Enumeration Cheatsheets

Bloodhound Cheatsheet – Custom Queries, Neo4j, etc.

This document contains both Custom Queries that you can import/run directly in Bloodhound, as well as as custom queries that you can run from within the Neo4j GUI directly.

Importing Custom Queries to Bloodhound

CompassSecurity / BloodHoundQueries

There is an awesome project over at https://github.com/CompassSecurity/BloodHoundQueries. You can quickly install the custom queries by running the following commands in Linux.

cd /root/.config/bloodhound
curl -o "customqueries.json" "https://raw.githubusercontent.com/CompassSecurity/BloodHoundQueries/master/customqueries.json"

Once downloaded, just restart Bloodhound and you’ll see the Custom Queries available.

Within Neo4j GUI

In the Neo4j console (by default http://localhost:7474/browser/), you can run your own queries to get data out of the Bloodhound database. I like to do this for ease of copy/paste when report writing.

Find all computers that have an unsupported Operating System.

MATCH (H:Computer) WHERE H.operatingsystem =~ '.(2000|2003|2008|xp|vista|7).' RETURN H.name, H.operatingsystem

MATCH (H:Computer) WHERE H.operatingsystem =~ '(?i).*(2000|2003|2008|xp|vista|me|7).*' RETURN H.name,H.operatingsystem

Find all enabled users who are member of a particular group, such as Domain Admins.

MATCH (u:User)-[:MemberOf]->(g:Group {name:'DOMAIN ADMINS@<domain>'}) WHERE u.enabled = TRUE return u.name

Find all users that contain a keyword.

MATCH (u:User) WHERE u.name CONTAINS "<keyword>" return u.name, u.displayname, u.description, u.group

Print the name of all enabled users and their description field.

MATCH (n:User) WHERE n.enabled = TRUE RETURN n.name, n.description

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s