customqueries.json
{
"queries": [
{
"name": "Find users that can RDP into something",
"category": "PlainText Password Queries",
"queryList": [
{
"final": true,
"query": "match (u1:User) WHERE u1.plaintext=True MATCH p1=(u1)-[:CanRDP*1..]->(c:Computer) RETURN u1",
"allowCollapse": true
}
]
},
{
"name": "Find users that belong to high value groups",
"category": "PlainText Password Queries",
"queryList": [
{
"final": true,
"query": "match (u1:User) WHERE u1.plaintext=True MATCH p=(u1:User)-[r:MemberOf*1..]->(m:Group {highvalue:true}) RETURN u1",
"allowCollapse": true
}
]
},
{
"name": "Find kerberoastable users",
"category": "PlainText Password Queries",
"queryList": [
{
"final": true,
"query": "match (u1:User) WHERE u1.plaintext=True AND u1.hasspn=True RETURN u1",
"allowCollapse": true
}
]
},
{
"name": "Return users with seasons in their password who are high value targets",
"category": "PlainText Password Queries",
"queryList": [
{
"final": true,
"query": "MATCH (u1:User) WHERE u1.plaintextpassword =~ \"([Ww]inter.*|[sS]pring.*|[sS]ummer.*|[fF]all.*)\" MATCH p=(u1:User)-[r:MemberOf*1..]->(m:Group {highvalue:true}) RETURN u1",
"allowCollapse": true
}
]
},
{
"name": "Return users with seasons in their password who have local admin on at least one computer",
"category": "PlainText Password Queries",
"queryList": [
{
"final": true,
"query": "match (u1:User) WHERE u1.plaintextpassword =~ \"([Ww]inter.*|[sS]pring.*|[sS]ummer.*|[fF]all.*)\" match p=(u1:User)-[r:AdminTo]->(n:Computer) RETURN p",
"allowCollapse": true
}
]
},
{
"name": "Return users with seasons in their password and a path to high value targets (limit to 25 results)",
"category": "PlainText Password Queries",
"queryList": [
{
"final": true,
"query": "match (u1:User) WHERE u1.plaintextpassword =~ \"([Ww]inter.*|[sS]pring.*|[sS]ummer.*|[fF]all.*)\" MATCH p=shortestPath((u1:User)-[*1..]->(n {highvalue:true})) WHERE u1<>n return u1 LIMIT 25",
"allowCollapse": true
}
]
},
{
"name": "Return users with a variant of \"password\" in their password who are high value targets",
"category": "PlainText Password Queries",
"queryList": [
{
"final": true,
"query": "MATCH (u1:User) WHERE u1.plaintextpassword =~ \"(.*[pP][aA@][sS$][sS$][wW][oO0][rR][dD].*)\" MATCH p=(u1:User)-[r:MemberOf*1..]->(m:Group {highvalue:true}) RETURN u1",
"allowCollapse": true
}
]
},
{
"name": "Return users with a variant of \"password\" in their password who have local admin on at least one computer",
"category": "PlainText Password Queries",
"queryList": [
{
"final": true,
"query": "match (u1:User) WHERE u1.plaintextpassword =~ \"(.*[pP][aA@][sS$][sS$][wW][oO0][rR][dD].*)\" match p=(u1:User)-[r:AdminTo]->(n:Computer) RETURN p",
"allowCollapse": true
}
]
},
{
"name": "Return users with a variant of \"password\" in their password and a path to high value targets (limit to 25 results)",
"category": "PlainText Password Queries",
"queryList": [
{
"final": true,
"query": "match (u1:User) WHERE u1.plaintextpassword =~ \"(.*[pP][aA@][sS$][sS$][wW][oO0][rR][dD].*)\" MATCH p=shortestPath((u1:User)-[*1..]->(n {highvalue:true})) WHERE u1<>n return u1 LIMIT 25",
"allowCollapse": true
}
]
}
]
}