Skip to content

Instantly share code, notes, and snippets.

@wikijm
Forked from seajaysec/customqueries.json
Created June 15, 2020 10:38
Show Gist options
  • Save wikijm/1a6cd635b7f68c70a51103fbb1c52745 to your computer and use it in GitHub Desktop.
Save wikijm/1a6cd635b7f68c70a51103fbb1c52745 to your computer and use it in GitHub Desktop.
bloodhound custom queries
{
"queries": [{
"name": "List all owned users",
"queryList": [{
"final": true,
"query": "MATCH (m:User) WHERE m.owned=TRUE RETURN m"
}]
},
{
"name": "List all owned computers",
"queryList": [{
"final": true,
"query": "MATCH (m:Computer) WHERE m.owned=TRUE RETURN m"
}]
},
{
"name": "List all owned groups",
"queryList": [{
"final": true,
"query": "MATCH (m:User) WHERE m.owned=TRUE RETURN m"
}]
},
{
"name": "List the groups of all owned users",
"queryList": [{
"final": true,
"query": "MATCH (m:User) WHERE m.owned=TRUE WITH m MATCH p=(m)-[:MemberOf*1..]->(n:Group) RETURN p"
}]
},
{
"name": "Show owned Nodes with Groups",
"queryList": [{
"final": true,
"query": "MATCH (u:User {owned:true}), (g:Group), p=(u)-[:MemberOf]->(g) RETURN p",
"props": {},
"allowCollapse": true
}]
},
{
"name": "Find logged in Admins",
"queryList": [{
"final": true,
"query": "MATCH p=(a:Computer)-[r:HasSession]->(b:User) WITH a,b,r MATCH p=shortestPath((b)-[:AdminTo|MemberOf*1..]->(a)) RETURN p",
"allowCollapse": true
}]
},
{
"name": "Top Ten Users with Most Sessions",
"queryList": [{
"final": true,
"query": "MATCH (n:User),(m:Computer), (n)<-[r:HasSession]-(m) WHERE NOT n.name STARTS WITH 'ANONYMOUS LOGON' AND NOT n.name='' WITH n, count(r) as rel_count order by rel_count desc LIMIT 10 MATCH p=(m)-[r:HasSession]->(n) RETURN p",
"allowCollapse": true
}]
},
{
"name": "Top Ten Computers with Most Sessions",
"queryList": [{
"final": true,
"query": "MATCH (n:User),(m:Computer), (n)<-[r:HasSession]-(m) WHERE NOT n.name STARTS WITH 'ANONYMOUS LOGON' AND NOT n.name='' WITH m, count(r) as rel_count order by rel_count desc LIMIT 10 MATCH p=(m)-[r:HasSession]->(n) RETURN n,r,m",
"allowCollapse": true
}]
},
{
"name": "Find all Kerberoastable Users",
"queryList": [{
"final": true,
"query": "MATCH (n:User)WHERE n.hasspn=true RETURN n",
"allowCollapse": false
}]
},
{
"name": "Find All Users with an SPN/Find all Kerberoastable Users with passwords last set less than 5 years ago",
"queryList": [{
"final": true,
"query": "MATCH (u:User) WHERE u.hasspn=true AND u.pwdlastset < (datetime().epochseconds - (1825 * 86400)) AND NOT u.pwdlastset IN [-1.0, 0.0] RETURN u.name, u.pwdlastset order by u.pwdlastset "
}]
},
{
"name": "Find Kerberoastable Users with a path to DA",
"queryList": [{
"final": true,
"query": "MATCH (u:User {hasspn:true}) MATCH (g:Group) WHERE g.objectid ENDS WITH '-512' MATCH p = shortestPath( (u)-[*1..]->(g) ) RETURN p"
}]
},
{
"name": "Find Kerberoastable Users with a path to High Value",
"queryList": [{
"final": true,
"query": "MATCH (u:User {hasspn:true}),(n {highvalue:true}),p = shortestPath( (u)-[*1..]->(n) ) RETURN p"
}]
},
{
"name": "Find machines Domain Users can RDP into",
"queryList": [{
"final": true,
"query": "match p=(g:Group)-[:CanRDP]->(c:Computer) where g.objectid ENDS WITH '-513' return p"
}]
},
{
"name": "Find Servers Domain Users can RDP To",
"queryList": [{
"final": true,
"query": "match p=(g:Group)-[:CanRDP]->(c:Computer) where g.name STARTS WITH 'DOMAIN USERS' AND c.operatingsystem CONTAINS 'Server' return p",
"allowCollapse": true
}]
},
{
"name": "Find what groups can RDP",
"queryList": [{
"final": true,
"query": "MATCH p=(m:Group)-[r:CanRDP]->(n:Computer) RETURN p"
}]
},
{
"name": "Non Admin Groups with High Value Privileges",
"queryList": [{
"final": true,
"query": "MATCH p=(g:Group)-[r:Owns|:WriteDacl|:GenericAll|:WriteOwner|:ExecuteDCOM|:GenericWrite|:AllowedToDelegate|:ForceChangePassword]->(n:Computer) WHERE NOT g.name CONTAINS 'ADMIN' RETURN p",
"allowCollapse": true
}]
},
{
"name": "Find groups that can reset passwords (Warning: Heavy)",
"queryList": [{
"final": true,
"query": "MATCH p=(m:Group)-[r:ForceChangePassword]->(n:User) RETURN p"
}]
},
{
"name": "Groups with Computer and User Objects",
"queryList": [{
"final": true,
"query": "MATCH (c:Computer)-[r:MemberOf*1..]->(groupsWithComps:Group) WITH groupsWithComps MATCH (u:User)-[r:MemberOf*1..]->(groupsWithComps) RETURN DISTINCT(groupsWithComps) as groupsWithCompsAndUsers",
"allowCollapse": true,
"endNode": "{}"
}]
},
{
"name": "Find groups that have local admin rights (Warning: Heavy)",
"queryList": [{
"final": true,
"query": "MATCH p=(m:Group)-[r:AdminTo]->(n:Computer) RETURN p"
}]
},
{
"name": "Find all users that have local admin rights",
"queryList": [{
"final": true,
"query": "MATCH p=(m:User)-[r:AdminTo]->(n:Computer) RETURN p"
}]
},
{
"name": "Top Ten Users with Most Local Admin Rights",
"queryList": [{
"final": true,
"query": "MATCH (n:User),(m:Computer), (n)-[r:AdminTo]->(m) WHERE NOT n.name STARTS WITH 'ANONYMOUS LOGON' AND NOT n.name='' WITH n, count(r) as rel_count order by rel_count desc LIMIT 10 MATCH p=(m)<-[r:AdminTo]-(n) RETURN p",
"allowCollapse": true
}]
},
{
"name": "Top Ten Computers with Most Admins",
"queryList": [{
"final": true,
"query": "MATCH (n:User),(m:Computer), (n)-[r:AdminTo]->(m) WHERE NOT n.name STARTS WITH 'ANONYMOUS LOGON' AND NOT n.name='' WITH m, count(r) as rel_count order by rel_count desc LIMIT 10 MATCH p=(m)<-[r:AdminTo]-(n) RETURN p",
"allowCollapse": true
}]
},
{
"name": "Find all active Domain Admin sessions",
"queryList": [{
"final": true,
"query": "MATCH (n:User)-[:MemberOf]->(g:Group) WHERE g.objectid ENDS WITH '-512' MATCH p = (c:Computer)-[:HasSession]->(n) return p"
}]
},
{
"name": "Can a user from domain ‘A ‘ do anything to any computer in domain ‘B’ (Warning: VERY Heavy)",
"queryList": [{
"final": false,
"title": "Select source domain...",
"query": "MATCH (n:Domain) RETURN n.name ORDER BY n.name DESC"
},
{
"final": false,
"title": "Select destination domain...",
"query": "MATCH (n:Domain) RETURN n.name ORDER BY n.name DESC"
},
{
"final": true,
"query": "MATCH (n:User {domain: {result}}) MATCH (m:Computer {domain: {}}) MATCH p=allShortestPaths((n)-[r:MemberOf|HasSession|AdminTo|AllExtendedRights|AddMember|ForceChangePassword|GenericAll|GenericWrite|Owns|WriteDacl|WriteOwner|CanRDP|ExecuteDCOM|AllowedToDelegate|ReadLAPSPassword|Contains|GpLink|AddAllowedToAct|AllowedToAct|SQLAdmin*1..]->(m)) RETURN p",
"startNode": "{}",
"allowCollapse": false
}
]
},
{
"name": "Find all computers with Unconstrained Delegation",
"queryList": [{
"final": true,
"query": "MATCH (c:Computer {unconstraineddelegation:true}) return c"
}]
},
{
"name": "Find all computers with unsupported operating systems",
"queryList": [{
"final": true,
"query": "MATCH (H:Computer) WHERE H.operatingsystem =~ '.*(2000|2003|2008|xp|vista|7|me)*.' RETURN H"
}]
},
{
"name": "Find users that logged in within the last 90 days",
"queryList": [{
"final": true,
"query": "MATCH (u:User) WHERE u.lastlogon < (datetime().epochseconds - (90 * 86400)) and NOT u.lastlogon IN [-1.0, 0.0] RETURN u"
}]
},
{
"name": "Find users with passwords last set within the last 90 days",
"queryList": [{
"final": true,
"query": "MATCH (u:User) WHERE u.pwdlastset < (datetime().epochseconds - (90 * 86400)) and NOT u.pwdlastset IN [-1.0, 0.0] RETURN u"
}]
},
{
"name": "Find constrained delegation",
"queryList": [{
"final": true,
"query": "MATCH p=(u:User)-[:AllowedToDelegate]->(c:Computer) RETURN p"
}]
},
{
"name": "Find computers that allow unconstrained delegation that AREN’T domain controllers.",
"queryList": [{
"final": true,
"query": "MATCH (c1:Computer)-[:MemberOf*1..]->(g:Group) WHERE g.objectid ENDS WITH '-516' WITH COLLECT(c1.name) AS domainControllers MATCH (c2:Computer {unconstraineddelegation:true}) WHERE NOT c2.name IN domainControllers RETURN c2"
}]
},
{
"name": " Return the name of every computer in the database where at least one SPN for the computer contains the string 'MSSQL'",
"queryList": [{
"final": true,
"query": "MATCH (c:Computer) WHERE ANY (x IN c.serviceprincipalnames WHERE toUpper(x) CONTAINS 'MSSQL') RETURN c"
}]
},
{
"name": "View all GPOs",
"queryList": [{
"final": true,
"query": "Match (n:GPO) RETURN n"
}]
},
{
"name": "View all groups that contain the word 'admin'",
"queryList": [{
"final": true,
"query": "Match (n:Group) WHERE n.name CONTAINS 'ADMIN' RETURN n"
}]
},
{
"name": "Find users that can be AS-REP roasted",
"queryList": [{
"final": true,
"query": "MATCH (u:User {dontreqpreauth: true}) RETURN u"
}]
},
{
"name": "Find All Users with an SPN/Find all Kerberoastable Users with passwords last set > 5 years ago",
"queryList": [{
"final": true,
"query": "MATCH (u:User) WHERE n.hasspn=true AND WHERE u.pwdlastset < (datetime().epochseconds - (1825 * 86400)) and NOT u.pwdlastset IN [-1.0, 0.0] RETURN u"
}]
},
{
"name": "Show all high value target's groups",
"queryList": [{
"final": true,
"query": "MATCH p=(n:User)-[r:MemberOf*1..]->(m:Group {highvalue:true}) RETURN p"
}]
},
{
"name": "Find groups that contain both users and computers",
"queryList": [{
"final": true,
"query": "MATCH (c:Computer)-[r:MemberOf*1..]->(groupsWithComps:Group) WITH groupsWithComps MATCH (u:User)-[r:MemberOf*1..]->(groupsWithComps) RETURN DISTINCT(groupsWithComps) as groupsWithCompsAndUsers"
}]
},
{
"name": "Shortest Path from Domain Users to High Value Targets",
"queryList": [{
"final": true,
"query": "MATCH (g:Group),(n {highvalue:true}),p=shortestPath((g)-[r*1..]->(n)) WHERE g.name STARTS WITH 'DOMAIN USERS' return p",
"allowCollapse": true
}]
},
{
"name": "ALL Path from Domain Users to High Value Targets",
"queryList": [{
"final": true,
"query": "MATCH (g:Group) WHERE g.name STARTS WITH 'DOMAIN USERS' MATCH (n {highvalue:true}),p=shortestPath((g)-[r*1..]->(n)) return p",
"allowCollapse": true
}]
},
{
"name": "Find Kerberoastable users who are members of high value groups",
"queryList": [{
"final": true,
"query": "MATCH (u:User)-[r:MemberOf*1..]->(g:Group) WHERE g.highvalue=true AND u.hasspn=true RETURN u"
}]
},
{
"name": "Find Kerberoastable users and where they are AdminTo",
"queryList": [{
"final": true,
"query": "OPTIONAL MATCH (u1:User) WHERE u1.hasspn=true OPTIONAL MATCH (u1)-[r:AdminTo]->(c:Computer) RETURN u"
}]
},
{
"name": "Find computers with constrained delegation permissions and the corresponding targets where they allowed to delegate",
"queryList": [{
"final": true,
"query": "MATCH (c:Computer) WHERE c.allowedtodelegate IS NOT NULL RETURN c"
}]
},
{
"name": "Find if any domain user has interesting permissions against a GPO (Warning: Heavy)",
"queryList": [{
"final": true,
"query": "MATCH p=(u:User)-[r:AllExtendedRights|GenericAll|GenericWrite|Owns|WriteDacl|WriteOwner|GpLink*1..]->(g:GPO) RETURN p"
}]
},
{
"name": "Find if unprivileged users have rights to add members into groups",
"queryList": [{
"final": true,
"query": "MATCH (n:User {admincount:False}) MATCH p=allShortestPaths((n)-[r:AddMember*1..]->(m:Group)) RETURN p"
}]
},
{
"name": "Find all users a part of the VPN group",
"queryList": [{
"final": true,
"query": "Match p=(u:User)-[:MemberOf]->(g:Group) WHERE toUPPER (g.name) CONTAINS 'VPN' return p"
}]
},
{
"name": "Paths from DU to DA without RDP",
"queryList": [{
"final": false,
"title": "Select a Domain Admin group...",
"query": "MATCH (n:Group) WHERE n.objectsid =~ {name} RETURN n.name ORDER BY n.name DESC",
"props": {
"name": "(?i)S-1-5-.*-512"
}
},
{
"final": true,
"query": "MATCH (n:User),(m:Group {name:{result}}),p=shortestPath((n)-[r:MemberOf|HasSession|AdminTo|AllExtendedRights|AddMember|ForceChangePassword|GenericAll|GenericWrite|Owns|WriteDacl|WriteOwner|ExecuteDCOM|AllowedToDelegate|ReadLAPSPassword|Contains|GpLink|AddAllowedToAct|AllowedToAct|SQLAdmin*1..]->(m)) RETURN p",
"allowCollapse": true,
"endNode": "{}"
}
]
},
{
"name": "Most Exploitable Paths to DA",
"queryList": [{
"final": false,
"title": "Select a Domain Admin group...",
"query": "MATCH (n:Group) WHERE n.objectsid =~ {name} RETURN n.name ORDER BY n.name DESC",
"props": {
"name": "(?i)S-1-5-.*-512"
}
},
{
"final": true,
"query": "MATCH (n:User),(m:Group {name:{result}}),p=shortestPath((n)-[r:MemberOf|AdminTo|AllExtendedRights|AddMember|ForceChangePassword|GenericAll|GenericWrite|Owns|WriteDacl|WriteOwner|ExecuteDCOM|AllowedToDelegate|ReadLAPSPassword|Contains|GpLink|AddAllowedToAct|AllowedToAct|SQLAdmin*1..]->(m)) RETURN p",
"allowCollapse": true,
"endNode": "{}"
}
]
},
{
"name": "Find users that have never logged on and account is still active",
"queryList": [{
"final": true,
"query": "MATCH (n:User) WHERE n.lastlogontimestamp=-1.0 AND n.enabled=TRUE RETURN n "
}]
}
]
}
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment