hausec / bloodhound-custom-queries
Custom Query list for the Bloodhound GUI based off my cheatsheet
Currently query reads: "query": "OPTIONAL MATCH (u1:User) WHERE u1.hasspn=true OPTIONAL MATCH (u1)-[r:AdminTo]->(c:Computer) RETURN u"
Should read: "query": "OPTIONAL MATCH (u1:User) WHERE u1.hasspn=true OPTIONAL MATCH (u1)-[r:AdminTo]->(c:Computer) RETURN u1"
Although, even with that, the data I'm looking at only returns the kerberoastable accounts. I tried adding ",c" to the end of the query and I do get the machines, but it's missing the relationship between the two. When I tried adding "r" as well, it went back to producing only kerberoastable accounts.
I'll leave here some fixes to the customqueries.json, just in case someone stumbles upon these errors.

Query: Find all sessions a user in a specific domain has / Find an object from domain 'A' that can do anything to a foreign object
Fix: {domain:{result}} for {domain: $result}

Query: Find Kerberoastable users and where they are AdminTo
Fix: RETURN u for RETURN u1

Query: Find All Users with an SPN / Find all Kerberoastable Users with passwords last set > 5 years ago
Fix: the WHERE keyword in AND WHERE u.pwdlastset; n.hasspn for u.hasspn

Query: Find all computers with unsupported operating systems
Fix: MATCH (H:Computer) WHERE H.operatingsystem =~ '(?i).*(2000|2003|2008|xp|vista|7|me).*' RETURN H

This update is based on a comment in the original blog.
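The defects listed above (a RETURN that names a variable the MATCH never bound, the pre-Neo4j-4 `{result}` parameter form, and a second WHERE glued on with AND) are all mechanically detectable before a query is loaded into the GUI. The linter below is an added example, not code from this repository: it assumes only the customqueries.json shape BloodHound uses (a top-level "queries" list whose entries carry a "queryList" of Cypher steps), and the embedded sample queries are constructed to reproduce the reported patterns rather than copied from the real file.

```python
import json
import re

# Constructed sample in the shape of BloodHound's customqueries.json (a top-level
# "queries" list; each entry carries a "queryList" of Cypher steps). The queries
# themselves are assumptions written to reproduce the defect patterns reported in
# this thread, not the repository's real file contents.
SAMPLE_CUSTOMQUERIES = json.dumps({
    "queries": [
        {"name": "Find Kerberoastable users and where they are AdminTo",
         "queryList": [{"final": True, "query":
             "OPTIONAL MATCH (u1:User) WHERE u1.hasspn=true "
             "OPTIONAL MATCH (u1)-[r:AdminTo]->(c:Computer) RETURN u"}]},
        {"name": "Find all sessions a user in a specific domain has",
         "queryList": [
             {"final": False, "query": "MATCH (d:Domain) RETURN d.name ORDER BY d.name DESC"},
             {"final": True, "query":
              "MATCH (u:User {domain:{result}})-[r:HasSession]->(c:Computer) RETURN u,r,c"}]},
        {"name": "Find all Kerberoastable Users with passwords last set > 5 years ago",
         "queryList": [{"final": True, "query":
             "MATCH (u:User) WHERE n.hasspn=true AND WHERE u.pwdlastset < "
             "(datetime().epochseconds - (5 * 365 * 86400)) RETURN u"}]},
    ]
})

IDENT = r"[A-Za-z_]\w*"
NODE_VAR_RE = re.compile(r"\((%s)\s*(?::|\{|\))" % IDENT)   # (u:User), (u {..}), (u)
REL_VAR_RE = re.compile(r"\[(%s)\s*(?::|\]|\*)" % IDENT)    # [r:AdminTo], [r], [r*1..]
ALIAS_RE = re.compile(r"\bAS\s+(%s)" % IDENT, re.I)         # ... AS alias
PROP_REF_RE = re.compile(r"\b(%s)\.%s" % (IDENT, IDENT))    # u.pwdlastset -> "u"
RETURN_RE = re.compile(
    r"\bRETURN\s+(?:DISTINCT\s+)?(.*?)(?=\s+(?:ORDER\s+BY|LIMIT|SKIP|UNION)\b|$)",
    re.I | re.S)
LEGACY_PARAM_RE = re.compile(r"\{\s*(%s)\s*\}" % IDENT)     # {result}: removed in Neo4j 4
AND_WHERE_RE = re.compile(r"\bAND\s+WHERE\b", re.I)
STRING_RE = re.compile(r"'[^']*'|\"[^\"]*\"")               # literals (regex patterns etc.)


def _split_top_level(expr):
    """Split a RETURN list on commas that are not nested inside (), [] or {}."""
    items, depth, cur = [], 0, []
    for ch in expr:
        if ch in "([{":
            depth += 1
        elif ch in ")]}":
            depth -= 1
        if ch == "," and depth == 0:
            items.append("".join(cur).strip())
            cur = []
        else:
            cur.append(ch)
    if cur:
        items.append("".join(cur).strip())
    return [i for i in items if i]


def lint_cypher(query):
    """Return a list of problems found in one Cypher query string (empty if clean)."""
    problems = []
    q = STRING_RE.sub("''", query)  # string literals cannot bind or reference variables
    bound = set(NODE_VAR_RE.findall(q)) | set(REL_VAR_RE.findall(q)) | set(ALIAS_RE.findall(q))
    used = set(PROP_REF_RE.findall(q))  # every x.prop access anywhere in the query
    m = RETURN_RE.search(q)
    if m:
        for item in _split_top_level(m.group(1)):
            # plain variable, x.prop, or either followed by AS alias; function calls are skipped
            ref = re.match(r"(%s)\s*(?:\.|\s+AS\b|$)" % IDENT, item, re.I)
            if ref:
                used.add(ref.group(1))
    for var in sorted(used - bound):
        problems.append("reference to unbound variable '%s' (bound: %s)"
                        % (var, ", ".join(sorted(bound)) or "none"))
    for name in LEGACY_PARAM_RE.findall(q):
        problems.append("legacy parameter syntax {%s}; Neo4j 4 only accepts $%s" % (name, name))
    if AND_WHERE_RE.search(q):
        problems.append("'AND WHERE' is not valid Cypher; keep one WHERE and join conditions with AND")
    return problems


def lint_customqueries(text):
    """Lint every step of every query; returns (query name, step index, problem) tuples."""
    findings = []
    for entry in json.loads(text)["queries"]:
        for step, q in enumerate(entry.get("queryList", [])):
            for problem in lint_cypher(q["query"]):
                findings.append((entry["name"], step, problem))
    return findings


if __name__ == "__main__":
    for name, step, problem in lint_customqueries(SAMPLE_CUSTOMQUERIES):
        print("%s [step %d]: %s" % (name, step, problem))
```

Point the script at a real customqueries.json by replacing SAMPLE_CUSTOMQUERIES with the file's contents; the checks are regex-based and deliberately narrow (they do not parse full Cypher), so a clean report means these particular mistakes are absent, not that every query is valid.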
Hi, awesome tool. I couldn't find this query, any help?
Hello dear hausec,
A very great job! Thanks!
Can you guide me please on how to write a query which finds which computers a specific user can RDP to?
Thanks!
Ilan-sec.
Are the two queries below correct?
I took your query and added info to get the actual name and pwdlastset timestamp. In the Neo4j browser:
MATCH (u:User) WHERE u.pwdlastset < (datetime().epochseconds - (90 * 86400)) and NOT u.pwdlastset IN [-1.0, 0.0] RETURN u.name, u.pwdlastset
I get this data back:
| u.name | u.pwdlastset |
|---|---|
| "USERNAME@DOMAIN" | 1540398615.0 |
Converting that timestamp to a date:
MATCH (u:User) WHERE u.pwdlastset < (datetime().epochseconds - (90 * 86400)) and NOT u.pwdlastset IN [-1.0, 0.0] RETURN u.name,datetime({epochSeconds:toInteger(u.pwdlastset)})
I get this data back (which is more than 90 days):
| u.name | datetime({epochSeconds:toInteger(u.pwdlastset)}) |
|---|---|
| "USERNAME@DOMAIN" | "2018-10-24T16:30:15Z" |

I think the text needs to be flipped to read "Find users with passwords last set in 90 days or more", or the less-than symbol (<) needs to be flipped around to a greater-than symbol (>).
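What the comparison actually selects can be checked outside Neo4j. The snippet below is an added example, not code from the thread or the repository: it reproduces the query's WHERE clause in Python (the epoch cut-off, the `<` direction, and the exclusion of the -1.0/0.0 sentinel values) and the same epochSeconds-to-datetime conversion. The quoted pwdlastset value is the one from the post; the other rows and the fixed "current time" are constructed so the result is reproducible.

```python
from datetime import datetime, timezone

# Sentinel values stored in pwdlastset when the attribute is unset; the thread's
# query excludes them with: NOT u.pwdlastset IN [-1.0, 0.0]
NEVER_SET = (-1.0, 0.0)


def pwdlastset_to_iso(pwdlastset):
    """Same conversion as Cypher's datetime({epochSeconds: toInteger(u.pwdlastset)})."""
    return datetime.fromtimestamp(int(pwdlastset), tz=timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")


def password_age_days(pwdlastset, now_epoch):
    """Age of the password in days at the given reference time."""
    return (now_epoch - pwdlastset) / 86400


def select_by_password_age(users, now_epoch, days=90, older=True):
    """Python rendering of the query's WHERE clause.

    older=True  -> u.pwdlastset < now - days*86400  (set MORE than `days` ago; the query as posted)
    older=False -> u.pwdlastset > now - days*86400  (set WITHIN the last `days`; the flipped sign)
    Sentinel values are excluded either way, exactly as the query does.
    """
    cutoff = now_epoch - days * 86400
    selected = []
    for u in users:
        ts = u["pwdlastset"]
        if ts in NEVER_SET:
            continue
        hit = ts < cutoff if older else ts > cutoff
        if hit:
            selected.append(u["name"])
    return selected


# Constructed rows in the shape the Neo4j browser returned above. The first timestamp is
# the one quoted in the thread; the rest are made up for contrast. NOW is a fixed
# reference time (2019-02-12 UTC) rather than the real clock, so results are stable.
NOW = 1550000000
SAMPLE_USERS = [
    {"name": "USERNAME@DOMAIN", "pwdlastset": 1540398615.0},            # 2018-10-24, ~111 days before NOW
    {"name": "RECENT@DOMAIN", "pwdlastset": float(NOW - 30 * 86400)},  # 30 days before NOW
    {"name": "NEVERSET@DOMAIN", "pwdlastset": -1.0},                    # sentinel, must never match
    {"name": "ZERO@DOMAIN", "pwdlastset": 0.0},                         # sentinel, must never match
]

if __name__ == "__main__":
    for u in SAMPLE_USERS:
        if u["pwdlastset"] in NEVER_SET:
            print("%-18s sentinel %s" % (u["name"], u["pwdlastset"]))
        else:
            print("%-18s %s  (%.1f days old)" % (u["name"], pwdlastset_to_iso(u["pwdlastset"]),
                                                 password_age_days(u["pwdlastset"], NOW)))
    print("older than 90 days :", select_by_password_age(SAMPLE_USERS, NOW))
    print("within last 90 days:", select_by_password_age(SAMPLE_USERS, NOW, older=False))
```

Because pwdlastset is an epoch count, a smaller number is an earlier date, so `<` against the cut-off picks the older passwords; the sentinel check matters because -1.0 and 0.0 would otherwise always satisfy `<` and pad the result with accounts whose attribute was simply never populated.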