Git/mgeeky-Penetration-Testing-Tools
1
0
Fork 0
mirror of https://github.com/mgeeky/Penetration-Testing-Tools.git synced 2025-09-03 02:28:34 +02:00
Code Issues Packages Projects Releases Wiki Activity

Handy-BloodHound-Cypher-Queries.md updated.

Browse Source
This commit is contained in:
Mariusz B. / mgeeky
2022-04-13 16:42:31 +02:00
parent 36864d57cf
commit ad47ea57d5
5 changed files with 55 additions and 21 deletions
Download Patch File Download Diff File Expand all files Collapse all files

33
red-teaming/Handy-BloodHound-Cypher-Queries.md
View File

@ -25,6 +25,8 @@ MATCH (u {highvalue: true}) WHERE toLower(u.name) ENDS WITH "" RETURN
MATCH (c {hasspn: True}) RETURN c.name as name, c.allowedtodelegate as AllowedToDelegate, c.unconstraineddelegation as UnconstrainedDelegation, c.admincount as AdminCount, c.serviceprincipalnames as SPNs
```
### Principals with most Outbound Controlled objects
- Returns Top 100 **Outbound Control Rights** --> **First Degree Object Control** principals in domain:
```
MATCH p=(u)-[r1]->(n) WHERE r1.isacl=true
@ -59,6 +61,37 @@ ORDER BY controlled DESC
LIMIT 50
```
- Returns principals having more than 1000 **Outbound Control Rights** --> **First Degree Object Control** controlled:
```
MATCH p=(u)-[r1]->(n) WHERE r1.isacl=true
WITH u.name as name, LABELS(u)[1] as type,
COUNT(DISTINCT(n)) as controlled
WHERE name IS NOT NULL AND controlled > 1000
RETURN type, name, controlled
ORDER BY controlled DESC
```
- Returns principals having more than 1000 **Outbound Control Rights** --> **Group Delegated Object Control** controlled and whether that object is member of high privileged group (such a `Domain Admins` or `Domain Controllers`):
```
MATCH p=(u)-[r1:MemberOf*1..]->(g:Group)-[r2]->(n) WHERE r2.isacl=true
WITH u.name as name, LABELS(u)[1] as type, g.highvalue as highly_privileged,
COUNT(DISTINCT(n)) as controlled
WHERE name IS NOT NULL AND controlled > 1000
RETURN type, name, highly_privileged, controlled
ORDER BY controlled DESC
```
- Returns principals having more than 1000 **Outbound Control Rights** --> **Transitive Object Control** controlled (TAKES ENORMOUS TIME TO COMPUTE! You were warned):
```
MATCH p=shortestPath((u)-[r1:MemberOf|AddMember|AllExtendedRights|ForceChangePassword|GenericAll|GenericWrite|WriteDacl|WriteOwner|Owns*1..]->(n))
WHERE u<>n
WITH u.name as name, LABELS(u)[1] as type,
COUNT(DISTINCT(n)) as controlled
WHERE name IS NOT NULL AND controlled > 1000
RETURN type, name, controlled
ORDER BY controlled DESC
```
### Users
- Pulls users eligible for ASREP roasting

1
red-teaming/PackMyPayload

Submodule red-teaming/PackMyPayload deleted from 9707453f60