From 49e8c1127fb58c501f8857179c904c03dc83a287 Mon Sep 17 00:00:00 2001 From: Mariusz B Date: Sun, 29 Mar 2020 19:32:28 +0200 Subject: [PATCH] Update Handy-BloodHound-Cypher-Queries.md --- red-teaming/Handy-BloodHound-Cypher-Queries.md | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/red-teaming/Handy-BloodHound-Cypher-Queries.md b/red-teaming/Handy-BloodHound-Cypher-Queries.md index c4a097f..1fc0c62 100644 --- a/red-teaming/Handy-BloodHound-Cypher-Queries.md +++ b/red-teaming/Handy-BloodHound-Cypher-Queries.md @@ -37,6 +37,11 @@ MATCH (u:User {hasspn: True}) WHERE NOT u.name starts with 'KRBTGT' RETURN u MATCH (A:User),(B:Group),p=shortestPath((A)-[*1..]->(B)) WHERE A.hasspn=true AND B.name STARTS WITH 'DOMAIN ADMINS' RETURN p ``` +- Finds owned objects that can control other computers: +``` +MATCH (m {owned: True}), (n), p=(m)-[:CanPSRemote|ExecuteDCOM|CanRDP|SQLAdmin|AdminTo]->(n) RETURN p +``` + - Return users that have PASSWORD_NOT_REQUIRED flag set in their UserAccountControl field (thus they have an empty password set) and are enabled ``` MATCH (n:User {enabled: True, passwordnotreqd: True}) RETURN n