Commit

HighValue group members without "account is sensitive and cannot be delegated"
Relkci committed Jan 3, 2024
1 parent 2e958c3 commit ff8abac
Showing 1 changed file with 1 addition and 0 deletions.
1 change: 1 addition & 0 deletions tasks/default.tasks
@@ -13,6 +13,7 @@
["DA Sessions","HTML","DA_Sessions.html","MATCH (n:User)-[:MemberOf]->(g:Group) WHERE g.objectid ENDS WITH \'-512\' MATCH p = (c:Computer)-[:HasSession]->(n) return n.name as Username, c.name as Computer"]
["EA Sessions","HTML","EA_Sessions.html","MATCH (n:User)-[:MemberOf]->(g:Group) WHERE g.objectid ENDS WITH \'-519\' MATCH p = (c:Computer)-[:HasSession]->(n) return n.name as Username, c.name as Computer"]
["HighValue Group Members (Limited to 1000)","HTMLCSV","Groups-HighValue-members","MATCH p=(n:User)-[r:MemberOf*1..]->(m:Group {highvalue:true}) RETURN n.name as User, m.name as Group Limit 1000"]
["Admins Without Sensitive Protection Flag", "HTMLCSV", "AdminsWithoutSensitiveFlag.html", "MATCH p=(n:User)-[r:MemberOf*1..]->(m:Group {highvalue:true}) WHERE n.sensitive=false RETURN m.name as Group, n.name as User, n.displayname as DisplayName,n.description as Description, n.enabled as Enabled, n.pwdneverexpires as PWDNeverExpire, n.trustedtoauth as TrustedToAuth, n.unconstraineddelegation as UncDelegation LIMIT 1000" ]
["Kerberoastable Users","HTML","Kerberoastable_Users.html","MATCH (n:User) WHERE n.hasspn=true RETURN n.name as Username, n.displayname as DisplayName,n.description as Description, n.title as Title, n.pwdneverexpires as PasswordNeverExpires, n.passwordnotreqd as PasswordNotRequired, n.sensitive as Sensitive, n.admincount as AdminCount, n.serviceprincipalnames as SPNs"]
["Pre-Windows 2000 Compatibility Access Direct Members", "HTMLCSV", "PreWindows2000.html", "MATCH p=(n:Group)<-[:MemberOf]-(m) WHERE n.objectid ENDS WITH 'S-1-5-32-554' RETURN n.domain as Domain, m.name as Name, m.displayname as DisplayName,m.description as Description, m.enabled as Enabled, m.pwdneverexpires as PWDNeverExpire, m.trustedtoauth as TrustedToAuth, m.unconstraineddelegation as UncDelegation" ]
["RDPable Servers","HTML","Workstations_RDP.html","match p=(g:Group)-[:CanRDP]->(c:Computer) where g.objectid ENDS WITH \'-513\' AND c.operatingsystem CONTAINS \'Server\' return c.name as Computer"]
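
Review bot: In the added "Admins Without Sensitive Protection Flag" entry, `WHERE n.sensitive=false` silently drops any user node on which the `sensitive` property is missing, because in Cypher a comparison against null evaluates to null and the row is filtered out. For a report meant to list unprotected high-value accounts that is a false negative. Consider `WHERE coalesce(n.sensitive,false)=false`, or report the null case separately. The variable-length `MemberOf*1..` match also returns one row per path, so a user nested into the same group by several routes is repeated and can use up the `LIMIT 1000` budget; `RETURN DISTINCT` would avoid that, and the title should say "(Limited to 1000)" as the HighValue entry above it does. `p` and `r` are bound but never used and can be dropped.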