{ "queries": [ { "name": "Domains", "category": "Information Gathering", "queryList": [ { "final": true, "query": "MATCH (d:Domain) RETURN d" } ] }, { "name": "Domain Controllers", "category": "Information Gathering", "queryList": [ { "final": false, "title": "Select a Domain Controllers Group...", "query": "MATCH (n:Group) WHERE n.objectid ENDS WITH \"-516\" RETURN n.name ORDER BY n.name DESC" }, { "final": true, "query": "MATCH p=(c:Computer)-[:MemberOf*1..]->(n:Group {name: $result}) RETURN p", "allowCollapse": false } ] }, { "name": "High Value Targets", "category": "Information Gathering", "queryList": [ { "final": false, "title": "Select a Domain...", "query": "MATCH (n:Domain) RETURN n.name ORDER BY n.name DESC" }, { "final": true, "query": "MATCH p = (d:Domain {name: $result})-[r:Contains*1..]->(h {highvalue: true}) RETURN p", "allowCollapse": false } ] }, { "name": "Computers without LAPS", "category": "Information Gathering", "queryList": [ { "final": false, "title": "Select a Domain...", "query": "MATCH (n:Domain) RETURN n.name ORDER BY n.name DESC" }, { "final": true, "query": "MATCH p = (d:Domain {name: $result})-[r:Contains*1..]->(c:Computer {haslaps: false}) RETURN p" } ] }, { "name": "Owned Principals", "category": "Information Gathering", "queryList": [ { "final": true, "query": "MATCH p = (d:Domain)-[r:Contains*1..]->(o {owned: true}) RETURN p" } ] }, { "name": "Sensitive Principals by Keywords", "category": "Information Gathering", "queryList": [ { "final": true, "query": "UNWIND ['admin', 'amministratore', 'empfindlich', 'geheim', 'important', 'azure', 'MSOL', 'kennwort', 'pass', 'secret', 'sensib', 'sensitiv'] AS word MATCH (n) WHERE (toLower(n.name) CONTAINS toLower(word)) OR (toLower(n.description) CONTAINS toLower(word)) RETURN n" } ] }, { "name": "Users with Password in AD", "category": "Accounts", "queryList": [ { "final": false, "title": "Select a Domain...", "query": "MATCH (n:Domain) RETURN n.name ORDER BY n.name DESC" }, { "final": true, "query": "MATCH p = (d:Domain {name: $result})-[r:Contains*1..]->(u:User) WHERE u.userpassword IS NOT NULL RETURN p" } ] }, { "name": "Users with \"Pass\" in AD Description", "category": "Accounts", "queryList": [ { "final": false, "title": "Select a Domain...", "query": "MATCH (n:Domain) RETURN n.name ORDER BY n.name DESC" }, { "final": true, "query": "MATCH p = (d:Domain {name: $result})-[r:Contains*1..]->(u:User) WHERE u.description =~ '(?i).*pass.*' RETURN p" } ] }, { "name": "Users with Password not Required", "category": "Accounts", "queryList": [ { "final": false, "title": "Select a Domain...", "query": "MATCH (n:Domain) RETURN n.name ORDER BY n.name DESC" }, { "final": true, "query": "MATCH p = (d:Domain {name: $result})-[r:Contains*1..]->(u:User {passwordnotreqd: true}) RETURN p" } ] }, { "name": "Users with Password never Expiring", "category": "Accounts", "queryList": [ { "final": false, "title": "Select a Domain...", "query": "MATCH (n:Domain) RETURN n.name ORDER BY n.name DESC" }, { "final": true, "query": "MATCH p = (d:Domain {name: $result})-[r:Contains*1..]->(u:User {pwdneverexpires: True}) WHERE NOT u.name starts with 'KRBTGT' RETURN u" } ] }, { "name": "Users with with Same Name in Different Domains", "category": "Accounts", "queryList": [ { "final": true, "query": "MATCH (u1:User),(u2:User) WHERE split(u1.name,'@')[0] = split(u2.name,'@')[0] AND u1.domain <> u2.domain AND tointeger(split(u1.objectid,'-')[7]) >= 1000 RETURN u1" } ] }, { "name": "Protected Users", "category": "Privileged Accounts", "queryList": [ { "final": false, "title": "Select a Protected Users Group...", "query": "MATCH (n:Group) WHERE n.objectid ENDS WITH \"-525\" RETURN n.name ORDER BY n.name DESC" }, { "final": true, "query": "MATCH p=(u:User)-[:MemberOf*1..]->(n:Group {name: $result}) RETURN p" } ] }, { "name": "AdminTo Relationships", "category": "Privileged Accounts", "queryList": [ { "final": false, "title": "Select a Domain...", "query": "MATCH (n:Domain) RETURN n.name ORDER BY n.name DESC" }, { "final": true, "query": "MATCH p=(u {domain: $result})-[r:AdminTo]->(c:Computer) RETURN p" } ] }, { "name": "Administrators", "category": "Privileged Accounts", "queryList": [ { "final": false, "title": "Select a Administrators Group...", "query": "MATCH (n:Group) WHERE n.objectid ENDS WITH \"-544\" RETURN n.name ORDER BY n.name DESC" }, { "final": true, "query": "MATCH p=(u:User)-[:MemberOf*1..]->(n:Group {name: $result}) RETURN p" } ] }, { "name": "Computers in Administrators", "category": "Privileged Accounts", "queryList": [ { "final": false, "title": "Select a Administrators Group...", "query": "MATCH (n:Group) WHERE n.objectid ENDS WITH \"-544\" RETURN n.name ORDER BY n.name DESC" }, { "final": true, "query": "MATCH p = (c:Computer)-[r:MemberOf|HasSIDHistory*1..]->(g:Group {name: $result}) RETURN p", "endNode": "{}" } ] }, { "name": "Computers Local Admin to Another Computer", "category": "Privileged Accounts", "queryList": [ { "final": false, "title": "Select a Domain...", "query": "MATCH (n:Domain) RETURN n.name ORDER BY n.name DESC" }, { "final": true, "query": "MATCH p = (c1:Computer {domain: $result})-[r1:AdminTo]->(c2:Computer) RETURN p UNION ALL MATCH p = (c3:Computer {domain: $result})-[r2:MemberOf|HasSIDHistory*1..]->(g:Group)-[r3:AdminTo]->(c4:Computer) RETURN p" } ] }, { "name": "Sessions of Administrators on non DCs Computers", "category": "Privileged Accounts", "queryList": [ { "final": false, "title": "Select a Domain...", "query": "MATCH (n:Domain) RETURN n.name ORDER BY n.name DESC" }, { "final": true, "query": "MATCH (dc:Computer {domain: $result})-[r1:MemberOf*0..]->(g1:Group) WHERE g1.objectid =~ \"S-1-5-.*-516\" WITH COLLECT(dc) AS exclude MATCH p = (c:Computer {domain: $result})-[n:HasSession]->(u:User)-[r2:MemberOf*1..]->(g2:Group) WHERE NOT c IN exclude and g2.objectid ENDS WITH \"-544\" RETURN p" } ] }, { "name": "DCSync Principals not Administrators", "category": "Privileged Accounts", "queryList": [ { "final": false, "title": "Select a Domain...", "query": "MATCH (n:Domain) RETURN n.name ORDER BY n.name DESC" }, { "final": true, "query": "MATCH (admins {domain: $result})-[r1:MemberOf*0..]->(g1:Group) WHERE (g1.objectid =~ \"(?i)S-1-5-.*-512\") OR (g1.objectid =~ \"(?i)S-1-5-.*-516\") OR (g1.objectid =~ \"(?i)S-1-5-.*-518\") OR (g1.objectid =~ \"(?i)S-1-5-.*-519\") OR (g1.objectid =~ \"(?i)S-1-5-.*-520\") OR (g1.objectid =~ \"(?i)S-1-5-.*-544\") OR (g1.objectid =~ \"(?i)S-1-5-.*-548\") OR (g1.objectid =~ \"(?i)S-1-5-.*-549\") OR (g1.objectid =~ \"(?i)S-1-5-.*-551\") WITH COLLECT(admins) AS exclude MATCH p=(n1)-[:MemberOf|GetChanges*0..]->(u:Domain {name: $result}) WHERE NOT n1 IN exclude and (n1:Computer or n1:User) RETURN p" } ] }, { "name": "AS-REP Roastable Principals", "category": "Kerberos", "queryList": [ { "final": false, "title": "Select a Domain...", "query": "MATCH (n:Domain) RETURN n.name ORDER BY n.name DESC" }, { "final": true, "query": "MATCH (d:Domain {name: $result})-[r:Contains*1..]->(u {dontreqpreauth: true}) RETURN u" } ] }, { "name": "Kerberoastable Principals", "category": "Kerberos", "queryList": [ { "final": false, "title": "Select a Domain...", "query": "MATCH (n:Domain) RETURN n.name ORDER BY n.name DESC" }, { "final": true, "query": "MATCH (d:Domain {name: $result})-[r:Contains*1..]->(u {hasspn: true}) RETURN u" } ] }, { "name": "Kerberoastable Administrators", "category": "Kerberos", "queryList": [ { "final": false, "title": "Select a Domain...", "query": "MATCH (n:Domain) RETURN n.name ORDER BY n.name DESC" }, { "final": true, "query": "MATCH (admins {domain: $result})-[r1:MemberOf*0..]->(g1:Group) WHERE (g1.objectid =~ \"(?i)S-1-5-.*-512\") OR (g1.objectid =~ \"(?i)S-1-5-.*-516\") OR (g1.objectid =~ \"(?i)S-1-5-.*-518\") OR (g1.objectid =~ \"(?i)S-1-5-.*-519\") OR (g1.objectid =~ \"(?i)S-1-5-.*-520\") OR (g1.objectid =~ \"(?i)S-1-5-.*-544\") OR (g1.objectid =~ \"(?i)S-1-5-.*-548\") OR (g1.objectid =~ \"(?i)S-1-5-.*-549\") OR (g1.objectid =~ \"(?i)S-1-5-.*-551\") WITH COLLECT(admins) AS filter MATCH (d:Domain {name: $result})-[r:Contains*1..]->(u {hasspn: true}) WHERE u IN filter RETURN u" } ] }, { "name": "Constrained Delegations", "category": "Kerberos", "queryList": [ { "final": false, "title": "Select a Domain...", "query": "MATCH (n:Domain) RETURN n.name ORDER BY n.name DESC" }, { "final": true, "query": "MATCH p = (a {domain: $result})-[:AllowedToDelegate]->(c:Computer) RETURN p" } ] }, { "name": "Constrained Delegations with Protocol Transition (trustedToAuth)", "category": "Kerberos", "queryList": [ { "final": false, "title": "Select a Domain...", "query": "MATCH (n:Domain) RETURN n.name ORDER BY n.name DESC" }, { "final": true, "query": "MATCH p = (a {domain: $result, trustedtoauth: true})-[:AllowedToDelegate]->(c:Computer) RETURN p" } ] }, { "name": "Computers Allowed to Delegate for Another Computer", "category": "Kerberos", "queryList": [ { "final": false, "title": "Select a Domain...", "query": "MATCH (n:Domain) RETURN n.name ORDER BY n.name DESC" }, { "final": true, "query": "MATCH p = (c1:Computer {domain: $result})-[:AllowedToDelegate]->(c2:Computer) RETURN p" } ] }, { "name": "Unconstrained Delegation Principals", "category": "Kerberos", "queryList": [ { "final": false, "title": "Select a Domain...", "query": "MATCH (n:Domain) RETURN n.name ORDER BY n.name DESC" }, { "final": true, "query": "MATCH (dca)-[r:MemberOf*0..]->(g:Group) WHERE g.objectid =~ \"S-1-5-.*-516\" OR g.objectid =~ \".*-S-1-5-32-544\" WITH COLLECT(dca) AS exclude MATCH p = (d:Domain {name: $result})-[r:Contains*1..]->(uc {unconstraineddelegation: true}) WHERE (uc:User OR uc:Computer) AND NOT uc IN exclude RETURN p" } ] }, { "name": "Resource-Based Constrained Delegation Principals", "category": "Kerberos", "queryList": [ { "final": false, "title": "Select a Domain...", "query": "MATCH (n:Domain) RETURN n.name ORDER BY n.name DESC" }, { "final": true, "query": "MATCH p=(m)-[r:AllowedToAct]->(n) RETURN p" } ] }, { "name": "Configure Resource-Based Constrained Delegation Permissions", "category": "Kerberos", "queryList": [ { "final": false, "title": "Select a Domain...", "query": "MATCH (n:Domain) RETURN n.name ORDER BY n.name DESC" }, { "final": true, "query": "MATCH p=(m)-[r:AddAllowedToAct]->(n) RETURN p" } ] }, { "name": "Interesting GPOs by Keyword", "category": "Group Policies", "queryList": [ { "final": false, "title": "Select a Domain...", "query": "MATCH (n:Domain) RETURN n.name ORDER BY n.name DESC" }, { "final": true, "query": "UNWIND [\"360totalsecurity\", \"access\", \"acronis\", \"adaware\", \"admin\", \"admin\", \"aegislab\", \"ahnlab\", \"alienvault\", \"altavista\", \"amsi\", \"anti-virus\", \"antivirus\", \"antiy\", \"apexone\", \"applock\", \"arcabit\", \"arcsight\", \"atm\", \"atp\", \"av\", \"avast\", \"avg\", \"avira\", \"baidu\", \"baiduspider\", \"bank\", \"barracuda\", \"bingbot\", \"bitdefender\", \"bluvector\", \"canary\", \"carbon\", \"carbonblack\", \"certificate\", \"check\", \"checkpoint\", \"citrix\", \"clamav\", \"code42\", \"comodo\", \"countercept\", \"countertack\", \"credential\", \"crowdstrike\", \"custom\", \"cyberark\", \"cybereason\", \"cylance\", \"cynet360\", \"cyren\", \"darktrace\", \"datadog\", \"defender\", \"druva\", \"drweb\", \"duckduckbot\", \"edr\", \"egambit\", \"emsisoft\", \"encase\", \"endgame\", \"ensilo\", \"escan\", \"eset\", \"exabot\", \"exception\", \"f-secure\", \"f5\", \"falcon\", \"fidelis\", \"fireeye\", \"firewall\", \"fix\", \"forcepoint\", \"forti\", \"fortigate\", \"fortil\", \"fortinet\", \"gdata\", \"gravityzone\", \"guard\", \"honey\", \"huntress\", \"identity\", \"ikarussecurity\", \"insight\", \"ivanti\", \"juniper\", \"k7antivirus\", \"k7computing\", \"kaspersky\", \"kingsoft\", \"kiosk\", \"laps\", \"lightcyber\", \"logging\", \"logrhythm\", \"lynx\", \"malwarebytes\", \"manageengine\", \"mass\", \"mcafee\", \"microsoft\", \"mj12bot\", \"msnbot\", \"nanoav\", \"nessus\", \"netwitness\", \"office365\", \"onedrive\", \"orion\", \"palo\", \"paloalto\", \"paloaltonetworks\", \"panda\", \"pass\", \"powershell\", \"proofpoint\", \"proxy\", \"qradar\", \"rdp\", \"rsa\", \"runasppl\", \"sandboxe\", \"sap\", \"scanner\", \"scanning\", \"sccm\", \"script\", \"secret\", \"secureage\", \"secureworks\", \"security\", \"sensitive\", \"sentinel\", \"sentinelone\", \"slurp\", \"smartcard\", \"sogou\", \"solarwinds\", \"sonicwall\", \"sophos\", \"splunk\", \"superantispyware\", \"symantec\", \"tachyon\", \"temporary\", \"tencent\", \"totaldefense\", \"transfer\", \"trapmine\", \"trend micro\", \"trendmicro\", \"trusteer\", \"trustlook\", \"uac\", \"vdi\", \"virusblokada\", \"virustotal\", \"virustotalcloud\", \"vpn\", \"vuln\", \"webroot\", \"whitelist\", \"wifi\", \"winrm\", \"workaround\", \"yubikey\", \"zillya\", \"zonealarm\", \"zscaler\"] as word match (n:GPO {domain: $result}) where toLower(n.name) CONTAINS toLower(word) RETURN n" } ] }, { "name": "GPO Permissions of Non-Admin Principals", "category": "Group Policies", "queryList": [ { "final": false, "title": "Select a Domain...", "query": "MATCH (n:Domain) RETURN n.name ORDER BY n.name DESC" }, { "final": true, "query": "MATCH (u1:user {domain: $result})-[r:MemberOf*1..]->(n:Group) WHERE (n.objectid =~ \"(?i)S-1-5-.*-512\") OR (n.objectid =~ \"(?i)S-1-5-.*-516\") OR (n.objectid =~ \"(?i)S-1-5-.*-518\") OR (n.objectid =~ \"(?i)S-1-5-.*-519\") OR (n.objectid =~ \"(?i)S-1-5-.*-520\") OR (n.objectid =~ \"(?i)S-1-5-.*-544\") OR (n.objectid =~ \"(?i)S-1-5-.*-548\") OR (n.objectid =~ \"(?i)S-1-5-.*-549\") OR (n.objectid =~ \"(?i)S-1-5-.*-551\") WITH COLLECT(u1) AS exclude MATCH p = (u2:User)-[r:AddMember|AddSelf|WriteSPN|AddKeyCredentialLink|AllExtendedRights|ForceChangePassword|GenericAll|GenericWrite|WriteDacl|WriteOwner|Owns]->(g:GPO) WHERE NOT u2 IN exclude RETURN p" } ] }, { "name": "LAPS Passwords Readable by Non-Admin", "category": "DACL Abuse", "queryList": [ { "final": false, "title": "Select a Domain...", "query": "MATCH (n:Domain) RETURN n.name ORDER BY n.name DESC" }, { "final": true, "query": "MATCH (u1:user {domain: $result})-[r:MemberOf*1..]->(n:Group) WHERE (n.objectid =~ \"(?i)S-1-5-.*-512\") OR (n.objectid =~ \"(?i)S-1-5-.*-516\") OR (n.objectid =~ \"(?i)S-1-5-.*-518\") OR (n.objectid =~ \"(?i)S-1-5-.*-519\") OR (n.objectid =~ \"(?i)S-1-5-.*-520\") OR (n.objectid =~ \"(?i)S-1-5-.*-544\") OR (n.objectid =~ \"(?i)S-1-5-.*-548\") OR (n.objectid =~ \"(?i)S-1-5-.*-549\") OR (n.objectid =~ \"(?i)S-1-5-.*-551\") WITH COLLECT(u1) AS exclude MATCH p = (u2)-[r1:MemberOf*1..]->(g:Group)-[r2:GenericAll]->(t:Computer {haslaps:true}) WHERE NOT u2 IN exclude RETURN p" } ] }, { "name": "LAPS Passwords Readable by Owned Principals", "category": "DACL Abuse", "queryList": [ { "final": true, "query": "MATCH p = (n {owned: true})-[r1:MemberOf*1..]->(g:Group)-[r2:GenericAll]->(t:Computer {haslaps:true}) RETURN p" } ] }, { "name": "ACLs to Computers (excluding High Value Targets)", "category": "DACL Abuse", "queryList": [ { "final": false, "title": "Select a Domain...", "query": "MATCH (n:Domain) RETURN n.name ORDER BY n.name DESC" }, { "final": true, "query": "MATCH p = (ucg {highvalue: false})-[r {isacl: true}]->(c:Computer {domain: $result}) WHERE (ucg:User OR ucg:Computer OR ucg:Group) RETURN p" } ] }, { "name": "Group Delegated Outbound Object Control of Owned Principals", "category": "DACL Abuse", "queryList": [ { "final": true, "query": "MATCH p = (n {owned: true})-[r1:MemberOf*1..]->(g:Group)-[r2 {isacl: true}]->(t) RETURN p" } ] }, { "name": "Dangerous Rights for Groups under Domain Users", "category": "DACL Abuse", "queryList": [ { "final": false, "title": "Select a Domain...", "query": "MATCH (n:Domain) RETURN n.name ORDER BY n.name DESC" }, { "final": true, "query": "MATCH p=(m:Group {domain: $result})-[r1:MemberOf*1..]->(g:Group)-[:Owns|WriteDacl|GenericAll|WriteOwner|ExecuteDCOM|GenericWrite|AllowedToDelegate|ForceChangePassword]->(n) WHERE m.objectid ENDS WITH '-513' RETURN p" } ] }, { "name": "Set DCSync Principals as High Value Targets", "category": "Adding High-Value Targets", "queryList": [ { "final": true, "query": "MATCH (s)-[r:MemberOf|GetChanges*1..]->(d:Domain) WITH s, d MATCH (s)-[r:MemberOf|GetChangesAll*1..]->(d) WITH s, d MATCH p = (s)-[r:MemberOf|GetChanges|GetChangesAll*1..]->(d) WHERE s.highvalue = false SET s.highvalue = true, s.highvaluereason = 'DCSync Principal' RETURN p" } ] }, { "name": "Set Unconstrained Delegation Principals as High Value Targets", "category": "Adding High-Value Targets", "queryList": [ { "final": true, "query": "MATCH p = (d:Domain)-[r:Contains*1..]->(uc) WHERE (uc:User OR uc:Computer) AND uc.unconstraineddelegation = true AND uc.highvalue = false SET uc.highvalue = true, uc.highvaluereason = 'Unconstrained Delegation Principal' RETURN p" } ] }, { "name": "Set Local Admin or Reset Password Principals as High Value Targets", "category": "Adding High-Value Targets", "queryList": [ { "final": true, "query": "MATCH (a)-[r:AdminTo|ForceChangePassword]->(b) WHERE a.highvalue = false SET a.highvalue = true, a.highvaluereason = 'Local Admin or Reset Password Principal' RETURN a" } ] }, { "name": "Set Principals with Privileges on Computers as High Value Targets", "category": "Adding High-Value Targets", "queryList": [ { "final": true, "query": "MATCH (a)-[r:AllowedToDelegate|ExecuteDCOM|ForceChangePassword|GenericAll|GenericWrite|Owns|WriteDacl|WriteOwner]->(n:Computer) WHERE a.highvalue = false SET a.highvalue = true, a.highvaluereason = 'Principal with Privileges on Computers' RETURN a" } ] }, { "name": "Set Principals with Privileges on Cert Publishers as High Value Targets", "category": "Adding High-Value Targets", "queryList": [ { "final": true, "query": "MATCH (a)-[r:GenericAll|GenericWrite|MemberOf|Owns|WriteDacl|WriteOwner]->(g:Group) WHERE g.objectid =~ 'S-1-5-21-.*-517' AND a.highvalue = false SET a.highvalue = true, a.highvaluereason = 'Principal with Privileges on the Cert Publisher group' RETURN a" } ] }, { "name": "Set Members of High Value Targets Groups as High Value Targets", "category": "Adding High-Value Targets", "queryList": [ { "final": true, "query": "MATCH (a)-[r:MemberOf*1..]->(g:Group) WHERE a.highvalue = false AND g.highvalue = true SET a.highvalue = true, a.highvaluereason = 'Member of High Value Target Group' RETURN a" } ] }, { "name": "Remove Inactive Users and Computers from High Value Targets", "category": "Adding High-Value Targets", "queryList": [ { "final": true, "query": "MATCH (uc) WHERE uc.highvalue = true AND ((uc:User AND uc.enabled = false) OR (uc:Computer AND ((uc.enabled = false) OR (uc.lastlogon > 0 AND uc.lastlogon < (TIMESTAMP() / 1000 - 15552000)) OR (uc.lastlogontimestamp > 0 AND uc.lastlogontimestamp < (TIMESTAMP() / 1000 - 15552000))))) SET uc.highvalue = false, uc.nothighvaluereason = 'Inactive' RETURN uc" } ] }, { "name": "Shortest Paths to Domain (including Computers)", "category": "Shortest Paths", "queryList": [ { "final": false, "title": "Select a Domain...", "query": "MATCH (d:Domain) RETURN d.name ORDER BY d.name ASC" }, { "final": true, "query": "MATCH p = allShortestPaths((uc)-[r:{}*1..]->(d:Domain {name: $result})) WHERE (uc:User OR uc:Computer) RETURN p", "endNode": "{}" } ] }, { "name": "Shortest Paths to no LAPS", "category": "Shortest Paths", "queryList": [ { "final": true, "query": "MATCH p = allShortestPaths((uc)-[r:{}*1..]->(c:Computer)) WHERE (uc:User OR uc:Computer) AND NOT uc = c AND c.haslaps = false RETURN p" } ] }, { "name": "Shortest Paths from Kerberoastable Users to Computers", "category": "Shortest Paths", "queryList": [ { "final": true, "query": "MATCH p = allShortestPaths((u:User)-[r:{}*1..]->(c:Computer)) WHERE u.hasspn = true RETURN p" } ] }, { "name": "Shortest Paths from Kerberoastable Users to High Value Targets", "category": "Shortest Paths", "queryList": [ { "final": true, "query": "MATCH p = allShortestPaths((u:User)-[r:{}*1..]->(h)) WHERE u.hasspn = true AND h.highvalue = true RETURN p" } ] }, { "name": "Shortest Paths from Owned Principals (including everything)", "category": "Shortest Paths", "queryList": [ { "final": true, "query": "MATCH p = allShortestPaths((u:User)-[r:{}*1..]->(a)) WHERE u.owned = true AND u <> a RETURN p" } ] }, { "name": "Shortest Paths from Owned Principals to Domain", "category": "Shortest Paths", "queryList": [ { "final": false, "title": "Select a Domain...", "query": "MATCH (d:Domain) RETURN d.name ORDER BY d.name ASC" }, { "final": true, "query": "MATCH p = allShortestPaths((o)-[r:{}*1..]->(d:Domain)) WHERE o.owned = true AND d.name = $result RETURN p", "endNode": "{}" } ] }, { "name": "Shortest Paths from Owned Principals to High Value Targets", "category": "Shortest Paths", "queryList": [ { "final": true, "query": "MATCH p = allShortestPaths((o)-[r:{}*1..]->(h)) WHERE o.owned = true AND h.highvalue = true RETURN p" } ] }, { "name": "Shortest Paths from Owned Principals to no LAPS", "category": "Shortest Paths", "queryList": [ { "final": true, "query": "MATCH p = allShortestPaths((o)-[r:{}*1..]->(c:Computer)) WHERE NOT o = c AND o.owned = true AND c.haslaps = false RETURN p" } ] }, { "name": "Shortest Paths from no Signing to Domain", "category": "Shortest Paths", "queryList": [ { "final": false, "title": "Select a Domain...", "query": "MATCH (d:Domain) RETURN d.name ORDER BY d.name ASC" }, { "final": true, "query": "MATCH p = allShortestPaths((c:Computer)-[r:{}*1..]->(d:Domain)) WHERE c.hassigning = false AND d.name = $result RETURN p", "endNode": "{}" } ] }, { "name": "Shortest Paths from no Signing to High Value Targets", "category": "Shortest Paths", "queryList": [ { "final": true, "query": "MATCH p = allShortestPaths((c:Computer)-[r:{}*1..]->(h)) WHERE NOT c = h AND c.hassigning = false AND h.highvalue = true RETURN p" } ] }, { "name": "Shortest Paths from Domain Users and Domain Computers (including everything)", "category": "Shortest Paths", "queryList": [ { "final": true, "query": "MATCH p = allShortestPaths((g:Group)-[r:{}*1..]->(a)) WHERE (g.objectid =~ $domain_users_id OR g.objectid =~ $domain_computers_id) AND g <> a RETURN p", "props": { "domain_users_id": "S-1-5-.*-513", "domain_computers_id": "S-1-5-.*-515" } } ] } ] }