{ "queries": [ { "name": "Return All Azure Users that are part of the 'Global Administrator' Role", "category": "Azure", "queryList": [{ "final": true, "query": "MATCH p =(n)-[r:AZGlobalAdmin*1..]->(m) RETURN p" }] }, { "name": "Return All On-Prem users with edges to Azure", "category": "Azure", "queryList": [{ "final": true, "query": "MATCH p=(m:User)-[r:AZResetPassword|AZOwns|AZUserAccessAdministrator|AZContributor|AZAddMembers|AZGlobalAdmin|AZVMContributor|AZOwnsAZAvereContributor]->(n) WHERE m.objectid CONTAINS 'S-1-5-21' RETURN p" }] }, { "name": "Find all paths to an Azure VM", "category": "Azure", "queryList": [{ "final": true, "query": "MATCH p = (n)-[r]->(g:AZVM) RETURN p" }] }, { "name": "Find all paths to an Azure KeyVault", "category": "Azure", "queryList": [{ "final": true, "query": "MATCH p = (n)-[r]->(g:AZKeyVault) RETURN p" }] }, { "name": "Return All Azure Users and their Groups (Warning: Heavy)", "category": "Azure", "queryList": [{ "final": true, "query": "MATCH p=(m:AZUser)-[r:AZMemberOf*1..]->(n) WHERE NOT m.objectid CONTAINS 'S-1-5' RETURN p" }] }, { "name": "Return GUEST Azure Users and their Groups", "category": "Azure", "queryList": [{ "final": true, "query": "MATCH p=(m:AZUser)-[r:AZMemberOf*1..]->(n) WHERE NOT m.objectid CONTAINS 'S-1-5' AND m.userprincipalname=~ '(?i).*#EXT#.*' RETURN p" }] }, { "name": "Return All Azure Users and their Admin Roles", "category": "Azure", "queryList": [{ "final": true, "query": "MATCH p=(n)-[:AZHasRole|AZMemberOf*1..]->(:AZRole) RETURN p" }] }, { "name": "Return All Azure Users and their owned Devices (Warning: Heavy)", "category": "Azure", "queryList": [{ "final": true, "query": "MATCH p=(d:AZDevice)<-[r1:AZOwns]->(m:AZUser) RETURN p" }] }, { "name": "Return All Azure Admins and their owned Devices", "category": "Azure", "queryList": [{ "final": true, "query": "MATCH p=(d:AZDevice)<-[r1:AZOwns]->(m:AZUser)<-[r2:AZHasRole]->(n) RETURN p" }] }, { "name": "Return All Azure AD Groups that are synchronized with On-Premise AD", "category": "Azure", "queryList": [{ "final": true, "query": "MATCH (n:Group) WHERE n.objectid CONTAINS 'S-1-5' AND n.azsyncid IS NOT NULL RETURN n" }] }, { "name": "Find all Privileged Service Principals", "category": "Azure", "queryList": [{ "final": true, "query": "MATCH p = (g:AZServicePrincipal)-[r]->(n) RETURN p" }] }, { "name": "Find all Owners of Azure Applications", "category": "Azure", "queryList": [{ "final": true, "query": "MATCH p = (n)-[r:AZOwns]->(g:AZApp) RETURN p" }] }, { "name": "Find the Shortest path to a high value target from an owned object", "category": "Azure", "queryList": [ { "final": true, "query": "MATCH p=shortestPath((g {owned:true})-[*1..]->(n {highvalue:true})) WHERE g<>n return p" } ] }, { "name": "Find the Shortest path to a unconstrained delegation system from an owned object", "category": "Azure", "queryList": [ { "final": true, "query": "MATCH (n) MATCH p=shortestPath((n)-[*1..]->(m:Computer {unconstraineddelegation: true})) WHERE NOT n=m AND n.owned = true RETURN p" } ] }, { "name": "Find all Certificate Templates", "category": "Certificates", "queryList": [ { "final": true, "query": "MATCH (n:GPO) WHERE n.type = 'Certificate Template' RETURN n" } ] }, { "name": "Find enabled Certificate Templates", "category": "Certificates", "queryList": [ { "final": true, "query": "MATCH (n:GPO) WHERE n.type = 'Certificate Template' and n.Enabled = true RETURN n" } ] }, { "name": "Find Certificate Authorities", "category": "Certificates", "queryList": [ { "final": true, "query": "MATCH (n:GPO) WHERE n.type = 'Enrollment Service' RETURN n" } ] }, { "name": "Show Enrollment Rights for Certificate Template", "category": "Certificates", "queryList": [ { "final": false, "title": "Select a Certificate Template...", "query": "MATCH (n:GPO) WHERE n.type = 'Certificate Template' RETURN n.name" }, { "final": true, "query": "MATCH p=(g)-[:Enroll|AutoEnroll]->(n:GPO {name:$result}) WHERE n.type = 'Certificate Template' return p", "allowCollapse": false } ] }, { "name": "Show Rights for Certificate Authority", "category": "Certificates", "queryList": [ { "final": false, "title": "Select a Certificate Authority...", "query": "MATCH (n:GPO) WHERE n.type = 'Enrollment Service' RETURN n.name" }, { "final": true, "query": "MATCH p=(g)-[:ManageCa|ManageCertificates|Auditor|Operator|Read|Enroll]->(n:GPO {name:$result}) return p", "allowCollapse": false } ] }, { "name": "Find Misconfigured Certificate Templates (ESC1)", "category": "Domain Escalation", "queryList": [ { "final": true, "query": "MATCH (n:GPO) WHERE n.type = 'Certificate Template' and n.`Enrollee Supplies Subject` = true and n.`Client Authentication` = true and n.`Enabled` = true RETURN n" } ] }, { "name": "Shortest Paths to Misconfigured Certificate Templates from Owned Principals (ESC1)", "category": "Domain Escalation", "queryList": [ { "final": true, "query": "MATCH p=allShortestPaths((g {owned:true})-[*1..]->(n:GPO)) WHERE g<>n and n.type = 'Certificate Template' and n.`Enrollee Supplies Subject` = true and n.`Client Authentication` = true and n.`Enabled` = true return p" } ] }, { "name": "Find Misconfigured Certificate Templates (ESC2)", "category": "Domain Escalation", "queryList": [ { "final": true, "query": "MATCH (n:GPO) WHERE n.type = 'Certificate Template' and n.`Enabled` = true and (n.`Extended Key Usage` = [] or 'Any Purpose' IN n.`Extended Key Usage`) RETURN n" } ] }, { "name": "Shortest Paths to Misconfigured Certificate Templates from Owned Principals (ESC2)", "category": "Domain Escalation", "queryList": [ { "final": true, "query": "MATCH p=allShortestPaths((g {owned:true})-[*1..]->(n:GPO)) WHERE g<>n and n.type = 'Certificate Template' and n.`Enabled` = true and (n.`Extended Key Usage` = [] or 'Any Purpose' IN n.`Extended Key Usage`) return p" } ] }, { "name": "Find Enrollment Agent Templates (ESC3)", "category": "Domain Escalation", "queryList": [ { "final": true, "query": "MATCH (n:GPO) WHERE n.type = 'Certificate Template' and n.`Enabled` = true and (n.`Extended Key Usage` = [] or 'Any Purpose' IN n.`Extended Key Usage` or 'Certificate Request Agent' IN n.`Extended Key Usage`) RETURN n" } ] }, { "name": "Shortest Paths to Enrollment Agent Templates from Owned Principals (ESC3)", "category": "Domain Escalation", "queryList": [ { "final": true, "query": "MATCH p=allShortestPaths((g {owned:true})-[*1..]->(n:GPO)) WHERE g<>n and n.type = 'Certificate Template' and n.`Enabled` = true and (n.`Extended Key Usage` = [] or 'Any Purpose' IN n.`Extended Key Usage` or 'Certificate Request Agent' IN n.`Extended Key Usage`) return p" } ] }, { "name": "Shortest Paths to Vulnerable Certificate Template Access Control (ESC4)", "category": "Domain Escalation", "queryList": [ { "final": true, "query": "MATCH p=shortestPath((g)-[:GenericAll|GenericWrite|Owns|WriteDacl|WriteOwner*1..]->(n:GPO)) WHERE g<>n and n.type = 'Certificate Template' and n.`Enabled` = true RETURN p" } ] }, { "name": "Shortest Paths to Vulnerable Certificate Template Access Control from Owned Principals (ESC4)", "category": "Domain Escalation", "queryList": [ { "final": true, "query": "MATCH p=allShortestPaths((g {owned:true})-[r*1..]->(n:GPO)) WHERE g<>n and n.type = 'Certificate Template' and n.Enabled = true and NONE(x in relationships(p) WHERE type(x) = 'Enroll' or type(x) = 'AutoEnroll') return p" } ] }, { "name": "Find Certificate Authorities with User Specified SAN (ESC6)", "category": "Domain Escalation", "queryList": [ { "final": true, "query": "MATCH (n:GPO) WHERE n.type = 'Enrollment Service' and n.`User Specified SAN` = 'Enabled' RETURN n" } ] }, { "name": "Shortest Paths to Vulnerable Certificate Authority Access Control (ESC7)", "category": "Domain Escalation", "queryList": [ { "final": true, "query": "MATCH p=shortestPath((g)-[r:GenericAll|GenericWrite|Owns|WriteDacl|WriteOwner|ManageCa|ManageCertificates*1..]->(n:GPO)) WHERE g<>n and n.type = 'Enrollment Service' RETURN p" } ] }, { "name": "Shortest Paths to Vulnerable Certificate Authority Access Control from Owned Principals (ESC7)", "category": "Domain Escalation", "queryList": [ { "final": true, "query": "MATCH p=allShortestPaths((g {owned:true})-[*1..]->(n:GPO)) WHERE g<>n and n.type = 'Enrollment Service' and NONE(x in relationships(p) WHERE type(x) = 'Enroll' or type(x) = 'AutoEnroll') RETURN p" } ] }, { "name": "Find Certificate Authorities with HTTP Web Enrollment (ESC8)", "category": "Domain Escalation", "queryList": [ { "final": true, "query": "MATCH (n:GPO) WHERE n.type = 'Enrollment Service' and n.`Web Enrollment` = 'Enabled' RETURN n" } ] }, { "name": "Find users with blank passwords that are enabled", "category": "User Information", "queryList": [{ "final": true, "query": "MATCH (u:User) WHERE NOT u.userpassword IS null AND u.enabled = TRUE RETURN u.name,u.userpassword" }] }, { "name": "Find users with Temp in user title and created in the last 30 days", "category": "User Information", "queryList": [{ "final": true, "query": "MATCH (u:User) where u.enabled=TRUE and u.whencreated > (datetime().epochseconds - (30 * 86400)) AND u.title CONTAINS 'Temp' RETURN u" }] }, { "name": "Find users created in the last 30 days", "category": "User Information", "queryList": [{ "final": true, "query": "MATCH (u:User) where u.enabled=TRUE and u.whencreated > (datetime().epochseconds - (30 * 86400)) RETURN u" }] }, { "name": "Find users' credentials in description fields", "category": "User Information", "queryList": [{ "final": true, "query": "MATCH (m:User) WHERE m.description CONTAINS 'password' RETURN m.name, m.description" }] }, { "name": "Find Server 2000 and Enabled", "category": "OS Finder", "queryList": [{ "final": true, "query": "MATCH (H:Computer) WHERE H.operatingsystem =~ '(?i).*(2000).*' AND H.enabled = TRUE RETURN H" }] }, { "name": "Find Server 2000 with session", "category": "OS Finder", "queryList": [{ "final": true, "query": "MATCH (H:Computer)-[:HasSession]->(y) WHERE H.operatingsystem =~ '(?i).*(2000).*' RETURN H" }] }, { "name": "Find Server 2003 and Enabled", "category": "OS Finder", "queryList": [{ "final": true, "query": "MATCH (H:Computer) WHERE H.operatingsystem =~ '(?i).*(2003).*' AND H.enabled = TRUE RETURN H" }] }, { "name": "All computers without LAPS and the computer is enabled", "category": "User Information", "queryList": [{ "final": true, "query": "MATCH p = (d:Domain)-[r:Contains*1..]->(c:Computer) WHERE c.haslaps = false AND c.enabled = true RETURN p" }] }, { "name": "Find Server 2003 with session", "category": "OS Finder", "queryList": [{ "final": true, "query": "MATCH (H:Computer)-[:HasSession]->(y) WHERE H.operatingsystem =~ '(?i).*(2003).*' RETURN H" }] }, { "name": "Find Server 2008 and Enabled", "category": "OS Finder", "queryList": [{ "final": true, "query": "MATCH (H:Computer) WHERE H.operatingsystem =~ '(?i).*(2008).*' AND H.enabled = TRUE RETURN H" }] }, { "name": "List all owned users", "category": "User Information", "queryList": [{ "final": true, "query": "MATCH (m:User) WHERE m.owned=TRUE RETURN m" }] }, { "name": "Kerberoastable Admins", "category": "Admin Hunter", "queryList": [{ "final": true, "query": "MATCH (n:Group) WHERE n.objectsid =~ $sid WITH n MATCH p=(n)<-[MemberOf*1..]-(m {hasspn: true}) RETURN p", "allowCollapse": true, "props": { "sid": "(?i)S-1-5-.*-512" } }] }, { "name": "All Kerberoastable Users", "category": "User Information", "queryList": [{ "final": true, "requireNodeSelect": false, "query": "MATCH (n {hasspn: true}) RETURN n", "allowCollapse": true, "props": {} }] }, { "name": "Where can owned users RDP", "category": "User Information", "queryList": [{ "final": true, "requireNodeSelect": false, "query": "MATCH p=(m:User {owned: true})-[r:MemberOf|CanRDP*1..]->(n:Computer) RETURN p", "allowCollapse": true, "props": {} }] }, { "name": "Users with most local admin rights", "category": "Admin Hunter", "queryList": [{ "final": true, "requireNodeSelect": false, "query": "MATCH (U:User)-[r:MemberOf|AdminTo*1..]->(C:Computer) WITH U.name as n, COUNT(DISTINCT(C)) AS c RETURN n,c ORDER BY c DESC LIMIT 5", "allowCollapse": true, "props": {} }] }, { "name": "All Owned Nodes", "category": "User Information", "queryList": [{ "final": true, "requireNodeSelect": false, "query": "MATCH (n {owned: true}) RETURN n", "allowCollapse": true, "props": {} }] }, { "name": "Find computers with owned Admins", "category": "Admin Hunter", "queryList": [{ "final": true, "query": "MATCH p=shortestPath((n:User {owned:true})-[r:AdminTo|MemberOf*1..]->(c:Computer)) return p", "allowCollapse": false }] }, { "name": "Find owned Groups", "category": "User Information", "queryList": [{ "final": true, "requireNodeSelect": false, "query": "MATCH (n:User {owned: true})-[r:MemberOf]->(g:Group) RETURN g", "allowCollapse": true, "props": {} }] }, { "name": "Find owned Domain Admins", "category": "Admin Hunter", "queryList": [{ "final": true, "title": "Select a domain...", "query": "MATCH (n:Group) WHERE n.name =~ $name AND n.owned=true WITH n MATCH p=(n)<-[r:MemberOf*1..]-(m) RETURN p", "props": { "name": "(?i).*DOMAIN ADMINS.*" }, "allowCollapse": false }] }, { "name": "Find Shortest Path from owned Node to Domain Admin", "category": "Admin Hunter", "queryList": [{ "final": false, "title": "Select a Domain Admin group...", "query": "MATCH (n:Group) WHERE n.name =~ $name RETURN n.name ORDER BY n.name DESC", "props": { "name": "(?i).*DOMAIN ADMINS.*" } }, { "final": true, "query": "MATCH (n:User),(m:Group {name:$result}),p=shortestPath((n {owned:true})-[r:MemberOf|AdminTo|HasSession|Contains|GpLink|Owns|DCSync|AllExtendedRights|ForceChangePassword|GenericAll|GenericWrite|WriteDacl|WriteOwner*1..]->(m)) RETURN p", "allowCollapse": true, "endNode": "{}" } ] }, { "name": "Shortest paths from owned objects to High Value Targets (5 hops)", "category": "Admin Hunter", "queryList": [{ "final": true, "query": "MATCH p=shortestPath((n {owned:true})-[:MemberOf|HasSession|AdminTo|AllExtendedRights|AddMember|ForceChangePassword|GenericAll|GenericWrite|Owns|WriteDacl|WriteOwner|CanRDP|ExecuteDCOM|AllowedToDelegate|ReadLAPSPassword|Contains|GpLink|AddAllowedToAct|AllowedToAct|SQLAdmin|ReadGMSAPassword|HasSIDHistory|CanPSRemote*1..5]->(m {highvalue:true})) WHERE NOT n=m RETURN p", "allowCollapse": true }] }, { "name": "Most exploitable paths from owned objects to High Value Targets (5 hops)", "category": "Admin Hunter", "queryList": [{ "final": true, "query": "MATCH p=allShortestPaths((n {owned:true})-[:MemberOf|AdminTo|AllExtendedRights|AddMember|ForceChangePassword|GenericAll|GenericWrite|Owns|WriteDacl|WriteOwner|ExecuteDCOM|AllowedToDelegate|ReadLAPSPassword|Contains|GpLink|AddAllowedToAct|AllowedToAct|SQLAdmin|ReadGMSAPassword|HasSIDHistory*1..5]->(m {highvalue:true})) WHERE NOT n=m RETURN p", "allowCollapse": true }] }, { "name": "Next steps (5 hops) from owned objects", "category": "Admin Hunter", "queryList": [{ "final": true, "query": "MATCH p=shortestPath((c {owned: true})-[*1..5]->(s)) WHERE NOT c = s RETURN p" }] }, { "name": "Unconstrained Delegation systems", "category": "Delegation Attacks", "queryList": [{ "final": true, "query": "MATCH (c {unconstraineddelegation:true}) return c" }] }, { "name": "Constrained Delegation systems", "category": "Delegation Attacks", "queryList": [{ "final": true, "query": "MATCH p=(u)-[:AllowedToDelegate]->(c) RETURN p" }] }, { "name": "Unconstrained Delegation systems (without domain controllers)", "category": "Delegation Attacks", "queryList": [{ "final": true, "query": "MATCH (c1:Computer)-[:MemberOf*1..]->(g:Group) WHERE g.objectid ENDS WITH '-516' WITH COLLECT(c1.name) AS domainControllers MATCH (c2 {unconstraineddelegation:true}) WHERE NOT c2.name IN domainControllers RETURN c2" }] }, { "name": "(Warning: edits the DB) Mark unconstrained delegation systems as high value targets", "category": "Delegation Attacks", "queryList": [{ "final": true, "query": "MATCH (c1:Computer)-[:MemberOf*1..]->(g:Group) WHERE g.objectid ENDS WITH '-516' WITH COLLECT(c1.name) AS domainControllers MATCH (c2 {unconstraineddelegation:true}) WHERE NOT c2.name IN domainControllers SET c2.highvalue = true RETURN c2" }] }, { "name": "Shortest paths from owned principals to unconstrained delegation systems", "category": "Delegation Attacks", "queryList": [{ "final": true, "query": "MATCH (n {owned:true}) MATCH p=shortestPath((n)-[:MemberOf|HasSession|AdminTo|AllExtendedRights|AddMember|ForceChangePassword|GenericAll|GenericWrite|Owns|WriteDacl|WriteOwner|ExecuteDCOM|AllowedToDelegate|ReadLAPSPassword|Contains|GpLink|AddAllowedToAct|AllowedToAct|SQLAdmin|ReadGMSAPassword|HasSIDHistory|CanPSRemote*1..]->(m:Computer {unconstraineddelegation: true})) WHERE NOT n=m RETURN p" }] }, { "name": "Users with adminCount, not sensitive for delegation, not members of Protected Users", "category": "Group Hunts", "queryList": [{ "final": true, "query": "MATCH (u)-[:MemberOf*1..]->(g:Group) WHERE g.objectid =~ \"(?i)S-1-5-.*-525\" WITH COLLECT (u.name) as protectedUsers MATCH p=(u2:User)-[:MemberOf*1..3]->(g2:Group) WHERE u2.admincount=true AND u2.sensitive=false AND NOT u2.name IN protectedUsers RETURN p" }] }, { "name": "Groups that contain the word 'admin'", "category": "Group Hunts", "queryList": [{ "final": true, "query": "Match (n:Group) WHERE n.name CONTAINS 'ADMIN' RETURN n" }] }, { "name": "Find users that can RDP into something", "category": "PlainText Password Queries", "queryList": [ { "final": true, "query": "match (u1:User) WHERE u1.plaintext=True MATCH p1=(u1)-[:CanRDP*1..]->(c:Computer) RETURN u1", "allowCollapse": true } ] }, { "name": "Find users that belong to high value groups", "category": "PlainText Password Queries", "queryList": [ { "final": true, "query": "match (u1:User) WHERE u1.plaintext=True MATCH p=(u1:User)-[r:MemberOf*1..]->(m:Group {highvalue:true}) RETURN u1", "allowCollapse": true } ] }, { "name": "Find kerberoastable users", "category": "PlainText Password Queries", "queryList": [ { "final": true, "query": "match (u1:User) WHERE u1.plaintext=True AND u1.hasspn=True RETURN u1", "allowCollapse": true } ] }, { "name": "Return users with seasons in their password and are high value targets", "category": "PlainText Password Queries", "queryList": [ { "final": true, "query": "MATCH (u1:User) WHERE u1.plaintextpassword =~ \"([Ww]inter.*|[sS]pring.*|[sS]ummer.*|[fF]all.*)\" MATCH p=(u1:User)-[r:MemberOf*1..]->(m:Group {highvalue:true}) RETURN u1", "allowCollapse": true } ] }, { "name": "Return users with seasons in their password and have local admin on at least one computer", "category": "PlainText Password Queries", "queryList": [ { "final": true, "query": "match (u1:User) WHERE u1.plaintextpassword =~ \"([Ww]inter.*|[sS]pring.*|[sS]ummer.*|[fF]all.*)\" match p=(u1:User)-[r:AdminTo]->(n:Computer) RETURN p", "allowCollapse": true } ] }, { "name": "Return users with seasons in their password and a path to high value targets (limit to 25 results)", "category": "PlainText Password Queries", "queryList": [ { "final": true, "query": "match (u1:User) WHERE u1.plaintextpassword =~ \"([Ww]inter.*|[sS]pring.*|[sS]ummer.*|[fF]all.*)\" MATCH p=shortestPath((u1:User)-[*1..]->(n {highvalue:true})) WHERE u1<>n return u1 LIMIT 25", "allowCollapse": true } ] }, { "name": "Return users with a variant of \"password\" in their password and are high value targets", "category": "PlainText Password Queries", "queryList": [ { "final": true, "query": "MATCH (u1:User) WHERE u1.plaintextpassword =~ \"(.*[pP][aA@][sS$][sS$][wW][oO0][rR][dD].*)\" MATCH p=(u1:User)-[r:MemberOf*1..]->(m:Group {highvalue:true}) RETURN u1", "allowCollapse": true } ] }, { "name": "Return users with a variant of \"password\" in their password and have local admin on at least one computer", "category": "PlainText Password Queries", "queryList": [ { "final": true, "query": "match (u1:User) WHERE u1.plaintextpassword =~ \"(.*[pP][aA@][sS$][sS$][wW][oO0][rR][dD].*)\" match p=(u1:User)-[r:AdminTo]->(n:Computer) RETURN p", "allowCollapse": true } ] }, { "name": "Return users with a variant of \"password\" in their password and a path to high value targets (limit to 25 results)", "category": "PlainText Password Queries", "queryList": [ { "final": true, "query": "match (u1:User) WHERE u1.plaintextpassword =~ \"(.*[pP][aA@][sS$][sS$][wW][oO0][rR][dD].*)\" MATCH p=shortestPath((u1:User)-[*1..]->(n {highvalue:true})) WHERE u1<>n return u1 LIMIT 25", "allowCollapse": true } ] }, { "name": "Groups of High Value Targets", "category": "Group Hunts", "queryList": [{ "final": true, "query": "MATCH p=(n:User)-[r:MemberOf*1..]->(m:Group {highvalue:true}) RETURN p" }] }, { "name": "Non Admin Groups with High Value Privileges", "category": "Group Hunts", "queryList": [{ "final": true, "query": "MATCH p=(g:Group)-[r:Owns|WriteDacl|GenericAll|WriteOwner|ExecuteDCOM|GenericWrite|AllowedToDelegate|ForceChangePassword]->(n:Computer) WHERE NOT g.name CONTAINS 'ADMIN' RETURN p", "allowCollapse": true }] }, { "name": "Groups with Computer and User Objects", "category": "Group Hunts", "queryList": [{ "final": true, "query": "MATCH (c:Computer)-[r:MemberOf*1..]->(groupsWithComps:Group) WITH groupsWithComps MATCH (u:User)-[r:MemberOf*1..]->(groupsWithComps) RETURN DISTINCT(groupsWithComps) as groupsWithCompsAndUsers", "allowCollapse": true, "endNode": "{}" }] }, { "name": "Groups that can reset passwords (Warning: Heavy)", "category": "Group Hunts", "queryList": [{ "final": true, "query": "MATCH p=(m:Group)-[r:ForceChangePassword]->(n:User) RETURN p" }] }, { "name": "Groups that have local admin rights (Warning: Heavy)", "category": "Group Hunts", "queryList": [{ "final": true, "query": "MATCH p=(m:Group)-[r:AdminTo]->(n:Computer) RETURN p" }] }, { "name": "Users never logged on and account still active", "category": "Password Hunts", "queryList": [{ "final": true, "query": "MATCH (n:User) WHERE n.lastlogontimestamp=-1.0 AND n.enabled=TRUE RETURN n " }] }, { "name": "Users logged in the last 90 days", "category": "Password Hunts", "queryList": [{ "final": true, "query": "MATCH (u:User) WHERE u.lastlogon < (datetime().epochseconds - (90 * 86400)) and NOT u.lastlogon IN [-1.0, 0.0] RETURN u" }] }, { "name": "Users with passwords last set in the last 90 days", "category": "Password Hunts", "queryList": [{ "final": true, "query": "MATCH (u:User) WHERE u.pwdlastset < (datetime().epochseconds - (90 * 86400)) and NOT u.pwdlastset IN [-1.0, 0.0] RETURN u" }] }, { "name": "Find if unprivileged users have rights to add members into groups", "category": "Password Hunts", "queryList": [{ "final": true, "query": "MATCH (n:User {admincount:False}) MATCH p=allShortestPaths((n)-[r:AddMember*1..]->(m:Group)) RETURN p" }] }, { "name": "Find all users a part of the VPN group", "category": "Password Hunts", "queryList": [{ "final": true, "query": "Match p=(u:User)-[:MemberOf]->(g:Group) WHERE toUPPER (g.name) CONTAINS 'VPN' return p" }] }, { "name": "Find computers with constrained delegation permissions and the corresponding targets where they allowed to delegate", "category": "Delegation Attacks", "queryList": [{ "final": true, "query": "MATCH (c:Computer) WHERE c.allowedtodelegate IS NOT NULL RETURN c" }] }, { "name": "Next steps (3 hops) from owned objects", "category": "Admin Hunter", "queryList": [{ "final": true, "query": "MATCH p=shortestPath((c {owned: true})-[*1..3]->(s)) WHERE NOT c = s RETURN p" }] }, { "name": "Owned users with permissions against GPOs", "category": "Admin Hunter", "queryList": [{ "final": true, "query": "MATCH p=(u:User {owned:true})-[r:AllExtendedRights|GenericAll|GenericWrite|Owns|WriteDacl|WriteOwner|GpLink*1..]->(g:GPO) RETURN p" }] }, { "name": "Find all other Rights Domain Users shouldn't have", "category": "Admin Hunter", "queryList": [{ "final": true, "query": "MATCH p=(m:Group)-[r:Owns|WriteDacl|GenericAll|WriteOwner|ExecuteDCOM|GenericWrite|AllowedToDelegate|ForceChangePassword]->(n:Computer) WHERE m.objectid ENDS WITH '-513' OR m.objectsid ENDS WITH '-515' OR m.objectsid ENDS WITH 'S-1-5-11' OR m.objectsid ENDS WITH 'S-1-1-0' RETURN p", "allowCollapse": true }] }, { "name": "Computers with administrative Domain Users", "category": "Admin Hunter", "queryList": [{ "final": true, "query": "MATCH p=(m:Group)-[r:AddMember|AdminTo|AllExtendedRights|AllowedToDelegate|CanRDP|Contains|ExecuteDCOM|ForceChangePassword|GenericAll|GenericWrite|GetChanges|GetChangesAll|HasSession|Owns|ReadLAPSPassword|SQLAdmin|TrustedBy|WriteDACL|WriteOwner|AddAllowedToAct|AllowedToAct]->(t) WHERE m.objectsid ENDS WITH '-513' OR m.objectsid ENDS WITH '-515' OR m.objectsid ENDS WITH 'S-1-5-11' OR m.objectsid ENDS WITH 'S-1-1-0' RETURN p" } ]}, { "name": "List all owned computers", "category": "Owned Hunter", "queryList": [{ "final": true, "query": "MATCH (m:Computer) WHERE m.owned=TRUE RETURN m" }] }, { "name": "List all owned groups", "category": "Owned Hunter", "queryList": [{ "final": true, "query": "MATCH (m:Group) WHERE m.owned=TRUE RETURN m" }] }, { "name": "List all High Valued Targets", "category": "Owned Hunter", "queryList": [{ "final": true, "query": "MATCH (m) WHERE m.highvalue=TRUE RETURN m" }] }, { "name": "List the groups of all owned users", "category": "Owned Hunter", "queryList": [{ "final": true, "query": "MATCH (m:User) WHERE m.owned=TRUE WITH m MATCH p=(m)-[:MemberOf*1..]->(n:Group) RETURN p" }] }, { "name": "Find all Kerberoastable Users", "category": "User Information", "queryList": [{ "final": true, "query": "MATCH (n:User)WHERE n.hasspn=true RETURN n", "allowCollapse": false }] }, { "name": "Find All Users with an SPN/Find all Kerberoastable Users with passwords last set less than 5 years ago", "category": "User Information", "queryList": [{ "final": true, "query": "MATCH (u:User) WHERE u.hasspn=true AND u.pwdlastset < (datetime().epochseconds - (1825 * 86400)) AND NOT u.pwdlastset IN [-1.0, 0.0] RETURN u.name, u.pwdlastset order by u.pwdlastset " }] }, { "name": "Find Kerberoastable Users with a path to DA", "category": "User Information", "queryList": [{ "final": true, "query": "MATCH (u:User {hasspn:true}) MATCH (g:Group) WHERE g.objectid ENDS WITH '-512' MATCH p = shortestPath( (u)-[*1..]->(g) ) RETURN p" }] }, { "name": "Find machines Domain Users can RDP into", "category": "User Information", "queryList": [{ "final": true, "query": "match p=(g:Group)-[:CanRDP]->(c:Computer) where g.objectid ENDS WITH '-513' return p" }] }, { "name": "Find what groups can RDP", "category": "User Information", "queryList": [{ "final": true, "query": "MATCH p=(m:Group)-[r:CanRDP]->(n:Computer) RETURN p" }] }, { "name": "Find groups that can reset passwords (Warning: Heavy)", "category": "User Information", "queryList": [{ "final": true, "query": "MATCH p=(m:Group)-[r:ForceChangePassword]->(n:User) RETURN p" }] }, { "name": "Find groups that have local admin rights (Warning: Heavy)", "category": "User Information", "queryList": [{ "final": true, "query": "MATCH p=(m:Group)-[r:AdminTo]->(n:Computer) RETURN p" }] }, { "name": "Find all users that have local admin rights (Warning Can Be Heavy)", "category": "Admin Hunter", "queryList": [{ "final": true, "query": "MATCH p=(m:User)-[r:AdminTo]->(n:Computer) RETURN p" }] }, { "name": "Find all users that have local admin rights or Groups (Warning Can Be Heavy)", "category": "Admin Hunter", "queryList": [{ "final": true, "query": "MATCH p=(m:User)-[r:AdminTo|MemberOf*1..]->(n:Computer) RETURN p" }] }, { "name": "Find all active Domain Admin sessions", "category": "Admin Hunter", "queryList": [{ "final": true, "query": "MATCH (n:User)-[:MemberOf]->(g:Group) WHERE g.objectid ENDS WITH '-512' MATCH p = (c:Computer)-[:HasSession]->(n) return p" }] }, { "name": "Find all computers with Unconstrained Delegation", "category": "Domain Escalation", "queryList": [{ "final": true, "query": "MATCH (c:Computer {unconstraineddelegation:true}) return c" }] }, { "name": "Find all computers with unsupported operating systems", "category": "OS Finder", "queryList": [{ "final": true, "query": "MATCH (H:Computer) WHERE H.operatingsystem = '.*(2000|2003|2008|xp|vista|7|me).*' AND H.enabled = TRUE RETURN H" }] }, { "name": "Find users that logged in within the last 90 days", "category": "User Information", "queryList": [{ "final": true, "query": "MATCH (u:User) WHERE u.lastlogon < (datetime().epochseconds - (90 * 86400)) and NOT u.lastlogon IN [-1.0, 0.0] RETURN u" }] }, { "name": "Find users with passwords last set within the last 90 days", "category": "User Information", "queryList": [{ "final": true, "query": "MATCH (u:User) WHERE u.pwdlastset < (datetime().epochseconds - (90 * 86400)) and NOT u.pwdlastset IN [-1.0, 0.0] RETURN u" }] }, { "name": "Find constrained delegation", "category": "Domain Escalation", "queryList": [{ "final": true, "query": "MATCH p=(u:User)-[:AllowedToDelegate]->(c:Computer) RETURN p" }] }, { "name": "Find computers that allow unconstrained delegation that AREN’T domain controllers.", "category": "Domain Escalation", "queryList": [{ "final": true, "query": "MATCH (c1:Computer)-[:MemberOf*1..]->(g:Group) WHERE g.objectid ENDS WITH '-516' WITH COLLECT(c1.name) AS domainControllers MATCH (c2:Computer {unconstraineddelegation:true}) WHERE NOT c2.name IN domainControllers RETURN c2" }] }, { "name": " Return the name of every computer in the database where at least one SPN for the computer contains the string 'MSSQL'", "category": "Domain Escalation", "queryList": [{ "final": true, "query": "MATCH (c:Computer) WHERE ANY (x IN c.serviceprincipalnames WHERE toUpper(x) CONTAINS 'MSSQL') RETURN c" }] }, { "name": "View all GPOs", "category": "GPO/Group Information", "queryList": [{ "final": true, "query": "Match (n:GPO) RETURN n" }] }, { "name": "View all groups that contain the word 'admin'", "category": "GPO/Group Information", "queryList": [{ "final": true, "query": "Match (n:Group) WHERE n.name CONTAINS 'ADMIN' RETURN n" }] }, { "name": "Find users that can be AS-REP roasted", "category": "Domain Escalation", "queryList": [{ "final": true, "query": "MATCH (u:User {dontreqpreauth: true}) RETURN u" }] }, { "name": "Find All Users with an SPN/Find all Kerberoastable Users with passwords last set > 5 years ago", "category": "Domain Escalation", "queryList": [{ "final": true, "query": "MATCH (u:User) WHERE u.hasspn=true AND u.pwdlastset < (datetime().epochseconds - (1825 * 86400)) and NOT u.pwdlastset IN [-1.0, 0.0] RETURN u" }] }, { "name": "Show all high value target's groups", "category": "Domain Escalation", "queryList": [{ "final": true, "query": "MATCH p=(n:User)-[r:MemberOf*1..]->(m:Group {highvalue:true}) RETURN p" }] }, { "name": "Find groups that contain both users and computers", "category": "GPO/Group Information", "queryList": [{ "final": true, "query": "MATCH (c:Computer)-[r:MemberOf*1..]->(groupsWithComps:Group) WITH groupsWithComps MATCH (u:User)-[r:MemberOf*1..]->(groupsWithComps) RETURN DISTINCT(groupsWithComps) as groupsWithCompsAndUsers" }] }, { "name": "Find Kerberoastable users who are members of high value groups", "category": "GPO/Group Information", "queryList": [{ "final": true, "query": "MATCH (u:User)-[r:MemberOf*1..]->(g:Group) WHERE g.highvalue=true AND u.hasspn=true RETURN u" }] }, { "name": "Find Kerberoastable users and where they are AdminTo", "category": "GPO/Group Information", "queryList": [{ "final": true, "query": "OPTIONAL MATCH (u1:User) WHERE u1.hasspn=true OPTIONAL MATCH (u1)-[r:AdminTo]->(c:Computer) RETURN u1" }] }, { "name": "Find computers with constrained delegation permissions and the corresponding targets where they allowed to delegate", "category": "Domain Escalation", "queryList": [{ "final": true, "query": "MATCH (c:Computer) WHERE c.allowedtodelegate IS NOT NULL RETURN c" }] }, { "name": "Find Users/Groups with direct access to GPOs", "category": "GPO/Group Information", "queryList": [{ "final": true, "query": "MATCH p = (n)-[r:AddMember|AddSelf|WriteSPN|AddKeyCredentialLink|AllExtendedRights|ForceChangePassword|GenericAll|GenericWrite|WriteDacl|WriteOwner|Owns]->(g:GPO) RETURN p" }] }, { "name": "Find if any domain user has interesting permissions against a GPO (Warning: Heavy)", "category": "GPO/Group Information", "queryList": [{ "final": true, "query": "MATCH p=(u:User)-[r:AllExtendedRights|GenericAll|GenericWrite|Owns|WriteDacl|WriteOwner|GpLink*1..]->(g:GPO) RETURN p" }] }, { "name": "Find if unprivileged users have rights to add members into groups", "category": "GPO/Group Information", "queryList": [{ "final": true, "query": "MATCH (n:User {admincount:False}) MATCH p=allShortestPaths((n)-[r:AddMember*1..]->(m:Group)) RETURN p" }] }, { "name": "Find all users a part of the VPN group", "category": "GPO/Group Information", "queryList": [{ "final": true, "query": "Match p=(u:User)-[:MemberOf]->(g:Group) WHERE toUPPER (g.name) CONTAINS 'VPN' return p" }] }, { "name": "Find users that have never logged on and account is still active", "category": "User Information", "queryList": [{ "final": true, "query": "MATCH (n:User) WHERE n.lastlogontimestamp=-1.0 AND n.enabled=TRUE RETURN n " }] }, { "name": "Find an object in one domain that can do something to a foreign object", "category": "GPO/Group Information", "queryList": [{ "final": true, "query": "MATCH p=(n)-[r]->(m) WHERE NOT n.domain = m.domain RETURN p" }] }, { "name": "Find all sessions a user in a specific domain has", "category": "User Information", "requireNodeSelect": true, "queryList": [{ "final": false, "title": "Select source domain...", "query": "MATCH (n:Domain) RETURN n.name ORDER BY n.name" }, { "final": true, "query": "MATCH p=(m:Computer)-[r:HasSession]->(n:User {domain:$result}) RETURN p", "startNode": "{}", "allowCollapse": false } ] }, { "name": "Find an object from domain 'A' that can do anything to a foreign object", "category": "User Information", "requireNodeSelect": true, "queryList": [{ "final": false, "title": "Select source domain...", "query": "MATCH (n:Domain) RETURN n.name ORDER BY n.name" }, { "final": true, "query": "MATCH p=(n {domain:$result})-[r]->(d) WHERE NOT d.domain=n.domain RETURN p", "startNode": "{}", "allowCollapse": false } ] }, { "name": "Find All edges any owned user has on a computer", "category": "User Information", "queryList": [{ "final": true, "query": "MATCH p=shortestPath((m:User)-[r*]->(b:Computer)) WHERE m.owned RETURN p" }] }, { "name": "Find Un-Supported OS and Enabled", "category": "OS Finder", "queryList": [{ "final": true, "query": "MATCH (n:Computer) WHERE n.operatingsystem =~ '(?i).*(2000|2003|2008|xp|vista|7|me).*' AND n.enabled = true RETURN n" }] }, { "name": "Find Server 2008 with session", "category": "OS Finder", "queryList": [{ "final": true, "query": "MATCH (H:Computer)-[:HasSession]->(y) WHERE H.operatingsystem =~ '(?i).*(2008).*' RETURN H" }] }, { "name": "Find Windows XP and Enabled", "category": "OS Finder", "queryList": [{ "final": true, "query": "MATCH (H:Computer) WHERE H.operatingsystem =~ '(?i).*(xp).*' AND H.enabled = true RETURN H" }] }, { "name": "Find Windows XP with session", "category": "OS Finder", "queryList": [{ "final": true, "query": "MATCH (H:Computer)-[:HasSession]->(y) WHERE H.operatingsystem =~ '(?i).*(xp).*' RETURN H" }] }, { "name": "Find Windows 7 and Enabled", "category": "OS Finder", "queryList": [{ "final": true, "query": "MATCH (H:Computer) WHERE H.operatingsystem =~ '(?i).*(7).*' AND H.enabled = true RETURN H" }] }, { "name": "Find Windows 7 session", "category": "OS Finder", "queryList": [{ "final": true, "query": "MATCH (H:Computer)-[:HasSession]->(y) WHERE H.operatingsystem =~ '(?i).*(7).*' RETURN H" }] }, { "name": "Find Server 2012 and Enabled", "category": "OS Finder", "queryList": [{ "final": true, "query": "MATCH (H:Computer) WHERE H.operatingsystem =~ '(?i).*(2012).*' AND H.enabled = true RETURN H" }] }, { "name": "Find Server 2012 with session", "category": "OS Finder", "queryList": [{ "final": true, "query": "MATCH (H:Computer)-[:HasSession]->(y) WHERE H.operatingsystem =~ '(?i).*(2012).*' RETURN H" }] }, { "name": "Find Server 2016 and Enabled", "category": "OS Finder", "queryList": [{ "final": true, "query": "MATCH (H:Computer) WHERE H.operatingsystem =~ '(?i).*(2016).*' AND H.enabled = true RETURN H" }] }, { "name": "Find Server 2016 with session", "category": "OS Finder", "queryList": [{ "final": true, "query": "MATCH (H:Computer)-[:HasSession]->(y) WHERE H.operatingsystem =~ '(?i).*(2016).*' RETURN H" }] }, { "name": "Find Server 2019 and Enabled", "category": "OS Finder", "queryList": [{ "final": true, "query": "MATCH (H:Computer) WHERE H.operatingsystem =~ '(?i).*(2019).*' AND H.enabled = true RETURN H" }] }, { "name": "Find Server 2019 with session", "category": "OS Finder", "queryList": [{ "final": true, "query": "MATCH (H:Computer)-[:HasSession]->(y) WHERE H.operatingsystem =~ '(?i).*(2019).*' RETURN H" }] }, { "name": "Find Server 2022 and Enabled", "category": "OS Finder", "queryList": [{ "final": true, "query": "MATCH (H:Computer) WHERE H.operatingsystem =~ '(?i).*(2022).*' AND H.enabled = true RETURN H" }] }, { "name": "Find Server 2022 with session", "category": "OS Finder", "queryList": [{ "final": true, "query": "MATCH (H:Computer)-[:HasSession]->(y) WHERE H.operatingsystem =~ '(?i).*(2022).*' RETURN H" }] }, { "name": "All Users with a homedirectory", "category": "User Information", "queryList": [ { "final": true, "query": "MATCH p = (d:Domain)-[r:Contains*1..]->(u:User) WHERE u.homedirectory =~ '(?i).*.*' RETURN p" } ] }, { "name": "All Computers without LAPS - with session", "category": "User Information", "queryList": [ { "final": true, "query": "MATCH p = (d:Domain)-[r:Contains*1..]->(c:Computer)-[:HasSession]->(y) WHERE c.haslaps = false RETURN p" } ] }, { "name": "All computers without LAPS and the computer is enabled", "category": "User Information", "queryList": [ { "final": true, "query": "MATCH p = (d:Domain)-[r:Contains*1..]->(c:Computer) WHERE c.haslaps = false AND c.enabled = true RETURN p" } ] }, { "name": "All enabled computers with a description", "category": "User Information", "queryList": [ { "final": true, "query": "MATCH p = (d:Domain)-[r:Contains*1..]->(c:Computer) WHERE c.description =~ '(?i).*.*' RETURN p" } ] }, { "name": "All enabled computers with a description containing the word file", "category": "User Information", "queryList": [ { "final": true, "query": "MATCH p = (d:Domain)-[r:Contains*1..]->(c:Computer) WHERE c.description =~ '(?i).*file.*' RETURN p" } ] }, { "name": "Locate enabled accounts with display name of admin - put anyname in you like", "category": "User Information", "queryList": [ { "final": true, "query": "MATCH p = (d:Domain)-[r:Contains*1..]->(u:User) WHERE u.displayname =~ '(?i).*admin*' AND u.enabled = true RETURN p" } ] }, { "name": "Find all users with passwords set over 720 days ago (23 months)", "category": "Password Last Set", "queryList": [ { "final": true, "query": "MATCH (u:User) WHERE u.enabled=true AND u.pwdlastset < (datetime().epochseconds - (720 * 86400)) and NOT u.pwdlastset IN [-1.0, 0.0] RETURN u" } ] }, { "name": "Find all users with passwords set over 1440 days ago (47 months)", "category": "Password Last Set", "queryList": [ { "final": true, "query": "MATCH (u:User) WHERE u.enabled=true AND u.pwdlastset < (datetime().epochseconds - (1440 * 86400)) and NOT u.pwdlastset IN [-1.0, 0.0] RETURN u" } ] }, { "name": "Find all Domain Admins (nested SID S-1-5-21-.*-512) having a session opened on a domain computer", "category": "User Information", "queryList": [ { "final": true, "query": "MATCH (m:User)-[r:MemberOf*1..]->(n:Group) WHERE n.objectid =~ '(?i)S-1-5-.*-512' WITH m MATCH q=((m)<-[:HasSession]-(o:Computer)) RETURN q" } ] }, { "name": "Find users that have never logged on and account is still active", "category": "Password Last Set", "queryList": [ { "final": true, "query": "MATCH (n:User) WHERE n.lastlogontimestamp=-1.0 AND n.enabled=TRUE RETURN n " } ] }, { "name": "Find users that haven't logged on in 720 days and account is still active", "category": "Password Last Set", "queryList": [ { "final": true, "query": "MATCH (n:User) WHERE n.lastlogontimestamp < (datetime().epochseconds - (720 * 86400)) AND n.enabled=TRUE RETURN n " } ] }, { "name": "Search for key words in users title such as scientist or Executive - tweak as required", "category": "User Information", "queryList": [ { "final": true, "query": "MATCH p = (d:Domain)-[r:Contains*1..]->(u:User) WHERE u.title =~ '(?i).*scientist*' AND u.enabled = true RETURN p" } ] } ] }