Skip to content
Permalink
master
Go to file
6 contributors

Users who have contributed to this file

@rvazarkar @Scoubi @cnotin @Beercow @andyrobbins @Hackndo
349 lines (349 sloc) 13.7 KB
{
"queries": [
{
"name": "Find all Domain Admins",
"queryList": [
{
"final": true,
"query": "MATCH p=(n:Group)<-[:MemberOf*1..]-(m) WHERE n.objectid =~ $name RETURN p",
"props": {
"name": "(?i)S-1-5-.*-512"
},
"allowCollapse": false
}
]
},
{
"name": "Find Shortest Paths to Domain Admins",
"queryList": [
{
"final": false,
"title": "Select a Domain Admin group...",
"query": "MATCH (n:Group) WHERE n.objectid =~ $name RETURN n.name ORDER BY n.name DESC",
"props": {
"name": "(?i)S-1-5-.*-512"
}
},
{
"final": true,
"query": "MATCH p=shortestPath((n)-[:{}*1..]->(m:Group {name:$result})) WHERE NOT n=m RETURN p",
"allowCollapse": true,
"endNode": "{}"
}
]
},
{
"name": "Find Principals with DCSync Rights",
"queryList": [
{
"final": false,
"title": "Select a Domain...",
"query": "MATCH (n:Domain) RETURN n.name ORDER BY n.name DESC"
},
{
"final": true,
"query": "MATCH (n1)-[:MemberOf|GetChanges*1..]->(u:Domain {name: $result}) WITH n1,u MATCH (n1)-[:MemberOf|GetChangesAll*1..]->(u) WITH n1,u MATCH p = (n1)-[:MemberOf|GetChanges|GetChangesAll*1..]->(u) RETURN p",
"allowCollapse": true,
"endNode": "{}"
}
]
},
{
"name": "Users with Foreign Domain Group Membership",
"queryList": [
{
"final": false,
"title": "Select source domain...",
"query": "MATCH (n:Domain) RETURN n.name ORDER BY n.name DESC"
},
{
"final": true,
"query": "MATCH p=(n:User)-[:MemberOf]->(m:Group) WHERE n.domain=$result AND m.domain<>n.domain RETURN p",
"startNode": "{}",
"allowCollapse": false
}
]
},
{
"name": "Groups with Foreign Domain Group Membership",
"queryList": [
{
"final": false,
"title": "Select source domain...",
"query": "MATCH (n:Domain) RETURN n.name ORDER BY n.name DESC"
},
{
"final": true,
"query": "MATCH p=(n:Group {domain:$result})-[:MemberOf]->(m:Group) WHERE m.domain<>n.domain AND n.name<>m.name RETURN p",
"startNode": "{}",
"allowCollapse": false
}
]
},
{
"name": "Map Domain Trusts",
"queryList": [
{
"final": true,
"query": "MATCH p=(n:Domain)-->(m:Domain) RETURN p",
"allowCollapse": true
}
]
},
{
"name": "Shortest Paths to Unconstrained Delegation Systems",
"queryList": [
{
"final": true,
"query": "MATCH (n) MATCH p=shortestPath((n)-[:{}*1..]->(m:Computer {unconstraineddelegation: true})) WHERE NOT n=m RETURN p"
}
]
},
{
"name": "Shortest Paths from Kerberoastable Users",
"queryList": [
{
"final": false,
"title": "Select a domain...",
"query": "MATCH (n:Domain) RETURN n.name ORDER BY n.name DESC"
},
{
"final": false,
"title": "Select a user",
"query": "MATCH (n:User) WHERE n.domain=$result AND n.hasspn=true RETURN n.name, n.pwdlastset ORDER BY n.pwdlastset ASC"
},
{
"final": true,
"query": "MATCH p=shortestPath((a:User {name:$result})-[:{}*1..]->(b:Computer)) RETURN p",
"startNode": "{}",
"allowCollapse": true
}
]
},
{
"name": "Shortest Paths to Domain Admins from Kerberoastable Users",
"queryList": [
{
"final": false,
"title": "Select a Domain Admin group...",
"query": "MATCH (n:Group) WHERE n.objectid =~ $name RETURN n.name ORDER BY n.name DESC",
"props": {
"name": "(?i)S-1-5-.*-512"
}
},
{
"final": true,
"query": "MATCH p=shortestPath((n:User {hasspn:true})-[:{}*1..]->(m:Group {name:$result})) RETURN p",
"allowCollapse": true,
"endNode": "{}"
}
]
},
{
"name": "Shortest Path from Owned Principals",
"queryList": [
{
"final": false,
"title": "Select a domain...",
"query": "MATCH (n:Domain) RETURN n.name ORDER BY n.name DESC"
},
{
"final": false,
"title": "Select a user",
"query": "MATCH (n) WHERE n.domain=$result AND n.owned=true RETURN n.name, n.PwdLastSet ORDER BY n.PwdLastSet ASC"
},
{
"final": true,
"query": "MATCH p=shortestPath((a {name:$result})-[:{}*1..]->(b:Computer)) WHERE NOT a=b RETURN p",
"startNode": "{}",
"allowCollapse": true
}
]
},
{
"name": "Shortest Paths to Domain Admins from Owned Principals",
"queryList": [
{
"final": false,
"title": "Select a Domain Admin group...",
"query": "MATCH (n:Group) WHERE n.objectid =~ $name RETURN n.name ORDER BY n.name DESC",
"props": {
"name": "(?i)S-1-5-.*-512"
}
},
{
"final": true,
"query": "MATCH p=shortestPath((n {owned:true})-[:{}*1..]->(m:Group {name:$result})) WHERE NOT n=m RETURN p",
"allowCollapse": true,
"endNode": "{}"
}
]
},
{
"name": "Shortest Paths to High Value Targets",
"queryList": [
{
"final": false,
"title": "Select a Domain",
"query": "MATCH (n:Domain) RETURN n.name ORDER BY n.name DESC"
},
{
"final": true,
"query": "MATCH p=shortestPath((n)-[*1..]->(m {highvalue:true})) WHERE m.domain=$result AND m<>n RETURN p",
"allowCollapse": true,
"endNode": "{}"
}
]
},
{
"name": "Find Computers where Domain Users are Local Admin",
"queryList": [
{
"final": false,
"title": "Select a Domain Users Group...",
"query": "MATCH (n:Group) WHERE n.objectid ENDS WITH '-513' RETURN n.name ORDER BY n.name DESC"
},
{
"final": true,
"query": "MATCH p=(m:Group {name:$result})-[:AdminTo]->(n:Computer) RETURN p",
"allowCollapse": true
}
]
},
{
"name": "Shortest Paths from Domain Users to High Value Targets",
"queryList": [
{
"final": false,
"title": "Select a Domain Users Group...",
"query": "MATCH (n:Group) WHERE n.objectid ENDS WITH '-513' RETURN n.name ORDER BY n.name DESC"
},
{
"final": true,
"query": "MATCH p=shortestPath((g:Group {name:$result})-[*1..]->(n {highvalue:true})) WHERE g.objectid ENDS WITH '-513' AND g<>n return p",
"allowCollapse": true
}
]
},
{
"name": "Find All Paths from Domain Users to High Value Targets",
"queryList": [
{
"final": false,
"title": "Select a Domain Users Group...",
"query": "MATCH (n:Group) WHERE n.objectid ENDS WITH '-513' RETURN n.name ORDER BY n.name DESC"
},
{
"final": true,
"query": "MATCH p=shortestPath((g:Group {name:$result})-[*1..]->(n {highvalue:true})) WHERE g<>n return p",
"allowCollapse": true
}
]
},
{
"name": "Find Workstations where Domain Users can RDP",
"queryList": [
{
"final": false,
"title": "Select a Domain Users Group...",
"query": "MATCH (n:Group) WHERE n.objectid ENDS WITH '-513' RETURN n.name ORDER BY n.name DESC"
},
{
"final": true,
"query": "match p=(g:Group {name:$result})-[:CanRDP]->(c:Computer) where NOT c.operatingsystem CONTAINS 'Server' return p",
"allowCollapse": true
}
]
},
{
"name": "Find Servers where Domain Users can RDP",
"queryList": [
{
"final": false,
"title": "Select a Domain Users Group...",
"query": "MATCH (n:Group) WHERE n.objectid ENDS WITH '-513' RETURN n.name ORDER BY n.name DESC"
},
{
"final": true,
"query": "MATCH p=(g:Group {name:$result})-[:CanRDP]->(c:Computer) WHERE c.operatingsystem CONTAINS 'Server' return p",
"allowCollapse": false
}
]
},
{
"name": "Find Dangerous Rights for Domain Users Groups",
"queryList": [
{
"final": false,
"title": "Select a Domain Users Group...",
"query": "MATCH (n:Group) WHERE n.objectid ENDS WITH '-513' RETURN n.name ORDER BY n.name DESC"
},
{
"final": true,
"query": "MATCH p=(m:Group)-[:Owns|WriteDacl|GenericAll|WriteOwner|ExecuteDCOM|GenericWrite|AllowedToDelegate|ForceChangePassword]->(n:Computer) WHERE m.objectid ENDS WITH '-513' RETURN p",
"allowCollapse": true
}
]
},
{
"name": "Find Kerberoastable Members of High Value Groups",
"queryList": [
{
"final": true,
"query": "MATCH p=shortestPath((n:User)-[r:MemberOf]->(g:Group)) WHERE g.highvalue=true AND n.hasspn=true RETURN p",
"allowCollapse": true
}
]
},
{
"name": "List all Kerberoastable Accounts",
"queryList": [
{
"final": true,
"query": "MATCH (n:User)WHERE n.hasspn=true RETURN n",
"allowCollapse": true
}
]
},
{
"name": "Find Kerberoastable Users with most privileges",
"queryList": [
{
"final": true,
"query": "MATCH (u:User {hasspn:true}) OPTIONAL MATCH (u)-[:AdminTo]->(c1:Computer) OPTIONAL MATCH (u)-[:MemberOf*1..]->(:Group)-[:AdminTo]->(c2:Computer) WITH u,COLLECT(c1) + COLLECT(c2) AS tempVar UNWIND tempVar AS comps RETURN u.name,COUNT(DISTINCT(comps)) ORDER BY COUNT(DISTINCT(comps)) DESC",
"allowCollapse": true
}
]
},
{
"name": "Find Domain Admin Logons to non-Domain Controllers",
"queryList": [
{
"final": true,
"query": "MATCH (c:Computer)-[:MemberOf]->(t:Group) WHERE NOT t.name STARTS WITH 'DOMAIN CONTROLLERS' WITH c as NonDC MATCH p=(NonDC)-[:HasSession]->(n:User)-[:MemberOf]-> (g:Group) WHERE g.name STARTS WITH 'DOMAIN ADMINS' RETURN p",
"allowCollapse": true
}
]
},
{
"name": "Find Computers with Unsupported Operating Systems",
"queryList": [
{
"final": true,
"query": "MATCH (n:Computer) WHERE n.operatingsystem =~ '(?i).*\\\\b(2000|2003|2008|xp|vista|7|me)\\\\b.*' RETURN n",
"allowCollapse": true
}
]
},
{
"name": "Find AS-REP Roastable Users (DontReqPreAuth)",
"queryList": [
{
"final": true,
"query": "MATCH (u:User {dontreqpreauth: true}) RETURN u",
"allowCollapse": true
}
]
}
]
}
You can’t perform that action at this time.