{ "cells": [ { "cell_type": "markdown", "metadata": {}, "source": [ "# Queries Notebook" ] }, { "cell_type": "markdown", "metadata": {}, "source": [ "\n", "* **Author**: Roberto Rodriguez (@Cyb3rWard0g)\n", "* **Project**: Infosec Jupyter Book\n", "* **Public Organization**: [Open Threat Research](https://github.com/OTRF)\n", "* **License**: [Creative Commons Attribution-ShareAlike 4.0 International](https://creativecommons.org/licenses/by-sa/4.0/)\n", " " ] }, { "cell_type": "markdown", "metadata": {}, "source": [ "## Import Libraries" ] }, { "cell_type": "code", "execution_count": 1, "metadata": {}, "outputs": [], "source": [ "from py2neo import Graph" ] }, { "cell_type": "markdown", "metadata": {}, "source": [ "## Initialize Graph Variable" ] }, { "cell_type": "code", "execution_count": 2, "metadata": {}, "outputs": [], "source": [ "graph = Graph(password='wardog')" ] }, { "cell_type": "markdown", "metadata": {}, "source": [ "## Community Cypher Queries" ] }, { "cell_type": "markdown", "metadata": {}, "source": [ "## Servers a user can RDP into\n", "**Author:** Ryan Hausknecht (@haus3c)\n", "\n", "**Description:** Find servers a user can RDP into.\n" ] }, { "cell_type": "code", "execution_count": 3, "metadata": {}, "outputs": [ { "data": { "text/plain": [ "[]" ] }, "execution_count": 3, "metadata": {}, "output_type": "execute_result" } ], "source": [ "graph.run(\n", "'''\n", "MATCH p=(g:Group)-[:CanRDP]->(c:Computer)\n", "WHERE g.objectid ENDS WITH '-513' AND c.operatingsystem CONTAINS 'Server'\n", "RETURN p \n", "'''\n", ").data()" ] }, { "cell_type": "markdown", "metadata": {}, "source": [ "## View all GPOs that contain a keyword\n", "**Author:** Ryan Hausknecht (@haus3c)\n", "\n", "**Description:** View all GPOs that contain a keyword\n" ] }, { "cell_type": "code", "execution_count": 4, "metadata": {}, "outputs": [ { "data": { "text/plain": [ "[{'n': (_10:Base:GPO {distinguishedname: 
'CN={6AC1786C-016F-11D2-945F-00C04fB984F9},CN=Policies,CN=System,DC=contoso,DC=local', domain: 'CONTOSO.LOCAL', gpcpath: '\\\\\\\\contoso.local\\\\sysvol\\\\contoso.local\\\\Policies\\\\{6AC1786C-016F-11D2-945F-00C04fB984F9}', highvalue: false, name: 'DEFAULT DOMAIN CONTROLLERS POLICY@CONTOSO.LOCAL', objectid: '6930F38E-81B5-497F-B18B-E770DF862D89'})},\n", " {'n': (_120:Base:GPO {distinguishedname: 'CN={31B2F340-016D-11D2-945F-00C04FB984F9},CN=Policies,CN=System,DC=contoso,DC=local', domain: 'CONTOSO.LOCAL', gpcpath: '\\\\\\\\contoso.local\\\\sysvol\\\\contoso.local\\\\Policies\\\\{31B2F340-016D-11D2-945F-00C04FB984F9}', highvalue: false, name: 'DEFAULT DOMAIN POLICY@CONTOSO.LOCAL', objectid: '5E11EF13-E6EE-4600-9EF7-BD5220CCE469'})}]" ] }, "execution_count": 4, "metadata": {}, "output_type": "execute_result" } ], "source": [ "graph.run(\n", "'''\n", "MATCH (n:GPO)\n", "WHERE n.name CONTAINS \"DOMAIN\"\n", "RETURN n\n", "'''\n", ").data()" ] }, { "cell_type": "markdown", "metadata": {}, "source": [ "## Domain Users Groups with Interesting ACEs\n", "**Author:** Ryan Hausknecht (@haus3c), Roberto Rodriguez (@Cyb3rWard0g)\n", "\n", "**Description:** Find interesting privileges/ACEs that have been configured to DOMAIN USERS group\n" ] }, { "cell_type": "code", "execution_count": 5, "metadata": {}, "outputs": [ { "data": { "text/plain": [ "[]" ] }, "execution_count": 5, "metadata": {}, "output_type": "execute_result" } ], "source": [ "graph.run(\n", "'''\n", "MATCH (m:Group)\n", "WHERE m.name =~ 'DOMAIN USERS@CONTOSO.LOCAL'\n", "MATCH p=(m)-[r:Owns|WriteDacl|GenericAll|WriteOwner|ExecuteDCOM|GenericWrite|AllowedToDelegate|ForceChangePassword]->(n:Computer)\n", "RETURN p\n", "'''\n", ").data()" ] }, { "cell_type": "markdown", "metadata": {}, "source": [ "## Top 10 Computers with Most Admins\n", "**Author:** Walter.Legowski (@SadProcessor)\n", "\n", "**Description:** List of top 10 computers with most admins\n" ] }, { "cell_type": "code", "execution_count": 6, "metadata": 
{}, "outputs": [ { "data": { "text/plain": [ "[{'n': (_11:Base:User {admincount: true, description: 'Built-in account for administering the computer/domain', distinguishedname: 'CN=Administrator,CN=Users,DC=contoso,DC=local', domain: 'CONTOSO.LOCAL', dontreqpreauth: false, enabled: true, hasspn: false, highvalue: false, lastlogon: 1586793173.0, lastlogontimestamp: 1586738080.0, name: 'ADMINISTRATOR@CONTOSO.LOCAL', objectid: 'S-1-5-21-153951712-174133717-528793688-500', owned: false, passwordnotreqd: false, pwdlastset: 1560189819.0, pwdneverexpires: true, sensitive: false, serviceprincipalnames: [], sidhistory: [], unconstraineddelegation: false}),\n", " 'r': (ADMINISTRATOR@CONTOSO.LOCAL)-[:AdminTo {fromgpo: false, isacl: false}]->(DC-2016-001.CONTOSO.LOCAL),\n", " 'm': (_41:Base:Computer {distinguishedname: 'CN=DC-2016-001,OU=Domain Controllers,DC=contoso,DC=local', domain: 'CONTOSO.LOCAL', enabled: true, haslaps: false, highvalue: false, lastlogontimestamp: 1586550660.0, name: 'DC-2016-001.CONTOSO.LOCAL', objectid: 'S-1-5-21-153951712-174133717-528793688-1000', operatingsystem: 'Windows Server 2016 Standard', owned: false, pwdlastset: 1586379557.0, serviceprincipalnames: ['Dfsr-12F9A27C-BF97-4787-9364-D31B6C55EB04/DC-2016-001.contoso.local', 'ldap/DC-2016-001.contoso.local/ForestDnsZones.contoso.local', 'ldap/DC-2016-001.contoso.local/DomainDnsZones.contoso.local', 'DNS/DC-2016-001.contoso.local', 'GC/DC-2016-001.contoso.local/contoso.local', 'RestrictedKrbHost/DC-2016-001.contoso.local', 'RestrictedKrbHost/DC-2016-001', 'RPC/163efdab-a02f-4b72-8de1-b45b21b62341._msdcs.contoso.local', 'HOST/DC-2016-001/CONTOSO', 'HOST/DC-2016-001.contoso.local/CONTOSO', 'HOST/DC-2016-001', 'HOST/DC-2016-001.contoso.local', 'HOST/DC-2016-001.contoso.local/contoso.local', 'E3514235-4B06-11D1-AB04-00C04FC2DCD2/163efdab-a02f-4b72-8de1-b45b21b62341/contoso.local', 'ldap/DC-2016-001/CONTOSO', 'ldap/163efdab-a02f-4b72-8de1-b45b21b62341._msdcs.contoso.local', 
'ldap/DC-2016-001.contoso.local/CONTOSO', 'ldap/DC-2016-001', 'ldap/DC-2016-001.contoso.local', 'ldap/DC-2016-001.contoso.local/contoso.local'], unconstraineddelegation: true})},\n", " {'n': (_98:Base:Group {admincount: true, description: 'All domain users', distinguishedname: 'CN=Domain Users,CN=Users,DC=contoso,DC=local', domain: 'CONTOSO.LOCAL', highvalue: false, name: 'DOMAIN USERS@CONTOSO.LOCAL', objectid: 'S-1-5-21-153951712-174133717-528793688-513'}),\n", " 'r': (DOMAIN USERS@CONTOSO.LOCAL)-[:AdminTo {fromgpo: false, isacl: false}]->(DC-2016-001.CONTOSO.LOCAL),\n", " 'm': (_41:Base:Computer {distinguishedname: 'CN=DC-2016-001,OU=Domain Controllers,DC=contoso,DC=local', domain: 'CONTOSO.LOCAL', enabled: true, haslaps: false, highvalue: false, lastlogontimestamp: 1586550660.0, name: 'DC-2016-001.CONTOSO.LOCAL', objectid: 'S-1-5-21-153951712-174133717-528793688-1000', operatingsystem: 'Windows Server 2016 Standard', owned: false, pwdlastset: 1586379557.0, serviceprincipalnames: ['Dfsr-12F9A27C-BF97-4787-9364-D31B6C55EB04/DC-2016-001.contoso.local', 'ldap/DC-2016-001.contoso.local/ForestDnsZones.contoso.local', 'ldap/DC-2016-001.contoso.local/DomainDnsZones.contoso.local', 'DNS/DC-2016-001.contoso.local', 'GC/DC-2016-001.contoso.local/contoso.local', 'RestrictedKrbHost/DC-2016-001.contoso.local', 'RestrictedKrbHost/DC-2016-001', 'RPC/163efdab-a02f-4b72-8de1-b45b21b62341._msdcs.contoso.local', 'HOST/DC-2016-001/CONTOSO', 'HOST/DC-2016-001.contoso.local/CONTOSO', 'HOST/DC-2016-001', 'HOST/DC-2016-001.contoso.local', 'HOST/DC-2016-001.contoso.local/contoso.local', 'E3514235-4B06-11D1-AB04-00C04FC2DCD2/163efdab-a02f-4b72-8de1-b45b21b62341/contoso.local', 'ldap/DC-2016-001/CONTOSO', 'ldap/163efdab-a02f-4b72-8de1-b45b21b62341._msdcs.contoso.local', 'ldap/DC-2016-001.contoso.local/CONTOSO', 'ldap/DC-2016-001', 'ldap/DC-2016-001.contoso.local', 'ldap/DC-2016-001.contoso.local/contoso.local'], unconstraineddelegation: true})}]" ] }, "execution_count": 6, "metadata": {}, 
"output_type": "execute_result" } ], "source": [ "graph.run(\n", "'''\n", "MATCH (n:User),(m:Computer),(n)-[r:AdminTo]->(m)\n", "WHERE NOT n.name STARTS WITH 'ANONYMOUS LOGON' AND NOT n.name='' WITH m,count(r) as rel_count \n", "ORDER BY rel_count desc \n", "LIMIT 10 \n", "MATCH (m)<-[r:AdminTo]-(n) \n", "RETURN n,r,m\n", "'''\n", ").data()" ] }, { "cell_type": "markdown", "metadata": {}, "source": [ "## Map Domain Trusts\n", "**Author:** Walter.Legowski (@SadProcessor)\n", "\n", "**Description:** Map domain trusts\n" ] }, { "cell_type": "code", "execution_count": 7, "metadata": {}, "outputs": [ { "data": { "text/plain": [ "[{'p': (CONTOSO.LOCAL)-[:Contains {isacl: false}]->(RESEARCH AND DEVELOPMENT@CONTOSO.LOCAL)},\n", " {'p': (CONTOSO.LOCAL)-[:Contains {isacl: false}]->(ACCOUNTING@CONTOSO.LOCAL)},\n", " {'p': (CONTOSO.LOCAL)<-[:GpLink {enforced: false, isacl: false}]-(DEFAULT DOMAIN POLICY@CONTOSO.LOCAL)},\n", " {'p': (CONTOSO.LOCAL)-[:Contains {isacl: false}]->(CONTOSO USERS@CONTOSO.LOCAL)},\n", " {'p': (CONTOSO.LOCAL)-[:Contains {isacl: false}]->(SQLUSERS@CONTOSO.LOCAL)},\n", " {'p': (CONTOSO.LOCAL)-[:Contains {isacl: false}]->(DOMAIN CONTROLLERS@CONTOSO.LOCAL)},\n", " {'p': (CONTOSO.LOCAL)-[:Contains {isacl: false}]->(PCI ENCLAVE@CONTOSO.LOCAL)},\n", " {'p': (CONTOSO.LOCAL)-[:Contains {isacl: false}]->(OU-CONTROL@CONTOSO.LOCAL)},\n", " {'p': (CONTOSO.LOCAL)-[:Contains {isacl: false}]->(WIN-2016-001.CONTOSO.LOCAL)},\n", " {'p': (CONTOSO.LOCAL)-[:Contains {isacl: false}]->(DESKTOP-4AMBQF0.CONTOSO.LOCAL)},\n", " {'p': (CONTOSO.LOCAL)-[:Contains {isacl: false}]->(WIN10-001.CONTOSO.LOCAL)},\n", " {'p': (CONTOSO.LOCAL)-[:Contains {isacl: false}]->(KRBTGT@CONTOSO.LOCAL)},\n", " {'p': (CONTOSO.LOCAL)-[:Contains {isacl: false}]->(DEFAULTACCOUNT@CONTOSO.LOCAL)},\n", " {'p': (CONTOSO.LOCAL)-[:Contains {isacl: false}]->(GUEST@CONTOSO.LOCAL)},\n", " {'p': (CONTOSO.LOCAL)-[:Contains {isacl: false}]->(GMSA-SQL01@CONTOSO.LOCAL)},\n", " {'p': (CONTOSO.LOCAL)-[:Contains {isacl: 
false}]->(ADMINISTRATOR@CONTOSO.LOCAL)},\n", " {'p': (CONTOSO.LOCAL)<-[:GetChangesAll {isacl: true, isinherited: false}]-(DOMAIN CONTROLLERS@CONTOSO.LOCAL)},\n", " {'p': (CONTOSO.LOCAL)<-[:GetChangesAll {isacl: true, isinherited: false}]-(ADMINISTRATORS@CONTOSO.LOCAL)},\n", " {'p': (CONTOSO.LOCAL)<-[:GetChanges {isacl: true, isinherited: false}]-(ENTERPRISE DOMAIN CONTROLLERS@CONTOSO.LOCAL)},\n", " {'p': (CONTOSO.LOCAL)<-[:GetChanges {isacl: true, isinherited: false}]-(ADMINISTRATORS@CONTOSO.LOCAL)},\n", " {'p': (CONTOSO.LOCAL)<-[:GetChanges {isacl: true, isinherited: false}]-(ENTERPRISE READ-ONLY DOMAIN CONTROLLERS@CONTOSO.LOCAL)},\n", " {'p': (CONTOSO.LOCAL)<-[:GenericAll {isacl: true, isinherited: false}]-(ENTERPRISE ADMINS@CONTOSO.LOCAL)},\n", " {'p': (CONTOSO.LOCAL)<-[:AllExtendedRights {isacl: true, isinherited: false}]-(DOMAIN ADMINS@CONTOSO.LOCAL)},\n", " {'p': (CONTOSO.LOCAL)<-[:AllExtendedRights {isacl: true, isinherited: false}]-(ADMINISTRATORS@CONTOSO.LOCAL)},\n", " {'p': (CONTOSO.LOCAL)<-[:WriteOwner {isacl: true, isinherited: false}]-(DOMAIN ADMINS@CONTOSO.LOCAL)},\n", " {'p': (CONTOSO.LOCAL)<-[:WriteOwner {isacl: true, isinherited: false}]-(ADMINISTRATORS@CONTOSO.LOCAL)},\n", " {'p': (CONTOSO.LOCAL)<-[:WriteDacl {isacl: true, isinherited: false}]-(DOMAIN ADMINS@CONTOSO.LOCAL)},\n", " {'p': (CONTOSO.LOCAL)<-[:WriteDacl {isacl: true, isinherited: false}]-(ADMINISTRATORS@CONTOSO.LOCAL)},\n", " {'p': (CONTOSO.LOCAL)<-[:Owns {isacl: true, isinherited: false}]-(ADMINISTRATORS@CONTOSO.LOCAL)}]" ] }, "execution_count": 7, "metadata": {}, "output_type": "execute_result" } ], "source": [ "graph.run(\n", "'''\n", "MATCH (n:Domain) MATCH p=(n)-[r]-() RETURN p\n", "'''\n", ").data()" ] }, { "cell_type": "markdown", "metadata": {}, "source": [ "## High Value Target Group\n", "**Author:** Ryan Hausknecht (@haus3c)\n", "\n", "**Description:** Show all high value target group\n" ] }, { "cell_type": "code", "execution_count": 8, "metadata": {}, "outputs": [ { "data": 
{ "text/plain": [ "[{'p': (ADMINISTRATOR@CONTOSO.LOCAL)-[:MemberOf {isacl: false}]->(ENTERPRISE ADMINS@CONTOSO.LOCAL)},\n", " {'p': (ACHILES@CONTOSO.LOCAL)-[:MemberOf {isacl: false}]->(ENTERPRISE ADMINS@CONTOSO.LOCAL)},\n", " {'p': (SQL01@CONTOSO.LOCAL)-[:MemberOf {isacl: false}]->(DOMAIN ADMINS@CONTOSO.LOCAL)},\n", " {'p': (DAVID.MCGUIRE@CONTOSO.LOCAL)-[:MemberOf {isacl: false}]->(DOMAIN ADMINS@CONTOSO.LOCAL)},\n", " {'p': (ADMINISTRATOR@CONTOSO.LOCAL)-[:MemberOf {isacl: false}]->(DOMAIN ADMINS@CONTOSO.LOCAL)},\n", " {'p': (JPRAGER@CONTOSO.LOCAL)-[:MemberOf {isacl: false}]->(DOMAIN USERS@CONTOSO.LOCAL)-[:MemberOf {isacl: false}]->(ADMINISTRATORS@CONTOSO.LOCAL)},\n", " {'p': (SQL2016@CONTOSO.LOCAL)-[:MemberOf {isacl: false}]->(DOMAIN USERS@CONTOSO.LOCAL)-[:MemberOf {isacl: false}]->(ADMINISTRATORS@CONTOSO.LOCAL)},\n", " {'p': (DAVID.MCGUIRE@CONTOSO.LOCAL)-[:MemberOf {isacl: false}]->(DOMAIN USERS@CONTOSO.LOCAL)-[:MemberOf {isacl: false}]->(ADMINISTRATORS@CONTOSO.LOCAL)},\n", " {'p': (BOB.ACCOUNTING@CONTOSO.LOCAL)-[:MemberOf {isacl: false}]->(DOMAIN USERS@CONTOSO.LOCAL)-[:MemberOf {isacl: false}]->(ADMINISTRATORS@CONTOSO.LOCAL)},\n", " {'p': (DEFAULTACCOUNT@CONTOSO.LOCAL)-[:MemberOf {isacl: false}]->(DOMAIN USERS@CONTOSO.LOCAL)-[:MemberOf {isacl: false}]->(ADMINISTRATORS@CONTOSO.LOCAL)},\n", " {'p': (JEFFMCJUNKIN@CONTOSO.LOCAL)-[:MemberOf {isacl: false}]->(DOMAIN USERS@CONTOSO.LOCAL)-[:MemberOf {isacl: false}]->(ADMINISTRATORS@CONTOSO.LOCAL)},\n", " {'p': (ADMINISTRATOR@CONTOSO.LOCAL)-[:MemberOf {isacl: false}]->(DOMAIN USERS@CONTOSO.LOCAL)-[:MemberOf {isacl: false}]->(ADMINISTRATORS@CONTOSO.LOCAL)},\n", " {'p': (SQL2014@CONTOSO.LOCAL)-[:MemberOf {isacl: false}]->(DOMAIN USERS@CONTOSO.LOCAL)-[:MemberOf {isacl: false}]->(ADMINISTRATORS@CONTOSO.LOCAL)},\n", " {'p': (DPOLOJAC@CONTOSO.LOCAL)-[:MemberOf {isacl: false}]->(DOMAIN USERS@CONTOSO.LOCAL)-[:MemberOf {isacl: false}]->(ADMINISTRATORS@CONTOSO.LOCAL)},\n", " {'p': (JEFF.DIMMOCK@CONTOSO.LOCAL)-[:MemberOf {isacl: 
false}]->(DOMAIN USERS@CONTOSO.LOCAL)-[:MemberOf {isacl: false}]->(ADMINISTRATORS@CONTOSO.LOCAL)},\n", " {'p': (KRBTGT@CONTOSO.LOCAL)-[:MemberOf {isacl: false}]->(DOMAIN USERS@CONTOSO.LOCAL)-[:MemberOf {isacl: false}]->(ADMINISTRATORS@CONTOSO.LOCAL)},\n", " {'p': (SVC_SHARPHOUND@CONTOSO.LOCAL)-[:MemberOf {isacl: false}]->(DOMAIN USERS@CONTOSO.LOCAL)-[:MemberOf {isacl: false}]->(ADMINISTRATORS@CONTOSO.LOCAL)},\n", " {'p': (SAMECN1@CONTOSO.LOCAL)-[:MemberOf {isacl: false}]->(DOMAIN USERS@CONTOSO.LOCAL)-[:MemberOf {isacl: false}]->(ADMINISTRATORS@CONTOSO.LOCAL)},\n", " {'p': (SAMECN2@CONTOSO.LOCAL)-[:MemberOf {isacl: false}]->(DOMAIN USERS@CONTOSO.LOCAL)-[:MemberOf {isacl: false}]->(ADMINISTRATORS@CONTOSO.LOCAL)},\n", " {'p': (LPAINE@CONTOSO.LOCAL)-[:MemberOf {isacl: false}]->(DOMAIN USERS@CONTOSO.LOCAL)-[:MemberOf {isacl: false}]->(ADMINISTRATORS@CONTOSO.LOCAL)},\n", " {'p': (GPOADMIN@CONTOSO.LOCAL)-[:MemberOf {isacl: false}]->(DOMAIN USERS@CONTOSO.LOCAL)-[:MemberOf {isacl: false}]->(ADMINISTRATORS@CONTOSO.LOCAL)},\n", " {'p': (SQL2017@CONTOSO.LOCAL)-[:MemberOf {isacl: false}]->(DOMAIN USERS@CONTOSO.LOCAL)-[:MemberOf {isacl: false}]->(ADMINISTRATORS@CONTOSO.LOCAL)},\n", " {'p': (DHOHNSTEIN@CONTOSO.LOCAL)-[:MemberOf {isacl: false}]->(DOMAIN USERS@CONTOSO.LOCAL)-[:MemberOf {isacl: false}]->(ADMINISTRATORS@CONTOSO.LOCAL)},\n", " {'p': (JBUI@CONTOSO.LOCAL)-[:MemberOf {isacl: false}]->(DOMAIN USERS@CONTOSO.LOCAL)-[:MemberOf {isacl: false}]->(ADMINISTRATORS@CONTOSO.LOCAL)},\n", " {'p': (MMERRILL@CONTOSO.LOCAL)-[:MemberOf {isacl: false}]->(DOMAIN USERS@CONTOSO.LOCAL)-[:MemberOf {isacl: false}]->(ADMINISTRATORS@CONTOSO.LOCAL)},\n", " {'p': (BADAMS@CONTOSO.LOCAL)-[:MemberOf {isacl: false}]->(DOMAIN USERS@CONTOSO.LOCAL)-[:MemberOf {isacl: false}]->(ADMINISTRATORS@CONTOSO.LOCAL)},\n", " {'p': (BSCULLION@CONTOSO.LOCAL)-[:MemberOf {isacl: false}]->(DOMAIN USERS@CONTOSO.LOCAL)-[:MemberOf {isacl: false}]->(ADMINISTRATORS@CONTOSO.LOCAL)},\n", " {'p': 
(BREITZ@CONTOSO.LOCAL)-[:MemberOf {isacl: false}]->(DOMAIN USERS@CONTOSO.LOCAL)-[:MemberOf {isacl: false}]->(ADMINISTRATORS@CONTOSO.LOCAL)},\n", " {'p': (JGOODGION@CONTOSO.LOCAL)-[:MemberOf {isacl: false}]->(DOMAIN USERS@CONTOSO.LOCAL)-[:MemberOf {isacl: false}]->(ADMINISTRATORS@CONTOSO.LOCAL)},\n", " {'p': (ACHILES@CONTOSO.LOCAL)-[:MemberOf {isacl: false}]->(DOMAIN USERS@CONTOSO.LOCAL)-[:MemberOf {isacl: false}]->(ADMINISTRATORS@CONTOSO.LOCAL)},\n", " {'p': (WSCHROEDER@CONTOSO.LOCAL)-[:MemberOf {isacl: false}]->(DOMAIN USERS@CONTOSO.LOCAL)-[:MemberOf {isacl: false}]->(ADMINISTRATORS@CONTOSO.LOCAL)},\n", " {'p': (LCHRISTENSEN@CONTOSO.LOCAL)-[:MemberOf {isacl: false}]->(DOMAIN USERS@CONTOSO.LOCAL)-[:MemberOf {isacl: false}]->(ADMINISTRATORS@CONTOSO.LOCAL)},\n", " {'p': (JATKINSON@CONTOSO.LOCAL)-[:MemberOf {isacl: false}]->(DOMAIN USERS@CONTOSO.LOCAL)-[:MemberOf {isacl: false}]->(ADMINISTRATORS@CONTOSO.LOCAL)},\n", " {'p': (ADMINISTRATOR@CONTOSO.LOCAL)-[:MemberOf {isacl: false}]->(ADMINISTRATORS@CONTOSO.LOCAL)},\n", " {'p': (ADMINISTRATOR@CONTOSO.LOCAL)-[:MemberOf {isacl: false}]->(GROUP POLICY CREATOR OWNERS@CONTOSO.LOCAL)}]" ] }, "execution_count": 8, "metadata": {}, "output_type": "execute_result" } ], "source": [ "graph.run(\n", "'''\n", "MATCH p=(n:User)-[r:MemberOf*1..]->(m:Group {highvalue:true})\n", "RETURN p\n", "'''\n", ").data()" ] }, { "cell_type": "markdown", "metadata": {}, "source": [ "## Shortest Path to DA Groups from Domain Users Groups\n", "**Author:** Ryan Hausknecht (@haus3c)\n", "\n", "**Description:** Shortest paths to Domain Admins group from the Domain Users group\n" ] }, { "cell_type": "code", "execution_count": 9, "metadata": {}, "outputs": [ { "data": { "text/plain": [ "[{'p': (DOMAIN USERS@CONTOSO.LOCAL)-[:MemberOf {isacl: false}]->(ADMINISTRATORS@CONTOSO.LOCAL)-[:WriteDacl {isacl: true, isinherited: false}]->(DOMAIN ADMINS@CONTOSO.LOCAL)}]" ] }, "execution_count": 9, "metadata": {}, "output_type": "execute_result" } ], "source": [ 
"graph.run(\n", "'''\n", "MATCH (g:Group)\n", "WHERE g.name =~ 'DOMAIN USERS@.*'\n", "MATCH (g1:Group)\n", "WHERE g1.name =~ 'DOMAIN ADMINS@.*'\n", "OPTIONAL MATCH p=shortestPath((g)-[r:MemberOf|HasSession|AdminTo|AllExtendedRights|AddMember|ForceChangePassword|GenericAll|GenericWrite|Owns|WriteDacl|WriteOwner|CanRDP|ExecuteDCOM|AllowedToDelegate|ReadLAPSPassword|Contains|GpLink|AddAllowedToAct|AllowedToAct|SQLAdmin*1..]->(g1))\n", "RETURN p\n", "'''\n", ").data()" ] }, { "cell_type": "markdown", "metadata": {}, "source": [ "## ASP-REQ Roastable Users\n", "**Author:** Ryan Hausknecht (@haus3c)\n", "\n", "**Description:** Find user that doesn’t require kerberos pre-authentication (aka AS-REP Roasting)\n" ] }, { "cell_type": "code", "execution_count": 10, "metadata": {}, "outputs": [ { "data": { "text/plain": [ "[]" ] }, "execution_count": 10, "metadata": {}, "output_type": "execute_result" } ], "source": [ "graph.run(\n", "'''\n", "MATCH (u:User {dontreqpreauth: true})\n", "RETURN u\n", "'''\n", ").data()" ] }, { "cell_type": "markdown", "metadata": {}, "source": [ "## Unprivileged Users with Rights to Add Members to Groups\n", "**Author:** Ryan Hausknecht (@haus3c)\n", "\n", "**Description:** Find if unprivileged users have rights to add members into groups\n" ] }, { "cell_type": "code", "execution_count": 11, "metadata": {}, "outputs": [ { "data": { "text/plain": [ "[]" ] }, "execution_count": 11, "metadata": {}, "output_type": "execute_result" } ], "source": [ "graph.run(\n", "'''\n", "MATCH (n:User {admincount:False})\n", "MATCH p=allShortestPaths((n)-[r:AddMember*1..]->(m:Group))\n", "RETURN p\n", "'''\n", ").data()" ] }, { "cell_type": "markdown", "metadata": {}, "source": [ "## Users that Logged in ithin Threshold\n", "**Author:** Ryan Hausknecht (@haus3c)\n", "\n", "**Description:** Find users that logged in within the last 90 days. 
Change 90 to whatever threshold you want. Note that `u.lastlogon <` the threshold selects accounts whose last logon is older than 90 days, the opposite of this description; use `>` for logons within the window.\n" ] }, { "cell_type": "code", "execution_count": 12, "metadata": {}, "outputs": [ { "data": { "text/plain": [ "[{'u.name': 'JEFFMCJUNKIN@CONTOSO.LOCAL'},\n", " {'u.name': 'SQL2014@CONTOSO.LOCAL'},\n", " {'u.name': 'JBUI@CONTOSO.LOCAL'},\n", " {'u.name': 'BOB.ACCOUNTING@CONTOSO.LOCAL'},\n", " {'u.name': 'DPOLOJAC@CONTOSO.LOCAL'},\n", " {'u.name': 'DHOHNSTEIN@CONTOSO.LOCAL'},\n", " {'u.name': 'LPAINE@CONTOSO.LOCAL'},\n", " {'u.name': 'SQL2016@CONTOSO.LOCAL'},\n", " {'u.name': 'SQL2017@CONTOSO.LOCAL'},\n", " {'u.name': 'SQL01@CONTOSO.LOCAL'}]" ] }, "execution_count": 12, "metadata": {}, "output_type": "execute_result" } ], "source": [ "graph.run(\n", "'''\n", "MATCH (u:User)\n", "WHERE u.lastlogon < (datetime().epochseconds - (90 * 86400)) and NOT u.lastlogon IN [-1.0, 0.0]\n", "RETURN u.name\n", "'''\n", ").data()" ] }, { "cell_type": "markdown", "metadata": {}, "source": [ "## Shortest Path to DA Groups from Non-Privileged Domain Users\n", "**Author:** Ryan Hausknecht (@haus3c)\n", "\n", "**Description:** Shortest paths to Domain Admins group from non privileged users (AdminCount=false)\n" ] }, { "cell_type": "code", "execution_count": 13, "metadata": {}, "outputs": [ { "data": { "text/plain": [ "[]" ] }, "execution_count": 13, "metadata": {}, "output_type": "execute_result" } ], "source": [ "graph.run(\n", "'''\n", "MATCH (n:User {admincount:false}),(m:Group {name:'DOMAIN ADMINS@CONTOSO.LOCAL'}),p=shortestPath((n)-[r:MemberOf|HasSession|AdminTo|AllExtendedRights|AddMember|ForceChangePassword|GenericAll|GenericWrite|Owns|WriteDacl|WriteOwner|CanRDP|ExecuteDCOM|AllowedToDelegate|ReadLAPSPassword|Contains|GpLink|AddAllowedToAct|AllowedToAct*1..]->(m))\n", "RETURN p\n", "'''\n", ").data()" ] }, { "cell_type": "markdown", "metadata": {}, "source": [ "## Unsupported OSs\n", "**Author:** Ryan Hausknecht (@haus3c)\n", "\n", "**Description:** Find unsupported OSs. Note that the pattern below ends in `)*.`, so it also matches operating-system names containing none of the listed versions (the cell result includes Windows Server 2016 hosts); the intended form is `.*(2000|2003|2008|xp|vista|7|me).*`.\n" ] }, { "cell_type": "code", "execution_count": 14, "metadata": {}, 
"outputs": [ { "data": { "text/plain": [ "[{'H.name': 'PCI-SERVER-001.CONTOSO.LOCAL'},\n", " {'H.name': 'DC-2016-001.CONTOSO.LOCAL'},\n", " {'H.name': 'WIN-2016-001.CONTOSO.LOCAL'},\n", " {'H.name': 'DESKTOP-4AMBQF0.CONTOSO.LOCAL'},\n", " {'H.name': 'WIN10-001.CONTOSO.LOCAL'}]" ] }, "execution_count": 14, "metadata": {}, "output_type": "execute_result" } ], "source": [ "graph.run(\n", "'''\n", "MATCH (H:Computer) WHERE H.operatingsystem =~ '.*(2000|2003|2008|xp|vista|7|me)*.'\n", "RETURN H.name\n", "'''\n", ").data()" ] }, { "cell_type": "markdown", "metadata": {}, "source": [ "## Top 10 Users with Most Sessions\n", "**Author:** Walter.Legowski (@SadProcessor)\n", "\n", "**Description:** List Top 10 Users with Most Sessions\n" ] }, { "cell_type": "code", "execution_count": 15, "metadata": {}, "outputs": [ { "data": { "text/plain": [ "[{'n': (_165:Base:User {admincount: true, displayname: 'Andrew Chiles', distinguishedname: 'CN=Andrew Chiles,OU=PCI Admins,OU=PCI Enclave,DC=contoso,DC=local', domain: 'CONTOSO.LOCAL', dontreqpreauth: false, enabled: true, hasspn: false, highvalue: false, lastlogon: -1.0, lastlogontimestamp: -1.0, name: 'ACHILES@CONTOSO.LOCAL', objectid: 'S-1-5-21-153951712-174133717-528793688-125934', owned: false, passwordnotreqd: false, pwdlastset: 1586797965.0, pwdneverexpires: true, sensitive: false, serviceprincipalnames: [], sidhistory: [], unconstraineddelegation: false}),\n", " 'r': (RD-WIN10-001.CONTOSO.LOCAL)-[:HasSession {isacl: false}]->(ACHILES@CONTOSO.LOCAL),\n", " 'm': (_175:Base:Computer {distinguishedname: 'CN=RD-WIN10-001,OU=R&D Computers,OU=Research and Development,DC=contoso,DC=local', domain: 'CONTOSO.LOCAL', enabled: true, haslaps: false, highvalue: false, lastlogontimestamp: -1.0, name: 'RD-WIN10-001.CONTOSO.LOCAL', objectid: 'S-1-5-21-153951712-174133717-528793688-125944', owned: false, pwdlastset: 1586798704.0, serviceprincipalnames: [], unconstraineddelegation: false})},\n", " {'n': (_11:Base:User {admincount: true, 
description: 'Built-in account for administering the computer/domain', distinguishedname: 'CN=Administrator,CN=Users,DC=contoso,DC=local', domain: 'CONTOSO.LOCAL', dontreqpreauth: false, enabled: true, hasspn: false, highvalue: false, lastlogon: 1586793173.0, lastlogontimestamp: 1586738080.0, name: 'ADMINISTRATOR@CONTOSO.LOCAL', objectid: 'S-1-5-21-153951712-174133717-528793688-500', owned: false, passwordnotreqd: false, pwdlastset: 1560189819.0, pwdneverexpires: true, sensitive: false, serviceprincipalnames: [], sidhistory: [], unconstraineddelegation: false}),\n", " 'r': (PCI-SERVER-001.CONTOSO.LOCAL)-[:HasSession {isacl: false}]->(ADMINISTRATOR@CONTOSO.LOCAL),\n", " 'm': (_40:Base:Computer {distinguishedname: 'CN=PCI-SERVER-001,OU=PCI Computers,OU=PCI Enclave,DC=contoso,DC=local', domain: 'CONTOSO.LOCAL', enabled: true, haslaps: false, highvalue: false, lastlogontimestamp: 1586551062.0, name: 'PCI-SERVER-001.CONTOSO.LOCAL', objectid: 'S-1-5-21-153951712-174133717-528793688-1617', operatingsystem: 'Windows Server 2016 Standard', owned: false, pwdlastset: 1585683416.0, serviceprincipalnames: ['WSMAN/PCI-SERVER-001', 'WSMAN/PCI-SERVER-001.contoso.local', 'RestrictedKrbHost/PCI-SERVER-001', 'HOST/PCI-SERVER-001', 'RestrictedKrbHost/PCI-SERVER-001.contoso.local', 'HOST/PCI-SERVER-001.contoso.local'], unconstraineddelegation: false})}]" ] }, "execution_count": 15, "metadata": {}, "output_type": "execute_result" } ], "source": [ "graph.run(\n", "'''\n", "MATCH (n:User),(m:Computer),(n)<-[r:HasSession]-(m) \n", "WHERE NOT n.name STARTS WITH 'ANONYMOUS LOGON' \n", "AND NOT n.name='' WITH n, \n", "count(r) as rel_count \n", "order by rel_count desc \n", "LIMIT 10 \n", "MATCH (m)-[r:HasSession]->(n) \n", "RETURN n,r,m\n", "'''\n", ").data()" ] }, { "cell_type": "markdown", "metadata": {}, "source": [ "## Users with Passwords Last Set within Threshold\n", "**Author:** Ryan Hausknecht (@haus3c)\n", "\n", "**Description:** Find users with passwords last set within the last 90 
days. Change 90 to whatever threshold you want. Note that the query below is a copy of the last-logon query: it compares `u.lastlogon`, and `<` selects values older than the threshold; to match this description compare `u.pwdlastset` with `>` instead.\n" ] }, { "cell_type": "code", "execution_count": 16, "metadata": {}, "outputs": [ { "data": { "text/plain": [ "[{'u.name': 'JEFFMCJUNKIN@CONTOSO.LOCAL'},\n", " {'u.name': 'SQL2014@CONTOSO.LOCAL'},\n", " {'u.name': 'JBUI@CONTOSO.LOCAL'},\n", " {'u.name': 'BOB.ACCOUNTING@CONTOSO.LOCAL'},\n", " {'u.name': 'DPOLOJAC@CONTOSO.LOCAL'},\n", " {'u.name': 'DHOHNSTEIN@CONTOSO.LOCAL'},\n", " {'u.name': 'LPAINE@CONTOSO.LOCAL'},\n", " {'u.name': 'SQL2016@CONTOSO.LOCAL'},\n", " {'u.name': 'SQL2017@CONTOSO.LOCAL'},\n", " {'u.name': 'SQL01@CONTOSO.LOCAL'}]" ] }, "execution_count": 16, "metadata": {}, "output_type": "execute_result" } ], "source": [ "graph.run(\n", "'''\n", "MATCH (u:User)\n", "WHERE u.lastlogon < (datetime().epochseconds - (90 * 86400)) and NOT u.lastlogon IN [-1.0, 0.0]\n", "RETURN u.name\n", "'''\n", ").data()" ] }, { "cell_type": "markdown", "metadata": {}, "source": [ "## Shortest Path to DA Groups from Computers\n", "**Author:** Ryan Hausknecht (@haus3c), Roberto Rodriguez (@Cyb3rWard0g)\n", "\n", "**Description:** Shortest paths to Domain Admins group from computers\n" ] }, { "cell_type": "code", "execution_count": 17, "metadata": {}, "outputs": [ { "data": { "text/plain": [ "[{'p': (PCI-SERVER-001.CONTOSO.LOCAL)-[:HasSession {isacl: false}]->(ADMINISTRATOR@CONTOSO.LOCAL)-[:MemberOf {isacl: false}]->(DOMAIN ADMINS@CONTOSO.LOCAL)},\n", " {'p': (RD-WIN10-001.CONTOSO.LOCAL)-[:HasSession {isacl: false}]->(ACHILES@CONTOSO.LOCAL)-[:MemberOf {isacl: false}]->(ENTERPRISE ADMINS@CONTOSO.LOCAL)-[:WriteDacl {isacl: true, isinherited: false}]->(DOMAIN ADMINS@CONTOSO.LOCAL)}]" ] }, "execution_count": 17, "metadata": {}, "output_type": "execute_result" } ], "source": [ "graph.run(\n", "'''\n", "MATCH (n:Computer),(m:Group {name:'DOMAIN 
ADMINS@CONTOSO.LOCAL'}),p=shortestPath((n)-[r:MemberOf|HasSession|AdminTo|AllExtendedRights|AddMember|ForceChangePassword|GenericAll|GenericWrite|Owns|WriteDacl|WriteOwner|CanRDP|ExecuteDCOM|AllowedToDelegate|ReadLAPSPassword|Contains|GpLink|AddAllowedToAct|AllowedToAct*1..]->(m))\n", "RETURN p\n", "'''\n", ").data()" ] }, { "cell_type": "markdown", "metadata": {}, "source": [ "## All Domain Users CanRDP Edges Against all Computers\n", "**Author:** Ryan Hausknecht (@haus3c)\n", "\n", "**Description:** Find only the CanRDP privileges (edges) of the domain users against the domain computers\n" ] }, { "cell_type": "code", "execution_count": 18, "metadata": {}, "outputs": [ { "data": { "text/plain": [ "[]" ] }, "execution_count": 18, "metadata": {}, "output_type": "execute_result" } ], "source": [ "graph.run(\n", "'''\n", "MATCH p1=shortestPath(((u1:User)-[r1:MemberOf*1..]->(g1:Group)))\n", "MATCH p2=(u1)-[:CanRDP*1..]->(c:Computer)\n", "RETURN p2\n", "'''\n", ").data()" ] }, { "cell_type": "markdown", "metadata": {}, "source": [ "## All Domain Users AdminTo Edges Against all Computers\n", "**Author:** Ryan Hausknecht (@haus3c)\n", "\n", "**Description:** Find only the AdminTo privileges (edges) of the domain users against the domain computers\n" ] }, { "cell_type": "code", "execution_count": 19, "metadata": {}, "outputs": [ { "data": { "text/plain": [ "[{'p2': (ADMINISTRATOR@CONTOSO.LOCAL)-[:AdminTo {fromgpo: false, isacl: false}]->(DC-2016-001.CONTOSO.LOCAL)},\n", " {'p2': (ADMINISTRATOR@CONTOSO.LOCAL)-[:AdminTo {fromgpo: false, isacl: false}]->(DC-2016-001.CONTOSO.LOCAL)},\n", " {'p2': (ADMINISTRATOR@CONTOSO.LOCAL)-[:AdminTo {fromgpo: false, isacl: false}]->(DC-2016-001.CONTOSO.LOCAL)},\n", " {'p2': (ADMINISTRATOR@CONTOSO.LOCAL)-[:AdminTo {fromgpo: false, isacl: false}]->(DC-2016-001.CONTOSO.LOCAL)},\n", " {'p2': (ADMINISTRATOR@CONTOSO.LOCAL)-[:AdminTo {fromgpo: false, isacl: false}]->(DC-2016-001.CONTOSO.LOCAL)},\n", " {'p2': (ADMINISTRATOR@CONTOSO.LOCAL)-[:AdminTo 
{fromgpo: false, isacl: false}]->(DC-2016-001.CONTOSO.LOCAL)},\n", " {'p2': (ADMINISTRATOR@CONTOSO.LOCAL)-[:AdminTo {fromgpo: false, isacl: false}]->(DC-2016-001.CONTOSO.LOCAL)},\n", " {'p2': (ADMINISTRATOR@CONTOSO.LOCAL)-[:AdminTo {fromgpo: false, isacl: false}]->(DC-2016-001.CONTOSO.LOCAL)},\n", " {'p2': (ADMINISTRATOR@CONTOSO.LOCAL)-[:AdminTo {fromgpo: false, isacl: false}]->(DC-2016-001.CONTOSO.LOCAL)},\n", " {'p2': (ADMINISTRATOR@CONTOSO.LOCAL)-[:AdminTo {fromgpo: false, isacl: false}]->(DC-2016-001.CONTOSO.LOCAL)},\n", " {'p2': (ADMINISTRATOR@CONTOSO.LOCAL)-[:AdminTo {fromgpo: false, isacl: false}]->(DC-2016-001.CONTOSO.LOCAL)}]" ] }, "execution_count": 19, "metadata": {}, "output_type": "execute_result" } ], "source": [ "graph.run(\n", "'''\n", "MATCH p1=shortestPath(((u1:User)-[r1:MemberOf*1..]->(g1:Group)))\n", "MATCH p2=(u1)-[:AdminTo*1..]->(c:Computer)\n", "RETURN p2\n", "'''\n", ").data()" ] }, { "cell_type": "markdown", "metadata": {}, "source": [ "## Active Users Sessions in all Domain Computers\n", "**Author:** Ryan Hausknecht (@haus3c)\n", "\n", "**Description:** Find the active user sessions on all domain computers\n" ] }, { "cell_type": "code", "execution_count": 20, "metadata": {}, "outputs": [ { "data": { "text/plain": [ "[{'p2': (PCI-SERVER-001.CONTOSO.LOCAL)-[:HasSession {isacl: false}]->(ADMINISTRATOR@CONTOSO.LOCAL)},\n", " {'p2': (PCI-SERVER-001.CONTOSO.LOCAL)-[:HasSession {isacl: false}]->(ADMINISTRATOR@CONTOSO.LOCAL)},\n", " {'p2': (PCI-SERVER-001.CONTOSO.LOCAL)-[:HasSession {isacl: false}]->(ADMINISTRATOR@CONTOSO.LOCAL)},\n", " {'p2': (PCI-SERVER-001.CONTOSO.LOCAL)-[:HasSession {isacl: false}]->(ADMINISTRATOR@CONTOSO.LOCAL)},\n", " {'p2': (PCI-SERVER-001.CONTOSO.LOCAL)-[:HasSession {isacl: false}]->(ADMINISTRATOR@CONTOSO.LOCAL)},\n", " {'p2': (PCI-SERVER-001.CONTOSO.LOCAL)-[:HasSession {isacl: false}]->(ADMINISTRATOR@CONTOSO.LOCAL)},\n", " {'p2': (PCI-SERVER-001.CONTOSO.LOCAL)-[:HasSession {isacl: 
false}]->(ADMINISTRATOR@CONTOSO.LOCAL)},\n", " {'p2': (PCI-SERVER-001.CONTOSO.LOCAL)-[:HasSession {isacl: false}]->(ADMINISTRATOR@CONTOSO.LOCAL)},\n", " {'p2': (PCI-SERVER-001.CONTOSO.LOCAL)-[:HasSession {isacl: false}]->(ADMINISTRATOR@CONTOSO.LOCAL)},\n", " {'p2': (PCI-SERVER-001.CONTOSO.LOCAL)-[:HasSession {isacl: false}]->(ADMINISTRATOR@CONTOSO.LOCAL)},\n", " {'p2': (PCI-SERVER-001.CONTOSO.LOCAL)-[:HasSession {isacl: false}]->(ADMINISTRATOR@CONTOSO.LOCAL)},\n", " {'p2': (RD-WIN10-001.CONTOSO.LOCAL)-[:HasSession {isacl: false}]->(ACHILES@CONTOSO.LOCAL)},\n", " {'p2': (RD-WIN10-001.CONTOSO.LOCAL)-[:HasSession {isacl: false}]->(ACHILES@CONTOSO.LOCAL)},\n", " {'p2': (RD-WIN10-001.CONTOSO.LOCAL)-[:HasSession {isacl: false}]->(ACHILES@CONTOSO.LOCAL)},\n", " {'p2': (RD-WIN10-001.CONTOSO.LOCAL)-[:HasSession {isacl: false}]->(ACHILES@CONTOSO.LOCAL)},\n", " {'p2': (RD-WIN10-001.CONTOSO.LOCAL)-[:HasSession {isacl: false}]->(ACHILES@CONTOSO.LOCAL)},\n", " {'p2': (RD-WIN10-001.CONTOSO.LOCAL)-[:HasSession {isacl: false}]->(ACHILES@CONTOSO.LOCAL)},\n", " {'p2': (RD-WIN10-001.CONTOSO.LOCAL)-[:HasSession {isacl: false}]->(ACHILES@CONTOSO.LOCAL)},\n", " {'p2': (RD-WIN10-001.CONTOSO.LOCAL)-[:HasSession {isacl: false}]->(ACHILES@CONTOSO.LOCAL)}]" ] }, "execution_count": 20, "metadata": {}, "output_type": "execute_result" } ], "source": [ "graph.run(\n", "'''\n", "MATCH p1=shortestPath(((u1:User)-[r1:MemberOf*1..]->(g1:Group)))\n", "MATCH p2=(c:Computer)-[*1]->(u1)\n", "RETURN p2\n", "'''\n", ").data()" ] }, { "cell_type": "markdown", "metadata": {}, "source": [ "## Kerberoastable Users with a path to DA\n", "**Author:** Ryan Hausknecht (@haus3c)\n", "\n", "**Description:** Find Kerberoastable Users with a path to DA\n" ] }, { "cell_type": "code", "execution_count": 21, "metadata": {}, "outputs": [ { "data": { "text/plain": [ "[{'p': (KRBTGT@CONTOSO.LOCAL)-[:MemberOf {isacl: false}]->(DOMAIN USERS@CONTOSO.LOCAL)-[:MemberOf {isacl: false}]->(ADMINISTRATORS@CONTOSO.LOCAL)-[:WriteDacl 
{isacl: true, isinherited: false}]->(DOMAIN ADMINS@CONTOSO.LOCAL)},\n", " {'p': (SQL2014@CONTOSO.LOCAL)-[:MemberOf {isacl: false}]->(DOMAIN USERS@CONTOSO.LOCAL)-[:MemberOf {isacl: false}]->(ADMINISTRATORS@CONTOSO.LOCAL)-[:WriteDacl {isacl: true, isinherited: false}]->(DOMAIN ADMINS@CONTOSO.LOCAL)}]" ] }, "execution_count": 21, "metadata": {}, "output_type": "execute_result" } ], "source": [ "graph.run(\n", "'''\n", "MATCH (u:User {hasspn:true})\n", "MATCH (g:Group)\n", "WHERE g.name CONTAINS 'DOMAIN ADMINS' MATCH p = shortestPath( (u)-[*1..]->(g) )\n", "RETURN p\n", "'''\n", ").data()" ] }, { "cell_type": "markdown", "metadata": {}, "source": [ "## Kerberoastable Users\n", "**Author:** Ryan Hausknecht (@haus3c)\n", "\n", "**Description:** Find All Users with an SPN/Find all Kerberoastable Users\n" ] }, { "cell_type": "code", "execution_count": 22, "metadata": {}, "outputs": [ { "data": { "text/plain": [ "[{'n.name': 'KRBTGT@CONTOSO.LOCAL'}, {'n.name': 'SQL2014@CONTOSO.LOCAL'}]" ] }, "execution_count": 22, "metadata": {}, "output_type": "execute_result" } ], "source": [ "graph.run(\n", "'''\n", "MATCH (n:User)WHERE n.hasspn=true\n", "RETURN n.name\n", "'''\n", ").data()" ] }, { "cell_type": "markdown", "metadata": {}, "source": [ "## Specific Users Edges to All Nodes\n", "**Author:** Ryan Hausknecht (@haus3c)\n", "\n", "**Description:** Find all Edges that a specific user has against all the nodes (HasSession is not calculated, as it is an edge that comes from computer to user, not from user to computer)\n" ] }, { "cell_type": "code", "execution_count": 23, "metadata": {}, "outputs": [ { "data": { "text/plain": [ "[{'p': (JEFFMCJUNKIN@CONTOSO.LOCAL)-[:GenericAll {isacl: true, isinherited: false}]->(CONTOSO USERS@CONTOSO.LOCAL)},\n", " {'p': (JEFFMCJUNKIN@CONTOSO.LOCAL)-[:MemberOf {isacl: false}]->(DOMAIN USERS@CONTOSO.LOCAL)-[:MemberOf {isacl: false}]->(ADMINISTRATORS@CONTOSO.LOCAL)-[:WriteDacl {isacl: true, isinherited: true}]->(SQLUSERS@CONTOSO.LOCAL)},\n", " 
{'p': (JEFFMCJUNKIN@CONTOSO.LOCAL)-[:MemberOf {isacl: false}]->(DOMAIN USERS@CONTOSO.LOCAL)-[:MemberOf {isacl: false}]->(ADMINISTRATORS@CONTOSO.LOCAL)-[:WriteOwner {isacl: true, isinherited: true}]->(SQLUSERS@CONTOSO.LOCAL)},\n", " {'p': (JEFFMCJUNKIN@CONTOSO.LOCAL)-[:MemberOf {isacl: false}]->(DOMAIN USERS@CONTOSO.LOCAL)-[:MemberOf {isacl: false}]->(ADMINISTRATORS@CONTOSO.LOCAL)-[:WriteDacl {isacl: true, isinherited: true}]->(PCI ENCLAVE@CONTOSO.LOCAL)},\n", " {'p': (JEFFMCJUNKIN@CONTOSO.LOCAL)-[:MemberOf {isacl: false}]->(DOMAIN USERS@CONTOSO.LOCAL)-[:MemberOf {isacl: false}]->(ADMINISTRATORS@CONTOSO.LOCAL)-[:WriteOwner {isacl: true, isinherited: true}]->(PCI ENCLAVE@CONTOSO.LOCAL)},\n", " {'p': (JEFFMCJUNKIN@CONTOSO.LOCAL)-[:MemberOf {isacl: false}]->(DOMAIN USERS@CONTOSO.LOCAL)-[:MemberOf {isacl: false}]->(ADMINISTRATORS@CONTOSO.LOCAL)-[:WriteDacl {isacl: true, isinherited: true}]->(PCI COMPUTERS@CONTOSO.LOCAL)},\n", " {'p': (JEFFMCJUNKIN@CONTOSO.LOCAL)-[:MemberOf {isacl: false}]->(DOMAIN USERS@CONTOSO.LOCAL)-[:MemberOf {isacl: false}]->(ADMINISTRATORS@CONTOSO.LOCAL)-[:WriteOwner {isacl: true, isinherited: true}]->(PCI COMPUTERS@CONTOSO.LOCAL)},\n", " {'p': (JEFFMCJUNKIN@CONTOSO.LOCAL)-[:MemberOf {isacl: false}]->(DOMAIN USERS@CONTOSO.LOCAL)-[:MemberOf {isacl: false}]->(ADMINISTRATORS@CONTOSO.LOCAL)-[:WriteOwner {isacl: true, isinherited: true}]->(DOMAIN CONTROLLERS@CONTOSO.LOCAL)},\n", " {'p': (JEFFMCJUNKIN@CONTOSO.LOCAL)-[:MemberOf {isacl: false}]->(DOMAIN USERS@CONTOSO.LOCAL)-[:MemberOf {isacl: false}]->(ADMINISTRATORS@CONTOSO.LOCAL)-[:WriteDacl {isacl: true, isinherited: true}]->(DOMAIN CONTROLLERS@CONTOSO.LOCAL)},\n", " {'p': (JEFFMCJUNKIN@CONTOSO.LOCAL)-[:MemberOf {isacl: false}]->(DOMAIN USERS@CONTOSO.LOCAL)-[:MemberOf {isacl: false}]->(ADMINISTRATORS@CONTOSO.LOCAL)-[:WriteOwner {isacl: true, isinherited: true}]->(OU-CONTROL@CONTOSO.LOCAL)}]" ] }, "execution_count": 23, "metadata": {}, "output_type": "execute_result" } ], "source": [ "graph.run(\n", 
"'''\n", "MATCH (n:User)\n", "WHERE n.name =~ 'JEFFMCJUNKIN@CONTOSO.LOCAL'\n", "MATCH (m)\n", "WHERE NOT m.name = n.name\n", "MATCH p=allShortestPaths((n)-[r:MemberOf|HasSession|AdminTo|AllExtendedRights|AddMember|ForceChangePassword|GenericAll|GenericWrite|Owns|WriteDacl|WriteOwner|CanRDP|ExecuteDCOM|AllowedToDelegate|ReadLAPSPassword|Contains|GpLink|AddAllowedToAct|AllowedToAct|SQLAdmin*1..]->(m))\n", "RETURN p\n", "LIMIT 10\n", "'''\n", ").data()" ] }, { "cell_type": "markdown", "metadata": {}, "source": [ "## Shortest Path to DA Groups from Domain Groups\n", "**Author:** Ryan Hausknecht (@haus3c)\n", "\n", "**Description:** Shortest paths to Domain Admins group from all domain groups\n" ] }, { "cell_type": "code", "execution_count": 24, "metadata": {}, "outputs": [ { "data": { "text/plain": [ "[{'p': (ENTERPRISE ADMINS@CONTOSO.LOCAL)-[:WriteDacl {isacl: true, isinherited: false}]->(DOMAIN ADMINS@CONTOSO.LOCAL)},\n", " {'p': (ADMINISTRATORS@CONTOSO.LOCAL)-[:WriteDacl {isacl: true, isinherited: false}]->(DOMAIN ADMINS@CONTOSO.LOCAL)},\n", " {'p': (ACCOUNT OPERATORS@CONTOSO.LOCAL)-[:GenericAll {isacl: true, isinherited: false}]->(PCI-SERVER-001.CONTOSO.LOCAL)-[:HasSession {isacl: false}]->(ADMINISTRATOR@CONTOSO.LOCAL)-[:MemberOf {isacl: false}]->(DOMAIN ADMINS@CONTOSO.LOCAL)},\n", " {'p': (TERMINAL SERVER LICENSE SERVERS@CONTOSO.LOCAL)-[:GenericAll {isacl: true, isinherited: true}]->(SVC_SHARPHOUND@CONTOSO.LOCAL)-[:MemberOf {isacl: false}]->(DOMAIN USERS@CONTOSO.LOCAL)-[:MemberOf {isacl: false}]->(ADMINISTRATORS@CONTOSO.LOCAL)-[:WriteDacl {isacl: true, isinherited: false}]->(DOMAIN ADMINS@CONTOSO.LOCAL)},\n", " {'p': (DOMAIN USERS@CONTOSO.LOCAL)-[:MemberOf {isacl: false}]->(ADMINISTRATORS@CONTOSO.LOCAL)-[:WriteDacl {isacl: true, isinherited: false}]->(DOMAIN ADMINS@CONTOSO.LOCAL)}]" ] }, "execution_count": 24, "metadata": {}, "output_type": "execute_result" } ], "source": [ "graph.run(\n", "'''\n", "MATCH (n:Group)\n", "WHERE NOT n.name = 'DOMAIN 
ADMINS@CONTOSO.LOCAL'\n", "MATCH (m:Group {name:'DOMAIN ADMINS@CONTOSO.LOCAL'}),p=shortestPath((n)-[r:MemberOf|HasSession|AdminTo|AllExtendedRights|AddMember|ForceChangePassword|GenericAll|GenericWrite|Owns|WriteDacl|WriteOwner|CanRDP|ExecuteDCOM|AllowedToDelegate|ReadLAPSPassword|Contains|GpLink|AddAllowedToAct|AllowedToAct*1..]->(m))\n", "RETURN p\n", "'''\n", ").data()" ] }, { "cell_type": "markdown", "metadata": {}, "source": [ "## Shortest Path to DA Groups from Non-Privileged Domain Groups\n", "**Author:** Ryan Hausknecht (@haus3c)\n", "\n", "**Description:** Shortest paths to Domain Admins group from non-privileged groups (AdminCount=false)\n" ] }, { "cell_type": "code", "execution_count": 25, "metadata": {}, "outputs": [ { "data": { "text/plain": [ "[{'p': (TERMINAL SERVER LICENSE SERVERS@CONTOSO.LOCAL)-[:GenericAll {isacl: true, isinherited: true}]->(SVC_SHARPHOUND@CONTOSO.LOCAL)-[:MemberOf {isacl: false}]->(DOMAIN USERS@CONTOSO.LOCAL)-[:MemberOf {isacl: false}]->(ADMINISTRATORS@CONTOSO.LOCAL)-[:WriteDacl {isacl: true, isinherited: false}]->(DOMAIN ADMINS@CONTOSO.LOCAL)}]" ] }, "execution_count": 25, "metadata": {}, "output_type": "execute_result" } ], "source": [ "graph.run(\n", "'''\n", "MATCH (n:Group {admincount:false}),(m:Group {name:'DOMAIN ADMINS@CONTOSO.LOCAL'}),p=shortestPath((n)-[r:MemberOf|HasSession|AdminTo|AllExtendedRights|AddMember|ForceChangePassword|GenericAll|GenericWrite|Owns|WriteDacl|WriteOwner|CanRDP|ExecuteDCOM|AllowedToDelegate|ReadLAPSPassword|Contains|GpLink|AddAllowedToAct|AllowedToAct*1..]->(m))\n", "RETURN p\n", "'''\n", ").data()" ] }, { "cell_type": "markdown", "metadata": {}, "source": [ "## Shortest Path to DA Groups from Computers Excluding DCs\n", "**Author:** Ryan Hausknecht (@haus3c)\n", "\n", "**Description:** Shortest paths to Domain Admins group from computers excluding potential DCs (based on ldap/ and GC/ spns). Note: as written, the query below only applies the GC/ pattern, because the second WITH clause drops regex_one from scope and the WHERE clause tests regex_two twice; a host whose only DC-like SPNs are ldap/ would therefore not be excluded. To honor both patterns, carry regex_one through the second WITH (`WITH regex_one, '(?i)gc/.*' as regex_two`) and test `item =~ regex_one OR item =~ regex_two`.\n" ] }, { "cell_type": "code", "execution_count": 26, "metadata": {}, "outputs": [ { "data": { 
"text/plain": [ "[{'p': (PCI-SERVER-001.CONTOSO.LOCAL)-[:HasSession {isacl: false}]->(ADMINISTRATOR@CONTOSO.LOCAL)-[:MemberOf {isacl: false}]->(DOMAIN ADMINS@CONTOSO.LOCAL)},\n", " {'p': (RD-WIN10-001.CONTOSO.LOCAL)-[:HasSession {isacl: false}]->(ACHILES@CONTOSO.LOCAL)-[:MemberOf {isacl: false}]->(ENTERPRISE ADMINS@CONTOSO.LOCAL)-[:WriteDacl {isacl: true, isinherited: false}]->(DOMAIN ADMINS@CONTOSO.LOCAL)}]" ] }, "execution_count": 26, "metadata": {}, "output_type": "execute_result" } ], "source": [ "graph.run(\n", "'''\n", "WITH '(?i)ldap/.*' as regex_one WITH '(?i)gc/.*' as regex_two\n", "MATCH (n:Computer)\n", "WHERE NOT ANY(item IN n.serviceprincipalnames WHERE item =~ regex_two OR item =~ regex_two )\n", "MATCH(m:Group {name:\"DOMAIN ADMINS@CONTOSO.LOCAL\"}),p=shortestPath((n)-[r:MemberOf|HasSession|AdminTo|AllExtendedRights|AddMember|ForceChangePassword|GenericAll|GenericWrite|Owns|WriteDacl|WriteOwner|CanRDP|ExecuteDCOM|AllowedToDelegate|ReadLAPSPassword|Contains|GpLink|AddAllowedToAct|AllowedToAct*1..]->(m))\n", "RETURN p\n", "'''\n", ").data()" ] }, { "cell_type": "markdown", "metadata": {}, "source": [ "## Unprivileged Users Edges to All Nodes\n", "**Author:** Ryan Hausknecht (@haus3c)\n", "\n", "**Description:** Find all the Edges that any UNPRIVILEGED user (based on the admincount:False) has against all the nodes\n" ] }, { "cell_type": "code", "execution_count": 27, "metadata": {}, "outputs": [ { "data": { "text/plain": [ "[{'p': (GUEST@CONTOSO.LOCAL)-[:MemberOf {isacl: false}]->(GUESTS@CONTOSO.LOCAL)},\n", " {'p': (GUEST@CONTOSO.LOCAL)-[:MemberOf {isacl: false}]->(DOMAIN GUESTS@CONTOSO.LOCAL)},\n", " {'p': (SQL_HQ_PRIMARY@CONTOSO.LOCAL)-[:MemberOf {isacl: false}]->(DOMAIN COMPUTERS@CONTOSO.LOCAL)-[:MemberOf {isacl: false}]->(AUTHENTICATED USERS@CONTOSO.LOCAL)-[:MemberOf {isacl: false}]->(USERS@CONTOSO.LOCAL)},\n", " {'p': (SQL_HQ_PRIMARY@CONTOSO.LOCAL)-[:MemberOf {isacl: false}]->(DOMAIN COMPUTERS@CONTOSO.LOCAL)-[:MemberOf {isacl: 
false}]->(AUTHENTICATED USERS@CONTOSO.LOCAL)-[:MemberOf {isacl: false}]->(PRE-WINDOWS 2000 COMPATIBLE ACCESS@CONTOSO.LOCAL)},\n", " {'p': (SQL_HQ_PRIMARY@CONTOSO.LOCAL)-[:MemberOf {isacl: false}]->(DOMAIN COMPUTERS@CONTOSO.LOCAL)},\n", " {'p': (SQL_HQ_PRIMARY@CONTOSO.LOCAL)-[:MemberOf {isacl: false}]->(DOMAIN COMPUTERS@CONTOSO.LOCAL)-[:MemberOf {isacl: false}]->(EVERYONE@CONTOSO.LOCAL)},\n", " {'p': (SQL_HQ_PRIMARY@CONTOSO.LOCAL)-[:MemberOf {isacl: false}]->(DOMAIN COMPUTERS@CONTOSO.LOCAL)-[:MemberOf {isacl: false}]->(AUTHENTICATED USERS@CONTOSO.LOCAL)},\n", " {'p': (GMSA-SQL01@CONTOSO.LOCAL)-[:SQLAdmin {isacl: false, port: 1433}]->(RD-WIN10-001.CONTOSO.LOCAL)-[:HasSession {isacl: false}]->(ACHILES@CONTOSO.LOCAL)-[:MemberOf {isacl: false}]->(ENTERPRISE ADMINS@CONTOSO.LOCAL)-[:GenericAll {isacl: true, isinherited: true}]->(CONTOSO USERS@CONTOSO.LOCAL)},\n", " {'p': (GMSA-SQL01@CONTOSO.LOCAL)-[:SQLAdmin {isacl: false, port: 1433}]->(RD-WIN10-001.CONTOSO.LOCAL)-[:HasSession {isacl: false}]->(ACHILES@CONTOSO.LOCAL)-[:MemberOf {isacl: false}]->(ENTERPRISE ADMINS@CONTOSO.LOCAL)-[:GenericAll {isacl: true, isinherited: true}]->(SQLUSERS@CONTOSO.LOCAL)},\n", " {'p': (GMSA-SQL01@CONTOSO.LOCAL)-[:SQLAdmin {isacl: false, port: 1433}]->(RD-WIN10-001.CONTOSO.LOCAL)-[:HasSession {isacl: false}]->(ACHILES@CONTOSO.LOCAL)-[:MemberOf {isacl: false}]->(ENTERPRISE ADMINS@CONTOSO.LOCAL)-[:GenericAll {isacl: true, isinherited: true}]->(PCI ENCLAVE@CONTOSO.LOCAL)}]" ] }, "execution_count": 27, "metadata": {}, "output_type": "execute_result" } ], "source": [ "graph.run(\n", "'''\n", "MATCH (n:User {admincount:False})\n", "MATCH (m)\n", "WHERE NOT m.name = n.name\n", "MATCH p=allShortestPaths((n)-[r:MemberOf|HasSession|AdminTo|AllExtendedRights|AddMember|ForceChangePassword|GenericAll|GenericWrite|Owns|WriteDacl|WriteOwner|CanRDP|ExecuteDCOM|AllowedToDelegate|ReadLAPSPassword|Contains|GpLink|AddAllowedToAct|AllowedToAct|SQLAdmin*1..]->(m))\n", "RETURN p\n", "LIMIT 10\n", "'''\n", ").data()" 
] }, { "cell_type": "markdown", "metadata": {}, "source": [ "## Unprivileged Users ACL abusing other Users\n", "**Author:** Ryan Hausknecht (@haus3c)\n", "\n", "**Description:** Find interesting edges related to “ACL Abuse” that unprivileged users have against other users\n" ] }, { "cell_type": "code", "execution_count": 28, "metadata": {}, "outputs": [ { "data": { "text/plain": [ "[]" ] }, "execution_count": 28, "metadata": {}, "output_type": "execute_result" } ], "source": [ "graph.run(\n", "'''\n", "MATCH (n:User {admincount:False})\n", "MATCH (m:User)\n", "WHERE NOT m.name = n.name\n", "MATCH p=allShortestPaths((n)-[r:AllExtendedRights|ForceChangePassword|GenericAll|GenericWrite|Owns|WriteDacl|WriteOwner*1..]->(m))\n", "RETURN p\n", "'''\n", ").data()" ] }, { "cell_type": "markdown", "metadata": {}, "source": [ "## Workstations a user can RDP into\n", "**Author:** Ryan Hausknecht (@haus3c)\n", "\n", "**Description:** Find workstations a user can RDP into.\n" ] }, { "cell_type": "code", "execution_count": 29, "metadata": {}, "outputs": [ { "data": { "text/plain": [ "[]" ] }, "execution_count": 29, "metadata": {}, "output_type": "execute_result" } ], "source": [ "graph.run(\n", "'''\n", "MATCH p=(g:Group)-[:CanRDP]->(c:Computer)\n", "WHERE g.objectid ENDS WITH '-513' AND NOT c.operatingsystem CONTAINS 'Server'\n", "RETURN p\n", "'''\n", ").data()" ] }, { "cell_type": "markdown", "metadata": {}, "source": [ "## All Domain Users Edges Against all Computers\n", "**Author:** Ryan Hausknecht (@haus3c)\n", "\n", "**Description:** Find all the privileges (edges) of the domain users against the domain computers (e.g. CanRDP, AdminTo etc. 
HasSession edge is not included)\n" ] }, { "cell_type": "code", "execution_count": 30, "metadata": {}, "outputs": [ { "data": { "text/plain": [ "[{'p2': (ADMINISTRATOR@CONTOSO.LOCAL)-[:AdminTo {fromgpo: false, isacl: false}]->(DC-2016-001.CONTOSO.LOCAL)},\n", " {'p2': (ADMINISTRATOR@CONTOSO.LOCAL)-[:AdminTo {fromgpo: false, isacl: false}]->(DC-2016-001.CONTOSO.LOCAL)},\n", " {'p2': (ADMINISTRATOR@CONTOSO.LOCAL)-[:AdminTo {fromgpo: false, isacl: false}]->(DC-2016-001.CONTOSO.LOCAL)},\n", " {'p2': (ADMINISTRATOR@CONTOSO.LOCAL)-[:AdminTo {fromgpo: false, isacl: false}]->(DC-2016-001.CONTOSO.LOCAL)},\n", " {'p2': (ADMINISTRATOR@CONTOSO.LOCAL)-[:AdminTo {fromgpo: false, isacl: false}]->(DC-2016-001.CONTOSO.LOCAL)},\n", " {'p2': (ADMINISTRATOR@CONTOSO.LOCAL)-[:AdminTo {fromgpo: false, isacl: false}]->(DC-2016-001.CONTOSO.LOCAL)},\n", " {'p2': (ADMINISTRATOR@CONTOSO.LOCAL)-[:AdminTo {fromgpo: false, isacl: false}]->(DC-2016-001.CONTOSO.LOCAL)},\n", " {'p2': (ADMINISTRATOR@CONTOSO.LOCAL)-[:AdminTo {fromgpo: false, isacl: false}]->(DC-2016-001.CONTOSO.LOCAL)},\n", " {'p2': (ADMINISTRATOR@CONTOSO.LOCAL)-[:AdminTo {fromgpo: false, isacl: false}]->(DC-2016-001.CONTOSO.LOCAL)},\n", " {'p2': (ADMINISTRATOR@CONTOSO.LOCAL)-[:AdminTo {fromgpo: false, isacl: false}]->(DC-2016-001.CONTOSO.LOCAL)},\n", " {'p2': (ADMINISTRATOR@CONTOSO.LOCAL)-[:AdminTo {fromgpo: false, isacl: false}]->(DC-2016-001.CONTOSO.LOCAL)},\n", " {'p2': (GMSA-SQL01@CONTOSO.LOCAL)-[:SQLAdmin {isacl: false, port: 1433}]->(RD-WIN10-001.CONTOSO.LOCAL)},\n", " {'p2': (GMSA-SQL01@CONTOSO.LOCAL)-[:SQLAdmin {isacl: false, port: 1433}]->(RD-WIN10-001.CONTOSO.LOCAL)},\n", " {'p2': (GMSA-SQL01@CONTOSO.LOCAL)-[:SQLAdmin {isacl: false, port: 1433}]->(RD-WIN10-001.CONTOSO.LOCAL)},\n", " {'p2': (GMSA-SQL01@CONTOSO.LOCAL)-[:SQLAdmin {isacl: false, port: 1433}]->(RD-WIN10-001.CONTOSO.LOCAL)},\n", " {'p2': (GMSA-SQL01@CONTOSO.LOCAL)-[:SQLAdmin {isacl: false, port: 1433}]->(RD-WIN10-001.CONTOSO.LOCAL)}]" ] }, "execution_count": 30, 
"metadata": {}, "output_type": "execute_result" } ], "source": [ "graph.run(\n", "'''\n", "MATCH p1=shortestPath(((u1:User)-[r1:MemberOf*1..]->(g1:Group)))\n", "MATCH p2=(u1)-[*1]->(c:Computer)\n", "RETURN p2\n", "'''\n", ").data()" ] }, { "cell_type": "markdown", "metadata": {}, "source": [ "## All Logged In Admins\n", "**Author:** Walter.Legowski (@SadProcessor)\n", "\n", "**Description:** List of all logged in administrators\n" ] }, { "cell_type": "code", "execution_count": 31, "metadata": {}, "outputs": [ { "data": { "text/plain": [ "[{'b': (_11:Base:User {admincount: true, description: 'Built-in account for administering the computer/domain', distinguishedname: 'CN=Administrator,CN=Users,DC=contoso,DC=local', domain: 'CONTOSO.LOCAL', dontreqpreauth: false, enabled: true, hasspn: false, highvalue: false, lastlogon: 1586793173.0, lastlogontimestamp: 1586738080.0, name: 'ADMINISTRATOR@CONTOSO.LOCAL', objectid: 'S-1-5-21-153951712-174133717-528793688-500', owned: false, passwordnotreqd: false, pwdlastset: 1560189819.0, pwdneverexpires: true, sensitive: false, serviceprincipalnames: [], sidhistory: [], unconstraineddelegation: false}),\n", " 'a': (_40:Base:Computer {distinguishedname: 'CN=PCI-SERVER-001,OU=PCI Computers,OU=PCI Enclave,DC=contoso,DC=local', domain: 'CONTOSO.LOCAL', enabled: true, haslaps: false, highvalue: false, lastlogontimestamp: 1586551062.0, name: 'PCI-SERVER-001.CONTOSO.LOCAL', objectid: 'S-1-5-21-153951712-174133717-528793688-1617', operatingsystem: 'Windows Server 2016 Standard', owned: false, pwdlastset: 1585683416.0, serviceprincipalnames: ['WSMAN/PCI-SERVER-001', 'WSMAN/PCI-SERVER-001.contoso.local', 'RestrictedKrbHost/PCI-SERVER-001', 'HOST/PCI-SERVER-001', 'RestrictedKrbHost/PCI-SERVER-001.contoso.local', 'HOST/PCI-SERVER-001.contoso.local'], unconstraineddelegation: false}),\n", " 'r': (PCI-SERVER-001.CONTOSO.LOCAL)-[:HasSession {isacl: false}]->(ADMINISTRATOR@CONTOSO.LOCAL)}]" ] }, "execution_count": 31, "metadata": {}, "output_type": 
"execute_result" } ], "source": [ "graph.run(\n", "'''\n", "MATCH \n", "p=(a:Computer)-[r:HasSession]->(b:User) \n", "WITH a,b,r \n", "MATCH \n", "p=shortestPath((b)-[:AdminTo|MemberOf*1..]->(a)) \n", "RETURN b,a,r\n", "'''\n", ").data()" ] }, { "cell_type": "markdown", "metadata": {}, "source": [ "## All Domain Admins\n", "**Author:** Walter.Legowski (@SadProcessor)\n", "\n", "**Description:** List of all domain admins\n" ] }, { "cell_type": "code", "execution_count": 32, "metadata": {}, "outputs": [ { "data": { "text/plain": [ "[{'n': (_20:Base:Group {admincount: true, description: 'Designated administrators of the domain', distinguishedname: 'CN=Domain Admins,CN=Users,DC=contoso,DC=local', domain: 'CONTOSO.LOCAL', highvalue: true, name: 'DOMAIN ADMINS@CONTOSO.LOCAL', objectid: 'S-1-5-21-153951712-174133717-528793688-512'}),\n", " 'r': [(SQL01@CONTOSO.LOCAL)-[:MemberOf {isacl: false}]->(DOMAIN ADMINS@CONTOSO.LOCAL)],\n", " 'm': (_38:Base:User {admincount: true, distinguishedname: 'CN=SQL01,OU=SQLUsers,DC=contoso,DC=local', domain: 'CONTOSO.LOCAL', dontreqpreauth: false, enabled: true, hasspn: false, highvalue: false, lastlogon: 1581142464.0, lastlogontimestamp: 1580846712.0, name: 'SQL01@CONTOSO.LOCAL', objectid: 'S-1-5-21-153951712-174133717-528793688-1606', owned: false, passwordnotreqd: false, pwdlastset: 1580169201.0, pwdneverexpires: false, sensitive: false, serviceprincipalnames: [], sidhistory: [], unconstraineddelegation: false})},\n", " {'n': (_20:Base:Group {admincount: true, description: 'Designated administrators of the domain', distinguishedname: 'CN=Domain Admins,CN=Users,DC=contoso,DC=local', domain: 'CONTOSO.LOCAL', highvalue: true, name: 'DOMAIN ADMINS@CONTOSO.LOCAL', objectid: 'S-1-5-21-153951712-174133717-528793688-512'}),\n", " 'r': [(DAVID.MCGUIRE@CONTOSO.LOCAL)-[:MemberOf {isacl: false}]->(DOMAIN ADMINS@CONTOSO.LOCAL)],\n", " 'm': (_27:Base:User {admincount: true, displayname: 'David McGuire', distinguishedname: 'CN=David McGuire,OU=Contoso 
Users,DC=contoso,DC=local', domain: 'CONTOSO.LOCAL', dontreqpreauth: false, enabled: true, hasspn: false, highvalue: false, lastlogon: 1585764232.0, lastlogontimestamp: 1585670785.0, name: 'DAVID.MCGUIRE@CONTOSO.LOCAL', objectid: 'S-1-5-21-153951712-174133717-528793688-1613', owned: false, passwordnotreqd: false, pwdlastset: 1584460898.0, pwdneverexpires: true, sensitive: false, serviceprincipalnames: [], sidhistory: [], unconstraineddelegation: false})},\n", " {'n': (_20:Base:Group {admincount: true, description: 'Designated administrators of the domain', distinguishedname: 'CN=Domain Admins,CN=Users,DC=contoso,DC=local', domain: 'CONTOSO.LOCAL', highvalue: true, name: 'DOMAIN ADMINS@CONTOSO.LOCAL', objectid: 'S-1-5-21-153951712-174133717-528793688-512'}),\n", " 'r': [(ADMINISTRATOR@CONTOSO.LOCAL)-[:MemberOf {isacl: false}]->(DOMAIN ADMINS@CONTOSO.LOCAL)],\n", " 'm': (_11:Base:User {admincount: true, description: 'Built-in account for administering the computer/domain', distinguishedname: 'CN=Administrator,CN=Users,DC=contoso,DC=local', domain: 'CONTOSO.LOCAL', dontreqpreauth: false, enabled: true, hasspn: false, highvalue: false, lastlogon: 1586793173.0, lastlogontimestamp: 1586738080.0, name: 'ADMINISTRATOR@CONTOSO.LOCAL', objectid: 'S-1-5-21-153951712-174133717-528793688-500', owned: false, passwordnotreqd: false, pwdlastset: 1560189819.0, pwdneverexpires: true, sensitive: false, serviceprincipalnames: [], sidhistory: [], unconstraineddelegation: false})}]" ] }, "execution_count": 32, "metadata": {}, "output_type": "execute_result" } ], "source": [ "graph.run(\n", "'''\n", "MATCH (n:Group) WHERE n.name =~ \"(?i).*DOMAIN ADMINS.*\"\n", "WITH n \n", "MATCH (n)<-[r:MemberOf*1..]-(m) \n", "RETURN n,r,m\n", "'''\n", ").data()" ] }, { "cell_type": "markdown", "metadata": {}, "source": [ "## Computers with Unconstrained Delegation\n", "**Author:** Ryan Hausknecht (@haus3c)\n", "\n", "**Description:** Find all computers with Unconstrained Delegation\n" ] }, { 
"cell_type": "code", "execution_count": 33, "metadata": {}, "outputs": [ { "data": { "text/plain": [ "[{'c': (_41:Base:Computer {distinguishedname: 'CN=DC-2016-001,OU=Domain Controllers,DC=contoso,DC=local', domain: 'CONTOSO.LOCAL', enabled: true, haslaps: false, highvalue: false, lastlogontimestamp: 1586550660.0, name: 'DC-2016-001.CONTOSO.LOCAL', objectid: 'S-1-5-21-153951712-174133717-528793688-1000', operatingsystem: 'Windows Server 2016 Standard', owned: false, pwdlastset: 1586379557.0, serviceprincipalnames: ['Dfsr-12F9A27C-BF97-4787-9364-D31B6C55EB04/DC-2016-001.contoso.local', 'ldap/DC-2016-001.contoso.local/ForestDnsZones.contoso.local', 'ldap/DC-2016-001.contoso.local/DomainDnsZones.contoso.local', 'DNS/DC-2016-001.contoso.local', 'GC/DC-2016-001.contoso.local/contoso.local', 'RestrictedKrbHost/DC-2016-001.contoso.local', 'RestrictedKrbHost/DC-2016-001', 'RPC/163efdab-a02f-4b72-8de1-b45b21b62341._msdcs.contoso.local', 'HOST/DC-2016-001/CONTOSO', 'HOST/DC-2016-001.contoso.local/CONTOSO', 'HOST/DC-2016-001', 'HOST/DC-2016-001.contoso.local', 'HOST/DC-2016-001.contoso.local/contoso.local', 'E3514235-4B06-11D1-AB04-00C04FC2DCD2/163efdab-a02f-4b72-8de1-b45b21b62341/contoso.local', 'ldap/DC-2016-001/CONTOSO', 'ldap/163efdab-a02f-4b72-8de1-b45b21b62341._msdcs.contoso.local', 'ldap/DC-2016-001.contoso.local/CONTOSO', 'ldap/DC-2016-001', 'ldap/DC-2016-001.contoso.local', 'ldap/DC-2016-001.contoso.local/contoso.local'], unconstraineddelegation: true})}]" ] }, "execution_count": 33, "metadata": {}, "output_type": "execute_result" } ], "source": [ "graph.run(\n", "'''\n", "MATCH (c:Computer {unconstraineddelegation:true})\n", "RETURN c\n", "'''\n", ").data()" ] }, { "cell_type": "markdown", "metadata": {}, "source": [ "## Unprivileged Users ACL abusing Computers\n", "**Author:** Ryan Hausknecht (@haus3c)\n", "\n", "**Description:** Find interesting edges related to “ACL Abuse” that unprivileged users have against computers\n" ] }, { "cell_type": "code", 
"execution_count": 34, "metadata": {}, "outputs": [ { "data": { "text/plain": [ "[]" ] }, "execution_count": 34, "metadata": {}, "output_type": "execute_result" } ], "source": [ "graph.run(\n", "'''\n", "MATCH (n:User {admincount:False})\n", "MATCH p=allShortestPaths((n)-[r:AllExtendedRights|GenericAll|GenericWrite|Owns|WriteDacl|WriteOwner|AdminTo|CanRDP|ExecuteDCOM|ForceChangePassword*1..]->(m:Computer))\n", "RETURN p\n", "'''\n", ").data()" ] }, { "cell_type": "markdown", "metadata": {}, "source": [ "## User Sessions in a Specific Domain\n", "**Author:** Ryan Hausknecht (@haus3c)\n", "\n", "**Description:** Find all sessions any user in a specific domain has.\n" ] }, { "cell_type": "code", "execution_count": 35, "metadata": {}, "outputs": [ { "data": { "text/plain": [ "[{'p': (PCI-SERVER-001.CONTOSO.LOCAL)-[:HasSession {isacl: false}]->(ADMINISTRATOR@CONTOSO.LOCAL)},\n", " {'p': (RD-WIN10-001.CONTOSO.LOCAL)-[:HasSession {isacl: false}]->(ACHILES@CONTOSO.LOCAL)}]" ] }, "execution_count": 35, "metadata": {}, "output_type": "execute_result" } ], "source": [ "graph.run(\n", "'''\n", "MATCH p=(m:Computer)-[r:HasSession]->(n:User {domain: \"CONTOSO.LOCAL\"})\n", "RETURN p\n", "'''\n", ").data()" ] }, { "cell_type": "markdown", "metadata": {}, "source": [ "## Top 10 Users with Most Local Admin Rights\n", "**Author:** Walter.Legowski (@SadProcessor)\n", "\n", "**Description:** List of top 10 users with most local admin rights\n" ] }, { "cell_type": "code", "execution_count": 36, "metadata": {}, "outputs": [ { "data": { "text/plain": [ "[{'n': (_11:Base:User {admincount: true, description: 'Built-in account for administering the computer/domain', distinguishedname: 'CN=Administrator,CN=Users,DC=contoso,DC=local', domain: 'CONTOSO.LOCAL', dontreqpreauth: false, enabled: true, hasspn: false, highvalue: false, lastlogon: 1586793173.0, lastlogontimestamp: 1586738080.0, name: 'ADMINISTRATOR@CONTOSO.LOCAL', objectid: 'S-1-5-21-153951712-174133717-528793688-500', owned: false, 
passwordnotreqd: false, pwdlastset: 1560189819.0, pwdneverexpires: true, sensitive: false, serviceprincipalnames: [], sidhistory: [], unconstraineddelegation: false}),\n", " 'r': (ADMINISTRATOR@CONTOSO.LOCAL)-[:AdminTo {fromgpo: false, isacl: false}]->(DC-2016-001.CONTOSO.LOCAL),\n", " 'm': (_41:Base:Computer {distinguishedname: 'CN=DC-2016-001,OU=Domain Controllers,DC=contoso,DC=local', domain: 'CONTOSO.LOCAL', enabled: true, haslaps: false, highvalue: false, lastlogontimestamp: 1586550660.0, name: 'DC-2016-001.CONTOSO.LOCAL', objectid: 'S-1-5-21-153951712-174133717-528793688-1000', operatingsystem: 'Windows Server 2016 Standard', owned: false, pwdlastset: 1586379557.0, serviceprincipalnames: ['Dfsr-12F9A27C-BF97-4787-9364-D31B6C55EB04/DC-2016-001.contoso.local', 'ldap/DC-2016-001.contoso.local/ForestDnsZones.contoso.local', 'ldap/DC-2016-001.contoso.local/DomainDnsZones.contoso.local', 'DNS/DC-2016-001.contoso.local', 'GC/DC-2016-001.contoso.local/contoso.local', 'RestrictedKrbHost/DC-2016-001.contoso.local', 'RestrictedKrbHost/DC-2016-001', 'RPC/163efdab-a02f-4b72-8de1-b45b21b62341._msdcs.contoso.local', 'HOST/DC-2016-001/CONTOSO', 'HOST/DC-2016-001.contoso.local/CONTOSO', 'HOST/DC-2016-001', 'HOST/DC-2016-001.contoso.local', 'HOST/DC-2016-001.contoso.local/contoso.local', 'E3514235-4B06-11D1-AB04-00C04FC2DCD2/163efdab-a02f-4b72-8de1-b45b21b62341/contoso.local', 'ldap/DC-2016-001/CONTOSO', 'ldap/163efdab-a02f-4b72-8de1-b45b21b62341._msdcs.contoso.local', 'ldap/DC-2016-001.contoso.local/CONTOSO', 'ldap/DC-2016-001', 'ldap/DC-2016-001.contoso.local', 'ldap/DC-2016-001.contoso.local/contoso.local'], unconstraineddelegation: true})}]" ] }, "execution_count": 36, "metadata": {}, "output_type": "execute_result" } ], "source": [ "graph.run(\n", "'''\n", "MATCH (n:User),(m:Computer),(n)-[r:AdminTo]->(m)\n", "WHERE NOT n.name STARTS WITH 'ANONYMOUS LOGON' AND NOT n.name='' WITH n, count(r) as rel_count\n", "ORDER BY rel_count desc \n", "LIMIT 10 \n", "MATCH 
(m)<-[r:AdminTo]-(n) \n", "RETURN n,r,m \n", "'''\n", ").data()" ] }, { "cell_type": "markdown", "metadata": {}, "source": [ "## View all GPOs\n", "**Author:** Ryan Hausknecht (@haus3c)\n", "\n", "**Description:** View all GPOs\n" ] }, { "cell_type": "code", "execution_count": 37, "metadata": {}, "outputs": [ { "data": { "text/plain": [ "[{'n': (_9:Base:GPO {distinguishedname: 'CN={AC4ACFC1-0578-4251-9BBD-E1D0352A5CAF},CN=Policies,CN=System,DC=contoso,DC=local', domain: 'CONTOSO.LOCAL', gpcpath: '\\\\\\\\contoso.local\\\\SysVol\\\\contoso.local\\\\Policies\\\\{AC4ACFC1-0578-4251-9BBD-E1D0352A5CAF}', highvalue: false, name: 'PROTECT PCL ENCLAVE@CONTOSO.LOCAL', objectid: 'F9F3C61B-D37D-41EA-A064-71B26119E448'})},\n", " {'n': (_10:Base:GPO {distinguishedname: 'CN={6AC1786C-016F-11D2-945F-00C04fB984F9},CN=Policies,CN=System,DC=contoso,DC=local', domain: 'CONTOSO.LOCAL', gpcpath: '\\\\\\\\contoso.local\\\\sysvol\\\\contoso.local\\\\Policies\\\\{6AC1786C-016F-11D2-945F-00C04fB984F9}', highvalue: false, name: 'DEFAULT DOMAIN CONTROLLERS POLICY@CONTOSO.LOCAL', objectid: '6930F38E-81B5-497F-B18B-E770DF862D89'})},\n", " {'n': (_120:Base:GPO {distinguishedname: 'CN={31B2F340-016D-11D2-945F-00C04FB984F9},CN=Policies,CN=System,DC=contoso,DC=local', domain: 'CONTOSO.LOCAL', gpcpath: '\\\\\\\\contoso.local\\\\sysvol\\\\contoso.local\\\\Policies\\\\{31B2F340-016D-11D2-945F-00C04FB984F9}', highvalue: false, name: 'DEFAULT DOMAIN POLICY@CONTOSO.LOCAL', objectid: '5E11EF13-E6EE-4600-9EF7-BD5220CCE469'})}]" ] }, "execution_count": 37, "metadata": {}, "output_type": "execute_result" } ], "source": [ "graph.run(\n", "'''\n", "MATCH (n:GPO)\n", "RETURN n\n", "'''\n", ").data()" ] }, { "cell_type": "markdown", "metadata": {}, "source": [ "## SPNs with keywords\n", "**Author:** Ryan Hausknecht (@haus3c)\n", "\n", "**Description:** Find SPNs with keywords (swap SQL with whatever)\n" ] }, { "cell_type": "code", "execution_count": 38, "metadata": {}, "outputs": [ { "data": { "text/plain": [ 
"[{'u.name': 'SQL2014@CONTOSO.LOCAL'}]" ] }, "execution_count": 38, "metadata": {}, "output_type": "execute_result" } ], "source": [ "graph.run(\n", "'''\n", "MATCH (u:User)\n", "WHERE ANY (x IN u.serviceprincipalnames WHERE toUpper(x) CONTAINS 'SQL')\n", "RETURN u.name\n", "'''\n", ").data()" ] }, { "cell_type": "markdown", "metadata": {}, "source": [ "## Group with keywords\n", "**Author:** Ryan Hausknecht (@haus3c)\n", "\n", "**Description:** Find a group with keywords. E.g. SQL ADMINS or SQL 2017 ADMINS\n" ] }, { "cell_type": "code", "execution_count": 39, "metadata": {}, "outputs": [ { "data": { "text/plain": [ "[]" ] }, "execution_count": 39, "metadata": {}, "output_type": "execute_result" } ], "source": [ "graph.run(\n", "'''\n", "MATCH (g:Group)\n", "WHERE g.name =~ '(?i).SQL.ADMIN.*'\n", "RETURN g\n", "'''\n", ").data()" ] }, { "cell_type": "markdown", "metadata": {}, "source": [ "## Kerberoastable Users with passwords last set > 5 years\n", "**Author:** Ryan Hausknecht (@haus3c)\n", "\n", "**Description:** Find All Users with an SPN/Find all Kerberoastable Users with passwords last set > 5 years ago\n" ] }, { "cell_type": "code", "execution_count": 40, "metadata": {}, "outputs": [ { "data": { "text/plain": [ "[]" ] }, "execution_count": 40, "metadata": {}, "output_type": "execute_result" } ], "source": [ "graph.run(\n", "'''\n", "MATCH (u:User)\n", "WHERE u.hasspn=true AND u.pwdlastset < (datetime().epochseconds - (1825 * 86400)) AND NOT u.pwdlastset IN [-1.0, 0.0]\n", "RETURN u.name, u.pwdlastset order by u.pwdlastset\n", "'''\n", ").data()" ] }, { "cell_type": "markdown", "metadata": {}, "source": [ "## DA sessions not on a certain group\n", "**Author:** Ryan Hausknecht (@haus3c)\n", "\n", "**Description:** DA sessions not on a certain group (e.g. 
domain controllers).\n" ] }, { "cell_type": "code", "execution_count": 41, "metadata": {}, "outputs": [ { "data": { "text/plain": [ "[{'Username': 'ADMINISTRATOR@CONTOSO.LOCAL', 'Connexions': 1}]" ] }, "execution_count": 41, "metadata": {}, "output_type": "execute_result" } ], "source": [ "graph.run(\n", "'''\n", "OPTIONAL MATCH (c:Computer)-[:MemberOf]->(t:Group)\n", "WHERE NOT t.name = 'DOMAIN CONTROLLERS@CONTOSO.LOCAL' WITH c as NonDC\n", "MATCH p=(NonDC)-[:HasSession]->(n:User)-[:MemberOf]->(g:Group {name:'DOMAIN ADMINS@CONTOSO.LOCAL'})\n", "RETURN DISTINCT (n.name) as Username, COUNT(DISTINCT(NonDC)) as Connexions\n", "ORDER BY COUNT(DISTINCT(NonDC)) DESC \n", "'''\n", ").data()" ] } ], "metadata": { "kernelspec": { "display_name": "Python 3", "language": "python", "name": "python3" }, "language_info": { "codemirror_mode": { "name": "ipython", "version": 3 }, "file_extension": ".py", "mimetype": "text/x-python", "name": "python", "nbconvert_exporter": "python", "pygments_lexer": "ipython3", "version": "3.7.3" } }, "nbformat": 4, "nbformat_minor": 4 }