RETURN p" | |
}] | |
}, | |
{ | |
"name": "Find groups that contain both users and computers", | |
"queryList": [{ | |
"final": true, | |
"query": "MATCH (c:Computer)-[r:MemberOf*1..]->(groupsWithComps:Group) WITH groupsWithComps MATCH (u:User)-[r:MemberOf*1..]->(groupsWithComps) RETURN DISTINCT(groupsWithComps) as groupsWithCompsAndUsers" | |
}] | |
}, | |
{ | |
"name": "Find Kerberoastable users who are members of high value groups", | |
"queryList": [{ | |
"final": true, | |
"query": "MATCH (u:User)-[r:MemberOf*1..]->(g:Group) WHERE g.highvalue=true AND u.hasspn=true RETURN u" | |
}] | |
}, | |
{ | |
"name": "Find Kerberoastable users and where they are AdminTo", | |
"queryList": [{ | |
"final": true, | |
"query": "OPTIONAL MATCH (u1:User) WHERE u1.hasspn=true OPTIONAL MATCH (u1)-[r:AdminTo]->(c:Computer) RETURN u" | |
}] | |
}, | |
{ | |
"name": "Find computers with constrained delegation permissions and the corresponding targets where they allowed to delegate", | |
"queryList": [{ | |
"final": true, | |
"query": "MATCH (c:Computer) WHERE c.allowedtodelegate IS NOT NULL RETURN c" | |
}] | |
}, | |
{ | |
"name": "Find if any domain user has interesting permissions against a GPO (Warning: Heavy)", | |
"queryList": [{ | |
"final": true, | |
"query": "MATCH p=(u:User)-[r:AllExtendedRights|GenericAll|GenericWrite|Owns|WriteDacl|WriteOwner|GpLink*1..]->(g:GPO) RETURN p" | |
}] | |
}, | |
{ | |
"name": "Find if unprivileged users have rights to add members into groups", | |
"queryList": [{ | |
"final": true, | |
"query": "MATCH (n:User {admincount:False}) MATCH p=allShortestPaths((n)-[r:AddMember*1..]->(m:Group)) RETURN p" | |
}] | |
}, | |
{ | |
"name": "Find all users a part of the VPN group", | |
"queryList": [{ | |
"final": true, | |
"query": "Match p=(u:User)-[:MemberOf]->(g:Group) WHERE toUPPER (g.name) CONTAINS 'VPN' return p" | |
}] | |
}, | |
{ | |
"name": "Find users that have never logged on and account is still active", | |
"queryList": [{ | |
"final": true, | |
"query": "MATCH (n:User) WHERE n.lastlogontimestamp=-1.0 AND n.enabled=TRUE RETURN n " | |
}] | |
}, | |
{ | |
"name": "Find an object in one domain that can do something to a foreign object", | |
"queryList": [{ | |
"final": true, | |
"query": "MATCH p=(n)-[r]->(m) WHERE NOT n.domain = m.domain RETURN p" | |
}] | |
}, | |
{ | |
"name": "Find all sessions a user in a specific domain has", | |
"requireNodeSelect": true, | |
"queryList": [{ | |
"final": false, | |
"title": "Select source domain...", | |
"query": "MATCH (n:Domain) RETURN n.name ORDER BY n.name" | |
}, | |
{ | |
"final": true, | |
"query": "MATCH p=(m:Computer)-[r:HasSession]->(n:User {domain:{result}}) RETURN p", | |
"startNode": "{}", | |
"allowCollapse": false | |
} | |
] | |
}, | |
{ | |
"name": "Find an object from domain 'A' that can do anything to a foreign object", | |
"requireNodeSelect": true, | |
"queryList": [{ | |
"final": false, | |
"title": "Select source domain...", | |
"query": "MATCH (n:Domain) RETURN n.name ORDER BY n.name" | |
}, | |
{ | |
"final": true, | |
"query": "MATCH p=(n {domain:{result}})-[r]->(d) WHERE NOT d.domain=n.domain RETURN p", | |
"startNode": "{}", | |
"allowCollapse": false | |
} | |
] | |
}, | |
{ | |
"name": "Find All edges any owned user has on a computer", | |
"queryList": [{ | |
"final": true, | |
"query": "MATCH p=shortestPath((m:User)-[r*]->(b:Computer)) WHERE m.owned RETURN p" | |
}] | |
}, | |
{ | |
"name": "----------------------------------------AZURE QUERIES----------------------------------", | |
"queryList": [{ | |
"final": true, | |
"query": "" | |
}] | |
}, | |
{ | |
"name": "Return All Azure Users that are part of the 'Global Administrator' Role", | |
"queryList": [{ | |
"final": true, | |
"query": "MATCH p =(n)-[r:AZGlobalAdmin*1..]->(m) RETURN p" | |
}] | |
}, | |
{ | |
"name": "Return All On-Prem users with edges to Azure", | |
"queryList": [{ | |
"final": true, | |
"query": "MATCH p=(m:User)-[r:AZResetPassword|AZOwns|AZUserAccessAdministrator|AZContributor|AZAddMembers|AZGlobalAdmin|AZVMContributor|AZOwnsAZAvereContributor]->(n) WHERE m.objectid CONTAINS 'S-1-5-21' RETURN p" | |
}] | |
}, | |
{ | |
"name": "Find all paths to an Azure VM", | |
"queryList": [{ | |
"final": true, | |
"query": "MATCH p = (n)-[r]->(g:AZVM) RETURN p" | |
}] | |
}, | |
{ | |
"name": "Find all paths to an Azure KeyVault", | |
"queryList": [{ | |
"final": true, | |
"query": "MATCH p = (n)-[r]->(g:AZKeyVault) RETURN p" | |
}] | |
}, | |
{ | |
"name": "Return All Azure Users and their Groups", | |
"queryList": [{ | |
"final": true, | |
"query": "MATCH p=(m:AZUser)-[r:MemberOf]->(n) WHERE NOT m.objectid CONTAINS 'S-1-5' RETURN p" | |
}] | |
}, | |
{ | |
"name": "Return All Azure AD Groups that are synchronized with On-Premise AD", | |
"queryList": [{ | |
"final": true, | |
"query": "MATCH (n:Group) WHERE n.objectid CONTAINS 'S-1-5' AND n.azsyncid IS NOT NULL RETURN n" | |
}] | |
}, | |
{ | |
"name": "Find all Privileged Service Principals", | |
"queryList": [{ | |
"final": true, | |
"query": "MATCH p = (g:AZServicePrincipal)-[r]->(n) RETURN p" | |
}] | |
}, | |
{ | |
"name": "Find all Owners of Azure Applications", | |
"queryList": [{ | |
"final": true, | |
"query": "MATCH p = (n)-[r:AZOwns]->(g:AZApp) RETURN p" | |
}] | |
}, | |
{ | |
"name": "--https://github.com/awsmhacks/awsmBloodhoundCustomQueries/--", | |
"queryList": [{ | |
"final": true, | |
"query": "" | |
}] | |
}, | |
{ | |
"name": "Shortest Paths to High Value Targets from Owned Principles", | |
"queryList": [{ | |
"final": false, | |
"title": "Select a Domain", | |
"query": "MATCH (n:Domain) RETURN n.name ORDER BY n.name DESC" | |
}, | |
{ | |
"final": true, | |
"query": "MATCH (n),(m),p=shortestPath((n)-[r:{}*1..]->(m)) WHERE m.domain={result} AND m.highvalue=true AND NOT m = n AND n.owned=true RETURN p", | |
"allowCollapse": true, | |
"endNode": "{}" | |
} | |
] | |
}, | |
{ | |
"name": "List Computers where DOMAIN USERS are Local Admin", | |
"queryList": [{ | |
"final": true, | |
"query": "MATCH p=(m:Group)-[r:AdminTo]->(n:Computer) WHERE m.name STARTS WITH 'DOMAIN USERS' RETURN p", | |
"allowCollapse": true | |
}] | |
}, | |
{ | |
"name": "Find Workstations where DOMAIN USERS can RDP To", | |
"queryList": [{ | |
"final": true, | |
"query": "match p=(g:Group)-[:CanRDP]->(c:Computer) where g.name STARTS WITH 'DOMAIN USERS' AND NOT c.operatingsystem CONTAINS 'Server' return p", | |
"allowCollapse": true | |
}] | |
}, | |
{ | |
"name": "Find Servers where DOMAIN USERS can RDP To", | |
"queryList": [{ | |
"final": true, | |
"query": "match p=(g:Group)-[:CanRDP]->(c:Computer) where g.name STARTS WITH 'DOMAIN USERS' AND c.operatingsystem CONTAINS 'Server' return p", | |
"allowCollapse": true | |
}] | |
}, | |
{ | |
"name": "ALL Path from DOMAIN USERS to High Value Targets", | |
"queryList": [{ | |
"final": true, | |
"query": "MATCH (g:Group) WHERE g.name STARTS WITH 'DOMAIN USERS' MATCH (n {highvalue:true}),p=shortestPath((g)-[r*1..]->(n)) return p", | |
"allowCollapse": true | |
}] | |
}, | |
{ | |
"name": "Find all other Rights DOMAIN USERS shouldn’t have", | |
"queryList": [{ | |
"final": true, | |
"query": "MATCH p=(m:Group)-[r:Owns|:WriteDacl|:GenericAll|:WriteOwner|:ExecuteDCOM|:GenericWrite|:AllowedToDelegate|:ForceChangePassword]->(n:Computer) WHERE m.name STARTS WITH 'DOMAIN USERS' RETURN p", | |
"allowCollapse": true | |
}] | |
}, | |
{ | |
"name": "DA Account Sessions", | |
"queryList": [{ | |
"final": true, | |
"query": "MATCH (n:User)-[:MemberOf]->(g:Group) WHERE g.name STARTS WITH 'DOMAIN ADMINS' MATCH p = (c:Computer)-[:HasSession]->(n) return p", | |
"allowCollapse": true | |
}] | |
}, | |
{ | |
"name": "DA Account Sessions to NON DC", | |
"queryList": [{ | |
"final": true, | |
"query": "MATCH (c:Computer)-[:MemberOf]->(t:Group) WHERE NOT t.name STARTS WITH 'DOMAIN CONTROLLERS' WITH c as NonDC MATCH p=(NonDC)-[:HasSession]->(n:User)-[:MemberOf]-> (g:Group WHERE g.name STARTS WITH 'DOMAIN ADMINS') RETURN p", | |
"allowCollapse": true | |
}] | |
}, | |
{ | |
"name": "Kerberoastable Accounts member of High Value Group", | |
"queryList": [{ | |
"final": true, | |
"query": "MATCH (n:User)-[r:MemberOf]->(g:Group) WHERE g.highvalue=true AND n.hasspn=true RETURN n, g, r", | |
"allowCollapse": true | |
}] | |
}, | |
{ | |
"name": "List all Kerberoastable Accounts", | |
"queryList": [{ | |
"final": true, | |
"query": "MATCH (n:User)WHERE n.hasspn=true RETURN n", | |
"allowCollapse": true | |
}] | |
}, | |
{ | |
"name": "Top Ten Users with Most Sessions", | |
"queryList": [{ | |
"final": true, | |
"query": "MATCH (n:User),(m:Computer), (n)<-[r:HasSession]-(m) WHERE NOT n.name STARTS WITH 'ANONYMOUS LOGON' AND NOT n.name='' WITH n, count(r) as rel_count order by rel_count desc LIMIT 10 MATCH p=(m)-[r:HasSession]->(n) RETURN p", | |
"allowCollapse": true | |
}] | |
}, | |
{ | |
"name": "Top Ten Computers with Most Admins", | |
"queryList": [{ | |
"final": true, | |
"query": "MATCH (n:User),(m:Computer), (n)-[r:AdminTo]->(m) WHERE NOT n.name STARTS WITH 'ANONYMOUS LOGON' AND NOT n.name='' WITH m, count(r) as rel_count order by rel_count desc LIMIT 10 MATCH p=(m)<-[r:AdminTo]-(n) RETURN p", | |
"allowCollapse": true | |
}] | |
}, | |
{ | |
"name": "Top Ten Computers with Most Sessions", | |
"queryList": [{ | |
"final": true, | |
"query": "MATCH (n:User),(m:Computer), (n)<-[r:HasSession]-(m) WHERE NOT n.name STARTS WITH 'ANONYMOUS LOGON' AND NOT n.name='' WITH m, count(r) as rel_count order by rel_count desc LIMIT 10 MATCH p=(m)-[r:HasSession]->(n) RETURN n,r,m", | |
"allowCollapse": true | |
}] | |
}, | |
{ | |
"name": "Top Ten Computers with Most Admin Sessions", | |
"queryList": [{ | |
"final": true, | |
"query": "MATCH (n:User),(m:Computer), (n)<-[r:HasSession]-(m) WHERE NOT n.name STARTS WITH 'ANONYMOUS LOGON' AND NOT n.name='' WITH m, count(r) as rel_count order by rel_count desc LIMIT 10 MATCH p=(m)-[r:HasSession]->(n) RETURN n,r,m", | |
"allowCollapse": true | |
}] | |
}, | |
{ | |
"name": "Top Ten Users with Most Local Admin Rights", | |
"queryList": [{ | |
"final": true, | |
"query": "MATCH (n:User),(m:Computer), (n)-[r:AdminTo]->(m) WHERE NOT n.name STARTS WITH 'ANONYMOUS LOGON' AND NOT n.name='' WITH n, count(r) as rel_count order by rel_count desc LIMIT 10 MATCH p=(m)<-[r:AdminTo]-(n) RETURN p", | |
"allowCollapse": true | |
}] | |
} | |
] | |
} |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment