Forked from jeffmcjunkin/gist:7b4a67bb7dd0cfbfbd83768f3aa6eb12
Useful Cypher queries for BloodHound
--------------- | |
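// Users that are local admin on at least one computer, either directly
// (AdminTo) or through nested group membership (MemberOf). The variable-
// length pattern follows any mix of AdminTo/MemberOf edges.
// Fix: the original pattern was missing the closing ')' on the Computer
// node, so it did not parse. DISTINCT collapses the one-row-per-path
// result down to one row per user.
MATCH (u:User)-[:AdminTo|MemberOf*1..]->(:Computer)
RETURN DISTINCT u.name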
This returns the list of users who have admin rights on at least one system, either explicitly or through group membership.
--------------- | |
// Top 5 users by the number of distinct computers they are admin on,
// counting both direct AdminTo edges and rights inherited through nested
// groups. Output columns: n (user name), c (computer count).
MATCH (user:User)-[:MemberOf|:AdminTo*1..]->(host:Computer)
WITH user.name AS n, COUNT(DISTINCT host) AS c
RETURN n, c
ORDER BY c DESC
LIMIT 5
Returns each username and the number of computers that user is admin on, for the top N users (the query uses LIMIT 5).
--------------- | |
// Top 5 groups by the number of distinct computers they are admin on,
// counting direct AdminTo edges and rights inherited through nested
// groups. Output columns: n (group name), c (computer count).
MATCH (grp:Group)-[:MemberOf|:AdminTo*1..]->(host:Computer)
WITH grp.name AS n, COUNT(DISTINCT host) AS c
RETURN n, c
ORDER BY c DESC
LIMIT 5
Returns each group name and the number of computers that group is admin on, for the top N groups (the query uses LIMIT 5).
--------------- | |
// Users that are admin on more than one computer (directly or via nested
// groups), most computers first. Only the name is returned; the ORDER BY
// refers to the count that the preceding WITH keeps in scope.
MATCH (user:User)-[:MemberOf|:AdminTo*1..]->(host:Computer)
WITH user.name AS n, COUNT(DISTINCT host) AS c
WHERE c > 1
RETURN n
ORDER BY c DESC
Shows all users that are administrators on more than one machine.
--------------- | |
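// Per-user count of explicit admin rights (direct AdminTo edges) versus
// rights unrolled through nested group membership, plus the total.
// The WHERE on the second OPTIONAL MATCH skips computers the user also
// administers directly, so a computer is never counted twice.
// Fix: users with no admin rights at all (total 0) are now dropped, so the
// result matches "admin on at least one machine". Ordering stays ascending.
MATCH (u:User)
OPTIONAL MATCH (u)-[:AdminTo]->(c:Computer)
WITH u, COUNT(c) AS expAdmin
OPTIONAL MATCH (u)-[:MemberOf*1..]->(:Group)-[:AdminTo]->(c:Computer)
WHERE NOT (u)-[:AdminTo]->(c)
WITH u, expAdmin, COUNT(DISTINCT c) AS unrolledAdmin
WHERE expAdmin + unrolledAdmin > 0
RETURN u.name, expAdmin, unrolledAdmin, expAdmin + unrolledAdmin AS totalAdmin
ORDER BY totalAdmin ASC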
Shows all users that are administrators on at least one machine, ranked by the number of machines they are admin on (ascending).
--------------- | |
// Cross-domain sessions: a computer in one domain holding a session for a
// user from a different domain. Returns the whole path as column p.
MATCH p = (src:Computer)-[:HasSession]->(usr:User)
WHERE src.domain <> usr.domain
RETURN p
This returns cross-domain HasSession relationships (the computer and the session user are in different domains).
--------------- | |
MATCH p=(m:Group)-[r:Owns|:WriteDacl|:GenericAll|:WriteOwner|:ExecuteDCOM|:GenericWrite|:AllowedToDelegate|:ForceChangePassword]->(n:Computer) WHERE m.name STARTS WITH ‘DOMAIN USERS’ RETURN p | |
Finds other rights over computers that Domain Users hold and should not have.
--------------- | |
MATCH (n:User)-[r:MemberOf]->(g:Group) WHERE g.highvalue=true AND n.hasspn=true RETURN n, g, r | |
Shows Kerberoastable high-value targets (users with an SPN that are members of a high-value group).
--------------- | |
This searches for paths to a target node and excludes any path that passes through a node with the highvalue property set to true. Replace <some_node> with the target's name.
// All shortest paths of 1 to 10 hops from every other node to the node
// named <some_node>, keeping only paths on which no node is highvalue.
// Note that nodes(p) includes both endpoints, so the filter also drops
// paths whose source or target node is itself marked highvalue.
MATCH (t {name: "<some_node>"})
MATCH (n)
WHERE n <> t
MATCH p = allShortestPaths((n)-[*1..10]->(t))
WHERE NONE(x IN nodes(p) WHERE x.highvalue = true)
RETURN p
--------------- | |
Returns all users that can RDP to the matching systems, limited to ADM or SVR accounts (plus the members of Domain Admins).
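// For each computer whose name contains the filter string: the users that
// can RDP to it, directly or through a group, restricted to enabled accounts
// whose name contains 'ADM' or 'SVR', plus every direct member (n) of the
// named Domain Admins group. Replace 'xxxxxx' and the group name for your
// environment.
// Fix: `a AND b OR c` parses as `(a AND b) OR c`, so the original also
// returned disabled accounts whose name contains 'SVR'; the OR is now
// parenthesised. COLLECT(DISTINCT ...) removes the duplicate names produced
// by multiple MemberOf paths and by the cross product of the OPTIONAL MATCHes.
MATCH (c:Computer) WHERE c.name CONTAINS 'xxxxxx'
MATCH (n:User)-[:MemberOf]->(g:Group) WHERE g.name = 'DOMAIN ADMINS@domain'
// Kept from the original; nothing downstream refers to this match.
OPTIONAL MATCH (g)-[:CanRDP]->(c)
OPTIONAL MATCH (u1:User)-[:CanRDP]->(c)
WHERE u1.enabled = true AND (u1.name CONTAINS 'ADM' OR u1.name CONTAINS 'SVR')
OPTIONAL MATCH (u2:User)-[:MemberOf*1..]->(:Group)-[:CanRDP]->(c)
WHERE u2.enabled = true AND (u2.name CONTAINS 'ADM' OR u2.name CONTAINS 'SVR')
WITH c, COLLECT(u1) + COLLECT(u2) + COLLECT(n) AS tempVar
UNWIND tempVar AS users
RETURN c.name, COLLECT(DISTINCT users.name) AS usernames
ORDER BY usernames DESC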