> ## Documentation Index
> Fetch the complete documentation index at: https://docs.bytejmp.com/llms.txt
> Use this file to discover all available pages before exploring further.

# Cypher Queries

> Common BloodHound Cypher queries for attack path analysis in Active Directory.

## Domain Admins

Find all Domain Admin users.

```cypher theme={"dark"}
MATCH (u:User)-[:MemberOf*1..]->(g:Group) WHERE g.name =~ "(?i)domain admins@.*" RETURN u
```

Find shortest path from any owned user to Domain Admins.

```cypher theme={"dark"}
MATCH p=shortestPath((u:User {owned: true})-[*1..]->(g:Group)) WHERE g.name =~ "(?i)domain admins@.*" RETURN p
```

Find the shortest paths from owned users to Domain Admins (`allShortestPaths` returns only the shortest paths, not every path).

```cypher theme={"dark"}
MATCH p=allShortestPaths((u:User {owned: true})-[*1..]->(g:Group)) WHERE g.name =~ "(?i)domain admins@.*" RETURN p
```

***

## Kerberos Attacks

Find Kerberoastable users.

```cypher theme={"dark"}
MATCH (u:User {hasspn: true}) RETURN u.name, u.serviceprincipalnames
```

Find Kerberoastable users with a path to Domain Admins.

```cypher theme={"dark"}
MATCH (u:User {hasspn: true}) MATCH p=shortestPath((u)-[*1..]->(g:Group)) WHERE g.name =~ "(?i)domain admins@.*" RETURN p
```

Find AS-REP Roastable users.

```cypher theme={"dark"}
MATCH (u:User {dontreqpreauth: true}) RETURN u.name
```

***

## Delegation

Find computers with Unconstrained Delegation.

```cypher theme={"dark"}
MATCH (c:Computer {unconstraineddelegation: true}) RETURN c.name
```

Find users with Unconstrained Delegation.

```cypher theme={"dark"}
MATCH (u:User {unconstraineddelegation: true}) RETURN u.name
```

Find objects with Constrained Delegation.

```cypher theme={"dark"}
MATCH (n) WHERE n.allowedtodelegate IS NOT NULL RETURN n.name, n.allowedtodelegate
```

***

## ACL Abuse

Find users with GenericAll on a Domain object.

```cypher theme={"dark"}
MATCH (n)-[r:GenericAll]->(d:Domain) RETURN n.name, type(r), d.name
```

Find all ACL paths from owned principals.

```cypher theme={"dark"}
MATCH p=(u {owned: true})-[r:GenericAll|GenericWrite|WriteOwner|WriteDacl|AllExtendedRights|ForceChangePassword|AddMember]->(n) RETURN p
```

Find users with DCSync rights.

```cypher theme={"dark"}
MATCH (n1)-[:MemberOf|GetChanges*1..]->(d:Domain) WITH n1, d
MATCH (n1)-[:MemberOf|GetChangesAll*1..]->(d)
RETURN n1.name, d.name
```

***

## Local Admin

Find computers where a user has local admin rights.

```cypher theme={"dark"}
MATCH (u:User)-[:AdminTo]->(c:Computer) RETURN u.name, c.name
```

Find all computers where Domain Users group has local admin.

```cypher theme={"dark"}
MATCH (g:Group)-[:AdminTo]->(c:Computer) WHERE g.name =~ "(?i)domain users@.*" RETURN c.name
```

***

## RDP Access

Find computers where a user can RDP.

```cypher theme={"dark"}
MATCH (u:User)-[:CanRDP]->(c:Computer) RETURN u.name, c.name
```

Find computers where Domain Users group can RDP.

```cypher theme={"dark"}
MATCH (g:Group)-[:CanRDP]->(c:Computer) WHERE g.name =~ "(?i)domain users@.*" RETURN c.name
```

***

## High Value Targets

Find shortest paths to all high value targets.

```cypher theme={"dark"}
MATCH p=shortestPath((u:User {owned: true})-[*1..]->(n {highvalue: true})) WHERE u <> n RETURN p
```

Find all high value targets.

```cypher theme={"dark"}
MATCH (n {highvalue: true}) RETURN n.name, labels(n)
```

***

## Owned Principals

Mark a user as owned.

```cypher theme={"dark"}
MATCH (u:User {name: "USER@DOMAIN.LOCAL"}) SET u.owned = true RETURN u
```

Mark a computer as owned.

```cypher theme={"dark"}
MATCH (c:Computer {name: "COMPUTER@DOMAIN.LOCAL"}) SET c.owned = true RETURN c
```

Find all paths between owned objects and high value targets.

```cypher theme={"dark"}
MATCH p=shortestPath((o {owned: true})-[*1..]->(h {highvalue: true})) WHERE o <> h RETURN p
```

***

## References

* [BloodHound Cypher Query Guide](https://support.bloodhoundenterprise.io/hc/en-us/articles/17481394564251)
* [BloodHound — Custom Queries (GitHub)](https://github.com/ZephrFish/Bloodhound-CustomQueries)
* [Hausec — BloodHound Cheatsheet](https://hausec.com/2019/09/09/bloodhound-cypher-cheatsheet/)
* [Neo4j Cypher Manual](https://neo4j.com/docs/cypher-manual/current/)
