added shadow credential persistence query

InfamousSYN · Jan 21, 2024 · 680be4d · 680be4d
1 parent 4589b52
commit 680be4d
Show file tree

Hide file tree

Showing 2 changed files with 18 additions and 1 deletion.
diff --git a/README.md b/README.md
@@ -21,7 +21,7 @@ c:\>(wget https://github.com/InfamousSYN/bloodhound-queries/raw/main/customqueri
 
 ## Query List
 
-Query count: 101
+Query count: 102
 
 
 ```
@@ -116,6 +116,7 @@ Privileged: List all enabled SVC account(s) with privileged group membership(s)
 Privileged: Route all privileged user(s) with sessions to non-privileged computer(s) [Required: sessions]
 Persistence: Find allshortestpaths with dangerous rights to AdminSDHolder object
 Persistence: Find allshortestpaths with DCSync to domain object
+Persistence: Find allshortestpaths with Shadow Credential permission to principal(s)
 AAD: List all Tenancy (Required: azurehound)
 AAD: [WIP] List all AAD Group(s) that are synchronized with AD (Required: azurehound)
 AAD: [WIP] List all principal(s) used for syncing AD and AAD

diff --git a/queries/persistence.json b/queries/persistence.json
@@ -30,5 +30,21 @@
           "allowCollapse": false
         }
       ]
+    },
+    {
+      "name":"Find allshortestpaths with Shadow Credential permission to principal(s)",
+      "category": "Persistence",
+      "queryList": [
+        {
+          "final": false,
+          "title": "Select source domain",
+          "query": "MATCH (n:Domain) RETURN n.name ORDER BY n.name"
+        },
+        {
+          "final": true,
+          "query": "MATCH p=allshortestpaths((a {domain: $result})-[:MemberOf|AddKeyCredentialLink*1..]->(b)) WHERE NOT a=b RETURN p",
+          "allowCollapse": false
+        }
+      ]
     }
 ]