
@rmdavy
Forked from seajaysec/customqueries.json
Created June 27, 2021 16:42


  1. @seajaysec seajaysec revised this gist Feb 5, 2020. 1 changed file with 279 additions and 654 deletions.
    933 changes: 279 additions & 654 deletions customqueries.json
    @@ -1,764 +1,389 @@
    {
    "queries": [
    {
    "name": "Find all Domain Admins",
    "queryList": [
    {
    "final": true,
    "query":
    "MATCH (n:Group) WHERE n.objectsid =~ {name} WITH n MATCH p=(n)<-[r:MemberOf*1..]-(m) RETURN p",
    "props": {
    "name": "(?i)S-1-5-.*-512"
    },
    "allowCollapse": false
    }
    ]
    "queries": [{
    "name": "List all owned users",
    "queryList": [{
    "final": true,
    "query": "MATCH (m:User) WHERE m.owned=TRUE RETURN m"
    }]
    },
    {
    "name": "Find Shortest Paths to Domain Admins",
    "queryList": [
    {
    "final": false,
    "title": "Select a Domain Admin group...",
    "query":
    "MATCH (n:Group) WHERE n.objectsid =~ {name} RETURN n.name ORDER BY n.name DESC",
    "props": {
    "name": "(?i)S-1-5-.*-512"
    }
    },
    {
    "final": true,
    "query":
    "MATCH (n:User),(m:Group {name:{result}}),p=shortestPath((n)-[r:MemberOf|AdminTo|HasSession|Contains|GpLink|Owns|DCSync|AllExtendedRights|ForceChangePassword|GenericAll|GenericWrite|WriteDacl|WriteOwner|CanRDP|ExecuteDCOM*1..]->(m)) RETURN p",
    "allowCollapse": true,
    "endNode": "{}"
    }
    ]
    "name": "List all owned computers",
    "queryList": [{
    "final": true,
    "query": "MATCH (m:Computer) WHERE m.owned=TRUE RETURN m"
    }]
    },
    {
    "name": "Find DCSyncers",
    "queryList": [
    {
    "final": false,
    "title": "Select a Domain...",
    "query":
    "MATCH (n:Domain) RETURN n.name ORDER BY n.name DESC"
    },
    {
    "final": true,
    "query":
    "MATCH p=(n1)-[:MemberOf|GetChanges*1..]->(u:Domain {name: {result}}) WITH p,n1 MATCH p2=(n1)-[:MemberOf|GetChangesAll*1..]->(u:Domain {name: {result}}) WITH p,p2 MATCH p3=(n2)-[:MemberOf|GenericAll|AllExtendedRights*1..]->(u:Domain {name: {result}}) RETURN p,p2,p3",
    "allowCollapse": true,
    "endNode": "{}"
    }
    ]
    "name": "List all owned groups",
    "queryList": [{
    "final": true,
    "query": "MATCH (m:User) WHERE m.owned=TRUE RETURN m"
    }]
    },
    {
    "name": "Find logged in Admins",
    "queryList": [
    {
    "final": true,
    "query":
    "MATCH p=(a:Computer)-[r:HasSession]->(b:User) WITH a,b,r MATCH p=shortestPath((b)-[:AdminTo|MemberOf*1..]->(a)) RETURN p",
    "allowCollapse": true
    }
    ]
    "name": "List the groups of all owned users",
    "queryList": [{
    "final": true,
    "query": "MATCH (m:User) WHERE m.owned=TRUE WITH m MATCH p=(m)-[:MemberOf*1..]->(n:Group) RETURN p"
    }]
    },
    {
    "name": "Top Ten Users with Most Sessions",
    "queryList": [
    {
    "final": true,
    "query":
    "MATCH (n:User),(m:Computer), (n)<-[r:HasSession]-(m) WHERE NOT n.name STARTS WITH 'ANONYMOUS LOGON' AND NOT n.name='' WITH n, count(r) as rel_count order by rel_count desc LIMIT 10 MATCH p=(m)-[r:HasSession]->(n) RETURN p",
    "allowCollapse": true
    }
    ]
    },
    {
    "name": "Top Ten Computers with Most Sessions",
    "queryList": [
    {
    "final": true,
    "query":
    "MATCH (n:User),(m:Computer), (n)<-[r:HasSession]-(m) WHERE NOT n.name STARTS WITH 'ANONYMOUS LOGON' AND NOT n.name='' WITH m, count(r) as rel_count order by rel_count desc LIMIT 10 MATCH p=(m)-[r:HasSession]->(n) RETURN n,r,m",
    "allowCollapse": true
    }
    ]
    },
    {
    "name": "Top Ten Users with Most Local Admin Rights",
    "queryList": [
    {
    "final": true,
    "query":
    "MATCH (n:User),(m:Computer), (n)-[r:AdminTo]->(m) WHERE NOT n.name STARTS WITH 'ANONYMOUS LOGON' AND NOT n.name='' WITH n, count(r) as rel_count order by rel_count desc LIMIT 10 MATCH p=(m)<-[r:AdminTo]-(n) RETURN p",
    "allowCollapse": true
    }
    ]
    },
    {
    "name": "Top Ten Computers with Most Admins",
    "queryList": [
    {
    "final": true,
    "query":
    "MATCH (n:User),(m:Computer), (n)-[r:AdminTo]->(m) WHERE NOT n.name STARTS WITH 'ANONYMOUS LOGON' AND NOT n.name='' WITH m, count(r) as rel_count order by rel_count desc LIMIT 10 MATCH p=(m)<-[r:AdminTo]-(n) RETURN p",
    "allowCollapse": true
    }
    ]
    "name": "Show owned Nodes with Groups",
    "queryList": [{
    "final": true,
    "query": "MATCH (u:User {owned:true}), (g:Group), p=(u)-[:MemberOf]->(g) RETURN p",
    "props": {},
    "allowCollapse": true
    }]
    },
    {
    "name": "Users with Foreign Domain Group Membership",
    "queryList": [
    {
    "final": false,
    "title": "Select source domain...",
    "query":
    "MATCH (n:Domain) RETURN n.name ORDER BY n.name DESC"
    },
    {
    "final": true,
    "query":
    "MATCH (n:User) WITH n MATCH (m:Group) WITH n,m MATCH p=(n)-[r:MemberOf]->(m) WHERE n.domain={result} AND NOT m.domain=n.domain RETURN p",
    "startNode": "{}",
    "allowCollapse": false
    }
    ]
    },
    {
    "name": "Groups with Foreign Domain Group Membership",
    "queryList": [
    {
    "final": false,
    "title": "Select source domain...",
    "query":
    "MATCH (n:Domain) RETURN n.name ORDER BY n.name DESC"
    },
    {
    "final": true,
    "query":
    "MATCH (n:Group) WITH n MATCH (m:Group) WITH n,m MATCH p=(n)-[r:MemberOf]->(m) WHERE n.domain={result} AND NOT m.domain=n.domain AND NOT n.name=m.name RETURN p",
    "startNode": "{}",
    "allowCollapse": false
    }
    ]
    },
    {
    "name": "Map Domain Trusts",
    "queryList": [
    {
    "final": true,
    "query": "MATCH p=(n:Domain)-[r]-(m:Domain) RETURN p",
    "allowCollapse": true
    }
    ]
    },
    {
    "name": "Shortest Path from SPN User",
    "queryList": [
    {
    "final": false,
    "title": "Select a domain...",
    "query":
    "MATCH (n:Domain) RETURN n.name ORDER BY n.name DESC"
    },
    {
    "final": false,
    "title": "Select a user",
    "query":
    "MATCH (n:User) WHERE n.domain={result} AND n.HasSPN=true RETURN n.name, n.PwdLastSet ORDER BY n.PwdLastSet ASC"
    },
    {
    "final": true,
    "query":
    "MATCH n=shortestPath((a:User {name:{result}})-[r:MemberOf|AdminTo|HasSession|Contains|GpLink|Owns|DCSync|AllExtendedRights|ForceChangePassword|GenericAll|GenericWrite|WriteDacl|WriteOwner*1..]->(b:Computer)) RETURN n",
    "startNode": "{}",
    "allowCollapse": true
    }
    ]
    },
    {
    "name": "Shortest Paths to Domain Admins from SPN Users",
    "queryList": [
    {
    "final": false,
    "title": "Select a Domain Admin group...",
    "query":
    "MATCH (n:Group) WHERE n.name =~ {name} RETURN n.name ORDER BY n.name DESC",
    "props": {
    "name": "(?i).*DOMAIN ADMINS.*"
    }
    },
    {
    "final": true,
    "query":
    "MATCH (n:User),(m:Group {name:{result}}),p=shortestPath((n)-[r:MemberOf|AdminTo|HasSession|Contains|GpLink|Owns|DCSync|AllExtendedRights|ForceChangePassword|GenericAll|GenericWrite|WriteDacl|WriteOwner*1..]->(m)) WHERE n.HasSPN=true RETURN p",
    "allowCollapse": true,
    "endNode": "{}"
    }
    ]
    },
    {
    "name": "Find all owned Domain Admins",
    "requireNodeSelect": false,
    "query": "MATCH (n:Group) WHERE n.name =~ {name} WITH n MATCH p=(n)<-[r:MemberOf*1..]-(m) WHERE exists(m.owned) AND NONE (x IN nodes(p) WHERE exists(x.blacklist)) AND NONE (x in relationships(p) WHERE exists(x.blacklist)) RETURN nodes(p),relationships(p)",
    "allowCollapse": false,
    "props": {"name": "(?i).*DOMAIN ADMINS.*"}
    "name": "Find logged in Admins",
    "queryList": [{
    "final": true,
    "query": "MATCH p=(a:Computer)-[r:HasSession]->(b:User) WITH a,b,r MATCH p=shortestPath((b)-[:AdminTo|MemberOf*1..]->(a)) RETURN p",
    "allowCollapse": true
    }]
    },
    {
    "name": "Find Shortest Paths from owned node to Domain Admins",
    "requireNodeSelect": true,
    "nodeSelectQuery": {
    "query":"MATCH (n:Group) WHERE n.name =~ {name} RETURN n.name",
    "queryProps": {"name":"(?i).*DOMAIN ADMINS.*"},
    "onFinish": "MATCH (n),(m:Group {name:{result}}),p=shortestPath((n)-[*1..12]->(m)) WHERE exists(n.owned) AND NONE (x IN nodes(p) WHERE exists(x.blacklist)) AND NONE (x in relationships(p) WHERE exists(x.blacklist)) RETURN p",
    "start":"",
    "end": "{}",
    "allowCollapse": true,
    "boxTitle": "Select domain to map..."
    }
    "name": "Top Ten Users with Most Sessions",
    "queryList": [{
    "final": true,
    "query": "MATCH (n:User),(m:Computer), (n)<-[r:HasSession]-(m) WHERE NOT n.name STARTS WITH 'ANONYMOUS LOGON' AND NOT n.name='' WITH n, count(r) as rel_count order by rel_count desc LIMIT 10 MATCH p=(m)-[r:HasSession]->(n) RETURN p",
    "allowCollapse": true
    }]
    },
    {
    "name": "Show Wave",
    "requireNodeSelect": true,
    "nodeSelectQuery": {
    "query":"MATCH (n) WHERE exists(n.wave) WITH DISTINCT n.wave as d RETURN toString(d) ORDER BY d",
    "queryProps": {},
    "onFinish": "OPTIONAL MATCH (n1:User {wave:toInt({result})}) WITH collect(distinct n1) as c1 OPTIONAL MATCH (n2:Computer {wave:toInt({result})}) WITH collect(distinct n2) + c1 as c2 OPTIONAL MATCH (n3:Group {wave:toInt({result})}) WITH c2, collect(distinct n3) + c2 as c3 UNWIND c2 as n UNWIND c3 as m MATCH (n)-[r]->(m) WHERE not(exists(n.blacklist)) AND not(exists(m.blacklist)) AND not(exists(r.blacklist)) RETURN n,r,m",
    "start": "",
    "end": "",
    "allowCollapse": true,
    "boxTitle": "Select wave..."
    }
    },
    {
    "name": "Highlight Delta for Wave",
    "requireNodeSelect": true,
    "nodeSelectQuery": {
    "query":"MATCH (n) WHERE exists(n.wave) WITH DISTINCT n.wave as d RETURN toString(d) ORDER BY d",
    "queryProps": {},
    "onFinish": "MATCH (n)-[r]->(m) WHERE n.wave<=toInt({result}) AND not(exists(n.blacklist)) AND not(exists(m.blacklist)) AND not(exists(r.blacklist)) RETURN n,r,m",
    "start": "",
    "end": "",
    "allowCollapse": true,
    "boxTitle": "Select wave to show deltas..."
    }
    "name": "Top Ten Computers with Most Sessions",
    "queryList": [{
    "final": true,
    "query": "MATCH (n:User),(m:Computer), (n)<-[r:HasSession]-(m) WHERE NOT n.name STARTS WITH 'ANONYMOUS LOGON' AND NOT n.name='' WITH m, count(r) as rel_count order by rel_count desc LIMIT 10 MATCH p=(m)-[r:HasSession]->(n) RETURN n,r,m",
    "allowCollapse": true
    }]
    },
    {
    "name": "Find Clusters of Password Reuse",
    "requireNodeSelect": false,
    "query": "MATCH p=(n)-[r:SharesPasswordWith]->(m) WHERE not(exists(n.blacklist)) AND not(exists(m.blacklist)) RETURN p",
    "allowCollapse": true,
    "props": {}

    "name": "Find all Kerberoastable Users",
    "queryList": [{
    "final": true,
    "query": "MATCH (n:User)WHERE n.hasspn=true RETURN n",
    "allowCollapse": false
    }]
    },
    {
    "name": "Show Blacklisted Nodes",
    "requireNodeSelect": false,
    "query": "MATCH (n) WHERE exists(n.blacklist) RETURN n",
    "allowCollapse": true,
    "props": {}
    "name": "Find All Users with an SPN/Find all Kerberoastable Users with passwords last set less than 5 years ago",
    "queryList": [{
    "final": true,
    "query": "MATCH (u:User) WHERE u.hasspn=true AND u.pwdlastset < (datetime().epochseconds - (1825 * 86400)) AND NOT u.pwdlastset IN [-1.0, 0.0] RETURN u.name, u.pwdlastset order by u.pwdlastset "
    }]
    },
    {
    "name": "Show Blacklisted Relationships",
    "requireNodeSelect": false,
    "query": "MATCH (n)-[r]->(m) WHERE exists(r.blacklist) RETURN n,r,m",
    "allowCollapse": true,
    "props": {}
    "name": "Find Kerberoastable Users with a path to DA",
    "queryList": [{
    "final": true,
    "query": "MATCH (u:User {hasspn:true}) MATCH (g:Group) WHERE g.objectid ENDS WITH '-512' MATCH p = shortestPath( (u)-[*1..]->(g) ) RETURN p"
    }]
    },
    {
    "name": "Show Blacklist",
    "requireNodeSelect": false,
    "query": "OPTIONAL MATCH (n {blacklist:true}) WITH n OPTIONAL MATCH p=(()-[{blacklist:true}]->()) RETURN n,p",
    "allowCollapse": true,
    "props": {}
    "name": "Find Kerberoastable Users with a path to High Value",
    "queryList": [{
    "final": true,
    "query": "MATCH (u:User {hasspn:true}),(n {highvalue:true}),p = shortestPath( (u)-[*1..]->(n) ) RETURN p"
    }]
    },
    {
    "name": "Show owned Nodes",
    "requireNodeSelect": false,
    "query": "MATCH (n) WHERE exists(n.owned) RETURN n",
    "allowCollapse": true,
    "props": {}
    "name": "Find machines Domain Users can RDP into",
    "queryList": [{
    "final": true,
    "query": "match p=(g:Group)-[:CanRDP]->(c:Computer) where g.objectid ENDS WITH '-513' return p"
    }]
    },
    {
    "name": "Find Shortest Paths to DA Equivalency",
    "requireNodeSelect": true,
    "nodeSelectQuery": {
    "query":"MATCH (n:Group) WHERE n.name =~ {name} RETURN n.name",
    "queryProps": {"name":"(?i).*DOMAIN CONTROLLERS.*"},
    "onFinish": "MATCH (n:User),(m:Group {name:{result}}),p=shortestPath((n)-[*1..]->(m)) RETURN p",
    "start":"",
    "end": "{}",
    "allowCollapse": true,
    "boxTitle": "Select domain to map..."
    }
    },
    {
    "name": "Find Shortest Paths to Domain Admins from Foreign User",
    "requireNodeSelect": true,
    "nodeSelectQuery": {
    "query": "MATCH (n:Domain) RETURN n.name",
    "queryProps":{},
    "onFinish": "MATCH (n:User) WHERE NOT n.name ENDS WITH ('@' + {result}) WITH n MATCH (m:Group {name:('DOMAIN ADMINS@' + {result})}) WITH n,m MATCH p=shortestPath((n)-[*1..]->(m)) RETURN p",
    "start": "{}",
    "end": "",
    "allowCollapse": true,
    "boxTitle": "Select target domain..."
    }
    "name": "Find Servers Domain Users can RDP To",
    "queryList": [{
    "final": true,
    "query": "match p=(g:Group)-[:CanRDP]->(c:Computer) where g.name STARTS WITH 'DOMAIN USERS' AND c.operatingsystem CONTAINS 'Server' return p",
    "allowCollapse": true
    }]
    },
    {
    "name": "Show Connections over 22/tcp",
    "requireNodeSelect": false,
    "query": "MATCH p=((s:Computer)-[:Connected_22]->(d:Computer)) RETURN p",
    "allowCollapse": true,
    "props": {}
    "name": "Find what groups can RDP",
    "queryList": [{
    "final": true,
    "query": "MATCH p=(m:Group)-[r:CanRDP]->(n:Computer) RETURN p"
    }]
    },
    {
    "name": "Show Connections over 80/tcp",
    "requireNodeSelect": false,
    "query": "MATCH p=((s:Computer)-[:Connected_80]->(d:Computer)) RETURN p",
    "allowCollapse": true,
    "props": {}
    "name": "Non Admin Groups with High Value Privileges",
    "queryList": [{
    "final": true,
    "query": "MATCH p=(g:Group)-[r:Owns|:WriteDacl|:GenericAll|:WriteOwner|:ExecuteDCOM|:GenericWrite|:AllowedToDelegate|:ForceChangePassword]->(n:Computer) WHERE NOT g.name CONTAINS 'ADMIN' RETURN p",
    "allowCollapse": true
    }]
    },
    {
    "name": "Show Connections over 135/tcp",
    "requireNodeSelect": false,
    "query": "MATCH p=((s:Computer)-[:Connected_135]->(d:Computer)) RETURN p",
    "allowCollapse": true,
    "props": {}
    "name": "Find groups that can reset passwords (Warning: Heavy)",
    "queryList": [{
    "final": true,
    "query": "MATCH p=(m:Group)-[r:ForceChangePassword]->(n:User) RETURN p"
    }]
    },
    {
    "name": "Show Connections over 139/tcp",
    "requireNodeSelect": false,
    "query": "MATCH p=((s:Computer)-[:Connected_139]->(d:Computer)) RETURN p",
    "allowCollapse": true,
    "props": {}
    "name": "Groups with Computer and User Objects",
    "queryList": [{
    "final": true,
    "query": "MATCH (c:Computer)-[r:MemberOf*1..]->(groupsWithComps:Group) WITH groupsWithComps MATCH (u:User)-[r:MemberOf*1..]->(groupsWithComps) RETURN DISTINCT(groupsWithComps) as groupsWithCompsAndUsers",
    "allowCollapse": true,
    "endNode": "{}"
    }]
    },
    {
    "name": "Show Connections over 389/tcp",
    "requireNodeSelect": false,
    "query": "MATCH p=((s:Computer)-[:Connected_389]->(d:Computer)) RETURN p",
    "allowCollapse": true,
    "props": {}
    "name": "Find groups that have local admin rights (Warning: Heavy)",
    "queryList": [{
    "final": true,
    "query": "MATCH p=(m:Group)-[r:AdminTo]->(n:Computer) RETURN p"
    }]
    },
    {
    "name": "Show Connections over 443/tcp",
    "requireNodeSelect": false,
    "query": "MATCH p=((s:Computer)-[:Connected_443]->(d:Computer)) RETURN p",
    "allowCollapse": true,
    "props": {}
    "name": "Find all users that have local admin rights",
    "queryList": [{
    "final": true,
    "query": "MATCH p=(m:User)-[r:AdminTo]->(n:Computer) RETURN p"
    }]
    },
    {
    "name": "Show Connections over 445/tcp",
    "requireNodeSelect": false,
    "query": "MATCH p=((s:Computer)-[:Connected_445]->(d:Computer)) RETURN p",
    "allowCollapse": true,
    "props": {}
    "name": "Top Ten Users with Most Local Admin Rights",
    "queryList": [{
    "final": true,
    "query": "MATCH (n:User),(m:Computer), (n)-[r:AdminTo]->(m) WHERE NOT n.name STARTS WITH 'ANONYMOUS LOGON' AND NOT n.name='' WITH n, count(r) as rel_count order by rel_count desc LIMIT 10 MATCH p=(m)<-[r:AdminTo]-(n) RETURN p",
    "allowCollapse": true
    }]
    },
    {
    "name": "Show Connections over 1433/tcp",
    "requireNodeSelect": false,
    "query": "MATCH p=((s:Computer)-[:Connected_1433]->(d:Computer)) RETURN p",
    "allowCollapse": true,
    "props": {}
    "name": "Top Ten Computers with Most Admins",
    "queryList": [{
    "final": true,
    "query": "MATCH (n:User),(m:Computer), (n)-[r:AdminTo]->(m) WHERE NOT n.name STARTS WITH 'ANONYMOUS LOGON' AND NOT n.name='' WITH m, count(r) as rel_count order by rel_count desc LIMIT 10 MATCH p=(m)<-[r:AdminTo]-(n) RETURN p",
    "allowCollapse": true
    }]
    },
    {
    "name": "Show Connections over 1521/tcp",
    "requireNodeSelect": false,
    "query": "MATCH p=((s:Computer)-[:Connected_1521]->(d:Computer)) RETURN p",
    "allowCollapse": true,
    "props": {}
    "name": "Find all active Domain Admin sessions",
    "queryList": [{
    "final": true,
    "query": "MATCH (n:User)-[:MemberOf]->(g:Group) WHERE g.objectid ENDS WITH '-512' MATCH p = (c:Computer)-[:HasSession]->(n) return p"
    }]
    },
    {
    "name": "Show Connections over 3306/tcp",
    "requireNodeSelect": false,
    "query": "MATCH p=((s:Computer)-[:Connected_3306]->(d:Computer)) RETURN p",
    "allowCollapse": true,
    "props": {}
    "name": "Can a user from domain ‘A ‘ do anything to any computer in domain ‘B’ (Warning: VERY Heavy)",
    "queryList": [{
    "final": false,
    "title": "Select source domain...",
    "query": "MATCH (n:Domain) RETURN n.name ORDER BY n.name DESC"
    },
    {
    "final": false,
    "title": "Select destination domain...",
    "query": "MATCH (n:Domain) RETURN n.name ORDER BY n.name DESC"
    },
    {
    "final": true,
    "query": "MATCH (n:User {domain: {result}}) MATCH (m:Computer {domain: {}}) MATCH p=allShortestPaths((n)-[r:MemberOf|HasSession|AdminTo|AllExtendedRights|AddMember|ForceChangePassword|GenericAll|GenericWrite|Owns|WriteDacl|WriteOwner|CanRDP|ExecuteDCOM|AllowedToDelegate|ReadLAPSPassword|Contains|GpLink|AddAllowedToAct|AllowedToAct|SQLAdmin*1..]->(m)) RETURN p",
    "startNode": "{}",
    "allowCollapse": false
    }
    ]
    },
    {
    "name": "Show Connections over 3389/tcp",
    "requireNodeSelect": false,
    "query": "MATCH p=((s:Computer)-[:Connected_3389]->(d:Computer)) RETURN p",
    "allowCollapse": true,
    "props": {}
    "name": "Find all computers with Unconstrained Delegation",
    "queryList": [{
    "final": true,
    "query": "MATCH (c:Computer {unconstraineddelegation:true}) return c"
    }]
    },
    {
    "name": "Show Connections over 5432/tcp",
    "requireNodeSelect": false,
    "query": "MATCH p=((s:Computer)-[:Connected_5432]->(d:Computer)) RETURN p",
    "allowCollapse": true,
    "props": {}
    "name": "Find all computers with unsupported operating systems",
    "queryList": [{
    "final": true,
    "query": "MATCH (H:Computer) WHERE H.operatingsystem =~ '.*(2000|2003|2008|xp|vista|7|me)*.' RETURN H"
    }]
    },
    {
    "name": "Show Database Connections",
    "requireNodeSelect": false,
    "query": "MATCH p=((s:Computer)-[:Connected_1433|Connected_1521|Connected_3306|Connected_5432]->(d:Computer)) RETURN p",
    "allowCollapse": true,
    "props": {}
    "name": "Find users that logged in within the last 90 days",
    "queryList": [{
    "final": true,
    "query": "MATCH (u:User) WHERE u.lastlogon < (datetime().epochseconds - (90 * 86400)) and NOT u.lastlogon IN [-1.0, 0.0] RETURN u"
    }]
    },
    {
    "name": "Show Web App Connections",
    "requireNodeSelect": false,
    "query": "MATCH p=((s:Computer)-[:Connected_80|Connected_443]->(d:Computer)) RETURN p",
    "allowCollapse": true,
    "props": {}
    "name": "Find users with passwords last set within the last 90 days",
    "queryList": [{
    "final": true,
    "query": "MATCH (u:User) WHERE u.pwdlastset < (datetime().epochseconds - (90 * 86400)) and NOT u.pwdlastset IN [-1.0, 0.0] RETURN u"
    }]
    },
    {
    "name": "Find Top 10 RDP Servers",
    "requireNodeSelect": false,
    "query": "MATCH (n:Computer)-[r:Connected_3389]->(m:Computer) WHERE NOT m.name STARTS WITH 'ANONYMOUS LOGON' AND NOT m.name='' WITH m, count(r) as rel_count order by rel_count desc LIMIT 10 MATCH (n)-[r:Connected_3389]->(m) RETURN n,r,m",
    "allowCollapse": true,
    "props": {}
    "name": "Find constrained delegation",
    "queryList": [{
    "final": true,
    "query": "MATCH p=(u:User)-[:AllowedToDelegate]->(c:Computer) RETURN p"
    }]
    },
    {
    "name": "Find Top 10 SSH Servers",
    "requireNodeSelect": false,
    "query": "MATCH (n:Computer)-[r:Connected_22]->(m:Computer) WHERE NOT m.name STARTS WITH 'ANONYMOUS LOGON' AND NOT m.name='' WITH m, count(r) as rel_count order by rel_count desc LIMIT 10 MATCH (n)-[r:Connected_22]->(m) RETURN n,r,m",
    "allowCollapse": true,
    "props": {}
    "name": "Find computers that allow unconstrained delegation that AREN’T domain controllers.",
    "queryList": [{
    "final": true,
    "query": "MATCH (c1:Computer)-[:MemberOf*1..]->(g:Group) WHERE g.objectid ENDS WITH '-516' WITH COLLECT(c1.name) AS domainControllers MATCH (c2:Computer {unconstraineddelegation:true}) WHERE NOT c2.name IN domainControllers RETURN c2"
    }]
    },
    {
    "name": "Find Top 10 Web Apps with most Connections",
    "requireNodeSelect": false,
    "query": "MATCH (n:Computer)-[r:Connected_80|Connected_443]->(m:Computer) WHERE NOT m.name STARTS WITH 'ANONYMOUS LOGON' AND NOT m.name='' WITH m, count(r) as rel_count order by rel_count desc LIMIT 10 MATCH (n)-[r:Connected_80|Connected_443]->(m) RETURN n,r,m",
    "allowCollapse": true,
    "props": {}
    "name": " Return the name of every computer in the database where at least one SPN for the computer contains the string 'MSSQL'",
    "queryList": [{
    "final": true,
    "query": "MATCH (c:Computer) WHERE ANY (x IN c.serviceprincipalnames WHERE toUpper(x) CONTAINS 'MSSQL') RETURN c"
    }]
    },
    {
    "name": "List Computers where DOMAIN USERS are Local Admin",
    "queryList": [
    {
    "final": true,
    "query":
    "MATCH p=(m:Group)-[r:AdminTo]->(n:Computer) WHERE m.name STARTS WITH 'DOMAIN USERS' RETURN p",
    "allowCollapse": true
    }
    ]
    },
    {
    "name": "Shortest Path from DOMAIN USERS to High Value Targets",
    "queryList": [
    {
    "final": true,
    "query":
    "MATCH (g:Group),(n {highvalue:true}),p=shortestPath((g)-[r*1..]->(n)) WHERE g.name STARTS WITH 'DOMAIN USERS' return p",
    "allowCollapse": true
    }
    ]
    },
    {
    "name": "ALL Path from DOMAIN USERS to High Value Targets",
    "queryList": [
    {
    "final": true,
    "query":
    "MATCH (g:Group) WHERE g.name STARTS WITH 'DOMAIN USERS' MATCH (n {highvalue:true}),p=shortestPath((g)-[r*1..]->(n)) return p",
    "allowCollapse": true
    }
    ]
    },
    {
    "name": "Find Workstations where DOMAIN USERS can RDP To",
    "queryList": [
    {
    "final": true,
    "query":
    "match p=(g:Group)-[:CanRDP]->(c:Computer) where g.name STARTS WITH 'DOMAIN USERS' AND NOT c.operatingsystem CONTAINS 'Server' return p",
    "allowCollapse": true
    }
    ]
    },
    {
    "name": "Find Servers where DOMAIN USERS can RDP To",
    "queryList": [
    {
    "final": true,
    "query":
    "match p=(g:Group)-[:CanRDP]->(c:Computer) where g.name STARTS WITH 'DOMAIN USERS' AND c.operatingsystem CONTAINS 'Server' return p",
    "allowCollapse": true
    }
    ]
    },
    {
    "name": "Find all other Rights DOMAIN USERS shouldn’t have",
    "queryList": [
    {
    "final": true,
    "query":
    "MATCH p=(m:Group)-[r:Owns|:WriteDacl|:GenericAll|:WriteOwner|:ExecuteDCOM|:GenericWrite|:AllowedToDelegate|:ForceChangePassword]->(n:Computer) WHERE m.name STARTS WITH 'DOMAIN USERS' RETURN p",
    "allowCollapse": true
    }
    ]
    },
    {
    "name": "Kerberoastable Accounts member of High Value Group",
    "queryList": [
    {
    "final": true,
    "query":
    "MATCH (n:User)-[r:MemberOf]->(g:Group) WHERE g.highvalue=true AND n.hasspn=true RETURN n, g, r",
    "allowCollapse": true
    }
    ]
    },
    {
    "name": "List all Kerberoastable Accounts",
    "queryList": [
    {
    "final": true,
    "query":
    "MATCH (n:User)WHERE n.hasspn=true RETURN n",
    "allowCollapse": true
    }
    ]
    },
    {
    "name": "Top Ten Users with Most Sessions",
    "queryList": [
    {
    "final": true,
    "query":
    "MATCH (n:User),(m:Computer), (n)<-[r:HasSession]-(m) WHERE NOT n.name STARTS WITH 'ANONYMOUS LOGON' AND NOT n.name='' WITH n, count(r) as rel_count order by rel_count desc LIMIT 10 MATCH p=(m)-[r:HasSession]->(n) RETURN p",
    "allowCollapse": true
    }
    ]
    "name": "View all GPOs",
    "queryList": [{
    "final": true,
    "query": "Match (n:GPO) RETURN n"
    }]
    },
    {
    "name": "Top Ten Computers with Most Admins",
    "queryList": [
    {
    "final": true,
    "query":
    "MATCH (n:User),(m:Computer), (n)-[r:AdminTo]->(m) WHERE NOT n.name STARTS WITH 'ANONYMOUS LOGON' AND NOT n.name='' WITH m, count(r) as rel_count order by rel_count desc LIMIT 10 MATCH p=(m)<-[r:AdminTo]-(n) RETURN p",
    "allowCollapse": true
    }
    ]
    }, {
    "name": "Top Ten Computers with Most Sessions",
    "queryList": [
    {
    "final": true,
    "query":
    "MATCH (n:User),(m:Computer), (n)<-[r:HasSession]-(m) WHERE NOT n.name STARTS WITH 'ANONYMOUS LOGON' AND NOT n.name='' WITH m, count(r) as rel_count order by rel_count desc LIMIT 10 MATCH p=(m)-[r:HasSession]->(n) RETURN n,r,m",
    "allowCollapse": true
    }
    ]
    "name": "View all groups that contain the word 'admin'",
    "queryList": [{
    "final": true,
    "query": "Match (n:Group) WHERE n.name CONTAINS 'ADMIN' RETURN n"
    }]
    },
    {
    "name": "Top Ten Users with Most Local Admin Rights",
    "queryList": [
    {
    "final": true,
    "query":
    "MATCH (n:User),(m:Computer), (n)-[r:AdminTo]->(m) WHERE NOT n.name STARTS WITH 'ANONYMOUS LOGON' AND NOT n.name='' WITH n, count(r) as rel_count order by rel_count desc LIMIT 10 MATCH p=(m)<-[r:AdminTo]-(n) RETURN p",
    "allowCollapse": true
    }
    ]
    "name": "Find users that can be AS-REP roasted",
    "queryList": [{
    "final": true,
    "query": "MATCH (u:User {dontreqpreauth: true}) RETURN u"
    }]
    },
    {
    "name": "All Shortest Path - Owned to HighValue",
    "queryList": [
    {
    "final": true,
    "query":
    "MATCH p=allShortestPaths((O {owned: True})-[r:{}*1..]->(H {highvalue: True})) RETURN p",
    "props": {},
    "allowCollapse": true
    }
    ]
    "name": "Find All Users with an SPN/Find all Kerberoastable Users with passwords last set > 5 years ago",
    "queryList": [{
    "final": true,
    "query": "MATCH (u:User) WHERE n.hasspn=true AND WHERE u.pwdlastset < (datetime().epochseconds - (1825 * 86400)) and NOT u.pwdlastset IN [-1.0, 0.0] RETURN u"
    }]
    },
    {
    "name": "All Shortest Path - Owned to HighValue - Exclude Blacklist",
    "queryList": [
    {
    "final": true,
    "query":
    "MATCH p=allShortestPaths((O {owned: True})-[r:{}*1..]->(H {highvalue: True})) WHERE NONE(x IN NODES(p) WHERE x:Blacklist) RETURN p",
    "props": {},
    "allowCollapse": true
    }
    ]
    "name": "Show all high value target's groups",
    "queryList": [{
    "final": true,
    "query": "MATCH p=(n:User)-[r:MemberOf*1..]->(m:Group {highvalue:true}) RETURN p"
    }]
    },
    {
    "name": "Owned - View All",
    "queryList": [
    {
    "final": true,
    "query":
    "MATCH (x {owned: True}) RETURN x",
    "props": {},
    "allowCollapse": true
    }
    ]
    "name": "Find groups that contain both users and computers",
    "queryList": [{
    "final": true,
    "query": "MATCH (c:Computer)-[r:MemberOf*1..]->(groupsWithComps:Group) WITH groupsWithComps MATCH (u:User)-[r:MemberOf*1..]->(groupsWithComps) RETURN DISTINCT(groupsWithComps) as groupsWithCompsAndUsers"
    }]
    },
    {
    "name": "Owned - Clear All",
    "queryList": [
    {
    "final": true,
    "query":
    "MATCH (x {owned: True}) SET x.owned=False",
    "props": {},
    "allowCollapse": true
    }
    ]
    "name": "Shortest Path from Domain Users to High Value Targets",
    "queryList": [{
    "final": true,
    "query": "MATCH (g:Group),(n {highvalue:true}),p=shortestPath((g)-[r*1..]->(n)) WHERE g.name STARTS WITH 'DOMAIN USERS' return p",
    "allowCollapse": true
    }]
    },
    {
    "name": "HighValue - View All",
    "queryList": [
    {
    "final": true,
    "query":
    "MATCH (x {highvalue: True}) RETURN x",
    "props": {},
    "allowCollapse": true
    }
    ]
    "name": "ALL Path from Domain Users to High Value Targets",
    "queryList": [{
    "final": true,
    "query": "MATCH (g:Group) WHERE g.name STARTS WITH 'DOMAIN USERS' MATCH (n {highvalue:true}),p=shortestPath((g)-[r*1..]->(n)) return p",
    "allowCollapse": true
    }]
    },
    {
    "name": "HighValue - Clear All",
    "queryList": [
    {
    "final": true,
    "query":
    "MATCH (x {highvalue: True}) SET x.highvalue=False",
    "props": {},
    "allowCollapse": true
    }
    ]
    "name": "Find Kerberoastable users who are members of high value groups",
    "queryList": [{
    "final": true,
    "query": "MATCH (u:User)-[r:MemberOf*1..]->(g:Group) WHERE g.highvalue=true AND u.hasspn=true RETURN u"
    }]
    },
    {
    "name": "Blacklist - View All",
    "queryList": [
    {
    "final": true,
    "query":
    "MATCH (x:Blacklist) RETURN x",
    "props": {},
    "allowCollapse": true
    }
    ]
    "name": "Find Kerberoastable users and where they are AdminTo",
    "queryList": [{
    "final": true,
    "query": "OPTIONAL MATCH (u1:User) WHERE u1.hasspn=true OPTIONAL MATCH (u1)-[r:AdminTo]->(c:Computer) RETURN u"
    }]
    },
    {
    "name": "Blacklist - Add User",
    "queryList": [
    {
    "final": false,
    "query":
    "MATCH (x:User) RETURN x.name ORDER BY x.name",
    "props": {},
    "allowCollapse": true
    },
    {
    "final": true,
    "query": "MATCH (x:User) WHERE x.name={result} SET x:Blacklist",
    "props": {},
    "allowCollapse": true
    }
    ]
    "name": "Find computers with constrained delegation permissions and the corresponding targets where they allowed to delegate",
    "queryList": [{
    "final": true,
    "query": "MATCH (c:Computer) WHERE c.allowedtodelegate IS NOT NULL RETURN c"
    }]
    },
    {
    "name": "Blacklist - Add Group",
    "queryList": [
    {
    "final": false,
    "query":
    "MATCH (x:Group) RETURN x.name ORDER BY x.name",
    "props": {},
    "allowCollapse": true
    },
    {
    "final": true,
    "query": "MATCH (x:Group) WHERE x.name={result} SET x:Blacklist",
    "props": {},
    "allowCollapse": true
    }
    ]
    "name": "Find if any domain user has interesting permissions against a GPO (Warning: Heavy)",
    "queryList": [{
    "final": true,
    "query": "MATCH p=(u:User)-[r:AllExtendedRights|GenericAll|GenericWrite|Owns|WriteDacl|WriteOwner|GpLink*1..]->(g:GPO) RETURN p"
    }]
    },
    {
    "name": "Blacklist - Add Computer",
    "queryList": [
    {
    "final": false,
    "query":
    "MATCH (x:Computer) RETURN x.name ORDER BY x.name",
    "props": {},
    "allowCollapse": true
    },
    {
    "final": true,
    "query": "MATCH (x:Computer) WHERE x.name={result} SET x:Blacklist",
    "props": {},
    "allowCollapse": true
    }
    ]
    "name": "Find if unprivileged users have rights to add members into groups",
    "queryList": [{
    "final": true,
    "query": "MATCH (n:User {admincount:False}) MATCH p=allShortestPaths((n)-[r:AddMember*1..]->(m:Group)) RETURN p"
    }]
    },
    {
    "name": "Blacklist - Remove User",
    "queryList": [
    {
    "final": false,
    "query":
    "MATCH (x:User:Blacklist) RETURN x.name ORDER BY x.name",
    "props": {},
    "allowCollapse": true
    },
    {
    "final": true,
    "query": "MATCH (x:User) WHERE x.name={result} REMOVE x:Blacklist",
    "props": {},
    "allowCollapse": true
    }
    ]
    "name": "Find all users a part of the VPN group",
    "queryList": [{
    "final": true,
    "query": "Match p=(u:User)-[:MemberOf]->(g:Group) WHERE toUPPER (g.name) CONTAINS 'VPN' return p"
    }]
    },
    {
    "name": "Blacklist - Remove Group",
    "queryList": [
    {
    "name": "Paths from DU to DA without RDP",
    "queryList": [{
    "final": false,
    "query":
    "MATCH (x:Group:Blacklist) RETURN x.name ORDER BY x.name",
    "props": {},
    "allowCollapse": true
    "title": "Select a Domain Admin group...",
    "query": "MATCH (n:Group) WHERE n.objectsid =~ {name} RETURN n.name ORDER BY n.name DESC",
    "props": {
    "name": "(?i)S-1-5-.*-512"
    }
    },
    {
    "final": true,
    "query": "MATCH (x:Group) WHERE x.name={result} REMOVE x:Blacklist",
    "props": {},
    "allowCollapse": true
    "query": "MATCH (n:User),(m:Group {name:{result}}),p=shortestPath((n)-[r:MemberOf|HasSession|AdminTo|AllExtendedRights|AddMember|ForceChangePassword|GenericAll|GenericWrite|Owns|WriteDacl|WriteOwner|ExecuteDCOM|AllowedToDelegate|ReadLAPSPassword|Contains|GpLink|AddAllowedToAct|AllowedToAct|SQLAdmin*1..]->(m)) RETURN p",
    "allowCollapse": true,
    "endNode": "{}"
    }
    ]
    },
    {
    "name": "Blacklist - Remove Computer",
    "queryList": [
    {
    "name": "Most Exploitable Paths to DA",
    "queryList": [{
    "final": false,
    "query":
    "MATCH (x:Computer:Blacklist) RETURN x.name ORDER BY x.name",
    "props": {},
    "allowCollapse": true
    "title": "Select a Domain Admin group...",
    "query": "MATCH (n:Group) WHERE n.objectsid =~ {name} RETURN n.name ORDER BY n.name DESC",
    "props": {
    "name": "(?i)S-1-5-.*-512"
    }
    },
    {
    "final": true,
    "query": "MATCH (x:Computer) WHERE x.name={result} REMOVE x:Blacklist",
    "props": {},
    "allowCollapse": true
    "query": "MATCH (n:User),(m:Group {name:{result}}),p=shortestPath((n)-[r:MemberOf|AdminTo|AllExtendedRights|AddMember|ForceChangePassword|GenericAll|GenericWrite|Owns|WriteDacl|WriteOwner|ExecuteDCOM|AllowedToDelegate|ReadLAPSPassword|Contains|GpLink|AddAllowedToAct|AllowedToAct|SQLAdmin*1..]->(m)) RETURN p",
    "allowCollapse": true,
    "endNode": "{}"
    }
    ]
    },
    {
    "name": "Blacklist - Clear All",
    "queryList": [
    {
    "final": true,
    "query":
    "MATCH (x:Blacklist) REMOVE x:Blacklist",
    "props": {},
    "allowCollapse": true
    }
    ]
    "name": "Find users that have never logged on and account is still active",
    "queryList": [{
    "final": true,
    "query": "MATCH (n:User) WHERE n.lastlogontimestamp=-1.0 AND n.enabled=TRUE RETURN n "
    }]
    }
    ]
    }
  2. @seajaysec seajaysec created this gist Feb 9, 2019.
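--- a/customqueries.json
+++ b/customqueries.json
@@ -0,0 +1,764 @@
+{
+"queries": [
+{
+"name": "Find all Domain Admins",
+"queryList": [
+{
+"final": true,
+"query":
+"MATCH (n:Group) WHERE n.objectsid =~ {name} WITH n MATCH p=(n)<-[r:MemberOf*1..]-(m) RETURN p",
+"props": {
+"name": "(?i)S-1-5-.*-512"
+},
+"allowCollapse": false
+}
+]
+},
+{
+"name": "Find Shortest Paths to Domain Admins",
+"queryList": [
+{
+"final": false,
+"title": "Select a Domain Admin group...",
+"query":
+"MATCH (n:Group) WHERE n.objectsid =~ {name} RETURN n.name ORDER BY n.name DESC",
+"props": {
+"name": "(?i)S-1-5-.*-512"
+}
+},
+{
+"final": true,
+"query":
+"MATCH (n:User),(m:Group {name:{result}}),p=shortestPath((n)-[r:MemberOf|AdminTo|HasSession|Contains|GpLink|Owns|DCSync|AllExtendedRights|ForceChangePassword|GenericAll|GenericWrite|WriteDacl|WriteOwner|CanRDP|ExecuteDCOM*1..]->(m)) RETURN p",
+"allowCollapse": true,
+"endNode": "{}"
+}
+]
+},
+{
+"name": "Find DCSyncers",
+"queryList": [
+{
+"final": false,
+"title": "Select a Domain...",
+"query":
+"MATCH (n:Domain) RETURN n.name ORDER BY n.name DESC"
+},
+{
+"final": true,
+"query":
+"MATCH p=(n1)-[:MemberOf|GetChanges*1..]->(u:Domain {name: {result}}) WITH p,n1 MATCH p2=(n1)-[:MemberOf|GetChangesAll*1..]->(u:Domain {name: {result}}) WITH p,p2 MATCH p3=(n2)-[:MemberOf|GenericAll|AllExtendedRights*1..]->(u:Domain {name: {result}}) RETURN p,p2,p3",
+"allowCollapse": true,
+"endNode": "{}"
+}
+]
+},
+{
+"name": "Find logged in Admins",
+"queryList": [
+{
+"final": true,
+"query":
+"MATCH p=(a:Computer)-[r:HasSession]->(b:User) WITH a,b,r MATCH p=shortestPath((b)-[:AdminTo|MemberOf*1..]->(a)) RETURN p",
+"allowCollapse": true
+}
+]
+},
+{
+"name": "Top Ten Users with Most Sessions",
+"queryList": [
+{
+"final": true,
+"query":
+"MATCH (n:User),(m:Computer), (n)<-[r:HasSession]-(m) WHERE NOT n.name STARTS WITH 'ANONYMOUS LOGON' AND NOT n.name='' WITH n, count(r) as rel_count order by rel_count desc LIMIT 10 MATCH p=(m)-[r:HasSession]->(n) RETURN p",
+"allowCollapse": true
+}
+]
+},
+{
+"name": "Top Ten Computers with Most Sessions",
+"queryList": [
+{
+"final": true,
+"query":
+"MATCH (n:User),(m:Computer), (n)<-[r:HasSession]-(m) WHERE NOT n.name STARTS WITH 'ANONYMOUS LOGON' AND NOT n.name='' WITH m, count(r) as rel_count order by rel_count desc LIMIT 10 MATCH p=(m)-[r:HasSession]->(n) RETURN n,r,m",
+"allowCollapse": true
+}
+]
+},
+{
+"name": "Top Ten Users with Most Local Admin Rights",
+"queryList": [
+{
+"final": true,
+"query":
+"MATCH (n:User),(m:Computer), (n)-[r:AdminTo]->(m) WHERE NOT n.name STARTS WITH 'ANONYMOUS LOGON' AND NOT n.name='' WITH n, count(r) as rel_count order by rel_count desc LIMIT 10 MATCH p=(m)<-[r:AdminTo]-(n) RETURN p",
+"allowCollapse": true
+}
+]
+},
+{
+"name": "Top Ten Computers with Most Admins",
+"queryList": [
+{
+"final": true,
+"query":
+"MATCH (n:User),(m:Computer), (n)-[r:AdminTo]->(m) WHERE NOT n.name STARTS WITH 'ANONYMOUS LOGON' AND NOT n.name='' WITH m, count(r) as rel_count order by rel_count desc LIMIT 10 MATCH p=(m)<-[r:AdminTo]-(n) RETURN p",
+"allowCollapse": true
+}
+]
+},
+{
+"name": "Users with Foreign Domain Group Membership",
+"queryList": [
+{
+"final": false,
+"title": "Select source domain...",
+"query":
+"MATCH (n:Domain) RETURN n.name ORDER BY n.name DESC"
+},
+{
+"final": true,
+"query":
+"MATCH (n:User) WITH n MATCH (m:Group) WITH n,m MATCH p=(n)-[r:MemberOf]->(m) WHERE n.domain={result} AND NOT m.domain=n.domain RETURN p",
+"startNode": "{}",
+"allowCollapse": false
+}
+]
+},
+{
+"name": "Groups with Foreign Domain Group Membership",
+"queryList": [
+{
+"final": false,
+"title": "Select source domain...",
+"query":
+"MATCH (n:Domain) RETURN n.name ORDER BY n.name DESC"
+},
+{
+"final": true,
+"query":
+"MATCH (n:Group) WITH n MATCH (m:Group) WITH n,m MATCH p=(n)-[r:MemberOf]->(m) WHERE n.domain={result} AND NOT m.domain=n.domain AND NOT n.name=m.name RETURN p",
+"startNode": "{}",
+"allowCollapse": false
+}
+]
+},
+{
+"name": "Map Domain Trusts",
+"queryList": [
+{
+"final": true,
+"query": "MATCH p=(n:Domain)-[r]-(m:Domain) RETURN p",
+"allowCollapse": true
+}
+]
+},
+{
+"name": "Shortest Path from SPN User",
+"queryList": [
+{
+"final": false,
+"title": "Select a domain...",
+"query":
+"MATCH (n:Domain) RETURN n.name ORDER BY n.name DESC"
+},
+{
+"final": false,
+"title": "Select a user",
+"query":
+"MATCH (n:User) WHERE n.domain={result} AND n.HasSPN=true RETURN n.name, n.PwdLastSet ORDER BY n.PwdLastSet ASC"
+},
+{
+"final": true,
+"query":
+"MATCH n=shortestPath((a:User {name:{result}})-[r:MemberOf|AdminTo|HasSession|Contains|GpLink|Owns|DCSync|AllExtendedRights|ForceChangePassword|GenericAll|GenericWrite|WriteDacl|WriteOwner*1..]->(b:Computer)) RETURN n",
+"startNode": "{}",
+"allowCollapse": true
+}
+]
+},
+{
+"name": "Shortest Paths to Domain Admins from SPN Users",
+"queryList": [
+{
+"final": false,
+"title": "Select a Domain Admin group...",
+"query":
+"MATCH (n:Group) WHERE n.name =~ {name} RETURN n.name ORDER BY n.name DESC",
+"props": {
+"name": "(?i).*DOMAIN ADMINS.*"
+}
+},
+{
+"final": true,
+"query":
+"MATCH (n:User),(m:Group {name:{result}}),p=shortestPath((n)-[r:MemberOf|AdminTo|HasSession|Contains|GpLink|Owns|DCSync|AllExtendedRights|ForceChangePassword|GenericAll|GenericWrite|WriteDacl|WriteOwner*1..]->(m)) WHERE n.HasSPN=true RETURN p",
+"allowCollapse": true,
+"endNode": "{}"
+}
+]
+},
+{
+"name": "Find all owned Domain Admins",
+"requireNodeSelect": false,
+"query": "MATCH (n:Group) WHERE n.name =~ {name} WITH n MATCH p=(n)<-[r:MemberOf*1..]-(m) WHERE exists(m.owned) AND NONE (x IN nodes(p) WHERE exists(x.blacklist)) AND NONE (x in relationships(p) WHERE exists(x.blacklist)) RETURN nodes(p),relationships(p)",
+"allowCollapse": false,
+"props": {"name": "(?i).*DOMAIN ADMINS.*"}
+},
+{
+"name": "Find Shortest Paths from owned node to Domain Admins",
+"requireNodeSelect": true,
+"nodeSelectQuery": {
+"query":"MATCH (n:Group) WHERE n.name =~ {name} RETURN n.name",
+"queryProps": {"name":"(?i).*DOMAIN ADMINS.*"},
+"onFinish": "MATCH (n),(m:Group {name:{result}}),p=shortestPath((n)-[*1..12]->(m)) WHERE exists(n.owned) AND NONE (x IN nodes(p) WHERE exists(x.blacklist)) AND NONE (x in relationships(p) WHERE exists(x.blacklist)) RETURN p",
+"start":"",
+"end": "{}",
+"allowCollapse": true,
+"boxTitle": "Select domain to map..."
+}
+},
+{
+"name": "Show Wave",
+"requireNodeSelect": true,
+"nodeSelectQuery": {
+"query":"MATCH (n) WHERE exists(n.wave) WITH DISTINCT n.wave as d RETURN toString(d) ORDER BY d",
+"queryProps": {},
+"onFinish": "OPTIONAL MATCH (n1:User {wave:toInt({result})}) WITH collect(distinct n1) as c1 OPTIONAL MATCH (n2:Computer {wave:toInt({result})}) WITH collect(distinct n2) + c1 as c2 OPTIONAL MATCH (n3:Group {wave:toInt({result})}) WITH c2, collect(distinct n3) + c2 as c3 UNWIND c2 as n UNWIND c3 as m MATCH (n)-[r]->(m) WHERE not(exists(n.blacklist)) AND not(exists(m.blacklist)) AND not(exists(r.blacklist)) RETURN n,r,m",
+"start": "",
+"end": "",
+"allowCollapse": true,
+"boxTitle": "Select wave..."
+}
+},
+{
+"name": "Highlight Delta for Wave",
+"requireNodeSelect": true,
+"nodeSelectQuery": {
+"query":"MATCH (n) WHERE exists(n.wave) WITH DISTINCT n.wave as d RETURN toString(d) ORDER BY d",
+"queryProps": {},
+"onFinish": "MATCH (n)-[r]->(m) WHERE n.wave<=toInt({result}) AND not(exists(n.blacklist)) AND not(exists(m.blacklist)) AND not(exists(r.blacklist)) RETURN n,r,m",
+"start": "",
+"end": "",
+"allowCollapse": true,
+"boxTitle": "Select wave to show deltas..."
+}
+},
+{
+"name": "Find Clusters of Password Reuse",
+"requireNodeSelect": false,
+"query": "MATCH p=(n)-[r:SharesPasswordWith]->(m) WHERE not(exists(n.blacklist)) AND not(exists(m.blacklist)) RETURN p",
+"allowCollapse": true,
+"props": {}
+},
+{
+"name": "Show Blacklisted Nodes",
+"requireNodeSelect": false,
+"query": "MATCH (n) WHERE exists(n.blacklist) RETURN n",
+"allowCollapse": true,
+"props": {}
+},
+{
+"name": "Show Blacklisted Relationships",
+"requireNodeSelect": false,
+"query": "MATCH (n)-[r]->(m) WHERE exists(r.blacklist) RETURN n,r,m",
+"allowCollapse": true,
+"props": {}
+},
+{
+"name": "Show Blacklist",
+"requireNodeSelect": false,
+"query": "OPTIONAL MATCH (n {blacklist:true}) WITH n OPTIONAL MATCH p=(()-[{blacklist:true}]->()) RETURN n,p",
+"allowCollapse": true,
+"props": {}
+},
+{
+"name": "Show owned Nodes",
+"requireNodeSelect": false,
+"query": "MATCH (n) WHERE exists(n.owned) RETURN n",
+"allowCollapse": true,
+"props": {}
+},
+{
+"name": "Find Shortest Paths to DA Equivalency",
+"requireNodeSelect": true,
+"nodeSelectQuery": {
+"query":"MATCH (n:Group) WHERE n.name =~ {name} RETURN n.name",
+"queryProps": {"name":"(?i).*DOMAIN CONTROLLERS.*"},
+"onFinish": "MATCH (n:User),(m:Group {name:{result}}),p=shortestPath((n)-[*1..]->(m)) RETURN p",
+"start":"",
+"end": "{}",
+"allowCollapse": true,
+"boxTitle": "Select domain to map..."
+}
+},
+{
+"name": "Find Shortest Paths to Domain Admins from Foreign User",
+"requireNodeSelect": true,
+"nodeSelectQuery": {
+"query": "MATCH (n:Domain) RETURN n.name",
+"queryProps":{},
+"onFinish": "MATCH (n:User) WHERE NOT n.name ENDS WITH ('@' + {result}) WITH n MATCH (m:Group {name:('DOMAIN ADMINS@' + {result})}) WITH n,m MATCH p=shortestPath((n)-[*1..]->(m)) RETURN p",
+"start": "{}",
+"end": "",
+"allowCollapse": true,
+"boxTitle": "Select target domain..."
+}
+},
+{
+"name": "Show Connections over 22/tcp",
+"requireNodeSelect": false,
+"query": "MATCH p=((s:Computer)-[:Connected_22]->(d:Computer)) RETURN p",
+"allowCollapse": true,
+"props": {}
+},
+{
+"name": "Show Connections over 80/tcp",
+"requireNodeSelect": false,
+"query": "MATCH p=((s:Computer)-[:Connected_80]->(d:Computer)) RETURN p",
+"allowCollapse": true,
+"props": {}
+},
+{
+"name": "Show Connections over 135/tcp",
+"requireNodeSelect": false,
+"query": "MATCH p=((s:Computer)-[:Connected_135]->(d:Computer)) RETURN p",
+"allowCollapse": true,
+"props": {}
+},
+{
+"name": "Show Connections over 139/tcp",
+"requireNodeSelect": false,
+"query": "MATCH p=((s:Computer)-[:Connected_139]->(d:Computer)) RETURN p",
+"allowCollapse": true,
+"props": {}
+},
+{
+"name": "Show Connections over 389/tcp",
+"requireNodeSelect": false,
+"query": "MATCH p=((s:Computer)-[:Connected_389]->(d:Computer)) RETURN p",
+"allowCollapse": true,
+"props": {}
+},
+{
+"name": "Show Connections over 443/tcp",
+"requireNodeSelect": false,
+"query": "MATCH p=((s:Computer)-[:Connected_443]->(d:Computer)) RETURN p",
+"allowCollapse": true,
+"props": {}
+},
+{
+"name": "Show Connections over 445/tcp",
+"requireNodeSelect": false,
+"query": "MATCH p=((s:Computer)-[:Connected_445]->(d:Computer)) RETURN p",
+"allowCollapse": true,
+"props": {}
+},
+{
+"name": "Show Connections over 1433/tcp",
+"requireNodeSelect": false,
+"query": "MATCH p=((s:Computer)-[:Connected_1433]->(d:Computer)) RETURN p",
+"allowCollapse": true,
+"props": {}
+},
+{
+"name": "Show Connections over 1521/tcp",
+"requireNodeSelect": false,
+"query": "MATCH p=((s:Computer)-[:Connected_1521]->(d:Computer)) RETURN p",
+"allowCollapse": true,
+"props": {}
+},
+{
+"name": "Show Connections over 3306/tcp",
+"requireNodeSelect": false,
+"query": "MATCH p=((s:Computer)-[:Connected_3306]->(d:Computer)) RETURN p",
+"allowCollapse": true,
+"props": {}
+},
+{
+"name": "Show Connections over 3389/tcp",
+"requireNodeSelect": false,
+"query": "MATCH p=((s:Computer)-[:Connected_3389]->(d:Computer)) RETURN p",
+"allowCollapse": true,
+"props": {}
+},
+{
+"name": "Show Connections over 5432/tcp",
+"requireNodeSelect": false,
+"query": "MATCH p=((s:Computer)-[:Connected_5432]->(d:Computer)) RETURN p",
+"allowCollapse": true,
+"props": {}
+},
+{
+"name": "Show Database Connections",
+"requireNodeSelect": false,
+"query": "MATCH p=((s:Computer)-[:Connected_1433|Connected_1521|Connected_3306|Connected_5432]->(d:Computer)) RETURN p",
+"allowCollapse": true,
+"props": {}
+},
+{
+"name": "Show Web App Connections",
+"requireNodeSelect": false,
+"query": "MATCH p=((s:Computer)-[:Connected_80|Connected_443]->(d:Computer)) RETURN p",
+"allowCollapse": true,
+"props": {}
+},
+{
+"name": "Find Top 10 RDP Servers",
+"requireNodeSelect": false,
+"query": "MATCH (n:Computer)-[r:Connected_3389]->(m:Computer) WHERE NOT m.name STARTS WITH 'ANONYMOUS LOGON' AND NOT m.name='' WITH m, count(r) as rel_count order by rel_count desc LIMIT 10 MATCH (n)-[r:Connected_3389]->(m) RETURN n,r,m",
+"allowCollapse": true,
+"props": {}
+},
+{
+"name": "Find Top 10 SSH Servers",
+"requireNodeSelect": false,
+"query": "MATCH (n:Computer)-[r:Connected_22]->(m:Computer) WHERE NOT m.name STARTS WITH 'ANONYMOUS LOGON' AND NOT m.name='' WITH m, count(r) as rel_count order by rel_count desc LIMIT 10 MATCH (n)-[r:Connected_22]->(m) RETURN n,r,m",
+"allowCollapse": true,
+"props": {}
+},
+{
+"name": "Find Top 10 Web Apps with most Connections",
+"requireNodeSelect": false,
+"query": "MATCH (n:Computer)-[r:Connected_80|Connected_443]->(m:Computer) WHERE NOT m.name STARTS WITH 'ANONYMOUS LOGON' AND NOT m.name='' WITH m, count(r) as rel_count order by rel_count desc LIMIT 10 MATCH (n)-[r:Connected_80|Connected_443]->(m) RETURN n,r,m",
+"allowCollapse": true,
+"props": {}
+},
+{
+"name": "List Computers where DOMAIN USERS are Local Admin",
+"queryList": [
+{
+"final": true,
+"query":
+"MATCH p=(m:Group)-[r:AdminTo]->(n:Computer) WHERE m.name STARTS WITH 'DOMAIN USERS' RETURN p",
+"allowCollapse": true
+}
+]
+},
+{
+"name": "Shortest Path from DOMAIN USERS to High Value Targets",
+"queryList": [
+{
+"final": true,
+"query":
+"MATCH (g:Group),(n {highvalue:true}),p=shortestPath((g)-[r*1..]->(n)) WHERE g.name STARTS WITH 'DOMAIN USERS' return p",
+"allowCollapse": true
+}
+]
+},
+{
+"name": "ALL Path from DOMAIN USERS to High Value Targets",
+"queryList": [
+{
+"final": true,
+"query":
+"MATCH (g:Group) WHERE g.name STARTS WITH 'DOMAIN USERS' MATCH (n {highvalue:true}),p=shortestPath((g)-[r*1..]->(n)) return p",
+"allowCollapse": true
+}
+]
+},
+{
+"name": "Find Workstations where DOMAIN USERS can RDP To",
+"queryList": [
+{
+"final": true,
+"query":
+"match p=(g:Group)-[:CanRDP]->(c:Computer) where g.name STARTS WITH 'DOMAIN USERS' AND NOT c.operatingsystem CONTAINS 'Server' return p",
+"allowCollapse": true
+}
+]
+},
+{
+"name": "Find Servers where DOMAIN USERS can RDP To",
+"queryList": [
+{
+"final": true,
+"query":
+"match p=(g:Group)-[:CanRDP]->(c:Computer) where g.name STARTS WITH 'DOMAIN USERS' AND c.operatingsystem CONTAINS 'Server' return p",
+"allowCollapse": true
+}
+]
+},
+{
+"name": "Find all other Rights DOMAIN USERS shouldn’t have",
+"queryList": [
+{
+"final": true,
+"query":
+"MATCH p=(m:Group)-[r:Owns|:WriteDacl|:GenericAll|:WriteOwner|:ExecuteDCOM|:GenericWrite|:AllowedToDelegate|:ForceChangePassword]->(n:Computer) WHERE m.name STARTS WITH 'DOMAIN USERS' RETURN p",
+"allowCollapse": true
+}
+]
+},
+{
+"name": "Kerberoastable Accounts member of High Value Group",
+"queryList": [
+{
+"final": true,
+"query":
+"MATCH (n:User)-[r:MemberOf]->(g:Group) WHERE g.highvalue=true AND n.hasspn=true RETURN n, g, r",
+"allowCollapse": true
+}
+]
+},
+{
+"name": "List all Kerberoastable Accounts",
+"queryList": [
+{
+"final": true,
+"query":
+"MATCH (n:User)WHERE n.hasspn=true RETURN n",
+"allowCollapse": true
+}
+]
+},
+{
+"name": "Top Ten Users with Most Sessions",
+"queryList": [
+{
+"final": true,
+"query":
+"MATCH (n:User),(m:Computer), (n)<-[r:HasSession]-(m) WHERE NOT n.name STARTS WITH 'ANONYMOUS LOGON' AND NOT n.name='' WITH n, count(r) as rel_count order by rel_count desc LIMIT 10 MATCH p=(m)-[r:HasSession]->(n) RETURN p",
+"allowCollapse": true
+}
+]
+},
+{
+"name": "Top Ten Computers with Most Admins",
+"queryList": [
+{
+"final": true,
+"query":
+"MATCH (n:User),(m:Computer), (n)-[r:AdminTo]->(m) WHERE NOT n.name STARTS WITH 'ANONYMOUS LOGON' AND NOT n.name='' WITH m, count(r) as rel_count order by rel_count desc LIMIT 10 MATCH p=(m)<-[r:AdminTo]-(n) RETURN p",
+"allowCollapse": true
+}
+]
+}, {
+"name": "Top Ten Computers with Most Sessions",
+"queryList": [
+{
+"final": true,
+"query":
+"MATCH (n:User),(m:Computer), (n)<-[r:HasSession]-(m) WHERE NOT n.name STARTS WITH 'ANONYMOUS LOGON' AND NOT n.name='' WITH m, count(r) as rel_count order by rel_count desc LIMIT 10 MATCH p=(m)-[r:HasSession]->(n) RETURN n,r,m",
+"allowCollapse": true
+}
+]
+},
+{
+"name": "Top Ten Users with Most Local Admin Rights",
+"queryList": [
+{
+"final": true,
+"query":
+"MATCH (n:User),(m:Computer), (n)-[r:AdminTo]->(m) WHERE NOT n.name STARTS WITH 'ANONYMOUS LOGON' AND NOT n.name='' WITH n, count(r) as rel_count order by rel_count desc LIMIT 10 MATCH p=(m)<-[r:AdminTo]-(n) RETURN p",
+"allowCollapse": true
+}
+]
+},
+{
+"name": "All Shortest Path - Owned to HighValue",
+"queryList": [
+{
+"final": true,
+"query":
+"MATCH p=allShortestPaths((O {owned: True})-[r:{}*1..]->(H {highvalue: True})) RETURN p",
+"props": {},
+"allowCollapse": true
+}
+]
+},
+{
+"name": "All Shortest Path - Owned to HighValue - Exclude Blacklist",
+"queryList": [
+{
+"final": true,
+"query":
+"MATCH p=allShortestPaths((O {owned: True})-[r:{}*1..]->(H {highvalue: True})) WHERE NONE(x IN NODES(p) WHERE x:Blacklist) RETURN p",
+"props": {},
+"allowCollapse": true
+}
+]
+},
+{
+"name": "Owned - View All",
+"queryList": [
+{
+"final": true,
+"query":
+"MATCH (x {owned: True}) RETURN x",
+"props": {},
+"allowCollapse": true
+}
+]
+},
+{
+"name": "Owned - Clear All",
+"queryList": [
+{
+"final": true,
+"query":
+"MATCH (x {owned: True}) SET x.owned=False",
+"props": {},
+"allowCollapse": true
+}
+]
+},
+{
+"name": "HighValue - View All",
+"queryList": [
+{
+"final": true,
+"query":
+"MATCH (x {highvalue: True}) RETURN x",
+"props": {},
+"allowCollapse": true
+}
+]
+},
+{
+"name": "HighValue - Clear All",
+"queryList": [
+{
+"final": true,
+"query":
+"MATCH (x {highvalue: True}) SET x.highvalue=False",
+"props": {},
+"allowCollapse": true
+}
+]
+},
+{
+"name": "Blacklist - View All",
+"queryList": [
+{
+"final": true,
+"query":
+"MATCH (x:Blacklist) RETURN x",
+"props": {},
+"allowCollapse": true
+}
+]
+},
+{
+"name": "Blacklist - Add User",
+"queryList": [
+{
+"final": false,
+"query":
+"MATCH (x:User) RETURN x.name ORDER BY x.name",
+"props": {},
+"allowCollapse": true
+},
+{
+"final": true,
+"query": "MATCH (x:User) WHERE x.name={result} SET x:Blacklist",
+"props": {},
+"allowCollapse": true
+}
+]
+},
+{
+"name": "Blacklist - Add Group",
+"queryList": [
+{
+"final": false,
+"query":
+"MATCH (x:Group) RETURN x.name ORDER BY x.name",
+"props": {},
+"allowCollapse": true
+},
+{
+"final": true,
+"query": "MATCH (x:Group) WHERE x.name={result} SET x:Blacklist",
+"props": {},
+"allowCollapse": true
+}
+]
+},
+{
+"name": "Blacklist - Add Computer",
+"queryList": [
+{
+"final": false,
+"query":
+"MATCH (x:Computer) RETURN x.name ORDER BY x.name",
+"props": {},
+"allowCollapse": true
+},
+{
+"final": true,
+"query": "MATCH (x:Computer) WHERE x.name={result} SET x:Blacklist",
+"props": {},
+"allowCollapse": true
+}
+]
+},
+{
+"name": "Blacklist - Remove User",
+"queryList": [
+{
+"final": false,
+"query":
+"MATCH (x:User:Blacklist) RETURN x.name ORDER BY x.name",
+"props": {},
+"allowCollapse": true
+},
+{
+"final": true,
+"query": "MATCH (x:User) WHERE x.name={result} REMOVE x:Blacklist",
+"props": {},
+"allowCollapse": true
+}
+]
+},
+{
+"name": "Blacklist - Remove Group",
+"queryList": [
+{
+"final": false,
+"query":
+"MATCH (x:Group:Blacklist) RETURN x.name ORDER BY x.name",
+"props": {},
+"allowCollapse": true
+},
+{
+"final": true,
+"query": "MATCH (x:Group) WHERE x.name={result} REMOVE x:Blacklist",
+"props": {},
+"allowCollapse": true
+}
+]
+},
+{
+"name": "Blacklist - Remove Computer",
+"queryList": [
+{
+"final": false,
+"query":
+"MATCH (x:Computer:Blacklist) RETURN x.name ORDER BY x.name",
+"props": {},
+"allowCollapse": true
+},
+{
+"final": true,
+"query": "MATCH (x:Computer) WHERE x.name={result} REMOVE x:Blacklist",
+"props": {},
+"allowCollapse": true
+}
+]
+},
+{
+"name": "Blacklist - Clear All",
+"queryList": [
+{
+"final": true,
+"query":
+"MATCH (x:Blacklist) REMOVE x:Blacklist",
+"props": {},
+"allowCollapse": true
+}
+]
+}
+]
+}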
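Review bot: The "owned" and "blacklist" markers are tracked by two incompatible conventions in this file, so the helper queries disagree with each other: `Show owned Nodes`, `Find all owned Domain Admins` and `Show Blacklisted Nodes` filter on `exists(n.owned)` / `exists(n.blacklist)`, while `Owned - Clear All` only does `SET x.owned=False` (the property still exists, so cleared nodes keep matching) and the `Blacklist - Add/Remove` queries set a `:Blacklist` label that the `exists(x.blacklist)` filters never see. Either clear with `REMOVE x.owned` or filter on `n.owned=true`, and settle on one blacklist mechanism (label or property) across all queries. Separately, Neo4j property names are case-sensitive, so `n.HasSPN` / `n.PwdLastSet` in the two SPN-user queries and `n.hasspn` in the Kerberoastable queries cannot both match the same data; the lowercase form is what the other queries here use. `Top Ten Users with Most Sessions`, `Top Ten Computers with Most Sessions`, `Top Ten Computers with Most Admins` and `Top Ten Users with Most Local Admin Rights` are each defined twice and one copy of each should be dropped.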