cypher

clouds/azure/AzureRT

@@ -1 +1 @@
-Subproject commit 9aa8a2a623077cae13922ba8a9cabe1d17bc5a5c
+Subproject commit a1f5ba28880e6470fa3e8a59ba50388272db1839

file-formats/PackMyPayload

@@ -1 +1 @@
-Subproject commit 75f6270d0417d749b56c718d0d8ad0003c74d785
+Subproject commit 6ce9975ae639ac16b7dce5c6461a066d8988cec8

phishing/decode-spam-headers

@@ -1 +1 @@
-Subproject commit 7d3c3b5991cb430d6ff9c66c794688d67d5baa75
+Subproject commit 9bc13dacc3e21ab9774b059f73f8daadfccdebf6

red-teaming/bloodhound/Handy-BloodHound-Cypher-Queries.md

@@ -131,6 +131,13 @@ RETURN name, description, days_since_pwdlastset, pwdlastset
 ORDER BY days_since_pwdlastset DESC 
 ```
 
+- Pulls kerberoastable Users belonging to critical groups such as Domain Admins, Schema Admins, Domain Controllers, Enterprise Admins:
+```
+MATCH (u:User {hasspn: True})-[r:MemberOf*1..]->(n:Group) 
+WHERE (n.objectid =~ "(?i)S-1-5-.*-512") OR (n.objectid =~ "(?i)S-1-5-.*-516") OR (n.objectid =~ "(?i)S-1-5-.*-518") OR (n.objectid =~ "(?i)S-1-5-.*-519") OR (n.objectid =~ "(?i)S-1-5-.*-520") OR (n.objectid =~ "(?i)S-1-5-.*-544") OR (n.objectid =~ "(?i)S-1-5-.*-548") OR (n.objectid =~ "(?i)S-1-5-.*-549") OR (n.objectid =~ "(?i)S-1-5-.*-551")
+RETURN u.name AS UserName, n.name AS GroupName, u.displayname As DisplayName, u.description As Descrition
+```
+
 - Pulls users eligible for ASREP roasting
 ```
 MATCH (u:User {dontreqpreauth: true}) RETURN u.name, u.displayname, u.description, u.objectid