Advertisement
Not a member of Pastebin yet?
Sign Up,
it unlocks many cool features!
- MATCH (u:User)-[r:AdminTo|MemberOf*1..]->(c:Computer
- RETURN u.name
- That’ll return a list of users who have admin rights on at least one system either explicitly or through group membership
- ---------------
- MATCH
- (U:User)-[r:MemberOf|:AdminTo*1..]->(C:Computer)
- WITH
- U.name as n,
- COUNT(DISTINCT(C)) as c
- RETURN n,c
- ORDER BY c DESC
- LIMIT 5
- Return username and number of computers that username is admin for, for top N users
- ---------------
- MATCH
- (G:Group)-[r:MemberOf|:AdminTo*1..]->(C:Computer)
- WITH
- G.name as n,
- COUNT(DISTINCT(C)) as c
- RETURN n,c
- ORDER BY c DESC
- LIMIT 5
- Return group and number of computers that group is admin for, for top N groups
- ---------------
- MATCH
- (U:User)-[r:MemberOf|:AdminTo*1..]->(C:Computer)
- WITH
- U.name as n,
- COUNT(DISTINCT(C)) as c
- WHERE c>1
- RETURN n
- ORDER BY c DESC
- Show all users that are administrator on more than one machine
- ---------------
- MATCH (u:User)
- WITH u
- OPTIONAL MATCH (u)-[r:AdminTo]->(c:Computer)
- WITH u,COUNT(c) as expAdmin
- OPTIONAL MATCH (u)-[r:MemberOf*1..]->(g:Group)-[r2:AdminTo]->(c:Computer)
- WHERE NOT (u)-[:AdminTo]->(c)
- WITH u,expAdmin,COUNT(DISTINCT(c)) as unrolledAdmin
- RETURN u.name,expAdmin,unrolledAdmin,expAdmin + unrolledAdmin as totalAdmin
- ORDER BY totalAdmin ASC
- Show all users that are administrative on at least one machine, ranked by the number of machines they are admin on.
- ---------------
- MATCH p=((S:Computer)-[r:HasSession*1]->(T:User))
- WHERE NOT S.domain = T.domain
- RETURN p
- This will return cross domain 'HasSession' relationships
- ---------------
- MATCH p=(m:Group)-[r:Owns|:WriteDacl|:GenericAll|:WriteOwner|:ExecuteDCOM|:GenericWrite|:AllowedToDelegate|:ForceChangePassword]->(n:Computer) WHERE m.name STARTS WITH ‘DOMAIN USERS’ RETURN p
- Find all other Rights Domain Users shouldn't have
- ---------------
- MATCH (n:User)-[r:MemberOf]->(g:Group) WHERE g.highvalue=true AND n.hasspn=true RETURN n, g, r
- Show Kerberoastable high value targets
- ---------------
- MATCH (c:Computer) WITH c
- OPTIONAL MATCH (n)-[r:AdminTo]->(c) WITH c,COUNT(n) as expAdmins
- OPTIONAL MATCH (n)-[r:MemberOf*1..]->(g:Group)-[r2:AdminTo]->(c) WITH c,expAdmins,COUNT(DISTINCT(n)) as unrolledAdmins
- RETURN SPLIT(c.name,'.')[0],expAdmins,unrolledAdmins,expAdmins + unrolledAdmins as totalAdmins ORDER BY totalAdmins DESC
- Return each computername with the number of admins on that machine
- ---------------
- MATCH (c:Computer {domain:'$DOMAINNAME$'}) WITH c
- OPTIONAL MATCH (n)-[r:AdminTo]->(c) WITH c,COUNT(n) as expAdmins
- OPTIONAL MATCH (n)-[r:MemberOf*1..]->(g:Group)-[r2:AdminTo]->(c)
- WITH c,expAdmins,COUNT(DISTINCT(n)) as unrolledAdmins
- RETURN SPLIT(c.name,'.')[0],expAdmins,unrolledAdmins,expAdmins + unrolledAdmins as totalAdmins
- ORDER BY totalAdmins DESC
- Return each computername with the number of admins on that machine for a specific domain
- ---------------
- MATCH (n)
- MATCH (t {name: "<some_node>"})
- MATCH p = allshortestPaths((n)-[*1..10]->(t))
- WHERE NONE(node IN nodes(p) WHERE node.highvalue = true) AND NOT n = t
- RETURN p
- this will search for the paths to a target node and exclude paths that go through any node with the highvalue property set to true
- ---------------
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement