Review

Show owned users along with the groups they are direct members of (the owned:true property is set manually on nodes you have compromised).

MATCH (u:User {owned:true}), (g:Group), p=(u)-[:MemberOf]->(g) RETURN p

Check for groups with unsafe permissions over users, excluding groups whose name contains 'ADMIN' (which are expected to have such rights).

MATCH p=(g:Group)-[r:Owns|WriteDacl|GenericAll|WriteOwner|ExecuteDCOM|GenericWrite|AllowedToDelegate|ForceChangePassword]->(n:User) WHERE NOT g.name CONTAINS 'ADMIN' RETURN p

List the groups of all owned users, including nested (transitive) membership.

MATCH (m:User) WHERE m.owned=TRUE WITH m MATCH p=(m)-[:MemberOf*1..]->(n:Group) RETURN p

Find what groups can RDP

MATCH p=(m:Group)-[r:CanRDP]->(n:Computer) RETURN p

Find groups that can reset passwords

MATCH p=(m:Group)-[r:ForceChangePassword]->(n:User) RETURN p

Can a user from domain A reach a computer in domain B (cross-domain paths)? BloodHound stores domain names upper-case and the values must be quoted string literals.

MATCH (n:User {domain: 'DENKIAIR.COM'}) MATCH (m:Computer {domain: 'DENKIAIR-PROD.COM'}) MATCH p=allShortestPaths((n)-[r:MemberOf|HasSession|AdminTo|AllExtendedRights|AddMember|ForceChangePassword|GenericAll|GenericWrite|Owns|WriteDacl|WriteOwner|CanRDP|ExecuteDCOM|AllowedToDelegate|ReadLAPSPassword|Contains|GpLink|AddAllowedToAct|AllowedToAct|SQLAdmin*1..]->(m)) RETURN p

List all computers with unconstrained delegation (domain controllers always have this flag set, so expect them in the results)

MATCH (c:Computer {unconstraineddelegation:true}) return c
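The raw list above is dominated by domain controllers, which are allowed to have unconstrained delegation. The following added query (not part of the original page) filters them out by excluding any computer that is a direct or nested member of the Domain Controllers group. It relies on the well-known RID 516 of that group, so it works regardless of domain name, and avoids the EXISTS subquery syntax so it runs on older Neo4j versions too.

```cypher
// Added example: computers with unconstrained delegation that are NOT domain
// controllers. The Domain Controllers group always has RID 516, so its
// BloodHound objectid ends in "-516" in every domain.
MATCH (c:Computer {unconstraineddelegation:true})
OPTIONAL MATCH (c)-[:MemberOf*1..]->(g:Group)
WHERE g.objectid ENDS WITH '-516'
WITH c, count(g) AS dcgroups
WHERE dcgroups = 0
RETURN c.name, c.domain
ORDER BY c.domain, c.name
```

Any server returned here is a high-value target: a user or service that authenticates to it leaves a TGT in memory that can be reused against the rest of the domain.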

Find computers with constrained delegation and the targets (SPNs) they are allowed to delegate to.

MATCH (c:Computer) WHERE c.allowedtodelegate IS NOT NULL RETURN c.name, c.allowedtodelegate

Find all edges that a specific user has against all the nodes (HasSession is not reached from the user side, as it is an edge that goes from computer to user, not from user to computer). Node names are stored upper-case, so match with an exact string rather than a regex.

MATCH (n:User) WHERE n.name = 'LISA.PRICE@DENKIAIR.COM' MATCH (m) WHERE NOT m.name = n.name MATCH p=allShortestPaths((n)-[r:MemberOf|HasSession|AdminTo|AllExtendedRights|AddMember|ForceChangePassword|GenericAll|GenericWrite|Owns|WriteDacl|WriteOwner|CanRDP|ExecuteDCOM|AllowedToDelegate|ReadLAPSPassword|Contains|GpLink|AddAllowedToAct|AllowedToAct|SQLAdmin*1..]->(m)) RETURN p

Find all the edges that any UNPRIVILEGED user (based on admincount:False) has against all the nodes. Note that admincount only reflects AdminSDHolder protection, so it is a rough proxy for "unprivileged"; users without the property at all are not matched. This query computes shortest paths from every such user to every node and can be very slow on a large domain.

MATCH (n:User {admincount:False}) MATCH (m) WHERE NOT m.name = n.name MATCH p=allShortestPaths((n)-[r:MemberOf|HasSession|AdminTo|AllExtendedRights|AddMember|ForceChangePassword|GenericAll|GenericWrite|Owns|WriteDacl|WriteOwner|CanRDP|ExecuteDCOM|AllowedToDelegate|ReadLAPSPassword|Contains|GpLink|AddAllowedToAct|AllowedToAct|SQLAdmin*1..]->(m)) RETURN p

Find interesting edges related to “ACL Abuse” that unprivileged users have against other users

MATCH (n:User {admincount:False}) MATCH (m:User) WHERE NOT m.name = n.name MATCH p=allShortestPaths((n)-[r:AllExtendedRights|ForceChangePassword|GenericAll|GenericWrite|Owns|WriteDacl|WriteOwner*1..]->(m)) RETURN p

Find interesting edges related to “ACL Abuse” that unprivileged users have against computers

MATCH (n:User {admincount:False}) MATCH p=allShortestPaths((n)-[r:AllExtendedRights|GenericAll|GenericWrite|Owns|WriteDacl|WriteOwner|AdminTo|CanRDP|ExecuteDCOM|ForceChangePassword*1..]->(m:Computer)) RETURN p
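The queries above assume some nodes have already been marked owned. The following added example (not from the original page) shows the two steps that usually go together in practice: marking a compromised user as owned, then asking whether any owned user has a path to Domain Admins using the same edge list the page uses elsewhere. The user name LISA.PRICE@DENKIAIR.COM is taken from the page as an illustration; the Domain Admins group is located by its well-known RID 512 rather than by name, so the query works in any domain.

```cypher
// Added example, step 1: mark a compromised user as owned.
// The name is an assumption reused from the page; adjust to your target.
MATCH (u:User {name: 'LISA.PRICE@DENKIAIR.COM'})
SET u.owned = true
RETURN u.name, u.owned;

// Added example, step 2: shortest path from any owned user to Domain Admins.
// RID 512 is the well-known RID of Domain Admins, so the group objectid
// ends in "-512" regardless of the domain SID.
MATCH (n:User {owned:true})
MATCH (g:Group) WHERE g.objectid ENDS WITH '-512'
MATCH p=shortestPath((n)-[r:MemberOf|HasSession|AdminTo|AllExtendedRights|AddMember|ForceChangePassword|GenericAll|GenericWrite|Owns|WriteDacl|WriteOwner|CanRDP|ExecuteDCOM|AllowedToDelegate|ReadLAPSPassword|Contains|GpLink|AddAllowedToAct|AllowedToAct|SQLAdmin*1..]->(g))
RETURN p;
```

Run the two statements separately in the BloodHound query window or the Neo4j browser. shortestPath returns one path per owned user; switch to allShortestPaths when you want every equally short route, at the cost of a larger result set.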