BloodHound Cypher Queries (custom queries for the BloodHound / Neo4j graph)
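// Return all users
MATCH (u:User) RETURN u

// Return all computers
MATCH (c:Computer) RETURN c

// Return the users whose name contains "ADMIN".
// In Cypher `=~` is a full-string regex match, so ".ADMIN." would only match
// 7-character names such as "XADMINY"; ".*ADMIN.*" is needed for "contains".
// Names are normally collected upper-cased (USER@DOMAIN.LOCAL); prefix the
// pattern with "(?i)" if the dataset contains mixed-case names.
MATCH (u:User) WHERE u.name =~ ".*ADMIN.*" RETURN u.name

// Return all users and the computers they are local admin to
MATCH p = (u:User)-[:AdminTo]->(c:Computer) RETURN p

// Same as above, restricted to users whose name contains "ADMIN"
MATCH p = (u:User)-[:AdminTo]->(c:Computer)
WHERE u.name =~ ".*ADMIN.*"
RETURN p

// Shortest paths of 1 to 3 hops from every node marked owned to any other node.
// Only outbound edges are followed; `NOT c = s` drops zero-length self paths.
MATCH p = shortestPath((c {owned: true})-[*1..3]->(s))
WHERE NOT c = s
RETURN p

// Shortest paths from nodes that are not high value to Domain Admins, excluding
// nodes that are already (directly or transitively) members of a high-value group.
// Domain Admins is located by its well-known RID (objectid ending in -512) instead
// of a hard-coded 'DOMAIN ADMINS@<DOMAIN>' name, so the query needs no per-domain
// edit; in a multi-domain dataset it matches every domain's Domain Admins group.
// Variable-length patterns need the `*` (`[*1..]`, `[:MemberOf*1..]`); without it
// the query is a syntax error. Nodes with no highvalue property at all are not
// matched by `{highvalue: false}`.
MATCH (g:Group) WHERE g.objectid ENDS WITH '-512'
MATCH p = shortestPath((u {highvalue: false})-[*1..]->(g))
WHERE NOT (u)-[:MemberOf*1..]->(:Group {highvalue: true})
RETURN p

// List all owned users
MATCH (m:User) WHERE m.owned = true RETURN m

// List all owned computers
MATCH (m:Computer) WHERE m.owned = true RETURN m

// List all owned groups (label syntax is `m:Group`, not `m.Group`)
MATCH (m:Group) WHERE m.owned = true RETURN m

// List all high value targets, whatever their label.
// Cypher identifiers are case-sensitive: the variable is `m`, so `RETURN M` fails.
MATCH (m) WHERE m.highvalue = true RETURN m

// List the groups (direct and nested) of all owned users
MATCH (m:User) WHERE m.owned = true
WITH m
MATCH p = (m)-[:MemberOf*1..]->(n:Group)
RETURN p

// Find all Kerberoastable users (user accounts that have an SPN)
MATCH (n:User) WHERE n.hasspn = true RETURN n

// Kerberoastable users whose password was last set MORE than 5 years ago.
// The condition selects pwdlastset earlier than now - 1825 days, i.e. old
// passwords (the better cracking targets); a heading that says "less than
// 5 years ago" describes the opposite of what this query returns.
// -1.0 and 0.0 are "never set" sentinel values and are excluded.
MATCH (u:User)
WHERE u.hasspn = true
  AND u.pwdlastset < (datetime().epochseconds - (1825 * 86400))
  AND NOT u.pwdlastset IN [-1.0, 0.0]
RETURN u.name, u.pwdlastset
ORDER BY u.pwdlastset

// Kerberoastable users with a path to Domain Admins (RID -512; matches every
// domain's Domain Admins group in a multi-domain dataset)
MATCH (u:User {hasspn: true})
MATCH (g:Group) WHERE g.objectid ENDS WITH '-512'
MATCH p = shortestPath((u)-[*1..]->(g))
RETURN p

// Computers that Domain Users (RID -513) can RDP into.
// The path must be bound with `p =`; `match p(g:Group)` is a syntax error.
// The CanRDP edge is collected rights data: whether TCP/3389 is actually
// reachable from your position still has to be verified on the network.
MATCH p = (g:Group)-[:CanRDP]->(c:Computer)
WHERE g.objectid ENDS WITH '-513'
RETURN p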