{
"queries": [
{
"name": "Find all owned Domain Admins",
"requireNodeSelect": false,
"query": "MATCH (n:Group) WHERE n.name =~ {name} WITH n MATCH p=(n)<-[r:MemberOf*1..]-(m) WHERE exists(m.owned) AND NONE (x IN nodes(p) WHERE exists(x.blacklist)) AND NONE (x in relationships(p) WHERE exists(x.blacklist)) RETURN nodes(p),relationships(p)",
"allowCollapse": false,
"props": {"name": "(?i).*DOMAIN ADMINS.*"}
},
{
"name": "Find Shortest Paths from owned node to Domain Admins",
"requireNodeSelect": true,
"nodeSelectQuery": {
"query":"MATCH (n:Group) WHERE n.name =~ {name} RETURN n.name",
"queryProps": {"name":"(?i).*DOMAIN ADMINS.*"},
"onFinish": "MATCH (n),(m:Group {name:{result}}),p=shortestPath((n)-[*1..12]->(m)) WHERE exists(n.owned) AND NONE (x IN nodes(p) WHERE exists(x.blacklist)) AND NONE (x in relationships(p) WHERE exists(x.blacklist)) RETURN p",
"start":"",
"end": "{}",
"allowCollapse": true,
"boxTitle": "Select Domain Admins group to map..."
}
},
{
"name": "Show Wave",
"requireNodeSelect": true,
"nodeSelectQuery": {
"query":"MATCH (n) WHERE exists(n.wave) WITH DISTINCT n.wave as d RETURN toString(d) ORDER BY d",
"queryProps": {},
"onFinish": "OPTIONAL MATCH (n1:User {wave:toInt({result})}) WITH collect(distinct n1) as c1 OPTIONAL MATCH (n2:Computer {wave:toInt({result})}) WITH collect(distinct n2) + c1 as c2 OPTIONAL MATCH (n3:Group {wave:toInt({result})}) WITH c2, collect(distinct n3) + c2 as c3 UNWIND c2 as n UNWIND c3 as m MATCH (n)-[r]->(m) WHERE not(exists(n.blacklist)) AND not(exists(m.blacklist)) AND not(exists(r.blacklist)) RETURN n,r,m",
"start": "",
"end": "",
"allowCollapse": true,
"boxTitle": "Select wave..."
}
},
{
"name": "Highlight Delta for Wave",
"requireNodeSelect": true,
"nodeSelectQuery": {
"query":"MATCH (n) WHERE exists(n.wave) WITH DISTINCT n.wave as d RETURN toString(d) ORDER BY d",
"queryProps": {},
"onFinish": "MATCH (n)-[r]->(m) WHERE n.wave<=toInt({result}) AND not(exists(n.blacklist)) AND not(exists(m.blacklist)) AND not(exists(r.blacklist)) RETURN n,r,m",
"start": "",
"end": "",
"allowCollapse": true,
"boxTitle": "Select wave to show deltas..."
}
},
{
"name": "Find Clusters of Password Reuse",
"requireNodeSelect": false,
"query": "MATCH p=(n)-[r:SharesPasswordWith]->(m) WHERE not(exists(n.blacklist)) AND not(exists(m.blacklist)) RETURN p",
"allowCollapse": true,
"props": {}
},
{
"name": "Show Blacklisted Nodes",
"requireNodeSelect": false,
"query": "MATCH (n) WHERE exists(n.blacklist) RETURN n",
"allowCollapse": true,
"props": {}
},
{
"name": "Show Blacklisted Relationships",
"requireNodeSelect": false,
"query": "MATCH (n)-[r]->(m) WHERE exists(r.blacklist) RETURN n,r,m",
"allowCollapse": true,
"props": {}
},
{
"name": "Show Blacklist",
"requireNodeSelect": false,
"query": "OPTIONAL MATCH (n {blacklist:true}) WITH n OPTIONAL MATCH p=(()-[{blacklist:true}]->()) RETURN n,p",
"allowCollapse": true,
"props": {}
},
{
"name": "Show owned Nodes",
"requireNodeSelect": false,
"query": "MATCH (n) WHERE exists(n.owned) RETURN n",
"allowCollapse": true,
"props": {}
},
{
"name": "Find Shortest Paths to DA Equivalency (Domain Controllers group; blacklist not applied)",
"requireNodeSelect": true,
"nodeSelectQuery": {
"query":"MATCH (n:Group) WHERE n.name =~ {name} RETURN n.name",
"queryProps": {"name":"(?i).*DOMAIN CONTROLLERS.*"},
"onFinish": "MATCH (n:User),(m:Group {name:{result}}),p=shortestPath((n)-[*1..]->(m)) RETURN p",
"start":"",
"end": "{}",
"allowCollapse": true,
"boxTitle": "Select Domain Controllers group to map..."
}
},
{
"name": "Find Shortest Paths to Domain Admins from Foreign User (blacklist not applied)",
"requireNodeSelect": true,
"nodeSelectQuery": {
"query": "MATCH (n:Domain) RETURN n.name",
"queryProps":{},
"onFinish": "MATCH (n:User) WHERE NOT n.name ENDS WITH ('@' + {result}) WITH n MATCH (m:Group {name:('DOMAIN ADMINS@' + {result})}) WITH n,m MATCH p=shortestPath((n)-[*1..]->(m)) RETURN p",
"start": "{}",
"end": "",
"allowCollapse": true,
"boxTitle": "Select target domain..."
}
},
{
"name": "Show Connections over 22/tcp",
"requireNodeSelect": false,
"query": "MATCH p=((s:Computer)-[:Connected_22]->(d:Computer)) RETURN p",
"allowCollapse": true,
"props": {}
},
{
"name": "Show Connections over 80/tcp",
"requireNodeSelect": false,
"query": "MATCH p=((s:Computer)-[:Connected_80]->(d:Computer)) RETURN p",
"allowCollapse": true,
"props": {}
},
{
"name": "Show Connections over 135/tcp",
"requireNodeSelect": false,
"query": "MATCH p=((s:Computer)-[:Connected_135]->(d:Computer)) RETURN p",
"allowCollapse": true,
"props": {}
},
{
"name": "Show Connections over 139/tcp",
"requireNodeSelect": false,
"query": "MATCH p=((s:Computer)-[:Connected_139]->(d:Computer)) RETURN p",
"allowCollapse": true,
"props": {}
},
{
"name": "Show Connections over 389/tcp",
"requireNodeSelect": false,
"query": "MATCH p=((s:Computer)-[:Connected_389]->(d:Computer)) RETURN p",
"allowCollapse": true,
"props": {}
},
{
"name": "Show Connections over 443/tcp",
"requireNodeSelect": false,
"query": "MATCH p=((s:Computer)-[:Connected_443]->(d:Computer)) RETURN p",
"allowCollapse": true,
"props": {}
},
{
"name": "Show Connections over 445/tcp",
"requireNodeSelect": false,
"query": "MATCH p=((s:Computer)-[:Connected_445]->(d:Computer)) RETURN p",
"allowCollapse": true,
"props": {}
},
{
"name": "Show Connections over 1433/tcp",
"requireNodeSelect": false,
"query": "MATCH p=((s:Computer)-[:Connected_1433]->(d:Computer)) RETURN p",
"allowCollapse": true,
"props": {}
},
{
"name": "Show Connections over 1521/tcp",
"requireNodeSelect": false,
"query": "MATCH p=((s:Computer)-[:Connected_1521]->(d:Computer)) RETURN p",
"allowCollapse": true,
"props": {}
},
{
"name": "Show Connections over 3306/tcp",
"requireNodeSelect": false,
"query": "MATCH p=((s:Computer)-[:Connected_3306]->(d:Computer)) RETURN p",
"allowCollapse": true,
"props": {}
},
{
"name": "Show Connections over 3389/tcp",
"requireNodeSelect": false,
"query": "MATCH p=((s:Computer)-[:Connected_3389]->(d:Computer)) RETURN p",
"allowCollapse": true,
"props": {}
},
{
"name": "Show Connections over 5432/tcp",
"requireNodeSelect": false,
"query": "MATCH p=((s:Computer)-[:Connected_5432]->(d:Computer)) RETURN p",
"allowCollapse": true,
"props": {}
},
{
"name": "Show Database Connections",
"requireNodeSelect": false,
"query": "MATCH p=((s:Computer)-[:Connected_1433|Connected_1521|Connected_3306|Connected_5432]->(d:Computer)) RETURN p",
"allowCollapse": true,
"props": {}
},
{
"name": "Show Web App Connections",
"requireNodeSelect": false,
"query": "MATCH p=((s:Computer)-[:Connected_80|Connected_443]->(d:Computer)) RETURN p",
"allowCollapse": true,
"props": {}
},
{
"name": "Find Top 10 RDP Servers",
"requireNodeSelect": false,
"query": "MATCH (n:Computer)-[r:Connected_3389]->(m:Computer) WHERE NOT m.name STARTS WITH 'ANONYMOUS LOGON' AND NOT m.name='' WITH m, count(r) as rel_count order by rel_count desc LIMIT 10 MATCH (n)-[r:Connected_3389]->(m) RETURN n,r,m",
"allowCollapse": true,
"props": {}
},
{
"name": "Find Top 10 SSH Servers",
"requireNodeSelect": false,
"query": "MATCH (n:Computer)-[r:Connected_22]->(m:Computer) WHERE NOT m.name STARTS WITH 'ANONYMOUS LOGON' AND NOT m.name='' WITH m, count(r) as rel_count order by rel_count desc LIMIT 10 MATCH (n)-[r:Connected_22]->(m) RETURN n,r,m",
"allowCollapse": true,
"props": {}
},
{
"name": "Find Top 10 Web Apps with most Connections",
"requireNodeSelect": false,
"query": "MATCH (n:Computer)-[r:Connected_80|Connected_443]->(m:Computer) WHERE NOT m.name STARTS WITH 'ANONYMOUS LOGON' AND NOT m.name='' WITH m, count(r) as rel_count order by rel_count desc LIMIT 10 MATCH (n)-[r:Connected_80|Connected_443]->(m) RETURN n,r,m",
"allowCollapse": true,
"props": {}
}
]
}