Queries for Demonstrating Impact
Hunting Crown Jewels
Search user/computer/group names and descriptions for whatever you are looking for:
- Replace e:Computer with e:User / e:Group depending on what you are searching for. Case sensitive. Be sure to replace the search keyword in BOTH places.
MATCH (e:Computer) WHERE e.name =~ '(?i).*(<SEARCH-KEYWORD>).*' OR e.description =~ '(?i).*(<SEARCH-KEYWORD>).*' RETURN e.name,e.description
Example - Searching for CyberArk in an environment where it was spelled both "cybrark" and "cyberark" (the pattern cyb.?r matches both spellings):
MATCH (e:Computer) WHERE e.name =~ '(?i).*(cyb.?r).*' OR e.description =~ '(?i).*(cyb.?r).*' RETURN e.name,e.description
User/Group Hunting
Find computers where the user(s) you are targeting are logged in:
- Multiple users can be targeted - just separate the usernames with a pipe (|)
MATCH (c:Computer)-[:HasSession]->(u:User) WHERE u.name =~ '(?i).*(<USERNAME>).*' RETURN c.name, u.name, c.description
Find computers where members of a target group are logged in:
MATCH (c:Computer)-[:HasSession]->(u:User)-[:MemberOf*1..]->(g:Group) WHERE g.name =~ '(?i).*(<GROUP NAME>).*' RETURN c.name, u.name, c.description
Search computer descriptions for the user’s username and/or full name. Use the example under “Hunting Crown Jewels”.
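A small builder for the queries above, added here as an example and not part of the original notes: it fills the keyword into both places, joins several usernames with a pipe, and escapes regex metacharacters and quotes so a name such as svc.backup or o'neil is matched literally rather than as a pattern. It assumes the returned text is pasted into a raw Cypher query box as-is; Neo4j's =~ uses Java regex, for which Python's re.escape output is valid.

```python
import re

# Labels the notes switch between; anything else is rejected rather than spliced in.
NODE_LABELS = ("Computer", "User", "Group")


def _cypher_string(s: str) -> str:
    """Escape a value for use inside a single-quoted Cypher string literal."""
    return s.replace("\\", "\\\\").replace("'", "\\'")


def _contains_pattern(terms, regex=False) -> str:
    """Build the '(?i).*(a|b).*' pattern the notes' queries rely on.

    By default each term is matched literally (regex metacharacters escaped);
    with regex=True the terms pass through unchanged, e.g. 'cyb.?r'.
    """
    if not terms:
        raise ValueError("at least one search term is required")
    if regex:
        for t in terms:
            re.compile(t)  # fail early on a malformed pattern
        body = "|".join(terms)
    else:
        body = "|".join(re.escape(t) for t in terms)
    return f"(?i).*({body}).*"


def name_description_query(label, terms, regex=False) -> str:
    """Search name and description of one node type ('Hunting Crown Jewels')."""
    if label not in NODE_LABELS:
        raise ValueError(f"unsupported label {label!r}; use one of {NODE_LABELS}")
    pat = _cypher_string(_contains_pattern(terms, regex))
    return (f"MATCH (e:{label}) WHERE e.name =~ '{pat}' OR e.description =~ '{pat}' "
            "RETURN e.name,e.description")


def session_query(usernames) -> str:
    """Computers with a session for any of the given users ('User/Group Hunting')."""
    pat = _cypher_string(_contains_pattern(usernames))
    return (f"MATCH (c:Computer)-[:HasSession]->(u:User) WHERE u.name =~ '{pat}' "
            "RETURN c.name, u.name, c.description")


def group_session_query(group) -> str:
    """Computers where any (nested) member of the named group has a session."""
    pat = _cypher_string(_contains_pattern([group]))
    return ("MATCH (c:Computer)-[:HasSession]->(u:User)-[:MemberOf*1..]->(g:Group) "
            f"WHERE g.name =~ '{pat}' RETURN c.name, u.name, c.description")
```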
To do:
- Computers where the user/group has local admin access