> ## Documentation Index
> Fetch the complete documentation index at: https://bloodhound.specterops.io/llms.txt
> Use this file to discover all available pages before exploring further.

# Cypher Queries

> Jamf extension Cypher queries

<img noZoom src="https://mintcdn.com/specterops/tTIczgde9H07oLXf/assets/enterprise-AND-community-edition-pill-tag.svg?fit=max&auto=format&n=tTIczgde9H07oLXf&q=85&s=ad49a576589f4d2a8081df77d07fdf56" alt="Applies to BloodHound Enterprise and CE" width="482" height="45" data-path="assets/enterprise-AND-community-edition-pill-tag.svg" />

The following custom Cypher queries can be imported into BloodHound to enhance visibility.

<Info>
  This file is automatically generated from the [JSON query files](https://github.com/SpecterOps/openhound-jamf/tree/main/extension/saved_searches).
</Info>

## Account Access by Name

Filter to view access of a Jamf Account named or starting with 'LC' - increase the maximum edges to see more relationships (i.e. change 5 to 6 to see 1 more)

```cypher theme={null}
MATCH p=(s:jamf_Account)-[*1..5]->(t)
WHERE s.name STARTS WITH 'LC'
RETURN p
LIMIT 1000
```

This query can be imported into BloodHound from the [Jamf\_Account\_Access\_by\_Name.json](https://github.com/SpecterOps/openhound-jamf/tree/main/extension/saved_searches/Jamf_Account_Access_by_Name.json) file.

## Account to Account Attack Paths

Display Jamf Accounts with Attack-Paths impacting other Jamf Accounts - increase the maximum edges to see more relationships (i.e. change 5 to 6 to see 1 more)

```cypher theme={null}
MATCH p=(s:jamf_Account)-[*1..5]->(t:jamf_Account)
RETURN p
LIMIT 1000
```

This query can be imported into BloodHound from the [Jamf\_Account\_to\_Account\_Attack\_Paths.json](https://github.com/SpecterOps/openhound-jamf/tree/main/extension/saved_searches/Jamf_Account_to_Account_Attack_Paths.json) file.

## Account to Tenant Edges

Show edges from Jamf Accounts to the Jamf Tenant

```cypher theme={null}
MATCH p=(s:jamf_Account)-[]->(t:jamf_Tenant)
RETURN p
LIMIT 1000
```

This query can be imported into BloodHound from the [Jamf\_Account\_to\_Tenant\_Edges.json](https://github.com/SpecterOps/openhound-jamf/tree/main/extension/saved_searches/Jamf_Account_to_Tenant_Edges.json) file.

## All Account Paths

View paths originating from Jamf Accounts with up to 4 edges - increase edges to see more

```cypher theme={null}
MATCH p=(s:jamf_Account)-[*1..4]->(t)
RETURN p
LIMIT 1000
```

This query can be imported into BloodHound from the [Jamf\_All\_Account\_Paths.json](https://github.com/SpecterOps/openhound-jamf/tree/main/extension/saved_searches/Jamf_All_Account_Paths.json) file.

## All Computers

Get all Computers

```cypher theme={null}
MATCH p=(s:jamf_Computer)
RETURN p
```

This query can be imported into BloodHound from the [Jamf\_All\_Computers.json](https://github.com/SpecterOps/openhound-jamf/tree/main/extension/saved_searches/Jamf_All_Computers.json) file.

## All Groups

Get Jamf Groups

```cypher theme={null}
MATCH p=(s:jamf_Group)
RETURN p
```

This query can be imported into BloodHound from the [Jamf\_All\_Groups.json](https://github.com/SpecterOps/openhound-jamf/tree/main/extension/saved_searches/Jamf_All_Groups.json) file.

## All Nodes and Edges

Retrieve all nodes and edges where either a Jamf node has an inbound or outbound relationship, limits results to 1000

```cypher theme={null}
MATCH p=(s)-[]->(t)
WHERE s.primarykind STARTS WITH 'jamf' OR t.primarykind STARTS WITH 'jamf'
RETURN p
LIMIT 1000
```

This query can be imported into BloodHound from the [Jamf\_All\_Nodes\_and\_Edges.json](https://github.com/SpecterOps/openhound-jamf/tree/main/extension/saved_searches/Jamf_All_Nodes_and_Edges.json) file.

## API Client Attack Paths to Tenant

Display up to 4 edges in attack paths originating from Jamf API Clients with a matching name or name starting with DEMO targeting the tenant

```cypher theme={null}
MATCH p=(s:jamf_ApiClient)-[*1..4]->(t:jamf_Tenant)
WHERE s.name STARTS WITH 'DEMO'
RETURN p
LIMIT 1000
```

This query can be imported into BloodHound from the [Jamf\_API\_Client\_Attack\_Paths\_to\_Tenant.json](https://github.com/SpecterOps/openhound-jamf/tree/main/extension/saved_searches/Jamf_API_Client_Attack_Paths_to_Tenant.json) file.

## API Client Immediate Edges

View immediate edges and impacted principals for Jamf API Clients

```cypher theme={null}
MATCH p=(s:jamf_ApiClient)- [] ->(t)
RETURN p
LIMIT 1000
```

This query can be imported into BloodHound from the [Jamf\_API\_Client\_Immediate\_Edges.json](https://github.com/SpecterOps/openhound-jamf/tree/main/extension/saved_searches/Jamf_API_Client_Immediate_Edges.json) file.

## Chained Targeted Filtering

An example of chained targeted filtering with multiple conditions in series that creates multiple proprety filters such as restricting to nodes with specific strings in their name, kinds of nodes, and types of edge relationships existing between the nodes

```cypher theme={null}
MATCH p=(s)-[r]->(t)
WHERE s.name STARTS WITH 'TENANT_ADMIN'
AND (t.name STARTS WITH 'UPDATE' OR t.name STARTS WITH 'SOL' OR t.name STARTS WITH 'JVM')
AND (type(r) = 'jamf_UpdateAccounts' OR type(r) = 'jamf_CreateAccounts' OR type(r) = 'jamf_CreatePolicies' OR type(r) = 'jamf_AdminTo')
OR
s.primarykind = 'jamf_Account' AND (s.name IN ['EXAMPLE', 'REG', 'LCAIN'])
AND type(r) = 'jamf_AdminTo'
OR
t.primarykind STARTS WITH 'jamf_Computer' AND s.primarykind = 'jamf_Account'
AND s.name STARTS WITH 'AZURE'
OR
s.primarykind = 'jamf_Tenant'
AND type(r) = 'jamf_Contains'
AND (t.primarykind = 'jamf_Site' OR t.primarykind = 'jamf_Computer')
OR
(s.primarykind = 'jamf_Site' AND t.primarykind = 'jamf_Computer')
RETURN p
LIMIT 1000
```

This query can be imported into BloodHound from the [Jamf\_Chained\_Targeted\_Filtering.json](https://github.com/SpecterOps/openhound-jamf/tree/main/extension/saved_searches/Jamf_Chained_Targeted_Filtering.json) file.

## Expanded Tier 1 to Tier 0 Paths

Expand the graph by one edge showing nodes with edges to Tier 1 nodes with edges to Tier 0 nodes

```cypher theme={null}
MATCH p=(a) - [] -> (s)-[r]->(t)
WHERE s.Tier = 1 AND t.Tier = 0
AND type(r) <> 'jamf_Contains'
RETURN p
LIMIT 1000
```

This query can be imported into BloodHound from the [Jamf\_Expanded\_Tier\_1\_to\_Tier\_0\_Paths.json](https://github.com/SpecterOps/openhound-jamf/tree/main/extension/saved_searches/Jamf_Expanded_Tier_1_to_Tier_0_Paths.json) file.

## Group Administrators Filtered Relationships

Targeted Filtering that limits results to starting jamf\_Group nodes starting with 'TENANT' in the name and only show edges/relationships specified by r that are one of the three specified edges

```cypher theme={null}
MATCH p=(s)-[r]->(t)
WHERE s.name STARTS WITH 'TENANT'
AND s.primarykind = 'jamf_Group'
AND (t.name STARTS WITH 'UPDATE' OR t.name STARTS WITH 'SOL')
AND (type(r) = 'jamf_UpdateAccounts' OR type(r) = 'jamf_CreateAccounts' OR type(r) = 'jamf_AdminTo')
RETURN p
LIMIT 1000
```

This query can be imported into BloodHound from the [Jamf\_Group\_Administrators\_Filtered\_Relationships.json](https://github.com/SpecterOps/openhound-jamf/tree/main/extension/saved_searches/Jamf_Group_Administrators_Filtered_Relationships.json) file.

## Group Administrators Targeted Edges

Targeted Filtering Query, display nodes with edges between 'GROUP\_ADMINISTRATORS' and 'UPDATE' or 'GROUP\_ADMINISTRATORS' and other nodes that start with 'SOL'

```cypher theme={null}
MATCH p=(s)-[]->(t)
WHERE s.name STARTS WITH 'GROUP_ADMINISTRATORS' AND t.name STARTS WITH 'UPDATE' OR s.name STARTS WITH 'GROUP_ADMINISTRATORS' AND t.name STARTS WITH 'SOL'
RETURN p
LIMIT 1000
```

This query can be imported into BloodHound from the [Jamf\_Group\_Administrators\_Targeted\_Edges.json](https://github.com/SpecterOps/openhound-jamf/tree/main/extension/saved_searches/Jamf_Group_Administrators_Targeted_Edges.json) file.

## Group Edges to Accounts

Get immediate edges impacting Jamf Accounts originating from Jamf Groups, swap jamfGroup for jamfTenant to see impact edges to the tenant from groups

```cypher theme={null}
MATCH p=(s)-[]->(t:jamf_Account)
WHERE s.primarykind ENDS WITH 'jamf_Group'
RETURN p
LIMIT 1000
```

This query can be imported into BloodHound from the [Jamf\_Group\_Edges\_to\_Accounts.json](https://github.com/SpecterOps/openhound-jamf/tree/main/extension/saved_searches/Jamf_Group_Edges_to_Accounts.json) file.

## Matched Email Edges

Show nodes with the edge jamfMatchedEdmail

```cypher theme={null}
MATCH p=(s)-[:jamf_MatchedEmail]->(t)
RETURN p
LIMIT 1000
```

This query can be imported into BloodHound from the [Jamf\_Matched\_Email\_Edges.json](https://github.com/SpecterOps/openhound-jamf/tree/main/extension/saved_searches/Jamf_Matched_Email_Edges.json) file.

## Tier 1 to Tier 0 Attack Paths

Retrieve attack paths between Tier 1 nodes and Tier 0 nodes that are fully traversable - excludes tenant and site nodes as starting points

```cypher theme={null}
MATCH p=(s)-[r*1..5]->(t)
WHERE s.Tier = 1 AND t.Tier = 0
AND s.primarykind <> 'jamf_Tenant'
AND s.primarykind <> 'jamf_Site'
AND r.traversable = True
RETURN p
LIMIT 1000
```

This query can be imported into BloodHound from the [Jamf\_Tier\_1\_to\_Tier\_0\_Attack\_Paths.json](https://github.com/SpecterOps/openhound-jamf/tree/main/extension/saved_searches/Jamf_Tier_1_to_Tier_0_Attack_Paths.json) file.

## Tier 1 to Tier 0 Direct Edges

Retrieve direct edges between Tier 1 nodes and Tier 0 nodes

```cypher theme={null}
MATCH p=(s)-[]->(t)
WHERE s.Tier = 1 AND t.Tier = 0
RETURN p
LIMIT 1000
```

This query can be imported into BloodHound from the [Jamf\_Tier\_1\_to\_Tier\_0\_Direct\_Edges.json](https://github.com/SpecterOps/openhound-jamf/tree/main/extension/saved_searches/Jamf_Tier_1_to_Tier_0_Direct_Edges.json) file.

## Tier 1 to Tier 0 Without Contains

Filter out jamf\_Contains edges from Tiered node query

```cypher theme={null}
MATCH p=(s)-[r]->(t)
WHERE s.Tier = 1 AND t.Tier = 0
AND type(r) <> 'jamf_Contains'
RETURN p
LIMIT 1000
```

This query can be imported into BloodHound from the [Jamf\_Tier\_1\_to\_Tier\_0\_Without\_Contains.json](https://github.com/SpecterOps/openhound-jamf/tree/main/extension/saved_searches/Jamf_Tier_1_to_Tier_0_Without_Contains.json) file.