Cypher Queries for Finding User Credentials
Search user descriptions for “pass” or “pw”:
MATCH (e:User) WHERE e.description =~ '(?i).*(pass|pw).*' RETURN e.name,e.description
Also consider searching for:
- change
  - As in “password change” and “Exchange”
- admin
Search computer descriptions for “pass” or “pw”:
MATCH (e:Computer) WHERE e.description =~ '(?i).*(pass|pw).*' RETURN e.name,e.description
Also consider searching for:
- change
  - As in “password change” and “Exchange”
- admin
Users with password in Active Directory:
Find every user object where the “userpassword” attribute is populated:
MATCH (u:User) WHERE u.userpassword IS NOT NULL RETURN u.name,u.userpassword
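
The three checks above combined into a single review list for cleanup, as an added example that is not part of the original page. It uses the keywords suggested above and the same `description` and `userpassword` properties, and reports only whether `userpassword` is populated rather than echoing its value.

```cypher
// Added example: one pass over users and computers.
// Keywords are the ones suggested on this page; matching is case-insensitive.
WITH ['pass', 'pw', 'change', 'admin'] AS keywords
MATCH (n)
WHERE n:User OR n:Computer
WITH n,
     // Keywords found in the description (empty list if none or no description)
     [k IN keywords WHERE toLower(coalesce(n.description, '')) CONTAINS k] AS matched_keywords,
     // True when the userpassword attribute is set; the value itself is not returned
     n.userpassword IS NOT NULL AS has_userpassword
WHERE size(matched_keywords) > 0 OR has_userpassword
RETURN labels(n) AS labels,
       n.name AS name,
       matched_keywords,
       has_userpassword,
       n.description AS description
// Populated userpassword first, then the descriptions with the most keyword hits
ORDER BY has_userpassword DESC, size(matched_keywords) DESC, name
```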