cypheroth: Automated, extensible toolset that runs cypher queries against Bloodhound’s Neo4j backend

Cypheroth

An automated, extensible toolset that runs cipher queries against Bloodhound’s Neo4j backend and saves the output to csv.

The list of cipher queries to run is fully extensible. The formatting example below shows how to add your own.

Download

git clone https://github.com/seajaysec/cypheroth.git

Cypher Queries

The current query set requests the following information:

• Full User Property List
• Full Computer Property List
• Full Domain Property List
• Full OU Property List
• Full GPO Property List
• Full Group Property List
• Computers with Admins
• Computers without Admins
• Groups with Computers and Admins
• Group Admin Info
• Users that are not AdminCount 1, have generic all, and no local admin
• Users that are an admin on 1+ machines, sorted by admin count
• Kerberoastable users sorted by total machine admin count
• Kerberoastable users and computers where they are admins
• Computers that members of the Domain Users group can RDP to
• Computers where users which can Return, if they belong to adm or svr accounts
• Computer names where each domain user has derivative Admin privileges to
• Users with paths to High-Value groups
• Every computer account that has local admin rights on other computers
• Find which domain Groups are Admins to what computers
• What permissions does Everyone/Authenticated users/Domain users/Domain computers have
• All users with SPN in the Domain Admin group, with enabled status and unconstrained delegation status, displayed

To add additional queries, edit  queries.txt and add a line using the following format:

Description;Cypher Query;Output File

Example: All Usernames;MATCH (u:User) RETURN u.name;usernames.csv

Copyright (c) 2019, Chris Johnson
All rights reserved.

Source: https://github.com/seajaysec/