Tool - BloodHound AzureHoundCustomQuery

Collection of custom BloodHound queries

https://github.com/LuemmelSec/Custom-BloodHound-Queries

https://luemmelsec.github.io/Fantastic-BloodHound-Queries-and-Where-to-Find-Them/

Each entry lists the query name, its category, and the Cypher query.

Name: Return all Members of the 'Global Administrator' Role
Category: Azure - General
Query:
    MATCH p =(n)-[r:AZGlobalAdmin*1..]->(m) RETURN p

Name: Return all Members of High Privileged Roles
Category: Azure - General
Query:
    MATCH p=(n)-[:AZHasRole|AZMemberOf*1..2]->(r:AZRole) WHERE r.displayname =~ '(?i)Global Administrator|User Administrator|Cloud Application Administrator|Authentication Policy Administrator|Exchange Administrator|Helpdesk Administrator|PRIVILEGED AUTHENTICATION ADMINISTRATOR|Domain Name Administrator|Hybrid Identity Administrator|External Identity Provider Administrator|Privileged Role Administrator|Partner Tier2 Support|Application Administrator|Directory Synchronization Accounts' RETURN p

Name: Return all Members of High Privileged Roles synced from OnPrem AD
Category: Azure - General
Query:
    MATCH p=(n WHERE n.onpremisesyncenabled = true)-[:AZHasRole|AZMemberOf*1..2]->(r:AZRole WHERE r.displayname =~ '(?i)Global Administrator|User Administrator|Cloud Application Administrator|Authentication Policy Administrator|Exchange Administrator|Helpdesk Administrator|PRIVILEGED AUTHENTICATION ADMINISTRATOR') RETURN p

Name: Return all Azure Users synced from OnPrem AD
Category: Azure - General
Query:
    MATCH (n:AZUser WHERE n.onpremisesyncenabled = true) RETURN n

Name: Return all Azure Groups synced from OnPrem AD
Category: Azure - General
Query:
    MATCH (g:AZGroup {onpremsyncenabled: True}) RETURN g

Name: Return all Owners of Azure Applications
Category: Azure - General
Query:
    MATCH p = (n)-[r:AZOwns]->(g:AZApp) RETURN p

Name: Return all Azure Subscriptions
Category: Azure - General
Query:
    MATCH (n:AZSubscription) RETURN n

Name: Return all Azure Subscriptions and their direct Controllers
Category: Azure - General
Query:
    MATCH p = (n)-[r:AZOwns|AZUserAccessAdministrator]->(g:AZSubscription) RETURN p

Name: Return all principals with UserAccessAdministrator Role against Subs
Category: Azure - General
Query:
    MATCH p = (u)-[r:AZUserAccessAdministrator]->(n:AZSubscription) RETURN p

Name: Return all principals with UserAccessAdministrator Role
Category: Azure - General
Query:
    MATCH p = (u)-[r:AZUserAccessAdministrator]->(n) RETURN p

Name: Return all Azure Users without a Role but with "User Access Administrator"
Category: Azure - General
Query:
    MATCH (u:AZUser) WHERE NOT EXISTS((u)-[:AZMemberOf|AZHasRole*1..]->(:AZRole)) AND EXISTS((u)-[:AZUserAccessAdministrator]->()) RETURN u

Name: Find all Azure Users with Paths to High Value Targets
Category: Azure - Paths
Query:
    MATCH (m:AZUser),(n {highvalue:true}),p=shortestPath((m)-[r*1..]->(n)) WHERE NONE (r IN relationships(p) WHERE type(r)= "GetChanges") AND NONE (r in relationships(p) WHERE type(r)="GetChangesAll") AND NOT m=n RETURN p

Name: Find shortest Paths to High Value Roles
Category: Azure - Paths
Query:
    MATCH (n:AZRole WHERE n.displayname =~ '(?i)Global Administrator|User Administrator|Cloud Application Administrator|Authentication Policy Administrator|Exchange Administrator|Helpdesk Administrator|PRIVILEGED AUTHENTICATION ADMINISTRATOR'), (m), p=shortestPath((m)-[r*1..]->(n)) WHERE NOT m=n RETURN p

Name: Find shortest Paths from Owned Azure Users to Azure VMs
Category: Azure - Paths
Query:
    MATCH (n:AZVM) MATCH p = shortestPath((m:AZUser{owned: true})-[*..]->(n)) RETURN p

Name: Find shortest Paths from Azure Users to Subscriptions
Category: Azure - Paths
Query:
    MATCH (n:AZUser) WITH n MATCH p = shortestPath((n)-[r*1..]->(g:AZSubscription)) RETURN p

Name: Find all Service Principals with MS Graph AZMGGrantAppRoles rights
Category: Azure - MS Graph
Query:
    MATCH p=(n)-[r:AZMGGrantAppRoles]->(o:AZTenant) RETURN p

Name: Find shortest Paths to MS Graph
Category: Azure - MS Graph
Query:
    MATCH (n) WHERE NOT n.displayname="Microsoft Graph" WITH n MATCH p = shortestPath((n)-[r*1..]->(g:AZServicePrincipal {appdisplayname: "Microsoft Graph"})) WHERE n<>g RETURN p

Name: Return all PRIVILEGED Azure Service Principals
Category: Azure - Service Principals
Query:
    MATCH p=(n:AZServicePrincipal)-[:AZHasRole|AZMemberOf*1..2]->(r:AZRole) WHERE r.displayname =~ '(?i)Global Administrator|User Administrator|Cloud Application Administrator|Authentication Policy Administrator|Exchange Administrator|Helpdesk Administrator|PRIVILEGED AUTHENTICATION ADMINISTRATOR|Domain Name Administrator|Hybrid Identity Administrator|External Identity Provider Administrator|Privileged Role Administrator|Partner Tier2 Support|Application Administrator|Directory Synchronization Accounts' RETURN p