[Query Issue]: Computers with membership in Protected Users #44

@Barneee

Description

Query GUID

a26372f4-2e92-49f6-8993-6657fbc1569a

Query content

MATCH p = (:Base)-[:MemberOf*1..]->(g:Group)
WHERE g.objectid ENDS WITH '-525'
RETURN p LIMIT 1000

Issue description

Maybe I’m missing something, but from my perspective the current query title is misleading.

The title refers to “Computers”, however the Cypher query itself starts from :Base and therefore can also return user accounts, groups, and other principals, not just computers.

Since this query is located in the “NTLM Relay Attacks” category, I assume the intention is to identify accounts that are members of the Protected Users group, as these accounts cannot be targeted by NTLM relay attacks.

If that is the intended purpose, it might make more sense to:

Rename the query to something more accurate, for example:
“Users with membership in Protected Users”

Happy to be corrected if my understanding is wrong.

BloodHound version

Bloodhound

BloodHound DB

Neo4j
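A quick way to verify the point raised in this issue, and to see what the query would look like once scoped to one kind of principal. This is an added example, not a query from BloodHound's own library: the `Base`, `User`, `Computer` and `Group` labels, the `MemberOf` edge and the `objectid` property follow the schema the issue's own query already uses; each statement is meant to be run separately in the Neo4j browser.

```cypher
// Constructed example (not a BloodHound stock query).
// Step 1: keep the original :Base start, but report which kinds of node
// actually come back, so the title can be checked against the results.
// labels(n) lists every label on the node (e.g. ['Base', 'User']).
MATCH (n:Base)-[:MemberOf*1..]->(g:Group)
WHERE g.objectid ENDS WITH '-525'
RETURN labels(n) AS kind, count(DISTINCT n) AS principals
ORDER BY principals DESC;

// Step 2a: the same membership check restricted to user accounts,
// i.e. the query the proposed title "Users with membership in
// Protected Users" would describe.
MATCH p = (u:User)-[:MemberOf*1..]->(g:Group)
WHERE g.objectid ENDS WITH '-525'
RETURN p LIMIT 1000;

// Step 2b: restricted to computer accounts, i.e. the query the
// current title "Computers with membership in Protected Users" describes.
MATCH p = (c:Computer)-[:MemberOf*1..]->(g:Group)
WHERE g.objectid ENDS WITH '-525'
RETURN p LIMIT 1000;
```

The `ENDS WITH '-525'` test keeps the leading hyphen, so it matches only a SID whose final relative identifier is exactly 525 (Protected Users) and not, say, one ending in 1525. From a hardening standpoint both scoped variants are worth keeping: the user variant confirms which accounts benefit from the Protected Users restrictions, while the computer variant flags computer accounts that were added to the group, which Microsoft's guidance for Protected Users advises against.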
