Despite clearly having high value nodes, the "highvalue" property is nowhere to be seen in neo4j and cannot be queried on. This used to work before SpecterOps.
After some digging, I realized this had been changed to a system_tag, which also contains the "owned" property.
"system_tags": "admin_tier_0",
OR
"system_tags": "admin_tier_0 owned",
So to find high value targets, I would use:
MATCH (m) where m.system_tags =~'admin_tier_0.*' RETURN m
For some reason, nothing seems to work for NOT highvalue. The following works in neo4j, but in Bloodhound results in an error:
"line 1:26 no viable alternative at input 'match (m) where not exists('"
match (m) where not exists(m.system_tags) return m limit 8
EDIT: I found a hack to do this that works in bloodhound:
match (m) where not 'system_tags' in keys(m) return m limit 8
It would be great if this was documented, including a way to query on NOT highvalue. Old bloodhound queries that use highvalue don't work anymore.
Component(s) Affected:
UI
API
Neo4j
PostgreSQL
Data Collector (SharpHound, AzureHound)
[x] Other (tooling, documentation, etc.)
Steps to Reproduce:
Expected Behavior:
A description of what you expected to happen.
Actual Behavior:
A description of what actually happened.
Screenshots/Code Snippets/Sample Files:
If applicable, add screenshots, relevant code snippets, or sample files that help illustrate the issue.
git clone https://github.com/SpecterOps/BloodHound.git
cd BloodHound/examples/docker-compose
docker compose up
Environment Information:
BloodHound: [BloodHound version or revision]
Collector: [SharpHound version / AzureHound version]
OS: [your OS and version]
Browser (if UI related): [browser name and version]
Node.js (if UI related): [Node.js version]
Go (if API related): [Go version]
Database (if persistence related): [Neo4j version / PostgreSQL version]
Docker (if using Docker): [docker version]
Additional Information:
Any additional context or information that might be helpful in understanding and diagnosing the issue.
Potential Solution (Optional):
If you have any ideas about what might be causing the issue or how it could be fixed, you can share them here.
Related Issues:
If you've found related issues in the project's issue tracker, mention them here.
Contributor Checklist:
[x] I have searched the issue tracker to ensure this bug hasn't been reported before or is not already being addressed.
[x] I have provided clear steps to reproduce the issue.
[x] I have included relevant environment information details.
[x] I have attached necessary supporting documents.
[x] I have checked that any JSON files I am attempting to upload to BloodHound are valid.
TheKevinWang
changed the title
Documentation needs to include "highvalue" as "system_tags":"admin_tier_0"
Documentation needs to include "highvalue" as "system_tags":"admin_tier_0" and how to query for NOT highvalue
Jun 11, 2024
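Added example, not part of the original issue and not BloodHound code: a Python model of the tag logic discussed in the issue, run over constructed node properties. It assumes `system_tags` is a space-separated string and that tag order can vary (an assumption; the issue only shows `admin_tier_0` first), and compares the prefix regex and the key-absence check against matching `admin_tier_0` as a whole tag.

```python
import re

# Constructed sample nodes (hypothetical names, not real data), shaped like
# the node properties quoted in the issue.
NODES = [
    {"name": "DOMAIN ADMINS@EXAMPLE.LOCAL", "system_tags": "admin_tier_0"},
    {"name": "DC01.EXAMPLE.LOCAL", "system_tags": "admin_tier_0 owned"},
    # Assumption: tags may appear in a different order than the issue shows.
    {"name": "SVC-BACKUP@EXAMPLE.LOCAL", "system_tags": "owned admin_tier_0"},
    {"name": "JSMITH@EXAMPLE.LOCAL", "system_tags": "owned"},
    {"name": "WS042.EXAMPLE.LOCAL"},  # no system_tags property at all
]

TIER_ZERO = "admin_tier_0"

def tags(node):
    """Split the space-separated system_tags string into a set of tags."""
    return set((node.get("system_tags") or "").split())

def is_high_value(node):
    """High value means admin_tier_0 is present as a whole tag."""
    return TIER_ZERO in tags(node)

def regex_prefix_match(node):
    """Model of  m.system_tags =~ 'admin_tier_0.*'  (=~ matches the whole string)."""
    value = node.get("system_tags")
    return value is not None and re.fullmatch(r"admin_tier_0.*", value) is not None

def key_absent(node):
    """Model of  not 'system_tags' in keys(m)."""
    return "system_tags" not in node

def names(predicate):
    return [n["name"] for n in NODES if predicate(n)]

def compare():
    """Return the node names each approach selects, for side-by-side review."""
    return {
        "high_value": names(is_high_value),
        "regex_prefix": names(regex_prefix_match),
        "not_high_value": names(lambda n: not is_high_value(n)),
        "key_absent": names(key_absent),
    }

if __name__ == "__main__":
    for label, result in compare().items():
        print(f"{label:15} {result}")
```

The key-absence check returns only nodes with no `system_tags` property, so a node tagged just `owned` is not high value yet is missing from its results.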