The following custom Cypher queries can be imported into BloodHound to enhance visibility.
Account Access by Name
Filter to view the access of a Jamf Account whose name is or starts with ‘LC’. Increase the maximum number of edges to see more relationships (for example, change 5 to 6 to see one more).
MATCH p=(s:jamf_Account)-[*1..5]->(t)
WHERE s.name STARTS WITH 'LC'
RETURN p
LIMIT 1000
This query can be imported into BloodHound from the Jamf_Account_Access_by_Name.json file.
Account to Account Attack Paths
Display Jamf Accounts with attack paths impacting other Jamf Accounts. Increase the maximum number of edges to see more relationships (for example, change 5 to 6 to see one more).
MATCH p=(s:jamf_Account)-[*1..5]->(t:jamf_Account)
RETURN p
LIMIT 1000
This query can be imported into BloodHound from the Jamf_Account_to_Account_Attack_Paths.json file.
Account to Tenant Edges
Show edges from Jamf Accounts to the Jamf Tenant
MATCH p=(s:jamf_Account)-[]->(t:jamf_Tenant)
RETURN p
LIMIT 1000
This query can be imported into BloodHound from the Jamf_Account_to_Tenant_Edges.json file.
All Account Paths
View paths originating from Jamf Accounts with up to 4 edges. Increase the number of edges to see more.
MATCH p=(s:jamf_Account)-[*1..4]->(t)
RETURN p
LIMIT 1000
This query can be imported into BloodHound from the Jamf_All_Account_Paths.json file.
All Computers
Get all Computers
MATCH p=(s:jamf_Computer)
RETURN p
This query can be imported into BloodHound from the Jamf_All_Computers.json file.
All Groups
Get Jamf Groups
MATCH p=(s:jamf_Group)
RETURN p
This query can be imported into BloodHound from the Jamf_All_Groups.json file.
All Nodes and Edges
Retrieve all nodes and edges where a Jamf node has either an inbound or an outbound relationship. Results are limited to 1000.
MATCH p=(s)-[]->(t)
WHERE s.primarykind STARTS WITH 'jamf' OR t.primarykind STARTS WITH 'jamf'
RETURN p
LIMIT 1000
This query can be imported into BloodHound from the Jamf_All_Nodes_and_Edges.json file.
API Client Attack Paths to Tenant
Display attack paths of up to 4 edges that originate from Jamf API Clients whose name is or starts with DEMO and that target the tenant
MATCH p=(s:jamf_ApiClient)-[*1..4]->(t:jamf_Tenant)
WHERE s.name STARTS WITH 'DEMO'
RETURN p
LIMIT 1000
This query can be imported into BloodHound from the Jamf_API_Client_Attack_Paths_to_Tenant.json file.
API Client Immediate Edges
View immediate edges and impacted principals for Jamf API Clients
MATCH p=(s:jamf_ApiClient)-[]->(t)
RETURN p
LIMIT 1000
This query can be imported into BloodHound from the Jamf_API_Client_Immediate_Edges.json file.
Chained Targeted Filtering
An example of chained targeted filtering: multiple conditions in series create multiple property filters, such as restricting results to nodes with specific strings in their name, to particular kinds of nodes, and to particular types of edge relationships between the nodes
MATCH p=(s)-[r]->(t)
WHERE s.name STARTS WITH 'TENANT_ADMIN'
AND (t.name STARTS WITH 'UPDATE' OR t.name STARTS WITH 'SOL' OR t.name STARTS WITH 'JVM')
AND (type(r) = 'jamf_UpdateAccounts' OR type(r) = 'jamf_CreateAccounts' OR type(r) = 'jamf_CreatePolicies' OR type(r) = 'jamf_AdminTo')
OR
s.primarykind = 'jamf_Account' AND (s.name IN ['EXAMPLE', 'REG', 'LCAIN'])
AND type(r) = 'jamf_AdminTo'
OR
t.primarykind STARTS WITH 'jamf_Computer' AND s.primarykind = 'jamf_Account'
AND s.name STARTS WITH 'AZURE'
OR
s.primarykind = 'jamf_Tenant'
AND type(r) = 'jamf_Contains'
AND (t.primarykind = 'jamf_Site' OR t.primarykind = 'jamf_Computer')
OR
(s.primarykind = 'jamf_Site' AND t.primarykind = 'jamf_Computer')
RETURN p
LIMIT 1000
This query can be imported into BloodHound from the Jamf_Chained_Targeted_Filtering.json file.
Expanded Tier 1 to Tier 0 Paths
Expand the graph by one edge, showing nodes with edges to Tier 1 nodes that in turn have edges to Tier 0 nodes
MATCH p=(a)-[]->(s)-[r]->(t)
WHERE s.Tier = 1 AND t.Tier = 0
AND type(r) <> 'jamf_Contains'
RETURN p
LIMIT 1000
This query can be imported into BloodHound from the Jamf_Expanded_Tier_1_to_Tier_0_Paths.json file.
Group Administrators Filtered Relationships
Targeted filtering that limits results to starting jamf_Group nodes whose name starts with ‘TENANT’ and shows only the edges/relationships specified by r that are one of the three specified edges
MATCH p=(s)-[r]->(t)
WHERE s.name STARTS WITH 'TENANT'
AND s.primarykind = 'jamf_Group'
AND (t.name STARTS WITH 'UPDATE' OR t.name STARTS WITH 'SOL')
AND (type(r) = 'jamf_UpdateAccounts' OR type(r) = 'jamf_CreateAccounts' OR type(r) = 'jamf_AdminTo')
RETURN p
LIMIT 1000
This query can be imported into BloodHound from the Jamf_Group_Administrators_Filtered_Relationships.json file.
Group Administrators Targeted Edges
Targeted filtering query: display nodes with edges between ‘GROUP_ADMINISTRATORS’ and ‘UPDATE’, or between ‘GROUP_ADMINISTRATORS’ and other nodes that start with ‘SOL’
MATCH p=(s)-[]->(t)
WHERE s.name STARTS WITH 'GROUP_ADMINISTRATORS' AND t.name STARTS WITH 'UPDATE' OR s.name STARTS WITH 'GROUP_ADMINISTRATORS' AND t.name STARTS WITH 'SOL'
RETURN p
LIMIT 1000
This query can be imported into BloodHound from the Jamf_Group_Administrators_Targeted_Edges.json file.
Group Edges to Accounts
Get immediate edges that originate from Jamf Groups and impact Jamf Accounts. Swap jamf_Group for jamf_Tenant to see impact edges to the tenant from groups.
MATCH p=(s)-[]->(t:jamf_Account)
WHERE s.primarykind ENDS WITH 'jamf_Group'
RETURN p
LIMIT 1000
This query can be imported into BloodHound from the Jamf_Group_Edges_to_Accounts.json file.
Matched Email Edges
Show nodes with the edge jamf_MatchedEmail
MATCH p=(s)-[:jamf_MatchedEmail]->(t)
RETURN p
LIMIT 1000
This query can be imported into BloodHound from the Jamf_Matched_Email_Edges.json file.
Tier 1 to Tier 0 Attack Paths
Retrieve attack paths between Tier 1 nodes and Tier 0 nodes that are fully traversable. Tenant and site nodes are excluded as starting points.
MATCH p=(s)-[r*1..5]->(t)
WHERE s.Tier = 1 AND t.Tier = 0
AND s.primarykind <> 'jamf_Tenant'
AND s.primarykind <> 'jamf_Site'
AND r.traversable = True
RETURN p
LIMIT 1000
This query can be imported into BloodHound from the Jamf_Tier_1_to_Tier_0_Attack_Paths.json file.
Tier 1 to Tier 0 Direct Edges
Retrieve direct edges between Tier 1 nodes and Tier 0 nodes
MATCH p=(s)-[]->(t)
WHERE s.Tier = 1 AND t.Tier = 0
RETURN p
LIMIT 1000
This query can be imported into BloodHound from the Jamf_Tier_1_to_Tier_0_Direct_Edges.json file.
Tier 1 to Tier 0 Without Contains
Filter out jamf_Contains edges from the tiered node query
MATCH p=(s)-[r]->(t)
WHERE s.Tier = 1 AND t.Tier = 0
AND type(r) <> 'jamf_Contains'
RETURN p
LIMIT 1000
This query can be imported into BloodHound from the Jamf_Tier_1_to_Tier_0_Without_Contains.json file.