{ "_comment": "Custom queries v1.0", "_comment2": "Certipy customqueries https://github.com/ly4k/Certipy/blob/main/customqueries.json", "queries": [ { "name": "[A1] Return all users: MATCH (u:User) return u", "category": "Simple custom queries", "queryList": [ { "final": true, "query": "MATCH (u:User) return u" } ] }, { "name": "[A2] Return all computers: MATCH (c:Computer) return c", "category": "Simple custom queries", "queryList": [ { "final": true, "query": "MATCH (c:Computer) return c" } ] }, { "name": "[A3] Return all groups: MATCH (g:Group) return g", "category": "Simple custom queries", "queryList": [ { "final": true, "query": "MATCH (g:Group) return g" } ] }, { "name": "[A4] Return all ous: MATCH (o:OU) return o", "category": "Simple custom queries", "queryList": [ { "final": true, "query": "MATCH (o:OU) return o" } ] }, { "name": "[A5] Return all gpos: MATCH (g:GPO) return g", "category": "Simple custom queries", "queryList": [ { "final": true, "query": "MATCH (g:GPO) return g" } ] }, { "name": "[A6] Return all containers: MATCH (c:Container) return c", "category": "Simple custom queries", "queryList": [ { "final": true, "query": "MATCH (c:Container) return c" } ] }, { "name": "[A7] Return all domains: MATCH (d:Domain) return d", "category": "Simple custom queries", "queryList": [ { "final": true, "query": "MATCH (d:Domain) return d" } ] }, { "name": "[A8] Return users content specified word: MATCH (u:User) WHERE u.name CONTAINS 'g0h4n' return u", "category": "Simple custom queries", "queryList": [ { "final": true, "query": "MATCH (u:User) WHERE u.name CONTAINS 'g0h4n' return u" } ] }, { "name": "[B1] List all owned users", "category": "Other RustHound custom queries", "queryList": [ { "final": true, "query": "MATCH (m:User) WHERE m.owned=TRUE RETURN m" } ] }, { "name": "[B2] List all owned computers", "category": "Other RustHound custom queries", "queryList": [ { "final": true, "query": "MATCH (m:Computer) WHERE m.owned=TRUE RETURN m" } ] }, { "name": "[B3] List all owned groups", "category": "Other RustHound custom queries", "queryList": [ { "final": true, "query": "MATCH (m:Group) WHERE m.owned=TRUE RETURN m" } ] }, { "name": "[B4] List all owned computers", "category": "Other RustHound custom queries", "queryList": [ { "final": true, "query": "MATCH (m:Computer) WHERE m.owned=TRUE RETURN m" } ] }, { "name": "[B5] List the groups of all owned users", "category": "Other RustHound custom queries", "queryList": [ { "final": true, "query": "MATCH (m:User) WHERE m.owned=TRUE WITH m MATCH p=(m)-[:MemberOf*1..]->(n:Group) RETURN p" } ] }, { "name": "[B6] Find the Shortest path to a high value target from an owned object", "category": "Other RustHound custom queries", "queryList": [ { "final": true, "query": "MATCH p=shortestPath((g {owned:true})-[*1..]->(n {highvalue:true})) WHERE g<>n return p" } ] }, { "name": "[B7] Find the Shortest path to a unconstrained delegation system from an owned object", "category": "Other RustHound custom queries", "queryList": [ { "final": true, "query": "MATCH (n) MATCH p=shortestPath((n)-[*1..]->(m:Computer {unconstraineddelegation: true})) WHERE NOT n=m AND n.owned = true RETURN p" } ] }, { "name": "[B8] Find all Kerberoastable Users where n.hasspn=true (Kerberosting attack)", "category": "Other RustHound custom queries", "queryList": [ { "final": true, "query": "MATCH (n:User) WHERE n.hasspn=true RETURN n", "allowCollapse": false } ] }, { "name": "[B9] Find Kerberoastable Users with a path to DA", "category": "Other RustHound custom queries", "queryList": [ { "final": true, "query": "MATCH (u:User {hasspn:true}) MATCH (g:Group) WHERE g.objectid ENDS WITH '-512' MATCH p = shortestPath( (u)-[*1..]->(g) ) RETURN p" } ] }, { "name": "[B10] Find users that can be AS-REP roasted (ASREPRoast)", "category": "Other RustHound custom queries", "queryList": [ { "final": true, "query": "MATCH (u:User {dontreqpreauth: true}) RETURN u" } ] }, { "name": "[B11] Find groups that can reset passwords (Warning: Heavy)", "category": "Other RustHound custom queries", "queryList": [ { "final": true, "query": "MATCH p=(m:Group)-[r:ForceChangePassword]->(n:User) RETURN p" } ] }, { "name": "[B12] Find groups that have local admin rights (Warning: Heavy)", "category": "Other RustHound custom queries", "queryList": [ { "final": true, "query": "MATCH p=(m:Group)-[r:AdminTo]->(n:Computer) RETURN p" } ] }, { "name": "[B13] Find all users that have local admin rights", "category": "Other RustHound custom queries", "queryList": [ { "final": true, "query": "MATCH p=(m:User)-[r:AdminTo]->(n:Computer) RETURN p" } ] }, { "name": "[B14] Find all active Domain Admin sessions", "category": "Other RustHound custom queries", "queryList": [ { "final": true, "query": "MATCH (n:User)-[:MemberOf]->(g:Group) WHERE g.objectid ENDS WITH '-512' MATCH p = (c:Computer)-[:HasSession]->(n) return p" } ] }, { "name": "[B15] Find all computers with Unconstrained Delegation", "category": "Other RustHound custom queries", "queryList": [ { "final": true, "query": "MATCH (c:Computer {unconstraineddelegation:true}) return c" } ] }, { "name": "[B16] Find all computers with unsupported operating systems", "category": "Other RustHound custom queries", "queryList": [ { "final": true, "query": "MATCH (H:Computer) WHERE H.operatingsystem = '.*(2000|2003|2008|xp|vista|7|me).*' RETURN H" } ] }, { "name": "[B17.1] Return the name of every computer in the database where at least one SPN for the computer contains the string 'MSSQL'", "category": "Other RustHound custom queries", "queryList": [ { "final": true, "query": "MATCH (c:Computer) WHERE ANY (x IN c.serviceprincipalnames WHERE toUpper(x) CONTAINS 'MSSQL') RETURN c" } ] }, { "name": "[B17.2] Return the name of every user in the database where at least one SPN for the computer contains the string 'MSSQL'", "category": "Other RustHound custom queries", "queryList": [ { "final": true, "query": "MATCH (u:User) WHERE ANY (x IN u.serviceprincipalnames WHERE toUpper(x) CONTAINS 'MSSQL') RETURN u" } ] }, { "name": "[B18] View all groups that contain the word 'admin'", "category": "Other RustHound custom queries", "queryList": [ { "final": true, "query": "Match (n:Group) WHERE n.name CONTAINS 'ADMIN' RETURN n" } ] }, { "name": "[B19] Show all high value target's groups", "category": "Other RustHound custom queries", "queryList": [ { "final": true, "query": "MATCH p=(n:User)-[r:MemberOf*1..]->(m:Group {highvalue:true}) RETURN p" } ] }, { "name": "[B20] Find groups that contain both users and computers", "category": "Other RustHound custom queries", "queryList": [ { "final": true, "query": "MATCH (c:Computer)-[r:MemberOf*1..]->(groupsWithComps:Group) WITH groupsWithComps MATCH (u:User)-[r:MemberOf*1..]->(groupsWithComps) RETURN DISTINCT(groupsWithComps) as groupsWithCompsAndUsers" } ] }, { "name": "[B21] Find all users a part of the VPN group", "category": "Other RustHound custom queries", "queryList": [ { "final": true, "query": "Match p=(u:User)-[:MemberOf]->(g:Group) WHERE toUPPER (g.name) CONTAINS 'VPN' return p" } ] }, { "name": "[B22] Find if any domain user has interesting permissions against a GPO (Warning: Heavy)", "category": "Other RustHound custom queries", "queryList": [ { "final": true, "query": "MATCH p=(u:User)-[r:AllExtendedRights|GenericAll|GenericWrite|Owns|WriteDacl|WriteOwner|GpLink*1..]->(g:GPO) RETURN p" } ] }, { "name": "[B23] Find All edges any owned user has on a computer", "category": "Other RustHound custom queries", "queryList": [ { "final": true, "query": "MATCH p=shortestPath((m:User)-[r*]->(b:Computer)) WHERE m.owned RETURN p" } ] }, { "name": "[B24] Find all computer or objects who can read GMSA password (ReadGMSAPassword limit 25)", "category": "Other RustHound custom queries", "queryList": [ { "final": true, "query": "MATCH p=()-[r:ReadGMSAPassword]->() RETURN p LIMIT 25" } ] }, { "name": "[B25] Find all computer or objects who can DCSync (limit 25)", "category": "Other RustHound custom queries", "queryList": [ { "final": true, "query": "MATCH p=(n:Computer)-[r:DCSync]->() RETURN p LIMIT 25" } ] }, { "name": "[B26.1] Find all users who description contains 'pass'", "category": "Other RustHound custom queries", "queryList": [ { "final": true, "query": "MATCH (n:User WHERE n.description CONTAINS 'pass') RETURN n" } ] }, { "name": "[B26.2] Find all computers who description contains 'pass'", "category": "Other RustHound custom queries", "queryList": [ { "final": true, "query": "MATCH (n:Computer WHERE n.description CONTAINS 'pass') RETURN n" } ] }, { "name": "[B26.3] Find all groups who description contains 'pass'", "category": "Other RustHound custom queries", "queryList": [ { "final": true, "query": "MATCH (n:Group WHERE n.description CONTAINS 'pass') RETURN n" } ] }, { "name": "[C1] KUD (Kerberos Unconstrained Delegation): Find unconstrained delegation", "category": "Kerberos", "_comment": "https://mayfly277.github.io/posts/GOADv2-pwning-part10/", "queryList": [ { "final": true, "query": "MATCH (c {unconstraineddelegation:true}) return c" } ] }, { "name": "[C2] KUD: search for unconstrained delegation system (out of domain controller)", "category": "Kerberos", "queryList": [ { "final": true, "query": "MATCH (c1:Computer)-[:MemberOf*1..]->(g:Group) WHERE g.objectid ENDS WITH '-516' WITH COLLECT(c1.name) AS domainControllers MATCH (c2 {unconstraineddelegation:true}) WHERE NOT c2.name IN domainControllers RETURN c2" } ] }, { "name": "[C3] KUD: Find the Shortest path to a unconstrained delegation system from an owned object", "category": "Kerberos", "queryList": [ { "final": true, "query": "MATCH (n) MATCH p=shortestPath((n)-[*1..]->(m:Computer {unconstraineddelegation: true})) WHERE NOT n=m AND n.owned = true RETURN p" } ] }, { "name": "[C4] KCD (Kerberos Constrained Delegation): Find constrained delegation (User to Computer)", "category": "Kerberos", "queryList": [ { "final": true, "query": "MATCH p=(u:User)-[:AllowedToDelegate]->(c) RETURN p" } ] }, { "name": "[C5] KCD: Find constrained delegation (Computer to Computer)", "category": "Kerberos", "queryList": [ { "final": true, "query": "MATCH p=(u:Computer)-[:AllowedToDelegate]->(c) RETURN p" } ] }, { "name": "[C6] RBCD (Resource Based Constrained Delegation): Computer with msDS-AllowedToActOnBehalfOfOtherIdentity value", "category": "Kerberos", "queryList": [ { "final": true, "query": "MATCH p=(c)-[:AllowedToAct]->(c) RETURN p" } ] }, { "name": "[C7] RBCD: User with GenericAll or GenericWrite or WriteDACL on Computer", "category": "Kerberos", "queryList": [ { "final": true, "query": "MATCH (n) MATCH p=shortestPath((n:User)-[:AllExtendedRights|GenericAll|GenericWrite|Owns|WriteDacl*1..]->(m:Computer)) RETURN p" } ] }, { "name": "[C8] KDC:RBCD: Find all computer who can AllowedToAct or AllowToDelegate (limit 25)", "category": "Kerberos", "queryList": [ { "final": true, "query": "MATCH (m:Computer),(n {highvalue:true}),p=shortestPath((m)-[r*1..]->(n)) WHERE NONE (r IN relationships(p) WHERE type(r)= 'GetChanges') AND NONE (r in relationships(p) WHERE type(r)='GetChangesAll') AND NOT m=n RETURN p LIMIT 25" } ] }, { "name": "Find all Certificate Templates", "category": "Certificates", "queryList": [ { "final": true, "query": "MATCH (n:GPO) WHERE n.type = 'Certificate Template' RETURN n" } ] }, { "name": "Find enabled Certificate Templates", "category": "Certificates", "queryList": [ { "final": true, "query": "MATCH (n:GPO) WHERE n.type = 'Certificate Template' and n.Enabled = true RETURN n" } ] }, { "name": "Find Certificate Authorities", "category": "Certificates", "queryList": [ { "final": true, "query": "MATCH (n:GPO) WHERE n.type = 'Enrollment Service' RETURN n" } ] }, { "name": "Show Enrollment Rights for Certificate Template", "category": "Certificates", "queryList": [ { "final": false, "title": "Select a Certificate Template...", "query": "MATCH (n:GPO) WHERE n.type = 'Certificate Template' RETURN n.name" }, { "final": true, "query": "MATCH p=(g)-[:Enroll|AutoEnroll]->(n:GPO {name:$result}) WHERE n.type = 'Certificate Template' return p", "allowCollapse": false } ] }, { "name": "Show Rights for Certificate Authority", "category": "Certificates", "queryList": [ { "final": false, "title": "Select a Certificate Authority...", "query": "MATCH (n:GPO) WHERE n.type = 'Enrollment Service' RETURN n.name" }, { "final": true, "query": "MATCH p=(g)-[:ManageCa|ManageCertificates|Auditor|Operator|Read|Enroll]->(n:GPO {name:$result}) return p", "allowCollapse": false } ] }, { "name": "Find Misconfigured Certificate Templates (ESC1)", "category": "Domain Escalation", "queryList": [ { "final": true, "query": "MATCH (n:GPO) WHERE n.type = 'Certificate Template' and n.`Enrollee Supplies Subject` = true and n.`Client Authentication` = true and n.`Enabled` = true RETURN n" } ] }, { "name": "Shortest Paths to Misconfigured Certificate Templates from Owned Principals (ESC1)", "category": "Domain Escalation", "queryList": [ { "final": true, "query": "MATCH p=allShortestPaths((g {owned:true})-[*1..]->(n:GPO)) WHERE g<>n and n.type = 'Certificate Template' and n.`Enrollee Supplies Subject` = true and n.`Client Authentication` = true and n.`Enabled` = true return p" } ] }, { "name": "Find Misconfigured Certificate Templates (ESC2)", "category": "Domain Escalation", "queryList": [ { "final": true, "query": "MATCH (n:GPO) WHERE n.type = 'Certificate Template' and n.`Enabled` = true and (n.`Extended Key Usage` = [] or 'Any Purpose' IN n.`Extended Key Usage`) RETURN n" } ] }, { "name": "Shortest Paths to Misconfigured Certificate Templates from Owned Principals (ESC2)", "category": "Domain Escalation", "queryList": [ { "final": true, "query": "MATCH p=allShortestPaths((g {owned:true})-[*1..]->(n:GPO)) WHERE g<>n and n.type = 'Certificate Template' and n.`Enabled` = true and (n.`Extended Key Usage` = [] or 'Any Purpose' IN n.`Extended Key Usage`) return p" } ] }, { "name": "Find Enrollment Agent Templates (ESC3)", "category": "Domain Escalation", "queryList": [ { "final": true, "query": "MATCH (n:GPO) WHERE n.type = 'Certificate Template' and n.`Enabled` = true and (n.`Extended Key Usage` = [] or 'Any Purpose' IN n.`Extended Key Usage` or 'Certificate Request Agent' IN n.`Extended Key Usage`) RETURN n" } ] }, { "name": "Shortest Paths to Enrollment Agent Templates from Owned Principals (ESC3)", "category": "Domain Escalation", "queryList": [ { "final": true, "query": "MATCH p=allShortestPaths((g {owned:true})-[*1..]->(n:GPO)) WHERE g<>n and n.type = 'Certificate Template' and n.`Enabled` = true and (n.`Extended Key Usage` = [] or 'Any Purpose' IN n.`Extended Key Usage` or 'Certificate Request Agent' IN n.`Extended Key Usage`) return p" } ] }, { "name": "Shortest Paths to Vulnerable Certificate Template Access Control (ESC4)", "category": "Domain Escalation", "queryList": [ { "final": true, "query": "MATCH p=shortestPath((g)-[:GenericAll|GenericWrite|Owns|WriteDacl|WriteOwner*1..]->(n:GPO)) WHERE g<>n and n.type = 'Certificate Template' and n.`Enabled` = true RETURN p" } ] }, { "name": "Shortest Paths to Vulnerable Certificate Template Access Control from Owned Principals (ESC4)", "category": "Domain Escalation", "queryList": [ { "final": true, "query": "MATCH p=allShortestPaths((g {owned:true})-[r*1..]->(n:GPO)) WHERE g<>n and n.type = 'Certificate Template' and n.Enabled = true and NONE(x in relationships(p) WHERE type(x) = 'Enroll' or type(x) = 'AutoEnroll') return p" } ] }, { "name": "Find Certificate Authorities with User Specified SAN (ESC6)", "category": "Domain Escalation", "queryList": [ { "final": true, "query": "MATCH (n:GPO) WHERE n.type = 'Enrollment Service' and n.`User Specified SAN` = 'Enabled' RETURN n" } ] }, { "name": "Shortest Paths to Vulnerable Certificate Authority Access Control (ESC7)", "category": "Domain Escalation", "queryList": [ { "final": true, "query": "MATCH p=shortestPath((g)-[r:GenericAll|GenericWrite|Owns|WriteDacl|WriteOwner|ManageCa|ManageCertificates*1..]->(n:GPO)) WHERE g<>n and n.type = 'Enrollment Service' RETURN p" } ] }, { "name": "Shortest Paths to Vulnerable Certificate Authority Access Control from Owned Principals (ESC7)", "category": "Domain Escalation", "queryList": [ { "final": true, "query": "MATCH p=allShortestPaths((g {owned:true})-[*1..]->(n:GPO)) WHERE g<>n and n.type = 'Enrollment Service' and NONE(x in relationships(p) WHERE type(x) = 'Enroll' or type(x) = 'AutoEnroll') RETURN p" } ] }, { "name": "Find Certificate Authorities with HTTP Web Enrollment (ESC8)", "category": "Domain Escalation", "queryList": [ { "final": true, "query": "MATCH (n:GPO) WHERE n.type = 'Enrollment Service' and n.`Web Enrollment` = 'Enabled' RETURN n" } ] }, { "name": "Find Unsecured Certificate Templates (ESC9)", "category": "Domain Escalation", "queryList": [ { "final": true, "query": "MATCH (n:GPO) WHERE n.type = 'Certificate Template' and n.`Enrollee Supplies Subject` = true and n.`Client Authentication` = true and n.`Enabled` = true RETURN n" } ] }, { "name": "Find Unsecured Certificate Templates (ESC9)", "category": "PKI", "queryList": [ { "final": true, "query": "MATCH (n:GPO) WHERE n.type = 'Certificate Template' and 'NoSecurityExtension' in n.`Enrollment Flag` and n.`Enabled` = true RETURN n" } ] }, { "name": "Shortest Paths to Unsecured Certificate Templates from Owned Principals (ESC9)", "category": "PKI", "queryList": [ { "final": true, "query": "MATCH p=allShortestPaths((g {owned:true})-[r*1..]->(n:GPO)) WHERE n.type = 'Certificate Template' and g<>n and 'NoSecurityExtension' in n.`Enrollment Flag` and n.`Enabled` = true and NONE(rel in r WHERE type(rel) in ['EnabledBy','Read','ManageCa','ManageCertificates']) return p" } ] } ] }