{ "queries": [ { "name": "Find more privileged groups", "category": "High Value Targets", "queryList": [{ "final": true, "query": "MATCH (g:Group) WHERE g.objectid =~ '.*-(512|517|518|519|520|521|522|526|527|(?i)S-1-5-32-(544|547|548|549|550|551|552|556|557|580)|(?i)S-1-5-9)$' OR toUpper(g.samaccountname) = 'DNSADMINS' RETURN g" }] }, { "name": "(Warning: edits the DB) Mark more privileged groups as HVT", "category": "High Value Targets", "queryList": [{ "final": true, "query": "MATCH (g:Group) WHERE g.objectid =~ '.*-(512|517|518|519|520|521|522|526|527|(?i)S-1-5-32-(544|547|548|549|550|551|552|556|557|580)|(?i)S-1-5-9)$' OR toUpper(g.samaccountname) = 'DNSADMINS' SET g.highvalue=TRUE RETURN g" }] }, { "name": "Find low value members of High Value Target Groups (1 hop)", "category": "High Value Targets", "queryList": [{ "final": true, "query": "MATCH p=(m {highvalue: FALSE})-[:MemberOf]->(g:Group {highvalue: TRUE}) RETURN p" }] }, { "name": "(Warning: edits the DB) Mark low value members of High Value Target Groups as HVT (1 hop)", "category": "High Value Targets", "queryList": [{ "final": true, "query": "MATCH p=(o {highvalue: FALSE})-[:MemberOf]->(g:Group {highvalue: TRUE}) SET o.highvalue=TRUE RETURN p" }] }, { "name": "Find objects containing names of some tier 0 software (SCCM, Veeam, ...)", "category": "High Value Targets", "queryList": [{ "final": true, "query": "MATCH (o) WHERE (o.samaccountname =~ '(?i).*(?:sccm|veeam|boomgar|tivoli|altiris|varonis|vcenter|vsphere|esx).*') RETURN o" }] }, { "name": "(Warning: edits the DB) Mark objects containing names of some tier 0 software (SCCM, Veeam, ...) 
as HVT", "category": "High Value Targets", "queryList": [{ "final": true, "query": "MATCH (o) WHERE (o.samaccountname =~ '(?i).*(?:sccm|veeam|boomgar|tivoli|altiris|varonis|vcenter|vsphere|esx).*') SET o.highvalue=TRUE RETURN o" }] }, { "name": "Find low value objects with ACLs on high value objects (1 hop, max 200, Heavy)", "category": "High Value Targets", "queryList": [{ "final": true, "query": "MATCH p=((a {highvalue: FALSE})-[r]->(b {highvalue: TRUE})) WHERE NOT (type(r) = 'Contains') RETURN p LIMIT 200" }] }, { "name": "(Warning: edits the DB) Mark low value objects with ACLs on high value objects as HVT (1 hop, max 200, Heavy)", "category": "High Value Targets", "queryList": [{ "final": true, "query": "MATCH p=((a {highvalue: FALSE})-[r]->(b {highvalue: TRUE})) WHERE NOT (type(r) = 'Contains') SET a.highvalue=TRUE RETURN p LIMIT 200" }] }, { "name": "Owned objects", "category": "Owned Objects", "queryList": [{ "final": true, "query": "MATCH (o {owned: TRUE}) RETURN o" }] }, { "name": "Direct groups of owned users", "category": "Owned Objects", "queryList": [{ "final": true, "query": "MATCH p=(u:User {owned: TRUE})-[:MemberOf]->(g:Group) RETURN p", "props": {}, "allowCollapse": true }] }, { "name": "Unrolled groups of owned users", "category": "Owned Objects", "queryList": [{ "final": true, "query": "MATCH p=(u:User {owned: TRUE})-[:MemberOf*1..]->(g:Group) RETURN p" }] }, { "name": "Shortest paths from owned objects to High Value Targets (5 hops)", "category": "Owned Objects", "queryList": [{ "final": true, "query": "MATCH p=shortestPath((n {owned: TRUE})-[:MemberOf|HasSession|AdminTo|AllExtendedRights|AddMember|ForceChangePassword|GenericAll|GenericWrite|Owns|WriteDacl|WriteOwner|CanRDP|ExecuteDCOM|AllowedToDelegate|ReadLAPSPassword|Contains|GpLink|AddAllowedToAct|AllowedToAct|SQLAdmin|ReadGMSAPassword|HasSIDHistory|CanPSRemote*1..5]->(m {highvalue: TRUE})) WHERE NOT n=m RETURN p", "allowCollapse": true }] }, { "name": "Most exploitable paths from owned 
objects to High Value Targets (5 hops)", "category": "Owned Objects", "queryList": [{ "final": true, "query": "MATCH p=allShortestPaths((n {owned: TRUE})-[:MemberOf|AdminTo|AllExtendedRights|AddMember|ForceChangePassword|GenericAll|GenericWrite|Owns|WriteDacl|WriteOwner|ExecuteDCOM|AllowedToDelegate|ReadLAPSPassword|Contains|GpLink|AddAllowedToAct|AllowedToAct|SQLAdmin|ReadGMSAPassword|HasSIDHistory*1..5]->(m {highvalue:true})) WHERE NOT n=m RETURN p", "allowCollapse": true }] }, { "name": "Next steps (5 hops) from owned objects", "category": "Owned Objects", "queryList": [{ "final": true, "query": "MATCH p=shortestPath((c {owned: TRUE})-[*1..5]->(s)) WHERE NOT c = s RETURN p" }] }, { "name": "Next steps (3 hops) from owned objects", "category": "Owned Objects", "queryList": [{ "final": true, "query": "MATCH p=shortestPath((c {owned: TRUE})-[*1..3]->(s)) WHERE NOT c = s RETURN p" }] }, { "name": "Owned users with permissions against GPOs", "category": "Owned Objects", "queryList": [{ "final": true, "query": "MATCH p=(u:User {owned: TRUE})-[r:AllExtendedRights|GenericAll|GenericWrite|Owns|WriteDacl|WriteOwner|GpLink*1..]->(g:GPO) RETURN p" }] }, { "name": "Connections between different domains/forests", "category": "Domains/Forests", "queryList": [{ "final": true, "query": "MATCH p = (a)-[r]->(b) WHERE NOT a.domain = b.domain RETURN p" }] }, { "name": "Connections (ACEs only) between different domains/forests", "category": "Domains/Forests", "queryList": [{ "final": true, "query": "MATCH p = (a)-[r]->(b) WHERE NOT a.domain = b.domain AND r.isacl = TRUE RETURN p" }] }, { "name": "Can a user from domain A do anything to any computer in domain B (Warning: VERY Heavy)", "category": "Domains/Forests", "queryList": [{ "final": false, "title": "Select source domain...", "query": "MATCH (n:Domain) RETURN n.name ORDER BY n.name DESC" }, { "final": false, "title": "Select destination domain...", "query": "MATCH (n:Domain) RETURN $result + '=>' + n.name ORDER BY n.name DESC" 
}, { "final": true, "query": "WITH split($result, \"=>\") AS selectedDomains WITH selectedDomains[0] AS sourceDomain, selectedDomains[1] AS destDomain MATCH (n:User {domain: sourceDomain}) MATCH (m:Computer {domain: destDomain}) MATCH p=allShortestPaths((n)-[r:MemberOf|HasSession|AdminTo|AllExtendedRights|AddMember|ForceChangePassword|GenericAll|GenericWrite|Owns|WriteDacl|WriteOwner|CanRDP|ExecuteDCOM|AllowedToDelegate|ReadLAPSPassword|Contains|GpLink|AddAllowedToAct|AllowedToAct|SQLAdmin*1..]->(m)) WHERE NOT n = m RETURN p", "startNode": "{}", "allowCollapse": false }] }, { "name": "Kerberoastable enabled users", "category": "Roasting", "queryList": [{ "final": true, "query": "MATCH (u:User {enabled: TRUE, hasspn: TRUE}) RETURN u", "allowCollapse": false }] }, { "name": "AS-REProastable enabled users", "category": "Roasting", "queryList": [{ "final": true, "query": "MATCH (u:User {enabled: TRUE, dontreqpreauth: TRUE}) RETURN u" }] }, { "name": "Kerberoastable users with a path to DA", "category": "Roasting", "queryList": [{ "final": true, "query": "MATCH p = shortestPath( (u:User {enabled: TRUE, hasspn: TRUE})-[*1..]->(g:Group) ) WHERE g.objectid ENDS WITH '-512' RETURN p" }] }, { "name": "Kerberoastable enabled users with a path to High Value", "category": "Roasting", "queryList": [{ "final": true, "query": "MATCH p = shortestPath( (u:User {enabled: TRUE, hasspn: TRUE})-[*1..]->(n {highvalue: TRUE}) ) RETURN p" }] }, { "name": "Kerberoastable enabled users and where they are AdminTo", "category": "Roasting", "queryList": [{ "final": true, "query": "MATCH p = shortestPath((u:User {enabled: TRUE, hasspn:TRUE})-[:AdminTo]->(c:Computer {enabled: TRUE})) RETURN p" }] }, { "name": "Kerberoastable enabled users who are members of high value groups", "category": "Roasting", "queryList": [{ "final": true, "query": "MATCH p = shortestPath((u:User {enabled: TRUE, hasspn: TRUE})-[:MemberOf*1..]->(g:Group {highvalue: TRUE})) RETURN p" }] }, { "name": "Kerberoastable enabled 
users with passwords last set > 5 years ago", "category": "Roasting", "queryList": [{ "final": true, "query": "MATCH (u:User {enabled: TRUE, hasspn: TRUE}) WHERE u.pwdlastset < (datetime().epochseconds - (1825 * 86400)) AND NOT u.pwdlastset IN [-1.0, 0.0] RETURN u" }] }, { "name": "Unconstrained Delegations for enabled computers", "category": "Kerberos Delegations", "queryList": [{ "final": true, "query": "MATCH (c {enabled: TRUE, unconstraineddelegation: TRUE}) RETURN c" }] }, { "name": "Constrained Delegations (with Protocol Transition)", "category": "Kerberos Delegations", "queryList": [{ "final": true, "query": "MATCH (c) WHERE NOT c.allowedtodelegate IS NULL AND c.trustedtoauth=TRUE RETURN c" }] }, { "name": "Constrained Delegations (without Protocol Transition)", "category": "Kerberos Delegations", "queryList": [{ "final": true, "query": "MATCH (c) WHERE NOT c.allowedtodelegate IS NULL AND c.trustedtoauth=FALSE RETURN c" }] }, { "name": "Resource-Based Constrained Delegations", "category": "Kerberos Delegations", "queryList": [{ "final": true, "query": "MATCH p=(u:User {enabled: TRUE})-[:AllowedToAct]->(c:Computer {enabled: TRUE}) RETURN p" }] }, { "name": "Unconstrained Delegation systems (without domain controllers)", "category": "Kerberos Delegations", "queryList": [{ "final": true, "query": "MATCH (c1:Computer)-[:MemberOf*1..]->(g:Group) WHERE g.objectid ENDS WITH '-516' WITH COLLECT(c1.name) AS domainControllers MATCH (c2 {unconstraineddelegation:true}) WHERE NOT c2.name IN domainControllers RETURN c2" }] }, { "name": "(Warning: edits the DB) Mark unconstrained delegation systems as high value targets", "category": "Kerberos Delegations", "queryList": [{ "final": true, "query": "MATCH (c1:Computer)-[:MemberOf*1..]->(g:Group) WHERE g.objectid ENDS WITH '-516' WITH COLLECT(c1.name) AS domainControllers MATCH (c2 {unconstraineddelegation:true}) WHERE NOT c2.name IN domainControllers SET c2.highvalue = true RETURN c2" }] }, { "name": "Shortest paths from 
owned principals to unconstrained delegation systems", "category": "Kerberos Delegations", "queryList": [{ "final": true, "query": "MATCH p=shortestPath((o {owned: TRUE})-[:MemberOf|HasSession|AdminTo|AllExtendedRights|AddMember|ForceChangePassword|GenericAll|GenericWrite|Owns|WriteDacl|WriteOwner|ExecuteDCOM|AllowedToDelegate|ReadLAPSPassword|Contains|GpLink|AddAllowedToAct|AllowedToAct|SQLAdmin|ReadGMSAPassword|HasSIDHistory|CanPSRemote*1..]->(m:Computer {unconstraineddelegation: TRUE})) WHERE NOT o=m RETURN p" }] }, { "name":"Between users (1 hop, max 200)", "category":"Weak ACLs", "queryList":[ { "final":true, "query":"MATCH p=(u1:User { enabled: TRUE } )-[:AllExtendedRights|AddMember|ForceChangePassword|GenericAll|GenericWrite|Owns|WriteDacl|WriteOwner|AddSelf|WriteSPN|AddKeyCredentialLink]->(u2:User) WHERE NOT(u1.name STARTS WITH 'MSOL_') RETURN p LIMIT 200" } ] }, { "name":"Between users (3 hops, max 200)", "category":"Weak ACLs", "queryList":[ { "final":true, "query":"MATCH p=(u1:User { enabled: TRUE } )-[:AllExtendedRights|AddMember|ForceChangePassword|GenericAll|GenericWrite|Owns|WriteDacl|WriteOwner|AddSelf|WriteSPN|AddKeyCredentialLink*1..3]->(u2:User) WHERE NOT(u1.name STARTS WITH 'MSOL_') RETURN p LIMIT 200" } ] }, { "name":"Between computers (1 hop, max 200)", "category":"Weak ACLs", "queryList":[ { "final":true, "query":"MATCH p=(c1:Computer {enabled: TRUE})-[:AllExtendedRights|AddMember|ForceChangePassword|GenericAll|GenericWrite|Owns|WriteDacl|WriteOwner|AddSelf|WriteSPN|AddKeyCredentialLink]->(c2:Computer) WHERE NOT(c1.name STARTS WITH 'MSOL_') RETURN p LIMIT 200" } ] }, { "name":"Between computers (3 hops, max 200)", "category":"Weak ACLs", "queryList":[ { "final":true, "query":"MATCH p=(c1:Computer {enabled: TRUE})-[:AllExtendedRights|AddMember|ForceChangePassword|GenericAll|GenericWrite|Owns|WriteDacl|WriteOwner|AddSelf|WriteSPN|AddKeyCredentialLink*1..3]->(c2:Computer) WHERE NOT(c1.name STARTS WITH 'MSOL_') RETURN p LIMIT 200" } ] }, { 
"name": "Find computers admin to other computers", "category": "Weak ACLs", "queryList": [{ "final": true, "query": "MATCH p = (c1:Computer)-[r1:AdminTo]->(c2:Computer) RETURN p UNION ALL MATCH p = (c3:Computer)-[r2:MemberOf*1..]->(g:Group)-[r3:AdminTo]->(c4:Computer) RETURN p" }] }, { "name":"Between enabled users and computers (1 hop, max 200)", "category":"Weak ACLs", "queryList":[ { "final":true, "query":"MATCH p=(u:User {enabled: TRUE})-[:AllExtendedRights|AddMember|ForceChangePassword|GenericAll|GenericWrite|Owns|WriteDacl|WriteOwner|AddSelf|WriteSPN|AddKeyCredentialLink]->(c:Computer) WHERE NOT(u.name STARTS WITH 'MSOL_') RETURN p LIMIT 200" } ] }, { "name":"Between enabled users and computers (3 hops, max 200)", "category":"Weak ACLs", "queryList":[ { "final":true, "query":"MATCH p=(u:User {enabled: TRUE})-[:AllExtendedRights|AddMember|ForceChangePassword|GenericAll|GenericWrite|Owns|WriteDacl|WriteOwner|AddSelf|WriteSPN|AddKeyCredentialLink*1..3]->(c:Computer) WHERE NOT(u.name STARTS WITH 'MSOL_') RETURN p LIMIT 200" } ] }, { "name":"Between enabled computers and users (1 hop, max 200)", "category":"Weak ACLs", "queryList":[ { "final":true, "query":"MATCH p=(c:Computer {enabled: TRUE})-[:AllExtendedRights|AddMember|ForceChangePassword|GenericAll|GenericWrite|Owns|WriteDacl|WriteOwner|AddSelf|WriteSPN|AddKeyCredentialLink]->(u:User) WHERE NOT(u.name STARTS WITH 'MSOL_') RETURN p LIMIT 200" } ] }, { "name":"Between enabled computers and users (3 hops, max 200)", "category":"Weak ACLs", "queryList":[ { "final":true, "query":"MATCH p=(c:Computer {enabled: TRUE})-[:AllExtendedRights|AddMember|ForceChangePassword|GenericAll|GenericWrite|Owns|WriteDacl|WriteOwner|AddSelf|WriteSPN|AddKeyCredentialLink*1..3]->(u:User) WHERE NOT(u.name STARTS WITH 'MSOL_') RETURN p LIMIT 200" } ] }, { "name": "Objects with the AddAllowedToAct or WriteAccountRestrictions right on an enabled computer", "category": "Weak ACLs", "queryList": [{ "final": true, "query": "MATCH p=(g 
{enabled: TRUE})-[:AddAllowedToAct|WriteAccountRestrictions]->(c:Computer {enabled: TRUE}) RETURN p" }] }, { "name":"Miscellaneous direct ACLs from enabled objects (1 hop, max 200)", "category":"Weak ACLs", "queryList":[ { "final":true, "query":"MATCH p=(u1 {enabled: TRUE})-[:AllExtendedRights|AddMember|ForceChangePassword|GenericAll|GenericWrite|Owns|WriteDacl|WriteOwner|AddSelf|WriteSPN|AddKeyCredentialLink|Enroll|ManageCa|ManageCertificates]->(u2) WHERE NOT(u1.name STARTS WITH 'MSOL_') AND NOT(u2.name STARTS WITH 'MSOL_') AND NOT(u1.name CONTAINS 'ADMIN') AND NOT(u2.name CONTAINS 'ADMIN') RETURN p LIMIT 200" } ] }, { "name":"Miscellaneous direct ACLs from enabled objects (3 hops, max 200)", "category":"Weak ACLs", "queryList":[ { "final":true, "query":"MATCH p=(u1 {enabled: TRUE})-[:AllExtendedRights|AddMember|ForceChangePassword|GenericAll|GenericWrite|Owns|WriteDacl|WriteOwner|AddSelf|WriteSPN|AddKeyCredentialLink|Enroll|ManageCa|ManageCertificates*1..3]->(u2) WHERE NOT(u1.name STARTS WITH 'MSOL_') AND NOT(u2.name STARTS WITH 'MSOL_') AND NOT(u1.name CONTAINS 'ADMIN') AND NOT(u2.name CONTAINS 'ADMIN') RETURN p LIMIT 200" } ] }, { "name": "Logged in Admins", "category": "Admins", "queryList": [{ "final": true, "query": "MATCH p=(c:Computer {enabled: TRUE})-[:HasSession]->(u:User {enabled: TRUE}) WITH c,u MATCH p=shortestPath((u)-[:AdminTo|MemberOf*1..]->(c)) RETURN p", "allowCollapse": true }] }, { "name": "Users with local admin rights", "category": "Admins", "queryList": [{ "final": true, "query": "MATCH p=(m:User {enabled: TRUE})-[:AdminTo]->(n:Computer {enabled: TRUE}) RETURN p" }] }, { "name": "Administrators and Domain/Enterprise Admins with sessions", "category": "Admins", "queryList": [{ "final": true, "query": "MATCH (u:User {enabled: TRUE})-[:MemberOf*1..]->(g:Group) WHERE g.objectid =~ '.*-(512|519|(?i)S-1-5-32-544)$' WITH COLLECT(u.objectid) AS domainAdmins MATCH p = (c2:Computer {enabled: TRUE})-[:HasSession]->(u2:User {enabled: TRUE}) WHERE 
u2.objectid IN domainAdmins RETURN p" }] }, { "name": "Administrators and Domain/Enterprise Admins with sessions not on domain controllers", "category": "Admins", "queryList": [{ "final": true, "query": "MATCH (u:User {enabled: TRUE})-[:MemberOf*1..]->(g:Group) WHERE g.objectid =~ '.*-(512|519|(?i)S-1-5-32-544)$' WITH COLLECT(u.objectid) AS domainAdmins MATCH (c:Computer {enabled: TRUE})-[:MemberOf*1..]->(g2:Group) WHERE g2.objectid =~ '.*-(516|(?i)S-1-5-9)$' WITH COLLECT(c.objectid) AS domainControllers, domainAdmins MATCH p = (c2:Computer {enabled: TRUE})-[:HasSession]->(u2:User {enabled: TRUE}) WHERE u2.objectid IN domainAdmins AND NOT c2.objectid IN domainControllers RETURN p" }] }, { "name": "High Value users sessions", "category": "Admins", "queryList": [{ "final": true, "query": "MATCH (n:User {enabled: TRUE})-[:MemberOf*1..]->(g:Group {highvalue: TRUE}) MATCH p = (c:Computer {enabled: TRUE})-[:HasSession]->(n) RETURN p" }] }, { "name": "Users with adminCount, not sensitive for delegation, not members of Protected Users", "category": "Admins", "queryList": [{ "final": true, "query": "MATCH (u:User {enabled:TRUE})-[:MemberOf*1..]->(g:Group) WHERE g.objectid =~ '(?i)S-1-5-.*-525$' WITH COLLECT (u.objectid) AS protectedUsers MATCH p=(u2:User {enabled:TRUE, admincount:TRUE, sensitive:FALSE})-[:MemberOf*1..3]->(g2:Group) WHERE NOT u2.objectid IN protectedUsers RETURN p" }] }, { "name": "Enabled Domain/Enterprise Administrators, not sensitive for delegation and not members of Protected Users", "category": "Admins", "queryList": [{ "final": true, "query": "MATCH (u:User {enabled: TRUE, admincount: TRUE})-[:MemberOf*1..]->(g:Group) WHERE g.objectid =~ '.*-525$' WITH COLLECT(u.objectid) AS protectedUsers MATCH p=(u2:User {enabled: TRUE, admincount: TRUE, sensitive: FALSE})-[:MemberOf*1..]->(g2:Group) WHERE NOT u2.objectid IN protectedUsers AND g2.objectid =~ '.*-(512|519|(?i)S-1-5-32-544)$' RETURN p" }] }, { "name": "Enabled users, members of high value groups, not 
sensitive for delegation and not members of Protected Users (Heavy)", "category": "Admins", "queryList": [{ "final": true, "query": "MATCH (u:User {enabled: TRUE, admincount: TRUE})-[:MemberOf*1..]->(g:Group) WHERE g.objectid =~ '.*-525$' WITH COLLECT (u.objectid) AS protectedUsers MATCH p=(u2:User {enabled: TRUE, sensitive: FALSE})-[:MemberOf*1..]->(g2:Group {highvalue: TRUE}) WHERE NOT u2.objectid IN protectedUsers RETURN p" }] }, { "name": "Groups that contain the word 'admin'", "category": "Groups", "queryList": [{ "final": true, "query": "Match (n:Group) WHERE n.name CONTAINS 'ADMIN' RETURN n" }] }, { "name": "Groups that can change user passwords", "category": "Groups", "queryList": [{ "final": true, "query": "MATCH p=(m:Group)-[:ForceChangePassword]->(n:User) RETURN DISTINCT m[.]name, COUNT(m[.]name) ORDER BY COUNT(m[.]name) DESC" }] }, { "name": "Groups of High Value Targets", "category": "Groups", "queryList": [{ "final": true, "query": "MATCH p=(n:User)-[:MemberOf*1..]->(m:Group {highvalue:true}) RETURN p" }] }, { "name": "Non Admin Groups with High Value Privileges", "category": "Groups", "queryList": [{ "final": true, "query": "MATCH p=(g:Group)-[:Owns|:WriteDacl|:GenericAll|:WriteOwner|:ExecuteDCOM|:GenericWrite|:AllowedToDelegate|:ForceChangePassword]->(n:Computer) WHERE NOT g.name CONTAINS 'ADMIN' RETURN p", "allowCollapse": true }] }, { "name": "Groups with Computer and User Objects", "category": "Groups", "queryList": [{ "final": true, "query": "MATCH (c:Computer)-[:MemberOf*1..]->(groupsWithComps:Group) WITH groupsWithComps MATCH (u:User)-[r:MemberOf*1..]->(groupsWithComps) RETURN DISTINCT(groupsWithComps) AS groupsWithCompsAndUsers", "allowCollapse": true, "endNode": "{}" }] }, { "name": "Groups that can reset passwords of enabled users (Warning: Heavy)", "category": "Groups", "queryList": [{ "final": true, "query": "MATCH p=(g:Group)-[:ForceChangePassword]->(u:User {enabled: TRUE}) RETURN p" }] }, { "name": "Groups that have local admin rights 
on enabled computers (Warning: Heavy)", "category": "Groups", "queryList": [{ "final": true, "query": "MATCH p=(g:Group)-[:AdminTo]->(c:Computer {enabled: TRUE}) RETURN p" }] }, { "name": "Users never logged on and account still active", "category": "Users", "queryList": [{ "final": true, "query": "MATCH (u:User {enabled: TRUE, lastlogontimestamp:-1.0}) RETURN u" }] }, { "name": "Users not logged in for more than 90 days and account still active", "category": "Users", "queryList": [{ "final": true, "query": "MATCH (u:User {enabled: TRUE}) WHERE u.lastlogon < (datetime().epochseconds - (90 * 86400)) and NOT u.lastlogon IN [-1.0, 0.0] RETURN u" }] }, { "name": "Users with passwords last set more than 90 days ago and account still active", "category": "Users", "queryList": [{ "final": true, "query": "MATCH (u:User {enabled: TRUE}) WHERE u.pwdlastset < (datetime().epochseconds - (90 * 86400)) and NOT u.pwdlastset IN [-1.0, 0.0] RETURN u" }] }, { "name": "Find if unprivileged users have rights to add members into groups (3 hops)", "category": "Users", "queryList": [{ "final": true, "query": "MATCH p=(u:User {enabled: TRUE, admincount: FALSE})-[:AddMember*1..3]->(m:Group) RETURN p" }] }, { "name": "Find all users that are direct members of a VPN group", "category": "Users", "queryList": [{ "final": true, "query": "Match p=(u:User)-[:MemberOf]->(g:Group) WHERE toUPPER (g.name) CONTAINS 'VPN' RETURN p" }] }, { "name": "View all GPOs", "category": "GPOs", "queryList": [{ "final": true, "query": "MATCH (g:GPO) RETURN g" }] }, { "name": "(Warning: edits the DB) Mark all GPOs as High Value Target", "category": "GPOs", "queryList": [{ "final": true, "query": "MATCH (g:GPO) SET g.highvalue=TRUE RETURN g" }] }, { "name": "Find if any low value object has interesting permissions against a GPO (1 hop)", "category": "GPOs", "queryList": [{ "final": true, "query": "MATCH p=(o {highvalue: FALSE})-[:AllExtendedRights|GenericAll|GenericWrite|Owns|WriteDacl|WriteOwner|GpLink]->(g:GPO) RETURN p" }] }, { "name": 
"(Warning: edits the DB) Mark any low value object with interesting permissions against a GPO as HVT (1 hop)", "category": "GPOs", "queryList": [{ "final": true, "query": "MATCH p=(o {highvalue: FALSE})-[:AllExtendedRights|GenericAll|GenericWrite|Owns|WriteDacl|WriteOwner|GpLink]->(g:GPO) SET o.highvalue=TRUE RETURN p" }] }, { "name": "Find if any enabled unprivileged domain user has interesting permissions against a GPO (3 hops, limit 200)", "category": "GPOs", "queryList": [{ "final": true, "query": "MATCH p=(u:User {enabled: TRUE, admincount: FALSE})-[:AllExtendedRights|GenericAll|GenericWrite|Owns|WriteDacl|WriteOwner|GpLink*1..3]->(g:GPO) RETURN p LIMIT 200" }] }, { "name": "Find if any enabled unprivileged domain user has interesting permissions against a GPO (5 hops, limit 200, Warning: Heavy)", "category": "GPOs", "queryList": [{ "final": true, "query": "MATCH p=(u:User {enabled: TRUE, admincount: FALSE})-[:AllExtendedRights|GenericAll|GenericWrite|Owns|WriteDacl|WriteOwner|GpLink*1..5]->(g:GPO) RETURN p LIMIT 200" }] }, { "name": "Find all computers running with Windows XP", "category": "Outdated OS", "queryList": [{ "final": true, "query": "MATCH (c:Computer) WHERE toUpper(c.operatingsystem) CONTAINS 'XP' RETURN c" }] }, { "name": "Find all computers running with Windows 2000", "category": "Outdated OS", "queryList": [{ "final": true, "query": "MATCH (c:Computer) WHERE toUpper(c.operatingsystem) CONTAINS '2000' RETURN c" }] }, { "name": "Find all computers running with Windows 2003", "category": "Outdated OS", "queryList": [{ "final": true, "query": "MATCH (c:Computer) WHERE toUpper(c.operatingsystem) CONTAINS '2003' RETURN c" }] }, { "name": "Find all computers running with Windows 2008", "category": "Outdated OS", "queryList": [{ "final": true, "query": "MATCH (c:Computer) WHERE toUpper(c.operatingsystem) CONTAINS '2008' RETURN c" }] }, { "name": "Find all computers running with Windows Vista", "category": "Outdated OS", "queryList": [{ "final": true, 
"query": "MATCH (c:Computer) WHERE toUpper(c.operatingsystem) CONTAINS 'VISTA' RETURN c" }] }, { "name": "Find all computers running with Windows 7", "category": "Outdated OS", "queryList": [{ "final": true, "query": "MATCH (c:Computer) WHERE toUpper(c.operatingsystem) CONTAINS '7' RETURN c" }] }, { "name": "Top Ten Users with Most Sessions", "category": "Top Ten", "queryList": [{ "final": true, "query": "MATCH (n:User),(m:Computer), (n)<-[r:HasSession]-(m) WHERE NOT n.name STARTS WITH 'ANONYMOUS LOGON' AND NOT n.name='' WITH n, count(r) AS rel_count order by rel_count desc LIMIT 10 MATCH p=(m)-[r:HasSession]->(n) RETURN p", "allowCollapse": true }] }, { "name": "Top Ten Computers with Most Sessions", "category": "Top Ten", "queryList": [{ "final": true, "query": "MATCH (n:User),(m:Computer), (n)<-[r:HasSession]-(m) WHERE NOT n.name STARTS WITH 'ANONYMOUS LOGON' AND NOT n.name='' WITH m, count(r) AS rel_count order by rel_count desc LIMIT 10 MATCH p=(m)-[r:HasSession]->(n) RETURN p", "allowCollapse": true }] }, { "name": "Top Ten Users with Most Local Admin Rights", "category": "Top Ten", "queryList": [{ "final": true, "query": "MATCH (n:User),(m:Computer), (n)-[r:AdminTo]->(m) WHERE NOT n.name STARTS WITH 'ANONYMOUS LOGON' AND NOT n.name='' WITH n, count(r) AS rel_count order by rel_count desc LIMIT 10 MATCH p=(m)<-[r:AdminTo]-(n) RETURN p", "allowCollapse": true }] }, { "name": "Top Ten Computers with Most Admins and their admins", "category": "Top Ten", "queryList": [{ "final": true, "query": "MATCH (n:User),(m:Computer), (n)-[r:AdminTo]->(m) WHERE NOT n.name STARTS WITH 'ANONYMOUS LOGON' AND NOT n.name='' WITH m, count(r) AS rel_count order by rel_count desc LIMIT 10 MATCH p=(m)<-[r:AdminTo]-(n) RETURN p", "allowCollapse": true }] }, { "name": "Top Ten Computers with Most Admins", "category": "Top Ten", "queryList": [{ "final": true, "query": "MATCH (n:User),(m:Computer), (n)-[r:AdminTo]->(m) WHERE NOT n.name STARTS WITH 'ANONYMOUS LOGON' AND NOT n.name='' WITH 
m, count(r) AS rel_count order by rel_count desc LIMIT 10 MATCH p=(m)<-[r:AdminTo]-(n) RETURN m", "allowCollapse": true }] }, { "name": "(Warning: edits the DB) Mark Top Ten Computers with Most Admins as HVT", "category": "Top Ten", "queryList": [{ "final": true, "query": "MATCH (n:User),(m:Computer), (n)-[r:AdminTo]->(m) WHERE NOT n.name STARTS WITH 'ANONYMOUS LOGON' AND NOT n.name='' WITH m, count(r) AS rel_count order by rel_count desc LIMIT 10 MATCH p=(m)<-[r:AdminTo]-(n) SET m.highvalue = true RETURN m", "allowCollapse": true }] }, { "name": "Top 20 nodes, 5 nested max, not DA, not HVT, most group deleg rights", "category": "Top Ten", "queryList": [{ "final": true, "query": "MATCH (daGroup:Group)<-[:MemberOf*1..]-(domainAdmin) WHERE daGroup.objectid ENDS WITH '-512' WITH COLLECT(domainAdmin) AS domainAdmins MATCH (admGroup:Group)<-[:MemberOf*1..]-(domainAdm) WHERE admGroup.objectid ENDS WITH '-544' WITH domainAdmins, COLLECT(domainAdm) AS domainAdms MATCH p=(u)-[r1:MemberOf*1..5]->(g:Group)-[r2]->(n) WHERE r2.isacl=true AND NOT u IN domainAdmins AND NOT u IN domainAdms AND NOT u.highvalue=true WITH u, COUNT(r2) AS count_ctrl ORDER BY count_ctrl DESC LIMIT 20 RETURN u", "allowCollapse": true }] }, { "name": "Top 10 computers, 5 nested max, not DC, most group deleg rights", "category": "Top Ten", "queryList": [{ "final": true, "query": "MATCH (dcGroup:Group)<-[:MemberOf*1..]-(domainControllers) WHERE dcGroup.objectid ENDS WITH '-516' WITH COLLECT(domainControllers) AS domainControllers MATCH p=(u:Computer)-[r1:MemberOf*1..5]->(g:Group)-[r2]->(n) WHERE r2.isacl=true AND NOT u IN domainControllers WITH u, count(r2) AS count_ctrl ORDER BY count_ctrl DESC LIMIT 10 RETURN u", "allowCollapse": true }] }, { "name": "Find enabled machines Domain Users can RDP to", "category": "RDP", "queryList": [{ "final": true, "query": "MATCH p=((g:Group)-[:CanRDP]->(c:Computer {enabled: TRUE})) WHERE g.objectid ENDS WITH '-513' RETURN p AS path UNION MATCH 
p2=((g2:Group)-[:MemberOf*1..]->(g3:Group)-[:CanRDP]->(c2:Computer {enabled: TRUE})) WHERE g2.objectid ENDS WITH '-513' RETURN p2 AS path" }] }, { "name": "Find enabled servers Domain Users can RDP to", "category": "RDP", "queryList": [{ "final": true, "query": "MATCH p=((g:Group)-[:CanRDP]->(c:Computer {enabled: TRUE})) WHERE g.objectid ENDS WITH '-513' AND c.operatingsystem =~ '(?i).*Server.*' RETURN p AS path UNION MATCH p2=((g2:Group)-[:MemberOf*1..]->(g3:Group)-[:CanRDP]->(c2:Computer {enabled: TRUE})) WHERE g2.objectid ENDS WITH '-513' AND c2.operatingsystem =~ '(?i).*Server.*' RETURN p2 AS path", "allowCollapse": true }] }, { "name": "Find enabled machines Authenticated Users can RDP to", "category": "RDP", "queryList": [{ "final": true, "query": "MATCH p=((g:Group)-[:CanRDP]->(c:Computer {enabled: TRUE})) WHERE g.objectid =~ '(?i).*S-1-5-11$' RETURN p AS path UNION MATCH p2=((g2:Group)-[:MemberOf*1..]->(g3:Group)-[:CanRDP]->(c2:Computer {enabled: TRUE})) WHERE g2.objectid =~ '(?i).*S-1-5-11$' RETURN p2 AS path", "allowCollapse": true }] }, { "name": "Find enabled servers Authenticated Users can RDP to", "category": "RDP", "queryList": [{ "final": true, "query": "MATCH p=((g:Group)-[:CanRDP]->(c:Computer {enabled: TRUE})) WHERE g.objectid =~ '(?i).*S-1-5-11$' AND c.operatingsystem =~ '(?i).*Server.*' RETURN p AS path UNION MATCH p2=((g2:Group)-[:MemberOf*1..]->(g3:Group)-[:CanRDP]->(c2:Computer {enabled: TRUE})) WHERE g2.objectid =~ '(?i).*S-1-5-11$' AND c2.operatingsystem =~ '(?i).*Server.*' RETURN p2 AS path", "allowCollapse": true }] }, { "name": "Find what groups can RDP", "category": "RDP", "queryList": [{ "final": true, "query": "MATCH p=(m:Group)-[r:CanRDP]->(n:Computer) RETURN p" }] }, { "name": "Return All Azure Users that are part of the ‘Global Administrator’ Role", "category": "Azure", "queryList": [{ "final": true, "query": "MATCH p =(n)-[r:AZGlobalAdmin*1..]->(m) RETURN p" }] }, { "name": "Return All On-Prem users with edges to Azure", 
"category": "Azure", "queryList": [{ "final": true, "query": "MATCH p=(m:User)-[r:AZResetPassword|AZOwns|AZUserAccessAdministrator|AZContributor|AZAddMembers|AZGlobalAdmin|AZVMContributor|AZOwnsAZAvereContributor]->(n) WHERE m.objectid CONTAINS 'S-1-5-21' RETURN p" }] }, { "name": "Find all paths to an Azure VM", "category": "Azure", "queryList": [{ "final": true, "query": "MATCH p = (n)-[r]->(g:AZVM) RETURN p" }] }, { "name": "Find all paths to an Azure KeyVault", "category": "Azure", "queryList": [{ "final": true, "query": "MATCH p = (n)-[r]->(g:AZKeyVault) RETURN p" }] }, { "name": "Return All Azure Users and their Groups", "category": "Azure", "queryList": [{ "final": true, "query": "MATCH p=(m:AZUser)-[r:MemberOf]->(n) WHERE NOT m.objectid CONTAINS 'S-1-5' RETURN p" }] }, { "name": "Return All Azure AD Groups that are synchronized with On-Premise AD", "category": "Azure", "queryList": [{ "final": true, "query": "MATCH (n:Group) WHERE n.objectid CONTAINS 'S-1-5' AND n.azsyncid IS NOT NULL RETURN n" }] }, { "name": "Find all Privileged Service Principals", "category": "Azure", "queryList": [{ "final": true, "query": "MATCH p = (g:AZServicePrincipal)-[r]->(n) RETURN p" }] }, { "name": "Find all Owners of Azure Applications", "category": "Azure", "queryList": [{ "final": true, "query": "MATCH p = (n)-[r:AZOwns]->(g:AZApp) RETURN p" }] }, { "name": "Find all Certificate Templates", "category": "Certificates", "queryList": [{ "final": true, "query": "MATCH (n:GPO {type: 'Certificate Template'}) RETURN n" }] }, { "name": "Find enabled Certificate Templates", "category": "Certificates", "queryList": [{ "final": true, "query": "MATCH (n:GPO {Enabled: TRUE, type: 'Certificate Template'}) RETURN n" }] }, { "name": "Find Certificate Authorities", "category": "Certificates", "queryList": [{ "final": true, "query": "MATCH (n:GPO {type: 'Enrollment Service'}) RETURN n" }] }, { "name": "Find objects with the ManageCa or ManageCertificates right on Certificate Authorities", 
"category": "Certificates", "queryList": [{ "final": true, "query": "MATCH p=(o)-[:ManageCa|ManageCertificates]->(c:GPO {type: 'Enrollment Service'}) RETURN p" }] }, { "name": "Show Enrollment Rights for Certificate Template", "category": "Certificates", "queryList": [{ "final": false, "title": "Select a Certificate Template...", "query": "MATCH (n:GPO {type: 'Certificate Template'}) RETURN n.name" }, { "final": true, "query": "MATCH p=(g)-[:Enroll|AutoEnroll]->(n:GPO {type: 'Certificate Template', name:$result}) RETURN p", "allowCollapse": false }] }, { "name": "Show Rights for Certificate Authority", "category": "Certificates", "queryList": [{ "final": false, "title": "Select a Certificate Authority...", "query": "MATCH (n:GPO {type: 'Enrollment Service'}) RETURN n.name" }, { "final": true, "query": "MATCH p=(g)-[:ManageCa|ManageCertificates|Auditor|Operator|Read|Enroll]->(n:GPO {name:$result}) RETURN p", "allowCollapse": false }] }, { "name": "Find Misconfigured Certificate Templates (ESC1)", "category": "AD CS Domain Escalation", "queryList": [{ "final": true, "query": "MATCH (n:GPO {type: 'Certificate Template', `Enrollee Supplies Subject`: TRUE, `Client Authentication`: TRUE, `Enabled`: TRUE}) RETURN n" }] }, { "name": "Shortest Paths to Misconfigured Certificate Templates from Owned Principals (ESC1)", "category": "AD CS Domain Escalation", "queryList": [{ "final": true, "query": "MATCH p=allShortestPaths((g {owned: TRUE})-[*1..]->(n:GPO {type: 'Certificate Template', `Enrollee Supplies Subject`: TRUE, `Client Authentication`: TRUE, `Enabled`: TRUE})) WHERE g<>n RETURN p" }] }, { "name": "Find Misconfigured Certificate Templates (ESC2)", "category": "AD CS Domain Escalation", "queryList": [{ "final": true, "query": "MATCH (n:GPO {type: 'Certificate Template', `Enabled`: TRUE}) WHERE (n.`Extended Key Usage` = [] OR 'Any Purpose' IN n.`Extended Key Usage`) RETURN n" }] }, { "name": "Shortest Paths to Misconfigured Certificate Templates from Owned Principals 
(ESC2)", "category": "AD CS Domain Escalation", "queryList": [{ "final": true, "query": "MATCH p=allShortestPaths((g {owned: TRUE})-[*1..]->(n:GPO {type: 'Certificate Template', `Enabled`: TRUE})) WHERE g<>n AND (n.`Extended Key Usage` = [] OR 'Any Purpose' IN n.`Extended Key Usage`) RETURN p" }] }, { "name": "Find Enrollment Agent Templates (ESC3)", "category": "AD CS Domain Escalation", "queryList": [{ "final": true, "query": "MATCH (n:GPO {type: 'Certificate Template', `Enabled`: TRUE}) WHERE (n.`Extended Key Usage` = [] OR 'Any Purpose' IN n.`Extended Key Usage` OR 'Certificate Request Agent' IN n.`Extended Key Usage`) RETURN n" }] }, { "name": "Shortest Paths to Enrollment Agent Templates from Owned Principals (ESC3)", "category": "AD CS Domain Escalation", "queryList": [{ "final": true, "query": "MATCH p=allShortestPaths((g {owned: TRUE})-[*1..]->(n:GPO {type: 'Certificate Template', `Enabled`: TRUE})) WHERE g<>n AND (n.`Extended Key Usage` = [] OR 'Any Purpose' IN n.`Extended Key Usage` OR 'Certificate Request Agent' IN n.`Extended Key Usage`) RETURN p" }] }, { "name": "Shortest Paths to Vulnerable Certificate Template Access Control (ESC4)", "category": "AD CS Domain Escalation", "queryList": [{ "final": true, "query": "MATCH p=shortestPath((g)-[:GenericAll|GenericWrite|Owns|WriteDacl|WriteOwner*1..]->(n:GPO {type: 'Certificate Template', `Enabled`: TRUE})) WHERE g<>n RETURN p" }] }, { "name": "Shortest Paths to Vulnerable Certificate Template Access Control from Owned Principals (ESC4)", "category": "AD CS Domain Escalation", "queryList": [{ "final": true, "query": "MATCH p=allShortestPaths((g {owned: TRUE})-[*1..]->(n:GPO {type: 'Certificate Template', `Enabled`: TRUE})) WHERE g<>n AND NONE(x IN relationships(p) WHERE type(x) = 'Enroll' OR type(x) = 'AutoEnroll') RETURN p" }] }, { "name": "Find Certificate Authorities with User Specified SAN (ESC6)", "category": "AD CS Domain Escalation", "queryList": [{ "final": true, "query": "MATCH (n:GPO {type: 
'Enrollment Service', `User Specified SAN`:'Enabled'}) RETURN n" }] }, { "name": "Shortest Paths to Vulnerable Certificate Authority Access Control (ESC7)", "category": "AD CS Domain Escalation", "queryList": [{ "final": true, "query": "MATCH p=shortestPath((g)-[:GenericAll|GenericWrite|Owns|WriteDacl|WriteOwner|ManageCa|ManageCertificates*1..]->(n:GPO {type: 'Enrollment Service'})) WHERE g<>n RETURN p" }] }, { "name": "Shortest Paths to Vulnerable Certificate Authority Access Control from Owned Principals (ESC7)", "category": "AD CS Domain Escalation", "queryList": [{ "final": true, "query": "MATCH p=allShortestPaths((g {owned: TRUE})-[*1..]->(n:GPO {type:'Enrollment Service'})) WHERE g<>n AND NONE(x IN relationships(p) WHERE type(x) = 'Enroll' OR type(x) = 'AutoEnroll') RETURN p" }] }, { "name": "Find Certificate Authorities with HTTP Web Enrollment (ESC8)", "category": "AD CS Domain Escalation", "queryList": [{ "final": true, "query": "MATCH (n:GPO {type: 'Enrollment Service', `Web Enrollment`:'Enabled'}) RETURN n" }] }, { "name": "Find Unsecured Certificate Templates - Domain Escalation (ESC9)", "category": "AD CS Domain Escalation", "queryList": [ { "final": true, "query": "MATCH (n:GPO {type: 'Certificate Template', `Enrollee Supplies Subject`: TRUE, `Client Authentication`: TRUE, `Enabled`: TRUE}) RETURN n" } ] }, { "name": "Find Unsecured Certificate Templates - PKI (ESC9)", "category": "AD CS Domain Escalation", "queryList": [ { "final": true, "query": "MATCH (n:GPO {type: 'Certificate Template', `Enabled`: TRUE}) WHERE 'NoSecurityExtension' IN n.`Enrollment Flag` RETURN n" } ] }, { "name": "Shortest Paths to Unsecured Certificate Templates from Owned Principals (ESC9)", "category": "AD CS Domain Escalation", "queryList": [ { "final": true, "query": "MATCH p=allShortestPaths((g {owned: TRUE})-[r*1..]->(n:GPO {type: 'Certificate Template', `Enabled`: TRUE})) WHERE g<>n AND 'NoSecurityExtension' IN n.`Enrollment Flag` AND NONE(rel IN r WHERE type(rel) IN 
['EnabledBy','Read','ManageCa','ManageCertificates']) RETURN p" } ] }, { "name": "Find enabled users with a plaintext attribute that can RDP into a computer", "category": "PlainText Password Queries", "queryList": [ { "final": true, "query": "MATCH p=(u:User {enabled: TRUE, plaintext: TRUE})-[:CanRDP*1..]->(c:Computer) RETURN u", "allowCollapse": true } ] }, { "name": "Find enabled users with a plaintext attribute that belong to high value groups", "category": "PlainText Password Queries", "queryList": [ { "final": true, "query": "MATCH p=(u:User {enabled: TRUE, plaintext: TRUE})-[:MemberOf*1..]->(g:Group {highvalue: TRUE}) RETURN p", "allowCollapse": true } ] }, { "name": "Find enabled users with a plaintext attribute that are kerberoastable", "category": "PlainText Password Queries", "queryList": [ { "final": true, "query": "MATCH (u:User {enabled: TRUE, plaintext: TRUE, hasspn: TRUE}) RETURN u", "allowCollapse": true } ] }, { "name": "Find enabled users with seasons in their password and are high value targets", "category": "PlainText Password Queries", "queryList": [ { "final": true, "query": "MATCH p=(u:User {enabled: TRUE, plaintext: TRUE})-[:MemberOf*1..]->(g:Group {highvalue: TRUE}) WHERE u.plaintextpassword =~ '(?i).*(?:winter|spring|summer|fall).*' RETURN u", "allowCollapse": true } ] }, { "name": "Find enabled users with seasons in their password and have local admin on at least one computer", "category": "PlainText Password Queries", "queryList": [ { "final": true, "query": "MATCH p=(u:User {enabled: TRUE, plaintext: TRUE})-[:AdminTo]->(n:Computer) WHERE u.plaintextpassword =~ '(?i).*(?:winter|spring|summer|fall).*' RETURN p", "allowCollapse": true } ] }, { "name": "Find enabled users with seasons in their password and a path to high value targets (limit to 25 results)", "category": "PlainText Password Queries", "queryList": [ { "final": true, "query": "MATCH p=shortestPath((u:User {enabled: TRUE, plaintext: TRUE})-[*1..]->(n {highvalue: TRUE})) WHERE 
u.plaintextpassword =~ '(?i).*(?:winter|spring|summer|fall).*' AND u<>n RETURN u LIMIT 25", "allowCollapse": true } ] }, { "name": "Find enabled users with a variant of \"password\" in their password and are members of high value groups", "category": "PlainText Password Queries", "queryList": [ { "final": true, "query": "MATCH p=(u:User {enabled: TRUE, plaintext: TRUE})-[:MemberOf*1..]->(m:Group {highvalue: TRUE}) WHERE u.plaintextpassword =~ '(?i).*(?:password).*' RETURN u", "allowCollapse": true } ] }, { "name": "Find enabled users with a variant of \"password\" in their password and have local admin on at least one computer", "category": "PlainText Password Queries", "queryList": [ { "final": true, "query": "MATCH p=(u:User {enabled: TRUE, plaintext: TRUE})-[:AdminTo]->(c:Computer {enabled: TRUE}) WHERE u.plaintextpassword =~ '(?i).*(?:password).*' RETURN u", "allowCollapse": true } ] }, { "name": "Find enabled users with a variant of \"password\" in their password and a path to high value targets (limit to 25 results)", "category": "PlainText Password Queries", "queryList": [ { "final": true, "query": "MATCH p=shortestPath((u:User {enabled: TRUE, plaintext: TRUE})-[*1..]->(o {highvalue: TRUE})) WHERE u.plaintextpassword =~ '(?i).*(?:password).*' RETURN p LIMIT 25", "allowCollapse": true } ] }, { "name": "Add indexes to the database", "category": "Indexes", "queryList": [{ "final": false, "title": "Add index on the property Base SamAccountName", "query": "CREATE INDEX BaseSamAccountNameIdx IF NOT EXISTS FOR (b:Base) on (b.samaccountname)" }, { "final": false, "title": "Add index on the property Computer SamAccountName", "query": "CREATE INDEX ComputerSamAccountNameIdx IF NOT EXISTS FOR (c:Computer) on (c.samaccountname)" }, { "final": false, "title": "Add index on the property User SamAccountName", "query": "CREATE INDEX UserSamAccountNameIdx IF NOT EXISTS FOR (u:User) on (u.samaccountname)" }, { "final": false, "title": "Add index on the property Computer 
Owned", "query": "CREATE INDEX ComputerOwnedIdx IF NOT EXISTS FOR (c:Computer) on (c.owned)" }, { "final": false, "title": "Add index on the property User Owned", "query": "CREATE INDEX UserOwnedIdx IF NOT EXISTS FOR (u:User) on (u.owned)" }, { "final": false, "title": "Add index on the property Group Owned", "query": "CREATE INDEX GroupOwnedIdx IF NOT EXISTS FOR (g:Group) on (g.owned)" }, { "final": false, "title": "Add index on the property GPO Owned", "query": "CREATE INDEX GPOOwnedIdx IF NOT EXISTS FOR (g:GPO) on (g.owned)" }, { "final": false, "title": "Add index on the property Computer Highvalue", "query": "CREATE INDEX ComputerHighValueIdx IF NOT EXISTS FOR (c:Computer) on (c.highvalue)" }, { "final": false, "title": "Add index on the property User Highvalue", "query": "CREATE INDEX UserHighValueIdx IF NOT EXISTS FOR (u:User) on (u.highvalue)" }, { "final": false, "title": "Add index on the property Group Highvalue", "query": "CREATE INDEX GroupHighValueIdx IF NOT EXISTS FOR (g:Group) on (g.highvalue)" }, { "final": false, "title": "Add index on the property GPO Highvalue", "query": "CREATE INDEX GPOHighValueIdx IF NOT EXISTS FOR (g:GPO) on (g.highvalue)" }, { "final": false, "title": "Add index on the property User Sensitive", "query": "CREATE INDEX UserSensitiveIdx IF NOT EXISTS FOR (u:User) on (u.sensitive)" }, { "final": false, "title": "Add index on the property User Admincount", "query": "CREATE INDEX UserAdminCountIdx IF NOT EXISTS FOR (u:User) on (u.admincount)" }, { "final": false, "title": "Add index on the property User Plaintext", "query": "CREATE INDEX UserPlaintextIdx IF NOT EXISTS FOR (u:User) on (u.plaintext)" }, { "final": false, "title": "Add index on the property Computer Enabled", "query": "CREATE INDEX ComputerEnabledIdx IF NOT EXISTS FOR (c:Computer) on (c.enabled)" }, { "final": false, "title": "Add index on the property User Enabled", "query": "CREATE INDEX UserEnabledIdx IF NOT EXISTS FOR (u:User) on (u.enabled)" }, { 
"final": false, "title": "Add index on the property User HasSPN", "query": "CREATE INDEX UserHasSPNIdx IF NOT EXISTS FOR (u:User) on (u.hasspn)" }, { "final": false, "title": "Add index on the property GPO Type", "query": "CREATE INDEX GPOTypeIdx IF NOT EXISTS FOR (g:GPO) on (g.type)" }, { "final": true, "title": "Add index on the property GPO Enabled", "query": "CREATE INDEX GPOEnabledIdx IF NOT EXISTS FOR (g:GPO) on (g.enabled)" } ] } ] }