Finding and listing all on-premises users and Azure users that may be related to AAD Connect

In the Raw Query module of the BloodHound interface, enter the following query to find and list all on-premises users and Azure users that may be related to AAD Connect: the MSOL_ account that the on-premises connector uses, the Sync_ account it creates in the tenant, and any account with "AADConnect" in its name. The result is shown in Figure 1-1.

MATCH (u) WHERE (u:User OR u:AZUser) AND (u.name =~ '(?i)^MSOL_.*|.*AADConnect.*' OR u.userprincipalname =~ '(?i)^sync_.*') OPTIONAL MATCH (c:Computer)-[:HasSession]->(u) RETURN u, c

Two details of this query decide whether it returns anything. Cypher's =~ operator only succeeds when the regular expression matches the whole property value, so the MSOL_ alternative has to be written MSOL_.* (a bare ^MSOL_ would only match an account literally named "MSOL_"). The HasSession edge in the BloodHound schema runs from a Computer to the logged-on User and there is no Session node label, so the optional match is written as (c:Computer)-[:HasSession]->(u) and the host holding the session is returned next to the account.


Figure 1-1

BloodHound supports many more Cypher queries for AAD Connect enumeration; this section only demonstrated "find and list all on-premises users and Azure users that may be related to AAD Connect". Further query syntax for AAD Connect enumeration, with a description of each query, is listed in the table below.

Query syntax:
MATCH (u) WHERE (u:User OR u:AZUser) AND (u.name =~ '(?i)^MSOL_.*|.*AADConnect.*' OR u.userprincipalname =~ '(?i)^sync_.*') OPTIONAL MATCH (c:Computer)-[:HasSession]->(u) RETURN u, c
Function description:
Find and list all on-premises users and Azure users that may be related to AAD Connect (MSOL_ accounts, Sync_ accounts and names containing "AADConnect"), together with any computer that currently holds a session for them.

Query syntax:
MATCH p=(m:Computer)-[:HasSession]->(n) WHERE (n:User OR n:AZUser) AND ((n.name =~ '(?i)^MSOL_.*|.*AADConnect.*') OR (n.userprincipalname =~ '(?i)^sync_.*')) RETURN p
Function description:
Find the computers that currently hold a session for an AAD Connect related account; the Computer -> HasSession -> account paths are returned, i.e. the hosts on which those accounts are logged on.

Query syntax:
MATCH (n:AZUser) WHERE n.name =~ '(?i)^SYNC_(.*?)_(.*?)@.*' WITH n, split(n.name, '_')[1] AS computerNamePattern MATCH (c:Computer) WHERE c.name CONTAINS computerNamePattern RETURN c
Function description:
Find all AAD Connect servers (the server name is extracted from the Sync_ account name, which AAD Connect builds as Sync_<ServerName>_<id>@<tenant>).

Query syntax:
MATCH (n:AZUser) WHERE n.name =~ '(?i)^SYNC_(.*?)_(.*?)@.*' WITH n, split(n.name, '_')[1] AS computerNamePattern MATCH (c:Computer) WHERE c.name CONTAINS computerNamePattern WITH collect(c) AS computers MATCH p = shortestPath((u:User)-[*]-(c:Computer)) WHERE c IN computers AND length(p) > 0 AND u.owned = true RETURN u, p
Function description:
Find the shortest path from the owned users to the AAD Connect servers.

A few points to check before relying on these queries. Neo4j property keys are case-sensitive, so the Azure UPN property must be spelled exactly as AzureHound stores it (userprincipalname); a query written against userPrincipalName silently matches nothing. The regular expressions are whole-string matches, which is why every alternative ends in .*. The third and fourth queries assume the AAD Connect server name contains no underscore, since split(n.name, '_')[1] takes only the text up to the next underscore. Finally, the fourth query walks any relationship type to an unbounded depth; on a large graph, restrict the hop count (for example [*1..5]) or the relationship types to keep the search cheap.
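The following Python is an added example (not code from the page, nor from BloodHound or AzureHound) that reproduces the matching logic of the queries above on a constructed set of BloodHound-style nodes and HasSession edges, so the regular expressions and the Sync_ name parsing can be checked without a Neo4j instance. It uses re.fullmatch because Cypher's =~ matches the whole string, which also shows why an MSOL_ alternative written without a trailing .* matches nothing useful. The CORP.LOCAL domain, the CONTOSO tenant, the AADC01 server and every account name are constructed sample data; the Sync_<ServerName>_<id>@<tenant> naming convention is the one the third query relies on.

```python
import re

# Cypher's =~ operator only succeeds when the regex matches the WHOLE string,
# so re.fullmatch (not re.search) is the faithful Python equivalent.
def cypher_like_match(pattern: str, value: str) -> bool:
    """Return True when `value =~ pattern` would be true in Cypher."""
    return re.fullmatch(pattern, value) is not None


# Patterns used by the queries in the table (the MSOL_ alternative is written
# MSOL_.* so that it matches the whole account name under full-match rules).
AADC_NAME_RE = r"(?i)^MSOL_.*|.*AADConnect.*"
SYNC_UPN_RE = r"(?i)^sync_.*"
# AAD Connect names its cloud sync account Sync_<ServerName>_<id>@<tenant>;
# group 1 is therefore the host name of the AAD Connect server.
SYNC_NAME_RE = r"(?i)^SYNC_(.*?)_(.*?)@.*"

# Constructed sample graph (not real data): BloodHound-style nodes and
# Computer -> HasSession -> account edges. AADC01 plays the AAD Connect server.
NODES = [
    {"label": "User", "name": "MSOL_A1B2C3D4E5F6@CORP.LOCAL", "userprincipalname": ""},
    {"label": "User", "name": "SVC_AADCONNECT@CORP.LOCAL", "userprincipalname": ""},
    {"label": "User", "name": "JDOE@CORP.LOCAL", "userprincipalname": ""},
    {"label": "AZUser", "name": "SYNC_AADC01_3F2A9C@CONTOSO.ONMICROSOFT.COM",
     "userprincipalname": "Sync_AADC01_3f2a9c@contoso.onmicrosoft.com"},
    {"label": "AZUser", "name": "ALICE@CONTOSO.ONMICROSOFT.COM",
     "userprincipalname": "alice@contoso.onmicrosoft.com"},
    {"label": "Computer", "name": "AADC01.CORP.LOCAL", "userprincipalname": ""},
    {"label": "Computer", "name": "WS01.CORP.LOCAL", "userprincipalname": ""},
]
HAS_SESSION = [  # (computer name, account name): the edge direction BloodHound uses
    ("AADC01.CORP.LOCAL", "MSOL_A1B2C3D4E5F6@CORP.LOCAL"),
    ("WS01.CORP.LOCAL", "JDOE@CORP.LOCAL"),
]


def is_aadconnect_account(node: dict) -> bool:
    """Predicate of the first query: a User/AZUser whose name or UPN looks AAD Connect related."""
    if node["label"] not in ("User", "AZUser"):
        return False
    return (cypher_like_match(AADC_NAME_RE, node["name"])
            or cypher_like_match(SYNC_UPN_RE, node["userprincipalname"]))


def aadconnect_accounts(nodes):
    """Names of all nodes the first query would return."""
    return [n["name"] for n in nodes if is_aadconnect_account(n)]


def computers_with_aadconnect_sessions(nodes, edges):
    """Second query: hosts that currently hold a session for an AAD Connect related account."""
    by_name = {n["name"]: n for n in nodes}
    return sorted({comp for comp, acct in edges
                   if acct in by_name and is_aadconnect_account(by_name[acct])})


def aadconnect_servers(nodes):
    """Third query: derive the AAD Connect server from each Sync_ account and match Computer nodes."""
    servers = {}
    for az in nodes:
        if az["label"] != "AZUser":
            continue
        m = re.fullmatch(SYNC_NAME_RE, az["name"])
        if not m:
            continue
        # Same as split(n.name, '_')[1] in the Cypher query; breaks if the host name contains '_'.
        host_pattern = m.group(1).upper()
        matches = [c["name"] for c in nodes
                   if c["label"] == "Computer" and host_pattern in c["name"].upper()]
        if matches:
            servers[az["name"]] = matches
    return servers


if __name__ == "__main__":
    print("AAD Connect related accounts:", aadconnect_accounts(NODES))
    print("Hosts with sessions for them:", computers_with_aadconnect_sessions(NODES, HAS_SESSION))
    print("AAD Connect servers:", aadconnect_servers(NODES))
```

Running the script lists the MSOL_, SVC_AADCONNECT and SYNC_ accounts, reports AADC01 as the only host with a session for one of them, and maps the SYNC_AADC01_... account back to AADC01.CORP.LOCAL. Swapping AADC_NAME_RE for the full-match-unsafe form (?i)^MSOL_|.*AADConnect.* drops the MSOL_ account from the first list, which is the behaviour to watch for when a query returns fewer rows than expected.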