diff --git a/queries/ACEs across trusts.yml b/queries/ACEs across trusts.yml
index a170a8e..d6a5437 100644
--- a/queries/ACEs across trusts.yml
+++ b/queries/ACEs across trusts.yml
@@ -13,6 +13,5 @@ query: |-
 note:
 revision: 1
 resources:
-acknowledgement:
 acknowledgements: Martin Sohn Christensen, @martinsohndk
diff --git a/queries/Accounts with weak password storage encryption.yml b/queries/Accounts with weak password storage encryption.yml
new file mode 100644
index 0000000..0810373
--- /dev/null
+++ b/queries/Accounts with weak password storage encryption.yml
@@ -0,0 +1,19 @@
+name: Accounts with weak password storage encryption
+guid: 8bd6fcf2-3f3c-414c-857a-4caf28e49def
+prebuilt: true
+platform: Active Directory
+category: Active Directory Hygiene
+description: Accounts with passwords set before Windows Server 2008 DC promotion, which therefore lack AES encryption keys. Uses the RODC group creation date to find accounts with pwdLastSet dates predating AES key generation capability.
+query: |-
+ MATCH (g:Group)
+ WHERE g.objectid ends with "-521"
+ MATCH (n:Base)
+ WHERE g.domainsid = n.domainsid
+ AND n.pwdlastset < g.whencreated
+ RETURN n
+ LIMIT 100
+note:
+revision: 1
+resources: https://techcommunity.microsoft.com/blog/coreinfrastructureandsecurityblog/decrypting-the-selection-of-supported-kerberos-encryption-types/1628797
+acknowledgements: Martin Sohn Christensen, @martinsohndk
+
diff --git a/queries/AdminSDHolder protected Accounts and Groups.yml b/queries/AdminSDHolder protected Accounts and Groups.yml
index 0c0e9b6..12dc5fd 100644
--- a/queries/AdminSDHolder protected Accounts and Groups.yml
+++ b/queries/AdminSDHolder protected Accounts and Groups.yml
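Review bot: `n.pwdlastset < g.whencreated` also returns every account whose password was never set, because a `pwdlastset` of 0 (or -1, the sentinel the sibling Entra Connect query in this same commit excludes) is always smaller than the group's creation timestamp; add `AND NOT n.pwdlastset IN [-1.0, 0.0]` and, unless disabled objects are wanted, `AND n.enabled = true` before `RETURN n`. The comparison silently assumes `g.whencreated` and `n.pwdlastset` are stored in the same unit (epoch seconds), which the hunk does not show — worth a line in `note:`. The description ties the cut-off to the creation date of the RID-521 (Read-only Domain Controllers) group; that this date coincides with AES key availability on every deployment path is an assumption and should be labelled as such in `note:` rather than stated as fact. `prebuilt: true` differs from the `prebuilt: false` on the other new queries in this commit — confirm that is intended.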
@@ -17,6 +17,5 @@ revision: 1
 resources:
 - https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-adts/a0d0b4fa-2895-4c64-b182-ba64ad0f84b8
 - https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/plan/security-best-practices/appendix-c--protected-accounts-and-groups-in-active-directory
-acknowledgement:
 acknowledgements: Martin Sohn Christensen, @martinsohndk
diff --git a/queries/All incoming and local paths for a specific computer.yml b/queries/All incoming and local paths for a specific computer.yml
index c6027a4..cc231c0 100644
--- a/queries/All incoming and local paths for a specific computer.yml
+++ b/queries/All incoming and local paths for a specific computer.yml
@@ -13,6 +13,5 @@ query: |-
 note:
 revision: 1
 resources:
-acknowledgement:
 acknowledgements: Martin Sohn Christensen, @martinsohndk
diff --git a/queries/All paths crossing a specific trust.yml b/queries/All paths crossing a specific trust.yml
index f8fed6f..970cc8e 100644
--- a/queries/All paths crossing a specific trust.yml
+++ b/queries/All paths crossing a specific trust.yml
@@ -15,6 +15,5 @@ query: |-
 note:
 revision: 1
 resources:
-acknowledgement:
 acknowledgements: Martin Sohn Christensen, @martinsohndk
diff --git a/queries/Computers without Windows LAPS.yml b/queries/Computers without Windows LAPS.yml
new file mode 100644
index 0000000..dc26d0b
--- /dev/null
+++ b/queries/Computers without Windows LAPS.yml
@@ -0,0 +1,18 @@
+name: Computers without Windows LAPS
+guid: 7c50f724-c467-4005-8e3f-9a6ce1461db0
+prebuilt: false
+platform: Active Directory
+category: Active Directory Hygiene
+description:
+query: |-
+ MATCH (c:Computer)
+ WHERE c.operatingsystem =~ '(?i).*WINDOWS (SERVER)? ?(10|11|2019|2022|2025).*'
+ AND c.haslaps = false
+ AND c.enabled = true
+ RETURN c
+ LIMIT 100
+note:
+revision: 1
+resources: https://learn.microsoft.com/en-us/windows-server/identity/laps/laps-overview
+acknowledgements: Martin Sohn Christensen, @martinsohndk
+
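Review bot: `c.haslaps = false` silently drops computers that have no `haslaps` property at all, because in Cypher `null = false` evaluates to null and the row is filtered out, so a host the collector never assessed is never reported as unprotected; use `AND coalesce(c.haslaps, false) = false` if "unknown" should count as "not protected". `description:` is empty (a bare YAML value is null) while every other new query in this commit documents itself — suggest `description: Enabled computers running a Windows version that supports Windows LAPS (10/11, Server 2019/2022/2025) that are not flagged as having LAPS.` As far as this hunk shows, a single `haslaps` boolean cannot tell legacy LAPS from Windows LAPS, so the name promises more than the property can deliver; either state that limitation in `note:` or rename the query. The operating-system regex deliberately excludes Server 2016 and earlier, which is presumably a support-matrix decision and is also worth one line in `note:`.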
diff --git a/queries/Enrollment rights on published ESC15 certificate templates.yml b/queries/Enrollment rights on published ESC15 certificate templates.yml
new file mode 100644
index 0000000..aa16b85
--- /dev/null
+++ b/queries/Enrollment rights on published ESC15 certificate templates.yml
@@ -0,0 +1,20 @@
+name: Enrollment rights on published ESC15 certificate templates
+guid: 78d59fe1-e1a0-4813-adc9-c3c96ac08b66
+prebuilt: false
+platform: Active Directory
+category: Active Directory Certificate Services
+description: Enrollment rights on certificate templates that meet the requirements for the ADCS ESC15 (EKUwu) attack.
+query: |-
+ MATCH p=(:Base)-[:Enroll|AllExtendedRights]->(ct:CertTemplate)-[:PublishedTo]->(:EnterpriseCA)-[:TrustedForNTAuth]->(:NTAuthStore)-[:NTAuthStoreFor]->(:Domain)
+ WHERE ct.enrolleesuppliessubject = True
+ AND ct.authenticationenabled = False
+ AND ct.requiresmanagerapproval = False
+ AND ct.schemaversion = 1
+ RETURN p
+note:
+revision: 1
+resources:
+- https://x.com/SpecterOps/status/1844800558151901639
+- https://msrc.microsoft.com/update-guide/en-US/advisory/CVE-2024-49019
+acknowledgements: Jonas Bülow Knudsen, @Jonas_B_K
+
diff --git a/queries/Map Azure Management structure.yml b/queries/Map Azure Management structure.yml
index 818ac0d..c101a5f 100644
--- a/queries/Map Azure Management structure.yml
+++ b/queries/Map Azure Management structure.yml
@@ -11,6 +11,5 @@ query: |-
 note:
 revision: 1
 resources: https://learn.microsoft.com/en-us/azure/governance/management-groups/overview
-acknowledgement: Martin Sohn Christensen, @martinsohndk
 acknowledgements: Martin Sohn Christensen, @martinsohndk
diff --git a/queries/Microsoft Entra Connect accounts with passwords not rotated in over 90 days.yml b/queries/Microsoft Entra Connect accounts with passwords not rotated in over 90 days.yml
new file mode 100644
index 0000000..2f2bd91
--- /dev/null
+++ b/queries/Microsoft Entra Connect accounts with passwords not rotated in over 90 days.yml
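Review bot: The relationship filter `[:Enroll|AllExtendedRights]` omits `GenericAll`, which also grants enrollment on a template, so a principal with full control over an ESC15-eligible template is not returned; change the pattern to `-[:Enroll|GenericAll|AllExtendedRights]->`. Only direct rights holders are matched; if effective principals are wanted, prefix the pattern with `(:Base)-[:MemberOf*0..]->()` so group members are expanded. `note:` is empty, but CVE-2024-49019 (the second resource) was addressed by a CA-side update, so the listed templates are only exploitable where the issuing CA has not received that fix — that caveat belongs in `note:` so readers do not over-report. The first resource is an x.com post, which is a fragile citation; link the underlying write-up if one exists.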
@@ -0,0 +1,20 @@
+name: Microsoft Entra Connect accounts with passwords not rotated in over 90 days
+guid: 97fb1310-d15d-4d63-82a2-8788056250f1
+prebuilt: false
+platform:
+- Active Directory
+- Azure
+category: Active Directory Hygiene
+description: Micosoft recommends to change the password of MSOL accounts every 90 days to prevent attackers from allowing use of the high privileges
+query: |-
+ WITH 90 as days_since_change
+ MATCH (u:User)
+ WHERE u.name STARTS WITH "MSOL_"
+ AND u.pwdlastset < (datetime().epochseconds - (days_since_change * 86400))
+ AND NOT u.pwdlastset IN [-1.0, 0.0]
+ RETURN u
+note:
+revision: 1
+resources: https://learn.microsoft.com/en-us/defender-for-identity/rotate-password-microsoft-entra-connect
+acknowledgements: Martin Sohn Christensen, @martinsohndk
+
diff --git a/queries/Non-Tier Zero principals with BadSuccessor rights (no prerequisites check).yml b/queries/Non-Tier Zero principals with BadSuccessor rights (no prerequisites check).yml
index bb9ab79..0c532d7 100644
--- a/queries/Non-Tier Zero principals with BadSuccessor rights (no prerequisites check).yml
+++ b/queries/Non-Tier Zero principals with BadSuccessor rights (no prerequisites check).yml
@@ -13,6 +13,5 @@ query: |-
 note:
 revision: 1
 resources: https://bsky.app/profile/specterops.io/post/3lpua65qeu22l
-acknowledgement: Martin Sohn Christensen, @martinsohndk
 acknowledgements: Martin Sohn Christensen, @martinsohndk
diff --git a/queries/Non-Tier Zero principals with BadSuccessor rights (with prerequisites check).yml b/queries/Non-Tier Zero principals with BadSuccessor rights (with prerequisites check).yml
index c37df48..e6d518b 100644
--- a/queries/Non-Tier Zero principals with BadSuccessor rights (with prerequisites check).yml
+++ b/queries/Non-Tier Zero principals with BadSuccessor rights (with prerequisites check).yml
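Review bot: The `description:` has a typo and an unclear clause ("Micosoft recommends to change ... to prevent attackers from allowing use of the high privileges"); suggest `description: Microsoft recommends rotating the password of the Entra Connect AD DS connector (MSOL_) accounts at least every 90 days, since these accounts hold directory replication (DCSync) rights by default and a stale password lengthens the window in which a stolen credential stays valid.` The query has no `u.enabled = true` filter, so a disabled leftover MSOL_ account is reported as well — probably desirable (it should be deleted rather than rotated), but that intent should be stated in `note:`. `platform:` lists Azure, yet the query touches only AD `User` nodes; keep Azure only if the repository's convention for that field is "relevant to" rather than "queries". The threshold is already parameterized through `WITH 90 as days_since_change`; a `note:` line pointing users at that constant would make the window easy to adjust.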
@@ -23,6 +23,5 @@ query: |-
 note:
 revision: 1
 resources: https://bsky.app/profile/specterops.io/post/3lpua65qeu22l
-acknowledgement: Martin Sohn Christensen, @martinsohndk
 acknowledgements: Martin Sohn Christensen, @martinsohndk
diff --git a/queries/Overprivileged Microsoft Entra Connect accounts.yml b/queries/Overprivileged Microsoft Entra Connect accounts.yml
new file mode 100644
index 0000000..0d1db4e
--- /dev/null
+++ b/queries/Overprivileged Microsoft Entra Connect accounts.yml
@@ -0,0 +1,19 @@
+name: Overprivileged Microsoft Entra Connect accounts
+guid: 9e6e75b4-9ecc-45d4-a39b-b6427b813f0a
+prebuilt: false
+platform:
+- Active Directory
+- Azure
+category: Active Directory Hygiene
+description: Legacy MSOL accounts were by default deployed with Domain Admins or Enterprise Admins membership.
+query: |-
+ MATCH p=(n:User)-[:MemberOf*1..]->(g:Group)
+ WHERE n.name STARTS WITH "MSOL_"
+ AND (g.objectid ENDS WITH "-512" // Domain Admins
+ OR g.objectid ENDS WITH "-519") // Entterprise Admins
+ RETURN p
+note:
+revision: 1
+resources: https://learn.microsoft.com/en-us/entra/identity/hybrid/connect/reference-connect-accounts-permissions
+acknowledgements: Martin Sohn Christensen, @martinsohndk
+
diff --git a/queries/Sessions across trusts.yml b/queries/Sessions across trusts.yml
index 76e010b..9925207 100644
--- a/queries/Sessions across trusts.yml
+++ b/queries/Sessions across trusts.yml
@@ -12,6 +12,5 @@ query: |-
 note:
 revision: 1
 resources:
-acknowledgement:
 acknowledgements: Martin Sohn Christensen, @martinsohndk
diff --git a/queries/Trace ACE inheritance.yml b/queries/Trace ACE inheritance.yml
index ec6909f..2eaf422 100644
--- a/queries/Trace ACE inheritance.yml
+++ b/queries/Trace ACE inheritance.yml
@@ -14,6 +14,5 @@ query: |-
 note:
 revision: 1
 resources:
-acknowledgement: Walter.Legowski, @SadProcessor
-acknowledgements: Martin Sohn Christensen, @martinsohndk
+acknowledgements: Walter.Legowski, @SadProcessor
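Review bot: The group filter covers only Domain Admins (`-512`) and Enterprise Admins (`-519`), so an MSOL_ account placed in Administrators (`-544`) or Schema Admins (`-518`) — equally excessive for a sync connector — is not reported; extend the condition to `AND (g.objectid ENDS WITH "-512" OR g.objectid ENDS WITH "-519" OR g.objectid ENDS WITH "-544" OR g.objectid ENDS WITH "-518")`, or match on the repository's Tier Zero marker if it has one (the BadSuccessor queries in this commit refer to Tier Zero, but their filter lies outside these hunks). The inline Cypher comment reads `// Entterprise Admins`; fix to `// Enterprise Admins`. The description explains the legacy default but not the remediation; consider appending `Remove the membership — the connector account only needs the delegated permissions documented in the resource.` so the finding is actionable.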