These groups were included as high value targets in the old BH.
$TierZero = BHNodeGroup | ? name -eq 'Admin Tier Zero'
BHPath "MATCH (g:Group) WHERE (g.system_tags IS NULL OR NOT 'admin_tier_0' IN split(g.system_tags, ' ')) AND (g.objectid =~ '(?i).*S-1-5-.*-548' OR g.objectid =~ '(?i).*S-1-5-.*-549' OR g.objectid =~ '(?i).*S-1-5-.*-550') RETURN g" | Add-BHNodeToNodeGroup -NodeGroupID $TierZero.id -force$TierZero = BHNodeGroup | ? name -eq 'Admin Tier Zero'
BHPath "MATCH (n)-[:DCSync|AllExtendedRights|GenericAll]->(:Domain) WHERE (n.system_tags IS NULL OR NOT 'admin_tier_0' IN split(n.system_tags, ' ')) RETURN n" | Add-BHNodeToNodeGroup -NodeGroupID $TierZero.id -forceThis query is probably not necessary as BloodHound will create the abusable edge DCSync if GetChanges and GetChangesAll are given.
$TierZero = BHNodeGroup | ? name -eq 'Admin Tier Zero'
BHPath "MATCH (n)-[:DCSync|AllExtendedRights|GenericAll|GetChanges|GetChangesAll]->(:Domain) WHERE (n.system_tags IS NULL OR NOT 'admin_tier_0' IN split(n.system_tags, ' ')) RETURN n" | Add-BHNodeToNodeGroup -NodeGroupID $TierZero.id -force$TierZero = BHNodeGroup | ? name -eq 'Admin Tier Zero'
BHPath "MATCH (n) WHERE (n:User OR n:Computer) AND n.unconstraineddelegation = true AND (n.system_tags IS NULL OR NOT 'admin_tier_0' IN split(n.system_tags, ' ')) RETURN n" | Add-BHNodeToNodeGroup -NodeGroupID $TierZero.id -force$TierZero = BHNodeGroup | ? name -eq 'Admin Tier Zero'
BHPath "MATCH (n)-[:AdminTo|ForceChangePassword]->(b) WHERE (n.system_tags IS NULL OR NOT 'admin_tier_0' IN split(n.system_tags, ' ')) RETURN n" | Add-BHNodeToNodeGroup -NodeGroupID $TierZero.id -force$TierZero = BHNodeGroup | ? name -eq 'Admin Tier Zero'
BHPath "MATCH (n)-[:AllowedToDelegate|ExecuteDCOM|ForceChangePassword|GenericAll|GenericWrite|Owns|WriteDacl|WriteOwner]->(:Computer) WHERE (n.system_tags IS NULL OR NOT 'admin_tier_0' IN split(n.system_tags, ' ')) RETURN n" | Add-BHNodeToNodeGroup -NodeGroupID $TierZero.id -force$TierZero = BHNodeGroup | ? name -eq 'Admin Tier Zero'
BHPath "MATCH (n)-[:GenericAll|GenericWrite|MemberOf|Owns|WriteDacl|WriteOwner]->(g:Group) WHERE g.objectid =~ '(?i).*S-1-5-21-.*-517' AND (n.system_tags IS NULL OR NOT 'admin_tier_0' IN split(n.system_tags, ' ')) RETURN n" | Add-BHNodeToNodeGroup -NodeGroupID $TierZero.id -force$TierZero = BHNodeGroup | ? name -eq 'Admin Tier Zero'
BHPath "MATCH (n)-[:MemberOf*1..]->(g:Group) WHERE (n.system_tags IS NULL OR NOT 'admin_tier_0' IN split(n.system_tags, ' ')) AND g.system_tags CONTAINS 'admin_tier_0' RETURN n" | Add-BHNodeToNodeGroup -NodeGroupID $TierZero.id -forceThis creates a user Node Group called HasNoSMBSigning. Provide a file with computer names like "pc1.domain.local". One entry per line.
New-BHNodeGroup HasNoSMBSigning
$HasNoSMBSigning = BHNodeGroup | ? name -eq 'HasNoSMBSigning'
foreach($line in [System.IO.File]::ReadLines("./no-smb-computers.txt"))
{
BHSearch Computer $line | Add-BHNodeToNodeGroup -NodeGroupID $HasNoSMBSigning.id -force
}Inactive = last logon > 180 days.
$TierZero = BHNodeGroup | ? name -eq 'Admin Tier Zero'
BHPath "MATCH (uc) WHERE uc.system_tags CONTAINS 'admin_tier_0' AND ((uc:User AND uc.enabled = false) OR (uc:Computer AND ((uc.enabled = false) OR (uc.lastlogon > 0 AND uc.lastlogon < (TIMESTAMP() / 1000 - 15552000)) OR (uc.lastlogontimestamp > 0 AND uc.lastlogontimestamp < (TIMESTAMP() / 1000 - 15552000))))) RETURN uc" | Remove-BHNodeFromNodeGroup -NodeGroupID $TierZero.id -force$TierZero = BHNodeGroup | ? name -eq 'Admin Tier Zero'
BHPath 'MATCH (a:AZUser)-[:SyncedToADUser]->(n:User) WHERE "admin_tier_0" IN split(n.system_tags, " ") RETURN a' | Add-BHNodeToNodeGroup -NodeGroupID $TierZero.id -force