Add "Anonymous" to the "dangerous" groups for ACL (along Domain Users, Everyone, etc.) #12

2 changes: 1 addition & 1 deletion cypheroth.sh
@@ -224,7 +224,7 @@ declare -a queries=(
"Users that are admin on 1+ machines, sorted by admin count;MATCH (U:User)-[r:MemberOf|:AdminTo*1..]->(C:Computer) WITH U.name as n, COUNT(DISTINCT(C)) as c WHERE c>0 RETURN n AS UserName, c ORDER BY c DESC;UserAdminCount.csv"
"Users with Description field populated;MATCH (u:User) WHERE NOT u.description IS null RETURN u.name AS UserName ,u.description AS Description;userDescriptions.csv"
"Users with paths to Domain Controllers;MATCH (u:User), (g:Group {name: 'DOMAIN ADMINS@TESTLAB.LOCAL'}), p=shortestPath((u)-[*1..]->(g)) RETURN u.name AS UserName,u.displayname AS DisplayName, length(p) AS Hops ORDER BY Hops;UsersWithPathsToDCs.csv"
"What permissions does Everyone/Authenticated users/Domain users/Domain computers have;MATCH p=(m:Group)- [r:AddMember|AdminTo|AllExtendedRights|AllowedToDelegate|CanRDP|Contains|ExecuteDCOM|ForceChangePassword|GenericAll|GenericWrite|GetChanges|GetChangesAll|HasSession|Owns|ReadLAPSPassword|SQLAdmin|TrustedBy|WriteDACL|WriteOwner|AddAllowedToAct|AllowedToAct]->(t) WHERE m.objectsid ENDS WITH '-513' OR m.objectsid ENDS WITH '-515' OR m.objectsid ENDS WITH 'S-1-5-11' OR m.objectsid ENDS WITH 'S-1-1-0' RETURN m.name,TYPE(r),t.name,t.enabled;interestingPermissions.csv"
"What permissions does Everyone/Anonymous/Authenticated users/Domain users/Domain computers have;MATCH p=(m:Group)- [r:AddMember|AdminTo|AllExtendedRights|AllowedToDelegate|CanRDP|Contains|ExecuteDCOM|ForceChangePassword|GenericAll|GenericWrite|GetChanges|GetChangesAll|HasSession|Owns|ReadLAPSPassword|SQLAdmin|TrustedBy|WriteDACL|WriteOwner|AddAllowedToAct|AllowedToAct]->(t) WHERE m.objectsid ENDS WITH '-513' OR m.objectsid ENDS WITH '-515' OR m.objectsid ENDS WITH 'S-1-5-11' OR m.objectsid ENDS WITH 'S-1-1-0' OR m.name STARTS WITH "ANONYMOUS@" RETURN m.name,TYPE(r),t.name,t.enabled;interestingPermissions.csv"
"Every computer account that has local admin rights on other computers;MATCH (c1:Computer) OPTIONAL MATCH (c1)-[:AdminTo]->(c2:Computer) OPTIONAL MATCH (c1)-[:MemberOf*1..]->(:Group)-[:AdminTo]->(c3:Computer) WITH COLLECT(c2) + COLLECT(c3) AS tempVar,c1 UNWIND tempVar AS computers RETURN c1.name AS Owner,computers.name AS Ownee;compOwners.csv"
"Find which domain Groups are Admins to what computers;MATCH (g:Group) OPTIONAL MATCH (g)-[:AdminTo]->(c1:Computer) OPTIONAL MATCH (g)-[:MemberOf*1..]->(:Group)-[:AdminTo]->(c2:Computer) WITH g, COLLECT(c1) + COLLECT(c2) AS tempVar UNWIND tempVar AS computers RETURN g.name,g.highvalue,computers.name,computers.highvalue;groupsAdminningComputers.csv"
"Computer names where each domain user has derivative Admin privileges to;MATCH (u:User)-[:MemberOf*1..]->(:Group)-[:AdminTo]->(c:Computer) RETURN DISTINCT(c.name) AS COMPUTER, u.name AS USER ORDER BY u.name;unrolledUserAdminPrivs.csv"
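Review bot: the new clause `OR m.name STARTS WITH "ANONYMOUS@"` on the added line uses double quotes inside an array element that is itself delimited by double quotes, so bash ends the string at `WITH "`, appends the bare word `ANONYMOUS@`, and reopens the string at `" RETURN`; the Cypher that reaches Neo4j reads `STARTS WITH ANONYMOUS@ RETURN`, which is a syntax error, and the whole interestingPermissions.csv query fails rather than silently omitting Anonymous. Use single quotes for the literal, as every other string in this query does: `OR m.name STARTS WITH 'ANONYMOUS@'`. Separately, the other principals in this WHERE clause are identified by `m.objectsid ENDS WITH ...`, which is how the existing line copes with BloodHound prefixing well-known SIDs with the domain name; matching Anonymous by display name instead is inconsistent and depends on the collector's naming. Consider `OR m.objectsid ENDS WITH 'S-1-5-7'` (the well-known SID for ANONYMOUS LOGON) alongside or instead of the name match. The description string was updated to list Anonymous, which is good; the README or query list, if one exists, should mention it too.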