From 08db2ade11c6463599bfe59738c32635c8e2444a Mon Sep 17 00:00:00 2001
From: Shutdown <40902872+ShutdownRepo@users.noreply.github.com>
Date: Wed, 16 Aug 2023 20:31:07 +0200
Subject: [PATCH 1/6] Update package_ad.sh

Downgrading neo4j version because of performance issues in BloodHound
---
 sources/install/package_ad.sh | 16 ++++++++++------
 1 file changed, 10 insertions(+), 6 deletions(-)

diff --git a/sources/install/package_ad.sh b/sources/install/package_ad.sh
index 12b699125..35430ff38 100644
--- a/sources/install/package_ad.sh
+++ b/sources/install/package_ad.sh
@@ -874,16 +874,20 @@ function install_bqm() {
 }

 function install_neo4j() {
- colorecho "Configure neo4j"
+ colorecho "Installing neo4j"
 wget -O - https://debian.neo4j.com/neotechnology.gpg.key | apt-key add -
- echo 'deb https://debian.neo4j.com stable latest' | tee /etc/apt/sources.list.d/neo4j.list
- apt-get update
+ # TODO: temporary fix => rollback to 4.4 stable until perf issue is fix on neo4j 5.x
+ #echo 'deb https://debian.neo4j.com stable latest' | tee /etc/apt/sources.list.d/neo4j.list
+ echo 'deb https://debian.neo4j.com stable 4.4' | tee /etc/apt/sources.list.d/neo4j.list
+ apt update
+ apt install -y --no-install-recommends gnupg libgtk2.0-bin libcanberra-gtk-module libx11-xcb1 libva-glx2 libgl1-mesa-glx libgl1-mesa-dri libgconf-2-4 libasound2 libxss1
 fapt neo4j
- # TODO: when temporary fix is not needed anymore --> neo4j-admin dbms set-initial-password exegol4thewin
- neo4j-admin dbms set-initial-password exegol4thewin
+ # TODO: when temporary fix is not needed anymore add --> neo4j-admin dbms set-initial-password exegol4thewin
+ # TODO: when temporary fix is not needed anymore remove following line
+ neo4j-admin set-initial-password exegol4thewin
 mkdir -p /usr/share/neo4j/logs/
 touch /usr/share/neo4j/logs/neo4j.log
- cp /usr/bin/neo4j /opt/tools/bin/
+ add-aliases neo4j
 add-history neo4j
 add-test-command "neo4j version"
 add-to-list "neo4j,https://github.com/neo4j/neo4j,Database."
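Review bot: The repository signing key is still piped into `apt-key add -`, which is deprecated on current Debian/Ubuntu and makes that key trusted for every configured repository rather than only debian.neo4j.com; the new `echo 'deb https://debian.neo4j.com stable 4.4'` line is the natural place to scope it. Replacing the two lines with `wget -O - https://debian.neo4j.com/neotechnology.gpg.key | gpg --dearmor -o /etc/apt/keyrings/neo4j.gpg` and `echo 'deb [signed-by=/etc/apt/keyrings/neo4j.gpg] https://debian.neo4j.com stable 4.4' | tee /etc/apt/sources.list.d/neo4j.list` (creating /etc/apt/keyrings first if the base image lacks it) keeps the trust limited to this one source. The added `apt install ... gnupg` runs after the key import, which itself needs gpg, so this presumably only works because gnupg is already present in the base image; installing it before the `wget | apt-key` line would make that ordering explicit. Swapping `apt-get update` for `apt update` also trades a stable scripting interface for one that warns it has no stable CLI, so `apt-get` is the safer choice inside an install script. The closing brace of install_neo4j lies outside the hunk.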
From ec79d1b8956f1c38d18cedf2873c7785f943e7f7 Mon Sep 17 00:00:00 2001 From: gbe Date: Wed, 16 Aug 2023 21:15:24 +0200 Subject: [PATCH 2/6] Rename Bloodhound customqueries categories --- sources/assets/bloodhound/customqueries.json | 196 +++++++++---------- 1 file changed, 98 insertions(+), 98 deletions(-) diff --git a/sources/assets/bloodhound/customqueries.json b/sources/assets/bloodhound/customqueries.json index 09427594f..fd5144b0e 100644 --- a/sources/assets/bloodhound/customqueries.json +++ b/sources/assets/bloodhound/customqueries.json @@ -2,7 +2,7 @@ "queries": [ { "name": "Owned objects", - "category": "Tigers love pepper", + "category": "Owned Objects", "queryList": [{ "final": true, "query": "MATCH (m) WHERE m.owned=TRUE RETURN m" @@ -10,7 +10,7 @@ }, { "name": "Direct groups of owned users", - "category": "Tigers love pepper", + "category": "Owned Objects", "queryList": [{ "final": true, "query": "MATCH (u:User {owned:true}), (g:Group), p=(u)-[:MemberOf]->(g) RETURN p", @@ -20,7 +20,7 @@ }, { "name": "Unrolled groups of owned users", - "category": "Tigers love pepper", + "category": "Owned Objects", "queryList": [{ "final": true, "query": "MATCH (m:User) WHERE m.owned=TRUE WITH m MATCH p=(m)-[:MemberOf*1..]->(n:Group) RETURN p" @@ -28,7 +28,7 @@ }, { "name": "Shortest paths from owned objects to High Value Targets (5 hops)", - "category": "Tigers love pepper", + "category": "Owned Objects", "queryList": [{ "final": true, "query": "MATCH p=shortestPath((n {owned:true})-[:MemberOf|HasSession|AdminTo|AllExtendedRights|AddMember|ForceChangePassword|GenericAll|GenericWrite|Owns|WriteDacl|WriteOwner|CanRDP|ExecuteDCOM|AllowedToDelegate|ReadLAPSPassword|Contains|GpLink|AddAllowedToAct|AllowedToAct|SQLAdmin|ReadGMSAPassword|HasSIDHistory|CanPSRemote*1..5]->(m {highvalue:true})) WHERE NOT n=m RETURN p", 
@@ -37,7 +37,7 @@ }, { "name": "Most exploitable paths from owned objects to High Value Targets (5 hops)", - "category": "Tigers love pepper", + "category": "Owned Objects", "queryList": [{ "final": true, "query": "MATCH p=allShortestPaths((n {owned:true})-[:MemberOf|AdminTo|AllExtendedRights|AddMember|ForceChangePassword|GenericAll|GenericWrite|Owns|WriteDacl|WriteOwner|ExecuteDCOM|AllowedToDelegate|ReadLAPSPassword|Contains|GpLink|AddAllowedToAct|AllowedToAct|SQLAdmin|ReadGMSAPassword|HasSIDHistory*1..5]->(m {highvalue:true})) WHERE NOT n=m RETURN p", @@ -46,7 +46,7 @@ }, { "name": "Next steps (5 hops) from owned objects", - "category": "Tigers love pepper", + "category": "Owned Objects", "queryList": [{ "final": true, "query": "MATCH p=shortestPath((c {owned: true})-[*1..5]->(s)) WHERE NOT c = s RETURN p" @@ -54,15 +54,23 @@ }, { "name": "Next steps (3 hops) from owned objects", - "category": "Tigers love pepper", + "category": "Owned Objects", "queryList": [{ "final": true, "query": "MATCH p=shortestPath((c {owned: true})-[*1..3]->(s)) WHERE NOT c = s RETURN p" }] }, + { + "name": "Owned users with permissions against GPOs", + "category": "Owned Objects", + "queryList": [{ + "final": true, + "query": "MATCH p=(u:User {owned:true})-[r:AllExtendedRights|GenericAll|GenericWrite|Owns|WriteDacl|WriteOwner|GpLink*1..]->(g:GPO) RETURN p" + }] + }, { "name": "Connections between different domains/forests", - "category": "Tigers love pepper", + "category": "Domains/Forests", "queryList": [{ "final": true, "query": "MATCH p = (a)-[r]->(b) WHERE NOT a.domain = b.domain RETURN p" 
@@ -70,23 +78,36 @@ }, { "name": "Connections (ACEs only) between different domains/forests", - "category": "Tigers love pepper", + "category": "Domains/Forests", "queryList": [{ "final": true, "query": "MATCH p = (a)-[r]->(b) WHERE NOT a.domain = b.domain AND r.isacl = True RETURN p" }] }, { - "name": "Owned users with permissions against GPOs", - "category": "Tigers love pepper", + "name": "Can a user from domain ‘A ‘ do anything to any computer in domain ‘B’ (Warning: VERY Heavy)", + "category": "Domains/Forests", "queryList": [{ - "final": true, - "query": "MATCH p=(u:User {owned:true})-[r:AllExtendedRights|GenericAll|GenericWrite|Owns|WriteDacl|WriteOwner|GpLink*1..]->(g:GPO) RETURN p" - }] + "final": false, + "title": "Select source domain...", + "query": "MATCH (n:Domain) RETURN n.name ORDER BY n.name DESC" + }, + { + "final": false, + "title": "Select destination domain...", + "query": "MATCH (n:Domain) RETURN n.name ORDER BY n.name DESC" + }, + { + "final": true, + "query": "MATCH (n:User {domain: {result}}) MATCH (m:Computer {domain: {}}) MATCH p=allShortestPaths((n)-[r:MemberOf|HasSession|AdminTo|AllExtendedRights|AddMember|ForceChangePassword|GenericAll|GenericWrite|Owns|WriteDacl|WriteOwner|CanRDP|ExecuteDCOM|AllowedToDelegate|ReadLAPSPassword|Contains|GpLink|AddAllowedToAct|AllowedToAct|SQLAdmin*1..]->(m)) RETURN p", + "startNode": "{}", + "allowCollapse": false + } + ] }, { "name": "Kerberoastable users with a path to DA", - "category": "They hate cinnamon", + "category": "Roasting", "queryList": [{ "final": true, "query": "MATCH (u:User {hasspn:true}) MATCH (g:Group) WHERE g.objectid ENDS WITH '-512' MATCH p = shortestPath( (u)-[*1..]->(g) ) RETURN p" @@ -94,7 +115,7 @@ }, { "name": "Kerberoastable users with a path to High Value", - "category": "They hate cinnamon", + "category": "Roasting", "queryList": [{ "final": true, "query": "MATCH (u:User {hasspn:true}),(n {highvalue:true}),p = shortestPath( (u)-[*1..]->(n) ) RETURN p" 
@@ -102,7 +123,7 @@ }, { "name": " Kerberoastable users and where they are AdminTo", - "category": "They hate cinnamon", + "category": "Roasting", "queryList": [{ "final": true, "query": "OPTIONAL MATCH (u:User) WHERE u.hasspn=true OPTIONAL MATCH (u)-[r:AdminTo]->(c:Computer) RETURN u" @@ -110,7 +131,7 @@ }, { "name": "Kerberoastable users who are members of high value groups", - "category": "They hate cinnamon", + "category": "Roasting", "queryList": [{ "final": true, "query": "MATCH (u:User)-[r:MemberOf*1..]->(g:Group) WHERE g.highvalue=true AND u.hasspn=true RETURN u" @@ -118,7 +139,7 @@ }, { "name": "Kerberoastable users with passwords last set > 5 years ago", - "category": "They hate cinnamon", + "category": "Roasting", "queryList": [{ "final": true, "query": "MATCH (u:User) WHERE n.hasspn=true AND WHERE u.pwdlastset < (datetime().epochseconds - (1825 * 86400)) and NOT u.pwdlastset IN [-1.0, 0.0] RETURN u" @@ -126,7 +147,7 @@ }, { "name": "Kerberoastable Users", - "category": "They hate cinnamon", + "category": "Roasting", "queryList": [{ "final": true, "query": "MATCH (n:User)WHERE n.hasspn=true RETURN n", @@ -135,7 +156,7 @@ }, { "name": "AS-REProastable Users", - "category": "They hate cinnamon", + "category": "Roasting", "queryList": [{ "final": true, "query": "MATCH (u:User {dontreqpreauth: true}) RETURN u" @@ -143,7 +164,7 @@ }, { "name": "Unconstrained Delegations", - "category": "Ready to let the dogs out?", + "category": "Kerberos Delegations", "queryList": [{ "final": true, "query": "MATCH (c {unconstraineddelegation:true}) return c" @@ -151,7 +172,7 @@ }, { "name": "Constrained Delegations (with Protocol Transition)", - "category": "Ready to let the dogs out?", + "category": "Kerberos Delegations", "queryList": [{ "final": true, "query": "MATCH (c) WHERE NOT c.allowedtodelegate IS NULL AND c.trustedtoauth=true return c" 
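Review bot: The `Kerberoastable users with passwords last set > 5 years ago` entry in the `@@ -118,7 +139,7 @@` hunk carries a query that cannot run: it binds `u` but filters on `n.hasspn=true`, and it contains two `WHERE` keywords (`... WHERE n.hasspn=true AND WHERE u.pwdlastset < ...`), which Cypher rejects. Since this commit already rewrites the category of that entry, it is a good moment to correct the context line to `"query": "MATCH (u:User) WHERE u.hasspn=true AND u.pwdlastset < (datetime().epochseconds - (1825 * 86400)) AND NOT u.pwdlastset IN [-1.0, 0.0] RETURN u"`. The lowercase `and` in the original is accepted by Cypher, so the keyword case is only a consistency nit.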
@@ -159,7 +180,7 @@ }, { "name": "Constrained Delegations (without Protocol Transition)", - "category": "Ready to let the dogs out?", + "category": "Kerberos Delegations", "queryList": [{ "final": true, "query": "MATCH (c) WHERE NOT c.allowedtodelegate IS NULL AND c.trustedtoauth=false return c" @@ -167,7 +188,7 @@ }, { "name": "Resource-Based Constrained Delegations", - "category": "Ready to let the dogs out?", + "category": "Kerberos Delegations", "queryList": [{ "final": true, "query": "MATCH p=(u)-[:AllowedToAct]->(c) RETURN p" @@ -175,7 +196,7 @@ }, { "name": "Unconstrained Delegation systems (without domain controllers)", - "category": "Ready to let the dogs out?", + "category": "Kerberos Delegations", "queryList": [{ "final": true, "query": "MATCH (c1:Computer)-[:MemberOf*1..]->(g:Group) WHERE g.objectid ENDS WITH '-516' WITH COLLECT(c1.name) AS domainControllers MATCH (c2 {unconstraineddelegation:true}) WHERE NOT c2.name IN domainControllers RETURN c2" @@ -183,7 +204,7 @@ }, { "name": "(Warning: edits the DB) Mark unconstrained delegation systems as high value targets", - "category": "Ready to let the dogs out?", + "category": "Kerberos Delegations", "queryList": [{ "final": true, "query": "MATCH (c1:Computer)-[:MemberOf*1..]->(g:Group) WHERE g.objectid ENDS WITH '-516' WITH COLLECT(c1.name) AS domainControllers MATCH (c2 {unconstraineddelegation:true}) WHERE NOT c2.name IN domainControllers SET c2.highvalue = true RETURN c2" 
@@ -191,7 +212,7 @@ }, { "name": "Shortest paths from owned principals to unconstrained delegation systems", - "category": "Ready to let the dogs out?", + "category": "Kerberos Delegations", "queryList": [{ "final": true, "query": "MATCH (n {owned:true}) MATCH p=shortestPath((n)-[:MemberOf|HasSession|AdminTo|AllExtendedRights|AddMember|ForceChangePassword|GenericAll|GenericWrite|Owns|WriteDacl|WriteOwner|ExecuteDCOM|AllowedToDelegate|ReadLAPSPassword|Contains|GpLink|AddAllowedToAct|AllowedToAct|SQLAdmin|ReadGMSAPassword|HasSIDHistory|CanPSRemote*1..]->(m:Computer {unconstraineddelegation: true})) WHERE NOT n=m RETURN p" @@ -199,7 +220,7 @@ }, { "name": "Find computers admin to other computers", - "category": "A nerdy hillbilly", + "category": "Admins", "queryList": [{ "final": true, "query": "MATCH p = (c1:Computer)-[r1:AdminTo]->(c2:Computer) RETURN p UNION ALL MATCH p = (c3:Computer)-[r2:MemberOf*1..]->(g:Group)-[r3:AdminTo]->(c4:Computer) RETURN p" @@ -207,7 +228,7 @@ }, { "name": "Logged in Admins", - "category": "A nerdy hillbilly", + "category": "Admins", "queryList": [{ "final": true, "query": "MATCH p=(a:Computer)-[r:HasSession]->(b:User) WITH a,b,r MATCH p=shortestPath((b)-[:AdminTo|MemberOf*1..]->(a)) RETURN p", @@ -216,7 +237,7 @@ }, { "name": "Users with local admin rights", - "category": "A nerdy hillbilly", + "category": "Admins", "queryList": [{ "final": true, "query": "MATCH p=(m:User)-[r:AdminTo]->(n:Computer) RETURN p" @@ -224,7 +245,7 @@ }, { "name": "Domain admin sessions", - "category": "A nerdy hillbilly", + "category": "Admins", "queryList": [{ "final": true, "query": "MATCH (n:User)-[:MemberOf]->(g:Group) WHERE g.objectid ENDS WITH '-512' MATCH p = (c:Computer)-[:HasSession]->(n) return p" 
@@ -232,7 +253,7 @@ }, { "name": "Users with adminCount, not sensitive for delegation, not members of Protected Users", - "category": "A nerdy hillbilly", + "category": "Admins", "queryList": [{ "final": true, "query": "MATCH (u)-[:MemberOf*1..]->(g:Group) WHERE g.objectid =~ \"(?i)S-1-5-.*-525\" WITH COLLECT (u.name) as protectedUsers MATCH p=(u2:User)-[:MemberOf*1..3]->(g2:Group) WHERE u2.admincount=true AND u2.sensitive=false AND NOT u2.name IN protectedUsers RETURN p" @@ -240,7 +261,7 @@ }, { "name": "Objects with the AddAllowedToAct or WriteAccountRestrictions right on a computer", - "category": "A nerdy hillbilly", + "category": "Admins", "queryList": [{ "final": true, "query": "MATCH p=(g)-[:AddAllowedToAct|WriteAccountRestrictions]->(c:Computer) RETURN p" @@ -248,7 +269,7 @@ }, { "name": "Groups that contain the word 'admin'", - "category": "A one-man wolf pack", + "category": "Groups", "queryList": [{ "final": true, "query": "Match (n:Group) WHERE n.name CONTAINS 'ADMIN' RETURN n" @@ -256,7 +277,7 @@ }, { "name": "Groups that can change user passwords", - "category": "A one-man wolf pack", + "category": "Groups", "queryList": [{ "final": true, "query": "MATCH p=(m:Group)-[r:ForceChangePassword]->(n:User) RETURN DISTINCT m[.]name, COUNT(m[.]name) ORDER BY COUNT(m[.]name) DESC" @@ -264,7 +285,7 @@ }, { "name": "Groups of High Value Targets", - "category": "A one-man wolf pack", + "category": "Groups", "queryList": [{ "final": true, "query": "MATCH p=(n:User)-[r:MemberOf*1..]->(m:Group {highvalue:true}) RETURN p" @@ -272,7 +293,7 @@ }, { "name": "Non Admin Groups with High Value Privileges", - "category": "A one-man wolf pack", + "category": "Groups", "queryList": [{ "final": true, "query": "MATCH p=(g:Group)-[r:Owns|:WriteDacl|:GenericAll|:WriteOwner|:ExecuteDCOM|:GenericWrite|:AllowedToDelegate|:ForceChangePassword]->(n:Computer) WHERE NOT g.name CONTAINS 'ADMIN' RETURN p", 
@@ -281,7 +302,7 @@ }, { "name": "Groups with Computer and User Objects", - "category": "A one-man wolf pack", + "category": "Groups", "queryList": [{ "final": true, "query": "MATCH (c:Computer)-[r:MemberOf*1..]->(groupsWithComps:Group) WITH groupsWithComps MATCH (u:User)-[r:MemberOf*1..]->(groupsWithComps) RETURN DISTINCT(groupsWithComps) as groupsWithCompsAndUsers", @@ -291,7 +312,7 @@ }, { "name": "Groups that can reset passwords (Warning: Heavy)", - "category": "A one-man wolf pack", + "category": "Groups", "queryList": [{ "final": true, "query": "MATCH p=(m:Group)-[r:ForceChangePassword]->(n:User) RETURN p" @@ -299,7 +320,7 @@ }, { "name": "Groups that have local admin rights (Warning: Heavy)", - "category": "A one-man wolf pack", + "category": "Groups", "queryList": [{ "final": true, "query": "MATCH p=(m:Group)-[r:AdminTo]->(n:Computer) RETURN p" @@ -307,7 +328,7 @@ }, { "name": "Users never logged on and account still active", - "category": "There are skittles in there!", + "category": "Users", "queryList": [{ "final": true, "query": "MATCH (n:User) WHERE n.lastlogontimestamp=-1.0 AND n.enabled=TRUE RETURN n " @@ -315,7 +336,7 @@ }, { "name": "Users logged in the last 90 days", - "category": "There are skittles in there!", + "category": "Users", "queryList": [{ "final": true, "query": "MATCH (u:User) WHERE u.lastlogon < (datetime().epochseconds - (90 * 86400)) and NOT u.lastlogon IN [-1.0, 0.0] RETURN u" @@ -323,7 +344,7 @@ }, { "name": "Users with passwords last set in the last 90 days", - "category": "There are skittles in there!", + "category": "Users", "queryList": [{ "final": true, "query": "MATCH (u:User) WHERE u.pwdlastset < (datetime().epochseconds - (90 * 86400)) and NOT u.pwdlastset IN [-1.0, 0.0] RETURN u" 
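Review bot: The names `Users logged in the last 90 days` and `Users with passwords last set in the last 90 days` (hunks `@@ -315,7 +336,7 @@` and `@@ -323,7 +344,7 @@`) contradict their queries: both filter with `< (datetime().epochseconds - (90 * 86400))`, which selects accounts whose last logon or password change is older than 90 days, not within them. Since the commit is already renaming these entries' category, renaming the entries too would stop an analyst from drawing the opposite conclusion, e.g. `"name": "Users not logged in for more than 90 days"` and `"name": "Users with passwords last set more than 90 days ago"`. If the current names are the intended semantics, flip the comparison to `>` instead; either way the label and the query should agree.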
@@ -331,7 +352,7 @@ }, { "name": "Find if unprivileged users have rights to add members into groups", - "category": "There are skittles in there!", + "category": "Users", "queryList": [{ "final": true, "query": "MATCH (n:User {admincount:False}) MATCH p=allShortestPaths((n)-[r:AddMember*1..]->(m:Group)) RETURN p" @@ -339,7 +360,7 @@ }, { "name": "Find all users a part of the VPN group", - "category": "There are skittles in there!", + "category": "Users", "queryList": [{ "final": true, "query": "Match p=(u:User)-[:MemberOf]->(g:Group) WHERE toUPPER (g.name) CONTAINS 'VPN' return p" @@ -347,7 +368,7 @@ }, { "name": "View all GPOs", - "category": "There are skittles in there!", + "category": "GPOs", "queryList": [{ "final": true, "query": "Match (n:GPO) RETURN n" 
@@ -355,36 +376,15 @@ }, { "name": "Find if any domain user has interesting permissions against a GPO (Warning: Heavy)", - "category": "There are skittles in there!", + "category": "GPOs", "queryList": [{ "final": true, "query": "MATCH p=(u:User)-[r:AllExtendedRights|GenericAll|GenericWrite|Owns|WriteDacl|WriteOwner|GpLink*1..]->(g:GPO) RETURN p" }] }, - { - "name": "Can a user from domain ‘A ‘ do anything to any computer in domain ‘B’ (Warning: VERY Heavy)", - "category": "There are skittles in there!", - "queryList": [{ - "final": false, - "title": "Select source domain...", - "query": "MATCH (n:Domain) RETURN n.name ORDER BY n.name DESC" - }, - { - "final": false, - "title": "Select destination domain...", - "query": "MATCH (n:Domain) RETURN n.name ORDER BY n.name DESC" - }, - { - "final": true, - "query": "MATCH (n:User {domain: {result}}) MATCH (m:Computer {domain: {}}) MATCH p=allShortestPaths((n)-[r:MemberOf|HasSession|AdminTo|AllExtendedRights|AddMember|ForceChangePassword|GenericAll|GenericWrite|Owns|WriteDacl|WriteOwner|CanRDP|ExecuteDCOM|AllowedToDelegate|ReadLAPSPassword|Contains|GpLink|AddAllowedToAct|AllowedToAct|SQLAdmin*1..]->(m)) RETURN p", - "startNode": "{}", - "allowCollapse": false - } - ] - }, { "name": "Find all computers running with Windows XP", - "category": "It’s not illegal. It’s frowned upon", + "category": "Outdated OS", "queryList": [{ "final": true, "query": "MATCH (c:Computer) WHERE toUpper(c.operatingsystem) CONTAINS 'XP' RETURN c" @@ -392,7 +392,7 @@ }, { "name": "Find all computers running with Windows 2000", - "category": "It’s not illegal. It’s frowned upon", + "category": "Outdated OS", "queryList": [{ "final": true, "query": "MATCH (c:Computer) WHERE toUpper(c.operatingsystem) CONTAINS '2000' RETURN c" 
@@ -400,7 +400,7 @@ }, { "name": "Find all computers running with Windows 2003", - "category": "It’s not illegal. It’s frowned upon", + "category": "Outdated OS", "queryList": [{ "final": true, "query": "MATCH (c:Computer) WHERE toUpper(c.operatingsystem) CONTAINS '2003' RETURN c" @@ -408,7 +408,7 @@ }, { "name": "Find all computers running with Windows 2008", - "category": "It’s not illegal. It’s frowned upon", + "category": "Outdated OS", "queryList": [{ "final": true, "query": "MATCH (c:Computer) WHERE toUpper(c.operatingsystem) CONTAINS '2008' RETURN c" @@ -416,7 +416,7 @@ }, { "name": "Find all computers running with Windows Vista", - "category": "It’s not illegal. It’s frowned upon", + "category": "Outdated OS", "queryList": [{ "final": true, "query": "MATCH (c:Computer) WHERE toUpper(c.operatingsystem) CONTAINS 'VISTA' RETURN c" @@ -424,7 +424,7 @@ }, { "name": "Find all computers running with Windows 7", - "category": "It’s not illegal. It’s frowned upon", + "category": "Outdated OS", "queryList": [{ "final": true, "query": "MATCH (c:Computer) WHERE toUpper(c.operatingsystem) CONTAINS '7' RETURN c" @@ -432,7 +432,7 @@ }, { "name": "Top Ten Users with Most Sessions", - "category": "Not at the table Carlos!", + "category": "Top Ten", "queryList": [{ "final": true, "query": "MATCH (n:User),(m:Computer), (n)<-[r:HasSession]-(m) WHERE NOT n.name STARTS WITH 'ANONYMOUS LOGON' AND NOT n.name='' WITH n, count(r) as rel_count order by rel_count desc LIMIT 10 MATCH p=(m)-[r:HasSession]->(n) RETURN p", @@ -441,7 +441,7 @@ }, { "name": "Top Ten Computers with Most Sessions", - "category": "Not at the table Carlos!", + "category": "Top Ten", "queryList": [{ "final": true, "query": "MATCH (n:User),(m:Computer), (n)<-[r:HasSession]-(m) WHERE NOT n.name STARTS WITH 'ANONYMOUS LOGON' AND NOT n.name='' WITH m, count(r) as rel_count order by rel_count desc LIMIT 10 MATCH p=(m)-[r:HasSession]->(n) RETURN p", 
@@ -450,7 +450,7 @@ }, { "name": "Top Ten Users with Most Local Admin Rights", - "category": "Not at the table Carlos!", + "category": "Top Ten", "queryList": [{ "final": true, "query": "MATCH (n:User),(m:Computer), (n)-[r:AdminTo]->(m) WHERE NOT n.name STARTS WITH 'ANONYMOUS LOGON' AND NOT n.name='' WITH n, count(r) as rel_count order by rel_count desc LIMIT 10 MATCH p=(m)<-[r:AdminTo]-(n) RETURN p", @@ -459,7 +459,7 @@ }, { "name": "Top Ten Computers with Most Admins and their admins", - "category": "Not at the table Carlos!", + "category": "Top Ten", "queryList": [{ "final": true, "query": "MATCH (n:User),(m:Computer), (n)-[r:AdminTo]->(m) WHERE NOT n.name STARTS WITH 'ANONYMOUS LOGON' AND NOT n.name='' WITH m, count(r) as rel_count order by rel_count desc LIMIT 10 MATCH p=(m)<-[r:AdminTo]-(n) RETURN p", @@ -468,7 +468,7 @@ }, { "name": "Top Ten Computers with Most Admins", - "category": "Not at the table Carlos!", + "category": "Top Ten", "queryList": [{ "final": true, "query": "MATCH (n:User),(m:Computer), (n)-[r:AdminTo]->(m) WHERE NOT n.name STARTS WITH 'ANONYMOUS LOGON' AND NOT n.name='' WITH m, count(r) as rel_count order by rel_count desc LIMIT 10 MATCH p=(m)<-[r:AdminTo]-(n) RETURN m", @@ -477,7 +477,7 @@ }, { "name": "(Warning: edits the DB) Mark Top Ten Computers with Most Admins as HVT", - "category": "Not at the table Carlos!", + "category": "Top Ten", "queryList": [{ "final": true, "query": "MATCH (n:User),(m:Computer), (n)-[r:AdminTo]->(m) WHERE NOT n.name STARTS WITH 'ANONYMOUS LOGON' AND NOT n.name='' WITH m, count(r) as rel_count order by rel_count desc LIMIT 10 MATCH p=(m)<-[r:AdminTo]-(n) SET m.highvalue = true RETURN m", @@ -486,7 +486,7 @@ }, { "name": "Top 20 nodes with most first degree object controls", - "category": "Not at the table Carlos!", + "category": "Top Ten", "queryList": [{ "final": true, "query": "MATCH p=(u)-[r1]->(n) WHERE r1.isacl = true WITH u, count(r1) AS count_ctrl ORDER BY count_ctrl DESC LIMIT 20 RETURN u", 
@@ -494,8 +494,8 @@ }] }, { - "name": "Top ten nodes with most group delegated object controls", - "category": "Not at the table Carlos!", + "name": "Top Ten nodes with most group delegated object controls", + "category": "Top Ten", "queryList": [{ "final": true, "query": "MATCH p=(u)-[r1:MemberOf*1..]->(g:Group)-[r2]->(n) WHERE r2.isacl=true WITH u, count(r2) AS count_ctrl ORDER BY count_ctrl DESC LIMIT 20 RETURN u", @@ -504,7 +504,7 @@ }, { "name": "Find machines Domain Users can RDP into", - "category": "We can’t find Doug", + "category": "RDP", "queryList": [{ "final": true, "query": "match p=(g:Group)-[:CanRDP]->(c:Computer) where g.objectid ENDS WITH '-513' return p" @@ -512,7 +512,7 @@ }, { "name": "Find Servers Domain Users can RDP To", - "category": "We can’t find Doug", + "category": "RDP", "queryList": [{ "final": true, "query": "match p=(g:Group)-[:CanRDP]->(c:Computer) where g.name STARTS WITH 'DOMAIN USERS' AND c.operatingsystem CONTAINS 'Server' return p", @@ -521,7 +521,7 @@ }, { "name": "Find what groups can RDP", - "category": "We can’t find Doug", + "category": "RDP", "queryList": [{ "final": true, "query": "MATCH p=(m:Group)-[r:CanRDP]->(n:Computer) RETURN p" @@ -529,7 +529,7 @@ }, { "name": "Return All Azure Users that are part of the ‘Global Administrator’ Role", - "category": "It's called a satchel", + "category": "Azure", "queryList": [{ "final": true, "query": "MATCH p =(n)-[r:AZGlobalAdmin*1..]->(m) RETURN p" @@ -537,7 +537,7 @@ }, { "name": "Return All On-Prem users with edges to Azure", - "category": "It's called a satchel", + "category": "Azure", "queryList": [{ "final": true, "query": "MATCH p=(m:User)-[r:AZResetPassword|AZOwns|AZUserAccessAdministrator|AZContributor|AZAddMembers|AZGlobalAdmin|AZVMContributor|AZOwnsAZAvereContributor]->(n) WHERE m.objectid CONTAINS 'S-1-5-21' RETURN p" 
@@ -545,7 +545,7 @@ }, { "name": "Find all paths to an Azure VM", - "category": "It's called a satchel", + "category": "Azure", "queryList": [{ "final": true, "query": "MATCH p = (n)-[r]->(g:AZVM) RETURN p" @@ -553,7 +553,7 @@ }, { "name": "Find all paths to an Azure KeyVault", - "category": "It's called a satchel", + "category": "Azure", "queryList": [{ "final": true, "query": "MATCH p = (n)-[r]->(g:AZKeyVault) RETURN p" @@ -561,7 +561,7 @@ }, { "name": "Return All Azure Users and their Groups", - "category": "It's called a satchel", + "category": "Azure", "queryList": [{ "final": true, "query": "MATCH p=(m:AZUser)-[r:MemberOf]->(n) WHERE NOT m.objectid CONTAINS 'S-1-5' RETURN p" @@ -569,7 +569,7 @@ }, { "name": "Return All Azure AD Groups that are synchronized with On-Premise AD", - "category": "It's called a satchel", + "category": "Azure", "queryList": [{ "final": true, "query": "MATCH (n:Group) WHERE n.objectid CONTAINS 'S-1-5' AND n.azsyncid IS NOT NULL RETURN n" @@ -577,7 +577,7 @@ }, { "name": "Find all Privileged Service Principals", - "category": "It's called a satchel", + "category": "Azure", "queryList": [{ "final": true, "query": "MATCH p = (g:AZServicePrincipal)-[r]->(n) RETURN p" @@ -585,7 +585,7 @@ }, { "name": "Find all Owners of Azure Applications", - "category": "It's called a satchel", + "category": "Azure", "queryList": [{ "final": true, "query": "MATCH p = (n)-[r:AZOwns]->(g:AZApp) RETURN p" @@ -740,7 +740,7 @@ }] }, { - "name": "Find users that can RDP into something", + "name": "Find users with a plaintext attribute that can RDP into something", "category": "PlainText Password Queries", "queryList": [ { @@ -751,7 +751,7 @@ ] }, { - "name": "Find users that belong to high value groups", + "name": "Find users with a plaintext attribute that belong to high value groups", "category": "PlainText Password Queries", "queryList": [ { 
@@ -762,7 +762,7 @@
 ]
 },
 {
- "name": "Find kerberoastable users",
+ "name": "Find users with a plaintext attribute that are kerberoastable",
 "category": "PlainText Password Queries",
 "queryList": [
 {

From 3c2b1d1c82b11d1e2d12abf2fc2a632dbf2c4791 Mon Sep 17 00:00:00 2001
From: gbe
Date: Wed, 16 Aug 2023 21:15:24 +0200
Subject: [PATCH 3/6] Remove zsh color for comments

---
 sources/assets/zsh/zshrc | 1 +
 1 file changed, 1 insertion(+)

diff --git a/sources/assets/zsh/zshrc b/sources/assets/zsh/zshrc
index d14d92609..a9657b8dc 100644
--- a/sources/assets/zsh/zshrc
+++ b/sources/assets/zsh/zshrc
@@ -64,6 +64,7 @@ source $HOME/.cargo/env

 # Color correction for zsh-syntax-highlighting
 ZSH_AUTOSUGGEST_HIGHLIGHT_STYLE='fg=#626262'
+ZSH_HIGHLIGHT_STYLES[comment]='none'

 # In case pipx ensurepath didn't work, and positionning pipx in priority
 export PATH="/root/.local/bin:$PATH"

From da529c570bea8085a23ab4982fd0903cc0e19f0e Mon Sep 17 00:00:00 2001
From: Shutdown <40902872+ShutdownRepo@users.noreply.github.com>
Date: Wed, 16 Aug 2023 22:48:07 +0200
Subject: [PATCH 4/6] Activating PR workflow for versioned branches

---
 .github/workflows/entrypoint_pull_request.yml | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/.github/workflows/entrypoint_pull_request.yml b/.github/workflows/entrypoint_pull_request.yml
index 929641912..d35d35222 100644
--- a/.github/workflows/entrypoint_pull_request.yml
+++ b/.github/workflows/entrypoint_pull_request.yml
@@ -4,7 +4,8 @@ on:
 pull_request:
 branches:
 - dev
-- webui
+- "*.*.*"
+- "*.*.*b*"
 paths-ignore:
 - ".github/**"
 - "**.md"

From 8f2a22b333cd1882925151765432f4799f8d5a0e Mon Sep 17 00:00:00 2001
From: gbe
Date: Thu, 17 Aug 2023 20:59:24 +0200
Subject: [PATCH 5/6] Turn zsh comments to the color cyan

---
 sources/assets/zsh/zshrc | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/sources/assets/zsh/zshrc b/sources/assets/zsh/zshrc
index a9657b8dc..42126ecb8 100644
--- a/sources/assets/zsh/zshrc
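Review bot: In the `entrypoint_pull_request.yml` hunk the second added branch filter `"*.*.*b*"` looks redundant: GitHub's branch globs let `*` match any run of characters other than `/`, so `"*.*.*"` already matches a name such as `3.1.4b2`. Keeping only `- "*.*.*"` expresses the same intent with less to maintain; if the goal was a stricter match for release branches, tighten the first pattern rather than add a looser one. Note that `.github/**` stays in `paths-ignore`, so a PR touching only this workflow will not exercise it — worth verifying on a branch whose name matches the new pattern.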
+++ b/sources/assets/zsh/zshrc
@@ -64,7 +64,7 @@ source $HOME/.cargo/env

 # Color correction for zsh-syntax-highlighting
 ZSH_AUTOSUGGEST_HIGHLIGHT_STYLE='fg=#626262'
-ZSH_HIGHLIGHT_STYLES[comment]='none'
+ZSH_HIGHLIGHT_STYLES[comment]='fg=cyan'

 # In case pipx ensurepath didn't work, and positionning pipx in priority
 export PATH="/root/.local/bin:$PATH"

From 3c6984cfb53efdd3506067e3cf78e0b25abce064 Mon Sep 17 00:00:00 2001
From: Shutdown <40902872+ShutdownRepo@users.noreply.github.com>
Date: Thu, 17 Aug 2023 21:46:40 +0200
Subject: [PATCH 6/6] Update zshrc

Setting the comment color to grey
---
 sources/assets/zsh/zshrc | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/sources/assets/zsh/zshrc b/sources/assets/zsh/zshrc
index 42126ecb8..f278678ea 100644
--- a/sources/assets/zsh/zshrc
+++ b/sources/assets/zsh/zshrc
@@ -64,7 +64,7 @@ source $HOME/.cargo/env

 # Color correction for zsh-syntax-highlighting
 ZSH_AUTOSUGGEST_HIGHLIGHT_STYLE='fg=#626262'
-ZSH_HIGHLIGHT_STYLES[comment]='fg=cyan'
+ZSH_HIGHLIGHT_STYLES[comment]='fg=#888888'

 # In case pipx ensurepath didn't work, and positionning pipx in priority
 export PATH="/root/.local/bin:$PATH"