BloodHound Cypher Queries

This page collects Cypher queries that help during Active Directory assessments with BloodHound. They can be run from the raw query box in the BloodHound GUI or directly in the Neo4j browser.

This page contains BloodHound queries to:

#1 List owned users

MATCH (u:User {owned:true}) RETURN u.name

Useful once compromised accounts have been flagged in the BloodHound GUI (right-click the node, 'Mark as owned'), which sets the owned property of the node to true.

#2 List owned computers

MATCH (c:Computer {owned:true}) RETURN c.name,c.operatingsystem

Same as above, for computer nodes flagged as owned; the operating system is returned next to the name.

#3 List enabled machines with unsupported operating system

MATCH (c:Computer {enabled:true}) WHERE c.operatingsystem =~ '(?i).*\\b(2000|2003|2008|xp|vista|7|me)\\b.*' RETURN c.name,c.operatingsystem

When no network ranges are provided, hosts running unsupported operating systems are a quick first list of targets; prioritise them for vulnerability scanning (for example with Nessus). The \b word boundaries stop short tokens such as 7 and me from matching inside other words (the backslash has to be doubled inside a Cypher string), and the list should be extended as further versions leave support (8.1 and 2012/2012 R2 are out of support as well).

#4 List description of enabled machines

MATCH (c:Computer {enabled:true}) WHERE c.description IS NOT NULL RETURN c.name,c.description

Lists computer accounts that carry a description. Useful for understanding the role of each host before touching it.

#5 List description of enabled users

MATCH (u:User {enabled:true}) WHERE u.description IS NOT NULL RETURN u.name,u.description

Lists enabled user accounts that carry a description. Useful for understanding the role of each account (service account, shared account, contractor, and so on).

#6 List user accounts that contain the word 'PASS' in their description

MATCH (u:User {enabled:true}) WHERE toupper(u.description) CONTAINS 'PASS' RETURN u.name,u.description

Looks for accounts whose description may hold a password. toupper() makes the match case-insensitive; it is worth repeating the search with terms such as 'PWD' and 'CRED' and with the local-language word for password.

#7 List computer accounts that contain the word 'TOMCAT' in the description

MATCH (c:Computer {enabled:true}) WHERE toupper(c.description) CONTAINS 'TOMCAT' RETURN c.name,c.description

Identifies servers that may be running Tomcat. The same pattern works for any other product or role keyword (SQL, EXCHANGE, BACKUP, ...).
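A generalisation of #6 and #7, added here as an example and not taken from the original page: a single query scans enabled users and computers for several keywords at once and reports which keywords matched each description. The keyword list is an assumption and should be adjusted to the target environment.

```cypher
// Added example: one pass over enabled users and computers looking for
// several credential- or role-related keywords in the description field.
// The keyword list is an assumption; extend it with terms used by the target.
WITH ['PASS', 'PWD', 'CRED', 'SECRET', 'TOMCAT'] AS keywords
MATCH (n)
WHERE (n:User OR n:Computer)
  AND n.enabled = true
  AND n.description IS NOT NULL
  // toupper() on the description makes the match case-insensitive
  AND ANY(k IN keywords WHERE toupper(n.description) CONTAINS k)
RETURN CASE WHEN n:User THEN 'User' ELSE 'Computer' END AS type,
       n.name AS name,
       // which of the keywords actually hit, so results can be triaged quickly
       [k IN keywords WHERE toupper(n.description) CONTAINS k] AS matched,
       n.description AS description
ORDER BY type, name
```

Reviewing the matched column first makes it easy to separate password hints from plain role descriptions without reading every row.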

#8 List hosts where an owned user can RDP to

MATCH (u:User {owned:true}) MATCH (c:Computer {enabled:true}) MATCH p=(u)-[:MemberOf|CanRDP*1..]->(c) RETURN p

Shows which enabled hosts an owned user can RDP to, following group membership (MemberOf, any depth) until a CanRDP edge is reached. CanRDP is derived from membership of the Remote Desktop Users local group, so it means interactive access, not local administrator rights. The unbounded *1.. can be slow on large graphs; cap the depth (for example *1..5) if the query takes too long.

#9 List enabled user accounts that are not required to have a password

MATCH (u:User {enabled:true,passwordnotreqd:true}) RETURN u.name,u.displayname

The passwordnotreqd property maps to the PASSWD_NOTREQD flag in userAccountControl. It allows the account to have an empty password but does not guarantee that one is set; confirm by attempting to authenticate with an empty password.

#10 List enabled computer accounts that allow unconstrained delegation

MATCH (c:Computer {enabled:true,unconstraineddelegation:true}) RETURN c.name,c.description

Returns hosts configured with unconstrained delegation. If such a host is compromised and the attacker holds elevated privileges on it, a privileged principal (typically a domain controller machine account or an administrator) can be coerced into authenticating to the host, and its TGT can then be extracted from the memory of the compromised computer and reused. Domain controllers are unconstrained by default and will appear in the results; the interesting findings are the other hosts.
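An added example, not from the original page, that builds on #10: it drops domain controllers by their membership of the Domain Controllers group and, for each remaining unconstrained host, lists the owned users who already hold AdminTo on it, directly or through group membership. It assumes the EXISTS subquery syntax of Neo4j 4.0 or later and BloodHound's upper-case group naming (DOMAIN CONTROLLERS@DOMAIN).

```cypher
// Added example: unconstrained-delegation hosts that are not domain controllers,
// with the owned users that can already reach them as local admin.
// Assumes Neo4j 4.x (EXISTS subquery) and BloodHound's upper-case group names.
MATCH (c:Computer {enabled:true, unconstraineddelegation:true})
// DCs are unconstrained by default; exclude them via the Domain Controllers group
// (SharpHound records the primary group as a MemberOf edge)
WHERE NOT EXISTS {
  MATCH (c)-[:MemberOf*1..]->(g:Group)
  WHERE g.name STARTS WITH 'DOMAIN CONTROLLERS@'
}
// *0.. so that a direct AdminTo edge from the user counts as well as
// AdminTo inherited through one or more groups
OPTIONAL MATCH (u:User {owned:true})-[:MemberOf*0..]->()-[:AdminTo]->(c)
RETURN c.name AS host,
       c.operatingsystem AS os,
       collect(DISTINCT u.name) AS owned_admins
ORDER BY size(owned_admins) DESC, host
```

Hosts at the top of the list are the ones where the TGT-capture scenario described above is already feasible with the current foothold; the rest still need a path to local admin first.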

#11 Find direct edges an owned user has to a computer

MATCH p=(u:User {owned:true})-[r]->(c:Computer) RETURN p

Returns every direct edge (AdminTo, CanRDP, ExecuteDCOM, ...) from an owned user to a computer. Edges inherited through group membership are not included; for those, follow MemberOf with a variable-length pattern as in #8.

#12 List user accounts that do not require PreAuthentication

MATCH (u:User {enabled:true,dontreqpreauth:true}) RETURN u.name

The BloodHound property is dontreqpreauth (the DONT_REQ_PREAUTH flag in userAccountControl). Such accounts are AS-REP roastable: anyone can request a TGT for them without pre-authentication and crack the encrypted part of the reply offline.

#13 List user accounts configured with constrained delegation

MATCH (u:User {enabled:true}) WHERE u.allowedtodelegate IS NOT NULL RETURN u.name,u.allowedtodelegate

allowedtodelegate holds the target SPNs (msDS-AllowedToDelegateTo). If such an account is compromised it can obtain service tickets to those services on behalf of other users through S4U2Proxy; the trustedtoauth property shows whether protocol transition (S4U2Self) is also allowed. The same property exists on Computer nodes, and BloodHound renders these relationships as AllowedToDelegate edges.

#14 List hosts with service principal names

MATCH (c:Computer {enabled:true}) WHERE c.serviceprincipalnames IS NOT NULL RETURN c.name,c.serviceprincipalnames

Returns hosts together with their SPNs. SPNs give extra context on the role of each host, such as the services (MSSQLSvc, HTTP, TERMSRV, ...) registered on it.

#15 List active accounts that have never logged in

MATCH (u:User {enabled:true}) WHERE u.lastlogon=-1 AND u.lastlogontimestamp=-1 RETURN u.name

BloodHound stores -1 when the attribute has never been set. lastlogon is not replicated between domain controllers (SharpHound reads it from the DC it queried), while lastlogontimestamp is replicated but only refreshed when the stored value is more than 9 to 14 days old, so both are checked.
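An added example (not part of the original page) that goes beyond #15: instead of only listing accounts that never logged on, it converts the epoch timestamps BloodHound stores into readable dates and also reports enabled accounts whose replicated last logon is older than a cutoff. The 180-day cutoff is an assumption; the date functions require Neo4j 3.4 or later.

```cypher
// Added example: never-logged-on and stale enabled users with readable dates.
// BloodHound stores lastlogon, lastlogontimestamp and pwdlastset as Unix epoch
// seconds; -1 (or 0) means the attribute was never set.
// The 180-day cutoff is an assumption; adjust to the engagement's definition of stale.
WITH duration({days: 180}) AS cutoff
MATCH (u:User {enabled:true})
WITH u, cutoff,
     // replicated value: comparable across DCs, but lags by up to 14 days
     CASE WHEN u.lastlogontimestamp > 0 THEN datetime({epochSeconds: u.lastlogontimestamp}) END AS last_repl,
     // non-replicated value from the DC SharpHound queried
     CASE WHEN u.lastlogon > 0 THEN datetime({epochSeconds: u.lastlogon}) END AS last_dc
// keep accounts that never logged on or have not logged on since the cutoff
WHERE last_repl IS NULL OR last_repl < datetime() - cutoff
RETURN u.name AS user,
       coalesce(toString(last_repl), 'never') AS last_logon_replicated,
       coalesce(toString(last_dc), 'never') AS last_logon_on_queried_dc,
       CASE WHEN u.pwdlastset > 0 THEN toString(datetime({epochSeconds: u.pwdlastset})) ELSE 'never' END AS pwd_last_set
ORDER BY last_repl
```

Accounts that show 'never' in both logon columns but have a recent pwd_last_set are often freshly provisioned accounts whose initial password may still be the one set by the helpdesk, which is worth cross-checking against the description searches in #6.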