From a4cf5f96932211d675f22f0c1c2e77ab199bf358 Mon Sep 17 00:00:00 2001
From: Belane
Date: Thu, 1 Sep 2022 22:57:03 +0200
Subject: [PATCH] update customqueries
---
 Dockerfile | 5 +-
 config/config.json => config.json | 0
 config/customqueries.json | 122 ------------------------------
 3 files changed, 4 insertions(+), 123 deletions(-)
 rename config/config.json => config.json (100%)
 delete mode 100644 config/customqueries.json
diff --git a/Dockerfile b/Dockerfile
index f1ea373..3226444 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -39,7 +39,10 @@ RUN wget https://github.com/BloodHoundAD/BloodHound/releases/download/$bloodhoun
 chmod +x /opt/BloodHound-linux-x64/BloodHound
 
 # BloodHound Config
-COPY config/*.json /root/.config/bloodhound/
+COPY config.json /root/.config/bloodhound/
+
+# Custom Queries
+RUN wget https://raw.githubusercontent.com/CompassSecurity/BloodHoundQueries/master/customqueries.json -nv -P /root/.config/bloodhound/
 
 # Init Script
 RUN echo '#!/usr/bin/env bash\n\
diff --git a/config/config.json b/config.json
similarity index 100%
rename from config/config.json
rename to config.json
diff --git a/config/customqueries.json b/config/customqueries.json
deleted file mode 100644
index ca04327..0000000
--- a/config/customqueries.json
+++ /dev/null
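Review bot: The added `RUN wget` line fetches customqueries.json from the mutable `master` branch of a third-party repository at build time with no commit pin and no integrity check, so the image content depends on whatever that URL serves on the day of the build, and an upstream compromise or force-push would land silently in every rebuild. The file is not inert data: it holds Cypher queries that the BloodHound client runs against its Neo4j graph, so a tampered copy is executable content with the database's privileges. Pin the download to a commit and verify a digest before the file is placed, for example `ARG customqueries_rev=<commit-sha>` and `RUN wget https://raw.githubusercontent.com/CompassSecurity/BloodHoundQueries/${customqueries_rev}/customqueries.json -nv -O /root/.config/bloodhound/customqueries.json && echo "<sha256>  /root/.config/bloodhound/customqueries.json" | sha256sum -c -`, bumping both values deliberately when you want newer queries. This keeps the update convenience the commit is after while restoring the reproducibility that the deleted vendored copy provided. The RUN chain that precedes this hunk (the BloodHound release download) starts outside the hunk, so the same pinning review applies there and is not covered by this note.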
@@ -1,122 +0,0 @@
-{
- "queries": [
- {
- "name": "Find DCSyncers",
- "queryList": [
- {
- "final": false,
- "title": "Select a Domain...",
- "query":
- "MATCH (n:Domain) RETURN n.name ORDER BY n.name DESC"
- },
- {
- "final": true,
- "query":
- "MATCH p=(n1)-[:MemberOf|GetChanges*1..]->(u:Domain {name: {result}}) WITH p,n1 MATCH p2=(n1)-[:MemberOf|GetChangesAll*1..]->(u:Domain {name: {result}}) WITH p,p2 MATCH p3=(n2)-[:MemberOf|GenericAll|AllExtendedRights*1..]->(u:Domain {name: {result}}) RETURN p,p2,p3",
- "allowCollapse": true,
- "endNode": "{}"
- }
- ]
- },
- {
- "name": "Find logged in Admins",
- "queryList": [
- {
- "final": true,
- "query":
- "MATCH p=(a:Computer)-[r:HasSession]->(b:User) WITH a,b,r MATCH p=shortestPath((b)-[:AdminTo|MemberOf*1..]->(a)) RETURN p",
- "allowCollapse": true
- }
- ]
- },
- {
- "name": "Top Ten Users with Most Sessions",
- "queryList": [
- {
- "final": true,
- "query":
- "MATCH (n:User),(m:Computer), (n)<-[r:HasSession]-(m) WHERE NOT n.name STARTS WITH 'ANONYMOUS LOGON' AND NOT n.name='' WITH n, count(r) as rel_count order by rel_count desc LIMIT 10 MATCH p=(m)-[r:HasSession]->(n) RETURN p",
- "allowCollapse": true
- }
- ]
- },
- {
- "name": "Top Ten Computers with Most Sessions",
- "queryList": [
- {
- "final": true,
- "query":
- "MATCH (n:User),(m:Computer), (n)<-[r:HasSession]-(m) WHERE NOT n.name STARTS WITH 'ANONYMOUS LOGON' AND NOT n.name='' WITH m, count(r) as rel_count order by rel_count desc LIMIT 10 MATCH p=(m)-[r:HasSession]->(n) RETURN n,r,m",
- "allowCollapse": true
- }
- ]
- },
- {
- "name": "Top Ten Users with Most Local Admin Rights",
- "queryList": [
- {
- "final": true,
- "query":
- "MATCH (n:User),(m:Computer), (n)-[r:AdminTo]->(m) WHERE NOT n.name STARTS WITH 'ANONYMOUS LOGON' AND NOT n.name='' WITH n, count(r) as rel_count order by rel_count desc LIMIT 10 MATCH p=(m)<-[r:AdminTo]-(n) RETURN p",
- "allowCollapse": true
- }
- ]
- },
- {
- "name": "Top Ten Computers with Most Admins",
- "queryList": [
- {
- "final": true,
- "query":
- "MATCH (n:User),(m:Computer), (n)-[r:AdminTo]->(m) WHERE NOT n.name STARTS WITH 'ANONYMOUS LOGON' AND NOT n.name='' WITH m, count(r) as rel_count order by rel_count desc LIMIT 10 MATCH p=(m)<-[r:AdminTo]-(n) RETURN p",
- "allowCollapse": true
- }
- ]
- },
- {
- "name": "Shortest Path from SPN User",
- "queryList": [
- {
- "final": false,
- "title": "Select a domain...",
- "query":
- "MATCH (n:Domain) RETURN n.name ORDER BY n.name DESC"
- },
- {
- "final": false,
- "title": "Select a user",
- "query":
- "MATCH (n:User) WHERE n.domain={result} AND n.HasSPN=true RETURN n.name, n.PwdLastSet ORDER BY n.PwdLastSet ASC"
- },
- {
- "final": true,
- "query":
- "MATCH n=shortestPath((a:User {name:{result}})-[r:MemberOf|AdminTo|HasSession|Contains|GpLink|Owns|DCSync|AllExtendedRights|ForceChangePassword|GenericAll|GenericWrite|WriteDacl|WriteOwner*1..]->(b:Computer)) RETURN n",
- "startNode": "{}",
- "allowCollapse": true
- }
- ]
- },
- {
- "name": "Shortest Paths to Domain Admins from SPN Users",
- "queryList": [
- {
- "final": false,
- "title": "Select a Domain Admin group...",
- "query":
- "MATCH (n:Group) WHERE n.name =~ {name} RETURN n.name ORDER BY n.name DESC",
- "props": {
- "name": "(?i).*DOMAIN ADMINS.*"
- }
- },
- {
- "final": true,
- "query":
- "MATCH (n:User),(m:Group {name:{result}}),p=shortestPath((n)-[r:MemberOf|AdminTo|HasSession|Contains|GpLink|Owns|DCSync|AllExtendedRights|ForceChangePassword|GenericAll|GenericWrite|WriteDacl|WriteOwner*1..]->(m)) WHERE n.HasSPN=true RETURN p",
- "allowCollapse": true,
- "endNode": "{}"
- }
- ]
- }
- ]
-}