Custom Queries for Bloodhound AD
My set of custom queries, run via http://localhost:7474/browser/ or the Neo4j Browser app.
Useful queries whose results can be exported to .csv:
Check for passwords in User Description.
MATCH (u:User) return u.name, u.displayname, u.description
or
MATCH (u:User) WHERE NOT u.description=[] return u.name, u.displayname, u.description
Check for outdated systems: Windows 8 and 8.1 (support ended Jan 2023) / Server 2012 (Oct 2023).
// \b word boundaries keep e.g. "Windows 10 Home" (contains "me") and build numbers containing 7 or 8 from matching
MATCH (n:Computer) WHERE n.operatingsystem =~ "(?i).*\\b(2000|2003|2008|2012|xp|vista|7|8|me|98|95)\\b.*" RETURN n.name, n.operatingsystem
Check for Computers without LAPS.
MATCH (c:Computer) WHERE c.haslaps=FALSE RETURN c.name, c.haslaps, c.domain
or
MATCH (c:Computer) WHERE c.haslaps=FALSE RETURN c.name, c.haslaps, c.enabled, c.domain
Password Never Expires!
MATCH (m:User) WHERE m.pwdneverexpires=TRUE RETURN m.name, m.pwdneverexpires
or
MATCH (m:User) WHERE m.pwdneverexpires=TRUE RETURN m.name, m.pwdneverexpires, m.pwdlastset
Check users and which computers they are AdminTo (second variant: only users without admincount set).
MATCH p=(m:User)-[r:AdminTo]->(n:Computer) Return m.name, n.name
or
MATCH p=(m:User)-[r:AdminTo]->(n:Computer) where m.admincount = false Return m.name, n.name
Find all users with an SPN (Kerberoastable).
MATCH (n:User) WHERE n.hasspn=true RETURN n.name, n.pwdlastset
Find all Kerberoastable users whose password was last set more than 5 years ago (the `<` keeps the older ones; -1.0/0.0 mean never set). pwdlastset is epoch time -> use a converter https://www.epochconverter.com/batch
MATCH (u:User) WHERE u.hasspn=true AND u.pwdlastset < (datetime().epochseconds - (1825 * 86400)) AND NOT u.pwdlastset IN [-1.0, 0.0] RETURN u.name, u.pwdlastset ORDER BY u.pwdlastset
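Instead of pasting the exported pwdlastset column into an online converter, the following added Python helper (not part of the original query set) does the conversion offline on the .csv that Neo4j Browser exports for the query above: it turns each epoch value into a UTC date and a password age in days, treats the -1.0/0.0 sentinels as "never set", flags entries older than the 1825-day threshold and sorts oldest first. The sample CSV and the reference date are constructed.

```python
import csv
import io
from datetime import datetime, timezone

# Constructed sample of the CSV export of the Kerberoastable query (assumed column names)
SAMPLE_CSV = """u.name,u.pwdlastset
"SVC_SQL@CORP.LOCAL",1262304000.0
"SVC_WEB@CORP.LOCAL",1672531200.0
"SVC_OLD@CORP.LOCAL",-1.0
"""

NEVER_SET = {-1.0, 0.0}          # sentinels SharpHound writes when pwdlastset is absent
THRESHOLD_DAYS = 1825            # same 5-year window as the Cypher query
REFERENCE_NOW = datetime(2024, 1, 1, tzinfo=timezone.utc)  # constructed "now" for reproducible output


def password_age_days(pwdlastset, now=None):
    """Age of the password in whole days, or None for the never-set sentinels."""
    if pwdlastset in NEVER_SET:
        return None
    now = now or datetime.now(timezone.utc)
    set_at = datetime.fromtimestamp(pwdlastset, tz=timezone.utc)
    return (now - set_at).days


def annotate_export(csv_text, now=None, threshold_days=THRESHOLD_DAYS):
    """Parse the exported CSV and add readable date, age and an over-threshold flag per user."""
    rows = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        ts = float(row["u.pwdlastset"])
        age = password_age_days(ts, now)
        rows.append({
            "name": row["u.name"],
            "pwdlastset_utc": None if age is None
            else datetime.fromtimestamp(ts, tz=timezone.utc).strftime("%Y-%m-%d"),
            "age_days": age,
            "older_than_threshold": age is not None and age > threshold_days,
        })
    # oldest passwords first; never-set entries go last
    rows.sort(key=lambda r: (r["age_days"] is None, -(r["age_days"] or 0)))
    return rows


if __name__ == "__main__":
    for r in annotate_export(SAMPLE_CSV, now=REFERENCE_NOW):
        print(f'{r["name"]:<25} {str(r["pwdlastset_utc"]):<12} '
              f'{str(r["age_days"]):>6} days  old={r["older_than_threshold"]}')
```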
Mark all members (including nested) of the Domain Admins group (RID 512) as high value (more in custom queries).
MATCH p=(n:Group)<-[:MemberOf*1..]-(m) WHERE n.objectid =~ "(?i)S-1-5-.*-512" SET m.highvalue = true RETURN m
E-mail list from AD.
MATCH (u:User) WHERE NOT u.email=[] RETURN u.name,u.email
Free passwords? (users with a populated unixpassword attribute)
MATCH (u:User) WHERE NOT u.unixpassword=[] return u.name, u.displayname, u.unixpassword
Users that never logged in but are enabled.
MATCH (n:User) WHERE n.lastlogontimestamp=-1.0 AND n.enabled=TRUE RETURN n.name, n.lastlogontimestamp
### After Crackhound: user has a plaintext password and is enabled.
MATCH (u:User) where u.plaintext=True AND u.enabled=True RETURN u.name, u.plaintextpassword
Manual Crackhound: username and domain are all capital letters. Username, hash and password need to be in quotes.
MATCH (u:User) where u.name="<BH_USER@DOMAIN>" set u.plaintextpassword="<S3c3t5>" set u.nthash="<HASH>" set u.owned=True set u.plaintext=True return u
Users for Azure? (enabled users with a plaintext password and an e-mail address)
MATCH (u:User) where u.plaintext=True AND u.enabled=True and not u.email = [] RETURN u.email, u.plaintextpassword
Thanks to @_wald0, @CptJesus, @harmj0y and @BloodhoundAD for the tool itself, to @hausec and @ly4k for their queries used as a template, and of course to certipy.