Bloodhound Cypher Queries

Return all users

MATCH (u:User) RETURN u

Return all computers

MATCH (c:Computer) RETURN c

Return the users with the name containing "ADMIN"

MATCH (u:User) WHERE u.name =~ ".ADMIN." RETURN u.name

Return all the users and the computer they are admin to

MATCH p = (u:User)-[:AdminTo]->(c:Computer) RETURN p

Return the users with the name containing "ADMIN" and the computer they are admin to

MATCH p = (u:User)-[:AdminTo]->(c:Computer) WHERE u.name =~ ".ADMIN." RETURN p 
MATCH p=shortestPath((c {owned: true})-[*1..3]->(s)) WHERE NOT c = s RETURN p 
MATCH p=shortestPath((u {highvalue: false})-[1..]->(g:Group {name: 'DOMAIN [email protected]'})) WHERE NOT (u)-[:MemberOf1..]->(:Group {highvalue: true}) RETURN p

List all owned users

MATCH (m:User) WHERE m.owned=TRUE RETURN m

List all owned computers

MATCH (m:Computer) WHERE m.owned=TRUE RETURN m

List all owned groups

MATCH (m.Group) WHERE m.owned=TRUE RETURN m

List all high value targets

MATCH (m) WHERE m.highvalue=TRUE RETURN M

List the groups of all owned users

MATCH (m.User) WHERE m.owned=TRUE WITH m MATCH p=(m) - [:MemberOf*1..] - > (n:Group) RETURN p

Find all Kerberostable Users

MATCH (n:User) WHERE n.hasspn=true RETURN n

Find all users with an SPN/find all kerberostable users with passwords last set less than 5 years ago

MATCH (u:User) WHERE u.hasspn=true AND u.pwdlastset < (datetime().epochseconds - (1825 * 86400)) AND NOT u.pwdlastset IN [-1.0, 0.0] RETURN u.name, u.pwdlastset order by u.pwdlastset

Find kerberostable users with a path to DA

MATCH (u:User {hasspn:true}) MATCH (g:Group) WHERE g.objectid ENDS WITH '-512' MATCH p=shortestPath( (u)-[*1..]->(g) ) RETURN p

Find machines Domain Users can RDP into

match p(g:Group)-[:CanRDP]->(c:Computer) where g.objectid ENDS WITH '-513' return p

PreviousBloodhound NextImpacket-install

Last updated 2 years ago