### Install Classic BloodHound Custom Queries (Bash) Source: https://context7.com/hausec/bloodhound-custom-queries/llms.txt Commands to replace the default custom queries file in Classic BloodHound on Windows, Linux, and macOS. Requires refreshing the queries in the BloodHound GUI after replacement. ```bash # Windows: Replace the custom queries file copy customqueries.json %APPDATA%\BloodHound\customqueries.json # Linux/macOS: Replace the custom queries file cp customqueries.json ~/.config/bloodhound/customqueries.json # After replacing, refresh queries in BloodHound GUI: # Queries tab > Custom Queries > Click Refresh icon ``` -------------------------------- ### Install BloodHound Community Edition Custom Queries (Bash) Source: https://context7.com/hausec/bloodhound-custom-queries/llms.txt Command to copy the BHCE format custom queries file into the BloodHound Community Edition configuration directory. Ensure the path to the BloodHound CE configuration is correct. ```bash # Copy the BHCE format file to your BloodHound CE configuration cp BHCE-CustomQueries.json /path/to/bloodhound-ce/custom-queries/ ``` -------------------------------- ### Analyze Azure AD Configurations with Cypher Source: https://context7.com/hausec/bloodhound-custom-queries/llms.txt These queries analyze Azure Active Directory configurations and potential attack paths. They cover identifying Global Administrators, mapping on-premises users to Azure, finding paths to Azure VMs and KeyVaults, listing Azure users and their groups, identifying synchronized groups, and discovering privileged service principals and application owners. ```cypher -- Return All Azure Users that are part of the 'Global Administrator' Role MATCH p=(n)-[r:AZGlobalAdmin*1..]->(m) RETURN p -- Return All On-Prem users with edges to Azure MATCH p=(m:User)-[r:AZResetPassword|AZOwns|AZUserAccessAdministrator|AZContributor|AZAddMembers|AZGlobalAdmin|AZVMContributor|AZOwnsAZAvereContributor]->(n) WHERE m.objectid CONTAINS 'S-1-5-21' RETURN p -- Find all paths to an Azure VM MATCH p = (n)-[r]->(g:AZVM) RETURN p -- Find all paths to an Azure KeyVault MATCH p = (n)-[r]->(g:AZKeyVault) RETURN p -- Return All Azure Users and their Groups MATCH p=(m:AZUser)-[r:MemberOf]->(n) WHERE NOT m.objectid CONTAINS 'S-1-5' RETURN p -- Return All Azure AD Groups that are synchronized with On-Premise AD MATCH (n:Group) WHERE n.objectid CONTAINS 'S-1-5' AND n.azsyncid IS NOT NULL RETURN n -- Find all Privileged Service Principals MATCH p = (g:AZServicePrincipal)-[r]->(n) RETURN p -- Find all Owners of Azure Applications MATCH p = (n)-[r:AZOwns]->(g:AZApp) RETURN p ``` -------------------------------- ### Discover RDP Access with Cypher Source: https://context7.com/hausec/bloodhound-custom-queries/llms.txt These queries help identify machines that Domain Users can RDP into and which groups have RDP permissions. They utilize Cypher to traverse the graph database. ```cypher -- Find machines Domain Users can RDP into match p=(g:Group)-[:CanRDP]->(c:Computer) where g.objectid ENDS WITH '-513' return p -- Find what groups can RDP MATCH p=(m:Group)-[r:CanRDP]->(n:Computer) RETURN p ``` -------------------------------- ### Discover Infrastructure Details with Cypher Source: https://context7.com/hausec/bloodhound-custom-queries/llms.txt These queries are designed to discover infrastructure details, including identifying computers with specific Service Principal Names (SPNs) like MSSQL, finding machines with unsupported operating systems, and locating users within VPN groups. ```cypher -- Return computers where at least one SPN contains 'MSSQL' MATCH (c:Computer) WHERE ANY (x IN c.serviceprincipalnames WHERE toUpper(x) CONTAINS 'MSSQL') RETURN c -- Find all computers with unsupported operating systems MATCH (H:Computer) WHERE H.operatingsystem = '.*(2000|2003|2008|xp|vista|7|me).*' RETURN H -- Find all users a part of the VPN group Match p=(u:User)-[:MemberOf]->(g:Group) WHERE toUPPER(g.name) CONTAINS 'VPN' return p ``` -------------------------------- ### Inspect Group Policy and Permissions with Cypher Source: https://context7.com/hausec/bloodhound-custom-queries/llms.txt These Cypher queries help analyze Group Policy Object (GPO) configurations and identify permission weaknesses. They include viewing all GPOs, finding groups containing 'admin', checking for user rights on GPOs, and identifying unprivileged users with group membership modification rights. ```cypher -- View all GPOs Match (n:GPO) RETURN n -- View all groups that contain the word 'admin' Match (n:Group) WHERE n.name CONTAINS 'ADMIN' RETURN n -- Find if any domain user has interesting permissions against a GPO (Warning: Heavy) MATCH p=(u:User)-[r:AllExtendedRights|GenericAll|GenericWrite|Owns|WriteDacl|WriteOwner|GpLink*1..]->(g:GPO) RETURN p -- Find if unprivileged users have rights to add members into groups MATCH (n:User {admincount:False}) MATCH p=allShortestPaths((n)-[r:AddMember*1..]->(m:Group)) RETURN p -- Find groups that contain both users and computers MATCH (c:Computer)-[r:MemberOf*1..]->(groupsWithComps:Group) WITH groupsWithComps MATCH (u:User)-[r:MemberOf*1..]->(groupsWithComps) RETURN DISTINCT(groupsWithComps) as groupsWithCompsAndUsers ``` -------------------------------- ### Identify Delegation Misconfigurations (Cypher) Source: https://context7.com/hausec/bloodhound-custom-queries/llms.txt Cypher queries to detect delegation misconfigurations in Active Directory, including unconstrained and constrained delegation. These queries help identify potential lateral movement vectors. ```cypher -- Find all computers with Unconstrained Delegation MATCH (c:Computer {unconstraineddelegation:true}) return c -- Find the Shortest path to an unconstrained delegation system from an owned object MATCH (n) MATCH p=shortestPath((n)-[*1..]->(m:Computer {unconstraineddelegation: true})) WHERE NOT n=m AND n.owned = true RETURN p -- Find computers that allow unconstrained delegation that AREN'T domain controllers MATCH (c1:Computer)-[:MemberOf*1..]->(g:Group) WHERE g.objectid ENDS WITH '-516' WITH COLLECT(c1.name) AS domainControllers MATCH (c2:Computer {unconstraineddelegation:true}) WHERE NOT c2.name IN domainControllers RETURN c2 -- Find constrained delegation (User to Computer) MATCH p=(u:User)-[:AllowedToDelegate]->(c:Computer) RETURN p -- Find computers with constrained delegation permissions MATCH (c:Computer) WHERE c.allowedtodelegate IS NOT NULL RETURN c ``` -------------------------------- ### Find AS-REP Roasting Vulnerable Users (Cypher) Source: https://context7.com/hausec/bloodhound-custom-queries/llms.txt A Cypher query to identify users susceptible to AS-REP roasting attacks. This is determined by checking if Kerberos pre-authentication is disabled for the user account. ```cypher -- Find users that can be AS-REP roasted MATCH (u:User {dontreqpreauth: true}) RETURN u ``` -------------------------------- ### Analyze User Activity with Cypher Source: https://context7.com/hausec/bloodhound-custom-queries/llms.txt These queries analyze user login patterns and password age to assess security. They identify users who logged in or had passwords last set within the last 90 days, and those who have never logged on but are still active. ```cypher -- Find users that logged in within the last 90 days MATCH (u:User) WHERE u.lastlogon < (datetime().epochseconds - (90 * 86400)) AND NOT u.lastlogon IN [-1.0, 0.0] RETURN u -- Find users with passwords last set within the last 90 days MATCH (u:User) WHERE u.pwdlastset < (datetime().epochseconds - (90 * 86400)) AND NOT u.pwdlastset IN [-1.0, 0.0] RETURN u -- Find users that have never logged on and account is still active MATCH (n:User) WHERE n.lastlogontimestamp=-1.0 AND n.enabled=TRUE RETURN n ``` -------------------------------- ### Map Administrative Access with Cypher Source: https://context7.com/hausec/bloodhound-custom-queries/llms.txt These Cypher queries map administrative rights across users, groups, and computers, including local admin rights, Domain Admin sessions, and password reset capabilities. Note that some queries can be resource-intensive. ```cypher -- Find groups that have local admin rights (Warning: Heavy) MATCH p=(m:Group)-[r:AdminTo]->(n:Computer) RETURN p -- Find all users that have local admin rights MATCH p=(m:User)-[r:AdminTo]->(n:Computer) RETURN p -- Find all active Domain Admin sessions MATCH (n:User)-[:MemberOf]->(g:Group) WHERE g.objectid ENDS WITH '-512' MATCH p = (c:Computer)-[:HasSession]->(n) return p -- Find groups that can reset passwords (Warning: Heavy) MATCH p=(m:Group)-[r:ForceChangePassword]->(n:User) RETURN p ``` -------------------------------- ### Identify High Value Targets and Paths (Cypher) Source: https://context7.com/hausec/bloodhound-custom-queries/llms.txt Cypher queries to identify and analyze paths to high-value targets within the environment. This includes listing all high-value targets and finding shortest paths from owned objects. ```cypher -- List all High Valued Targets MATCH (m) WHERE m.highvalue=TRUE RETURN m -- Find the Shortest path to a high value target from an owned object MATCH p=shortestPath((g {owned:true})-[*1..]->(n {highvalue:true})) WHERE g<>n return p -- Show all high value target's groups MATCH p=(n:User)-[r:MemberOf*1..]->(m:Group {highvalue:true}) RETURN p ``` -------------------------------- ### Find Kerberoastable Users (Cypher) Source: https://context7.com/hausec/bloodhound-custom-queries/llms.txt Cypher queries to identify users vulnerable to Kerberoasting attacks by checking for Service Principal Names (SPNs). Includes filtering by password last set date and paths to Domain Admin. ```cypher -- Find all Kerberoastable Users MATCH (n:User) WHERE n.hasspn=true RETURN n -- Find Kerberoastable Users with passwords last set less than 5 years ago MATCH (u:User) WHERE u.hasspn=true AND u.pwdlastset < (datetime().epochseconds - (1825 * 86400)) AND NOT u.pwdlastset IN [-1.0, 0.0] RETURN u.name, u.pwdlastset order by u.pwdlastset -- Find Kerberoastable Users with a path to Domain Admin MATCH (u:User {hasspn:true}) MATCH (g:Group) WHERE g.objectid ENDS WITH '-512' MATCH p = shortestPath((u)-[*1..]->(g)) RETURN p -- Find Kerberoastable users who are members of high value groups MATCH (u:User)-[r:MemberOf*1..]->(g:Group) WHERE g.highvalue=true AND u.hasspn=true RETURN u -- Find Kerberoastable users and where they are AdminTo OPTIONAL MATCH (u1:User) WHERE u1.hasspn=true OPTIONAL MATCH (u1)-[r:AdminTo]->(c:Computer) RETURN u ``` -------------------------------- ### Enumerate Owned Objects (Cypher) Source: https://context7.com/hausec/bloodhound-custom-queries/llms.txt Cypher queries to list all objects (users, computers, groups) that have been marked as 'owned' during a security engagement. These queries help track assets identified as important. ```cypher -- List all owned users MATCH (m:User) WHERE m.owned=TRUE RETURN m -- List all owned computers MATCH (m:Computer) WHERE m.owned=TRUE RETURN m -- List all owned groups MATCH (m:Group) WHERE m.owned=TRUE RETURN m -- List the groups of all owned users (shows group membership paths) MATCH (m:User) WHERE m.owned=TRUE WITH m MATCH p=(m)-[:MemberOf*1..]->(n:Group) RETURN p ``` -------------------------------- ### Classic BloodHound Query Structure (JSON) Source: https://context7.com/hausec/bloodhound-custom-queries/llms.txt Defines the structure for BloodHound custom queries, including support for parameterized node selection and multi-step queries. This format allows for more complex query logic and user interaction within the BloodHound GUI. ```json { "queries": [ { "name": "Find all Kerberoastable Users", "queryList": [ { "final": true, "query": "MATCH (n:User) WHERE n.hasspn=true RETURN n", "allowCollapse": false } ] }, { "name": "Find all sessions a user in a specific domain has", "requireNodeSelect": true, "queryList": [ { "final": false, "title": "Select source domain...", "query": "MATCH (n:Domain) RETURN n.name ORDER BY n.name" }, { "final": true, "query": "MATCH p=(m:Computer)-[r:HasSession]->(n:User {domain:{result}}) RETURN p", "startNode": "{}", "allowCollapse": false } ] } ] } ``` -------------------------------- ### Analyze Cross-Domain Relationships with Cypher Source: https://context7.com/hausec/bloodhound-custom-queries/llms.txt These Cypher queries focus on analyzing trust relationships and cross-domain attack paths. They include finding objects in one domain that can affect foreign objects, identifying user sessions across domains, and tracing paths from owned users to computers. ```cypher -- Find an object in one domain that can do something to a foreign object MATCH p=(n)-[r]->(m) WHERE NOT n.domain = m.domain RETURN p -- Find all sessions a user in a specific domain has (parameterized) MATCH p=(m:Computer)-[r:HasSession]->(n:User {domain:{result}}) RETURN p -- Find an object from domain 'A' that can do anything to a foreign object (parameterized) MATCH p=(n {domain:{result}})-[r]->(d) WHERE NOT d.domain=n.domain RETURN p -- Find All edges any owned user has on a computer MATCH p=shortestPath((m:User)-[r*]->(b:Computer)) WHERE m.owned RETURN p ``` -------------------------------- ### BloodHound CE Query Structure (JSON) Source: https://context7.com/hausec/bloodhound-custom-queries/llms.txt Presents the simplified flat array structure for custom queries in BloodHound Community Edition. Each object in the array represents a single query with its name and Cypher query string. ```json [ { "name": "Find all Kerberoastable Users", "query": "MATCH (n:User) WHERE n.hasspn=true RETURN n", "description": "Find all Kerberoastable Users" }, { "name": "List all owned users", "query": "MATCH (m:User) WHERE m.owned=TRUE RETURN m", "description": "List all owned users" } ] ``` === COMPLETE CONTENT === This response contains all available snippets from this library. No additional content exists. Do not make further requests.