From b22d7a5c792b99eba81f501d91c5d5a3da24bd50 Mon Sep 17 00:00:00 2001 From: "Mariusz B. / mgeeky" Date: Sat, 24 Sep 2022 23:58:37 +0200 Subject: [PATCH] Updated Handy-BloodHound-Cypher-Queries --- red-teaming/bloodhound/Handy-BloodHound-Cypher-Queries.md | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/red-teaming/bloodhound/Handy-BloodHound-Cypher-Queries.md b/red-teaming/bloodhound/Handy-BloodHound-Cypher-Queries.md index fea31a4..86f8573 100644 --- a/red-teaming/bloodhound/Handy-BloodHound-Cypher-Queries.md +++ b/red-teaming/bloodhound/Handy-BloodHound-Cypher-Queries.md @@ -370,6 +370,12 @@ MATCH (u1:Computer)-[:AdminTo]->(c1:Computer {signing: false}) RETURN u1.name, c MATCH (u2)-[:MemberOf*1..]->(g:Group)-[:AdminTo]->(c2 {signing: false}) RETURN u2.name, c2.name ``` +- PrivExchange audit: Finds computers that are members of "Exchange Trusted Subsystem" group, which has admin rights over all its members. This way, we could execute authentication coercion attack against one exchange server and relay it to another, thus obtaining SYSTEM over that another Exchange server: +``` +MATCH p=(c:Computer)-[r1:MemberOf*1..]->(g:Group)-[r2:AdminTo]->(n:Computer) RETURN p +``` + + ### GPOs - Print GPO names and their container paths:
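Review bot: the query in the added PrivExchange bullet never restricts `g` to the group its description names, so it returns every computer that is a member of any group holding `AdminTo` over any computer, not only members of "Exchange Trusted Subsystem". For the audit to match its description, filter on the group name, for example `WHERE g.name STARTS WITH 'EXCHANGE TRUSTED SUBSYSTEM@'` (BloodHound stores group names upper-cased as NAME@DOMAIN), and add `c <> n` so a host is not reported as a path to itself. The description also says the group has admin rights over all its members, but the pattern does not require `n` to be a member of `g`; either add that condition or reword the bullet. The bindings `r1` and `r2` are unused and can be dropped.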