custom config

Dockerfile

@@ -34,9 +34,8 @@ RUN wget https://github.com/BloodHoundAD/BloodHound/releases/download/$bloodhoun
     mkdir /data &&\
     chmod +x /opt/BloodHound-linux-x64/BloodHound
 
-# BloodHound Old Queries
-RUN mkdir -p /root/.config/bloodhound &&\
-    wget https://raw.githubusercontent.com/BloodHoundAD/BloodHound/e17462cf50422bfe9572e60390d32479fdbc32c4/src/components/SearchContainer/Tabs/PrebuiltQueries.json -O /root/.config/bloodhound/customqueries.json
+# BloodHound Config
+COPY config/*.json /root/.config/bloodhound/
 
 # BloodHound Test Data
 RUN if [ "$data" = "example" ]; then \
@@ -50,11 +49,12 @@ RUN if [ "$data" = "example" ]; then \
 RUN echo '#!/usr/bin/env bash\n\
     service neo4j start\n\
     echo "Starting ..."\n\
-    if [ ! -e /opt/.ready ]; then touch /opt/.ready; sleep 15\n\
-    curl -H "Content-Type: application/json" -X POST -d {\"password\":\"blood\"} -u neo4j:neo4j http://127.0.0.1:7474/user/neo4j/password &1>/dev/null; fi\n\
+    if [ ! -e /opt/.ready ]; then touch /opt/.ready\n\
+    echo "First run takes some time"; sleep 5\n\
+    until $(curl -s -H "Content-Type: application/json" -X POST -d {\"password\":\"blood\"} --fail -u neo4j:neo4j http://127.0.0.1:7474/user/neo4j/password); do sleep 4; done; fi\n\
     cp -n /opt/BloodHound-linux-x64/resources/app/Ingestors/SharpHound.* /data\n\
     echo "\e[92m*** Log in with bolt://127.0.0.1:7687 (neo4j:blood) ***\e[0m"\n\
-    sleep 5; /opt/BloodHound-linux-x64/BloodHound 2>/dev/null\n' > /opt/run.sh &&\
+    sleep 7; /opt/BloodHound-linux-x64/BloodHound 2>/dev/null\n' > /opt/run.sh &&\
     chmod +x /opt/run.sh
 
 

config/config.json

@@ -0,0 +1,33 @@
+{
+	"performance": {
+		"edge": 5,
+		"lowGraphics": false,
+		"nodeLabels": 0,
+		"edgeLabels": 0,
+		"darkMode": false
+	},
+	"edgeincluded": {
+		"MemberOf": true,
+		"HasSession": true,
+		"AdminTo": true,
+		"AllExtendedRights": true,
+		"AddMember": true,
+		"ForceChangePassword": true,
+		"GenericAll": true,
+		"GenericWrite": true,
+		"Owns": true,
+		"WriteDacl": true,
+		"WriteOwner": true,
+		"CanRDP": true,
+		"ExecuteDCOM": true,
+		"AllowedToDelegate": true,
+		"ReadLAPSPassword": true,
+		"Contains": true,
+		"GpLink": true
+	},
+	"databaseInfo": {
+		"url": "bolt://localhost:7687",
+		"user": "neo4j",
+		"password": "blood"
+	}
+}

config/customqueries.json

@@ -0,0 +1,122 @@
+{
+    "queries": [
+        {
+            "name": "Find DCSyncers",
+            "queryList": [
+                {
+                    "final": false,
+                    "title": "Select a Domain...",
+                    "query":
+                        "MATCH (n:Domain) RETURN n.name ORDER BY n.name DESC"
+                },
+                {
+                    "final": true,
+                    "query":
+                        "MATCH p=(n1)-[:MemberOf|GetChanges*1..]->(u:Domain {name: {result}}) WITH p,n1 MATCH p2=(n1)-[:MemberOf|GetChangesAll*1..]->(u:Domain {name: {result}}) WITH p,p2 MATCH p3=(n2)-[:MemberOf|GenericAll|AllExtendedRights*1..]->(u:Domain {name: {result}}) RETURN p,p2,p3",
+                    "allowCollapse": true,
+                    "endNode": "{}"
+                }
+            ]
+        },
+        {
+            "name": "Find logged in Admins",
+            "queryList": [
+                {
+                    "final": true,
+                    "query":
+                        "MATCH p=(a:Computer)-[r:HasSession]->(b:User) WITH a,b,r MATCH p=shortestPath((b)-[:AdminTo|MemberOf*1..]->(a)) RETURN p",
+                    "allowCollapse": true
+                }
+            ]
+        },
+        {
+            "name": "Top Ten Users with Most Sessions",
+            "queryList": [
+                {
+                    "final": true,
+                    "query":
+                        "MATCH (n:User),(m:Computer), (n)<-[r:HasSession]-(m) WHERE NOT n.name STARTS WITH 'ANONYMOUS LOGON' AND NOT n.name='' WITH n, count(r) as rel_count order by rel_count desc LIMIT 10 MATCH p=(m)-[r:HasSession]->(n) RETURN p",
+                    "allowCollapse": true
+                }
+            ]
+        },
+        {
+            "name": "Top Ten Computers with Most Sessions",
+            "queryList": [
+                {
+                    "final": true,
+                    "query":
+                        "MATCH (n:User),(m:Computer), (n)<-[r:HasSession]-(m) WHERE NOT n.name STARTS WITH 'ANONYMOUS LOGON' AND NOT n.name='' WITH m, count(r) as rel_count order by rel_count desc LIMIT 10 MATCH p=(m)-[r:HasSession]->(n) RETURN n,r,m",
+                    "allowCollapse": true
+                }
+            ]
+        },
+        {
+            "name": "Top Ten Users with Most Local Admin Rights",
+            "queryList": [
+                {
+                    "final": true,
+                    "query":
+                        "MATCH (n:User),(m:Computer), (n)-[r:AdminTo]->(m) WHERE NOT n.name STARTS WITH 'ANONYMOUS LOGON' AND NOT n.name='' WITH n, count(r) as rel_count order by rel_count desc LIMIT 10 MATCH p=(m)<-[r:AdminTo]-(n) RETURN p",
+                    "allowCollapse": true
+                }
+            ]
+        },
+        {
+            "name": "Top Ten Computers with Most Admins",
+            "queryList": [
+                {
+                    "final": true,
+                    "query":
+                        "MATCH (n:User),(m:Computer), (n)-[r:AdminTo]->(m) WHERE NOT n.name STARTS WITH 'ANONYMOUS LOGON' AND NOT n.name='' WITH m, count(r) as rel_count order by rel_count desc LIMIT 10 MATCH p=(m)<-[r:AdminTo]-(n) RETURN p",
+                    "allowCollapse": true
+                }
+            ]
+        },
+        {
+            "name": "Shortest Path from SPN User",
+            "queryList": [
+                {
+                    "final": false,
+                    "title": "Select a domain...",
+                    "query":
+                        "MATCH (n:Domain) RETURN n.name ORDER BY n.name DESC"
+                },
+                {
+                    "final": false,
+                    "title": "Select a user",
+                    "query":
+                        "MATCH (n:User) WHERE n.domain={result} AND n.HasSPN=true RETURN n.name, n.PwdLastSet ORDER BY n.PwdLastSet ASC"
+                },
+                {
+                    "final": true,
+                    "query":
+                        "MATCH n=shortestPath((a:User {name:{result}})-[r:MemberOf|AdminTo|HasSession|Contains|GpLink|Owns|DCSync|AllExtendedRights|ForceChangePassword|GenericAll|GenericWrite|WriteDacl|WriteOwner*1..]->(b:Computer)) RETURN n",
+                    "startNode": "{}",
+                    "allowCollapse": true
+                }
+            ]
+        },
+        {
+            "name": "Shortest Paths to Domain Admins from SPN Users",
+            "queryList": [
+                {
+                    "final": false,
+                    "title": "Select a Domain Admin group...",
+                    "query":
+                        "MATCH (n:Group) WHERE n.name =~ {name} RETURN n.name ORDER BY n.name DESC",
+                    "props": {
+                        "name": "(?i).*DOMAIN ADMINS.*"
+                    }
+                },
+                {
+                    "final": true,
+                    "query":
+                        "MATCH (n:User),(m:Group {name:{result}}),p=shortestPath((n)-[r:MemberOf|AdminTo|HasSession|Contains|GpLink|Owns|DCSync|AllExtendedRights|ForceChangePassword|GenericAll|GenericWrite|WriteDacl|WriteOwner*1..]->(m)) WHERE n.HasSPN=true RETURN p",
+                    "allowCollapse": true,
+                    "endNode": "{}"
+                }
+            ]
+        }
+    ]
+}