2020/06/20 |
Servers a user can RDP into |
Find servers a user can RDP into. |
Ryan Hausknecht (@haus3c) |
MATCH p=(g:Group)-[:CanRDP]->(c:Computer) WHERE g.objectid ENDS WITH '-513' AND c.operatingsystem CONTAINS 'Server' RETURN p
|
2020/06/20 |
View all GPOs that contain a keyword |
View all GPOs that contain a keyword |
Ryan Hausknecht (@haus3c) |
MATCH (n:GPO) WHERE n.name CONTAINS "DOMAIN" RETURN n
|
2020/06/20 |
Domain Users Groups with Interesting ACEs |
Find interesting privileges/ACEs that have been configured to DOMAIN USERS group |
Ryan Hausknecht (@haus3c), Roberto Rodriguez (@Cyb3rWard0g) |
MATCH (m:Group) WHERE m.name =~ 'DOMAIN USERS@CONTOSO.LOCAL' MATCH p=(m)-[r:Owns|WriteDacl|GenericAll|WriteOwner|ExecuteDCOM|GenericWrite|AllowedToDelegate|ForceChangePassword]->(n:Computer) RETURN p
|
2020/06/20 |
Top 10 Computers with Most Admins |
List of top 10 computers with most admins |
Walter.Legowski (@SadProcessor) |
MATCH (n:User),(m:Computer),(n)-[r:AdminTo]->(m) WHERE NOT n.name STARTS WITH 'ANONYMOUS LOGON' AND NOT n.name='' WITH m,count(r) as rel_count ORDER BY rel_count desc LIMIT 10 MATCH (m)<-[r:AdminTo]-(n) RETURN n,r,m
|
2020/06/20 |
Map Domain Trusts |
Map domain trusts |
Walter.Legowski (@SadProcessor) |
MATCH (n:Domain) MATCH p=(n)-[r]-() RETURN p
|
2020/06/20 |
High Value Target Group |
Show all high value target group |
Ryan Hausknecht (@haus3c) |
MATCH p=(n:User)-[r:MemberOf*1..]->(m:Group {highvalue:true}) RETURN p
|
2020/06/20 |
Shortest Path to DA Groups from Domain Users Groups |
Shortest paths to Domain Admins group from the Domain Users group |
Ryan Hausknecht (@haus3c) |
MATCH (g:Group) WHERE g.name =~ 'DOMAIN USERS@.*' MATCH (g1:Group) WHERE g1.name =~ 'DOMAIN ADMINS@.*' OPTIONAL MATCH p=shortestPath((g)-[r:MemberOf|HasSession|AdminTo|AllExtendedRights|AddMember|ForceChangePassword|GenericAll|GenericWrite|Owns|WriteDacl|WriteOwner|CanRDP|ExecuteDCOM|AllowedToDelegate|ReadLAPSPassword|Contains|GpLink|AddAllowedToAct|AllowedToAct|SQLAdmin*1..]->(g1)) RETURN p
|
2020/06/20 |
ASP-REQ Roastable Users |
Find user that doesn’t require kerberos pre-authentication (aka AS-REP Roasting) |
Ryan Hausknecht (@haus3c) |
MATCH (u:User {dontreqpreauth: true}) RETURN u
|
2020/06/20 |
Unprivileged Users with Rights to Add Members to Groups |
Find if unprivileged users have rights to add members into groups |
Ryan Hausknecht (@haus3c) |
MATCH (n:User {admincount:False}) MATCH p=allShortestPaths((n)-[r:AddMember*1..]->(m:Group)) RETURN p
|
2020/06/20 |
Users that Logged in ithin Threshold |
Find users that logged in within the last 90 days. Change 90 to whatever threshold you want. |
Ryan Hausknecht (@haus3c) |
MATCH (u:User) WHERE u.lastlogon < (datetime().epochseconds - (90 * 86400)) and NOT u.lastlogon IN [-1.0, 0.0] RETURN u.name
|
2020/06/20 |
Shortest Path to DA Groups from Non-Privileged Domain Users |
Shortest paths to Domain Admins group from non privileged users (AdminCount=false) |
Ryan Hausknecht (@haus3c) |
MATCH (n:User {admincount:false}),(m:Group {name:'DOMAIN ADMINS@CONTOSO.LOCAL'}),p=shortestPath((n)-[r:MemberOf|HasSession|AdminTo|AllExtendedRights|AddMember|ForceChangePassword|GenericAll|GenericWrite|Owns|WriteDacl|WriteOwner|CanRDP|ExecuteDCOM|AllowedToDelegate|ReadLAPSPassword|Contains|GpLink|AddAllowedToAct|AllowedToAct*1..]->(m)) RETURN p
|
2020/06/20 |
Unsupported OSs |
Find unsupported OSs |
Ryan Hausknecht (@haus3c) |
MATCH (H:Computer) WHERE H.operatingsystem =~ '.*(2000|2003|2008|xp|vista|7|me)*.' RETURN H.name
|
2020/06/20 |
Top 10 Users with Most Sessions |
List Top 10 Users with Most Sessions |
Walter.Legowski (@SadProcessor) |
MATCH (n:User),(m:Computer),(n)<-[r:HasSession]-(m) WHERE NOT n.name STARTS WITH 'ANONYMOUS LOGON' AND NOT n.name='' WITH n, count(r) as rel_count order by rel_count desc LIMIT 10 MATCH (m)-[r:HasSession]->(n) RETURN n,r,m
|
2020/06/20 |
Users with Passwords Last Set withing Threshold |
Find users with passwords last set thin the last 90 days. Change 90 to whatever threshold you want. |
Ryan Hausknecht (@haus3c) |
MATCH (u:User) WHERE u.lastlogon < (datetime().epochseconds - (90 * 86400)) and NOT u.lastlogon IN [-1.0, 0.0] RETURN u.name
|
2020/06/20 |
Shortest Path to DA Groups from Computers |
Shortest paths to Domain Admins group from computers |
Ryan Hausknecht (@haus3c), Roberto Rodriguez (@Cyb3rWard0g) |
MATCH (n:Computer),(m:Group {name:'DOMAIN ADMINS@CONTOSO.LOCAL'}),p=shortestPath((n)-[r:MemberOf|HasSession|AdminTo|AllExtendedRights|AddMember|ForceChangePassword|GenericAll|GenericWrite|Owns|WriteDacl|WriteOwner|CanRDP|ExecuteDCOM|AllowedToDelegate|ReadLAPSPassword|Contains|GpLink|AddAllowedToAct|AllowedToAct*1..]->(m)) RETURN p
|
2020/06/20 |
All Domain Users CanRDP Edges Against all Computers |
Find only the CanRDP privileges (edges) of the domain users against the domain computers |
Ryan Hausknecht (@haus3c) |
MATCH p1=shortestPath(((u1:User)-[r1:MemberOf*1..]->(g1:Group))) MATCH p2=(u1)-[:CanRDP*1..]->(c:Computer) RETURN p2
|
2020/06/20 |
All Domain Users AdminTo Edges Against all Computers |
Find only the AdminTo privileges (edges) of the domain users against the domain computers |
Ryan Hausknecht (@haus3c) |
MATCH p1=shortestPath(((u1:User)-[r1:MemberOf*1..]->(g1:Group))) MATCH p2=(u1)-[:AdminTo*1..]->(c:Computer) RETURN p2
|
2020/06/20 |
Active Users Sessions in all Domain Computers |
Find the active user sessions on all domain computers |
Ryan Hausknecht (@haus3c) |
MATCH p1=shortestPath(((u1:User)-[r1:MemberOf*1..]->(g1:Group))) MATCH p2=(c:Computer)-[*1]->(u1) RETURN p2
|
2020/06/20 |
Kerberoastable Users with a path to DA |
Find Kerberoastable Users with a path to DA |
Ryan Hausknecht (@haus3c) |
MATCH (u:User {hasspn:true}) MATCH (g:Group) WHERE g.name CONTAINS 'DOMAIN ADMINS' MATCH p = shortestPath( (u)-[*1..]->(g) ) RETURN p
|
2020/06/20 |
Kerberoastable Users |
Find All Users with an SPN/Find all Kerberoastable Users |
Ryan Hausknecht (@haus3c) |
MATCH (n:User)WHERE n.hasspn=true RETURN n.name
|
2020/06/20 |
Specific Users Edges to All Nodes |
Find all Edges that a specific user has against all the nodes (HasSession is not calculated, as it is an edge that comes from computer to user, not from user to computer) |
Ryan Hausknecht (@haus3c) |
MATCH (n:User) WHERE n.name =~ 'JEFFMCJUNKIN@CONTOSO.LOCAL' MATCH (m) WHERE NOT m.name = n.name MATCH p=allShortestPaths((n)-[r:MemberOf|HasSession|AdminTo|AllExtendedRights|AddMember|ForceChangePassword|GenericAll|GenericWrite|Owns|WriteDacl|WriteOwner|CanRDP|ExecuteDCOM|AllowedToDelegate|ReadLAPSPassword|Contains|GpLink|AddAllowedToAct|AllowedToAct|SQLAdmin*1..]->(m)) RETURN p LIMIT 10
|
2020/06/20 |
Shortest Path to DA Groups from Domain Groups |
Shortest paths to Domain Admins group from all domain groups |
Ryan Hausknecht (@haus3c) |
MATCH (n:Group) WHERE NOT n.name = 'DOMAIN ADMINS@CONTOSO.LOCAL' MATCH (m:Group {name:'DOMAIN ADMINS@CONTOSO.LOCAL'}),p=shortestPath((n)-[r:MemberOf|HasSession|AdminTo|AllExtendedRights|AddMember|ForceChangePassword|GenericAll|GenericWrite|Owns|WriteDacl|WriteOwner|CanRDP|ExecuteDCOM|AllowedToDelegate|ReadLAPSPassword|Contains|GpLink|AddAllowedToAct|AllowedToAct*1..]->(m)) RETURN p
|
2020/06/20 |
Shortest Path to DA Groups from Non-Privileged Domain Groups |
Shortest paths to Domain Admins group from non-privileged groups (AdminCount=false) |
Ryan Hausknecht (@haus3c) |
MATCH (n:Group {admincount:false}),(m:Group {name:'DOMAIN ADMINS@CONTOSO.LOCAL'}),p=shortestPath((n)-[r:MemberOf|HasSession|AdminTo|AllExtendedRights|AddMember|ForceChangePassword|GenericAll|GenericWrite|Owns|WriteDacl|WriteOwner|CanRDP|ExecuteDCOM|AllowedToDelegate|ReadLAPSPassword|Contains|GpLink|AddAllowedToAct|AllowedToAct*1..]->(m)) RETURN p
|
2020/06/20 |
Shortest Path to DA Groups from Computers Excluding DCs |
Shortest paths to Domain Admins group from computers excluding potential DCs (based on ldap/ and GC/ spns) |
Ryan Hausknecht (@haus3c) |
WITH '(?i)ldap/.*' as regex_one WITH '(?i)gc/.*' as regex_two MATCH (n:Computer) WHERE NOT ANY(item IN n.serviceprincipalnames WHERE item =~ regex_two OR item =~ regex_two ) MATCH(m:Group {name:"DOMAIN ADMINS@CONTOSO.LOCAL"}),p=shortestPath((n)-[r:MemberOf|HasSession|AdminTo|AllExtendedRights|AddMember|ForceChangePassword|GenericAll|GenericWrite|Owns|WriteDacl|WriteOwner|CanRDP|ExecuteDCOM|AllowedToDelegate|ReadLAPSPassword|Contains|GpLink|AddAllowedToAct|AllowedToAct*1..]->(m)) RETURN p
|
2020/06/20 |
Unprivileged Users Edges to All Nodes |
Find all the Edges that any UNPRIVILEGED user (based on the admincount:False) has against all the nodes |
Ryan Hausknecht (@haus3c) |
MATCH (n:User {admincount:False}) MATCH (m) WHERE NOT m.name = n.name MATCH p=allShortestPaths((n)-[r:MemberOf|HasSession|AdminTo|AllExtendedRights|AddMember|ForceChangePassword|GenericAll|GenericWrite|Owns|WriteDacl|WriteOwner|CanRDP|ExecuteDCOM|AllowedToDelegate|ReadLAPSPassword|Contains|GpLink|AddAllowedToAct|AllowedToAct|SQLAdmin*1..]->(m)) RETURN p LIMIT 10
|
2020/06/20 |
Unprivileged Users ACL abusing other Users |
Find interesting edges related to “ACL Abuse” that uprivileged users have against other users |
Ryan Hausknecht (@haus3c) |
MATCH (n:User {admincount:False}) MATCH (m:User) WHERE NOT m.name = n.name MATCH p=allShortestPaths((n)-[r:AllExtendedRights|ForceChangePassword|GenericAll|GenericWrite|Owns|WriteDacl|WriteOwner*1..]->(m)) RETURN p
|
2020/06/20 |
Workstations a user can RDP into |
Find workstations a user can RDP into. |
Ryan Hausknecht (@haus3c) |
MATCH p=(g:Group)-[:CanRDP]->(c:Computer) WHERE g.objectid ENDS WITH '-513' AND NOT c.operatingsystem CONTAINS 'Server' RETURN p
|
2020/06/20 |
All Domain Users Edges Against all Computers |
Find all the privileges (edges) of the domain users against the domain computers (e.g. CanRDP, AdminTo etc. HasSession edge is not included) |
Ryan Hausknecht (@haus3c) |
MATCH p1=shortestPath(((u1:User)-[r1:MemberOf*1..]->(g1:Group))) MATCH p2=(u1)-[*1]->(c:Computer) RETURN p2
|
2020/06/20 |
All Logged In Admins |
List of all logged in administrators |
Walter.Legowski (@SadProcessor) |
MATCH p=(a:Computer)-[r:HasSession]->(b:User) WITH a,b,r MATCH p=shortestPath((b)-[:AdminTo|MemberOf*1..]->(a)) RETURN b,a,r
|
2020/06/20 |
All Domain Admins |
List of all domain admins |
Walter.Legowski (@SadProcessor) |
MATCH (n:Group) WHERE n.name =~ "(?i).*DOMAIN ADMINS.*" WITH n MATCH (n)<-[r:MemberOf*1..]-(m) RETURN n,r,m
|
2020/06/20 |
Computers with Unconstrained Delegation |
Find all computers with Unconstrained Delegation |
Ryan Hausknecht (@haus3c) |
MATCH (c:Computer {unconstraineddelegation:true}) RETURN c
|
2020/06/20 |
Unprivileged Users ACL abusing Computers |
Find interesting edges related to “ACL Abuse” that unprivileged users have against computers |
Ryan Hausknecht (@haus3c) |
MATCH (n:User {admincount:False}) MATCH p=allShortestPaths((n)-[r:AllExtendedRights|GenericAll|GenericWrite|Owns|WriteDacl|WriteOwner|AdminTo|CanRDP|ExecuteDCOM|ForceChangePassword*1..]->(m:Computer)) RETURN p
|
2020/06/20 |
User Sessions in a Specific Domain |
Find all sessions any user in a specific domain has. |
Ryan Hausknecht (@haus3c) |
MATCH p=(m:Computer)-[r:HasSession]->(n:User {domain: "CONTOSO.LOCAL"}) RETURN p
|
2020/06/20 |
Top 10 Users with Most Local Admin Rights |
List of top 10 users with most local admin rights |
Walter.Legowski (@SadProcessor) |
MATCH (n:User),(m:Computer),(n)-[r:AdminTo]->(m) WHERE NOT n.name STARTS WITH 'ANONYMOUS LOGON' AND NOT n.name='' WITH n, count(r) as rel_count ORDER BY rel_count desc LIMIT 10 MATCH (m)<-[r:AdminTo]-(n) RETURN n,r,m
|
2020/06/20 |
View all GPOs |
View all GPOs |
Ryan Hausknecht (@haus3c) |
MATCH (n:GPO) RETURN n
|
2020/06/20 |
SPNs with keywords |
Find SPNs with keywords (swap SQL with whatever) |
Ryan Hausknecht (@haus3c) |
MATCH (u:User) WHERE ANY (x IN u.serviceprincipalnames WHERE toUpper(x) CONTAINS 'SQL') RETURN u.name
|
2020/06/20 |
Group with keywords |
Find a group with keywords. E.g. SQL ADMINS or SQL 2017 ADMINS |
Ryan Hausknecht (@haus3c) |
MATCH (g:Group) WHERE g.name =~ '(?i).SQL.ADMIN.*' RETURN g
|
2020/06/20 |
Kerberoastable Users with passwords last set > 5 years |
Find All Users with an SPN/Find all Kerberoastable Users with passwords last set > 5 years ago |
Ryan Hausknecht (@haus3c) |
MATCH (u:User) WHERE u.hasspn=true AND u.pwdlastset < (datetime().epochseconds - (1825 * 86400)) AND NOT u.pwdlastset IN [-1.0, 0.0] RETURN u.name, u.pwdlastset order by u.pwdlastset
|
2020/06/20 |
DA sessions not on a certain group |
DA sessions not on a certain group (e.g. domain controllers). |
Ryan Hausknecht (@haus3c) |
OPTIONAL MATCH (c:Computer)-[:MemberOf]->(t:Group) WHERE NOT t.name = 'DOMAIN CONTROLLERS@CONTOSO.LOCAL' WITH c as NonDC MATCH p=(NonDC)-[:HasSession]->(n:User)-[:MemberOf]->(g:Group {name:'DOMAIN ADMINS@CONTOSO.LOCAL'}) RETURN DISTINCT (n.name) as Username, COUNT(DISTINCT(NonDC)) as Connexions ORDER BY COUNT(DISTINCT(NonDC)) DESC
|
