From 16ac077347ad0bbec446139877115eb8493ed367 Mon Sep 17 00:00:00 2001
From: fed <179690073+dojoSec@users.noreply.github.com>
Date: Mon, 6 Oct 2025 15:57:08 +0200
Subject: [PATCH 1/2] added accounts with no pw required for login section
---
 src/bhcli/cli/audit.py | 30 ++++++++++++++++++++++++++++++
 1 file changed, 30 insertions(+)
diff --git a/src/bhcli/cli/audit.py b/src/bhcli/cli/audit.py
index 97e27bc..f4bf06b 100644
--- a/src/bhcli/cli/audit.py
+++ b/src/bhcli/cli/audit.py
@@ -2,6 +2,7 @@
 import click
 import prettytable
+import datetime
 from bhcli import cypher
 from bhcli.api.from_config import api
@@ -142,4 +143,33 @@ def audit(domain):
 print(f"{n[1]} ({n[0]})")
 print()
+ print("[*] Accounts which do not require password for login (enabled, password can be changed)")
+ query = f"""
+ MATCH (u:User)
+ {cypher.where("u", domainsid=domsid, passwordnotreqd=True, enabled=True, passwordcantchange=False)}
+ RETURN u
+ """
+ result = api.cypher(query)["nodes"].values()
+ count = len(result)
+ print(f" {count} accounts found")
+
+ relations = set()
+ for n in result:
+ is_tier0 = False
+ if n["properties"].get("system_tags") != None and "admin_tier_0" in n["properties"].get("system_tags"):
+ is_tier0 = True
+ lastLogonDate = datetime.datetime.fromtimestamp(n["properties"]["lastlogon"]).strftime('%Y-%m-%d %H:%M:%S')
+ pwLastSetDate = datetime.datetime.fromtimestamp(n["properties"]["pwdlastset"]).strftime('%Y-%m-%d %H:%M:%S')
+ relations.add((n["properties"]["name"], n["kind"], pwLastSetDate, lastLogonDate, is_tier0))
+ if count > 0:
+ table = prettytable.PrettyTable()
+ table.set_style(prettytable.PLAIN_COLUMNS)
+ table.align = "l"
+ table.field_names = ["Name", "Type", "PasswordLastSet", "LastLogin", "Tier-0"]
+ table.add_rows(sorted(relations))
+ print(table)
+ print()
+
+
+
 print()
From b7122f7a2da8af502988ca09313dd3c6c52b5289 Mon Sep 17 00:00:00 2001
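Review bot: The two `datetime.datetime.fromtimestamp(...)` calls in the new `for n in result:` loop index `n["properties"]["lastlogon"]` and `n["properties"]["pwdlastset"]` directly, so one user node lacking either property raises `KeyError` and ends the audit run before the table is printed. A zero or negative value (which I believe the collector stores for "never"; to be confirmed) would be rendered as a date around 1970, which hides exactly the accounts an auditor cares about in this section: PasswordNotRequired with a password that was never set. I would read both values with `.get()` through a small formatter that prints `never` for missing or non-positive values, and replace the `!= None` test and its second `.get()` with a single `props.get("system_tags") or ""` lookup. `audit()` begins above this hunk, so the helper below is meant for module level.

```python
def _fmt_epoch(value):
    """Format an epoch-seconds property; missing or non-positive values carry no date."""
    if not isinstance(value, (int, float)) or value <= 0:
        return "never"
    return datetime.datetime.fromtimestamp(value).strftime('%Y-%m-%d %H:%M:%S')

# … unchanged: section header, query, count …
for n in result:
    props = n["properties"]
    is_tier0 = "admin_tier_0" in (props.get("system_tags") or "")
    relations.add((
        props["name"],
        n["kind"],
        _fmt_epoch(props.get("pwdlastset")),
        _fmt_epoch(props.get("lastlogon")),
        is_tier0,
    ))
# … unchanged: table rendering …
```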
From: fed <179690073+dojoSec@users.noreply.github.com>
Date: Tue, 7 Oct 2025 09:20:04 +0200
Subject: [PATCH 2/2] changed section name
---
 src/bhcli/cli/audit.py | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/src/bhcli/cli/audit.py b/src/bhcli/cli/audit.py
index f4bf06b..cdd40d1 100644
--- a/src/bhcli/cli/audit.py
+++ b/src/bhcli/cli/audit.py
@@ -143,10 +143,10 @@ def audit(domain):
 print(f"{n[1]} ({n[0]})")
 print()
- print("[*] Accounts which do not require password for login (enabled, password can be changed)")
+ print("[*] Accounts which have PasswordNotRequired set (enabled)")
 query = f"""
 MATCH (u:User)
- {cypher.where("u", domainsid=domsid, passwordnotreqd=True, enabled=True, passwordcantchange=False)}
+ {cypher.where("u", domainsid=domsid, passwordnotreqd=True, enabled=True)}
 RETURN u
 """
 result = api.cypher(query)["nodes"].values()