Domain Admins

Find all Domain Admin users.
MATCH (u:User)-[:MemberOf*1..]->(g:Group) WHERE g.name =~ "(?i)domain admins@.*" RETURN u
Find shortest path from any owned user to Domain Admins.
MATCH p=shortestPath((u:User {owned: true})-[*1..]->(g:Group)) WHERE g.name =~ "(?i)domain admins@.*" RETURN p
Find all shortest paths (every equal-length shortest path, not every path) from owned users to Domain Admins.
MATCH p=allShortestPaths((u:User {owned: true})-[*1..]->(g:Group)) WHERE g.name =~ "(?i)domain admins@.*" RETURN p

Kerberos Attacks

Find Kerberoastable users.
MATCH (u:User {hasspn: true}) RETURN u.name, u.serviceprincipalnames
Find Kerberoastable users with a path to Domain Admins.
MATCH (u:User {hasspn: true}) MATCH p=shortestPath((u)-[*1..]->(g:Group)) WHERE g.name =~ "(?i)domain admins@.*" RETURN p
Find AS-REP Roastable users.
MATCH (u:User {dontreqpreauth: true}) RETURN u.name

Delegation

Find computers with Unconstrained Delegation.
MATCH (c:Computer {unconstraineddelegation: true}) RETURN c.name
Find users with Unconstrained Delegation.
MATCH (u:User {unconstraineddelegation: true}) RETURN u.name
Find objects with Constrained Delegation.
MATCH (n) WHERE n.allowedtodelegate IS NOT NULL RETURN n.name, n.allowedtodelegate

ACL Abuse

Find users with GenericAll on a Domain object.
MATCH (n)-[r:GenericAll]->(d:Domain) RETURN n.name, type(r), d.name
Find direct (single-hop) abusable ACL edges from owned principals.
MATCH p=(u {owned: true})-[r:GenericAll|GenericWrite|WriteOwner|WriteDacl|AllExtendedRights|ForceChangePassword|AddMember]->(n) RETURN p
Find users with DCSync rights.
MATCH (n1)-[:MemberOf|GetChanges*1..]->(d:Domain) WITH n1, d
MATCH (n1)-[:MemberOf|GetChangesAll*1..]->(d)
RETURN n1.name, d.name

Local Admin

Find computers where a user has local admin rights.
MATCH (u:User)-[:AdminTo]->(c:Computer) RETURN u.name, c.name
Find all computers where the Domain Users group has local admin.
MATCH (g:Group)-[:AdminTo]->(c:Computer) WHERE g.name =~ "(?i)domain users@.*" RETURN c.name

RDP Access

Find computers where a user can RDP.
MATCH (u:User)-[:CanRDP]->(c:Computer) RETURN u.name, c.name
Find computers where the Domain Users group can RDP.
MATCH (g:Group)-[:CanRDP]->(c:Computer) WHERE g.name =~ "(?i)domain users@.*" RETURN c.name

High Value Targets

Find shortest paths to all high value targets.
MATCH p=shortestPath((u:User {owned: true})-[*1..]->(n {highvalue: true})) WHERE u <> n RETURN p
Find all high value targets.
MATCH (n {highvalue: true}) RETURN n.name, labels(n)

Owned Principals

Mark a user as owned (USER@DOMAIN.LOCAL is a placeholder; BloodHound stores user names in upper-case USER@DOMAIN form).
MATCH (u:User {name: "USER@DOMAIN.LOCAL"}) SET u.owned = true RETURN u
Mark a computer as owned (COMPUTER.DOMAIN.LOCAL is a placeholder; BloodHound stores computer names in upper-case HOST.DOMAIN form).
MATCH (c:Computer {name: "COMPUTER.DOMAIN.LOCAL"}) SET c.owned = true RETURN c
Find all paths between owned objects and high value targets.
MATCH p=shortestPath((o {owned: true})-[*1..]->(h {highvalue: true})) WHERE o <> h RETURN p