{ "queries": [ { "name": "Owned objects", "category": "Tigers love pepper", "queryList": [{ "final": true, "query": "MATCH (m) WHERE m.owned=TRUE RETURN m" }] }, { "name": "Direct groups of owned users", "category": "Tigers love pepper", "queryList": [{ "final": true, "query": "MATCH (u:User {owned:true}), (g:Group), p=(u)-[:MemberOf]->(g) RETURN p", "props": {}, "allowCollapse": true }] }, { "name": "Unrolled groups of owned users", "category": "Tigers love pepper", "queryList": [{ "final": true, "query": "MATCH (m:User) WHERE m.owned=TRUE WITH m MATCH p=(m)-[:MemberOf*1..]->(n:Group) RETURN p" }] }, { "name": "Shortest paths from owned objects to High Value Targets (5 hops)", "category": "Tigers love pepper", "queryList": [{ "final": true, "query": "MATCH p=shortestPath((n {owned:true})-[:MemberOf|HasSession|AdminTo|AllExtendedRights|AddMember|ForceChangePassword|GenericAll|GenericWrite|Owns|WriteDacl|WriteOwner|CanRDP|ExecuteDCOM|AllowedToDelegate|ReadLAPSPassword|Contains|GpLink|AddAllowedToAct|AllowedToAct|SQLAdmin|ReadGMSAPassword|HasSIDHistory|CanPSRemote*1..5]->(m {highvalue:true})) WHERE NOT n=m RETURN p", "allowCollapse": true }] }, { "name": "Most exploitable paths from owned objects to High Value Targets (5 hops)", "category": "Tigers love pepper", "queryList": [{ "final": true, "query": "MATCH p=allShortestPaths((n {owned:true})-[:MemberOf|AdminTo|AllExtendedRights|AddMember|ForceChangePassword|GenericAll|GenericWrite|Owns|WriteDacl|WriteOwner|ExecuteDCOM|AllowedToDelegate|ReadLAPSPassword|Contains|GpLink|AddAllowedToAct|AllowedToAct|SQLAdmin|ReadGMSAPassword|HasSIDHistory*1..5]->(m {highvalue:true})) WHERE NOT n=m RETURN p", "allowCollapse": true }] }, { "name": "Next steps (5 hops) from owned objects", "category": "Tigers love pepper", "queryList": [{ "final": true, "query": "MATCH p=shortestPath((c {owned: true})-[*1..5]->(s)) WHERE NOT c = s RETURN p" }] }, { "name": "Next steps (3 hops) from owned objects", "category": "Tigers love pepper", "queryList": [{ "final": true, "query": "MATCH p=shortestPath((c {owned: true})-[*1..3]->(s)) WHERE NOT c = s RETURN p" }] }, { "name": "Connections between different domains/forests", "category": "Tigers love pepper", "queryList": [{ "final": true, "query": "MATCH p = (a)-[r]->(b) WHERE NOT a.domain = b.domain RETURN p" }] }, { "name": "Connections (ACEs only) between different domains/forests", "category": "Tigers love pepper", "queryList": [{ "final": true, "query": "MATCH p = (a)-[r]->(b) WHERE NOT a.domain = b.domain AND r.isacl = True RETURN p" }] }, { "name": "Owned users with permissions against GPOs", "category": "Tigers love pepper", "queryList": [{ "final": true, "query": "MATCH p=(u:User {owned:true})-[r:AllExtendedRights|GenericAll|GenericWrite|Owns|WriteDacl|WriteOwner|GpLink*1..]->(g:GPO) RETURN p" }] }, { "name": "Kerberoastable users with a path to DA", "category": "They hate cinnamon", "queryList": [{ "final": true, "query": "MATCH (u:User {hasspn:true}) MATCH (g:Group) WHERE g.objectid ENDS WITH '-512' MATCH p = shortestPath( (u)-[*1..]->(g) ) RETURN p" }] }, { "name": "Kerberoastable users with a path to High Value", "category": "They hate cinnamon", "queryList": [{ "final": true, "query": "MATCH (u:User {hasspn:true}),(n {highvalue:true}),p = shortestPath( (u)-[*1..]->(n) ) RETURN p" }] }, { "name": " Kerberoastable users and where they are AdminTo", "category": "They hate cinnamon", "queryList": [{ "final": true, "query": "OPTIONAL MATCH (u1:User) WHERE u1.hasspn=true OPTIONAL MATCH (u1)-[r:AdminTo]->(c:Computer) RETURN u" }] }, { "name": "Kerberoastable users who are members of high value groups", "category": "They hate cinnamon", "queryList": [{ "final": true, "query": "MATCH (u:User)-[r:MemberOf*1..]->(g:Group) WHERE g.highvalue=true AND u.hasspn=true RETURN u" }] }, { "name": "Kerberoastable users with passwords last set > 5 years ago", "category": "They hate cinnamon", "queryList": [{ "final": true, "query": "MATCH (u:User) WHERE n.hasspn=true AND WHERE u.pwdlastset < (datetime().epochseconds - (1825 * 86400)) and NOT u.pwdlastset IN [-1.0, 0.0] RETURN u" }] }, { "name": "Kerberoastable Users", "category": "They hate cinnamon", "queryList": [{ "final": true, "query": "MATCH (n:User)WHERE n.hasspn=true RETURN n", "allowCollapse": false }] }, { "name": "AS-REProastable Users", "category": "They hate cinnamon", "queryList": [{ "final": true, "query": "MATCH (u:User {dontreqpreauth: true}) RETURN u" }] }, { "name": "Unconstrained Delegations", "category": "Ready to let the dogs out?", "queryList": [{ "final": true, "query": "MATCH (c {unconstraineddelegation:true}) return c" }] }, { "name": "Constrained Delegations (with Protocol Transition)", "category": "Ready to let the dogs out?", "queryList": [{ "final": true, "query": "MATCH (c) WHERE NOT c.allowedtodelegate IS NULL AND c.trustedtoauth=true return c" }] }, { "name": "Constrained Delegations (without Protocol Transition)", "category": "Ready to let the dogs out?", "queryList": [{ "final": true, "query": "MATCH (c) WHERE NOT c.allowedtodelegate IS NULL AND c.trustedtoauth=false return c" }] }, { "name": "Resource-Based Constrained Delegations", "category": "Ready to let the dogs out?", "queryList": [{ "final": true, "query": "MATCH p=(u)-[:AllowedToAct]->(c) RETURN p" }] }, { "name": "Unconstrained Delegation systems (without domain controllers)", "category": "Ready to let the dogs out?", "queryList": [{ "final": true, "query": "MATCH (c1:Computer)-[:MemberOf*1..]->(g:Group) WHERE g.objectid ENDS WITH '-516' WITH COLLECT(c1.name) AS domainControllers MATCH (c2 {unconstraineddelegation:true}) WHERE NOT c2.name IN domainControllers RETURN c2" }] }, { "name": "(Warning: edits the DB) Mark unconstrained delegation systems as high value targets", "category": "Ready to let the dogs out?", "queryList": [{ "final": true, "query": "MATCH (c1:Computer)-[:MemberOf*1..]->(g:Group) WHERE g.objectid ENDS WITH '-516' WITH COLLECT(c1.name) AS domainControllers MATCH (c2 {unconstraineddelegation:true}) WHERE NOT c2.name IN domainControllers SET c2.highvalue = true RETURN c2" }] }, { "name": "Shortest paths from owned principals to unconstrained delegation systems", "category": "Ready to let the dogs out?", "queryList": [{ "final": true, "query": "MATCH (n {owned:true}) MATCH p=shortestPath((n)-[:MemberOf|HasSession|AdminTo|AllExtendedRights|AddMember|ForceChangePassword|GenericAll|GenericWrite|Owns|WriteDacl|WriteOwner|ExecuteDCOM|AllowedToDelegate|ReadLAPSPassword|Contains|GpLink|AddAllowedToAct|AllowedToAct|SQLAdmin|ReadGMSAPassword|HasSIDHistory|CanPSRemote*1..]->(m:Computer {unconstraineddelegation: true})) WHERE NOT n=m RETURN p" }] }, { "name": "Find computers admin to other computers", "category": "A nerdy hillbilly", "queryList": [{ "final": true, "query": "MATCH p = (c1:Computer)-[r1:AdminTo]->(c2:Computer) RETURN p UNION ALL MATCH p = (c3:Computer)-[r2:MemberOf*1..]->(g:Group)-[r3:AdminTo]->(c4:Computer) RETURN p" }] }, { "name": "Logged in Admins", "category": "A nerdy hillbilly", "queryList": [{ "final": true, "query": "MATCH p=(a:Computer)-[r:HasSession]->(b:User) WITH a,b,r MATCH p=shortestPath((b)-[:AdminTo|MemberOf*1..]->(a)) RETURN p", "allowCollapse": true }] }, { "name": "Users with local admin rights", "category": "A nerdy hillbilly", "queryList": [{ "final": true, "query": "MATCH p=(m:User)-[r:AdminTo]->(n:Computer) RETURN p" }] }, { "name": "Domain admin sessions", "category": "A nerdy hillbilly", "queryList": [{ "final": true, "query": "MATCH (n:User)-[:MemberOf]->(g:Group) WHERE g.objectid ENDS WITH '-512' MATCH p = (c:Computer)-[:HasSession]->(n) return p" }] }, { "name": "Users with adminCount, not sensitive for delegation, not members of Protected Users", "category": "A nerdy hillbilly", "queryList": [{ "final": true, "query": "MATCH (u)-[:MemberOf*1..]->(g:Group) WHERE g.objectid =~ \"(?i)S-1-5-.*-525\" WITH COLLECT (u.name) as protectedUsers MATCH p=(u2:User)-[:MemberOf*1..3]->(g2:Group) WHERE u2.admincount=true AND u2.sensitive=false AND NOT u2.name IN protectedUsers RETURN p" }] }, { "name": "Objects with the AddAllowedToAct or WriteAccountRestrictions right on a computer", "category": "A nerdy hillbilly", "queryList": [{ "final": true, "query": "MATCH p=(g)-[:AddAllowedToAct|WriteAccountRestrictions]->(c:Computer) RETURN p" }] }, { "name": "Groups that contain the word 'admin'", "category": "A one-man wolf pack", "queryList": [{ "final": true, "query": "Match (n:Group) WHERE n.name CONTAINS 'ADMIN' RETURN n" }] }, { "name": "Groups of High Value Targets", "category": "A one-man wolf pack", "queryList": [{ "final": true, "query": "MATCH p=(n:User)-[r:MemberOf*1..]->(m:Group {highvalue:true}) RETURN p" }] }, { "name": "Non Admin Groups with High Value Privileges", "category": "A one-man wolf pack", "queryList": [{ "final": true, "query": "MATCH p=(g:Group)-[r:Owns|:WriteDacl|:GenericAll|:WriteOwner|:ExecuteDCOM|:GenericWrite|:AllowedToDelegate|:ForceChangePassword]->(n:Computer) WHERE NOT g.name CONTAINS 'ADMIN' RETURN p", "allowCollapse": true }] }, { "name": "Groups with Computer and User Objects", "category": "A one-man wolf pack", "queryList": [{ "final": true, "query": "MATCH (c:Computer)-[r:MemberOf*1..]->(groupsWithComps:Group) WITH groupsWithComps MATCH (u:User)-[r:MemberOf*1..]->(groupsWithComps) RETURN DISTINCT(groupsWithComps) as groupsWithCompsAndUsers", "allowCollapse": true, "endNode": "{}" }] }, { "name": "Groups that can reset passwords (Warning: Heavy)", "category": "A one-man wolf pack", "queryList": [{ "final": true, "query": "MATCH p=(m:Group)-[r:ForceChangePassword]->(n:User) RETURN p" }] }, { "name": "Groups that have local admin rights (Warning: Heavy)", "category": "A one-man wolf pack", "queryList": [{ "final": true, "query": "MATCH p=(m:Group)-[r:AdminTo]->(n:Computer) RETURN p" }] }, { "name": "Users never logged on and account still active", "category": "There are skittles in there!", "queryList": [{ "final": true, "query": "MATCH (n:User) WHERE n.lastlogontimestamp=-1.0 AND n.enabled=TRUE RETURN n " }] }, { "name": "Users logged in the last 90 days", "category": "There are skittles in there!", "queryList": [{ "final": true, "query": "MATCH (u:User) WHERE u.lastlogon < (datetime().epochseconds - (90 * 86400)) and NOT u.lastlogon IN [-1.0, 0.0] RETURN u" }] }, { "name": "Users with passwords last set in the last 90 days", "category": "There are skittles in there!", "queryList": [{ "final": true, "query": "MATCH (u:User) WHERE u.pwdlastset < (datetime().epochseconds - (90 * 86400)) and NOT u.pwdlastset IN [-1.0, 0.0] RETURN u" }] }, { "name": "Find if unprivileged users have rights to add members into groups", "category": "There are skittles in there!", "queryList": [{ "final": true, "query": "MATCH (n:User {admincount:False}) MATCH p=allShortestPaths((n)-[r:AddMember*1..]->(m:Group)) RETURN p" }] }, { "name": "Find all users a part of the VPN group", "category": "There are skittles in there!", "queryList": [{ "final": true, "query": "Match p=(u:User)-[:MemberOf]->(g:Group) WHERE toUPPER (g.name) CONTAINS 'VPN' return p" }] }, { "name": "View all GPOs", "category": "There are skittles in there!", "queryList": [{ "final": true, "query": "Match (n:GPO) RETURN n" }] }, { "name": "Find if any domain user has interesting permissions against a GPO (Warning: Heavy)", "category": "There are skittles in there!", "queryList": [{ "final": true, "query": "MATCH p=(u:User)-[r:AllExtendedRights|GenericAll|GenericWrite|Owns|WriteDacl|WriteOwner|GpLink*1..]->(g:GPO) RETURN p" }] }, { "name": "Can a user from domain ‘A ‘ do anything to any computer in domain ‘B’ (Warning: VERY Heavy)", "category": "There are skittles in there!", "queryList": [{ "final": false, "title": "Select source domain...", "query": "MATCH (n:Domain) RETURN n.name ORDER BY n.name DESC" }, { "final": false, "title": "Select destination domain...", "query": "MATCH (n:Domain) RETURN n.name ORDER BY n.name DESC" }, { "final": true, "query": "MATCH (n:User {domain: {result}}) MATCH (m:Computer {domain: {}}) MATCH p=allShortestPaths((n)-[r:MemberOf|HasSession|AdminTo|AllExtendedRights|AddMember|ForceChangePassword|GenericAll|GenericWrite|Owns|WriteDacl|WriteOwner|CanRDP|ExecuteDCOM|AllowedToDelegate|ReadLAPSPassword|Contains|GpLink|AddAllowedToAct|AllowedToAct|SQLAdmin*1..]->(m)) RETURN p", "startNode": "{}", "allowCollapse": false } ] }, { "name": "Find all computers running with Windows XP", "category": "It’s not illegal. It’s frowned upon", "queryList": [{ "final": true, "query": "MATCH (c:Computer) WHERE toUpper(c.operatingsystem) CONTAINS 'XP' RETURN c" }] }, { "name": "Find all computers running with Windows 2000", "category": "It’s not illegal. It’s frowned upon", "queryList": [{ "final": true, "query": "MATCH (c:Computer) WHERE toUpper(c.operatingsystem) CONTAINS '2000' RETURN c" }] }, { "name": "Find all computers running with Windows 2003", "category": "It’s not illegal. It’s frowned upon", "queryList": [{ "final": true, "query": "MATCH (c:Computer) WHERE toUpper(c.operatingsystem) CONTAINS '2003' RETURN c" }] }, { "name": "Find all computers running with Windows 2008", "category": "It’s not illegal. It’s frowned upon", "queryList": [{ "final": true, "query": "MATCH (c:Computer) WHERE toUpper(c.operatingsystem) CONTAINS '2008' RETURN c" }] }, { "name": "Find all computers running with Windows Vista", "category": "It’s not illegal. It’s frowned upon", "queryList": [{ "final": true, "query": "MATCH (c:Computer) WHERE toUpper(c.operatingsystem) CONTAINS 'VISTA' RETURN c" }] }, { "name": "Find all computers running with Windows 7", "category": "It’s not illegal. It’s frowned upon", "queryList": [{ "final": true, "query": "MATCH (c:Computer) WHERE toUpper(c.operatingsystem) CONTAINS '7' RETURN c" }] }, { "name": "Top Ten Users with Most Sessions", "category": "Not at the table Carlos!", "queryList": [{ "final": true, "query": "MATCH (n:User),(m:Computer), (n)<-[r:HasSession]-(m) WHERE NOT n.name STARTS WITH 'ANONYMOUS LOGON' AND NOT n.name='' WITH n, count(r) as rel_count order by rel_count desc LIMIT 10 MATCH p=(m)-[r:HasSession]->(n) RETURN p", "allowCollapse": true }] }, { "name": "Top Ten Computers with Most Sessions", "category": "Not at the table Carlos!", "queryList": [{ "final": true, "query": "MATCH (n:User),(m:Computer), (n)<-[r:HasSession]-(m) WHERE NOT n.name STARTS WITH 'ANONYMOUS LOGON' AND NOT n.name='' WITH m, count(r) as rel_count order by rel_count desc LIMIT 10 MATCH p=(m)-[r:HasSession]->(n) RETURN p", "allowCollapse": true }] }, { "name": "Top Ten Users with Most Local Admin Rights", "category": "Not at the table Carlos!", "queryList": [{ "final": true, "query": "MATCH (n:User),(m:Computer), (n)-[r:AdminTo]->(m) WHERE NOT n.name STARTS WITH 'ANONYMOUS LOGON' AND NOT n.name='' WITH n, count(r) as rel_count order by rel_count desc LIMIT 10 MATCH p=(m)<-[r:AdminTo]-(n) RETURN p", "allowCollapse": true }] }, { "name": "Top Ten Computers with Most Admins and their admins", "category": "Not at the table Carlos!", "queryList": [{ "final": true, "query": "MATCH (n:User),(m:Computer), (n)-[r:AdminTo]->(m) WHERE NOT n.name STARTS WITH 'ANONYMOUS LOGON' AND NOT n.name='' WITH m, count(r) as rel_count order by rel_count desc LIMIT 10 MATCH p=(m)<-[r:AdminTo]-(n) RETURN p", "allowCollapse": true }] }, { "name": "Top Ten Computers with Most Admins", "category": "Not at the table Carlos!", "queryList": [{ "final": true, "query": "MATCH (n:User),(m:Computer), (n)-[r:AdminTo]->(m) WHERE NOT n.name STARTS WITH 'ANONYMOUS LOGON' AND NOT n.name='' WITH m, count(r) as rel_count order by rel_count desc LIMIT 10 MATCH p=(m)<-[r:AdminTo]-(n) RETURN m", "allowCollapse": true }] }, { "name": "(Warning: edits the DB) Mark Top Ten Computers with Most Admins as HVT", "category": "Not at the table Carlos!", "queryList": [{ "final": true, "query": "MATCH (n:User),(m:Computer), (n)-[r:AdminTo]->(m) WHERE NOT n.name STARTS WITH 'ANONYMOUS LOGON' AND NOT n.name='' WITH m, count(r) as rel_count order by rel_count desc LIMIT 10 MATCH p=(m)<-[r:AdminTo]-(n) SET m.highvalue = true RETURN m", "allowCollapse": true }] }, { "name": "Top 20 nodes with most first degree object controls", "category": "Not at the table Carlos!", "queryList": [{ "final": true, "query": "MATCH p=(u)-[r1]->(n) WHERE r1.isacl = true WITH u, count(r1) AS count_ctrl ORDER BY count_ctrl DESC LIMIT 20 RETURN u", "allowCollapse": true }] }, { "name": "Top ten nodes with most group delegated object controls", "category": "Not at the table Carlos!", "queryList": [{ "final": true, "query": "MATCH p=(u)-[r1:MemberOf*1..]->(g:Group)-[r2]->(n) WHERE r2.isacl=true WITH u, count(r2) AS count_ctrl ORDER BY count_ctrl DESC LIMIT 20 RETURN u", "allowCollapse": true }] }, { "name": "Find machines Domain Users can RDP into", "category": "We can’t find Doug", "queryList": [{ "final": true, "query": "match p=(g:Group)-[:CanRDP]->(c:Computer) where g.objectid ENDS WITH '-513' return p" }] }, { "name": "Find Servers Domain Users can RDP To", "category": "We can’t find Doug", "queryList": [{ "final": true, "query": "match p=(g:Group)-[:CanRDP]->(c:Computer) where g.name STARTS WITH 'DOMAIN USERS' AND c.operatingsystem CONTAINS 'Server' return p", "allowCollapse": true }] }, { "name": "Find what groups can RDP", "category": "We can’t find Doug", "queryList": [{ "final": true, "query": "MATCH p=(m:Group)-[r:CanRDP]->(n:Computer) RETURN p" }] }, { "name": "Return All Azure Users that are part of the ‘Global Administrator’ Role", "category": "It's called a satchel", "queryList": [{ "final": true, "query": "MATCH p =(n)-[r:AZGlobalAdmin*1..]->(m) RETURN p" }] }, { "name": "Return All On-Prem users with edges to Azure", "category": "It's called a satchel", "queryList": [{ "final": true, "query": "MATCH p=(m:User)-[r:AZResetPassword|AZOwns|AZUserAccessAdministrator|AZContributor|AZAddMembers|AZGlobalAdmin|AZVMContributor|AZOwnsAZAvereContributor]->(n) WHERE m.objectid CONTAINS 'S-1-5-21' RETURN p" }] }, { "name": "Find all paths to an Azure VM", "category": "It's called a satchel", "queryList": [{ "final": true, "query": "MATCH p = (n)-[r]->(g:AZVM) RETURN p" }] }, { "name": "Find all paths to an Azure KeyVault", "category": "It's called a satchel", "queryList": [{ "final": true, "query": "MATCH p = (n)-[r]->(g:AZKeyVault) RETURN p" }] }, { "name": "Return All Azure Users and their Groups", "category": "It's called a satchel", "queryList": [{ "final": true, "query": "MATCH p=(m:AZUser)-[r:MemberOf]->(n) WHERE NOT m.objectid CONTAINS 'S-1-5' RETURN p" }] }, { "name": "Return All Azure AD Groups that are synchronized with On-Premise AD", "category": "It's called a satchel", "queryList": [{ "final": true, "query": "MATCH (n:Group) WHERE n.objectid CONTAINS 'S-1-5' AND n.azsyncid IS NOT NULL RETURN n" }] }, { "name": "Find all Privileged Service Principals", "category": "It's called a satchel", "queryList": [{ "final": true, "query": "MATCH p = (g:AZServicePrincipal)-[r]->(n) RETURN p" }] }, { "name": "Find all Owners of Azure Applications", "category": "It's called a satchel", "queryList": [{ "final": true, "query": "MATCH p = (n)-[r:AZOwns]->(g:AZApp) RETURN p" }] }, { "name": "Find all Certificate Templates", "category": "Certificates", "queryList": [{ "final": true, "query": "MATCH (n:GPO) WHERE n.type = 'Certificate Template' RETURN n" }] }, { "name": "Find enabled Certificate Templates", "category": "Certificates", "queryList": [{ "final": true, "query": "MATCH (n:GPO) WHERE n.type = 'Certificate Template' and n.Enabled = true RETURN n" }] }, { "name": "Find Certificate Authorities", "category": "Certificates", "queryList": [{ "final": true, "query": "MATCH (n:GPO) WHERE n.type = 'Enrollment Service' RETURN n" }] }, { "name": "Show Enrollment Rights for Certificate Template", "category": "Certificates", "queryList": [{ "final": false, "title": "Select a Certificate Template...", "query": "MATCH (n:GPO) WHERE n.type = 'Certificate Template' RETURN n.name" }, { "final": true, "query": "MATCH p=(g)-[:Enroll|AutoEnroll]->(n:GPO {name:$result}) WHERE n.type = 'Certificate Template' return p", "allowCollapse": false }] }, { "name": "Show Rights for Certificate Authority", "category": "Certificates", "queryList": [{ "final": false, "title": "Select a Certificate Authority...", "query": "MATCH (n:GPO) WHERE n.type = 'Enrollment Service' RETURN n.name" }, { "final": true, "query": "MATCH p=(g)-[:ManageCa|ManageCertificates|Auditor|Operator|Read|Enroll]->(n:GPO {name:$result}) return p", "allowCollapse": false }] }, { "name": "Find Misconfigured Certificate Templates (ESC1)", "category": "AD CS Domain Escalation", "queryList": [{ "final": true, "query": "MATCH (n:GPO) WHERE n.type = 'Certificate Template' and n.`Enrollee Supplies Subject` = true and n.`Client Authentication` = true and n.`Enabled` = true RETURN n" }] }, { "name": "Shortest Paths to Misconfigured Certificate Templates from Owned Principals (ESC1)", "category": "AD CS Domain Escalation", "queryList": [{ "final": true, "query": "MATCH p=allShortestPaths((g {owned:true})-[*1..]->(n:GPO)) WHERE g<>n and n.type = 'Certificate Template' and n.`Enrollee Supplies Subject` = true and n.`Client Authentication` = true and n.`Enabled` = true return p" }] }, { "name": "Find Misconfigured Certificate Templates (ESC2)", "category": "AD CS Domain Escalation", "queryList": [{ "final": true, "query": "MATCH (n:GPO) WHERE n.type = 'Certificate Template' and n.`Enabled` = true and (n.`Extended Key Usage` = [] or 'Any Purpose' IN n.`Extended Key Usage`) RETURN n" }] }, { "name": "Shortest Paths to Misconfigured Certificate Templates from Owned Principals (ESC2)", "category": "AD CS Domain Escalation", "queryList": [{ "final": true, "query": "MATCH p=allShortestPaths((g {owned:true})-[*1..]->(n:GPO)) WHERE g<>n and n.type = 'Certificate Template' and n.`Enabled` = true and (n.`Extended Key Usage` = [] or 'Any Purpose' IN n.`Extended Key Usage`) return p" }] }, { "name": "Find Enrollment Agent Templates (ESC3)", "category": "AD CS Domain Escalation", "queryList": [{ "final": true, "query": "MATCH (n:GPO) WHERE n.type = 'Certificate Template' and n.`Enabled` = true and (n.`Extended Key Usage` = [] or 'Any Purpose' IN n.`Extended Key Usage` or 'Certificate Request Agent' IN n.`Extended Key Usage`) RETURN n" }] }, { "name": "Shortest Paths to Enrollment Agent Templates from Owned Principals (ESC3)", "category": "AD CS Domain Escalation", "queryList": [{ "final": true, "query": "MATCH p=allShortestPaths((g {owned:true})-[*1..]->(n:GPO)) WHERE g<>n and n.type = 'Certificate Template' and n.`Enabled` = true and (n.`Extended Key Usage` = [] or 'Any Purpose' IN n.`Extended Key Usage` or 'Certificate Request Agent' IN n.`Extended Key Usage`) return p" }] }, { "name": "Shortest Paths to Vulnerable Certificate Template Access Control (ESC4)", "category": "AD CS Domain Escalation", "queryList": [{ "final": true, "query": "MATCH p=shortestPath((g)-[:GenericAll|GenericWrite|Owns|WriteDacl|WriteOwner*1..]->(n:GPO)) WHERE g<>n and n.type = 'Certificate Template' and n.`Enabled` = true RETURN p" }] }, { "name": "Shortest Paths to Vulnerable Certificate Template Access Control from Owned Principals (ESC4)", "category": "AD CS Domain Escalation", "queryList": [{ "final": true, "query": "MATCH p=allShortestPaths((g {owned:true})-[r*1..]->(n:GPO)) WHERE g<>n and n.type = 'Certificate Template' and n.Enabled = true and NONE(x in relationships(p) WHERE type(x) = 'Enroll' or type(x) = 'AutoEnroll') return p" }] }, { "name": "Find Certificate Authorities with User Specified SAN (ESC6)", "category": "AD CS Domain Escalation", "queryList": [{ "final": true, "query": "MATCH (n:GPO) WHERE n.type = 'Enrollment Service' and n.`User Specified SAN` = 'Enabled' RETURN n" }] }, { "name": "Shortest Paths to Vulnerable Certificate Authority Access Control (ESC7)", "category": "AD CS Domain Escalation", "queryList": [{ "final": true, "query": "MATCH p=shortestPath((g)-[r:GenericAll|GenericWrite|Owns|WriteDacl|WriteOwner|ManageCa|ManageCertificates*1..]->(n:GPO)) WHERE g<>n and n.type = 'Enrollment Service' RETURN p" }] }, { "name": "Shortest Paths to Vulnerable Certificate Authority Access Control from Owned Principals (ESC7)", "category": "AD CS Domain Escalation", "queryList": [{ "final": true, "query": "MATCH p=allShortestPaths((g {owned:true})-[*1..]->(n:GPO)) WHERE g<>n and n.type = 'Enrollment Service' and NONE(x in relationships(p) WHERE type(x) = 'Enroll' or type(x) = 'AutoEnroll') RETURN p" }] }, { "name": "Find Certificate Authorities with HTTP Web Enrollment (ESC8)", "category": "AD CS Domain Escalation", "queryList": [{ "final": true, "query": "MATCH (n:GPO) WHERE n.type = 'Enrollment Service' and n.`Web Enrollment` = 'Enabled' RETURN n" }] }, { "name": "Find users that can RDP into something", "category": "PlainText Password Queries", "queryList": [ { "final": true, "query": "match (u1:User) WHERE u1.plaintext=True MATCH p1=(u1)-[:CanRDP*1..]->(c:Computer) RETURN u1", "allowCollapse": true } ] }, { "name": "Find users that belong to high value groups", "category": "PlainText Password Queries", "queryList": [ { "final": true, "query": "match (u1:User) WHERE u1.plaintext=True MATCH p=(u1:User)-[r:MemberOf*1..]->(m:Group {highvalue:true}) RETURN u1", "allowCollapse": true } ] }, { "name": "Find kerberoastable users", "category": "PlainText Password Queries", "queryList": [ { "final": true, "query": "match (u1:User) WHERE u1.plaintext=True AND u1.hasspn=True RETURN u1", "allowCollapse": true } ] }, { "name": "Return users with seasons in their password and are high value targets", "category": "PlainText Password Queries", "queryList": [ { "final": true, "query": "MATCH (u1:User) WHERE u1.plaintextpassword =~ \"([Ww]inter.*|[sS]pring.*|[sS]ummer.*|[fF]all.*)\" MATCH p=(u1:User)-[r:MemberOf*1..]->(m:Group {highvalue:true}) RETURN u1", "allowCollapse": true } ] }, { "name": "Return users with seasons in their password and have local admin on at least one computer", "category": "PlainText Password Queries", "queryList": [ { "final": true, "query": "match (u1:User) WHERE u1.plaintextpassword =~ \"([Ww]inter.*|[sS]pring.*|[sS]ummer.*|[fF]all.*)\" match p=(u1:User)-[r:AdminTo]->(n:Computer) RETURN p", "allowCollapse": true } ] }, { "name": "Return users with seasons in their password and a path to high value targets (limit to 25 results)", "category": "PlainText Password Queries", "queryList": [ { "final": true, "query": "match (u1:User) WHERE u1.plaintextpassword =~ \"([Ww]inter.*|[sS]pring.*|[sS]ummer.*|[fF]all.*)\" MATCH p=shortestPath((u1:User)-[*1..]->(n {highvalue:true})) WHERE u1<>n return u1 LIMIT 25", "allowCollapse": true } ] }, { "name": "Return users with a variant of \"password\" in their password and are high value targets", "category": "PlainText Password Queries", "queryList": [ { "final": true, "query": "MATCH (u1:User) WHERE u1.plaintextpassword =~ \"(.*[pP][aA@][sS$][sS$][wW][oO0][rR][dD].*)\" MATCH p=(u1:User)-[r:MemberOf*1..]->(m:Group {highvalue:true}) RETURN u1", "allowCollapse": true } ] }, { "name": "Return users with a variant of \"password\" in their password and have local admin on at least one computer", "category": "PlainText Password Queries", "queryList": [ { "final": true, "query": "match (u1:User) WHERE u1.plaintextpassword =~ \"(.*[pP][aA@][sS$][sS$][wW][oO0][rR][dD].*)\" match p=(u1:User)-[r:AdminTo]->(n:Computer) RETURN p", "allowCollapse": true } ] }, { "name": "Return users with a variant of \"password\" in their password and a path to high value targets (limit to 25 results)", "category": "PlainText Password Queries", "queryList": [ { "final": true, "query": "match (u1:User) WHERE u1.plaintextpassword =~ \"(.*[pP][aA@][sS$][sS$][wW][oO0][rR][dD].*)\" MATCH p=shortestPath((u1:User)-[*1..]->(n {highvalue:true})) WHERE u1<>n return u1 LIMIT 25", "allowCollapse": true } ] } ] }