
Untitled

a guest Jun 25th, 2019 55 Never
MATCH (u:User)-[r:AdminTo|MemberOf*1..]->(c:Computer)
RETURN u.name

Returns a list of users who have admin rights on at least one system, either explicitly or through group membership.

---------------

MATCH
(U:User)-[r:MemberOf|:AdminTo*1..]->(C:Computer)
WITH
U.name as n,
COUNT(DISTINCT(C)) as c
RETURN n,c
ORDER BY c DESC
LIMIT 5

Returns each username and the number of computers that user is admin on, for the top N users (N is set by LIMIT).

---------------

MATCH
(G:Group)-[r:MemberOf|:AdminTo*1..]->(C:Computer)
WITH
G.name as n,
COUNT(DISTINCT(C)) as c
RETURN n,c
ORDER BY c DESC
LIMIT 5

Returns each group and the number of computers that group is admin on, for the top N groups (N is set by LIMIT).

---------------

MATCH
(U:User)-[r:MemberOf|:AdminTo*1..]->(C:Computer)
WITH
U.name as n,
COUNT(DISTINCT(C)) as c
WHERE c>1
RETURN n
ORDER BY c DESC

Shows all users that are administrator on more than one machine.

---------------

MATCH (u:User)
WITH u
OPTIONAL MATCH (u)-[r:AdminTo]->(c:Computer)
WITH u,COUNT(c) as expAdmin
OPTIONAL MATCH (u)-[r:MemberOf*1..]->(g:Group)-[r2:AdminTo]->(c:Computer)
WHERE NOT (u)-[:AdminTo]->(c)
WITH u,expAdmin,COUNT(DISTINCT(c)) as unrolledAdmin
RETURN u.name,expAdmin,unrolledAdmin,expAdmin + unrolledAdmin as totalAdmin
ORDER BY totalAdmin ASC

Shows each user's explicit (expAdmin), group-derived (unrolledAdmin) and total admin counts, ranked by the number of machines they are admin on, lowest first. Because both matches are OPTIONAL, users with no admin rights are also listed, with a total of 0.
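
The explicit/unrolled split computed by the query above, reproduced in Python over a constructed edge list so the counting rules can be checked without a Neo4j instance. This is an added example, not part of the original paste; the user, group and computer names and the helper functions are hypothetical.

```python
from collections import defaultdict

# Constructed sample edges (hypothetical names, not from any real domain).
USERS = ["alice", "bob", "carol", "dave"]
MEMBER_OF = [("alice", "HELPDESK"), ("carol", "HELPDESK"),
             ("HELPDESK", "SERVER ADMINS"), ("bob", "SERVER ADMINS")]
ADMIN_TO = [("alice", "WS01"), ("HELPDESK", "WS01"), ("HELPDESK", "WS02"),
            ("SERVER ADMINS", "SRV01"), ("bob", "SRV02")]


def index_edges(edges):
    """Map each source node to the set of nodes it points at."""
    out = defaultdict(set)
    for src, dst in edges:
        out[src].add(dst)
    return out


def groups_of(principal, member_of):
    """Groups reachable over one or more MemberOf edges (MemberOf*1..)."""
    seen, stack = set(), list(member_of[principal])
    while stack:
        group = stack.pop()
        if group not in seen:  # tolerate circular group nesting
            seen.add(group)
            stack.extend(member_of[group])
    return seen


def admin_counts(users, member_of_edges, admin_to_edges):
    """Rows of (user, expAdmin, unrolledAdmin, totalAdmin), total ascending."""
    member_of = index_edges(member_of_edges)
    admin_to = index_edges(admin_to_edges)
    rows = []
    for user in users:
        explicit = set(admin_to[user])
        via_groups = set()
        for group in groups_of(user, member_of):
            via_groups |= admin_to[group]
        unrolled = via_groups - explicit  # WHERE NOT (u)-[:AdminTo]->(c)
        rows.append((user, len(explicit), len(unrolled),
                     len(explicit) + len(unrolled)))
    return sorted(rows, key=lambda row: row[3])


if __name__ == "__main__":
    for row in admin_counts(USERS, MEMBER_OF, ADMIN_TO):
        print(row)
```

In the sample data, alice is admin on WS01 both directly and through HELPDESK; the set difference counts that machine once, as explicit, which is what the `WHERE NOT` clause does in the Cypher.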

---------------

MATCH p=((S:Computer)-[r:HasSession*1]->(T:User))
WHERE NOT S.domain = T.domain
RETURN p

Returns cross-domain 'HasSession' relationships.

---------------

MATCH p=(m:Group)-[r:Owns|:WriteDacl|:GenericAll|:WriteOwner|:ExecuteDCOM|:GenericWrite|:AllowedToDelegate|:ForceChangePassword]->(n:Computer) WHERE m.name STARTS WITH 'DOMAIN USERS' RETURN p

Finds all other rights over computers that Domain Users shouldn't have.

---------------

MATCH (n:User)-[r:MemberOf]->(g:Group) WHERE g.highvalue=true AND n.hasspn=true RETURN n, g, r

Shows Kerberoastable high-value targets: users with an SPN set that are members of a high-value group.

---------------

MATCH (c:Computer) WITH c
OPTIONAL MATCH (n)-[r:AdminTo]->(c) WITH c,COUNT(n) as expAdmins
OPTIONAL MATCH (n)-[r:MemberOf*1..]->(g:Group)-[r2:AdminTo]->(c) WITH c,expAdmins,COUNT(DISTINCT(n)) as unrolledAdmins
RETURN SPLIT(c.name,'.')[0],expAdmins,unrolledAdmins,expAdmins + unrolledAdmins as totalAdmins ORDER BY totalAdmins DESC

Returns each computer name with the number of admins on that machine.

---------------

MATCH (c:Computer {domain:'$DOMAINNAME$'}) WITH c
OPTIONAL MATCH (n)-[r:AdminTo]->(c) WITH c,COUNT(n) as expAdmins
OPTIONAL MATCH (n)-[r:MemberOf*1..]->(g:Group)-[r2:AdminTo]->(c)
WITH c,expAdmins,COUNT(DISTINCT(n)) as unrolledAdmins
RETURN SPLIT(c.name,'.')[0],expAdmins,unrolledAdmins,expAdmins + unrolledAdmins as totalAdmins
ORDER BY totalAdmins DESC

Returns each computer name with the number of admins on that machine, for a specific domain (replace $DOMAINNAME$ with the domain name).

---------------

MATCH (n)
MATCH (t {name: "<some_node>"})
MATCH p = allShortestPaths((n)-[*1..10]->(t))
WHERE NONE(node IN nodes(p) WHERE node.highvalue = true) AND NOT n = t
RETURN p

Searches for the shortest paths to a target node and excludes paths that go through any node with the highvalue property set to true.

---------------