diff --git a/tasks/default.tasks b/tasks/default.tasks
index 0b3afc5..5d33e09 100644
--- a/tasks/default.tasks
+++ b/tasks/default.tasks
@@ -60,8 +60,10 @@
 ["User No Kerb Needed","HTMLCSV","Users_NoKerbReq","MATCH (n:User {dontreqpreauth: true}) RETURN n.name as Username, n.displayname as DisplayName, n.description as Description, n.title as Title, n.pwdneverexpires as PasswordNeverExpires, n.passwordnotreqd as PasswordNotRequired, n.sensitive as Sensitive, n.admincount as AdminCount, n.serviceprincipalnames as SPNs"]
 ["Users Computer Direct Admin Count","HTML","Users_Count_DirectAdminComputers.html","MATCH (u:User)-[:AdminTo]->(c:Computer) RETURN count(DISTINCT(c.name)) AS COMPUTER, u.name AS USER ORDER BY count(DISTINCT(c.name)) DESC"]
 ["Users Computer InDirect Admin Count","HTML","Users_Count_InDirectAdminComputers.html","MATCH (u:User)-[:AdminTo]->(c:Computer) RETURN count(DISTINCT(c.name)) AS COMPUTER, u.name AS USER ORDER BY count(DISTINCT(c.name)) DESC"]
-["Users Not Active 6 Months","HTMLCSV","UsersNotActive6mo","WITH timestamp() / 1000 AS date_now MATCH (n:User) WHERE date_now - toInteger(n.lastlogontimestamp) > 15552000 AND n.lastlogontimestamp<>-1.0 RETURN n.name as Username, n.displayname as DisplayName, toInteger(n.lastlogontimestamp) as LastLogonTimeStamp"]
-["Users Not Active 12 Months","HTMLCSV","UsersNotActive12mo","WITH timestamp() / 1000 AS date_now MATCH (n:User) WHERE date_now - toInteger(n.lastlogontimestamp) > 31104000 AND n.lastlogontimestamp<>-1.0 RETURN n.name as Username, n.displayname as DisplayName, toInteger(n.lastlogontimestamp) as LastLogonTimeStamp"]
+["Users Not Active 6 Months", "HTMLCSV", "UsersNotActive6mo", "WITH timestamp() / 1000 AS date_now MATCH (n:User) WHERE date_now - toInteger(n.lastlogontimestamp) > 15552000 AND n.lastlogontimestamp<>-1.0 RETURN n.name as Username, n.displayname as DisplayName, n.enabled as Enabled, toString(datetime({epochSeconds: ToInteger(coalesce(n.lastlogontimestamp,0))})) as LastLogon ORDER BY LastLogon" ]
+["Users Not Active 12 Months", "HTMLCSV", "UsersNotActive12mo", "WITH timestamp() / 1000 AS date_now MATCH (n:User) WHERE date_now - toInteger(n.lastlogontimestamp) > 31104000 AND n.lastlogontimestamp<>-1.0 RETURN n.name as Username, n.displayname as DisplayName, n.enabled as Enabled, toString(datetime({epochSeconds: ToInteger(coalesce(n.lastlogontimestamp,0))})) as LastLogon ORDER BY LastLogon" ]
+["Users Not Active 60 Months", "HTMLCSV", "UsersNotActive60mo", "WITH timestamp() / 1000 AS date_now MATCH (n:User) WHERE date_now - toInteger(n.lastlogontimestamp) > 155520000 AND n.lastlogontimestamp<>-1.0 RETURN n.name as Username, n.displayname as DisplayName, n.enabled as Enabled, toString(datetime({epochSeconds: ToInteger(coalesce(n.lastlogontimestamp,0))})) as LastLogon ORDER BY LastLogon" ]
+["Users Not Active 120 Months", "HTMLCSV", "UsersNotActive120mo", "WITH timestamp() / 1000 AS date_now MATCH (n:User) WHERE date_now - toInteger(n.lastlogontimestamp) > 311040000 AND n.lastlogontimestamp<>-1.0 RETURN n.name as Username, n.displayname as DisplayName, n.enabled as Enabled, toString(datetime({epochSeconds: ToInteger(coalesce(n.lastlogontimestamp,0))})) as LastLogon ORDER BY LastLogon" ]
 ["Users Never Active","HTMLCSV","Users_NeverActive_Enabled","MATCH (n:User) WHERE n.lastlogontimestamp=-1.0 AND n.enabled=TRUE RETURN n.name as Username ORDER BY n.name"]
 ["Users Password Never Expires Exception", "HTMLCSV", "Users_NeverExpirePasswords", "MATCH (n:User) WHERE n.pwdneverexpires RETURN n.name as Name,n.displayname as DisplayName,n.enabled as Enabled, n.highvalue as HighValue, n.description as Description, n.title as Title, n.pwdneverexpires as PWDNeverExpires, n.passwordnotreqd as PWDNotReqd, n.sensitive as Sensitive, n.admincount as AdminCount, n.serviceprincipalnames as SPN, toString(datetime({epochSeconds: ToInteger(coalesce(n.pwdlastset,0))})) as PWDLastSet, toString(datetime({epochSeconds: ToInteger(coalesce(n.lastlogon,0))})) as LastLogon" ]
 ["Hunt - Users with Pass or PW in Description", "HTML", "HuntUsersWithPassInDescription.html", "MATCH (n:User) WHERE n.description =~ '(?i).*(pass|pw).*' RETURN n.name as Name,n.displayname as DisplayName,n.enabled as Enabled, n.highvalue as HighValue, n.description as Description, n.title as Title, n.pwdneverexpires as PWDNeverExpires, n.passwordnotreqd as PWDNotReqd, n.sensitive as Sensitive, n.admincount as AdminCount, n.serviceprincipalnames as SPN, toString(datetime({epochSeconds: ToInteger(coalesce(n.pwdlastset,0))})) as PWDLastSet, toString(datetime({epochSeconds: ToInteger(coalesce(n.lastlogon,0))})) as LastLogon" ]
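Review bot: In the four added "Users Not Active" rows, the `coalesce(n.lastlogontimestamp,0)` in the RETURN can never take effect, because the predicate `date_now - toInteger(n.lastlogontimestamp) > …` evaluates to null for a missing property and the row is dropped before RETURN. A User node with no `lastlogontimestamp` property therefore appears in none of these reports, nor in "Users Never Active", which matches only `-1.0`; for a stale-account review that is a silent coverage gap. Consider a separate row filtered on `n.lastlogontimestamp IS NULL`, or state the exclusion in the task names. Since `Enabled` is now returned, `ORDER BY Enabled DESC, LastLogon` would group the still-enabled accounts together instead of interleaving them with disabled ones.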