README.md

Cypher Queries

The following custom Cypher queries can be imported into BloodHound to enhance visibility. Each query is defined in a JSON file located in this directory of the GitLabHound repository.

Note

This file is automatically generated from the JSON query files that are bundled with the GitLabHound collector.

GitLab nodes

Returns all GitLab related nodes.

MATCH (n:GL_Base) RETURN n

This query can be imported into BloodHound from the all-gitlab-nodes.json file.

Federated Identities Abuse

List all users who can push to a branch which has an OIDC trust relationship.

MATCH p = (:GL_User)-[:GL_HasRole|GL_HasBaseRole|GL_InheritRole*1..]->(:GL_ProjectRole)-[:GL_CanPush]->(:GL_Branch)-[:GL_CanAssumeIdentity]->(:AZServicePrincipal) RETURN p

This query can be imported into BloodHound from the attack-path-federated-identities.json file.

All GitLab Bots

Returns all GitLab bot nodes (GL_Bot is a subtype of GL_User, so bots also match queries that start from GL_User).

MATCH (b:GL_Bot) RETURN b

This query can be imported into BloodHound from the bots.json file.

GitLab branch push rights

List all users who can push to a specific branch. The objectid below selects the main branch of project 1 on the example instance; replace it with the objectid of the branch under investigation.

MATCH p = (:GL_User)-[:GL_HasRole|GL_HasBaseRole|GL_InheritRole*1..]->(:GL_ProjectRole)-[:GL_CanPush]->(:GL_Branch {objectid:'GIT.PWN.GIFT/PROJECT/1/REPOSITORY/BRANCHES/MAIN'}) RETURN p

This query can be imported into BloodHound from the branch-push-rights.json file.

Branches built on a Windows runner as SYSTEM

Returns branches built on Windows runners with a shell executor resulting in code execution as SYSTEM.

MATCH p = (:GL_Branch)-[:GL_BuildsAsSystem]->(:Computer) RETURN p

This query can be imported into BloodHound from the branches-built-as-system.json file.
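The two queries above answer "who can push to a branch" and "which branches build as SYSTEM" separately. As an added example (not one of the bundled GitLabHound queries), the following statements join them, so that the result is the set of users who can reach SYSTEM on a runner host simply by pushing a commit. They use only the labels, edge types and properties that appear on this page; the `NOT u:GL_Bot` filter is an editorial choice to keep automation accounts out of the list, and `c.name` is the standard BloodHound `Computer` property. Run each statement on its own in the BloodHound query window.

```cypher
// Added example: human users who can push to a branch that is built on a
// Windows shell-executor runner as SYSTEM. Bots are GL_User subtypes and
// would otherwise match as well.
MATCH p = (u:GL_User)-[:GL_HasRole|GL_HasBaseRole|GL_InheritRole*1..]->(:GL_ProjectRole)
          -[:GL_CanPush]->(b:GL_Branch)-[:GL_BuildsAsSystem]->(c:Computer)
WHERE NOT u:GL_Bot
RETURN p

// Same reach, summarised per runner host instead of drawn as paths, so the
// hosts with the widest push audience surface first.
MATCH (u:GL_User)-[:GL_HasRole|GL_HasBaseRole|GL_InheritRole*1..]->(:GL_ProjectRole)
      -[:GL_CanPush]->(b:GL_Branch)-[:GL_BuildsAsSystem]->(c:Computer)
WHERE NOT u:GL_Bot
RETURN c.name AS runner_host,
       collect(DISTINCT b.objectid) AS branches,
       collect(DISTINCT u.username) AS users_with_push
ORDER BY size(users_with_push) DESC
```

The path form is the one to keep as a saved query; the tabular form is useful when triaging a large instance, because a single runner host that several dozen developers can reach is a different finding from one only the project owner can reach.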

Federated Identities

List all branches that have an OIDC trust relationship with an Azure service principal, i.e. branches whose CI jobs can assume that identity. (The user-to-branch variant is the Federated Identities Abuse query above.)

MATCH p = (:GL_Branch)-[:GL_CanAssumeIdentity]->(:AZServicePrincipal) RETURN p

This query can be imported into BloodHound from the federated-identities.json file.

Group Hierarchy

Displays the GitLab group hierarchy.

MATCH p = (:GL_Instance)-[:GL_HasGroup]->(:GL_Group)-[:GL_MemberOf|GL_InvitedTo*0..]->(:GL_Group) RETURN p

This query can be imported into BloodHound from the group-hierarchy.json file.

Hybrid Identities

Returns all external identities (e.g., Active Directory or Entra ID users) that are associated with GitLab users.

MATCH p = ()-[:GL_SyncedTo]->(u:GL_User) RETURN p

This query can be imported into BloodHound from the hybrid-identities.json file.

Instance Administrators

Returns all GitLab instance administrators.

MATCH p = (:GL_User)-[:GL_HasRole|GL_HasBaseRole]->(:GL_InstanceRole {short_name: 'admin'}) RETURN p

This query can be imported into BloodHound from the instance-admins.json file.

Instance Role Hierarchy

Displays the GitLab instance role hierarchy.

MATCH p = (:GL_InstanceRole)-[:GL_HasBaseRole]->(:GL_InstanceRole) RETURN p

This query can be imported into BloodHound from the instance-role-hierarchy.json file.

Privileged Hybrid Identities

Returns all external identities (e.g., Active Directory or Entra ID users) that have GitLab administrator privileges.

MATCH p = ()-[:GL_SyncedTo]->(:GL_User)-[:GL_HasRole|GL_HasBaseRole]->(:GL_InstanceRole {short_name: 'admin'}) RETURN p

This query can be imported into BloodHound from the privileged-hybrid-identities.json file.
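The Hybrid Identities and Federated Identities Abuse queries each cover one hop of a longer cross-domain path: an external identity is synced to a GitLab user, and a GitLab user may push to a branch that can assume an Azure service principal. As an added example (not part of the GitLabHound query set), the following statements chain those hops, so that a compromised Active Directory or Entra ID account can be followed through GitLab into Azure. `User` and `AZUser` are the standard BloodHound labels for AD and Entra ID users, and `name` is the standard property on `AZServicePrincipal`; the GL_* labels and edges are the ones used on this page. Run each statement separately.

```cypher
// Added example: external identity -> GitLab user -> pushable branch ->
// Azure service principal. The source node is left unlabelled in the MATCH
// and filtered in WHERE so both AD (User) and Entra ID (AZUser) nodes match.
MATCH p = (ext)-[:GL_SyncedTo]->(u:GL_User)
          -[:GL_HasRole|GL_HasBaseRole|GL_InheritRole*1..]->(:GL_ProjectRole)
          -[:GL_CanPush]->(:GL_Branch)-[:GL_CanAssumeIdentity]->(:AZServicePrincipal)
WHERE ext:User OR ext:AZUser
RETURN p

// Same path as a table: one row per external identity, listing every
// service principal it can reach through GitLab.
MATCH (ext)-[:GL_SyncedTo]->(u:GL_User)
      -[:GL_HasRole|GL_HasBaseRole|GL_InheritRole*1..]->(:GL_ProjectRole)
      -[:GL_CanPush]->(b:GL_Branch)-[:GL_CanAssumeIdentity]->(sp:AZServicePrincipal)
WHERE ext:User OR ext:AZUser
RETURN ext.name AS external_identity,
       u.username AS gitlab_user,
       collect(DISTINCT b.objectid) AS branches,
       collect(DISTINCT sp.name) AS service_principals
ORDER BY size(service_principals) DESC
```

Because the path starts at a node the AD or Azure collectors already populate, the result can be combined with BloodHound's built-in AD and Azure edges: any principal that reaches `external_identity` in the AD graph also reaches the listed service principals.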

Possible Renovate Project Configuration

Returns possible Renovate project configurations based on defined CI/CD jobs.

MATCH (p:GL_Project) WHERE p.renovate_config <> '' RETURN p

This query can be imported into BloodHound from the renovate-bot-configuration-projects.json file.

Possible Renovate Bot Takeover

Returns possible takeover paths for Renovate bots configured with autodiscovery.

MATCH p = ()-[:GL_RenovateInviteAndTakeover]->() RETURN p

This query can be imported into BloodHound from the renovate-bot-takeover.json file.

Possible Renovate Bot Users

Returns possible Renovate bot users, identified by branch push heuristics.

MATCH (u:GL_User {renovate:true}) RETURN u

This query can be imported into BloodHound from the renovate-bot-users.json file.

Runners with shell executor

Returns runners that are configured with a shell executor.

MATCH p = (:GL_Runner)-[:GL_ManagedBy]->(:GL_RunnerManager {executor:'shell'}) RETURN p

This query can be imported into BloodHound from the shell-runners.json file.

Unrestricted Signup without Admin Approval

Any user can sign up and create an account without administrator approval.

MATCH p = (:GL_InstanceRole {short_name:'noauth'})-[:GL_CanSignUp {require_admin_approval:false}]->(:GL_Instance) RETURN p

This query can be imported into BloodHound from the signup-restrictions.json file.

User push rights

Returns all branches a specific user can push to. The query below uses the root user; replace the username with the account under investigation.

MATCH p = (:GL_User {username:'root'})-[:GL_HasRole|GL_HasBaseRole|GL_InheritRole*1..]->(:GL_ProjectRole)-[:GL_CanPush]->(:GL_Branch) RETURN p

This query can be imported into BloodHound from the user-push-rights.json file.

Users without 2FA

Returns all GitLab users that do not have a second authentication factor configured within GitLab. A second factor enforced only by an external identity provider (for example through SSO) is not reflected in this property.

MATCH (u:GL_User) WHERE u.two_factor_enabled = false RETURN u

This query can be imported into BloodHound from the users-without-2fa.json file.
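On its own the list of users without 2FA is usually long. As an added example (not one of the bundled queries), the following statements cross the 2FA property with the instance role hierarchy from the Instance Administrators query, so that administrators without a second factor are listed first and the rest can be counted per role. Only labels, edges and properties from this page are used; the `NOT u:GL_Bot` filter is an editorial choice. Run each statement separately.

```cypher
// Added example: instance administrators without a GitLab-side second factor.
// Note that `u.two_factor_enabled = false` does not match nodes where the
// property is absent (a missing property compares as null); use
// `coalesce(u.two_factor_enabled, false) = false` if the collector may leave
// it unset for some accounts.
MATCH p = (u:GL_User)-[:GL_HasRole|GL_HasBaseRole]->(:GL_InstanceRole {short_name:'admin'})
WHERE u.two_factor_enabled = false AND NOT u:GL_Bot
RETURN p

// Added example: number of non-2FA users per instance role, following the
// single-hop role pattern the instance-admins query uses, for prioritisation.
MATCH (u:GL_User)-[:GL_HasRole|GL_HasBaseRole]->(r:GL_InstanceRole)
WHERE u.two_factor_enabled = false AND NOT u:GL_Bot
RETURN r.short_name AS role, count(DISTINCT u) AS users_without_2fa
ORDER BY users_without_2fa DESC
```

The same WHERE clause can be appended to any of the push-rights queries on this page to restrict them to accounts that a phished password alone would compromise.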