{"id":13803297,"url":"https://github.com/seajaysec/cypheroth","last_synced_at":"2026-03-03T20:32:32.378Z","repository":{"id":53838851,"uuid":"215388551","full_name":"seajaysec/cypheroth","owner":"seajaysec","description":"Automated, extensible toolset that runs cypher queries against Bloodhound's Neo4j backend and saves output to spreadsheets.","archived":false,"fork":false,"pushed_at":"2021-07-29T14:36:26.000Z","size":882,"stargazers_count":253,"open_issues_count":2,"forks_count":42,"subscribers_count":7,"default_branch":"master","last_synced_at":"2025-04-09T22:18:45.345Z","etag":null,"topics":["active-directory","bash-script","bloodhound","blueteam","cybersecurity","cypher-query-language","redteam"],"latest_commit_sha":null,"homepage":"","language":"Shell","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"bsd-2-clause","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/seajaysec.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null}},"created_at":"2019-10-15T20:16:43.000Z","updated_at":"2025-03-25T09:17:29.000Z","dependencies_parsed_at":"2022-08-23T02:41:00.959Z","dependency_job_id":null,"html_url":"https://github.com/seajaysec/cypheroth","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"purl":"pkg:github/seajaysec/cypheroth","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/seajaysec%2Fcypheroth","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/seajaysec%2Fcypheroth/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/seajaysec%2Fcypheroth/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/seajaysec%2Fcypheroth/manifests","owner_url":"https
://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/seajaysec","download_url":"https://codeload.github.com/seajaysec/cypheroth/tar.gz/refs/heads/master","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/seajaysec%2Fcypheroth/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":30058290,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-03-03T18:21:05.932Z","status":"ssl_error","status_checked_at":"2026-03-03T18:20:59.341Z","response_time":61,"last_error":"SSL_connect returned=1 errno=0 peeraddr=140.82.121.5:443 state=error: unexpected eof while reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["active-directory","bash-script","bloodhound","blueteam","cybersecurity","cypher-query-language","redteam"],"created_at":"2024-08-04T01:00:28.055Z","updated_at":"2026-03-03T20:32:32.359Z","avatar_url":"https://github.com/seajaysec.png","language":"Shell","funding_links":[],"categories":["Tools"],"sub_categories":[],"readme":"# Cypheroth\n Automated, extensible toolset that runs cypher queries against Bloodhound's Neo4j backend and saves output to spreadsheets.\n\n\n\u003cp align=\"center\"\u003e\n  \u003cimg src=\"./img/cypheroth.png\" alt=\"cypheroth\"/\u003e\n\u003c/p\u003e\n\n\n### Description\n\nThis is a bash script that automates running cypher queries against Bloodhound data stored in a Neo4j database.\n\nI found myself re-running the same queries through the Neo4j web interface 
on multiple assessments and figured there must be an easier way. 😅\n\nThe list of cypher queries to run is fully extensible. The formatting example below shows how to add your own.\n\nPlease share any additional useful queries so I can add them to this project!\n\n*Fully tested to be working in Bash on Linux, macOS, and Windows*\n\n### Demo\n\n![Cypheroth Demo](./img/demo_v1_4.svg)\n(Rendered with [termtosvg](https://github.com/nbedos/termtosvg) for your viewing pleasure)\n\n### Prereqs\n\n* The `cypher-shell` command comes bundled with Neo4j, and is required for this script to function\n  * _If Neo4j is installed and `cypher-shell` is not found, you may have an outdated version of Neo4j_\n  * _The latest version can always be found at [this location](https://neo4j.com/download-center/)_\n  * _On Kali, upgrade to the latest version using [Neo4j's Debian repository](https://debian.neo4j.org)_\n* Optional: If the `ssconvert` command is present, the script will combine all .csv output to sheets within a .xls file\n  * _Install the gnumeric toolset with apt or brew to gain access to ssconvert_\n\nOn Windows we recommend using WSL to run this script, while the neo4j database runs on Windows. You will just need to install the `cypher-shell` package in WSL (Linux).\n\n### Usage\n\nFlags:\n```\n  -u Neo4J Username (Required)\n  -p Neo4J Password (Required)\n  -d Fully Qualified Domain Name (Required) (Case Sensitive)\n  -a Bolt address (Optional) (Default: localhost:7687)\n  -t Query Timeout (Optional) (Default: 30s)\n  -v Verbose mode (Optional) (Default:FALSE)\n  -h Help text and usage example (Optional)\n```\nExample with Defaults:\n\n  `./cypheroth.sh -u neo4j -p BloodHound -d TESTLAB.LOCAL`\n\nExample with All Options:\n\n  `./cypheroth.sh -u neo4j -p hunter2 -d BigTech.corp -a 10.0.0.1:7687 -t 5m -v true`\n\n\nFiles are added to a subdirectory named after the FQDN.\n\n### Cypher Queries\n\nThere are nearly 60 queries in the script currently. 
This is a sample of the information you'll receive:\n\n* Full User Property List\n* Full Computer Property List\n* Full Domain Property List\n* Full OU Property List\n* Full GPO Property List\n* Full Group Property List\n* Computers with Admins\n* Computers without Admins\n* Kerberoastable users and computers where they are admins\n\nTo add additional queries, edit the `queries` array within cypheroth.sh and add a line using the following format:\n\n`Description;Cypher Query;Output File`\n\n*If a query needs the domain value, write it as $DOMAIN in the query.*\n\nExample 1:\n```\nAll Usernames;MATCH (u:User) RETURN u.name;usernames.csv\n```\n\nExample 2:\n```\nAll Domain Admins;MATCH (u:User)-[:MemberOf*1..]-\u003e(g:Group {name:'DOMAIN ADMINS@$DOMAIN'}) RETURN u.displayname;domainAdmins.csv\n```\n\n### Analyze several domains\nIf you need to analyze several domains, you can run multiple instances of Cypheroth in parallel with each one working on its domain.\nYou can use the following script for example (10 in parallel).\n\n```bash\n#!/usr/bin/env bash\nDOMAINS=(domA.example.net domB.example.net [...])\nparallel -j10 --lb ./cypheroth.sh \u003cargs\u003e -d {} ::: \"${DOMAINS[@]}\"\n```\n\n### Troubleshooting\n\nIf you are running an outdated version of `cypher-shell` you may receive the following error:\n\n```\nDateTime is not supported as a return type in Bolt protocol version 1.\nPlease make sure driver supports at least protocol version 2.\nDriver upgrade is most likely required.\n```\n\nTo fix, [update Neo4j](https://neo4j.com/download-center/) to the latest version.\n\n### Author\nChris Farrell ([@seajay](https://twitter.com/seajay))\n\n### Acknowledgments\n\n* This tool wouldn't exist without BloodHound - developed by [@_wald0](https://twitter.com/_wald0), [@CptJesus](https://twitter.com/CptJesus), and [@harmj0y](https://twitter.com/harmj0y).\n* Shoutout to the [Bloodhound Slack](https://bloodhoundgang.herokuapp.com) `#cypher_queries` channel for assistance\n* Big 
ups to [@TinkerSec](https://twitter.com/TinkerSec) - the bones of this project were straight up copy/pasted from his [procdump script](https://github.com/tinkersec/scratchpad/blob/master/BashScripts/grabDump.sh) 🙃\n* Many thanks to [@awsmhacks](https://twitter.com/awsmhacks), [@haus3c](https://twitter.com/haus3c) and [@ScoubiMtl](https://twitter.com/ScoubiMtl) for collecting useful cypher queries ([here](https://github.com/awsmhacks/awsmBloodhoundCustomQueries), [here](https://hausec.com/2019/09/09/bloodhound-cypher-cheatsheet/) and [here](https://github.com/Scoubi/BloodhoundAD-Queries/blob/master/BH%20Red2Blue.txt))\n* Hugely appreciate contributions from [@chryzsh](https://twitter.com/chryzsh) and [@mubix](https://twitter.com/mubix)!!\n* All of the amazing contributions from [@cnotin](https://twitter.com/cnotin)\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fseajaysec%2Fcypheroth","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fseajaysec%2Fcypheroth","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fseajaysec%2Fcypheroth/lists"}