{ "queries": [ { "name": "Find more privileged groups", "category": "High Value Targets", "queryList": [{ "final": true, "query": "MATCH (g:Group) WHERE g.objectid =~ '.*-(512|517|518|519|520|521|522|526|527|(?i)S-1-5-32-(544|547|548|549|550|551|552|556|557|580)|(?i)S-1-5-9)$' OR toUpper(g.samaccountname) = 'DNSADMINS' RETURN g" }] }, { "name": "(Warning: edits the DB) Mark more privileged groups as HVT", "category": "High Value Targets", "queryList": [{ "final": true, "query": "MATCH (g:Group) WHERE g.objectid =~ '.*-(512|517|518|519|520|521|522|526|527|(?i)S-1-5-32-(544|547|548|549|550|551|552|556|557|580)|(?i)S-1-5-9)$' OR toUpper(g.samaccountname) = 'DNSADMINS' SET g.highvalue=TRUE RETURN g" }] }, { "name": "Find low value members of High Value Target Groups (1 hop)", "category": "High Value Targets", "queryList": [{ "final": true, "query": "MATCH p=(m {highvalue: FALSE})-[:MemberOf]->(g:Group {highvalue: TRUE}) RETURN p" }] }, { "name": "(Warning: edits the DB) Mark low value members of High Value Target Groups as HVT (1 hop)", "category": "High Value Targets", "queryList": [{ "final": true, "query": "MATCH p=(o {highvalue: FALSE})-[:MemberOf]->(g:Group {highvalue: TRUE}) SET o.highvalue=TRUE RETURN p" }] }, { "name": "Find enabled objects containing names/descriptions of some tier 0 software (Azure, SCCM, Veeam, ...)", "category": "High Value Targets", "queryList": [{ "final": true, "query": "WITH '(?i).*(?:azure|sccm|mecm|veeam|acronis|boomgar|tivoli|altiris|varonis|vcenter|vsphere|esx).*' AS keyword MATCH (o {enabled: TRUE}) WHERE o.samaccountname =~ keyword OR o.description =~ keyword OR o.name =~ keyword RETURN o" }] }, { "name": "(Warning: edits the DB) Mark enabled objects containing names/descriptions of some tier 0 software (Azure, SCCM, Veeam, ...) 
as HVT", "category": "High Value Targets", "queryList": [{ "final": true, "query": "WITH '(?i).*(?:azure|sccm|mecm|veeam|acronis|boomgar|tivoli|altiris|varonis|vcenter|vsphere|esx).*' AS keyword MATCH (o {enabled: TRUE}) WHERE o.samaccountname =~ keyword OR o.description =~ keyword OR o.name =~ keyword SET o.highvalue=TRUE RETURN o" }] }, { "name": "Find enabled computers containing SPNs with some tier 0 software (Azure, SCCM, Veeam, ...) as HVT", "category": "High Value Targets", "queryList": [{ "final": true, "query": "MATCH (c:Computer {enabled: TRUE}) WHERE SIZE(c.serviceprincipalnames) > 0 UNWIND [s IN c.serviceprincipalnames WHERE s =~ '(?i).*(?:azure|sccm|mecm|veeam|acronis|boomgar|tivoli|altiris|varonis|vcenter|vsphere|esx).*'] AS spn WITH c, spn WHERE SIZE(spn) > 0 return c" }] }, { "name": "Find low value objects with ACLs on high value objects (1 hop, max 200, Heavy)", "category": "High Value Targets", "queryList": [{ "final": true, "query": "MATCH p=((a {highvalue: FALSE})-[r]->(b {highvalue: TRUE})) WHERE NOT (type(r) = 'Contains') RETURN p LIMIT 200" }] }, { "name": "(Warning: edits the DB) Mark low value objects with ACLs on high value objects as HVT (1 hop, max 200, Heavy)", "category": "High Value Targets", "queryList": [{ "final": true, "query": "MATCH p=((a {highvalue: FALSE})-[r]->(b {highvalue: TRUE})) WHERE NOT (type(r) = 'Contains') SET a.highvalue=TRUE RETURN p LIMIT 200" }] }, { "name": "Owned objects", "category": "Owned Objects", "queryList": [{ "final": true, "query": "MATCH (o {owned: TRUE}) RETURN o" }] }, { "name": "Direct groups of owned users", "category": "Owned Objects", "queryList": [{ "final": true, "query": "MATCH p=(u:User {owned: TRUE})-[:MemberOf]->(g:Group) RETURN p", "props": {}, "allowCollapse": true }] }, { "name": "Unrolled groups of owned users", "category": "Owned Objects", "queryList": [{ "final": true, "query": "MATCH p=(u:User {owned: TRUE})-[:MemberOf*1..]->(g:Group) RETURN p" }] }, { "name": "Shortest paths from 
owned objects to High Value Targets (5 hops)", "category": "Owned Objects", "queryList": [{ "final": true, "query": "MATCH p=shortestPath((n {owned: TRUE})-[:MemberOf|HasSession|AdminTo|AllExtendedRights|AddMember|ForceChangePassword|GenericAll|GenericWrite|Owns|WriteDacl|WriteOwner|CanRDP|ExecuteDCOM|AllowedToDelegate|ReadLAPSPassword|Contains|GpLink|AddAllowedToAct|AllowedToAct|SQLAdmin|ReadGMSAPassword|HasSIDHistory|CanPSRemote*1..5]->(m {highvalue: TRUE})) WHERE NOT n=m RETURN p", "allowCollapse": true }] }, { "name": "Most exploitable paths from owned objects to High Value Targets (5 hops)", "category": "Owned Objects", "queryList": [{ "final": true, "query": "MATCH p=allShortestPaths((n {owned: TRUE})-[:MemberOf|AdminTo|AllExtendedRights|AddMember|ForceChangePassword|GenericAll|GenericWrite|Owns|WriteDacl|WriteOwner|ExecuteDCOM|AllowedToDelegate|ReadLAPSPassword|Contains|GpLink|AddAllowedToAct|AllowedToAct|SQLAdmin|ReadGMSAPassword|HasSIDHistory*1..5]->(m {highvalue:true})) WHERE NOT n=m RETURN p", "allowCollapse": true }] }, { "name": "Next steps (5 hops) from owned objects", "category": "Owned Objects", "queryList": [{ "final": true, "query": "MATCH p=shortestPath((c {owned: TRUE})-[*1..5]->(s)) WHERE NOT c = s RETURN p" }] }, { "name": "Next steps (3 hops) from owned objects", "category": "Owned Objects", "queryList": [{ "final": true, "query": "MATCH p=shortestPath((c {owned: TRUE})-[*1..3]->(s)) WHERE NOT c = s RETURN p" }] }, { "name": "Owned users with permissions against GPOs", "category": "Owned Objects", "queryList": [{ "final": true, "query": "MATCH p=(u:User {owned: TRUE})-[r:AllExtendedRights|GenericAll|GenericWrite|Owns|WriteDacl|WriteOwner|GpLink*1..]->(g:GPO) RETURN p" }] }, { "name": "Connections between different domains/forests", "category": "Domains/Forests", "queryList": [{ "final": true, "query": "MATCH p = (a)-[r]->(b) WHERE NOT a.domain = b.domain RETURN p" }] }, { "name": "Connections (ACEs only) between different domains/forests", 
"category": "Domains/Forests", "queryList": [{ "final": true, "query": "MATCH p = (a)-[r]->(b) WHERE NOT a.domain = b.domain AND r.isacl = TRUE RETURN p" }] }, { "name": "Can a user from domain A do anything to any computer in domain B (Warning: VERY Heavy)", "category": "Domains/Forests", "queryList": [{ "final": false, "title": "Select source domain...", "query": "MATCH (n:Domain) RETURN n.name ORDER BY n.name DESC" }, { "final": false, "title": "Select destination domain...", "query": "MATCH (n:Domain) RETURN $result + '=>' + n.name ORDER BY n.name DESC" }, { "final": true, "query": "WITH split($result, \"=>\") AS selectedDomains WITH selectedDomains[0] AS sourceDomain, selectedDomains[1] AS destDomain MATCH (n:User {domain: sourceDomain}) MATCH (m:Computer {domain: destDomain}) MATCH p=allShortestPaths((n)-[r:MemberOf|HasSession|AdminTo|AllExtendedRights|AddMember|ForceChangePassword|GenericAll|GenericWrite|Owns|WriteDacl|WriteOwner|CanRDP|ExecuteDCOM|AllowedToDelegate|ReadLAPSPassword|Contains|GpLink|AddAllowedToAct|AllowedToAct|SQLAdmin*1..]->(m)) WHERE NOT n = m RETURN p", "startNode": "{}", "allowCollapse": false }] }, { "name": "Kerberoastable enabled users", "category": "Roasting", "queryList": [{ "final": true, "query": "MATCH (u:User {enabled: TRUE, hasspn: TRUE}) RETURN u", "allowCollapse": false }] }, { "name": "AS-REProastable enabled users", "category": "Roasting", "queryList": [{ "final": true, "query": "MATCH (u:User {enabled: TRUE, dontreqpreauth: TRUE}) RETURN u" }] }, { "name": "Kerberoastable users with a path to DA", "category": "Roasting", "queryList": [{ "final": true, "query": "MATCH p = shortestPath( (u:User {enabled: TRUE, hasspn: TRUE})-[*1..]->(g:Group) ) WHERE g.objectid ENDS WITH '-512' RETURN p" }] }, { "name": "Kerberoastable enabled users with a path to High Value", "category": "Roasting", "queryList": [{ "final": true, "query": "MATCH p = shortestPath( (u:User {enabled: TRUE, hasspn: TRUE})-[*1..]->(n {highvalue: TRUE}) ) RETURN 
p" }] }, { "name": "Kerberoastable enabled users and where they are AdminTo", "category": "Roasting", "queryList": [{ "final": true, "query": "MATCH p = shortestPath((u:User {enabled: TRUE, hasspn:TRUE})-[:AdminTo]->(c:Computer {enabled: TRUE})) RETURN p" }] }, { "name": "Kerberoastable enabled users who are members of high value groups", "category": "Roasting", "queryList": [{ "final": true, "query": "MATCH p = shortestPath((u:User {enabled: TRUE, hasspn: TRUE})-[:MemberOf*1..]->(g:Group {highvalue: TRUE})) RETURN p" }] }, { "name": "Kerberoastable enabled users with passwords last set > 5 years ago", "category": "Roasting", "queryList": [{ "final": true, "query": "MATCH (u:User {enabled: TRUE, hasspn: TRUE}) WHERE u.pwdlastset < (datetime().epochseconds - (1825 * 86400)) AND NOT u.pwdlastset IN [-1.0, 0.0] RETURN u" }] }, { "name": "Unconstrained Delegations for enabled computers", "category": "Kerberos Delegations", "queryList": [{ "final": true, "query": "MATCH (c {enabled: TRUE, unconstraineddelegation: TRUE}) RETURN c" }] }, { "name": "Constrained Delegations (with Protocol Transition)", "category": "Kerberos Delegations", "queryList": [{ "final": true, "query": "MATCH (c) WHERE NOT c.allowedtodelegate IS NULL AND c.trustedtoauth=TRUE RETURN c" }] }, { "name": "Constrained Delegations (without Protocol Transition)", "category": "Kerberos Delegations", "queryList": [{ "final": true, "query": "MATCH (c) WHERE NOT c.allowedtodelegate IS NULL AND c.trustedtoauth=FALSE RETURN c" }] }, { "name": "Resource-Based Constrained Delegations", "category": "Kerberos Delegations", "queryList": [{ "final": true, "query": "MATCH p=(u:User {enabled: TRUE})-[:AllowedToAct]->(c:Computer {enabled: TRUE}) RETURN p" }] }, { "name": "Unconstrained Delegation systems (without domain controllers)", "category": "Kerberos Delegations", "queryList": [{ "final": true, "query": "MATCH (c1:Computer)-[:MemberOf*1..]->(g:Group) WHERE g.objectid ENDS WITH '-516' WITH COLLECT(c1.name) AS 
domainControllers MATCH (c2 {unconstraineddelegation:true}) WHERE NOT c2.name IN domainControllers RETURN c2" }] }, { "name": "(Warning: edits the DB) Mark unconstrained delegation systems as high value targets", "category": "Kerberos Delegations", "queryList": [{ "final": true, "query": "MATCH (c1:Computer)-[:MemberOf*1..]->(g:Group) WHERE g.objectid ENDS WITH '-516' WITH COLLECT(c1.name) AS domainControllers MATCH (c2 {unconstraineddelegation:true}) WHERE NOT c2.name IN domainControllers SET c2.highvalue = true RETURN c2" }] }, { "name": "Shortest paths from owned principals to unconstrained delegation systems", "category": "Kerberos Delegations", "queryList": [{ "final": true, "query": "MATCH p=shortestPath((o {owned: TRUE})-[:MemberOf|HasSession|AdminTo|AllExtendedRights|AddMember|ForceChangePassword|GenericAll|GenericWrite|Owns|WriteDacl|WriteOwner|ExecuteDCOM|AllowedToDelegate|ReadLAPSPassword|Contains|GpLink|AddAllowedToAct|AllowedToAct|SQLAdmin|ReadGMSAPassword|HasSIDHistory|CanPSRemote*1..]->(m:Computer {unconstraineddelegation: TRUE})) WHERE NOT o=m RETURN p" }] }, { "name":"Between users (1 hop, max 200)", "category":"Weak ACLs", "queryList":[ { "final":true, "query":"MATCH p=(u1:User { enabled: TRUE } )-[:AllExtendedRights|AddMember|ForceChangePassword|GenericAll|GenericWrite|Owns|WriteDacl|WriteOwner|AddSelf|WriteSPN|AddKeyCredentialLink]->(u2:User) WHERE NOT(u1.name STARTS WITH 'MSOL_') RETURN p LIMIT 200" } ] }, { "name":"Between users (3 hops, max 200)", "category":"Weak ACLs", "queryList":[ { "final":true, "query":"MATCH p=(u1:User { enabled: TRUE } )-[:AllExtendedRights|AddMember|ForceChangePassword|GenericAll|GenericWrite|Owns|WriteDacl|WriteOwner|AddSelf|WriteSPN|AddKeyCredentialLink*1..3]->(u2:User) WHERE NOT(u1.name STARTS WITH 'MSOL_') RETURN p LIMIT 200" } ] }, { "name":"Between computers (1 hop, max 200)", "category":"Weak ACLs", "queryList":[ { "final":true, "query":"MATCH p=(c1:Computer {enabled: 
TRUE})-[:AllExtendedRights|AddMember|ForceChangePassword|GenericAll|GenericWrite|Owns|WriteDacl|WriteOwner|AddSelf|WriteSPN|AddKeyCredentialLink]->(c2:Computer) WHERE NOT(c1.name STARTS WITH 'MSOL_') RETURN p LIMIT 200" } ] }, { "name":"Between computers (3 hops, max 200)", "category":"Weak ACLs", "queryList":[ { "final":true, "query":"MATCH p=(c1:Computer {enabled: TRUE})-[:AllExtendedRights|AddMember|ForceChangePassword|GenericAll|GenericWrite|Owns|WriteDacl|WriteOwner|AddSelf|WriteSPN|AddKeyCredentialLink*1..3]->(c2:Computer) WHERE NOT(c1.name STARTS WITH 'MSOL_') RETURN p LIMIT 200" } ] }, { "name": "Find computers admin to other computers", "category": "Weak ACLs", "queryList": [{ "final": true, "query": "MATCH p = (c1:Computer)-[r1:AdminTo]->(c2:Computer) RETURN p UNION ALL MATCH p = (c3:Computer)-[r2:MemberOf*1..]->(g:Group)-[r3:AdminTo]->(c4:Computer) RETURN p" }] }, { "name":"Between enabled users and computers (1 hop, max 200)", "category":"Weak ACLs", "queryList":[ { "final":true, "query":"MATCH p=(u:User {enabled: TRUE})-[:AllExtendedRights|AddMember|ForceChangePassword|GenericAll|GenericWrite|Owns|WriteDacl|WriteOwner|AddSelf|WriteSPN|AddKeyCredentialLink]->(c:Computer) WHERE NOT(u.name STARTS WITH 'MSOL_') RETURN p LIMIT 200" } ] }, { "name":"Between enabled users and computers (3 hops, max 200)", "category":"Weak ACLs", "queryList":[ { "final":true, "query":"MATCH p=(u:User {enabled: TRUE})-[:AllExtendedRights|AddMember|ForceChangePassword|GenericAll|GenericWrite|Owns|WriteDacl|WriteOwner|AddSelf|WriteSPN|AddKeyCredentialLink*1..3]->(c:Computer) WHERE NOT(u.name STARTS WITH 'MSOL_') RETURN p LIMIT 200" } ] }, { "name":"Between enabled computers and users (1 hop, max 200)", "category":"Weak ACLs", "queryList":[ { "final":true, "query":"MATCH p=(c:Computer {enabled: TRUE})-[:AllExtendedRights|AddMember|ForceChangePassword|GenericAll|GenericWrite|Owns|WriteDacl|WriteOwner|AddSelf|WriteSPN|AddKeyCredentialLink]->(u:User) WHERE NOT(u.name STARTS WITH 
'MSOL_') RETURN p LIMIT 200" } ] }, { "name":"Between enabled computers and users (3 hops, max 200)", "category":"Weak ACLs", "queryList":[ { "final":true, "query":"MATCH p=(c:Computer {enabled: TRUE})-[:AllExtendedRights|AddMember|ForceChangePassword|GenericAll|GenericWrite|Owns|WriteDacl|WriteOwner|AddSelf|WriteSPN|AddKeyCredentialLink*1..3]->(u:User) WHERE NOT(u.name STARTS WITH 'MSOL_') RETURN p LIMIT 200" } ] }, { "name": "Objects with the AddAllowedToAct or WriteAccountRestrictions right on an enabled computer", "category": "Weak ACLs", "queryList": [{ "final": true, "query": "MATCH p=(g {enabled: TRUE})-[:AddAllowedToAct|WriteAccountRestrictions]->(c:Computer {enabled: TRUE}) RETURN p" }] }, { "name":"Miscellaneous direct ACLs from enabled objects (1 hop, max 200)", "category":"Weak ACLs", "queryList":[ { "final":true, "query":"MATCH p=(u1 {enabled: TRUE})-[:AllExtendedRights|AddMember|ForceChangePassword|GenericAll|GenericWrite|Owns|WriteDacl|WriteOwner|AddSelf|WriteSPN|AddKeyCredentialLink|Enroll|ManageCa|ManageCertificates]->(u2) WHERE NOT(u1.name STARTS WITH 'MSOL_') AND NOT(u2.name STARTS WITH 'MSOL_') AND NOT(u1.name CONTAINS 'ADMIN') AND NOT(u2.name CONTAINS 'ADMIN') RETURN p LIMIT 200" } ] }, { "name":"Miscellaneous direct ACLs from enabled objects (3 hops, max 200)", "category":"Weak ACLs", "queryList":[ { "final":true, "query":"MATCH p=(u1 {enabled: TRUE})-[:AllExtendedRights|AddMember|ForceChangePassword|GenericAll|GenericWrite|Owns|WriteDacl|WriteOwner|AddSelf|WriteSPN|AddKeyCredentialLink|Enroll|ManageCa|ManageCertificates*1..3]->(u2) WHERE NOT(u1.name STARTS WITH 'MSOL_') AND NOT(u2.name STARTS WITH 'MSOL_') AND NOT(u1.name CONTAINS 'ADMIN') AND NOT(u2.name CONTAINS 'ADMIN') RETURN p LIMIT 200" } ] }, { "name": "Logged in Admins", "category": "Admins", "queryList": [{ "final": true, "query": "MATCH shortestPath((u:User {enabled: TRUE})-[:AdminTo|MemberOf*1..]->(c:Computer {enabled: TRUE})) MATCH p=(c)-[:HasSession]->(u) RETURN p", 
"allowCollapse": true }] }, { "name": "Enabled users (not Domain/Enterprise Admins) with local admin rights", "category": "Admins", "queryList": [{ "final": true, "query": "MATCH (u:User {enabled: TRUE})-[:MemberOf*1..]->(g:Group) WHERE g.objectid =~ '.*-(512|519|(?i)S-1-5-32-544)$' WITH COLLECT(u.objectid) AS domainAdmins MATCH p=shortestPath((u2:User {enabled: TRUE})-[:MemberOf|AdminTo*1..]->(c:Computer {enabled: TRUE})) WHERE NOT u2.objectid IN domainAdmins AND NOT u2.name STARTS WITH 'ANONYMOUS LOGON' AND NOT u2.name='' RETURN p" }] }, { "name": "Enabled users (not Domain/Enterprise Admins) with ReadLAPSPassword rights", "category": "Admins", "queryList": [{ "final": true, "query": "MATCH (u:User {enabled: TRUE})-[:MemberOf*1..]->(g:Group) WHERE g.objectid =~ '.*-(512|519|(?i)S-1-5-32-544)$' WITH COLLECT(u.objectid) AS domainAdmins MATCH shortestPath((u2:User {enabled: TRUE})-[:MemberOf|ReadLAPSPassword*1..]->(c:Computer {enabled: TRUE})) WHERE NOT u2.objectid IN domainAdmins AND NOT u2.name STARTS WITH 'ANONYMOUS LOGON' AND NOT u2.name='' RETURN u2" }] }, { "name": "Administrators and Domain/Enterprise Admins with sessions", "category": "Admins", "queryList": [{ "final": true, "query": "MATCH (u:User {enabled: TRUE})-[:MemberOf*1..]->(g:Group) WHERE g.objectid =~ '.*-(512|519|(?i)S-1-5-32-544)$' WITH COLLECT(u.objectid) AS domainAdmins MATCH p = (c2:Computer {enabled: TRUE})-[:HasSession]->(u2:User {enabled: TRUE}) WHERE u2.objectid IN domainAdmins RETURN p" }] }, { "name": "Administrators and Domain/Enterprise Admins with sessions not on domain controllers", "category": "Admins", "queryList": [{ "final": true, "query": "MATCH (u:User {enabled: TRUE})-[:MemberOf*1..]->(g:Group) WHERE g.objectid =~ '.*-(512|519|(?i)S-1-5-32-544)$' WITH COLLECT(u.objectid) AS domainAdmins MATCH (c:Computer {enabled: TRUE})-[:MemberOf*1..]->(g2:Group) WHERE g2.objectid =~ '.*-(516|(?i)S-1-5-9)$' WITH COLLECT(c.objectid) AS domainControllers, domainAdmins MATCH p = (c2:Computer 
{enabled: TRUE})-[:HasSession]->(u2:User {enabled: TRUE}) WHERE u2.objectid IN domainAdmins AND NOT c2.objectid IN domainControllers RETURN p" }] }, { "name": "High Value users sessions", "category": "Admins", "queryList": [{ "final": true, "query": "MATCH (n:User {enabled: TRUE})-[:MemberOf*1..]->(g:Group {highvalue: TRUE}) MATCH p = (c:Computer {enabled: TRUE})-[:HasSession]->(n) RETURN p" }] }, { "name": "Enabled users with adminCount, not sensitive for delegation, not members of Protected Users (3 hops)", "category": "Admins", "queryList": [{ "final": true, "query": "MATCH (u:User {enabled:TRUE})-[:MemberOf*1..]->(g:Group) WHERE g.objectid =~ '(?i)S-1-5-.*-525$' WITH COLLECT (u.objectid) AS protectedUsers MATCH p=(u2:User {enabled:TRUE, admincount:TRUE, sensitive:FALSE})-[:MemberOf*1..3]->(g2:Group) WHERE NOT u2.objectid IN protectedUsers RETURN p" }] }, { "name": "Enabled Domain/Enterprise Administrators, not sensitive for delegation and not members of Protected Users", "category": "Admins", "queryList": [{ "final": true, "query": "MATCH (u:User {enabled: TRUE, admincount: TRUE})-[:MemberOf*1..]->(g:Group) WHERE g.objectid =~ '.*-525$' WITH COLLECT(u.objectid) AS protectedUsers MATCH p=(u2:User {enabled: TRUE, admincount: TRUE, sensitive: FALSE})-[:MemberOf*1..]->(g2:Group) WHERE NOT u2.objectid IN protectedUsers AND g2.objectid =~ '.*-(512|519|(?i)S-1-5-32-544)$' RETURN p" }] }, { "name": "Enabled users, members of high value groups, not sensitive for delegation and not members of Protected Users (Heavy)", "category": "Admins", "queryList": [{ "final": true, "query": "MATCH (u:User {enabled: TRUE, admincount: TRUE})-[:MemberOf*1..]->(g:Group) WHERE g.objectid =~ '.*-525$' WITH COLLECT (u.objectid) AS protectedUsers MATCH p=(u2:User {enabled: TRUE, sensitive: FALSE})-[:MemberOf*1..]->(g2:Group {highvalue: TRUE}) WHERE NOT u2.objectid IN protectedUsers RETURN p" }] }, { "name": "Groups that contain the word 'admin'", "category": "Groups", "queryList": [{ 
"final": true, "query": "Match (g:Group) WHERE g.name CONTAINS 'ADMIN' RETURN g" }] }, { "name": "Groups that can change user passwords", "category": "Groups", "queryList": [{ "final": true, "query": "MATCH p=(g:Group)-[:ForceChangePassword]->(u:User) RETURN DISTINCT g.name, COUNT(g.name) ORDER BY COUNT(g.name) DESC" }] }, { "name": "Groups of High Value Targets", "category": "Groups", "queryList": [{ "final": true, "query": "MATCH p=(u:User)-[:MemberOf*1..]->(g:Group {highvalue:TRUE}) RETURN p" }] }, { "name": "Non Admin Groups with High Value Privileges", "category": "Groups", "queryList": [{ "final": true, "query": "MATCH p=(g:Group)-[:Owns|:WriteDacl|:GenericAll|:WriteOwner|:ExecuteDCOM|:GenericWrite|:AllowedToDelegate|:ForceChangePassword]->(n:Computer) WHERE NOT g.name CONTAINS 'ADMIN' RETURN p", "allowCollapse": true }] }, { "name": "Groups with Computer and User Objects", "category": "Groups", "queryList": [{ "final": true, "query": "MATCH (c:Computer)-[:MemberOf*1..]->(groupsWithComps:Group) WITH groupsWithComps MATCH (u:User)-[r:MemberOf*1..]->(groupsWithComps) RETURN DISTINCT(groupsWithComps) AS groupsWithCompsAndUsers", "allowCollapse": true, "endNode": "{}" }] }, { "name": "Groups that can reset passwords of enabled users (Warning: Heavy)", "category": "Groups", "queryList": [{ "final": true, "query": "MATCH p=(g:Group)-[:ForceChangePassword]->(u:User {enabled: TRUE}) RETURN p" }] }, { "name": "Groups that have local admin rights on enabled computers (Warning: Heavy)", "category": "Groups", "queryList": [{ "final": true, "query": "MATCH p=(g:Group)-[:AdminTo]->(c:Computer {enabled: TRUE}) RETURN p" }] }, { "name": "Users never logged on and account still active", "category": "Users", "queryList": [{ "final": true, "query": "MATCH (u:User {enabled: TRUE, lastlogontimestamp:-1.0}) RETURN u" }] }, { "name": "Users logged in the last 90 days and account still active", "category": "Users", "queryList": [{ "final": true, "query": "MATCH (u:User {enabled: 
TRUE}) WHERE u.lastlogon < (datetime().epochseconds - (90 * 86400)) and NOT u.lastlogon IN [-1.0, 0.0] RETURN u" }] }, { "name": "Users with passwords last set in the last 90 days and account still active", "category": "Users", "queryList": [{ "final": true, "query": "MATCH (u:User {enabled: TRUE}) WHERE u.pwdlastset < (datetime().epochseconds - (90 * 86400)) and NOT u.pwdlastset IN [-1.0, 0.0] RETURN u" }] }, { "name": "Find if unprivileged users have rights to add members into groups (3 hops)", "category": "Users", "queryList": [{ "final": true, "query": "MATCH p=(u:User {enabled: TRUE, admincount: FALSE})-[:AddMember*1..3]->(m:Group) RETURN p" }] }, { "name": "Find all users a part of the VPN group", "category": "Users", "queryList": [{ "final": true, "query": "Match p=(u:User)-[:MemberOf]->(g:Group) WHERE toUPPER (g.name) CONTAINS 'VPN' RETURN p" }] }, { "name": "View all GPOs", "category": "GPOs", "queryList": [{ "final": true, "query": "MATCH (g:GPO) RETURN g" }] }, { "name": "(Warning: edits the DB) Mark all GPOs as High Value Target", "category": "GPOs", "queryList": [{ "final": true, "query": "MATCH (g:GPO) SET g.highvalue=TRUE RETURN g" }] }, { "name": "Find if any low value object has interesting permissions against a GPO (1 hop)", "category": "GPOs", "queryList": [{ "final": true, "query": "MATCH p=(o {highvalue: FALSE})-[:AllExtendedRights|GenericAll|GenericWrite|Owns|WriteDacl|WriteOwner|GpLink]->(g:GPO) RETURN p" }] }, { "name": "(Warning: edits the DB) Mark any low value object with interesting permissions against a GPO as HVT (1 hop)", "category": "GPOs", "queryList": [{ "final": true, "query": "MATCH p=(o {highvalue: FALSE})-[:AllExtendedRights|GenericAll|GenericWrite|Owns|WriteDacl|WriteOwner|GpLink]->(g:GPO) SET o.highvalue=TRUE RETURN p" }] }, { "name": "Find if any enabled unprivileged domain user has interesting permissions against a GPO (3 hops, limit 200)", "category": "GPOs", "queryList": [{ "final": true, "query": "MATCH p=(u:User 
{enabled: TRUE, admincount: FALSE})-[:AllExtendedRights|GenericAll|GenericWrite|Owns|WriteDacl|WriteOwner|GpLink*1..3]->(g:GPO) RETURN p LIMIT 200" }] }, { "name": "Find if any enabled unprivileged domain user has interesting permissions against a GPO (5 hops, limit 200, Warning: Heavy)", "category": "GPOs", "queryList": [{ "final": true, "query": "MATCH p=(u:User {enabled: TRUE, admincount: FALSE})-[:AllExtendedRights|GenericAll|GenericWrite|Owns|WriteDacl|WriteOwner|GpLink*1..5]->(g:GPO) RETURN p LIMIT 200" }] }, { "name": "Find all computers running with Windows XP", "category": "Outdated OS", "queryList": [{ "final": true, "query": "MATCH (c:Computer {enabled: TRUE}) WHERE toUpper(c.operatingsystem) CONTAINS 'XP' RETURN c" }] }, { "name": "Find all computers running with Windows 2000", "category": "Outdated OS", "queryList": [{ "final": true, "query": "MATCH (c:Computer {enabled: TRUE}) WHERE toUpper(c.operatingsystem) CONTAINS '2000' RETURN c" }] }, { "name": "Find all computers running with Windows 2003", "category": "Outdated OS", "queryList": [{ "final": true, "query": "MATCH (c:Computer {enabled: TRUE}) WHERE toUpper(c.operatingsystem) CONTAINS '2003' RETURN c" }] }, { "name": "Find all computers running with Windows 2008", "category": "Outdated OS", "queryList": [{ "final": true, "query": "MATCH (c:Computer {enabled: TRUE}) WHERE toUpper(c.operatingsystem) CONTAINS '2008' RETURN c" }] }, { "name": "Find all computers running with Windows Vista", "category": "Outdated OS", "queryList": [{ "final": true, "query": "MATCH (c:Computer {enabled: TRUE}) WHERE toUpper(c.operatingsystem) CONTAINS 'VISTA' RETURN c" }] }, { "name": "Find all computers running with Windows 7", "category": "Outdated OS", "queryList": [{ "final": true, "query": "MATCH (c:Computer {enabled: TRUE}) WHERE toUpper(c.operatingsystem) CONTAINS '7' RETURN c" }] }, { "name": "Top Ten Users with Most Sessions", "category": "Top Ten", "queryList": [{ "final": true, "query": "MATCH (n:User 
{enabled: TRUE})<-[r:HasSession]-(m:Computer {enabled: TRUE}) WHERE NOT n.name STARTS WITH 'ANONYMOUS LOGON' AND NOT n.name='' WITH n, COUNT(r) AS rel_count ORDER BY rel_count DESC LIMIT 10 MATCH p=(m)-[r:HasSession]->(n) RETURN p", "allowCollapse": true }] }, { "name": "Top Ten Computers with Most Sessions", "category": "Top Ten", "queryList": [{ "final": true, "query": "MATCH (n:User {enabled: TRUE})<-[r:HasSession]-(m:Computer {enabled: TRUE}) WHERE NOT n.name STARTS WITH 'ANONYMOUS LOGON' AND NOT n.name='' WITH m, COUNT(r) AS rel_count ORDER BY rel_count DESC LIMIT 10 MATCH p=(m)-[:HasSession]->(n) RETURN p", "allowCollapse": true }] }, { "name": "Top Ten Users (not Domain Admins or Enterprise Admins) with most local admin rights", "category": "Top Ten", "queryList": [{ "final": true, "query": "MATCH (u:User {enabled: TRUE})-[:MemberOf*1..]->(g:Group) WHERE g.objectid =~ '.*-(512|519|(?i)S-1-5-32-544)$' WITH COLLECT(u.objectid) AS domainAdmins MATCH (n:User {enabled: TRUE})-[r:AdminTo]->(m:Computer {enabled: TRUE}) WHERE NOT n.objectid IN domainAdmins AND NOT n.name STARTS WITH 'ANONYMOUS LOGON' AND NOT n.name='' WITH n, COUNT(r) AS rel_count ORDER BY rel_count DESC LIMIT 10 MATCH p=(n)-[:AdminTo]->(m:Computer {enabled: TRUE}) RETURN p", "allowCollapse": true }] }, { "name": "Top Ten Computers with most local admin rights (not Domain Admins or Enterprise Admins) and their admins", "category": "Top Ten", "queryList": [{ "final": true, "query": "MATCH (u:User {enabled: TRUE})-[:MemberOf*1..]->(g:Group) WHERE g.objectid =~ '.*-(512|519|(?i)S-1-5-32-544)$' WITH COLLECT(u.objectid) AS domainAdmins MATCH (n:User {enabled: TRUE})-[r:AdminTo]->(m:Computer {enabled: TRUE}) WHERE NOT n.objectid IN domainAdmins AND NOT n.name STARTS WITH 'ANONYMOUS LOGON' AND NOT n.name='' WITH m, COUNT(r) AS rel_count ORDER BY rel_count DESC LIMIT 10 MATCH p=(m)<-[:AdminTo]-(n:User {enabled: TRUE}) RETURN p", "allowCollapse": true }] }, { "name": "Top Ten Computers with most admins (not 
Domain Admins or Enterprise Admins)", "category": "Top Ten", "queryList": [{ "final": true, "query": "MATCH (u:User {enabled: TRUE})-[:MemberOf*1..]->(g:Group) WHERE g.objectid =~ '.*-(512|519|(?i)S-1-5-32-544)$' WITH COLLECT(u.objectid) AS domainAdmins MATCH (n:User {enabled: TRUE})-[r:AdminTo]->(m:Computer {enabled: TRUE}) WHERE NOT n.objectid IN domainAdmins AND NOT n.name STARTS WITH 'ANONYMOUS LOGON' AND NOT n.name='' WITH m, COUNT(r) AS rel_count ORDER BY rel_count DESC LIMIT 10 MATCH (m)<-[:AdminTo]-(o:User {enabled: TRUE}) RETURN m", "allowCollapse": true }] }, { "name": "(Warning: edits the DB) Mark Top Ten Computers with most admins (not Domain Admins or Enterprise Admins) as HVT", "category": "Top Ten", "queryList": [{ "final": true, "query": "MATCH (u:User {enabled: TRUE})-[:MemberOf*1..]->(g:Group) WHERE g.objectid =~ '.*-(512|519|(?i)S-1-5-32-544)$' WITH COLLECT(u.objectid) AS domainAdmins MATCH (n:User {enabled: TRUE})-[r:AdminTo]->(m:Computer {enabled: TRUE}) WHERE NOT n.objectid IN domainAdmins AND NOT n.name STARTS WITH 'ANONYMOUS LOGON' AND NOT n.name='' WITH m, COUNT(r) AS rel_count ORDER BY rel_count DESC LIMIT 10 MATCH (m)<-[:AdminTo]-(o:User {enabled: TRUE}) SET m.highvalue = true RETURN m", "allowCollapse": true }] }, { "name": "Top 20 nodes, 5 nested max, not DA, not HVT, most group deleg rights", "category": "Top Ten", "queryList": [{ "final": true, "query": "MATCH (daGroup:Group)<-[:MemberOf*1..]-(domainAdmin) WHERE daGroup.objectid ENDS WITH '-512' WITH COLLECT(domainAdmin) AS domainAdmins MATCH (admGroup:Group)<-[:MemberOf*1..]-(domainAdm) WHERE admGroup.objectid ENDS WITH '-544' WITH domainAdmins, COLLECT(domainAdm) AS domainAdms MATCH p=(u)-[r1:MemberOf*1..5]->(g:Group)-[r2]->(n) WHERE r2.isacl=true AND NOT u IN domainAdmins AND NOT u IN domainAdms AND NOT u.highvalue=true WITH u, COUNT(r2) AS count_ctrl ORDER BY count_ctrl DESC LIMIT 20 RETURN u", "allowCollapse": true }] }, { "name": "Top 10 computers, 5 nested max, not DC, most 
group deleg rights", "category": "Top Ten", "queryList": [{ "final": true, "query": "MATCH (dcGroup:Group)<-[:MemberOf*1..]-(domainControllers) WHERE dcGroup.objectid ENDS WITH '-516' WITH COLLECT(domainControllers) AS domainControllers MATCH p=(u:Computer)-[r1:MemberOf*1..5]->(g:Group)-[r2]->(n) WHERE r2.isacl=true AND NOT u IN domainControllers WITH u, count(r2) AS count_ctrl ORDER BY count_ctrl DESC LIMIT 10 RETURN u", "allowCollapse": true }] }, { "name": "Find enabled machines Domain Users can RDP to", "category": "RDP", "queryList": [{ "final": true, "query": "MATCH p=shortestPath((g:Group)-[:CanRDP|MemberOf*1..]->(c:Computer {enabled: TRUE})) WHERE g.objectid ENDS WITH '-513' RETURN p" }] }, { "name": "Find enabled servers Domain Users can RDP to", "category": "RDP", "queryList": [{ "final": true, "query": "MATCH p=shortestPath((g:Group)-[:CanRDP|MemberOf*1..]->(c:Computer {enabled: TRUE})) WHERE g.objectid ENDS WITH '-513' AND c.operatingsystem =~ '(?i).*Server.*' RETURN p", "allowCollapse": true }] }, { "name": "Find enabled computers Authenticated Users can RDP to", "category": "RDP", "queryList": [{ "final": true, "query": "MATCH p=shortestPath((g:Group)-[:CanRDP|MemberOf*1..]->(c:Computer {enabled: TRUE})) WHERE g.objectid =~ '(?i).*S-1-5-11$' RETURN p", "allowCollapse": true }] }, { "name": "Find enabled servers Authenticated Users can RDP to", "category": "RDP", "queryList": [{ "final": true, "query": "MATCH p=shortestPath((g:Group)-[:CanRDP|MemberOf*1..]->(c:Computer {enabled: TRUE})) WHERE g.objectid =~ '(?i).*S-1-5-11$' AND c.operatingsystem =~ '(?i).*Server.*' RETURN p", "allowCollapse": true }] }, { "name": "Find what groups can RDP", "category": "RDP", "queryList": [{ "final": true, "query": "MATCH p=(g:Group)-[:CanRDP]->(c:Computer) RETURN p" }] }, { "name": "Return All Azure Users that are part of the ‘Global Administrator’ Role", "category": "Azure", "queryList": [{ "final": true, "query": "MATCH p =(n)-[r:AZGlobalAdmin*1..]->(m) RETURN p" }] 
}, { "name": "Return All On-Prem users with edges to Azure", "category": "Azure", "queryList": [{ "final": true, "query": "MATCH p=(m:User)-[r:AZResetPassword|AZOwns|AZUserAccessAdministrator|AZContributor|AZAddMembers|AZGlobalAdmin|AZVMContributor|AZOwnsAZAvereContributor]->(n) WHERE m.objectid CONTAINS 'S-1-5-21' RETURN p" }] }, { "name": "Find all paths to an Azure VM", "category": "Azure", "queryList": [{ "final": true, "query": "MATCH p = (n)-[r]->(g:AZVM) RETURN p" }] }, { "name": "Find all paths to an Azure KeyVault", "category": "Azure", "queryList": [{ "final": true, "query": "MATCH p = (n)-[r]->(g:AZKeyVault) RETURN p" }] }, { "name": "Return All Azure Users and their Groups", "category": "Azure", "queryList": [{ "final": true, "query": "MATCH p=(m:AZUser)-[r:MemberOf]->(n) WHERE NOT m.objectid CONTAINS 'S-1-5' RETURN p" }] }, { "name": "Return All Azure AD Groups that are synchronized with On-Premise AD", "category": "Azure", "queryList": [{ "final": true, "query": "MATCH (n:Group) WHERE n.objectid CONTAINS 'S-1-5' AND n.azsyncid IS NOT NULL RETURN n" }] }, { "name": "Find all Privileged Service Principals", "category": "Azure", "queryList": [{ "final": true, "query": "MATCH p = (g:AZServicePrincipal)-[r]->(n) RETURN p" }] }, { "name": "Find all Owners of Azure Applications", "category": "Azure", "queryList": [{ "final": true, "query": "MATCH p = (n)-[r:AZOwns]->(g:AZApp) RETURN p" }] }, { "name": "Find all Certificate Templates", "category": "Certificates", "queryList": [{ "final": true, "query": "MATCH (n:GPO {type: 'Certificate Template'}) RETURN n" }] }, { "name": "Find enabled Certificate Templates", "category": "Certificates", "queryList": [{ "final": true, "query": "MATCH (n:GPO {Enabled: TRUE, type: 'Certificate Template'}) RETURN n" }] }, { "name": "Find Certificate Authorities", "category": "Certificates", "queryList": [{ "final": true, "query": "MATCH (n:GPO {type: 'Enrollment Service'}) RETURN n" }] }, { "name": "Find objects with the 
ManageCa or ManageCertificates right on Certificate Authorities", "category": "Certificates", "queryList": [{ "final": true, "query": "MATCH p=(o)-[:ManageCa|ManageCertificates]->(c:GPO {type: 'Enrollment Service'}) RETURN p" }] }, { "name": "Show Enrollment Rights for Certificate Template", "category": "Certificates", "queryList": [{ "final": false, "title": "Select a Certificate Template...", "query": "MATCH (n:GPO {type: 'Certificate Template'}) RETURN n.name" }, { "final": true, "query": "MATCH p=(g)-[:Enroll|AutoEnroll]->(n:GPO {type: 'Certificate Template', name:$result}) RETURN p", "allowCollapse": false }] }, { "name": "Show Rights for Certificate Authority", "category": "Certificates", "queryList": [{ "final": false, "title": "Select a Certificate Authority...", "query": "MATCH (n:GPO {type: 'Enrollment Service'}) RETURN n.name" }, { "final": true, "query": "MATCH p=(g)-[:ManageCa|ManageCertificates|Auditor|Operator|Read|Enroll]->(n:GPO {name:$result}) RETURN p", "allowCollapse": false }] }, { "name": "Find Misconfigured Certificate Templates (ESC1)", "category": "AD CS Domain Escalation", "queryList": [{ "final": true, "query": "MATCH (n:GPO {type: 'Certificate Template', `Enrollee Supplies Subject`: TRUE, `Client Authentication`: TRUE, `Enabled`: TRUE}) RETURN n" }] }, { "name": "Shortest Paths to Misconfigured Certificate Templates from Owned Principals (ESC1)", "category": "AD CS Domain Escalation", "queryList": [{ "final": true, "query": "MATCH p=allShortestPaths((g {owned: TRUE})-[*1..]->(n:GPO {type: 'Certificate Template', `Enrollee Supplies Subject`: TRUE, `Client Authentication`: TRUE, `Enabled`: TRUE})) WHERE g<>n RETURN p" }] }, { "name": "Find Misconfigured Certificate Templates (ESC2)", "category": "AD CS Domain Escalation", "queryList": [{ "final": true, "query": "MATCH (n:GPO {type: 'Certificate Template', `Enabled`: TRUE}) WHERE (n.`Extended Key Usage` = [] OR 'Any Purpose' IN n.`Extended Key Usage`) RETURN n" }] }, { "name": "Shortest 
Paths to Misconfigured Certificate Templates from Owned Principals (ESC2)", "category": "AD CS Domain Escalation", "queryList": [{ "final": true, "query": "MATCH p=allShortestPaths((g {owned: TRUE})-[*1..]->(n:GPO {type: 'Certificate Template', `Enabled`: TRUE})) WHERE g<>n AND (n.`Extended Key Usage` = [] OR 'Any Purpose' IN n.`Extended Key Usage`) RETURN p" }] }, { "name": "Find Enrollment Agent Templates (ESC3)", "category": "AD CS Domain Escalation", "queryList": [{ "final": true, "query": "MATCH (n:GPO {type: 'Certificate Template', `Enabled`: TRUE}) WHERE (n.`Extended Key Usage` = [] OR 'Any Purpose' IN n.`Extended Key Usage` OR 'Certificate Request Agent' IN n.`Extended Key Usage`) RETURN n" }] }, { "name": "Shortest Paths to Enrollment Agent Templates from Owned Principals (ESC3)", "category": "AD CS Domain Escalation", "queryList": [{ "final": true, "query": "MATCH p=allShortestPaths((g {owned: TRUE})-[*1..]->(n:GPO {type: 'Certificate Template', `Enabled`: TRUE})) WHERE g<>n AND (n.`Extended Key Usage` = [] OR 'Any Purpose' IN n.`Extended Key Usage` OR 'Certificate Request Agent' IN n.`Extended Key Usage`) RETURN p" }] }, { "name": "Shortest Paths to Vulnerable Certificate Template Access Control (ESC4)", "category": "AD CS Domain Escalation", "queryList": [{ "final": true, "query": "MATCH p=shortestPath((g)-[:GenericAll|GenericWrite|Owns|WriteDacl|WriteOwner*1..]->(n:GPO {type: 'Certificate Template', `Enabled`: TRUE})) WHERE g<>n RETURN p" }] }, { "name": "Shortest Paths to Vulnerable Certificate Template Access Control from Owned Principals (ESC4)", "category": "AD CS Domain Escalation", "queryList": [{ "final": true, "query": "MATCH p=allShortestPaths((g {owned: TRUE})-[*1..]->(n:GPO {type: 'Certificate Template', `Enabled`: TRUE})) WHERE g<>n AND NONE(x IN relationships(p) WHERE type(x) = 'Enroll' OR type(x) = 'AutoEnroll') RETURN p" }] }, { "name": "Find Certificate Authorities with User Specified SAN (ESC6)", "category": "AD CS Domain Escalation", 
"queryList": [{ "final": true, "query": "MATCH (n:GPO {type: 'Enrollment Service', `User Specified SAN`:'Enabled'}) RETURN n" }] }, { "name": "Shortest Paths to Vulnerable Certificate Authority Access Control (ESC7)", "category": "AD CS Domain Escalation", "queryList": [{ "final": true, "query": "MATCH p=shortestPath((g)-[:GenericAll|GenericWrite|Owns|WriteDacl|WriteOwner|ManageCa|ManageCertificates*1..]->(n:GPO {type: 'Enrollment Service'})) WHERE g<>n RETURN p" }] }, { "name": "Shortest Paths to Vulnerable Certificate Authority Access Control from Owned Principals (ESC7)", "category": "AD CS Domain Escalation", "queryList": [{ "final": true, "query": "MATCH p=allShortestPaths((g {owned: TRUE})-[*1..]->(n:GPO {type:'Enrollment Service'})) WHERE g<>n AND NONE(x IN relationships(p) WHERE type(x) = 'Enroll' OR type(x) = 'AutoEnroll') RETURN p" }] }, { "name": "Find Certificate Authorities with HTTP Web Enrollment (ESC8)", "category": "AD CS Domain Escalation", "queryList": [{ "final": true, "query": "MATCH (n:GPO {type: 'Enrollment Service', `Web Enrollment`:'Enabled'}) RETURN n" }] }, { "name": "Find insecure Certificate Templates - Domain Escalation (ESC9)", "category": "AD CS Domain Escalation", "queryList": [ { "final": true, "query": "MATCH (n:GPO {type: 'Certificate Template', `Enrollee Supplies Subject`: TRUE, `Client Authentication`: TRUE, `Enabled`: TRUE}) RETURN n" } ] }, { "name": "Find insecure Certificate Templates - PKI (ESC9)", "category": "AD CS Domain Escalation", "queryList": [ { "final": true, "query": "MATCH (n:GPO {type: 'Certificate Template', `Enabled`: TRUE}) WHERE 'NoSecurityExtension' IN n.`Enrollment Flag` RETURN n" } ] }, { "name": "Shortest Paths to Unsecured Certificate Templates from Owned Principals (ESC9)", "category": "AD CS Domain Escalation", "queryList": [ { "final": true, "query": "MATCH p=allShortestPaths((g {owned: TRUE})-[r*1..]->(n:GPO {type: 'Certificate Template', `Enabled`: TRUE})) WHERE g<>n AND 'NoSecurityExtension' IN 
n.`Enrollment Flag` AND NONE(rel IN r WHERE type(rel) IN ['EnabledBy','Read','ManageCa','ManageCertificates']) RETURN p" } ] }, { "name": "Find enabled users with a plaintext attribute that can RDP into something", "category": "PlainText Password Queries", "queryList": [ { "final": true, "query": "MATCH p=(u:User {enabled: TRUE, plaintext: TRUE})-[:CanRDP*1..]->(c:Computer) RETURN u", "allowCollapse": true } ] }, { "name": "Find enabled users with a plaintext attribute that belong to high value groups", "category": "PlainText Password Queries", "queryList": [ { "final": true, "query": "MATCH p=(u:User {enabled: TRUE, plaintext: TRUE})-[:MemberOf*1..]->(g:Group {highvalue: TRUE}) RETURN p", "allowCollapse": true } ] }, { "name": "Find enabled users with a plaintext attribute that are kerberoastable", "category": "PlainText Password Queries", "queryList": [ { "final": true, "query": "MATCH (u:User {enabled: TRUE, plaintext: TRUE, hasspn: TRUE}) RETURN u", "allowCollapse": true } ] }, { "name": "Find enabled users with seasons in their password and are high value targets", "category": "PlainText Password Queries", "queryList": [ { "final": true, "query": "MATCH p=(u:User {enabled: TRUE, plaintext: TRUE})-[:MemberOf*1..]->(g:Group {highvalue: TRUE}) WHERE u.plaintextpassword =~ '(?i).*(?:winter|spring|summer|fall).*' RETURN u", "allowCollapse": true } ] }, { "name": "Find enabled users with seasons in their password and have local admin on at least one computer", "category": "PlainText Password Queries", "queryList": [ { "final": true, "query": "MATCH p=(u:User {enabled: TRUE, plaintext: TRUE})-[:AdminTo]->(n:Computer) WHERE u.plaintextpassword =~ '(?i).*(?:winter|spring|summer|fall).*' RETURN p", "allowCollapse": true } ] }, { "name": "Find enabled users with seasons in their password and a path to high value targets (limit to 25 results)", "category": "PlainText Password Queries", "queryList": [ { "final": true, "query": "MATCH p=shortestPath((u:User {enabled: TRUE, 
plaintext: TRUE})-[*1..]->(n {highvalue: TRUE})) WHERE u.plaintextpassword =~ '(?i).*(?:winter|spring|summer|fall).*' AND u<>n RETURN u LIMIT 25", "allowCollapse": true } ] }, { "name": "Find enabled users with a variant of \"password\" in their password and are members of high value groups", "category": "PlainText Password Queries", "queryList": [ { "final": true, "query": "MATCH p=(u:User {enabled: TRUE, plaintext: TRUE})-[:MemberOf*1..]->(m:Group {highvalue: TRUE}) WHERE u.plaintextpassword =~ '(?i).*(?:password).*' RETURN u", "allowCollapse": true } ] }, { "name": "Find enabled users with a variant of \"password\" in their password and have local admin on at least one computer", "category": "PlainText Password Queries", "queryList": [ { "final": true, "query": "MATCH p=(u:User {enabled: TRUE, plaintext: TRUE})-[:AdminTo]->(c:Computer {enabled: TRUE}) WHERE u.plaintextpassword =~ '(?i).*(?:password).*' RETURN u", "allowCollapse": true } ] }, { "name": "Find enabled users with a variant of \"password\" in their password and a path to high value targets (limit to 25 results)", "category": "PlainText Password Queries", "queryList": [ { "final": true, "query": "MATCH p=shortestPath((u:User {enabled: TRUE, plaintext: TRUE})-[*1..]->(o {highvalue: TRUE})) WHERE u.plaintextpassword =~ '(?i).*(?:password).*' RETURN p LIMIT 25", "allowCollapse": true } ] }, { "name": "Add indexes to the database", "category": "Indexes", "queryList": [{ "final": false, "title": "Add index on the property Base SamAccountName", "query": "CREATE INDEX BaseSamAccountNameIdx IF NOT EXISTS FOR (b:Base) on (b.samaccountname)" }, { "final": false, "title": "Add index on the property Computer SamAccountName", "query": "CREATE INDEX ComputerSamAccountNameIdx IF NOT EXISTS FOR (c:Computer) on (c.samaccountname)" }, { "final": false, "title": "Add index on the property User SamAccountName", "query": "CREATE INDEX UserSamAccountNameIdx IF NOT EXISTS FOR (u:User) on (u.samaccountname)" }, { "final": 
false, "title": "Add index on the property Computer Owned", "query": "CREATE INDEX ComputerOwnedIdx IF NOT EXISTS FOR (c:Computer) on (c.owned)" }, { "final": false, "title": "Add index on the property User Owned", "query": "CREATE INDEX UserOwnedIdx IF NOT EXISTS FOR (u:User) on (u.owned)" }, { "final": false, "title": "Add index on the property Group Owned", "query": "CREATE INDEX GroupOwnedIdx IF NOT EXISTS FOR (g:Group) on (g.owned)" }, { "final": false, "title": "Add index on the property GPO Owned", "query": "CREATE INDEX GPOOwnedIdx IF NOT EXISTS FOR (g:GPO) on (g.owned)" }, { "final": false, "title": "Add index on the property Computer Highvalue", "query": "CREATE INDEX ComputerHighValueIdx IF NOT EXISTS FOR (c:Computer) on (c.highvalue)" }, { "final": false, "title": "Add index on the property User Highvalue", "query": "CREATE INDEX UserHighValueIdx IF NOT EXISTS FOR (u:User) on (u.highvalue)" }, { "final": false, "title": "Add index on the property Group Highvalue", "query": "CREATE INDEX GroupHighValueIdx IF NOT EXISTS FOR (g:Group) on (g.highvalue)" }, { "final": false, "title": "Add index on the property GPO Highvalue", "query": "CREATE INDEX GPOHighValueIdx IF NOT EXISTS FOR (g:GPO) on (g.highvalue)" }, { "final": false, "title": "Add index on the property User Sensitive", "query": "CREATE INDEX UserSensitiveIdx IF NOT EXISTS FOR (u:User) on (u.sensitive)" }, { "final": false, "title": "Add index on the property User Admincount", "query": "CREATE INDEX UserAdminCountIdx IF NOT EXISTS FOR (u:User) on (u.admincount)" }, { "final": false, "title": "Add index on the property User Plaintext", "query": "CREATE INDEX UserPlaintextIdx IF NOT EXISTS FOR (u:User) on (u.plaintext)" }, { "final": false, "title": "Add index on the property Computer Enabled", "query": "CREATE INDEX ComputerEnabledIdx IF NOT EXISTS FOR (c:Computer) on (c.enabled)" }, { "final": false, "title": "Add index on the property User Enabled", "query": "CREATE INDEX UserEnabledIdx 
IF NOT EXISTS FOR (u:User) on (u.enabled)" }, { "final": false, "title": "Add index on the property User HasSPN", "query": "CREATE INDEX UserHasSPNIdx IF NOT EXISTS FOR (u:User) on (u.hasspn)" }, { "final": false, "title": "Add index on the property GPO Type", "query": "CREATE INDEX GPOTypeIdx IF NOT EXISTS FOR (g:GPO) on (g.type)" }, { "final": true, "title": "Add index on the property GPO Enabled", "query": "CREATE INDEX GPOEnabledIdx IF NOT EXISTS FOR (g:GPO) on (g.enabled)" } ] } ] }