SpecterOps · martinsohn · Jun 13, 2025 · Jun 12, 2025 · Jun 13, 2025
diff --git a/queries/ACEs across trusts.yml b/queries/ACEs across trusts.yml
@@ -13,6 +13,5 @@ query: |-
 note: 
 revision: 1
 resources: 
-acknowledgement: 
 acknowledgements: Martin Sohn Christensen, @martinsohndk
 
diff --git a/queries/Accounts with weak password storage encryption.yml b/queries/Accounts with weak password storage encryption.yml
@@ -0,0 +1,19 @@
+name: Accounts with weak password storage encryption
+guid: 8bd6fcf2-3f3c-414c-857a-4caf28e49def
+prebuilt: true
+platform: Active Directory
+category: Active Directory Hygiene
+description: Accounts with passwords set before Windows Server 2008 DC promotion, which therefore lack AES encryption keys. Uses the RODC group creation date to find accounts with pwdLastSet dates predating AES key generation capability.
+query: |-
+  MATCH (g:Group)
+  WHERE g.objectid ends with "-521"
+  MATCH (n:Base)
+  WHERE g.domainsid = n.domainsid
+  AND n.pwdlastset < g.whencreated
+  RETURN n
+  LIMIT 100
+note: 
+revision: 1
+resources: https://techcommunity.microsoft.com/blog/coreinfrastructureandsecurityblog/decrypting-the-selection-of-supported-kerberos-encryption-types/1628797
+acknowledgements: Martin Sohn Christensen, @martinsohndk
+
diff --git a/queries/AdminSDHolder protected Accounts and Groups.yml b/queries/AdminSDHolder protected Accounts and Groups.yml
@@ -17,6 +17,5 @@ revision: 1
 resources:
 - https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-adts/a0d0b4fa-2895-4c64-b182-ba64ad0f84b8
 - https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/plan/security-best-practices/appendix-c--protected-accounts-and-groups-in-active-directory
-acknowledgement: 
 acknowledgements: Martin Sohn Christensen, @martinsohndk
 
diff --git a/queries/All incoming and local paths for a specific computer.yml b/queries/All incoming and local paths for a specific computer.yml
@@ -13,6 +13,5 @@ query: |-
 note: 
 revision: 1
 resources: 
-acknowledgement: 
 acknowledgements: Martin Sohn Christensen, @martinsohndk
 
diff --git a/queries/All paths crossing a specific trust.yml b/queries/All paths crossing a specific trust.yml
@@ -15,6 +15,5 @@ query: |-
 note: 
 revision: 1
 resources: 
-acknowledgement: 
 acknowledgements: Martin Sohn Christensen, @martinsohndk
 
diff --git a/queries/Computers without Windows LAPS.yml b/queries/Computers without Windows LAPS.yml
@@ -0,0 +1,18 @@
+name: Computers without Windows LAPS
+guid: 7c50f724-c467-4005-8e3f-9a6ce1461db0
+prebuilt: false
+platform: Active Directory
+category: Active Directory Hygiene
+description: 
+query: |-
+  MATCH (c:Computer)
+  WHERE c.operatingsystem =~ '(?i).*WINDOWS (SERVER)? ?(10|11|2019|2022|2025).*'
+  AND c.haslaps = false
+  AND c.enabled = true
+  RETURN c
+  LIMIT 100
+note: 
+revision: 1
+resources: https://learn.microsoft.com/en-us/windows-server/identity/laps/laps-overview
+acknowledgements: Martin Sohn Christensen, @martinsohndk
+
diff --git a/queries/Enrollment rights on published ESC15 certificate templates.yml b/queries/Enrollment rights on published ESC15 certificate templates.yml
@@ -0,0 +1,20 @@
+name: Enrollment rights on published ESC15 certificate templates
+guid: 78d59fe1-e1a0-4813-adc9-c3c96ac08b66
+prebuilt: false
+platform: Active Directory
+category: Active Directory Certificate Services
+description: Enrollment rights on certificate templates that meet the requirements for the ADCS ESC15 (EKUwu) attack.
+query: |-
+  MATCH p=(:Base)-[:Enroll|AllExtendedRights]->(ct:CertTemplate)-[:PublishedTo]->(:EnterpriseCA)-[:TrustedForNTAuth]->(:NTAuthStore)-[:NTAuthStoreFor]->(:Domain)
+  WHERE ct.enrolleesuppliessubject = True
+  AND ct.authenticationenabled = False
+  AND ct.requiresmanagerapproval = False
+  AND ct.schemaversion = 1
+  RETURN p
+note: 
+revision: 1
+resources:
+- https://x.com/SpecterOps/status/1844800558151901639
+- https://msrc.microsoft.com/update-guide/en-US/advisory/CVE-2024-49019
+acknowledgements: Jonas Bülow Knudsen, @Jonas_B_K
+
diff --git a/queries/Map Azure Management structure.yml b/queries/Map Azure Management structure.yml
@@ -11,6 +11,5 @@ query: |-
 note: 
 revision: 1
 resources: https://learn.microsoft.com/en-us/azure/governance/management-groups/overview
-acknowledgement: Martin Sohn Christensen, @martinsohndk
 acknowledgements: Martin Sohn Christensen, @martinsohndk
 
diff --git a/queries/Microsoft Entra Connect accounts with passwords not rotated in over 90 days.yml b/queries/Microsoft Entra Connect accounts with passwords not rotated in over 90 days.yml
@@ -0,0 +1,20 @@
+name: Microsoft Entra Connect accounts with passwords not rotated in over 90 days
+guid: 97fb1310-d15d-4d63-82a2-8788056250f1
+prebuilt: false
+platform:
+- Active Directory
+- Azure
+category: Active Directory Hygiene
+description: Micosoft recommends to change the password of MSOL accounts every 90 days to prevent attackers from allowing use of the high privileges
+query: |-
+  WITH 90 as days_since_change
+  MATCH (u:User)
+  WHERE u.name STARTS WITH "MSOL_"
+  AND u.pwdlastset < (datetime().epochseconds - (days_since_change * 86400))
+  AND NOT u.pwdlastset IN [-1.0, 0.0]
+  RETURN u
+note: 
+revision: 1
+resources: https://learn.microsoft.com/en-us/defender-for-identity/rotate-password-microsoft-entra-connect
+acknowledgements: Martin Sohn Christensen, @martinsohndk
+
diff --git a/queries/Non-Tier Zero principals with BadSuccessor rights (no prerequisites check).yml b/queries/Non-Tier Zero principals with BadSuccessor rights (no prerequisites check).yml
@@ -13,6 +13,5 @@ query: |-
 note: 
 revision: 1
 resources: https://bsky.app/profile/specterops.io/post/3lpua65qeu22l
-acknowledgement: Martin Sohn Christensen, @martinsohndk
 acknowledgements: Martin Sohn Christensen, @martinsohndk
 
diff --git a/queries/Non-Tier Zero principals with BadSuccessor rights (with prerequisites check).yml b/queries/Non-Tier Zero principals with BadSuccessor rights (with prerequisites check).yml
@@ -23,6 +23,5 @@ query: |-
 note: 
 revision: 1
 resources: https://bsky.app/profile/specterops.io/post/3lpua65qeu22l
-acknowledgement: Martin Sohn Christensen, @martinsohndk
 acknowledgements: Martin Sohn Christensen, @martinsohndk
 
diff --git a/queries/Overprivileged Microsoft Entra Connect accounts.yml b/queries/Overprivileged Microsoft Entra Connect accounts.yml
@@ -0,0 +1,19 @@
+name: Overprivileged Microsoft Entra Connect accounts
+guid: 9e6e75b4-9ecc-45d4-a39b-b6427b813f0a
+prebuilt: false
+platform:
+- Active Directory
+- Azure
+category: Active Directory Hygiene
+description: Legacy MSOL accounts were by default deployed with Domain Admins or Enterprise Admins membership.
+query: |-
+  MATCH p=(n:User)-[:MemberOf*1..]->(g:Group)
+  WHERE n.name STARTS WITH "MSOL_"
+  AND (g.objectid ENDS WITH "-512" // Domain Admins
+  OR g.objectid ENDS WITH "-519") // Entterprise Admins
+  RETURN p
+note: 
+revision: 1
+resources: https://learn.microsoft.com/en-us/entra/identity/hybrid/connect/reference-connect-accounts-permissions
+acknowledgements: Martin Sohn Christensen, @martinsohndk
+
diff --git a/queries/Sessions across trusts.yml b/queries/Sessions across trusts.yml
@@ -12,6 +12,5 @@ query: |-
 note: 
 revision: 1
 resources: 
-acknowledgement: 
 acknowledgements: Martin Sohn Christensen, @martinsohndk
 
diff --git a/queries/Trace ACE inheritance.yml b/queries/Trace ACE inheritance.yml
@@ -14,6 +14,5 @@ query: |-
 note: 
 revision: 1
 resources: 
-acknowledgement: Walter.Legowski, @SadProcessor
-acknowledgements: Martin Sohn Christensen, @martinsohndk
+acknowledgements: Walter.Legowski, @SadProcessor