Bloodhound queries: improve outdated OS and top 10 users queries and misc fixes #380

Merged
merged 2 commits into from
Sep 28, 2024
38 changes: 19 additions & 19 deletions sources/assets/bloodhound/customqueries.json
Expand Up @@ -475,7 +475,7 @@
"category": "Groups",
"queryList": [{
"final": true,
"query": "MATCH p=(m:Group)-[:ForceChangePassword]->(n:User) RETURN DISTINCT m[.]name, COUNT(m[.]name) ORDER BY COUNT(m[.]name) DESC"
"query": "MATCH p=(m:Group)-[:ForceChangePassword]->(n:User) RETURN DISTINCT m.name, COUNT(m.name) ORDER BY COUNT(m.name) DESC"
}]
},
{
Expand Down Expand Up @@ -614,55 +614,55 @@
"category": "Outdated OS",
"queryList": [{
"final": true,
"query": "MATCH (c:Computer) WHERE toUpper(c.operatingsystem) CONTAINS 'XP' RETURN c"
"query": "MATCH (c:Computer {enabled: TRUE}) WHERE toUpper(c.operatingsystem) CONTAINS 'XP' RETURN c"
}]
},
{
"name": "Find all computers running with Windows 2000",
"category": "Outdated OS",
"queryList": [{
"final": true,
"query": "MATCH (c:Computer) WHERE toUpper(c.operatingsystem) CONTAINS '2000' RETURN c"
"query": "MATCH (c:Computer {enabled: TRUE}) WHERE toUpper(c.operatingsystem) CONTAINS '2000' RETURN c"
}]
},
{
"name": "Find all computers running with Windows 2003",
"category": "Outdated OS",
"queryList": [{
"final": true,
"query": "MATCH (c:Computer) WHERE toUpper(c.operatingsystem) CONTAINS '2003' RETURN c"
"query": "MATCH (c:Computer {enabled: TRUE}) WHERE toUpper(c.operatingsystem) CONTAINS '2003' RETURN c"
}]
},
{
"name": "Find all computers running with Windows 2008",
"category": "Outdated OS",
"queryList": [{
"final": true,
"query": "MATCH (c:Computer) WHERE toUpper(c.operatingsystem) CONTAINS '2008' RETURN c"
"query": "MATCH (c:Computer {enabled: TRUE}) WHERE toUpper(c.operatingsystem) CONTAINS '2008' RETURN c"
}]
},
{
"name": "Find all computers running with Windows Vista",
"category": "Outdated OS",
"queryList": [{
"final": true,
"query": "MATCH (c:Computer) WHERE toUpper(c.operatingsystem) CONTAINS 'VISTA' RETURN c"
"query": "MATCH (c:Computer {enabled: TRUE}) WHERE toUpper(c.operatingsystem) CONTAINS 'VISTA' RETURN c"
}]
},
{
"name": "Find all computers running with Windows 7",
"category": "Outdated OS",
"queryList": [{
"final": true,
"query": "MATCH (c:Computer) WHERE toUpper(c.operatingsystem) CONTAINS '7' RETURN c"
"query": "MATCH (c:Computer {enabled: TRUE}) WHERE toUpper(c.operatingsystem) CONTAINS '7' RETURN c"
}]
},
{
"name": "Top Ten Users with Most Sessions",
"category": "Top Ten",
"queryList": [{
"final": true,
"query": "MATCH (n:User),(m:Computer), (n)<-[r:HasSession]-(m) WHERE NOT n.name STARTS WITH 'ANONYMOUS LOGON' AND NOT n.name='' WITH n, count(r) AS rel_count order by rel_count desc LIMIT 10 MATCH p=(m)-[r:HasSession]->(n) RETURN p",
"query": "MATCH (n:User {enabled: TRUE})<-[r:HasSession]-(m:Computer {enabled: TRUE}) WHERE NOT n.name STARTS WITH 'ANONYMOUS LOGON' AND NOT n.name='' WITH n, COUNT(r) AS rel_count ORDER BY rel_count DESC LIMIT 10 MATCH p=(m)-[r:HasSession]->(n) RETURN p",
"allowCollapse": true
}]
},
Expand All @@ -671,43 +671,43 @@
"category": "Top Ten",
"queryList": [{
"final": true,
"query": "MATCH (n:User),(m:Computer), (n)<-[r:HasSession]-(m) WHERE NOT n.name STARTS WITH 'ANONYMOUS LOGON' AND NOT n.name='' WITH m, count(r) AS rel_count order by rel_count desc LIMIT 10 MATCH p=(m)-[r:HasSession]->(n) RETURN p",
"query": "MATCH (n:User {enabled: TRUE})<-[r:HasSession]-(m:Computer {enabled: TRUE}) WHERE NOT n.name STARTS WITH 'ANONYMOUS LOGON' AND NOT n.name='' WITH m, COUNT(r) AS rel_count ORDER BY rel_count DESC LIMIT 10 MATCH p=(m)-[:HasSession]->(n) RETURN p",
"allowCollapse": true
}]
},
{
"name": "Top Ten Users with Most Local Admin Rights",
"name": "Top Ten Users (not Domain Admins or Entreprise Admins) with most local admin rights",
"category": "Top Ten",
"queryList": [{
"final": true,
"query": "MATCH (n:User),(m:Computer), (n)-[r:AdminTo]->(m) WHERE NOT n.name STARTS WITH 'ANONYMOUS LOGON' AND NOT n.name='' WITH n, count(r) AS rel_count order by rel_count desc LIMIT 10 MATCH p=(m)<-[r:AdminTo]-(n) RETURN p",
"query": "MATCH (u:User {enabled: TRUE})-[:MemberOf*1..]->(g:Group) WHERE g.objectid =~ '.*-(512|519|(?i)S-1-5-32-544)$' WITH COLLECT(u.objectid) AS domainAdmins MATCH (n:User {enabled: TRUE})-[r:AdminTo]->(m:Computer {enabled: TRUE}) WHERE NOT n.objectid IN domainAdmins AND NOT n.name STARTS WITH 'ANONYMOUS LOGON' AND NOT n.name='' WITH n, COUNT(r) AS rel_count ORDER BY rel_count DESC LIMIT 10 MATCH p=(n)-[:AdminTo]->(m:Computer {enabled: TRUE}) RETURN p",
"allowCollapse": true
}]
},
{
"name": "Top Ten Computers with Most Admins and their admins",
"name": "Top Ten Computers with most local admin rights (not Domain Admins or Entreprise Admins) and their admins",
"category": "Top Ten",
"queryList": [{
"final": true,
"query": "MATCH (n:User),(m:Computer), (n)-[r:AdminTo]->(m) WHERE NOT n.name STARTS WITH 'ANONYMOUS LOGON' AND NOT n.name='' WITH m, count(r) AS rel_count order by rel_count desc LIMIT 10 MATCH p=(m)<-[r:AdminTo]-(n) RETURN p",
"query": "MATCH (u:User {enabled: TRUE})-[:MemberOf*1..]->(g:Group) WHERE g.objectid =~ '.*-(512|519|(?i)S-1-5-32-544)$' WITH COLLECT(u.objectid) AS domainAdmins MATCH (n:User {enabled: TRUE})-[r:AdminTo]->(m:Computer {enabled: TRUE}) WHERE NOT n.objectid IN domainAdmins AND NOT n.name STARTS WITH 'ANONYMOUS LOGON' AND NOT n.name='' WITH m, COUNT(r) AS rel_count ORDER BY rel_count DESC LIMIT 10 MATCH p=(m)<-[:AdminTo]-(n:User {enabled: TRUE}) RETURN p",
"allowCollapse": true
}]
},
{
"name": "Top Ten Computers with Most Admins",
"name": "Top Ten Computers with most admins (not Domain Admins or Entreprise Admins)",
"category": "Top Ten",
"queryList": [{
"final": true,
"query": "MATCH (n:User),(m:Computer), (n)-[r:AdminTo]->(m) WHERE NOT n.name STARTS WITH 'ANONYMOUS LOGON' AND NOT n.name='' WITH m, count(r) AS rel_count order by rel_count desc LIMIT 10 MATCH p=(m)<-[r:AdminTo]-(n) RETURN m",
"query": "MATCH (u:User {enabled: TRUE})-[:MemberOf*1..]->(g:Group) WHERE g.objectid =~ '.*-(512|519|(?i)S-1-5-32-544)$' WITH COLLECT(u.objectid) AS domainAdmins MATCH (n:User {enabled: TRUE})-[r:AdminTo]->(m:Computer {enabled: TRUE}) WHERE NOT n.objectid IN domainAdmins AND NOT n.name STARTS WITH 'ANONYMOUS LOGON' AND NOT n.name='' WITH m, COUNT(r) AS rel_count ORDER BY rel_count DESC LIMIT 10 MATCH (m)<-[:AdminTo]-(o:User {enabled: TRUE}) RETURN m",
"allowCollapse": true
}]
},
{
"name": "(Warning: edits the DB) Mark Top Ten Computers with Most Admins as HVT",
"name": "(Warning: edits the DB) Mark Top Ten Computers with most admins (not Domain Admins or Entreprise Admins) as HVT",
"category": "Top Ten",
"queryList": [{
"final": true,
"query": "MATCH (n:User),(m:Computer), (n)-[r:AdminTo]->(m) WHERE NOT n.name STARTS WITH 'ANONYMOUS LOGON' AND NOT n.name='' WITH m, count(r) AS rel_count order by rel_count desc LIMIT 10 MATCH p=(m)<-[r:AdminTo]-(n) SET m.highvalue = true RETURN m",
"query": "MATCH (u:User {enabled: TRUE})-[:MemberOf*1..]->(g:Group) WHERE g.objectid =~ '.*-(512|519|(?i)S-1-5-32-544)$' WITH COLLECT(u.objectid) AS domainAdmins MATCH (n:User {enabled: TRUE})-[r:AdminTo]->(m:Computer {enabled: TRUE}) WHERE NOT n.objectid IN domainAdmins AND NOT n.name STARTS WITH 'ANONYMOUS LOGON' AND NOT n.name='' WITH m, COUNT(r) AS rel_count ORDER BY rel_count DESC LIMIT 10 MATCH (m)<-[:AdminTo]-(o:User {enabled: TRUE}) SET m.highvalue = true RETURN m",
"allowCollapse": true
}]
},
Expand Down Expand Up @@ -993,7 +993,7 @@
}]
},
{
"name": "Find Unsecured Certificate Templates - Domain Escalation (ESC9)",
"name": "Find insecure Certificate Templates - Domain Escalation (ESC9)",
"category": "AD CS Domain Escalation",
"queryList": [
{
Expand All @@ -1003,7 +1003,7 @@
]
},
{
"name": "Find Unsecured Certificate Templates - PKI (ESC9)",
"name": "Find insecure Certificate Templates - PKI (ESC9)",
"category": "AD CS Domain Escalation",
"queryList": [
{
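Review bot: In the second Top Ten session query of the @@ -671 hunk, `n` goes out of scope at `WITH m, COUNT(r) AS rel_count`, so the final `MATCH p=(m)-[:HasSession]->(n)` binds a fresh `n` that carries none of the `User {enabled: TRUE}` and name filters the count was built on, and the same happens to `m` in the Top Ten Users query of the @@ -614 hunk (`MATCH p=(m)-[r:HasSession]->(n)`). Re-apply the labels there as the AdminTo queries already do, e.g. `MATCH p=(m)-[:HasSession]->(n:User {enabled: TRUE}) RETURN p` and `MATCH p=(m:Computer {enabled: TRUE})-[r:HasSession]->(n) RETURN p`. In the two queries that end with `MATCH (m)<-[:AdminTo]-(o:User {enabled: TRUE})`, that trailing MATCH contributes nothing to `RETURN m` but yields one row per admin, so drop it or use `RETURN DISTINCT m` (the `SET m.highvalue = true` variant is idempotent either way). The renamed entries spell "Entreprise" and say only Domain/Enterprise Admins are excluded, while the regex `(512|519|(?i)S-1-5-32-544)` also excludes members of BUILTIN\Administrators; the names should reflect that, e.g. `"Top Ten Users (not Domain Admins, Enterprise Admins or Administrators) with most local admin rights"`.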