From b44a6888f844af38b205ed170576e910ee7b66fe Mon Sep 17 00:00:00 2001
From: mgeeky
Date: Mon, 11 Apr 2022 12:59:09 +0200
Subject: [PATCH] Handy BloodHound Cypher Queries updated.
---
 red-teaming/Handy-BloodHound-Cypher-Queries.md | 16 ++--------------
 1 file changed, 2 insertions(+), 14 deletions(-)
diff --git a/red-teaming/Handy-BloodHound-Cypher-Queries.md b/red-teaming/Handy-BloodHound-Cypher-Queries.md
index 0ad1db6..6e4dc7b 100644
--- a/red-teaming/Handy-BloodHound-Cypher-Queries.md
+++ b/red-teaming/Handy-BloodHound-Cypher-Queries.md
@@ -311,21 +311,9 @@ MATCH (o:OU)-[:Contains]->(c) RETURN o.name,o.guid, COUNT(c) ORDER BY COUNT(c) D
 
 ### Other
 
-- Retrieves nodes having particular juicy keywords in their description properties:
+- Retrieves nodes having particular juicy keywords in their name or description properties:
 ```
-MATCH (n) WHERE n.description CONTAINS 'pass' RETURN n.name, n.description UNION
-MATCH (n) WHERE n.description CONTAINS 'secret' RETURN n.name, n.description UNION
-MATCH (n) WHERE n.description CONTAINS 'admin' RETURN n.name, n.description UNION
-MATCH (n) WHERE n.description CONTAINS 'sensitive' RETURN n.name, n.description
-```
-
-- Show only owned nodes of the above ones:
-```
-MATCH (n) WHERE n.description CONTAINS 'pass' and n.owned = TRUE RETURN n.name, n.description UNION
-MATCH (n) WHERE n.description CONTAINS 'secret' and n.owned = TRUE RETURN n.name, n.description UNION
-MATCH (n) WHERE n.description CONTAINS 'admin' and n.owned = TRUE RETURN n.name, n.description UNION
-MATCH (n) WHERE n.description CONTAINS 'sensitive' and n.owned = TRUE RETURN n.name, n.description UNION
-MATCH (n) WHERE n.description CONTAINS '\\' and n.owned = TRUE RETURN n.name, n.description
+UNWIND ["admin", "amministratore", "contrase", "empfidlich", "geheim", "hasło", "important", "azure", "MSOL", "Kennwort", "parol", "parola", "pass", "passe", "secret", "secreto", "segreto", "sekret", "sensibil", "sensibile", "sensible", "sensitive", "wrażliw"] AS word MATCH (n) WHERE (toLower(n.name) CONTAINS toLower(word)) OR (toLower(n.description) CONTAINS toLower(word)) RETURN word, n.name, n.description ORDER BY n.name
 ```
 
 - Retrieves nodes that contain UNC paths to SMB shares in their description fields:
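Review bot: The keyword `"empfidlich"` in the added `UNWIND` list looks like a misspelling of German `empfindlich`, so that entry will presumably never match; suggest `"empfindlich"`. Several entries are substrings of others (`"pass"`/`"passe"`, `"parol"`/`"parola"`, `"secret"`/`"secreto"`, `"sensibil"`/`"sensibile"`), so with `CONTAINS` the longer ones find no additional nodes and only repeat a node once per matching word; dropping them shortens the output. `toLower(word)` is evaluated for every node although only `"MSOL"` and `"Kennwort"` are mixed-case, so writing the list in lower case would let the predicate read `toLower(n.name) CONTAINS word`. Because short terms such as `"pass"` and `"admin"` now also match ordinary node names, the heading could say that the returned `word` column is there to help triage hits when auditing name and description fields for stored credentials.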