{ "queries": [ { "name": "Shortest Paths to High Value Targets from Owned Principles", "queryList": [ { "final": false, "title": "Select a Domain", "query": "MATCH (n:Domain) RETURN n.name ORDER BY n.name DESC" }, { "final": true, "query": "MATCH (n),(m),p=shortestPath((n)-[r:{}*1..]->(m)) WHERE m.domain={result} AND m.highvalue=true AND NOT m = n AND n.owned=true RETURN p", "allowCollapse": true, "endNode": "{}" } ] }, { "name": "List Computers where DOMAIN USERS are Local Admin", "queryList": [ { "final": true, "query": "MATCH p=(m:Group)-[r:AdminTo]->(n:Computer) WHERE m.name STARTS WITH 'DOMAIN USERS' RETURN p", "allowCollapse": true } ] }, { "name": "Find Workstations where DOMAIN USERS can RDP To", "queryList": [ { "final": true, "query": "match p=(g:Group)-[:CanRDP]->(c:Computer) where g.name STARTS WITH 'DOMAIN USERS' AND NOT c.operatingsystem CONTAINS 'Server' return p", "allowCollapse": true } ] }, { "name": "Find Servers where DOMAIN USERS can RDP To", "queryList": [ { "final": true, "query": "match p=(g:Group)-[:CanRDP]->(c:Computer) where g.name STARTS WITH 'DOMAIN USERS' AND c.operatingsystem CONTAINS 'Server' return p", "allowCollapse": true } ] }, { "name": "ALL Path from DOMAIN USERS to High Value Targets", "queryList": [ { "final": true, "query": "MATCH (g:Group) WHERE g.name STARTS WITH 'DOMAIN USERS' MATCH (n {highvalue:true}),p=shortestPath((g)-[r*1..]->(n)) return p", "allowCollapse": true } ] }, { "name": "Find all other Rights DOMAIN USERS shouldn’t have", "queryList": [ { "final": true, "query": "MATCH p=(m:Group)-[r:Owns|:WriteDacl|:GenericAll|:WriteOwner|:ExecuteDCOM|:GenericWrite|:AllowedToDelegate|:ForceChangePassword]->(n:Computer) WHERE m.name STARTS WITH 'DOMAIN USERS' RETURN p", "allowCollapse": true } ] }, { "name": "DA Account Sessions", "queryList": [ { "final": true, "query": "MATCH (n:User)-[:MemberOf]->(g:Group) WHERE g.name STARTS WITH 'DOMAIN ADMINS' MATCH p = (c:Computer)-[:HasSession]->(n) return p", "allowCollapse": true } ] }, { "name": "DA Account Sessions to NON DC", "queryList": [ { "final": true, "query": "MATCH (c:Computer)-[:MemberOf]->(t:Group) WHERE NOT t.name STARTS WITH 'DOMAIN CONTROLLERS' WITH c as NonDC MATCH p=(NonDC)-[:HasSession]->(n:User)-[:MemberOf]-> (g:Group WHERE g.name STARTS WITH 'DOMAIN ADMINS') RETURN p", "allowCollapse": true } ] }, { "name": "Kerberoastable Accounts member of High Value Group", "queryList": [ { "final": true, "query": "MATCH (n:User)-[r:MemberOf]->(g:Group) WHERE g.highvalue=true AND n.hasspn=true RETURN n, g, r", "allowCollapse": true } ] }, { "name": "List all Kerberoastable Accounts", "queryList": [ { "final": true, "query": "MATCH (n:User)WHERE n.hasspn=true RETURN n", "allowCollapse": true } ] }, { "name": "Top Ten Users with Most Sessions", "queryList": [ { "final": true, "query": "MATCH (n:User),(m:Computer), (n)<-[r:HasSession]-(m) WHERE NOT n.name STARTS WITH 'ANONYMOUS LOGON' AND NOT n.name='' WITH n, count(r) as rel_count order by rel_count desc LIMIT 10 MATCH p=(m)-[r:HasSession]->(n) RETURN p", "allowCollapse": true } ] }, { "name": "Top Ten Computers with Most Admins", "queryList": [ { "final": true, "query": "MATCH (n:User),(m:Computer), (n)-[r:AdminTo]->(m) WHERE NOT n.name STARTS WITH 'ANONYMOUS LOGON' AND NOT n.name='' WITH m, count(r) as rel_count order by rel_count desc LIMIT 10 MATCH p=(m)<-[r:AdminTo]-(n) RETURN p", "allowCollapse": true } ] }, { "name": "Top Ten Computers with Most Sessions", "queryList": [ { "final": true, "query": "MATCH (n:User),(m:Computer), (n)<-[r:HasSession]-(m) WHERE NOT n.name STARTS WITH 'ANONYMOUS LOGON' AND NOT n.name='' WITH m, count(r) as rel_count order by rel_count desc LIMIT 10 MATCH p=(m)-[r:HasSession]->(n) RETURN n,r,m", "allowCollapse": true } ] }, { "name": "Top Ten Computers with Most Admin Sessions", "queryList": [ { "final": true, "query": "MATCH (n:User),(m:Computer), (n)<-[r:HasSession]-(m) WHERE NOT n.name STARTS WITH 'ANONYMOUS LOGON' AND NOT n.name='' WITH m, count(r) as rel_count order by rel_count desc LIMIT 10 MATCH p=(m)-[r:HasSession]->(n) RETURN n,r,m", "allowCollapse": true } ] }, { "name": "Top Ten Users with Most Local Admin Rights", "queryList": [ { "final": true, "query": "MATCH (n:User),(m:Computer), (n)-[r:AdminTo]->(m) WHERE NOT n.name STARTS WITH 'ANONYMOUS LOGON' AND NOT n.name='' WITH n, count(r) as rel_count order by rel_count desc LIMIT 10 MATCH p=(m)<-[r:AdminTo]-(n) RETURN p", "allowCollapse": true } ] } ] }