Cypher Queries in BloodHound Enterprise

BloodHound Enterprise (BHE) recently saw the addition of a new, game-changing feature: open-ended Cypher searches. For those unfamiliar, Cypher is a declarative query language for retrieving data from a graph database (in this case, Neo4j). As you’ll soon see, Cypher queries are written as patterns of nodes and the relationships between them, which is exactly how BHE already models principals and the permissions that connect them. Consequently, Cypher lets users turn the mental model they hold about how principals and objects relate in Active Directory and Entra ID into concrete queries whose results they can visualize.

As a brief primer, I’ll note that the Cypher language can seem a little confusing at first — or maybe it’s just me. Generally, we don’t tend to visualize our search queries the way Cypher queries are constructed, but over time it begins to make sense as you dig into the way these relationships exist, are modeled, and consequently searched. Structurally, Cypher uses a Node-Relationship-Node pattern as its basis: a node in parentheses, a relationship in square brackets, and an arrow giving the relationship’s direction. To demonstrate this, on the Neo4j developer Cypher page we can find this example visual:

Figure 1. Neo4j Developer Cypher page Query Example

This query matches a Person node whose name property is Dan, follows an outgoing relationship of type LOVES to a node bound to the variable whom, and then returns whom, which gives us the node(s) Dan loves.

What does this mean for BloodHound Enterprise? It means that if you want to find every instance of a User that has GenericAll privileges over something like a Container, you can specify MATCH p=(n:User)-[:GenericAll]->(c:Container) RETURN p, which binds each matching path to the variable p and might return something like:

Figure 2. Cypher Example Query: User GenericAll on Container

Here we can visualize the relationship described as, “any instance where a User has GenericAll privileges on a Container.” And while this example may be simple, it should provide a basic understanding of how these queries are built and what they can produce, which leads into leveraging them for better clarity over our Active Directory and Entra ID environments.
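To show how the same Node-Relationship-Node pattern grows into queries you would actually run during a review, here is an added set of Cypher examples that are not part of the original post or of SpecterOps’ own query library. They assume the standard BloodHound graph schema (node labels User, Group, Computer, Container; edge types GenericAll, MemberOf and Contains; node properties name and enabled); the statement comments describe what each query is meant to surface.

```cypher
// Added example, not from the original post. Assumes the BloodHound
// schema: labels User/Group/Computer/Container, edge types
// GenericAll/MemberOf/Contains, properties name and enabled.

// 1. The post's query, narrowed to enabled users and returned as a
//    table instead of a path so the result can be exported.
MATCH (u:User)-[:GenericAll]->(c:Container)
WHERE u.enabled = true
RETURN u.name AS user, c.name AS container
ORDER BY user;

// 2. Count per user: a principal with GenericAll over many containers
//    is a better place to start than one with a single edge.
MATCH (u:User)-[:GenericAll]->(c:Container)
RETURN u.name AS user, count(c) AS containers
ORDER BY containers DESC
LIMIT 10;

// 3. Inherited version: users who reach GenericAll on a container only
//    through (possibly nested) group membership. The *1.. on MemberOf
//    follows any number of group hops.
MATCH p=(u:User)-[:MemberOf*1..]->(g:Group)-[:GenericAll]->(c:Container)
RETURN p;

// 4. Does the container hold anything that matters? Follow Contains
//    down to the principals inside it so the impact of the edge is
//    visible in the same graph.
MATCH p=(u:User)-[:GenericAll]->(c:Container)-[:Contains*1..]->(o)
WHERE o:User OR o:Computer OR o:Group
RETURN p;
```

Each statement is meant to be run on its own in the Cypher search box; queries that RETURN p draw the paths in the graph view, while those that return named columns give a table. Start with the tabular versions when the graph is large: a RETURN p over a variable-length MemberOf chain in a big domain can return far more paths than the view can usefully render.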

In this blog, I will further discuss how we at SpecterOps have seen our BHE customers leve

[…]

This article has been indexed from Security Boulevard
