This sequence of queries will identify users who have administrator access to the most computers and then mark the top 10 (or however many you like) with the most admin access as High Value Targets (HVTs).

Each step should be run in the user interface noted: either the Neo4j web UI at http://127.0.0.1:7474 or the BloodHound application UI.

1. Neo4j Web UI: List all users with direct admin rights

  • Determine how many you want to set as HVTs from this list

```cypher
MATCH (n:User)-[r:AdminTo]->(m:Computer)
WHERE NOT n.name STARTS WITH 'ANONYMOUS LOGON' AND NOT n.name = ''
WITH n, count(r) AS rel_count
ORDER BY rel_count DESC
MATCH p = (m)<-[r:AdminTo]-(n)
RETURN n.name AS User, count(r) AS ComputersWhereAdmin
ORDER BY ComputersWhereAdmin DESC
```

2. BloodHound UI: Top 10 users with the most DIRECT local admin rights

  • Replace “LIMIT 10” with however many of the top results you want from the previous list

```cypher
MATCH (n:User)-[r:AdminTo]->(m:Computer)
WHERE NOT n.name STARTS WITH 'ANONYMOUS LOGON' AND NOT n.name = ''
WITH n, count(r) AS rel_count
ORDER BY rel_count DESC
LIMIT 10
MATCH p = (m)<-[r:AdminTo]-(n)
RETURN n
```

3. BloodHound UI: Mark these users as HVTs

  • Replace “LIMIT 10” again, as in step 2

```cypher
MATCH (n:User)-[r:AdminTo]->(m:Computer)
WHERE NOT n.name STARTS WITH 'ANONYMOUS LOGON' AND NOT n.name = ''
WITH n, count(r) AS rel_count
ORDER BY rel_count DESC
LIMIT 10
MATCH p = (m)<-[r:AdminTo]-(n)
SET n.highvalue = true
RETURN n
```

4. BloodHound UI: If needed, unmark Owned nodes as HVTs

```cypher
MATCH (u:User {highvalue: true})
WHERE u.owned
SET u.highvalue = false
RETURN u
```
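The steps above count only DIRECT AdminTo edges, so a user whose admin rights come through nested group membership is ranked at zero. The following single query is an added example, not part of the original page: it ranks users by computers they administer directly or via MemberOf chains, and marks the top N as HVTs. It assumes the standard BloodHound MemberOf/AdminTo edges and a `$limit` query parameter (set it in the Neo4j web UI with `:param limit => 10`).

```cypher
// Added example: rank users by direct + group-inherited local admin rights,
// then mark the top $limit as HVTs. MemberOf*1.. follows nested groups, so
// this can be slow on very large graphs; narrow the user set first if needed.
MATCH (u:User)
WHERE NOT u.name STARTS WITH 'ANONYMOUS LOGON' AND NOT u.name = ''
// Direct admin rights (same edge the original steps use)
OPTIONAL MATCH (u)-[:AdminTo]->(c1:Computer)
// Admin rights inherited through one or more group memberships
OPTIONAL MATCH (u)-[:MemberOf*1..]->(:Group)-[:AdminTo]->(c2:Computer)
// Merge both sets; collect() skips nulls, DISTINCT avoids double counting
WITH u, collect(DISTINCT c1) + collect(DISTINCT c2) AS computers
UNWIND computers AS c
WITH u, count(DISTINCT c) AS admin_count
ORDER BY admin_count DESC
LIMIT $limit
SET u.highvalue = true
RETURN u.name AS User, admin_count AS ComputersWhereAdmin
```

Users with no admin rights at all drop out at the UNWIND, so only accounts that actually hold rights can be marked. Step 4 above still applies afterwards if you want Owned nodes excluded.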

See Also