MATCH (u:User)-[r:AdminTo|MemberOf*1..]->(c:ComputerRETURN u.nameThat’ll retu

1. MATCH (u:User)-[r:AdminTo|MemberOf*1..]->(c:Computer
2. RETURN u.name
3.  
4. That’ll return a list of users who have admin rights on at least one system either explicitly or through group membership
5. ---------------
6.  
7. MATCH
8. (U:User)-[r:MemberOf|:AdminTo*1..]->(C:Computer)
9. WITH
10. U.name as n,
11. COUNT(DISTINCT(C)) as c
12. RETURN n,c
13. ORDER BY c DESC
14. LIMIT 5
15.  
16. Return username and number of computers that username is admin for, for top N users
17.  
18. ---------------
19.  
20. MATCH
21. (G:Group)-[r:MemberOf|:AdminTo*1..]->(C:Computer)
22. WITH
23. G.name as n,
24. COUNT(DISTINCT(C)) as c
25. RETURN n,c
26. ORDER BY c DESC
27. LIMIT 5
28.  
29. Return group and number of computers that group is admin for, for top N groups
30.  
31. ---------------
32.  
33. MATCH
34. (U:User)-[r:MemberOf|:AdminTo*1..]->(C:Computer)
35. WITH
36. U.name as n,
37. COUNT(DISTINCT(C)) as c
38. WHERE c>1
39. RETURN n
40. ORDER BY c DESC
41.  
42. Show all users that are administrator on more than one machine
43.  
44. ---------------
45.  
46. MATCH (u:User)
47. WITH u
48. OPTIONAL MATCH (u)-[r:AdminTo]->(c:Computer)
49. WITH u,COUNT(c) as expAdmin
50. OPTIONAL MATCH (u)-[r:MemberOf*1..]->(g:Group)-[r2:AdminTo]->(c:Computer)
51. WHERE NOT (u)-[:AdminTo]->(c)
52. WITH u,expAdmin,COUNT(DISTINCT(c)) as unrolledAdmin
53. RETURN u.name,expAdmin,unrolledAdmin,expAdmin + unrolledAdmin as totalAdmin
54. ORDER BY totalAdmin ASC
55.  
56. Show all users that are administrative on at least one machine, ranked by the number of machines they are admin on.
57.  
58. ---------------
59.  
60. MATCH p=((S:Computer)-[r:HasSession*1]->(T:User))
61. WHERE NOT S.domain = T.domain
62. RETURN p
63.  
64. This will return cross domain 'HasSession' relationships
65.  
66. ---------------
67.  
68. MATCH p=(m:Group)-[r:Owns|:WriteDacl|:GenericAll|:WriteOwner|:ExecuteDCOM|:GenericWrite|:AllowedToDelegate|:ForceChangePassword]->(n:Computer) WHERE m.name STARTS WITH ‘DOMAIN USERS’ RETURN p
69.  
70. Find all other Rights Domain Users shouldn't have
71.  
72. ---------------
73.  
74. MATCH (n:User)-[r:MemberOf]->(g:Group) WHERE g.highvalue=true AND n.hasspn=true RETURN n, g, r
75.  
76. Show Kerberoastable high value targets
77.  
78. ---------------
79.  
80. MATCH (c:Computer) WITH c
81. OPTIONAL MATCH (n)-[r:AdminTo]->(c) WITH c,COUNT(n) as expAdmins
82. OPTIONAL MATCH (n)-[r:MemberOf*1..]->(g:Group)-[r2:AdminTo]->(c) WITH c,expAdmins,COUNT(DISTINCT(n)) as unrolledAdmins
83. RETURN SPLIT(c.name,'.')[0],expAdmins,unrolledAdmins,expAdmins + unrolledAdmins as totalAdmins ORDER BY totalAdmins DESC
84.  
85. Return each computername with the number of admins on that machine
86.  
87. ---------------
88.  
89. MATCH (c:Computer {domain:'$DOMAINNAME$'}) WITH c
90. OPTIONAL MATCH (n)-[r:AdminTo]->(c) WITH c,COUNT(n) as expAdmins
91. OPTIONAL MATCH (n)-[r:MemberOf*1..]->(g:Group)-[r2:AdminTo]->(c)
92. WITH c,expAdmins,COUNT(DISTINCT(n)) as unrolledAdmins
93. RETURN SPLIT(c.name,'.')[0],expAdmins,unrolledAdmins,expAdmins + unrolledAdmins as totalAdmins
94. ORDER BY totalAdmins DESC
95.  
96. Return each computername with the number of admins on that machine for a specific domain
97.  
98. ---------------
99.  
100. MATCH (n)
101. MATCH (t {name: "<some_node>"})
102. MATCH p = allshortestPaths((n)-[*1..10]->(t))
103. WHERE NONE(node IN nodes(p) WHERE node.highvalue = true) AND NOT n = t
104. RETURN p
105.  
106. this will search for the paths to a target node and exclude paths that go through any node with the highvalue property set to true
107.  
108. ---------------