Automated, extensible toolset that runs cypher queries against Bloodhound's Neo4j backend and saves output to csv.
This is a bash script that automates running cypher queries against Bloodhound data stored in a Neo4j database.
I found myself re-running the same queries through the Neo4j web interface on multiple assessments and figured there must be an easier way. 😅
The list of cypher queries to run is fully extensible. The formatting example below shows how to add your own.
Please share any additional useful queries so I can add them to this project!
- The
cypher-shellcommand comes bundled with Neo4j, and is required for this script to function- If Neo4j is installed and
cypher-shellis not found, you may have an outdated version of Neo4j - The latest version can always be found at this location
- On Kali, upgrade to the latest version using Neo4j's Debian repository
- If Neo4j is installed and
- Optional: If the
ssconvertcommand is present, the script will combine all .csv output to sheets within a .xls file- Install the gnumeric toolset with apt or brew to gain access to ssconvert
The current query set requests the following information:
- Full User Property List
- Full Computer Property List
- Full Domain Property List
- Full OU Property List
- Full GPO Property List
- Full Group Property List
- Computers with Admins
- Computers without Admins
- Groups with Computers and Admins
- Group Admin Info
- Users that are not AdminCount 1, have generic all, and no local admin
- Users that are admin on 1+ machines, sorted by admin count
- Kerberoastable users sorted by total machine admin count
- Kerberoastable users and computers where they are admins
- Computers that members of the Domain Users group can RDP to
- Computers where users which can Return, if they belong to adm or svr accounts
- Computer names where each domain user has derivative Admin privileges to
- Users with paths to High Value groups
- Every computer account that has local admin rights on other computers
- Find which domain Groups are Admins to what computers
- What permissions does Everyone/Authenticated users/Domain users/Domain computers have
- All users with SPN in Domain Admin group, with enabled status and unconstrained delegation status displayed
To add additional queries, edit queries.txt and add a line using the following format:
Description;Cypher Query;Output File
Example: All Usernames;MATCH (u:User) RETURN u.name;usernames.csv
If you are running an oudated version of cypher-shell you may receive the following error:
DateTime is not supported as a return type in Bolt protocol version 1.
Please make sure driver supports at least protocol version 2.
Driver upgrade is most likely required.
To fix, update Neo4j to the latest version.
Chris Farrell (@seajay)
- This tool wouldn't exist without BloodHound - developed by @_wald0, @CptJesus, and @harmj0y.
- Shoutout to the Bloodhound Slack
#cypher_querieschannel for assistance - Big ups to @TinkerSec - the bones of this project were straight up copy/pasted from his procdump script 🙃
- Many thanks to @awsmhacks and @haus3c for collecting useful cypher queries (here and here)
