diff --git a/Queries.json b/Queries.json
index acc5b3d..e1994b5 100644
--- a/Queries.json
+++ b/Queries.json
@@ -3,212 +3,244 @@ "name": "Computers with the outgoing NTLM setting set to Deny all", "guid": "a9ddca74-feeb-4dbf-8b0f-de08b3cfa8a6", "prebuilt": true, - "platform": "Active Directory", + "platform": [ + "Active Directory" + ], "category": "NTLM Relay Attacks", "description": null, "query": "MATCH (c:Computer)\nWHERE c.restrictoutboundntlm = True\nRETURN c LIMIT 1000", - "note": null, "revision": 1, + "note": null, "resources": null, - "acknowledgements": null + "acknowledgement": null }, { "name": "Shortest paths to systems trusted for unconstrained delegation", "guid": "16a9e47b-45f8-4514-b409-771bb5186142", "prebuilt": true, - "platform": "Active Directory", + "platform": [ + "Active Directory" + ], "category": "Shortest Paths", "description": null, "query": "MATCH p=shortestPath((s)-[:Owns|GenericAll|GenericWrite|WriteOwner|WriteDacl|MemberOf|ForceChangePassword|AllExtendedRights|AddMember|HasSession|GPLink|AllowedToDelegate|CoerceToTGT|AllowedToAct|AdminTo|CanPSRemote|CanRDP|ExecuteDCOM|HasSIDHistory|AddSelf|DCSync|ReadLAPSPassword|ReadGMSAPassword|DumpSMSAPassword|SQLAdmin|AddAllowedToAct|WriteSPN|AddKeyCredentialLink|SyncLAPSPassword|WriteAccountRestrictions|WriteGPLink|GoldenCert|ADCSESC1|ADCSESC3|ADCSESC4|ADCSESC6a|ADCSESC6b|ADCSESC9a|ADCSESC9b|ADCSESC10a|ADCSESC10b|ADCSESC13|SyncedToEntraUser|CoerceAndRelayNTLMToSMB|CoerceAndRelayNTLMToADCS|WriteOwnerLimitedRights|OwnsLimitedRights|CoerceAndRelayNTLMToLDAP|CoerceAndRelayNTLMToLDAPS|Contains|DCFor|SameForestTrust|SpoofSIDHistory|AbuseTGTDelegation*1..]->(t:Computer))\nWHERE t.unconstraineddelegation = true AND s<>t\nRETURN p\nLIMIT 1000", - "note": null, "revision": 1, + "note": null, "resources": null, - "acknowledgements": null + "acknowledgement": null }, { "name": "All service principals with Microsoft Graph privilege to grant arbitrary App Roles", "guid": "e6d6b5da-89da-4514-a409-2d6e368397da", "prebuilt": true, - "platform": "Azure", + "platform": [ + "Azure" + ], "category": "Microsoft Graph", 
"description": null, "query": "MATCH p=(:AZServicePrincipal)-[:AZMGGrantAppRoles]->(:AZTenant)\nRETURN p\nLIMIT 1000", - "note": null, "revision": 1, + "note": null, "resources": null, - "acknowledgements": null + "acknowledgement": null }, { "name": "Accounts with SID History", "guid": "8172d52c-a975-49bd-9180-5b6efc59c9ab", "prebuilt": false, - "platform": "Active Directory", + "platform": [ + "Active Directory" + ], "category": "Active Directory Hygiene", "description": null, "query": "MATCH p=(:Base)-[:HasSIDHistory]->(:Base)\nRETURN p", - "note": null, "revision": 1, + "note": null, "resources": null, - "acknowledgements": "Martin Sohn Christensen, @martinsohndk" + "acknowledgement": null }, { "name": "Domain controllers with weak certificate binding enabled", "guid": "a2444d99-10b5-412d-8fea-4b063cfddd2c", "prebuilt": true, - "platform": "Active Directory", + "platform": [ + "Active Directory" + ], "category": "Active Directory Certificate Services", "description": null, "query": "MATCH p = (s:Computer)-[:DCFor]->(:Domain)\nWHERE s.strongcertificatebindingenforcementraw = 0 OR s.strongcertificatebindingenforcementraw = 1\nRETURN p\nLIMIT 1000", - "note": null, "revision": 1, + "note": null, "resources": null, - "acknowledgements": null + "acknowledgement": null }, { "name": "Servers where Domain Users can RDP", "guid": "b9a330ae-1d89-44d4-8f74-9ca18e93eb92", "prebuilt": true, - "platform": "Active Directory", + "platform": [ + "Active Directory" + ], "category": "Dangerous Privileges", "description": null, "query": "MATCH p=(s:Group)-[:CanRDP]->(t:Computer)\nWHERE s.objectid ENDS WITH '-513' AND toUpper(t.operatingsystem) CONTAINS 'SERVER'\nRETURN p\nLIMIT 1000", - "note": null, "revision": 1, + "note": null, "resources": null, - "acknowledgements": null + "acknowledgement": null }, { "name": "Unresolved SID with outbound control", "guid": "4e8429f9-cba2-41e9-bac6-0c42f96b2c57", "prebuilt": false, - "platform": "Active Directory", + "platform": [ + "Active 
Directory" + ], "category": "Active Directory Hygiene", "description": null, "query": "MATCH p=(n:Base)-[r]->(:Base)\nWHERE r.isacl\nAND n.name CONTAINS \"S-1-5-21-\" // Unresolved SID\nRETURN p\nLIMIT 1000", - "note": null, "revision": 1, + "note": null, "resources": null, - "acknowledgements": "Martin Sohn Christensen, @martinsohndk" + "acknowledgement": null }, { "name": "All service principals with Microsoft Graph App Role assignments", "guid": "74440269-eb41-476b-8dec-b4095569b029", "prebuilt": true, - "platform": "Azure", + "platform": [ + "Azure" + ], "category": "Microsoft Graph", "description": null, "query": "MATCH p=(:AZServicePrincipal)-[:AZMGAppRoleAssignment_ReadWrite_All|AZMGApplication_ReadWrite_All|AZMGDirectory_ReadWrite_All|AZMGGroupMember_ReadWrite_All|AZMGGroup_ReadWrite_All|AZMGRoleManagement_ReadWrite_Directory|AZMGServicePrincipalEndpoint_ReadWrite_All]->(:AZServicePrincipal)\nRETURN p\nLIMIT 1000", - "note": null, "revision": 1, + "note": null, "resources": null, - "acknowledgements": null + "acknowledgement": null }, { "name": "Domains not mitigating CVE-2021-42291", "guid": "02202726-d86d-46c2-891c-9770c635f76f", "prebuilt": false, - "platform": "Active Directory", + "platform": [ + "Active Directory" + ], "category": "Active Directory Hygiene", "description": "Checks the AttributeAuthorizationOnLDAPAdd flag of dSHeuristics.", "query": "MATCH (n:Domain)\nWHERE n.dsheuristics =~ \".{27}[^1].*\"\nRETURN n", - "note": null, "revision": 1, + "note": null, "resources": "https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-adts/e5899be4-862e-496f-9a38-33950617d2c5", - "acknowledgements": "Martin Sohn Christensen, @martinsohndk" + "acknowledgement": null }, { "name": "Shortest paths from Domain Users to Tier Zero / High Value targets", "guid": "469dc0f3-71b8-41b0-a03b-b4af7874665d", "prebuilt": true, - "platform": "Active Directory", + "platform": [ + "Active Directory" + ], "category": "Shortest Paths", "description": null, "query": 
"MATCH p=shortestPath((s:Group)-[:Owns|GenericAll|GenericWrite|WriteOwner|WriteDacl|MemberOf|ForceChangePassword|AllExtendedRights|AddMember|HasSession|GPLink|AllowedToDelegate|CoerceToTGT|AllowedToAct|AdminTo|CanPSRemote|CanRDP|ExecuteDCOM|HasSIDHistory|AddSelf|DCSync|ReadLAPSPassword|ReadGMSAPassword|DumpSMSAPassword|SQLAdmin|AddAllowedToAct|WriteSPN|AddKeyCredentialLink|SyncLAPSPassword|WriteAccountRestrictions|WriteGPLink|GoldenCert|ADCSESC1|ADCSESC3|ADCSESC4|ADCSESC6a|ADCSESC6b|ADCSESC9a|ADCSESC9b|ADCSESC10a|ADCSESC10b|ADCSESC13|SyncedToEntraUser|CoerceAndRelayNTLMToSMB|CoerceAndRelayNTLMToADCS|WriteOwnerLimitedRights|OwnsLimitedRights|CoerceAndRelayNTLMToLDAP|CoerceAndRelayNTLMToLDAPS|Contains|DCFor|SameForestTrust|SpoofSIDHistory|AbuseTGTDelegation*1..]->(t:Base))\nWHERE s.objectid ENDS WITH '-513' AND s<>t\nAND ((t:Tag_Tier_Zero) OR COALESCE(t.system_tags, '') CONTAINS 'admin_tier_0')\nRETURN p\nLIMIT 1000", - "note": null, "revision": 1, + "note": null, "resources": null, - "acknowledgements": null + "acknowledgement": null }, { "name": "Paths from Domain Users to Tier Zero / High Value targets", "guid": "977bec40-565c-40b8-90c8-e3e122c291cd", "prebuilt": true, - "platform": "Active Directory", + "platform": [ + "Active Directory" + ], "category": "Dangerous Privileges", "description": null, "query": "MATCH 
p=shortestPath((s:Group)-[:Owns|GenericAll|GenericWrite|WriteOwner|WriteDacl|MemberOf|ForceChangePassword|AllExtendedRights|AddMember|HasSession|GPLink|AllowedToDelegate|CoerceToTGT|AllowedToAct|AdminTo|CanPSRemote|CanRDP|ExecuteDCOM|HasSIDHistory|AddSelf|DCSync|ReadLAPSPassword|ReadGMSAPassword|DumpSMSAPassword|SQLAdmin|AddAllowedToAct|WriteSPN|AddKeyCredentialLink|SyncLAPSPassword|WriteAccountRestrictions|WriteGPLink|GoldenCert|ADCSESC1|ADCSESC3|ADCSESC4|ADCSESC6a|ADCSESC6b|ADCSESC9a|ADCSESC9b|ADCSESC10a|ADCSESC10b|ADCSESC13|SyncedToEntraUser|CoerceAndRelayNTLMToSMB|CoerceAndRelayNTLMToADCS|WriteOwnerLimitedRights|OwnsLimitedRights|CoerceAndRelayNTLMToLDAP|CoerceAndRelayNTLMToLDAPS|Contains|DCFor|SameForestTrust|SpoofSIDHistory|AbuseTGTDelegation*1..]->(t:Base))\nWHERE s.objectid ENDS WITH '-513' AND s<>t\nAND ((t:Tag_Tier_Zero) OR COALESCE(t.system_tags, '') CONTAINS 'admin_tier_0')\nRETURN p\nLIMIT 1000", - "note": null, "revision": 1, + "note": null, "resources": null, - "acknowledgements": null + "acknowledgement": null }, { "name": "All Global Administrators", "guid": "94d7d765-6837-4eb8-aa33-e1c9ef262cdc", "prebuilt": true, - "platform": "Azure", + "platform": [ + "Azure" + ], "category": "General", "description": null, "query": "MATCH p = (:AZBase)-[:AZGlobalAdmin*1..]->(:AZTenant)\nRETURN p\nLIMIT 1000", - "note": null, "revision": 1, + "note": null, "resources": null, - "acknowledgements": null + "acknowledgement": null }, { "name": "Large default group added to computer-local group", "guid": "dde133d2-b4d2-4de9-a656-905f3bf066f3", "prebuilt": false, - "platform": "Active Directory", + "platform": [ + "Active Directory" + ], "category": "Dangerous Privileges", "description": null, "query": "MATCH p=(n:Group)-[:MemberOfLocalGroup]->(m:ADLocalGroup)-[:LocalToComputer]->(:Computer)\nWHERE n.objectid =~ \".*-(S-1-5-11|S-1-1-0|S-1-5-32-545|S-1-5-7|-513|-515)$\" // Authenticated Users, Everyone, Users, Anonymous, Domain Users, Domain Computers\nAND NOT 
m.objectid =~ \".*-(545|574|554)$\" // Users, Certificate Service DCOM Access, Pre-Windows 2000 Compatible Access\nRETURN p", - "note": null, "revision": 1, + "note": null, "resources": null, - "acknowledgements": "Martin Sohn Christensen, @martinsohndk" + "acknowledgement": null }, { "name": "Domains where any user can join a computer to the domain", "guid": "421921fa-bc0f-4659-9680-b7481adcb132", "prebuilt": true, - "platform": "Active Directory", + "platform": [ + "Active Directory" + ], "category": "Active Directory Hygiene", "description": null, "query": "MATCH (n:Domain)\nWHERE n.machineaccountquota > 0\nRETURN n", - "note": "Does not check the 'Add workstations to domain' URA Security Policy on DCs.", "revision": 1, + "note": "Does not check the 'Add workstations to domain' URA Security Policy on DCs.", "resources": [ "https://learn.microsoft.com/en-us/troubleshoot/windows-server/active-directory/default-workstation-numbers-join-domain", "https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/security-policy-settings/add-workstations-to-domain" ], - "acknowledgements": null + "acknowledgement": null }, { "name": "Computers with passwords older than the default maximum password age", "guid": "185c5010-8d4f-4f9b-b24e-831707dddfca", "prebuilt": false, - "platform": "Active Directory", + "platform": [ + "Active Directory" + ], "category": "Active Directory Hygiene", "description": "Machine account passwords are regularly changed for security purposes. 
Starting with Windows 2000-based computers, the machine account password automatically changes every 30 days.", "query": "WITH 60 as rotation_period\nMATCH (n:Computer)\nWHERE n.pwdlastset < (datetime().epochseconds - (rotation_period * 86400)) // password not rotated\nAND n.enabled = true // enabled computers\nAND n.whencreated < (datetime().epochseconds - (rotation_period * 86400)) // exclude recently created computers\nAND n.lastlogontimestamp > (datetime().epochseconds - (rotation_period * 86400)) // active computers (Replicated value)\nAND n.lastlogon > (datetime().epochseconds - (rotation_period * 86400)) // active computers (Non-replicated value)\nRETURN n", - "note": null, "revision": 1, + "note": null, "resources": "https://learn.microsoft.com/en-us/troubleshoot/windows-server/windows-security/disable-machine-account-password", - "acknowledgements": "Martin Sohn Christensen, @martinsohndk" + "acknowledgement": null }, { "name": "Computers not requiring inbound SMB signing", "guid": "6b1fcfb6-b010-41a2-9d31-f9872fe994ff", "prebuilt": true, - "platform": "Active Directory", + "platform": [ + "Active Directory" + ], "category": "NTLM Relay Attacks", "description": null, "query": "MATCH (n:Computer)\nWHERE n.smbsigning = False\nRETURN n", - "note": null, "revision": 1, + "note": null, "resources": null, - "acknowledgements": null + "acknowledgement": null }, { "name": "On-Prem Users synced to Entra Users with Entra Admin Roles (group delegated)", 
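Review bot: The rename of `acknowledgements` to `acknowledgement` writes `null` into every entry, so the attribution the old side carried on the community-contributed queries in this hunk ("Accounts with SID History", "Unresolved SID with outbound control", "Domains not mitigating CVE-2021-42291", "Large default group added to computer-local group", "Computers with passwords older than the default maximum password age") is discarded instead of migrated; the second and third hunks drop the same value on their Martin Sohn Christensen entries (e.g. "Tier Zero computers not owned by Tier Zero", "Domains allowing unauthenticated NSPI RPC binds"). If the key rename is the intent, those entries should read `"acknowledgement": "Martin Sohn Christensen, @martinsohndk"` so the schema change is lossless. The entries that previously had both keys ("All incoming and local paths for a specific computer", "ACEs across trusts" in the third hunk) look like a duplicate-key cleanup, but they too collapse to `null` rather than keeping the populated value. Since `platform` becomes an array in the same commit, it is worth confirming that the consumer still expects `acknowledgement` to be a plain string or null before settling the final shape.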
@@ -221,101 +253,115 @@ "category": "Cross Platform Attack Paths", "description": null, "query": "MATCH p = (:User)-[:SyncedToEntraUser]->(:AZUser)-[:AZMemberOf]->(:AZGroup)-[:AZHasRole]->(:AZRole)\nRETURN p\nLIMIT 1000", - "note": null, "revision": 1, + "note": null, "resources": null, - "acknowledgements": null + "acknowledgement": null }, { "name": "Principals with passwords stored using reversible encryption", "guid": "ab900835-b2b8-4674-87b4-8b5141e80439", "prebuilt": true, - "platform": "Active Directory", + "platform": [ + "Active Directory" + ], "category": "Active Directory Hygiene", "description": null, "query": "MATCH (n:Base)\nWHERE n.encryptedtextpwdallowed = true\nRETURN n", - "note": null, "revision": 1, + "note": null, "resources": null, - "acknowledgements": null + "acknowledgement": null }, { "name": "Enrollment rights on published ESC2 certificate templates", "guid": "ebc77984-1ceb-4ed2-a395-ce1067847941", "prebuilt": true, - "platform": "Active Directory", + "platform": [ + "Active Directory" + ], "category": "Active Directory Certificate Services", "description": null, "query": "MATCH p = (:Base)-[:Enroll|GenericAll|AllExtendedRights]->(c:CertTemplate)-[:PublishedTo]->(:EnterpriseCA)\nWHERE c.requiresmanagerapproval = false\nAND (c.effectiveekus = [''] OR '2.5.29.37.0' IN c.effectiveekus)\nAND (c.authorizedsignatures = 0 OR c.schemaversion = 1)\nRETURN p\nLIMIT 1000", - "note": null, "revision": 1, + "note": null, "resources": null, - "acknowledgements": null + "acknowledgement": null }, { "name": "PKI hierarchy", "guid": "928acc23-ee4c-40a5-bde7-64c05cc1491d", "prebuilt": true, - "platform": "Active Directory", + "platform": [ + "Active Directory" + ], "category": "Active Directory Certificate Services", "description": null, "query": "MATCH p=()-[:HostsCAService|IssuedSignedBy|EnterpriseCAFor|RootCAFor|TrustedForNTAuth|NTAuthStoreFor*..]->(:Domain)\nRETURN p\nLIMIT 1000", - "note": null, "revision": 1, + "note": null, "resources": null, - 
"acknowledgements": null + "acknowledgement": null }, { "name": "Enrollment rights on certificate templates published to Enterprise CA with User Specified SAN enabled", "guid": "96e70597-2d74-4503-a624-f1e30b642894", "prebuilt": true, - "platform": "Active Directory", + "platform": [ + "Active Directory" + ], "category": "Active Directory Certificate Services", "description": null, "query": "MATCH p = (:Base)-[:Enroll|GenericAll|AllExtendedRights]->(ct:CertTemplate)-[:PublishedTo]->(eca:EnterpriseCA)\nWHERE eca.isuserspecifiessanenabled = True\nRETURN p\nLIMIT 1000", - "note": null, "revision": 1, + "note": null, "resources": null, - "acknowledgements": null + "acknowledgement": null }, { "name": "Tier Zero computers not owned by Tier Zero", "guid": "99d29ded-223a-442b-a0e0-f8b5694c6441", "prebuilt": false, - "platform": "Active Directory", + "platform": [ + "Active Directory" + ], "category": "Dangerous Privileges", "description": null, "query": "MATCH p=(n:Base)-[:Owns]->(:Computer)\nWHERE NOT coalesce(n.system_tags, \"\") CONTAINS \"admin_tier_0\"\nRETURN p", - "note": null, "revision": 1, + "note": null, "resources": null, - "acknowledgements": "Martin Sohn Christensen, @martinsohndk" + "acknowledgement": null }, { "name": "Shortest paths to Azure Subscriptions", "guid": "4785b305-c101-461c-80fc-3fb3ff67a8ce", "prebuilt": true, - "platform": "Azure", + "platform": [ + "Azure" + ], "category": "Shortest Paths", "description": null, "query": "MATCH 
p=shortestPath((s:AZBase)-[:AZAvereContributor|AZContributor|AZGetCertificates|AZGetKeys|AZGetSecrets|AZHasRole|AZMemberOf|AZOwner|AZRunsAs|AZVMContributor|AZAutomationContributor|AZKeyVaultContributor|AZVMAdminLogin|AZAddMembers|AZAddSecret|AZExecuteCommand|AZGlobalAdmin|AZPrivilegedAuthAdmin|AZGrant|AZGrantSelf|AZPrivilegedRoleAdmin|AZResetPassword|AZUserAccessAdministrator|AZOwns|AZCloudAppAdmin|AZAppAdmin|AZAddOwner|AZManagedIdentity|AZAKSContributor|AZNodeResourceGroup|AZWebsiteContributor|AZLogicAppContributor|AZMGAddMember|AZMGAddOwner|AZMGAddSecret|AZMGGrantAppRoles|AZMGGrantRole|SyncedToADUser|AZRoleEligible|AZContains*1..]->(t:AZSubscription))\nWHERE s<>t\nRETURN p\nLIMIT 1000", - "note": null, "revision": 1, + "note": null, "resources": null, - "acknowledgements": null + "acknowledgement": null }, { "name": "Kerberoastable users with most admin privileges", "guid": "9907b208-494c-4ba6-846d-485e6de14e17", "prebuilt": true, - "platform": "Active Directory", + "platform": [ + "Active Directory" + ], "category": "Kerberos Interaction", "description": null, "query": "MATCH (u:User)\nWHERE u.hasspn = true\n AND u.enabled = true\n AND NOT u.objectid ENDS WITH '-502'\n AND NOT COALESCE(u.gmsa, false) = true\n AND NOT COALESCE(u.msa, false) = true\nMATCH (u)-[:MemberOf|AdminTo*1..]->(c:Computer)\nWITH DISTINCT u, COUNT(c) AS adminCount\nRETURN u\nORDER BY adminCount DESC\nLIMIT 100", - "note": null, "revision": 1, + "note": null, "resources": "https://attack.mitre.org/techniques/T1558/003/", - "acknowledgements": null + "acknowledgement": null }, { "name": "On-Prem Users synced to Entra Users that Own Entra Objects", 
@@ -328,406 +374,463 @@ "category": "Cross Platform Attack Paths", "description": null, "query": "MATCH p = (:User)-[:SyncedToEntraUser]->(:AZUser)-[:AZOwns]->(:AZBase)\nRETURN p\nLIMIT 1000", - "note": null, "revision": 1, + "note": null, "resources": null, - "acknowledgements": null + "acknowledgement": null }, { "name": "Domains allowing unauthenticated NSPI RPC binds", "guid": "a950fdab-5934-4c69-a88b-e2e0e3da9d52", "prebuilt": false, - "platform": "Active Directory", + "platform": [ + "Active Directory" + ], "category": "Active Directory Hygiene", "description": "Checks the fAllowAnonNSPI flag of dSHeuristics.", "query": "MATCH (n:Domain)\nWHERE n.dsheuristics =~ \".{7}[^0].*\"\nRETURN n", - "note": null, "revision": 1, + "note": null, "resources": "https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-adts/e5899be4-862e-496f-9a38-33950617d2c5", - "acknowledgements": "Martin Sohn Christensen, @martinsohndk" + "acknowledgement": null }, { "name": "All incoming and local paths for a specific computer", "guid": "1f67e538-19d4-4020-89c8-5b39b31571bd", "prebuilt": false, - "platform": "Active Directory", + "platform": [ + "Active Directory" + ], "category": "Domain Information", "description": "All incoming and local paths for a specific computer; incoming from domain objects and paths local inside the computer.", "query": "// Replace 'HOSTNAME' with the computer's shortname eg. 'SRV01', not FQDN\nMATCH p=(n:Base)-[:RemoteInteractiveLogonPrivilege|AdminTo|CanRDP|LocalToComputer|MemberOfLocalGroup]-(m:Base)\nWHERE m.name CONTAINS 'HOSTNAME'\nAND m.name CONTAINS '.' // Only see computer-related objects (eg. 
not AD Groups)\nRETURN p", - "note": null, "revision": 1, + "note": null, "resources": null, - "acknowledgement": null, - "acknowledgements": "Martin Sohn Christensen, @martinsohndk" + "acknowledgement": null }, { "name": "Tier Zero computers with the WebClient running", "guid": "27a6f917-8ed4-4e2e-9b38-41a4b6de1b14", "prebuilt": false, - "platform": "Active Directory", + "platform": [ + "Active Directory" + ], "category": "Active Directory Hygiene", "description": null, "query": "MATCH (c:Computer)\nWHERE c.webclientrunning = True\nAND ((c:Tag_Tier_Zero) OR COALESCE(c.system_tags, '') CONTAINS 'admin_tier_0')\nRETURN c LIMIT 1000", - "note": null, "revision": 1, + "note": null, "resources": null, - "acknowledgements": "Martin Sohn Christensen, @martinsohndk" + "acknowledgement": null }, { "name": "Non-Tier Zero account with excessive control", "guid": "944cecfe-519b-4318-b226-e8520161b454", "prebuilt": false, - "platform": "Active Directory", + "platform": [ + "Active Directory" + ], "category": "Dangerous Privileges", "description": null, "query": "MATCH (d:Domain)-[:Contains*1..]->(u:User)\nWHERE u.enabled = true\nWITH d, COUNT(u) AS enabledUserCount\nMATCH (d)-[:Contains*1..]->(n:Base)-[r:Owns|GenericAll|GenericWrite|WriteOwner|WriteDacl|ForceChangePassword|AllExtendedRights|AddMember|AllowedToDelegate|AllowedToAct|AdminTo|CanPSRemote|CanRDP|ExecuteDCOM|HasSIDHistory|AddSelf|ReadLAPSPassword|ReadGMSAPassword|DumpSMSAPassword|SQLAdmin|AddAllowedToAct|WriteSPN|AddKeyCredentialLink|SyncLAPSPassword|WriteAccountRestrictions]->(m:Base)\nWHERE NOT ((n:Tag_Tier_Zero) OR COALESCE(n.system_tags, '') CONTAINS 'admin_tier_0')\nWITH n, enabledUserCount, COLLECT(DISTINCT(m)) AS endNodes\nWHERE SIZE(endNodes) >= 1000\nRETURN n", - "note": "Finds Non-Tier Zero principals with control of >1000 Non-Tier Zero principals", "revision": 1, + "note": "Finds Non-Tier Zero principals with control of >1000 Non-Tier Zero principals", "resources": null, - "acknowledgements": "Martin Sohn 
Christensen, @martinsohndk" + "acknowledgement": null }, { "name": "Devices with unsupported operating systems", "guid": "e3f2b53a-7ce6-4e52-9c74-68b69338288b", "prebuilt": true, - "platform": "Azure", + "platform": [ + "Azure" + ], "category": "Azure Hygiene", "description": null, "query": "MATCH (n:AZDevice)\nWHERE n.operatingsystem CONTAINS 'WINDOWS'\nAND n.operatingsystemversion =~ '(10.0.19044|10.0.22000|10.0.19043|10.0.19042|10.0.19041|10.0.18363|10.0.18362|10.0.17763|10.0.17134|10.0.16299|10.0.15063|10.0.14393|10.0.10586|10.0.10240|6.3.9600|6.2.9200|6.1.7601|6.0.6200|5.1.2600|6.0.6003|5.2.3790|5.0.2195).?.*'\nRETURN n\nLIMIT 100", - "note": null, "revision": 1, + "note": null, "resources": null, - "acknowledgements": null + "acknowledgement": null }, { "name": "Non-default delegation on MicrosoftDNS container", "guid": "008792c0-4458-46a1-a10d-50cdaf95af1e", "prebuilt": false, - "platform": "Active Directory", + "platform": [ + "Active Directory" + ], "category": "Active Directory Hygiene", "description": null, "query": "MATCH p=(n:Base)-[r]->(m:Container)\nWHERE m.distinguishedname STARTS WITH \"CN=MICROSOFTDNS,CN=SYSTEM,DC=\"\nAND NOT n.name STARTS WITH \"DNSADMINS@\"\nAND NOT n.objectid =~ \"-(512|544|519|9)$\"\nAND r.isacl\nRETURN p", - "note": null, "revision": 1, + "note": null, "resources": null, - "acknowledgements": "Martin Sohn Christensen, @martinsohndk" + "acknowledgement": null }, { "name": "Object name conflict", "guid": "c561c4f8-ea45-453f-85a2-3fc2e20e7f8c", "prebuilt": false, - "platform": "Active Directory", + "platform": [ + "Active Directory" + ], "category": "Active Directory Hygiene", "description": "When two objects are created with the same Relative Distinguished Name (RDN) in the same parent Organizational Unit or container, the conflict is recognized by the system when one of the new objects replicates to another domain controller. 
When this happens, one of the objects is renamed with 'CNF'", "query": "MATCH (n:Base)\nWHERE n.distinguishedname CONTAINS 'CNF:'\nRETURN n", - "note": null, "revision": 1, + "note": null, "resources": "https://learn.microsoft.com/en-us/archive/technet-wiki/15435.active-directory-duplicate-object-name-resolution", - "acknowledgements": "Martin Sohn Christensen, @martinsohndk" + "acknowledgement": null }, { "name": "Shortest paths from Azure Applications to Tier Zero / High Value targets", "guid": "60ff7c58-a98e-4bc1-9e32-8378d2db0c43", "prebuilt": true, - "platform": "Azure", + "platform": [ + "Azure" + ], "category": "Shortest Paths", "description": null, "query": "MATCH p=shortestPath((s:AZApp)-[:AZAvereContributor|AZContributor|AZGetCertificates|AZGetKeys|AZGetSecrets|AZHasRole|AZMemberOf|AZOwner|AZRunsAs|AZVMContributor|AZAutomationContributor|AZKeyVaultContributor|AZVMAdminLogin|AZAddMembers|AZAddSecret|AZExecuteCommand|AZGlobalAdmin|AZPrivilegedAuthAdmin|AZGrant|AZGrantSelf|AZPrivilegedRoleAdmin|AZResetPassword|AZUserAccessAdministrator|AZOwns|AZCloudAppAdmin|AZAppAdmin|AZAddOwner|AZManagedIdentity|AZAKSContributor|AZNodeResourceGroup|AZWebsiteContributor|AZLogicAppContributor|AZMGAddMember|AZMGAddOwner|AZMGAddSecret|AZMGGrantAppRoles|AZMGGrantRole|SyncedToADUser|AZRoleEligible|AZContains*1..]->(t:AZBase))\nWHERE ((t:Tag_Tier_Zero) OR COALESCE(t.system_tags, '') CONTAINS 'admin_tier_0') AND s<>t\nRETURN p\nLIMIT 1000", - "note": null, "revision": 1, + "note": null, "resources": null, - "acknowledgements": null + "acknowledgement": null }, { "name": "Domains without Protected Users group", "guid": "8c3e0811-a31b-45b4-a29d-1dce80fa2c5f", "prebuilt": false, - "platform": "Active Directory", + "platform": [ + "Active Directory" + ], "category": "Domain Information", "description": null, "query": "MATCH (n:Domain)\nWHERE n.collected = true\nOPTIONAL MATCH (m:Group)\nWHERE m.name ENDS WITH n.name\nAND m.objectid ENDS WITH '-525'\nWITH n, m\nWHERE m IS NULL\nRETURN 
n", - "note": null, "revision": 1, + "note": null, "resources": null, - "acknowledgements": "Martin Sohn Christensen, @martinsohndk" + "acknowledgement": null }, { "name": "KRBTGT accounts with passwords not rotated in over 1 year", "guid": "1b3ae310-ffa7-4ce5-a37f-6111aef600c8", "prebuilt": false, - "platform": "Active Directory", + "platform": [ + "Active Directory" + ], "category": "Active Directory Hygiene", "description": null, "query": "MATCH (n:User)\nWHERE (n.objectid ENDS WITH '-502'\nOR n.name STARTS WITH 'AZUREADKERBEROS.'\nOR n.name STARTS WITH 'KRBTGT_AZUREAD@')\nAND n.pwdlastset < (datetime().epochseconds - (365 * 86400))\nRETURN n", - "note": null, "revision": 1, + "note": null, "resources": null, - "acknowledgements": "Martin Sohn Christensen, @martinsohndk" + "acknowledgement": null }, { "name": "Users with non-expiring passwords", "guid": "212c2a98-53d9-4dfa-b177-42c601452dd1", "prebuilt": false, - "platform": "Active Directory", + "platform": [ + "Active Directory" + ], "category": "Active Directory Hygiene", "description": null, "query": "MATCH (u:User)\nWHERE u.enabled = true\nAND u.pwdneverexpires = true\nRETURN u\nLIMIT 100", - "note": null, "revision": 1, + "note": null, "resources": null, - "acknowledgements": "Martin Sohn Christensen, @martinsohndk" + "acknowledgement": null }, { "name": "Domain migration groups", "guid": "f39c4953-ae92-4d67-bb50-eb1a161d4d3f", "prebuilt": false, - "platform": "Active Directory", + "platform": [ + "Active Directory" + ], "category": "Domain Information", "description": null, "query": "MATCH (n:Group)\nWHERE n.name CONTAINS \"$$$@\"\nRETURN n", - "note": null, "revision": 1, + "note": null, "resources": null, - "acknowledgements": "Martin Sohn Christensen, @martinsohndk" + "acknowledgement": null }, { "name": "Tier Zero / High Value external Entra ID users", "guid": "20e07417-d286-4dca-a962-568f2b262f65", "prebuilt": true, - "platform": "Azure", + "platform": [ + "Azure" + ], "category": "Azure Hygiene", 
"description": null, "query": "MATCH (n:AZUser)\nWHERE ((n:Tag_Tier_Zero) OR COALESCE(n.system_tags, '') CONTAINS 'admin_tier_0')\nAND n.name CONTAINS '#EXT#@'\nRETURN n\nLIMIT 100", - "note": null, "revision": 1, + "note": null, "resources": null, - "acknowledgements": null + "acknowledgement": null }, { "name": "Shortest paths to privileged roles", "guid": "3dc73dd8-4873-4aeb-a88f-56a58c77f512", "prebuilt": true, - "platform": "Azure", + "platform": [ + "Azure" + ], "category": "Shortest Paths", "description": null, "query": "MATCH p=shortestPath((s:AZBase)-[:AZAvereContributor|AZContributor|AZGetCertificates|AZGetKeys|AZGetSecrets|AZHasRole|AZMemberOf|AZOwner|AZRunsAs|AZVMContributor|AZAutomationContributor|AZKeyVaultContributor|AZVMAdminLogin|AZAddMembers|AZAddSecret|AZExecuteCommand|AZGlobalAdmin|AZPrivilegedAuthAdmin|AZGrant|AZGrantSelf|AZPrivilegedRoleAdmin|AZResetPassword|AZUserAccessAdministrator|AZOwns|AZCloudAppAdmin|AZAppAdmin|AZAddOwner|AZManagedIdentity|AZAKSContributor|AZNodeResourceGroup|AZWebsiteContributor|AZLogicAppContributor|AZMGAddMember|AZMGAddOwner|AZMGAddSecret|AZMGGrantAppRoles|AZMGGrantRole|SyncedToADUser|AZRoleEligible|AZContains*1..]->(t:AZRole))\nWHERE t.name =~ '(?i)Global Administrator|User Administrator|Cloud Application Administrator|Authentication Policy Administrator|Exchange Administrator|Helpdesk Administrator|Privileged Authentication Administrator' AND s<>t\nRETURN p\nLIMIT 1000", - "note": null, "revision": 1, + "note": null, "resources": null, - "acknowledgements": null + "acknowledgement": null }, { "name": "Public Key Services container", "guid": "07e94492-71aa-4665-ab8c-e7aec25906cd", "prebuilt": true, - "platform": "Active Directory", + "platform": [ + "Active Directory" + ], "category": "Active Directory Certificate Services", "description": null, "query": "MATCH p = (c:Container)-[:Contains*..]->(:Base)\nWHERE c.distinguishedname starts with 'CN=PUBLIC KEY SERVICES,CN=SERVICES,CN=CONFIGURATION,DC='\nRETURN p\nLIMIT 
1000", - "note": null, "revision": 1, + "note": null, "resources": null, - "acknowledgements": null + "acknowledgement": null }, { "name": "Shortest paths from Entra Users to Tier Zero / High Value targets", "guid": "58089b28-54e0-4fd2-bf66-3db480b00e2f", "prebuilt": true, - "platform": "Azure", + "platform": [ + "Azure" + ], "category": "Shortest Paths", "description": null, "query": "MATCH p=shortestPath((s:AZUser)-[:AZAvereContributor|AZContributor|AZGetCertificates|AZGetKeys|AZGetSecrets|AZHasRole|AZMemberOf|AZOwner|AZRunsAs|AZVMContributor|AZAutomationContributor|AZKeyVaultContributor|AZVMAdminLogin|AZAddMembers|AZAddSecret|AZExecuteCommand|AZGlobalAdmin|AZPrivilegedAuthAdmin|AZGrant|AZGrantSelf|AZPrivilegedRoleAdmin|AZResetPassword|AZUserAccessAdministrator|AZOwns|AZCloudAppAdmin|AZAppAdmin|AZAddOwner|AZManagedIdentity|AZAKSContributor|AZNodeResourceGroup|AZWebsiteContributor|AZLogicAppContributor|AZMGAddMember|AZMGAddOwner|AZMGAddSecret|AZMGGrantAppRoles|AZMGGrantRole|SyncedToADUser|AZRoleEligible|AZContains*1..]->(t:AZBase))\nWHERE (t:AZBase) AND t.name =~ '(?i)Global Administrator|User Administrator|Cloud Application Administrator|Authentication Policy Administrator|Exchange Administrator|Helpdesk Administrator|Privileged Authentication Administrator' AND s<>t\nAND ((t:Tag_Tier_Zero) OR COALESCE(t.system_tags, '') CONTAINS 'admin_tier_0')\nRETURN p\nLIMIT 1000", - "note": null, "revision": 1, + "note": null, "resources": null, - "acknowledgements": null + "acknowledgement": null }, { "name": "Computers with membership in Protected Users", "guid": "a26372f4-2e92-49f6-8993-6657fbc1569a", "prebuilt": true, - "platform": "Active Directory", + "platform": [ + "Active Directory" + ], "category": "NTLM Relay Attacks", "description": null, "query": "MATCH p = (:Base)-[:MemberOf*1..]->(g:Group)\nWHERE g.objectid ENDS WITH \"-525\"\nRETURN p LIMIT 1000", - "note": null, "revision": 1, + "note": null, "resources": null, - "acknowledgements": null + "acknowledgement": 
null }, { "name": "Accounts with SID History to a non-existent domain", "guid": "2710401a-c4c2-4d2c-9edb-d7625045f2e8", "prebuilt": false, - "platform": "Active Directory", + "platform": [ + "Active Directory" + ], "category": "Active Directory Hygiene", "description": null, "query": "MATCH (d:Domain)\nWITH collect(d.objectid) AS domainSIDs\nMATCH p=(n:Base)-[:HasSIDHistory]->(m:Base)\nWHERE NOT n.domainsid IN domainSIDs\nRETURN p", - "note": null, "revision": 1, + "note": null, "resources": null, - "acknowledgements": "Martin Sohn Christensen, @martinsohndk" + "acknowledgement": null }, { "name": "Tier Zero computers with unsupported operating systems", "guid": "a87b558c-5746-4a90-9f83-c86e7b924a52", "prebuilt": false, - "platform": "Active Directory", + "platform": [ + "Active Directory" + ], "category": "Active Directory Hygiene", "description": null, "query": "MATCH (c:Computer)\nWHERE c.operatingsystem =~ '(?i).*Windows.* (2000|2003|2008|2012|xp|vista|7|8|me|nt).*'\nAND ((c:Tag_Tier_Zero) OR COALESCE(c.system_tags, '') CONTAINS 'admin_tier_0')\nRETURN c\nLIMIT 100", - "note": null, "revision": 1, + "note": null, "resources": null, - "acknowledgements": "Martin Sohn Christensen, @martinsohndk" + "acknowledgement": null }, { "name": "Map OU structure", "guid": "8f14084b-5065-43d8-865a-a6ac52da25d1", "prebuilt": true, - "platform": "Active Directory", + "platform": [ + "Active Directory" + ], "category": "Domain Information", "description": null, "query": "MATCH p = (:Domain)-[:Contains*1..]->(:OU)\nRETURN p\nLIMIT 1000", - "note": null, "revision": 1, + "note": null, "resources": null, - "acknowledgements": null + "acknowledgement": null }, { "name": "ESC8-vulnerable Enterprise CAs", "guid": "60881923-296c-4702-adf7-a4f059dc9bb8", "prebuilt": true, - "platform": "Active Directory", + "platform": [ + "Active Directory" + ], "category": "NTLM Relay Attacks", "description": null, "query": "MATCH (n:EnterpriseCA)\nWHERE n.hasvulnerableendpoint=true\nRETURN n", - 
"note": null, "revision": 1, + "note": null, "resources": null, - "acknowledgements": null + "acknowledgement": null }, { "name": "ACEs across trusts", "guid": "c902d3b4-1a75-4335-acd7-28246dab746d", "prebuilt": false, - "platform": "Active Directory", + "platform": [ + "Active Directory" + ], "category": "Domain Information", "description": "ACEs granted across a trust, the ACEs are set on trusting objects and the rights are granted to objects from trusted domains.", "query": "MATCH p=(trustedDomainPrincipal:Base)-[r]->(trustingDomainPrincipal:Base)\nWHERE trustedDomainPrincipal.domainsid <> trustingDomainPrincipal.domainsid\nAND r.isacl\nRETURN p\nLIMIT 1000", - "note": null, "revision": 1, + "note": null, "resources": null, - "acknowledgement": null, - "acknowledgements": "Martin Sohn Christensen, @martinsohndk" + "acknowledgement": null }, { "name": "Domain Controllers allowing NTLMv1 or LM authentication", "guid": "4b42513c-f89d-47ff-8d98-908af49d2b48", "prebuilt": false, - "platform": "Active Directory", + "platform": [ + "Active Directory" + ], "category": "NTLM Relay Attacks", "description": null, "query": "MATCH (dc:Computer)\nWHERE dc.isdc = true\nAND (dc.lmcompatibilitylevel IS NOT NULL AND NOT dc.lmcompatibilitylevel = 5)\nRETURN dc", - "note": null, "revision": 1, + "note": null, "resources": null, - "acknowledgements": "Martin Sohn Christensen, @martinsohndk" + "acknowledgement": null }, { "name": "Computers with the WebClient running", "guid": "51107ad1-f0bc-43d3-a561-5cee471ca196", "prebuilt": true, - "platform": "Active Directory", + "platform": [ + "Active Directory" + ], "category": "NTLM Relay Attacks", "description": null, "query": "MATCH (c:Computer)\nWHERE c.webclientrunning = True\nRETURN c LIMIT 1000", - "note": null, "revision": 1, + "note": null, "resources": null, - "acknowledgements": null + "acknowledgement": null }, { "name": "Workstations where Domain Users can RDP", "guid": "9486e0e6-2617-4595-b969-cf57ca21fc86", "prebuilt": true, - 
"platform": "Active Directory", + "platform": [ + "Active Directory" + ], "category": "Dangerous Privileges", "description": null, "query": "MATCH p=(s:Group)-[:CanRDP]->(t:Computer)\nWHERE s.objectid ENDS WITH '-513' AND NOT toUpper(t.operatingsystem) CONTAINS 'SERVER'\nRETURN p\nLIMIT 1000", - "note": null, "revision": 1, + "note": null, "resources": null, - "acknowledgements": null + "acknowledgement": null }, { "name": "AdminSDHolder protected Accounts and Groups", "guid": "5ee2f40e-a55c-4140-ab8a-91746ba3752b", "prebuilt": false, - "platform": "Active Directory", + "platform": [ + "Active Directory" + ], "category": "Domain Information", "description": "Objects whose permissions are set by SDProp to the template AdminSDHolder object as per MS-ADTS 3.1.1.6.1.2 Protected Objects. Does not exclude objects if specified in dSHeuristics dwAdminSDExMask", "query": "MATCH (n:Base)-[:MemberOf*0..]->(m:Group)\nWHERE (\n n.objectid =~ \".*-(S-1-5-32-544|S-1-5-32-548|S-1-5-32-549|S-1-5-32-550|S-1-5-32-551|S-1-5-32-552|518|512|519)$\" // Groups\n OR m.objectid =~ \".*-(S-1-5-32-544|S-1-5-32-548|S-1-5-32-549|S-1-5-32-550|S-1-5-32-551|S-1-5-32-552|518|512|519)$\" // Members of groups\n OR n.objectid =~ \".*-(500|502|516|521)$\" // Direct objects\n)\nRETURN n", - "note": null, "revision": 1, + "note": null, "resources": [ "https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-adts/a0d0b4fa-2895-4c64-b182-ba64ad0f84b8", "https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/plan/security-best-practices/appendix-c--protected-accounts-and-groups-in-active-directory" ], - "acknowledgement": null, - "acknowledgements": "Martin Sohn Christensen, @martinsohndk" + "acknowledgement": null }, { "name": "Tier Zero AD principals synchronized with Entra ID", "guid": "a8b6ec67-21aa-4dd2-8906-47bb81bf5262", "prebuilt": true, - "platform": "Azure", + "platform": [ + "Azure" + ], "category": "Azure Hygiene", "description": null, "query": "MATCH (ENTRA:AZBase)\nMATCH 
(AD:Base)\nWHERE ((AD:Tag_Tier_Zero) OR COALESCE(AD.system_tags, '') CONTAINS 'admin_tier_0')\nAND ENTRA.onpremsyncenabled = true\nAND ENTRA.onpremid = AD.objectid\nRETURN ENTRA\n// Replace 'RETURN ENTRA' with 'RETURN AD' to see the corresponding AD principals\nLIMIT 100", - "note": null, "revision": 1, + "note": null, "resources": null, - "acknowledgements": null + "acknowledgement": null }, { "name": "Cross-forest trusts with abusable configuration", "guid": "5cf1f354-80d4-420e-bc4b-424fabc21a56", "prebuilt": true, - "platform": "Active Directory", + "platform": [ + "Active Directory" + ], "category": "Active Directory Hygiene", "description": null, "query": "MATCH p=(n:Domain)-[:CrossForestTrust|SpoofSIDHistory|AbuseTGTDelegation]-(m:Domain)\nWHERE (n)-[:SpoofSIDHistory|AbuseTGTDelegation]-(m)\nRETURN p", - "note": null, "revision": 1, + "note": null, "resources": null, - "acknowledgements": null + "acknowledgement": null }, { "name": "DCs vulnerable to NTLM relay to LDAP attacks", "guid": "3f87e0b0-fc06-4986-a94c-e08781253dc8", "prebuilt": true, - "platform": "Active Directory", + "platform": [ + "Active Directory" + ], "category": "NTLM Relay Attacks", "description": null, "query": "MATCH p = (dc:Computer)-[:DCFor]->(:Domain)\nWHERE (dc.ldapavailable = True AND dc.ldapsigning = False)\nOR (dc.ldapsavailable = True AND dc.ldapsepa = False)\nOR (dc.ldapavailable = True AND dc.ldapsavailable = True AND dc.ldapsigning = False and dc.ldapsepa = True)\nRETURN p", - "note": null, "revision": 1, + "note": null, "resources": null, - "acknowledgements": null + "acknowledgement": null }, { "name": "Tier Zero / High Value enabled users not requiring smart card authentication", "guid": "867f9f17-c149-4c4b-ad84-9a807622ff8c", "prebuilt": true, - "platform": "Active Directory", + "platform": [ + "Active Directory" + ], "category": "Active Directory Hygiene", "description": null, "query": "MATCH (u:User)\nWHERE ((u:Tag_Tier_Zero) OR COALESCE(u.system_tags, '') CONTAINS 
'admin_tier_0')\nAND u.enabled = true\nAND u.smartcardrequired = false\nAND NOT u.name STARTS WITH 'MSOL_' // Removes false positive, Entra sync\nAND NOT u.name STARTS WITH 'PROVAGENTGMSA' // Removes false positive, Entra sync\nAND NOT u.name STARTS WITH 'ADSYNCMSA_' // Removes false positive, Entra sync\nRETURN u", - "note": null, "revision": 1, + "note": null, "resources": null, - "acknowledgements": null + "acknowledgement": null }, { "name": "Entra Users synced from On-Prem Users added to Domain Admins group", 
@@ -740,248 +843,283 @@ "category": "Cross Platform Attack Paths", "description": null, "query": "MATCH p = (:AZUser)-[:SyncedToADUser]->(:User)-[:MemberOf]->(t:Group)\nWHERE t.objectid ENDS WITH '-512'\nRETURN p\nLIMIT 1000", - "note": null, "revision": 1, + "note": null, "resources": null, - "acknowledgements": null + "acknowledgement": null }, { "name": "Computers with unsupported operating systems", "guid": "d06d3b14-0318-4fa9-9639-4b79ccaf3c2c", "prebuilt": true, - "platform": "Active Directory", + "platform": [ + "Active Directory" + ], "category": "Active Directory Hygiene", "description": null, "query": "MATCH (c:Computer)\nWHERE c.operatingsystem =~ '(?i).*Windows.* (2000|2003|2008|2012|xp|vista|7|8|me|nt).*'\nRETURN c\nLIMIT 100", - "note": null, "revision": 1, + "note": null, "resources": null, - "acknowledgements": null + "acknowledgement": null }, { "name": "Non-Tier Zero account with 'Admin Count' flag", "guid": "e7f703b3-5dba-4aef-8346-4d589be2c828", "prebuilt": false, - "platform": "Active Directory", + "platform": [ + "Active Directory" + ], "category": "Active Directory Hygiene", "description": "Users who were a member of one of AD's built-in administrative groups but are not currently Tier Zero.", "query": "MATCH (n:User)\nWHERE NOT ((n:Tag_Tier_Zero) OR COALESCE(n.system_tags, '') CONTAINS 'admin_tier_0')\nAND n.admincount = true\nRETURN n", - "note": null, "revision": 1, + "note": null, "resources": "https://learn.microsoft.com/en-us/windows/win32/adschema/a-admincount", - "acknowledgements": "Martin Sohn Christensen, @martinsohndk" + "acknowledgement": null }, { "name": "Tier Zero computers with passwords older than the default maximum password age", "guid": "b6d6d0bf-130e-4719-996b-adc29bba36e9", "prebuilt": false, - "platform": "Active Directory", + "platform": [ + "Active Directory" + ], "category": "Active Directory Hygiene", "description": null, "query": "MATCH (n:Computer)\nWHERE n.enabled = true\nAND n.whencreated < 
(datetime().epochseconds - (60 * 3 * 86400))\nAND n.pwdlastset < (datetime().epochseconds - (60 * 3 * 86400))\nAND coalesce(n.system_tags, \"\") CONTAINS \"admin_tier_0\"\nRETURN n", - "note": null, "revision": 1, + "note": null, "resources": null, - "acknowledgements": "Martin Sohn Christensen, @martinsohndk" + "acknowledgement": null }, { "name": "Computers with non-default Primary Group membership", "guid": "5862dc4e-6f6f-4321-9474-d838968495ed", "prebuilt": false, - "platform": "Active Directory", + "platform": [ + "Active Directory" + ], "category": "Active Directory Hygiene", "description": null, "query": "MATCH p=(n:Computer)-[r:MemberOf]->(g:Group)\nWHERE NOT g.objectid ENDS WITH \"-515\" // Domain Computers\nAND NOT g.objectid ENDS WITH \"-516\" // Domain Controllers\nAND NOT g.objectid ENDS WITH \"-521\" // Read-Only Domain Controllers\nAND r.isprimarygroup = true\nRETURN p", - "note": null, "revision": 1, + "note": null, "resources": null, - "acknowledgements": "Martin Sohn Christensen, @martinsohndk" + "acknowledgement": null }, { "name": "Principals with weak supported Kerberos encryption types", "guid": "ca329573-2157-41da-ab17-4d122c54b11d", "prebuilt": true, - "platform": "Active Directory", + "platform": [ + "Active Directory" + ], "category": "Active Directory Hygiene", "description": null, "query": "MATCH (u:Base)\nWHERE 'DES-CBC-CRC' IN u.supportedencryptiontypes\nOR 'DES-CBC-MD5' IN u.supportedencryptiontypes\nOR 'RC4-HMAC-MD5' IN u.supportedencryptiontypes\nRETURN u", - "note": null, "revision": 1, + "note": null, "resources": null, - "acknowledgements": null + "acknowledgement": null }, { "name": "Tier Zero accounts that can be delegated", "guid": "4316eaf1-6af0-4879-8f55-ac2633a711c3", "prebuilt": false, - "platform": "Active Directory", + "platform": [ + "Active Directory" + ], "category": "Kerberos Interaction", "description": null, "query": "MATCH (m:Base)\nWHERE ((m:Tag_Tier_Zero) OR COALESCE(m.system_tags, '') CONTAINS 
'admin_tier_0')\nAND m.enabled = true\nAND m.sensitive = false\nOPTIONAL MATCH (g:Group)<-[:MemberOf*1..]-(n:Base)\nWHERE g.objectid ENDS WITH '-525'\nWITH m, COLLECT(n) AS matchingNs\nWHERE NONE(n IN matchingNs WHERE n.objectid = m.objectid)\nRETURN m", - "note": null, "revision": 1, + "note": null, "resources": null, - "acknowledgements": "Martin Sohn Christensen, @martinsohndk" + "acknowledgement": null }, { "name": "Smart card accounts with passwords not rotated in over 1 year", "guid": "7e56f2e7-79c3-4f0d-aa3e-14cf3de7ab73", "prebuilt": false, - "platform": "Active Directory", + "platform": [ + "Active Directory" + ], "category": "Active Directory Hygiene", "description": null, "query": "MATCH (n:Base)\nWHERE n.pwdlastset < (datetime().epochseconds - (365 * 86400))\nAND n.enabled = true\nAND n.smartcardrequired = true\nRETURN n", - "note": null, "revision": 1, + "note": null, "resources": null, - "acknowledgements": "Martin Sohn Christensen, @martinsohndk" + "acknowledgement": null }, { "name": "Domain controllers with UPN certificate mapping enabled", "guid": "799ea3ce-572b-4594-98c4-041aa2ae6176", "prebuilt": true, - "platform": "Active Directory", + "platform": [ + "Active Directory" + ], "category": "Active Directory Certificate Services", "description": null, "query": "MATCH p = (s:Computer)-[:DCFor]->(:Domain)\nWHERE s.certificatemappingmethodsraw IN [4, 5, 6, 7, 12, 13, 14, 15, 20, 21, 22, 23, 28, 29, 30, 31]\nRETURN p\nLIMIT 1000", - "note": null, "revision": 1, + "note": null, "resources": [ "https://support.microsoft.com/en-us/topic/kb5014754-certificate-based-authentication-changes-on-windows-domain-controllers-ad2c23b0-15d8-4340-a468-4d4f3b188f16", "https://specterops.io/blog/2024/02/28/adcs-esc14-abuse-technique/" ], - "acknowledgements": "Jonas B\u00fclow Knudsen, @Jonas_B_K" + "acknowledgement": null }, { "name": "Users with logon scripts stored in a trusted domain", "guid": "8d94d3f3-3d53-4939-a206-3c0a4dd3f646", "prebuilt": false, - 
"platform": "Active Directory", + "platform": [ + "Active Directory" + ], "category": "Active Directory Hygiene", "description": null, "query": "MATCH (n:User)\nWHERE n.logonscript IS NOT NULL\nMATCH (d:Domain)-[:TrustedBy]->(:Domain)-[:Contains*1..]->(n)\nWITH n,last(split(d.name, '@')) AS domain\nWHERE toUpper(n.logonscript) STARTS WITH (\"\\\\\\\\\" + domain + \"\\\\\")\nRETURN n", - "note": null, "revision": 1, + "note": null, "resources": null, - "acknowledgements": "Martin Sohn Christensen, @martinsohndk" + "acknowledgement": null }, { "name": "Enrollment rights on published certificate templates", "guid": "a4ae2e54-aad3-4bfd-a12d-90cb8a9cbc86", "prebuilt": true, - "platform": "Active Directory", + "platform": [ + "Active Directory" + ], "category": "Active Directory Certificate Services", "description": null, "query": "MATCH p = (:Base)-[:Enroll|GenericAll|AllExtendedRights]->(:CertTemplate)-[:PublishedTo]->(:EnterpriseCA)\nRETURN p\nLIMIT 1000", - "note": null, "revision": 1, + "note": null, "resources": null, - "acknowledgements": null + "acknowledgement": null }, { "name": "Computers where Domain Users are local administrators", "guid": "d43a7bdc-33c6-4a39-a3bb-24115749e595", "prebuilt": true, - "platform": "Active Directory", + "platform": [ + "Active Directory" + ], "category": "Dangerous Privileges", "description": null, "query": "MATCH p=(s:Group)-[:AdminTo]->(:Computer)\nWHERE s.objectid ENDS WITH '-513'\nRETURN p\nLIMIT 1000", - "note": null, "revision": 1, + "note": null, "resources": null, - "acknowledgements": null + "acknowledgement": null }, { "name": "All members of high privileged roles", "guid": "3df24d92-dd12-4125-811b-e696b098f60e", "prebuilt": true, - "platform": "Azure", + "platform": [ + "Azure" + ], "category": "General", "description": null, "query": "MATCH p=(t:AZRole)<-[:AZHasRole|AZMemberOf*1..2]-(:AZBase)\nWHERE t.name =~ '(?i)Global Administrator|User Administrator|Cloud Application Administrator|Authentication Policy 
Administrator|Exchange Administrator|Helpdesk Administrator|Privileged Authentication Administrator'\nRETURN p\nLIMIT 1000", - "note": null, "revision": 1, + "note": null, "resources": null, - "acknowledgements": null + "acknowledgement": null }, { "name": "Tier Zero users with passwords not rotated in over 1 year", "guid": "5e0d69b1-37d1-43ae-ac5d-f297f312fab5", "prebuilt": false, - "platform": "Active Directory", + "platform": [ + "Active Directory" + ], "category": "Active Directory Hygiene", "description": null, "query": "WITH 365 as days_since_change\nMATCH (u:User)\nWHERE ((u:Tag_Tier_Zero) OR COALESCE(u.system_tags, '') CONTAINS 'admin_tier_0')\nAND u.pwdlastset < (datetime().epochseconds - (days_since_change * 86400))\nAND NOT u.pwdlastset IN [-1.0, 0.0]\nRETURN u\nLIMIT 100", - "note": null, "revision": 1, + "note": null, "resources": null, - "acknowledgements": "Martin Sohn Christensen, @martinsohndk" + "acknowledgement": null }, { "name": "Non-default members in Pre-Windows 2000 Compatible Access", "guid": "091995b9-7254-473a-996f-6b8368d20431", "prebuilt": false, - "platform": "Active Directory", + "platform": [ + "Active Directory" + ], "category": "Active Directory Hygiene", "description": null, "query": "MATCH p=(n:Group)-[:MemberOf]->(m:Group)\nWHERE NOT n.objectid ENDS WITH \"S-1-5-11\" // Authenticated Users\nAND NOT (n.objectid ENDS WITH \"S-1-5-7\" // Anonymous\nAND NOT n.objectid ENDS WITH \"S-1-1-0\") // Everyone\nAND m.objectid ENDS WITH \"S-1-5-32-554\" // Pre-Windows 2000 Compatible Access\nRETURN p", - "note": null, "revision": 1, + "note": null, "resources": null, - "acknowledgements": "Martin Sohn Christensen, @martinsohndk" + "acknowledgement": null }, { "name": "Principals with foreign domain group membership", "guid": "8fb3214a-5a75-4ecd-b293-c121abd94b4b", "prebuilt": true, - "platform": "Active Directory", + "platform": [ + "Active Directory" + ], "category": "Dangerous Privileges", "description": null, "query": "MATCH 
p=(s:Base)-[:MemberOf]->(t:Group)\nWHERE s.domainsid<>t.domainsid\nRETURN p\nLIMIT 1000", - "note": null, "revision": 1, + "note": null, "resources": null, - "acknowledgements": null + "acknowledgement": null }, { "name": "Disabled Tier Zero / High Value principals", "guid": "860d5c2d-84fe-4c85-80de-e0a9badbd0e7", "prebuilt": true, - "platform": "Azure", + "platform": [ + "Azure" + ], "category": "Azure Hygiene", "description": null, "query": "MATCH (n:AZBase)\nWHERE ((n:Tag_Tier_Zero) OR COALESCE(n.system_tags, '') CONTAINS 'admin_tier_0')\nAND n.enabled = false\nRETURN n\nLIMIT 100", - "note": null, "revision": 1, + "note": null, "resources": null, - "acknowledgements": null + "acknowledgement": null }, { "name": "Map Azure Management structure", "guid": "c1bb109e-e6a4-4c91-864f-f78e1e42615e", "prebuilt": false, - "platform": "Azure", + "platform": [ + "Azure" + ], "category": "Kerberos Interaction", "description": "Maps the structure of Azure Management", "query": "MATCH p = (:AZTenant)-[:AZContains*1..]->(:AZResourceGroup)\nRETURN p\nLIMIT 1000", - "note": null, "revision": 1, + "note": null, "resources": "https://learn.microsoft.com/en-us/azure/governance/management-groups/overview", - "acknowledgement": "Martin Sohn Christensen, @martinsohndk", - "acknowledgements": "Martin Sohn Christensen, @martinsohndk" + "acknowledgement": "Martin Sohn Christensen, @martinsohndk" }, { "name": "Kerberos-enabled service account member of built-in Admins groups", "guid": "42a856fc-257a-4142-9592-ca95fd49e579", "prebuilt": false, - "platform": "Active Directory", + "platform": [ + "Active Directory" + ], "category": "Active Directory Hygiene", "description": null, "query": "MATCH p=(n:Base)-[:MemberOf*1..]->(g:Group)\nWHERE (\n g.objectid ENDS WITH '-512' // Domain Admins\n OR g.objectid ENDS WITH '-519' // Enterprise Admins\n OR g.objectid ENDS WITH '-518' // Schema Admins\n)\nAND n.hasspn = true\nRETURN p", - "note": null, "revision": 1, + "note": null, "resources": null, - 
"acknowledgements": "Martin Sohn Christensen, @martinsohndk" + "acknowledgement": null }, { "name": "Entra ID SSO accounts not rolling Kerberos decryption key", 
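Review bot: The rename from `acknowledgements` to `acknowledgement` discards the attribution string in every entry of this hunk that had one (e.g. "Non-Tier Zero account with 'Admin Count' flag", "Tier Zero computers with passwords older than the default maximum password age", "Users with logon scripts stored in a trusted domain", "Domain controllers with UPN certificate mapping enabled"), replacing `"Martin Sohn Christensen, @martinsohndk"` and `"Jonas Bülow Knudsen, @Jonas_B_K"` with `null`. The "Map Azure Management structure" entry in the same hunk shows the rename can carry the value across, so the null appears to be an accidental loss rather than a policy change; each of those entries should read `"acknowledgement": "Martin Sohn Christensen, @martinsohndk"` (or the respective author). The same pattern recurs in the next hunk (Entra ID SSO, Tier Zero users with email, MSSQL failover cluster and the other non-prebuilt queries) and should be fixed there as well. As a side note, the "Map Azure Management structure" entry carries `"category": "Kerberos Interaction"`, which does not match its Azure platform and description; that looks pre-existing, but it is worth correcting while these records are touched.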
@@ -994,297 +1132,340 @@ "category": "Configuration Weakness", "description": "Microsoft highly recommends that you roll over the Entra ID SSO Kerberos decryption key at least every 30 days.", "query": "MATCH (n:Computer)\nWHERE n.name STARTS WITH \"AZUREADSSOACC.\"\nAND n.pwdlastset < (datetime().epochseconds - (30 * 86400))\nRETURN n", - "note": null, "revision": 1, + "note": null, "resources": "https://learn.microsoft.com/en-us/entra/identity/hybrid/connect/how-to-connect-sso-faq#how-can-i-roll-over-the-kerberos-decryption-key-of-the--azureadsso--computer-account-", - "acknowledgements": "Martin Sohn Christensen, @martinsohndk" + "acknowledgement": null }, { "name": "Domain Admins logons to non-Domain Controllers", "guid": "e2f3fd0a-1df2-4089-b0a4-272ad6e369a9", "prebuilt": true, - "platform": "Active Directory", + "platform": [ + "Active Directory" + ], "category": "Dangerous Privileges", "description": null, "query": "MATCH (s)-[:MemberOf*0..]->(g:Group)\nWHERE g.objectid ENDS WITH '-516'\nWITH COLLECT(s) AS exclude\nMATCH p = (c:Computer)-[:HasSession]->(:User)-[:MemberOf*1..]->(g:Group)\nWHERE g.objectid ENDS WITH '-512' AND NOT c IN exclude\nRETURN p\nLIMIT 1000", - "note": null, "revision": 1, + "note": null, "resources": null, - "acknowledgements": null + "acknowledgement": null }, { "name": "Map domain trusts", "guid": "268d3d26-5bc2-4820-a6ed-09d20f3d5413", "prebuilt": true, - "platform": "Active Directory", + "platform": [ + "Active Directory" + ], "category": "Domain Information", "description": null, "query": "MATCH p = (:Domain)-[:SameForestTrust|CrossForestTrust]->(:Domain)\nRETURN p\nLIMIT 1000", - "note": null, "revision": 1, + "note": null, "resources": null, - "acknowledgements": null + "acknowledgement": null }, { "name": "Tier Zero users with email", "guid": "9654c0d4-f1e8-4393-a2d1-53a5554a9de8", "prebuilt": false, - "platform": "Active Directory", + "platform": [ + "Active Directory" + ], "category": "Active Directory Hygiene", 
"description": "Tier Zero accounts with email access have an increased attack surface.", "query": "MATCH (n)\nWHERE ((n:Tag_Tier_Zero) OR COALESCE(n.system_tags, '') CONTAINS 'admin_tier_0')\nAND n.email <> \"\"\nAND n.enabled = true\nAND NOT toUpper(n.email) ENDS WITH \".ONMICROSOFT.COM\"\nAND NOT (\n (toUpper(n.email) STARTS WITH \"HEALTHMAILBOX\"\n OR toUpper(n.email) STARTS WITH \"MSEXCHDISCOVERYMAILBOX\"\n OR toUpper(n.email) STARTS WITH \"MSEXCHDISCOVERY\"\n OR toUpper(n.email) STARTS WITH \"MSEXCHAPPROVAL\"\n OR toUpper(n.email) STARTS WITH \"FEDERATEDEMAIL\"\n OR toUpper(n.email) STARTS WITH \"SYSTEMMAILBOX\"\n OR toUpper(n.email) STARTS WITH \"MIGRATION.\")\n AND\n (n.name STARTS WITH \"SM_\"\n OR n.name STARTS WITH \"HEALTHMAILBOX\")\n)\nRETURN n", - "note": null, "revision": 1, + "note": null, "resources": null, - "acknowledgements": "Martin Sohn Christensen, @martinsohndk" + "acknowledgement": null }, { "name": "Domains with smart card accounts where smart account passwords do not expire", "guid": "97e05e67-5961-4aba-a8e7-fe5f92334035", "prebuilt": true, - "platform": "Active Directory", + "platform": [ + "Active Directory" + ], "category": "Active Directory Hygiene", "description": null, "query": "MATCH (s:Domain)-[:Contains*1..]->(t:Base)\nWHERE s.expirepasswordsonsmartcardonlyaccounts = false\nAND t.enabled = true\nAND t.smartcardrequired = true\nRETURN s", - "note": null, "revision": 1, + "note": null, "resources": null, - "acknowledgements": null + "acknowledgement": null }, { "name": "Domains with more than 50 Tier Zero accounts", "guid": "f046e95a-5f84-4e83-bcda-6e83f3d8e21a", "prebuilt": false, - "platform": "Active Directory", + "platform": [ + "Active Directory" + ], "category": "Active Directory Hygiene", "description": null, "query": "MATCH (d:Domain)-[:Contains*1..]->(n:Base)\nWHERE ((n:Tag_Tier_Zero) OR COALESCE(n.system_tags, '') CONTAINS 'admin_tier_0')\nWITH d, COUNT(n) AS adminCount\nWHERE adminCount > 50\nRETURN d", - "note": null, 
"revision": 1, + "note": null, "resources": null, - "acknowledgements": "Martin Sohn Christensen, @martinsohndk" + "acknowledgement": null }, { "name": "Principals with DCSync privileges", "guid": "6e9beb8a-ad14-43de-bda1-644d174a5906", "prebuilt": true, - "platform": "Active Directory", + "platform": [ + "Active Directory" + ], "category": "Dangerous Privileges", "description": null, "query": "MATCH p=(:Base)-[:DCSync|AllExtendedRights|GenericAll]->(:Domain)\nRETURN p\nLIMIT 1000", - "note": null, "revision": 1, + "note": null, "resources": null, - "acknowledgements": null + "acknowledgement": null }, { "name": "Enabled computers inactive for 180 days - MSSQL Failover Cluster", "guid": "d263e621-7f1b-4efb-ad25-098fc7d4fb72", "prebuilt": false, - "platform": "Active Directory", + "platform": [ + "Active Directory" + ], "category": "Active Directory Hygiene", "description": null, "query": "WITH 180 as inactive_days\nMATCH (n:Computer)\nWHERE n.enabled = true\nAND n.lastlogontimestamp < (datetime().epochseconds - (inactive_days * 86400)) // Replicated value\nAND n.lastlogon < (datetime().epochseconds - (inactive_days * 86400)) // Non-replicated value\nAND n.whencreated < (datetime().epochseconds - (inactive_days * 86400)) // Exclude recently created principals\nAND ANY(type IN n.serviceprincipalnames WHERE \n toLower(type) CONTAINS 'mssqlservercluster' OR \n toLower(type) CONTAINS 'mssqlserverclustermgmtapi' OR \n toLower(type) CONTAINS 'msclustervirtualserver')\nRETURN n\nLIMIT 1000", - "note": null, "revision": 1, + "note": null, "resources": "https://learn.microsoft.com/en-us/troubleshoot/windows-server/high-availability/troubleshoot-issues-accounts-used-failover-clusters#troubleshoot-password-issues-with-the-cluster-name-account", - "acknowledgements": "Martin Sohn Christensen, @martinsohndk" + "acknowledgement": null }, { "name": "Enrollment rights on published certificate templates with no security extension", "guid": "0677b70c-4e04-4e89-a6a2-f5764604a6a7", 
"prebuilt": true, - "platform": "Active Directory", + "platform": [ + "Active Directory" + ], "category": "Active Directory Certificate Services", "description": null, "query": "MATCH p = (:Base)-[:Enroll|GenericAll|AllExtendedRights]->(ct:CertTemplate)-[:PublishedTo]->(:EnterpriseCA)\nWHERE ct.nosecurityextension = true\nRETURN p\nLIMIT 1000", - "note": null, "revision": 1, + "note": null, "resources": null, - "acknowledgements": null + "acknowledgement": null }, { "name": "Computers where Domain Users can read LAPS passwords", "guid": "aa4bfa95-e7b9-4d56-8f35-f34f04d7b6f4", "prebuilt": true, - "platform": "Active Directory", + "platform": [ + "Active Directory" + ], "category": "Dangerous Privileges", "description": null, "query": "MATCH p=(s:Group)-[:AllExtendedRights|ReadLAPSPassword]->(:Computer)\nWHERE s.objectid ENDS WITH '-513'\nRETURN p\nLIMIT 1000", - "note": null, "revision": 1, + "note": null, "resources": null, - "acknowledgements": null + "acknowledgement": null }, { "name": "Domains with smart card accounts where smart account passwords do not expire", "guid": "97e05e67-5961-4aba-a8e7-fe5f92334035", "prebuilt": false, - "platform": "Active Directory", + "platform": [ + "Active Directory" + ], "category": "Active Directory Hygiene", "description": null, "query": "MATCH (s:Domain)-[:Contains*1..]->(t:Base)\nWHERE s.expirepasswordsonsmartcardonlyaccounts = false\nAND t.enabled = true\nAND t.smartcardrequired = true\nRETURN s", - "note": null, "revision": 1, + "note": null, "resources": null, - "acknowledgements": "Martin Sohn Christensen, @martinsohndk" + "acknowledgement": null }, { "name": "All Domain Admins", "guid": "0596dba7-9180-49a0-aa54-00243240037c", "prebuilt": true, - "platform": "Active Directory", + "platform": [ + "Active Directory" + ], "category": "Domain Information", "description": null, "query": "MATCH p = (t:Group)<-[:MemberOf*1..]-(a)\nWHERE (a:User or a:Computer) and t.objectid ENDS WITH '-512'\nRETURN p\nLIMIT 1000", - "note": 
null, "revision": 1, + "note": null, "resources": null, - "acknowledgements": null + "acknowledgement": null }, { "name": "Domains allowing unauthenticated domain enumeration", "guid": "41a08d76-f8a5-4296-ad19-464c4c5c69fe", "prebuilt": false, - "platform": "Active Directory", + "platform": [ + "Active Directory" + ], "category": "Active Directory Hygiene", "description": null, "query": "MATCH p=(n:Group)-[:MemberOf]->(m:Group)\nWHERE (n.objectid ENDS WITH \"S-1-5-7\" // Anonymous\nOR n.objectid ENDS WITH \"S-1-1-0\") // Everyone\nAND m.objectid ENDS WITH \"S-1-5-32-554\" // Pre-Windows 2000 Compatible Access\nRETURN p", - "note": null, "revision": 1, + "note": null, "resources": null, - "acknowledgements": "Martin Sohn Christensen, @martinsohndk" + "acknowledgement": null }, { "name": "All coerce and NTLM relay edges", "guid": "15c5ff3b-856c-44d1-a731-a8cb72512dd1", "prebuilt": true, - "platform": "Active Directory", + "platform": [ + "Active Directory" + ], "category": "NTLM Relay Attacks", "description": null, "query": "MATCH p = (n:Base)-[:CoerceAndRelayNTLMToLDAP|CoerceAndRelayNTLMToLDAPS|CoerceAndRelayNTLMToADCS|CoerceAndRelayNTLMToSMB]->(:Base)\nRETURN p LIMIT 500", - "note": null, "revision": 1, + "note": null, "resources": "https://specterops.io/blog/2025/04/08/the-renaissance-of-ntlm-relay-attacks-everything-you-need-to-know/", - "acknowledgements": null + "acknowledgement": null }, { "name": "Accounts with clear-text password attributes", "guid": "e303498f-e3d4-489d-8a34-b68e187bc4e7", "prebuilt": false, - "platform": "Active Directory", + "platform": [ + "Active Directory" + ], "category": "Active Directory Hygiene", "description": null, "query": "MATCH (n:Base)\nWHERE n.userpassword IS NOT NULL\nOR n.unixpassword IS NOT NULL\nOR n.unicodepwd IS NOT NULL\nOR n.msSFU30Password IS NOT NULL\nRETURN n", - "note": null, "revision": 1, + "note": null, "resources": null, - "acknowledgements": "Martin Sohn Christensen, @martinsohndk" + "acknowledgement": null 
}, { "name": "CA administrators and CA managers", "guid": "fd35e3d8-0c74-4b5a-a847-c0dd1f1c9f19", "prebuilt": true, - "platform": "Active Directory", + "platform": [ + "Active Directory" + ], "category": "Active Directory Certificate Services", "description": null, "query": "MATCH p = (:Base)-[:ManageCertificates|ManageCA]->(:EnterpriseCA)\nRETURN p\nLIMIT 1000", - "note": null, "revision": 1, + "note": null, "resources": null, - "acknowledgements": null + "acknowledgement": null }, { "name": "Sessions across trusts", "guid": "aea7ac64-1f51-407b-b0ee-19fd30075794", "prebuilt": false, - "platform": "Active Directory", + "platform": [ + "Active Directory" + ], "category": "Domain Information", "description": "Users logging on across a trust, the users originate from trusted domains.", "query": "MATCH p=(trustedDomainPrincipal:Computer)-[r:HasSession]->(trustingDomainPrincipal:User)\nWHERE trustedDomainPrincipal.domainsid <> trustingDomainPrincipal.domainsid\nRETURN p\nLIMIT 1000", - "note": null, "revision": 1, + "note": null, "resources": null, - "acknowledgement": null, - "acknowledgements": "Martin Sohn Christensen, @martinsohndk" + "acknowledgement": null }, { "name": "Enrollment rights on published ESC1 certificate templates", "guid": "2af855bc-f48f-4b22-9839-627d8231e425", "prebuilt": true, - "platform": "Active Directory", + "platform": [ + "Active Directory" + ], "category": "Active Directory Certificate Services", "description": null, "query": "MATCH p = (:Base)-[:Enroll|GenericAll|AllExtendedRights]->(ct:CertTemplate)-[:PublishedTo]->(:EnterpriseCA)\nWHERE ct.enrolleesuppliessubject = True\nAND ct.authenticationenabled = True\nAND ct.requiresmanagerapproval = False\nAND (ct.authorizedsignatures = 0 OR ct.schemaversion = 1)\nRETURN p\nLIMIT 1000", - "note": null, "revision": 1, + "note": null, "resources": null, - "acknowledgements": null + "acknowledgement": null }, { "name": "Foreign principals in Tier Zero / High Value targets", "guid": 
"95bec736-86ef-4017-8465-9b9b66548b17", "prebuilt": true, - "platform": "Azure", + "platform": [ + "Azure" + ], "category": "Azure Hygiene", "description": null, "query": "MATCH (n:AZServicePrincipal)\nWHERE ((n:Tag_Tier_Zero) OR COALESCE(n.system_tags, '') CONTAINS 'admin_tier_0')\nAND NOT toUpper(n.appownerorganizationid) = toUpper(n.tenantid)\nAND n.appownerorganizationid CONTAINS '-'\nRETURN n\nLIMIT 100", - "note": null, "revision": 1, + "note": null, "resources": null, - "acknowledgements": null + "acknowledgement": null }, { "name": "Non-Tier Zero accounts with SID History of Tier Zero accounts", "guid": "59744dfe-9411-4daf-b342-1203dc62acd4", "prebuilt": false, - "platform": "Active Directory", + "platform": [ + "Active Directory" + ], "category": "Dangerous Privileges", "description": null, "query": "MATCH p=(n:Base)-[:HasSIDHistory]->(m:Base)\nWHERE ((m:Tag_Tier_Zero) OR COALESCE(m.system_tags, '') CONTAINS 'admin_tier_0')\nAND NOT ((n:Tag_Tier_Zero) OR COALESCE(n.system_tags, '') CONTAINS 'admin_tier_0')\nRETURN p", - "note": null, "revision": 1, + "note": null, "resources": null, - "acknowledgements": "Martin Sohn Christensen, @martinsohndk" + "acknowledgement": null }, { "name": "Tier Zero computers at risk of resource-based constrained delegation", "guid": "4dc97cf4-3c03-4fe6-8a8b-4f665c67e1e5", "prebuilt": false, - "platform": "Active Directory", + "platform": [ + "Active Directory" + ], "category": "Dangerous Privileges", "description": null, "query": "MATCH p = (n:Computer)<-[:AllowedToAct]-(:Base)\nWHERE ((n:Tag_Tier_Zero) OR COALESCE(n.system_tags, '') CONTAINS 'admin_tier_0')\nRETURN p", - "note": null, "revision": 1, + "note": null, "resources": null, - "acknowledgements": "Martin Sohn Christensen, @martinsohndk" + "acknowledgement": null }, { "name": "Domains with a minimum default password policy length less than 15 characters", "guid": "7d258d2d-a43d-4a90-85d7-71c946ae5fd7", "prebuilt": false, - "platform": "Active Directory", + "platform": 
[ + "Active Directory" + ], "category": "Active Directory Hygiene", "description": null, "query": "MATCH (n:Domain)\nWHERE n.minpwdlength < 15\nRETURN n", - "note": "NIST recommends 15 characters.", "revision": 1, + "note": "NIST recommends 15 characters.", "resources": "https://pages.nist.gov/800-63-3/sp800-63b.html", - "acknowledgements": "Martin Sohn Christensen, @martinsohndk" + "acknowledgement": null }, { "name": "Domains affected by AdPrep privilege escalation risk", "guid": "815ff190-f6f3-4757-a516-2f4bf589b705", "prebuilt": false, - "platform": "Active Directory", + "platform": [ + "Active Directory" + ], "category": "Dangerous Privileges", "description": null, "query": "MATCH p=(n:Group)-[r:GenericAll]->(m:Domain)\nWHERE n.objectid ENDS WITH \"-527\" // Enterprise Key Admins\nAND NOT ((n:Tag_Tier_Zero) OR COALESCE(n.system_tags, '') CONTAINS 'admin_tier_0')\nRETURN p", - "note": null, "revision": 1, + "note": null, "resources": null, - "acknowledgements": "Martin Sohn Christensen, @martinsohndk" + "acknowledgement": null }, { "name": "On-Prem Users synced to Entra Users with Azure RM Roles (group delegated)", 
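Review bot: Two entries in this hunk share the guid `97e05e67-5961-4aba-a8e7-fe5f92334035` — both are named "Domains with smart card accounts where smart account passwords do not expire", one with `"prebuilt": true` and one with `"prebuilt": false`, and they carry the same query. If the guid is used as a unique key when these queries are loaded, one record will silently overwrite or shadow the other; the duplicate should be removed, or the non-prebuilt copy given its own guid. This commit touches both records (platform array and acknowledgement rename) without resolving the collision. The acknowledgement-to-null loss raised on the previous hunk also applies to the non-prebuilt entries here.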
@@ -1297,179 +1478,205 @@ "category": "Cross Platform Attack Paths", "description": null, "query": "MATCH p = (:User)-[:SyncedToEntraUser]->(:AZUser)-[:AZMemberOf]->(:AZGroup)-[:AZOwner|AZUserAccessAdministrator|AZGetCertificates|AZGetKeys|AZGetSecrets|AZAvereContributor|AZKeyVaultContributor|AZContributor|AZVMAdminLogin|AZVMContributor|AZAKSContributor|AZAutomationContributor|AZLogicAppContributor|AZWebsiteContributor]->(:AZBase)\nRETURN p\nLIMIT 1000", - "note": null, "revision": 1, + "note": null, "resources": null, - "acknowledgements": null + "acknowledgement": null }, { "name": "Enabled computers inactive for 180 days", "guid": "0768e810-1e1e-4319-a216-76d9c2058644", "prebuilt": false, - "platform": "Active Directory", + "platform": [ + "Active Directory" + ], "category": "Active Directory Hygiene", "description": null, "query": "WITH 180 as inactive_days\nMATCH (n:Computer)\nWHERE n.enabled = true\nAND n.lastlogontimestamp < (datetime().epochseconds - (inactive_days * 86400)) // Replicated value\nAND n.lastlogon < (datetime().epochseconds - (inactive_days * 86400)) // Non-replicated value\nAND n.whencreated < (datetime().epochseconds - (inactive_days * 86400)) // Exclude recently created principals\nAND NOT n.name STARTS WITH 'AZUREADKERBEROS.' // Removes false positive, Azure KRBTGT\nAND NOT n.name STARTS WITH 'AZUREADSSOACC.' 
// Removes false positive, Entra Seamless SSO\nRETURN n\nLIMIT 1000", - "note": null, "revision": 1, + "note": null, "resources": null, - "acknowledgements": "Martin Sohn Christensen, @martinsohndk" + "acknowledgement": null }, { "name": "Disabled Tier Zero / High Value principals", "guid": "d65a801f-d3ef-4b7e-8030-99ebfd6dad12", "prebuilt": true, - "platform": "Active Directory", + "platform": [ + "Active Directory" + ], "category": "Active Directory Hygiene", "description": null, "query": "MATCH (n:Base)\nWHERE ((n:Tag_Tier_Zero) OR COALESCE(n.system_tags, '') CONTAINS 'admin_tier_0')\nAND n.enabled = false\nAND NOT n.objectid ENDS WITH '-502' // Removes false positive, KRBTGT\nAND NOT n.objectid ENDS WITH '-500' // Removes false positive, built-in Administrator\nRETURN n\nLIMIT 100", - "note": null, "revision": 1, + "note": null, "resources": null, - "acknowledgements": null + "acknowledgement": null }, { "name": "Kerberos-enabled service accounts without AES encryption support", "guid": "cb8cf96e-21c9-422b-9439-390a13446ca6", "prebuilt": false, - "platform": "Active Directory", + "platform": [ + "Active Directory" + ], "category": "Active Directory Hygiene", "description": null, "query": "MATCH (n:Base)\nWHERE n.hasspn = true\nAND ((\n n.supportedencryptiontypes <> ['Not defined']\n AND n.supportedencryptiontypes <> []\n AND NONE(type IN n.supportedencryptiontypes WHERE type CONTAINS 'AES128' OR type CONTAINS 'AES256')\n)\nOR (n.pwdlastset < datetime('2008-02-27T00:00:00').epochseconds // Password Last Set before Windows Server 2008\nAND NOT n.pwdlastset IN [-1.0, 0.0]\n))\nRETURN n\nLIMIT 100", - "note": null, "revision": 1, + "note": null, "resources": null, - "acknowledgements": "Martin Sohn Christensen, @martinsohndk" + "acknowledgement": null }, { "name": "Shortest paths from Owned objects", "guid": "e370a01d-c129-4f19-b88d-9479cbe00028", "prebuilt": true, - "platform": "Active Directory", + "platform": [ + "Active Directory" + ], "category": "Shortest 
Paths", "description": null, "query": "MATCH p=shortestPath((s:Base)-[:Owns|GenericAll|GenericWrite|WriteOwner|WriteDacl|MemberOf|ForceChangePassword|AllExtendedRights|AddMember|HasSession|GPLink|AllowedToDelegate|CoerceToTGT|AllowedToAct|AdminTo|CanPSRemote|CanRDP|ExecuteDCOM|HasSIDHistory|AddSelf|DCSync|ReadLAPSPassword|ReadGMSAPassword|DumpSMSAPassword|SQLAdmin|AddAllowedToAct|WriteSPN|AddKeyCredentialLink|SyncLAPSPassword|WriteAccountRestrictions|WriteGPLink|GoldenCert|ADCSESC1|ADCSESC3|ADCSESC4|ADCSESC6a|ADCSESC6b|ADCSESC9a|ADCSESC9b|ADCSESC10a|ADCSESC10b|ADCSESC13|SyncedToEntraUser|CoerceAndRelayNTLMToSMB|CoerceAndRelayNTLMToADCS|WriteOwnerLimitedRights|OwnsLimitedRights|CoerceAndRelayNTLMToLDAP|CoerceAndRelayNTLMToLDAPS|Contains|DCFor|SameForestTrust|SpoofSIDHistory|AbuseTGTDelegation*1..]->(t:Base))\nWHERE (s:Tag_Owned)\nAND s<>t\nRETURN p\nLIMIT 1000", - "note": null, "revision": 1, + "note": null, "resources": null, - "acknowledgements": null + "acknowledgement": null }, { "name": "Kerberoastable members of Tier Zero / High Value groups", "guid": "e6da7800-ae06-41cb-80a6-d5421ab2143a", "prebuilt": true, - "platform": "Active Directory", + "platform": [ + "Active Directory" + ], "category": "Kerberos Interaction", "description": null, "query": "MATCH (u:User)\nWHERE (u:Tag_Tier_Zero) AND u.hasspn=true\nAND u.enabled = true\nAND NOT u.objectid ENDS WITH '-502'\nAND NOT COALESCE(u.gmsa, false) = true\nAND NOT COALESCE(u.msa, false) = true \nRETURN u\nLIMIT 100", - "note": null, "revision": 1, + "note": null, "resources": "https://attack.mitre.org/techniques/T1558/003/", - "acknowledgements": null + "acknowledgement": null }, { "name": "Users with non-default Primary Group membership", "guid": "93890f88-df2c-4167-a945-a53961d08d00", "prebuilt": false, - "platform": "Active Directory", + "platform": [ + "Active Directory" + ], "category": "Active Directory Hygiene", "description": null, "query": "MATCH p=(n:User)-[r:MemberOf]->(g:Group)\nWHERE NOT g.objectid 
ENDS WITH \"-513\" // Domain Users\nAND r.isprimarygroup = true\nAND NOT n.objectid ENDS WITH \"-501\" // Guests account, as it has primaryGroup to Guests\nAND (n.gmsa IS NULL OR n.gmsa = false) // Not gMSA, as it has primaryGroup to Domain Computers\nAND (n.msa IS NULL OR n.msa = false) // Not MSA, as it has primaryGroup to Domain Computers\nRETURN p", - "note": null, "revision": 1, + "note": null, "resources": null, - "acknowledgements": "Martin Sohn Christensen, @martinsohndk" + "acknowledgement": null }, { "name": "Enabled Tier Zero / High Value principals inactive for 60 days", "guid": "72550bcb-3c4f-463d-8973-91a49163dc5a", "prebuilt": true, - "platform": "Active Directory", + "platform": [ + "Active Directory" + ], "category": "Active Directory Hygiene", "description": null, "query": "WITH 60 as inactive_days\nMATCH (n:Base)\nWHERE ((n:Tag_Tier_Zero) OR COALESCE(n.system_tags, '') CONTAINS 'admin_tier_0')\nAND n.enabled = true\nAND n.lastlogontimestamp < (datetime().epochseconds - (inactive_days * 86400)) // Replicated value\nAND n.lastlogon < (datetime().epochseconds - (inactive_days * 86400)) // Non-replicated value\nAND n.whencreated < (datetime().epochseconds - (inactive_days * 86400)) // Exclude recently created principals\nAND NOT n.name STARTS WITH 'AZUREADKERBEROS.' // Removes false positive, Azure KRBTGT\nAND NOT n.objectid ENDS WITH '-500' // Removes false positive, built-in Administrator\nAND NOT n.name STARTS WITH 'AZUREADSSOACC.' 
// Removes false positive, Entra Seamless SSO\nRETURN n", - "note": null, "revision": 1, + "note": null, "resources": null, - "acknowledgements": null + "acknowledgement": null }, { "name": "Shortest paths to Domain Admins", "guid": "f40cb34b-5ec7-44bc-9aa8-a200a4a41f22", "prebuilt": true, - "platform": "Active Directory", + "platform": [ + "Active Directory" + ], "category": "Shortest Paths", "description": null, "query": "MATCH p=shortestPath((t:Group)<-[:Owns|GenericAll|GenericWrite|WriteOwner|WriteDacl|MemberOf|ForceChangePassword|AllExtendedRights|AddMember|HasSession|GPLink|AllowedToDelegate|CoerceToTGT|AllowedToAct|AdminTo|CanPSRemote|CanRDP|ExecuteDCOM|HasSIDHistory|AddSelf|DCSync|ReadLAPSPassword|ReadGMSAPassword|DumpSMSAPassword|SQLAdmin|AddAllowedToAct|WriteSPN|AddKeyCredentialLink|SyncLAPSPassword|WriteAccountRestrictions|WriteGPLink|GoldenCert|ADCSESC1|ADCSESC3|ADCSESC4|ADCSESC6a|ADCSESC6b|ADCSESC9a|ADCSESC9b|ADCSESC10a|ADCSESC10b|ADCSESC13|SyncedToEntraUser|CoerceAndRelayNTLMToSMB|CoerceAndRelayNTLMToADCS|WriteOwnerLimitedRights|OwnsLimitedRights|CoerceAndRelayNTLMToLDAP|CoerceAndRelayNTLMToLDAPS|Contains|DCFor|SameForestTrust|SpoofSIDHistory|AbuseTGTDelegation*1..]-(s:Base))\nWHERE t.objectid ENDS WITH '-512' AND s<>t\nRETURN p\nLIMIT 1000", - "note": null, "revision": 1, + "note": null, "resources": null, - "acknowledgements": null + "acknowledgement": null }, { "name": "Enrollment rights on published enrollment agent certificate templates", "guid": "8483bf5b-89f1-4723-abb2-c48295f6393e", "prebuilt": true, - "platform": "Active Directory", + "platform": [ + "Active Directory" + ], "category": "Active Directory Certificate Services", "description": null, "query": "MATCH p = (:Base)-[:Enroll|GenericAll|AllExtendedRights]->(ct:CertTemplate)-[:PublishedTo]->(:EnterpriseCA)\nWHERE '1.3.6.1.4.1.311.20.2.1' IN ct.effectiveekus\nOR '2.5.29.37.0' IN ct.effectiveekus\nOR SIZE(ct.effectiveekus) = 0\nRETURN p\nLIMIT 1000", - "note": null, "revision": 1, + 
"note": null, "resources": null, - "acknowledgements": null + "acknowledgement": null }, { "name": "Locations of Tier Zero / High Value objects", "guid": "18a83a17-b451-4343-acfe-7620516e2968", "prebuilt": true, - "platform": "Active Directory", + "platform": [ + "Active Directory" + ], "category": "Domain Information", "description": null, "query": "MATCH p = (t:Base)<-[:Contains*1..]-(:Domain)\nWHERE ((t:Tag_Tier_Zero) OR COALESCE(t.system_tags, '') CONTAINS 'admin_tier_0')\nRETURN p\nLIMIT 1000", - "note": null, "revision": 1, + "note": null, "resources": null, - "acknowledgements": null + "acknowledgement": null }, { "name": "Domains with a single-point-of-failure Domain Controller", "guid": "3359a295-7cfd-491f-976b-c5a68647431c", "prebuilt": false, - "platform": "Active Directory", + "platform": [ + "Active Directory" + ], "category": "Active Directory Hygiene", "description": null, "query": "MATCH (n:Group)<-[:MemberOf]-(:Computer)\nWHERE n.objectid ENDS WITH '-516'\nWITH n, COUNT(n) AS dcCount\nWHERE dcCount = 1\nRETURN n", - "note": null, "revision": 1, + "note": null, "resources": null, - "acknowledgements": "Martin Sohn Christensen, @martinsohndk" + "acknowledgement": null }, { "name": "AS-REP Roastable Tier Zero users (DontReqPreAuth)", "guid": "6d51e4dc-e1ad-477a-b6c6-324f18f03120", "prebuilt": false, - "platform": "Active Directory", + "platform": [ + "Active Directory" + ], "category": "Active Directory Hygiene", "description": null, "query": "MATCH (n:Base)\nWHERE ((n:Tag_Tier_Zero) OR COALESCE(n.system_tags, '') CONTAINS 'admin_tier_0')\nAND n.dontreqpreauth = true\nRETURN n", - "note": null, "revision": 1, + "note": null, "resources": "https://attack.mitre.org/techniques/T1558/004/", - "acknowledgements": "Martin Sohn Christensen, @martinsohndk" + "acknowledgement": null }, { "name": "Large default groups with outbound control", "guid": "a334f21a-3d7f-448e-b7ea-1465a3127bce", "prebuilt": false, - "platform": "Active Directory", + "platform": [ + 
"Active Directory" + ], "category": "Dangerous Privileges", "description": null, "query": "MATCH p=(n:Group)-[:Owns|GenericAll|GenericWrite|WriteOwner|WriteDacl|ForceChangePassword|AllExtendedRights|AddMember|AllowedToDelegate|AllowedToAct|AdminTo|CanPSRemote|CanRDP|ExecuteDCOM|HasSIDHistory|AddSelf|DCSync|ReadLAPSPassword|ReadGMSAPassword|DumpSMSAPassword|SQLAdmin|AddAllowedToAct|WriteSPN|AddKeyCredentialLink|SyncLAPSPassword|WriteAccountRestrictions|GoldenCert|ADCSESC1|ADCSESC3|ADCSESC4|ADCSESC5|ADCSESC6a|ADCSESC6b|ADCSESC7|ADCSESC9a|ADCSESC9b|ADCSESC10a|ADCSESC10b|ADCSESC13]->(:Base)\nWHERE n.objectid ENDS WITH \"-513\" // DOMAIN USERS\nOR n.objectid ENDS WITH \"-515\" // DOMAIN COMPUTERS\nOR n.objectid ENDS WITH \"-S-1-5-11\" // AUTHENTICATED USERS\nOR n.objectid ENDS WITH \"-S-1-1-0\" // EVERYONE\nOR n.objectid ENDS WITH \"S-1-5-32-545\" // USERS\nOR n.objectid ENDS WITH \"S-1-5-32-546\" // GUESTS\nOR n.objectid ENDS WITH \"S-1-5-7\" // ANONYMOUS\nRETURN p", - "note": null, "revision": 1, + "note": null, "resources": null, - "acknowledgements": "Martin Sohn Christensen, @martinsohndk" + "acknowledgement": null }, { "name": "On-Prem Users synced to Entra Users with Entra Group Membership", 
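Review bot: The rename from `acknowledgements` to `acknowledgement` discards existing attributions instead of migrating them: every entry in this hunk that carried `"acknowledgements": "Martin Sohn Christensen, @martinsohndk"` (Enabled computers inactive for 180 days, Kerberos-enabled service accounts without AES encryption support, Users with non-default Primary Group membership, Domains with a single-point-of-failure Domain Controller, AS-REP Roastable Tier Zero users, Large default groups with outbound control) now ends with `"acknowledgement": null`. The same loss occurs in the hunks `@@ -1482,141 +1689,160 @@` and `@@ -1629,217 +1855,248 @@`, and the outcome is inconsistent: the BadSuccessor entry keeps its credit because it already had the singular key, while Trace ACE inheritance keeps only the singular value and drops the second credit. If the singular key is the target schema, carry the old value across wherever the singular is null, e.g. `"acknowledgement": "Martin Sohn Christensen, @martinsohndk"`, and decide explicitly how entries with two credits are represented (presumably one joined string unless the schema accepts a list, which I cannot tell from the diff).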
@@ -1482,141 +1689,160 @@ "category": "Cross Platform Attack Paths", "description": null, "query": "MATCH p = (:User)-[:SyncedToEntraUser]->(:AZUser)-[:AZMemberOf]->(:AZGroup)\nRETURN p\nLIMIT 1000", - "note": null, "revision": 1, + "note": null, "resources": null, - "acknowledgements": null + "acknowledgement": null }, { "name": "Tier Zero accounts not members of Denied RODC Password Replication Group", "guid": "e9613406-e346-410b-a033-690a6cf0c708", "prebuilt": false, - "platform": "Active Directory", + "platform": [ + "Active Directory" + ], "category": "Active Directory Hygiene", "description": null, "query": "MATCH (n:Base)\nWHERE ((n:Tag_Tier_Zero) OR COALESCE(n.system_tags, '') CONTAINS 'admin_tier_0')\nAND (n:User or n:Computer)\nWITH n\nOPTIONAL MATCH (n)-[:MemberOf*1..]->(m:Group)\nWHERE m.objectid ENDS WITH '-519'\nWITH n, m\nWHERE m IS NULL\nRETURN n", - "note": null, "revision": 1, + "note": null, "resources": null, - "acknowledgements": "Martin Sohn Christensen, @martinsohndk" + "acknowledgement": null }, { "name": "Domains without Microsoft LAPS computers", "guid": "f9b440b5-732c-4ed3-b6d2-83857db17e1a", "prebuilt": false, - "platform": "Active Directory", + "platform": [ + "Active Directory" + ], "category": "Domain Information", "description": null, "query": "MATCH (d:Domain)\nOPTIONAL MATCH (c:Computer)\nWHERE c.domainsid = d.objectid AND c.haslaps = true\nWITH d, COLLECT(c) AS computers\nWHERE SIZE(computers) = 0\nRETURN d", - "note": null, "revision": 1, + "note": null, "resources": null, - "acknowledgements": "Martin Sohn Christensen, @martinsohndk" + "acknowledgement": null }, { "name": "Nested groups within Tier Zero / High Value", "guid": "8e541e75-df1d-423f-b429-4bbf0403a338", "prebuilt": true, - "platform": "Active Directory", + "platform": [ + "Active Directory" + ], "category": "Active Directory Hygiene", "description": null, "query": "MATCH p=(t:Group)<-[:MemberOf*..]-(s:Group)\nWHERE ((t:Tag_Tier_Zero) OR COALESCE(t.system_tags, '') 
CONTAINS 'admin_tier_0')\nAND NOT s.objectid ENDS WITH '-512' // Domain Admins\nAND NOT s.objectid ENDS WITH '-519' // Enterprise Admins\nRETURN p\nLIMIT 1000", - "note": null, "revision": 1, + "note": null, "resources": null, - "acknowledgements": null + "acknowledgement": null }, { "name": "Users which do not require password to authenticate", "guid": "23bdc2ad-6739-4b2b-85d3-258e3f424eb2", "prebuilt": true, - "platform": "Active Directory", + "platform": [ + "Active Directory" + ], "category": "Active Directory Hygiene", "description": null, "query": "MATCH (u:User)\nWHERE u.passwordnotreqd = true\nRETURN u\nLIMIT 100", - "note": null, "revision": 1, + "note": null, "resources": null, - "acknowledgements": null + "acknowledgement": null }, { "name": "Computer owners who can obtain LAPS passwords", "guid": "92aa81d6-b08e-4abb-ae39-ecbe5735a74c", "prebuilt": false, - "platform": "Active Directory", + "platform": [ + "Active Directory" + ], "category": "Dangerous Privileges", "description": "Creators of computer objects get abusable rights on the computer object. 
If the owner is not explicitly granted ReadLAPSPassword they can still compromise the computer with the abusable owner rights.", "query": "MATCH p = (c:Computer)<-[:GenericAll|Owns|WriteDacl|WriteOwner|AllExtendedRights]-(n:User)\nWHERE c.haslaps = true AND c.ownersid = n.objectid\nRETURN p", - "note": null, "revision": 1, + "note": null, "resources": null, - "acknowledgements": "Martin Sohn Christensen, @martinsohndk" + "acknowledgement": null }, { "name": "Enrollment rights on CertTemplates with OIDGroupLink", "guid": "140a68eb-d21c-4b75-971f-309225fb2d75", "prebuilt": true, - "platform": "Active Directory", + "platform": [ + "Active Directory" + ], "category": "Active Directory Certificate Services", "description": null, "query": "MATCH p = (:Base)-[:Enroll|GenericAll|AllExtendedRights]->(:CertTemplate)-[:ExtendedByPolicy]->(:IssuancePolicy)-[:OIDGroupLink]->(:Group)\nRETURN p\nLIMIT 1000", - "note": null, "revision": 1, + "note": null, "resources": null, - "acknowledgements": null + "acknowledgement": null }, { "name": "Trace ACE inheritance", "guid": "8c5454df-3ae8-412c-b271-3c4c55df7141", "prebuilt": false, - "platform": "Active Directory", + "platform": [ + "Active Directory" + ], "category": "Domain Information", "description": "When BloodHound shows that an inherited ACE applies to an object it does not show the source/where it is inherited from from (OU, Container, Domain root) - the source is where it should be remediated. 
This query can sometimes find the source of an inherited ACE, but only works if the ACE is set to also apply to the source itself.", "query": "// Replace INSERT_OBJECT_ID with the affected principal\n// Replace 'GenericAll' with the specific edge you're tracing\nWITH \"INSERT_OBJECT_ID\" as OID\nMATCH p=()-[:GenericAll {isacl:true,isinherited:false}]->()-[:Contains*1..]->(:Base{objectid:OID})\nWHERE NONE(ou in NODES(p) WHERE ou:OU AND ou.isaclprotected IS NOT NULL)\nRETURN p", - "note": null, "revision": 1, + "note": null, "resources": null, - "acknowledgement": "Walter.Legowski, @SadProcessor", - "acknowledgements": "Martin Sohn Christensen, @martinsohndk" + "acknowledgement": "Walter.Legowski, @SadProcessor" }, { "name": "All DNSAdmins", "guid": "183fb320-f3ae-4ab3-a090-3f9a7db692e1", "prebuilt": false, - "platform": "Active Directory", + "platform": [ + "Active Directory" + ], "category": "Domain Information", "description": null, "query": "MATCH p=(n:Base)-[:MemberOf]->(g:Group) \nWHERE n.name STARTS WITH \"DNSADMINS@\"\nRETURN p", - "note": null, "revision": 1, + "note": null, "resources": null, - "acknowledgements": "Martin Sohn Christensen, @martinsohndk" + "acknowledgement": null }, { "name": "Domains allowing unauthenticated rootDSE searches and binds", "guid": "ebc79aa4-e816-4be8-93fe-a0b30dbc771d", "prebuilt": false, - "platform": "Active Directory", + "platform": [ + "Active Directory" + ], "category": "Active Directory Hygiene", "description": "Checks the fLDAPBlockAnonOps flag of dSHeuristics.", "query": "MATCH (n:Domain)\nWHERE n.dsheuristics =~ \".{6}[^2].*\"\nRETURN n", - "note": null, "revision": 1, + "note": null, "resources": "https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-adts/e5899be4-862e-496f-9a38-33950617d2c5", - "acknowledgements": "Martin Sohn Christensen, @martinsohndk" + "acknowledgement": null }, { "name": "Users with passwords not rotated in over 1 year", "guid": "be70d1bd-b7eb-40b0-971c-eefc50eca032", "prebuilt": 
true, - "platform": "Active Directory", + "platform": [ + "Active Directory" + ], "category": "Active Directory Hygiene", "description": null, "query": "WITH 365 as days_since_change\nMATCH (u:User)\nWHERE u.pwdlastset < (datetime().epochseconds - (days_since_change * 86400))\nAND NOT u.pwdlastset IN [-1.0, 0.0]\nRETURN u\nLIMIT 100", - "note": null, "revision": 1, + "note": null, "resources": null, - "acknowledgements": null + "acknowledgement": null }, { "name": "On-Prem Users synced to Entra Users with Azure RM Roles (direct)", 
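Review bot: The query for "Tier Zero accounts not members of Denied RODC Password Replication Group" filters on `m.objectid ENDS WITH '-519'`, which is the Enterprise Admins RID; the Denied RODC Password Replication Group is RID 572, so as written the query reports Tier Zero users and computers that are outside Enterprise Admins rather than those missing from the deny list. The sibling "Members of Allowed RODC Password Replication Group" query in the next hunk uses `-571`, the well-known RID of the Allowed group, so the intended line here is presumably `WHERE m.objectid ENDS WITH '-572'`. This is a context line the commit does not change, but the hygiene finding is silently wrong until it is fixed. Separately, the "Trace ACE inheritance" description in this hunk contains the doubled word "inherited from from".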
@@ -1629,217 +1855,248 @@ "category": "Cross Platform Attack Paths", "description": null, "query": "MATCH p = (:User)-[:SyncedToEntraUser]->(:AZUser)-[:AZOwner|AZUserAccessAdministrator|AZGetCertificates|AZGetKeys|AZGetSecrets|AZAvereContributor|AZKeyVaultContributor|AZContributor|AZVMAdminLogin|AZVMContributor|AZAKSContributor|AZAutomationContributor|AZLogicAppContributor|AZWebsiteContributor]->(:AZBase)\nRETURN p\nLIMIT 1000", - "note": null, "revision": 1, + "note": null, "resources": null, - "acknowledgements": null + "acknowledgement": null }, { "name": "Tier Zero / High Value users with non-expiring passwords", "guid": "4eca1b69-00a2-48a0-abb3-b94ea647cf6b", "prebuilt": true, - "platform": "Active Directory", + "platform": [ + "Active Directory" + ], "category": "Active Directory Hygiene", "description": null, "query": "MATCH (u:User)\nWHERE ((u:Tag_Tier_Zero) OR COALESCE(u.system_tags, '') CONTAINS 'admin_tier_0') AND u.enabled = true\nAND u.pwdneverexpires = true\nRETURN u\nLIMIT 100", - "note": null, "revision": 1, + "note": null, "resources": null, - "acknowledgements": null + "acknowledgement": null }, { "name": "Domains exempting privileged groups from AdminSDHolder protections", "guid": "79f8d8f9-8291-4bf7-a13a-15989018075f", "prebuilt": false, - "platform": "Active Directory", + "platform": [ + "Active Directory" + ], "category": "Active Directory Hygiene", "description": "Checks the dwAdminSDExMask flag of dSHeuristics.", "query": "MATCH (n:Domain)\nWHERE n.dsheuristics =~ \".{15}[^0].*\"\nRETURN n", - "note": null, "revision": 1, + "note": null, "resources": "https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-adts/e5899be4-862e-496f-9a38-33950617d2c5", - "acknowledgements": "Martin Sohn Christensen, @martinsohndk" + "acknowledgement": null }, { "name": "Domains allowing authenticated domain enumeration", "guid": "1e1e6fdd-6973-4547-906c-a494b5fbdcba", "prebuilt": false, - "platform": "Active Directory", + "platform": [ + "Active 
Directory" + ], "category": "Active Directory Hygiene", "description": null, "query": "MATCH p=(n:Group)-[:MemberOf]->(m:Group)\nWHERE n.objectid ENDS WITH \"S-1-5-11\" // Authenticated Users\nAND m.objectid ENDS WITH \"S-1-5-32-554\" // Pre-Windows 2000 Compatible Access\nRETURN p", - "note": null, "revision": 1, + "note": null, "resources": null, - "acknowledgements": "Martin Sohn Christensen, @martinsohndk" + "acknowledgement": null }, { "name": "Domains affected by Exchange privilege escalation risk", "guid": "f2d09c94-b6f2-4901-9a2d-f8bacd61edc7", "prebuilt": false, - "platform": "Active Directory", + "platform": [ + "Active Directory" + ], "category": "Dangerous Privileges", "description": null, "query": "MATCH p=(n:Group)-[r:WriteDacl|ForceChangePassword|AddMember]->(m:Base)\nWHERE n.name STARTS WITH \"EXCHANGE \"\nAND ((m:Tag_Tier_Zero) OR COALESCE(m.system_tags, '') CONTAINS 'admin_tier_0')\nRETURN p", - "note": null, "revision": 1, + "note": null, "resources": null, - "acknowledgements": "Martin Sohn Christensen, @martinsohndk" + "acknowledgement": null }, { "name": "Principals with DES-only Kerberos authentication", "guid": "d03ea1ef-70f0-439b-b1ef-d7f94ceb2af3", "prebuilt": true, - "platform": "Active Directory", + "platform": [ + "Active Directory" + ], "category": "Active Directory Hygiene", "description": null, "query": "MATCH (n:Base)\nWHERE n.enabled = true\nAND n.usedeskeyonly = true\nRETURN n", - "note": null, "revision": 1, + "note": null, "resources": null, - "acknowledgements": null + "acknowledgement": null }, { "name": "Non-Tier Zero principals with BadSuccessor rights (no prerequisites check)", "guid": "2b9fb71e-73ad-4061-a2df-40c7132b044d", "prebuilt": false, - "platform": "Active Directory", + "platform": [ + "Active Directory" + ], "category": "Dangerous Privileges", "description": "Finds non-Tier Zero principals with BadSuccessor rights with no prerequisites check (DC2025 & KDC key).", "query": "// Find OU control\nMATCH p = 
(ou:OU)<-[:WriteDacl|Owns|GenericAll|WriteOwner]-(n:Base)\n// Exclude Tier Zero\nWHERE NOT ((n:Tag_Tier_Zero) OR COALESCE(n.system_tags, '') CONTAINS 'admin_tier_0')\nRETURN p LIMIT 1000", - "note": null, "revision": 1, + "note": null, "resources": "https://bsky.app/profile/specterops.io/post/3lpua65qeu22l", - "acknowledgement": "Martin Sohn Christensen, @martinsohndk", - "acknowledgements": "Martin Sohn Christensen, @martinsohndk" + "acknowledgement": "Martin Sohn Christensen, @martinsohndk" }, { "name": "Non-Tier Zero principals with control of AdminSDHolder", "guid": "4c1e0137-5b7f-48d8-bd09-9db7674bca61", "prebuilt": false, - "platform": "Active Directory", + "platform": [ + "Active Directory" + ], "category": "Dangerous Privileges", "description": null, "query": "MATCH p=(n:Group)-[r:Owns|GenericAll|GenericWrite|WriteOwner|WriteDacl|ForceChangePassword|AllExtendedRights|AddMember|AllowedToDelegate|CoerceToTGT|AllowedToAct|AdminTo|CanPSRemote|CanRDP|ExecuteDCOM|HasSIDHistory|AddSelf|DCSync|ReadLAPSPassword|ReadGMSAPassword|DumpSMSAPassword|SQLAdmin|AddAllowedToAct|WriteSPN|AddKeyCredentialLink|SyncLAPSPassword|WriteAccountRestrictions|WriteOwnerLimitedRights|OwnsLimitedRights]->(m:Container)\nWHERE NOT ((n:Tag_Tier_Zero) OR COALESCE(n.system_tags, '') CONTAINS 'admin_tier_0')\nAND m.name STARTS WITH \"ADMINSDHOLDER@\"\nRETURN p", - "note": null, "revision": 1, + "note": null, "resources": "https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/plan/security-best-practices/appendix-c--protected-accounts-and-groups-in-active-directory#adminsdholder", - "acknowledgements": "Martin Sohn Christensen, @martinsohndk" + "acknowledgement": null }, { "name": "Dangerous privileges for Domain Users groups", "guid": "9b8b9c18-f8c6-4c54-a20f-de0f7a7edbe0", "prebuilt": true, - "platform": "Active Directory", + "platform": [ + "Active Directory" + ], "category": "Dangerous Privileges", "description": null, "query": "MATCH 
p=(s:Group)-[:Owns|GenericAll|GenericWrite|WriteOwner|WriteDacl|MemberOf|ForceChangePassword|AllExtendedRights|AddMember|HasSession|GPLink|AllowedToDelegate|CoerceToTGT|AllowedToAct|AdminTo|CanPSRemote|CanRDP|ExecuteDCOM|HasSIDHistory|AddSelf|DCSync|ReadLAPSPassword|ReadGMSAPassword|DumpSMSAPassword|SQLAdmin|AddAllowedToAct|WriteSPN|AddKeyCredentialLink|SyncLAPSPassword|WriteAccountRestrictions|WriteGPLink|GoldenCert|ADCSESC1|ADCSESC3|ADCSESC4|ADCSESC6a|ADCSESC6b|ADCSESC9a|ADCSESC9b|ADCSESC10a|ADCSESC10b|ADCSESC13|SyncedToEntraUser|CoerceAndRelayNTLMToSMB|CoerceAndRelayNTLMToADCS|WriteOwnerLimitedRights|OwnsLimitedRights|CoerceAndRelayNTLMToLDAP|CoerceAndRelayNTLMToLDAPS|Contains|DCFor|SameForestTrust|SpoofSIDHistory|AbuseTGTDelegation]->(:Base)\nWHERE s.objectid ENDS WITH '-513'\nRETURN p\nLIMIT 1000", - "note": null, "revision": 1, + "note": null, "resources": null, - "acknowledgements": null + "acknowledgement": null }, { "name": "Shortest paths to Tier Zero / High Value targets", "guid": "237aac58-8641-4703-a9f7-001d69546fd8", "prebuilt": true, - "platform": "Active Directory", + "platform": [ + "Active Directory" + ], "category": "Shortest Paths", "description": null, "query": "MATCH p=shortestPath((s)-[:Owns|GenericAll|GenericWrite|WriteOwner|WriteDacl|MemberOf|ForceChangePassword|AllExtendedRights|AddMember|HasSession|GPLink|AllowedToDelegate|CoerceToTGT|AllowedToAct|AdminTo|CanPSRemote|CanRDP|ExecuteDCOM|HasSIDHistory|AddSelf|DCSync|ReadLAPSPassword|ReadGMSAPassword|DumpSMSAPassword|SQLAdmin|AddAllowedToAct|WriteSPN|AddKeyCredentialLink|SyncLAPSPassword|WriteAccountRestrictions|WriteGPLink|GoldenCert|ADCSESC1|ADCSESC3|ADCSESC4|ADCSESC6a|ADCSESC6b|ADCSESC9a|ADCSESC9b|ADCSESC10a|ADCSESC10b|ADCSESC13|SyncedToEntraUser|CoerceAndRelayNTLMToSMB|CoerceAndRelayNTLMToADCS|WriteOwnerLimitedRights|OwnsLimitedRights|CoerceAndRelayNTLMToLDAP|CoerceAndRelayNTLMToLDAPS|Contains|DCFor|SameForestTrust|SpoofSIDHistory|AbuseTGTDelegation*1..]->(t:Tag_Tier_Zero))\nWHERE 
s<>t\nRETURN p\nLIMIT 1000", - "note": null, "revision": 1, + "note": null, "resources": null, - "acknowledgements": null + "acknowledgement": null }, { "name": "Members of Allowed RODC Password Replication Group", "guid": "19fc5acd-e30a-4038-a5b5-2e0494f93373", "prebuilt": false, - "platform": "Active Directory", + "platform": [ + "Active Directory" + ], "category": "Domain Information", "description": null, "query": "MATCH p=(n:Base)-[r:MemberOf]->(m:Group)\nWHERE m.objectid ENDS WITH \"-571\"\nAND (n:User or n:Computer)\nRETURN p", - "note": null, "revision": 1, + "note": null, "resources": null, - "acknowledgements": "Martin Sohn Christensen, @martinsohndk" + "acknowledgement": null }, { "name": "Shortest paths from Owned objects to Tier Zero", "guid": "dfaa8e8f-2c79-4e92-a291-b1347f6e83b0", "prebuilt": true, - "platform": "Active Directory", + "platform": [ + "Active Directory" + ], "category": "Shortest Paths", "description": null, "query": "// MANY TO MANY SHORTEST PATH QUERIES USE EXCESSIVE SYSTEM RESOURCES AND TYPICALLY WILL NOT COMPLETE\nMATCH p=shortestPath((s:Tag_Owned)-[:Owns|GenericAll|GenericWrite|WriteOwner|WriteDacl|MemberOf|ForceChangePassword|AllExtendedRights|AddMember|HasSession|GPLink|AllowedToDelegate|CoerceToTGT|AllowedToAct|AdminTo|CanPSRemote|CanRDP|ExecuteDCOM|HasSIDHistory|AddSelf|DCSync|ReadLAPSPassword|ReadGMSAPassword|DumpSMSAPassword|SQLAdmin|AddAllowedToAct|WriteSPN|AddKeyCredentialLink|SyncLAPSPassword|WriteAccountRestrictions|WriteGPLink|GoldenCert|ADCSESC1|ADCSESC3|ADCSESC4|ADCSESC6a|ADCSESC6b|ADCSESC9a|ADCSESC9b|ADCSESC10a|ADCSESC10b|ADCSESC13|SyncedToEntraUser|CoerceAndRelayNTLMToSMB|CoerceAndRelayNTLMToADCS|WriteOwnerLimitedRights|OwnsLimitedRights|CoerceAndRelayNTLMToLDAP|CoerceAndRelayNTLMToLDAPS|Contains|DCFor|SameForestTrust|SpoofSIDHistory|AbuseTGTDelegation*1..]->(t:Base))\nWHERE s<>t\nAND ((t:Tag_Tier_Zero) OR COALESCE(t.system_tags, '') CONTAINS 'admin_tier_0')\nRETURN p\nLIMIT 1000", - "note": null, "revision": 1, + 
"note": null, "resources": null, - "acknowledgements": null + "acknowledgement": null }, { "name": "Domains not verifying UPN and SPN uniqueness", "guid": "cb0b1591-5c3e-45f1-afb7-984e5ad865d0", "prebuilt": false, - "platform": "Active Directory", + "platform": [ + "Active Directory" + ], "category": "Active Directory Hygiene", "description": "Checks the DoNotVerifyUPNAndOrSPNUniqueness flag of dSHeuristics.", "query": "MATCH (n:Domain)\nWHERE n.dsheuristics =~ \".{20}[^0].*\"\nRETURN n", - "note": null, "revision": 1, + "note": null, "resources": "https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-adts/e5899be4-862e-496f-9a38-33950617d2c5", - "acknowledgements": "Martin Sohn Christensen, @martinsohndk" + "acknowledgement": null }, { "name": "Domains with functional level not the latest version", "guid": "3da9d14a-f1cb-4df7-b3da-8d73ff5c401b", "prebuilt": false, - "platform": "Active Directory", + "platform": [ + "Active Directory" + ], "category": "Active Directory Hygiene", "description": null, "query": "MATCH (n:Domain)\nWHERE toString(n.functionallevel) IN ['2008','2003','2003 Interim','2000 Mixed/Native']\nRETURN n", - "note": "Functional level <4", "revision": 1, + "note": "Functional level <4", "resources": null, - "acknowledgements": "Martin Sohn Christensen, @martinsohndk" + "acknowledgement": null }, { "name": "Enabled users inactive for 180 days", "guid": "71972f3c-b32d-4023-a841-5cc8cc1c1867", "prebuilt": false, - "platform": "Active Directory", + "platform": [ + "Active Directory" + ], "category": "Active Directory Hygiene", "description": null, "query": "WITH 180 as inactive_days\nMATCH (n:User)\nWHERE n.enabled = true\nAND n.lastlogontimestamp < (datetime().epochseconds - (inactive_days * 86400)) // Replicated value\nAND n.lastlogon < (datetime().epochseconds - (inactive_days * 86400)) // Non-replicated value\nAND n.whencreated < (datetime().epochseconds - (inactive_days * 86400)) // Exclude recently created principals\nAND NOT 
n.objectid ENDS WITH '-500' // Removes false positive, built-in Administrator\nRETURN n\nLIMIT 1000", - "note": null, "revision": 1, + "note": null, "resources": null, - "acknowledgements": "Martin Sohn Christensen, @martinsohndk" + "acknowledgement": null }, { "name": "AS-REP Roastable users (DontReqPreAuth)", "guid": "2570e359-dec1-419d-b0dc-a204bd64ee42", "prebuilt": true, - "platform": "Active Directory", + "platform": [ + "Active Directory" + ], "category": "Kerberos Interaction", "description": null, "query": "MATCH (u:User)\nWHERE u.dontreqpreauth = true\nAND u.enabled = true\nRETURN u\nLIMIT 100", - "note": null, "revision": 1, + "note": null, "resources": "https://attack.mitre.org/techniques/T1558/004/", - "acknowledgements": null + "acknowledgement": null }, { "name": "All ADCS ESC privilege escalation edges", "guid": "49db8edc-8421-438f-b97b-23c042959bef", "prebuilt": false, - "platform": "Active Directory", + "platform": [ + "Active Directory" + ], "category": "Active Directory Certificate Services", "description": null, "query": "MATCH p=(:Base)-[:ADCSESC1|ADCSESC3|ADCSESC4|ADCSESC6a|ADCSESC6b|ADCSESC9a|ADCSESC9b|ADCSESC10a|ADCSESC10b|ADCSESC13|GoldenCert|CoerceAndRelayNTLMToADCS]->(:Base)\nRETURN p", - "note": null, "revision": 1, + "note": null, "resources": [ "https://posts.specterops.io/certified-pre-owned-d95910965cd2", "https://posts.specterops.io/adcs-attack-paths-in-bloodhound-part-1-799f3d3b03cf", 
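Review bot: "Non-Tier Zero principals with control of AdminSDHolder" matches only `(n:Group)` on the source side, so a user or computer that directly holds GenericAll, WriteDacl, WriteOwner or another listed edge over the AdminSDHolder container is never reported, although the name promises all principals and the Tier Zero exclusion is written with the generic `Tag_Tier_Zero`/`system_tags` pattern. The neighbouring entries that intend a group-only scope (Exchange privilege escalation risk, Dangerous privileges for Domain Users groups) say so in their names, so this looks like an unintended restriction; either `MATCH p=(n:Base)-[r:Owns|GenericAll|...]->(m:Container)` or a name that says "groups" would make query and title agree, and which one is meant I cannot tell from the diff. A lower-impact mismatch of the same kind is "Domains with functional level not the latest version", whose list stops at 2008 as the note "Functional level <4" concedes.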
@@ -1848,100 +2105,112 @@ "https://posts.specterops.io/adcs-esc13-abuse-technique-fda4272fbd53", "https://specterops.io/blog/2025/04/08/the-renaissance-of-ntlm-relay-attacks-everything-you-need-to-know/#:~:text=Introducing%20the%20CoerceAndRelayNTLMToADCS%20Edge" ], - "acknowledgements": "Jonas B\u00fclow Knudsen, @Jonas_B_K" + "acknowledgement": null }, { "name": "All Schema Admins", "guid": "76d8e61d-7a86-40ff-8a85-fd37f1e2563f", "prebuilt": false, - "platform": "Active Directory", + "platform": [ + "Active Directory" + ], "category": "Domain Information", "description": null, "query": "MATCH p=(n:Base)-[:MemberOf*1..]->(m:Group)\nWHERE (n:User OR n:Computer)\nAND m.objectid ENDS WITH \"-518\" // Schema Admins\nRETURN p", - "note": null, "revision": 1, + "note": null, "resources": null, - "acknowledgements": "Martin Sohn Christensen, @martinsohndk" + "acknowledgement": null }, { "name": "Domains with List Object mode enabled", "guid": "05e2a94b-5ee6-47ec-b715-3982f30af01b", "prebuilt": false, - "platform": "Active Directory", + "platform": [ + "Active Directory" + ], "category": "Domain Information", "description": "Checks the fDoListObject flag of dSHeuristics.", "query": "MATCH (n:Domain)\nWHERE n.dsheuristics =~ \".{2}[^0].*\"\nRETURN n", - "note": null, "revision": 1, + "note": null, "resources": "https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-adts/e5899be4-862e-496f-9a38-33950617d2c5", - "acknowledgements": "Martin Sohn Christensen, @martinsohndk" + "acknowledgement": null }, { "name": "All paths crossing a specific trust", "guid": "251fc893-7a6b-4a0a-8650-9d5408d38c3c", "prebuilt": false, - "platform": "Active Directory", + "platform": [ + "Active Directory" + ], "category": "Domain Information", "description": "All paths crossing a specific trust from a trusted to a trusting domain.", "query": "// Replace the TRUSTED domain SID\n// Replace the TRUSTING domain SID\nMATCH 
p=(Trusted:Base)-[:Owns|GenericAll|GenericWrite|WriteOwner|WriteDacl|MemberOf|ForceChangePassword|AllExtendedRights|AddMember|HasSession|GPLink|AllowedToDelegate|CoerceToTGT|AllowedToAct|AdminTo|CanPSRemote|CanRDP|ExecuteDCOM|HasSIDHistory|AddSelf|DCSync|ReadLAPSPassword|ReadGMSAPassword|DumpSMSAPassword|SQLAdmin|AddAllowedToAct|WriteSPN|AddKeyCredentialLink|SyncLAPSPassword|WriteAccountRestrictions|WriteGPLink|GoldenCert|ADCSESC1|ADCSESC3|ADCSESC4|ADCSESC6a|ADCSESC6b|ADCSESC9a|ADCSESC9b|ADCSESC10a|ADCSESC10b|ADCSESC13|SyncedToEntraUser|CoerceAndRelayNTLMToSMB|CoerceAndRelayNTLMToADCS|WriteOwnerLimitedRights|OwnsLimitedRights|CoerceAndRelayNTLMToLDAP|CoerceAndRelayNTLMToLDAPS|Contains|DCFor|SameForestTrust|SpoofSIDHistory|AbuseTGTDelegation]->(Trusting:Base)\nWHERE Trusted.domainsid = 'S-1-5-21-1111111111-1111111111-1111111111'\nAND Trusting.domainsid = 'S-1-5-21-2222222222-2222222222-2222222222'\nRETURN p\nLIMIT 1000", - "note": null, "revision": 1, + "note": null, "resources": null, - "acknowledgement": null, - "acknowledgements": "Martin Sohn Christensen, @martinsohndk" + "acknowledgement": null }, { "name": "Shortest paths to Domain Admins from Kerberoastable users", "guid": "bd163361-1e05-47c7-908b-962aef251535", "prebuilt": true, - "platform": "Active Directory", + "platform": [ + "Active Directory" + ], "category": "Shortest Paths", "description": null, "query": "MATCH 
p=shortestPath((s:User)-[:Owns|GenericAll|GenericWrite|WriteOwner|WriteDacl|MemberOf|ForceChangePassword|AllExtendedRights|AddMember|HasSession|GPLink|AllowedToDelegate|CoerceToTGT|AllowedToAct|AdminTo|CanPSRemote|CanRDP|ExecuteDCOM|HasSIDHistory|AddSelf|DCSync|ReadLAPSPassword|ReadGMSAPassword|DumpSMSAPassword|SQLAdmin|AddAllowedToAct|WriteSPN|AddKeyCredentialLink|SyncLAPSPassword|WriteAccountRestrictions|WriteGPLink|GoldenCert|ADCSESC1|ADCSESC3|ADCSESC4|ADCSESC6a|ADCSESC6b|ADCSESC9a|ADCSESC9b|ADCSESC10a|ADCSESC10b|ADCSESC13|SyncedToEntraUser|CoerceAndRelayNTLMToSMB|CoerceAndRelayNTLMToADCS|WriteOwnerLimitedRights|OwnsLimitedRights|CoerceAndRelayNTLMToLDAP|CoerceAndRelayNTLMToLDAPS|Contains|DCFor|SameForestTrust|SpoofSIDHistory|AbuseTGTDelegation*1..]->(t:Group))\nWHERE s.hasspn=true\nAND s.enabled = true\nAND NOT s.objectid ENDS WITH '-502'\nAND NOT COALESCE(s.gmsa, false) = true\nAND NOT COALESCE(s.msa, false) = true\nAND t.objectid ENDS WITH '-512'\nRETURN p\nLIMIT 1000", - "note": null, "revision": 1, + "note": null, "resources": null, - "acknowledgements": null + "acknowledgement": null }, { "name": "Non-Tier Zero principals with BadSuccessor rights (with prerequisites check)", "guid": "74daaebe-6040-4f7a-9c9a-416faf73dcc3", "prebuilt": false, - "platform": "Active Directory", + "platform": [ + "Active Directory" + ], "category": "Dangerous Privileges", "description": "Finds non-Tier Zero principals with BadSuccessor rights after checking prerequisites check (DC2025 & KDC key).", "query": "// Find 2025 DCs\nMATCH (dc:Computer)\nWHERE dc.isdc = true AND dc.operatingsystem CONTAINS '2025'\n// Find gMSAs\nMATCH (m:User)\nWHERE m.gmsa = true\n// Find OU control\nMATCH p = (ou:OU)<-[:WriteDacl|Owns|GenericAll|WriteOwner]-(n:Base)\n// Confirm domain has a 2025 DC\nWHERE ou.domain = dc.domain\n// Confirm domain KDC key\nAND ou.domain = m.domain\n// Exclude Tier Zero\nAND NOT ((n:Tag_Tier_Zero) OR COALESCE(n.system_tags, '') CONTAINS 'admin_tier_0')\nRETURN p LIMIT 
1000", - "note": null, "revision": 1, + "note": null, "resources": "https://bsky.app/profile/specterops.io/post/3lpua65qeu22l", - "acknowledgement": "Martin Sohn Christensen, @martinsohndk", - "acknowledgements": "Martin Sohn Christensen, @martinsohndk" + "acknowledgement": "Martin Sohn Christensen, @martinsohndk" }, { "name": "Non-default permissions on IssuancePolicy nodes", "guid": "b2280665-c91b-448c-8c0f-97d1f38b6f59", "prebuilt": true, - "platform": "Active Directory", + "platform": [ + "Active Directory" + ], "category": "Active Directory Certificate Services", "description": null, "query": "MATCH p = (s:Base)-[:GenericAll|GenericWrite|Owns|WriteOwner|WriteDacl]->(:IssuancePolicy)\nWHERE NOT s.objectid ENDS WITH '-512' AND NOT s.objectid ENDS WITH '-519'\nRETURN p\nLIMIT 1000", - "note": null, "revision": 1, + "note": null, "resources": null, - "acknowledgements": null + "acknowledgement": null }, { "name": "Accounts with SID History to a same-domain account", "guid": "275d2d58-0cad-4cad-8103-e0874cece666", "prebuilt": false, - "platform": "Active Directory", + "platform": [ + "Active Directory" + ], "category": "Dangerous Privileges", "description": null, "query": "MATCH p=(n:Base)-[:HasSIDHistory]->(m:Base)\nWHERE n.domainsid = m.domainsid\nRETURN p", - "note": null, "revision": 1, + "note": null, "resources": null, - "acknowledgements": "Martin Sohn Christensen, @martinsohndk" + "acknowledgement": null }, { "name": "On-Prem Users synced to Entra Users with Entra Admin Roles (direct)", 
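Review bot: The `acknowledgements` → `acknowledgement` rename drops the attribution value on most entries in this hunk — All Schema Admins, Domains with List Object mode enabled, All paths crossing a specific trust and Accounts with SID History to a same-domain account all go from `"acknowledgements": "Martin Sohn Christensen, @martinsohndk"` to `"acknowledgement": null`, while the BadSuccessor entry keeps its value under the new key. Unless dropping credit is intended, those lines should read `"acknowledgement": "Martin Sohn Christensen, @martinsohndk"`. The same loss recurs in the preceding hunk and in the next one (Tier Zero users not member of Protected Users, Usage of built-in domain Administrator account, Enabled built-in guest user accounts, All Operators and the Tier Zero delegation and SMB-signing entries). The entry for All paths crossing a specific trust previously carried both keys, which suggests an earlier partial migration; if Queries.json is generated from the per-query yml files, the fix belongs in the generator or the source yml rather than in this file alone.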
@@ -1954,140 +2223,159 @@ "category": "Cross Platform Attack Paths", "description": null, "query": "MATCH p = (:User)-[:SyncedToEntraUser]->(:AZUser)-[:AZHasRole]->(:AZRole)\nRETURN p\nLIMIT 1000", - "note": null, "revision": 1, + "note": null, "resources": null, - "acknowledgements": null + "acknowledgement": null }, { "name": "Tier Zero users not member of Protected Users", "guid": "543eb01d-9fa3-4b8f-a936-b46bbfdaa2ae", "prebuilt": false, - "platform": "Active Directory", + "platform": [ + "Active Directory" + ], "category": "Active Directory Hygiene", "description": null, "query": "MATCH (m:User)\nWHERE ((m:Tag_Tier_Zero) OR COALESCE(m.system_tags, '') CONTAINS 'admin_tier_0')\nOPTIONAL MATCH (g:Group)<-[:MemberOf*1..]-(n:Base)\nWHERE g.objectid ENDS WITH '-525'\nWITH m, COLLECT(n) AS matchingNs\nWHERE NONE(n IN matchingNs WHERE n.objectid = m.objectid)\nRETURN m", - "note": null, "revision": 1, + "note": null, "resources": null, - "acknowledgements": "Martin Sohn Christensen, @martinsohndk" + "acknowledgement": null }, { "name": "Usage of built-in domain Administrator account", "guid": "35b1206f-871b-44aa-a601-c5258060dfcf", "prebuilt": false, - "platform": "Active Directory", + "platform": [ + "Active Directory" + ], "category": "Active Directory Hygiene", "description": "Usage of Active Directory's built-in Administrator account is a sign that the account is not only used for break-glass purposes.", "query": "MATCH (n:User)\nWHERE n.objectid ENDS WITH \"-500\"\nAND (\n n.lastlogontimestamp > (datetime().epochseconds - (60 * 86400)) OR\n n.lastlogon > (datetime().epochseconds - (60 * 86400))\n)\nAND NOT n.whencreated > (datetime().epochseconds - (60 * 86400))\nRETURN n", - "note": null, "revision": 1, + "note": null, "resources": null, - "acknowledgements": "Martin Sohn Christensen, @martinsohndk" + "acknowledgement": null }, { "name": "Enabled built-in guest user accounts", "guid": "bb0f620d-6a55-4413-ac74-4c82905e8598", "prebuilt": false, - "platform": 
"Active Directory", + "platform": [ + "Active Directory" + ], "category": "Active Directory Hygiene", "description": null, "query": "MATCH (n:User)\nWHERE n.objectid ENDS WITH \"-501\"\nAND n.enabled = true\nRETURN n", - "note": null, "revision": 1, + "note": null, "resources": null, - "acknowledgements": "Martin Sohn Christensen, @martinsohndk" + "acknowledgement": null }, { "name": "All Operators", "guid": "3dfd0843-1ff9-4c21-aa67-feae08d109de", "prebuilt": false, - "platform": "Active Directory", + "platform": [ + "Active Directory" + ], "category": "Domain Information", "description": null, "query": "MATCH p=(:Base)-[:MemberOf]->(n:Group)\nWHERE (\n n.objectid ENDS WITH 'S-1-5-32-551' OR // Backup Operators\n n.objectid ENDS WITH 'S-1-5-32-556' OR // Network Configuration Operators\n n.objectid ENDS WITH 'S-1-5-32-549' OR // Server Operators\n n.objectid ENDS WITH 'S-1-5-32-579' OR // Access Control Assistance Operators\n n.objectid ENDS WITH 'S-1-5-32-548' OR // Account Operators\n n.objectid ENDS WITH 'S-1-5-32-569' OR // Cryptographic Operators\n n.objectid ENDS WITH 'S-1-5-32-550' // Print Operators\n)\nRETURN p", - "note": null, "revision": 1, + "note": null, "resources": null, - "acknowledgements": "Martin Sohn Christensen, @martinsohndk" + "acknowledgement": null }, { "name": "Principal with SPN keyword", "guid": "38a9c4c9-3d70-453f-a017-cbfd35ed9917", "prebuilt": false, - "platform": "Active Directory", + "platform": [ + "Active Directory" + ], "category": "Kerberos Interaction", "description": "Finds service accounts used with a specific Kerberos-enabled service or all service accounts running on a Kerberos-enabled service on a specific server.", "query": "// Replace keyword with a service type or server name (not FQDN)\nWITH \"KEYWORD\" as SPNKeyword\nMATCH (n:User)\nWHERE ANY(keyword IN n.serviceprincipalnames WHERE toUpper(keyword) CONTAINS toUpper(SPNKeyword))\nRETURN n", - "note": null, "revision": 1, + "note": null, "resources": 
"https://adsecurity.org/?page_id=183", - "acknowledgement": "Ryan, @haus3c", - "acknowledgements": "Martin Sohn Christensen, @martinsohndk" + "acknowledgement": "Ryan, @haus3c" }, { "name": "Tier Zero computers at risk of constrained delegation", "guid": "8641e593-f2f2-48ba-bd45-fbc86e9f632a", "prebuilt": false, - "platform": "Active Directory", + "platform": [ + "Active Directory" + ], "category": "Dangerous Privileges", "description": null, "query": "MATCH p = (n:Computer)<-[:AllowedToDelegate]-(:Base)\nWHERE ((n:Tag_Tier_Zero) OR COALESCE(n.system_tags, '') CONTAINS 'admin_tier_0')\nRETURN p", - "note": null, "revision": 1, + "note": null, "resources": null, - "acknowledgements": "Martin Sohn Christensen, @martinsohndk" + "acknowledgement": null }, { "name": "Large default groups with outbound control of OUs", "guid": "310b3626-f8e6-4ab0-832c-72df6048597f", "prebuilt": false, - "platform": "Active Directory", + "platform": [ + "Active Directory" + ], "category": "Dangerous Privileges", "description": null, "query": "MATCH p=(n:Group)-[]->(:OU)\nWHERE n.objectid ENDS WITH \"-513\" // DOMAIN USERS\nOR n.objectid ENDS WITH \"-515\" // DOMAIN COMPUTERS\nOR n.objectid ENDS WITH \"-S-1-5-11\" // AUTHENTICATED USERS\nOR n.objectid ENDS WITH \"-S-1-1-0\" // EVERYONE\nOR n.objectid ENDS WITH \"S-1-5-32-545\" // USERS\nOR n.objectid ENDS WITH \"S-1-5-32-546\" // GUESTS\nOR n.objectid ENDS WITH \"S-1-5-7\" // ANONYMOUS\nRETURN p", - "note": null, "revision": 1, + "note": null, "resources": null, - "acknowledgements": "Martin Sohn Christensen, @martinsohndk" + "acknowledgement": null }, { "name": "Non-Tier Zero account with unconstrained delegation", "guid": "e7e9a927-3f34-42c7-b921-d8bcf626011e", "prebuilt": false, - "platform": "Active Directory", + "platform": [ + "Active Directory" + ], "category": "Dangerous Privileges", "description": null, "query": "MATCH (n:Base)\nWHERE n.unconstraineddelegation = true\nAND NOT ((n:Tag_Tier_Zero) OR COALESCE(n.system_tags, '') 
CONTAINS 'admin_tier_0')\nRETURN n", - "note": null, "revision": 1, + "note": null, "resources": null, - "acknowledgements": "Martin Sohn Christensen, @martinsohndk" + "acknowledgement": null }, { "name": "All Kerberoastable users", "guid": "14ab4eaa-b73b-49c4-b2d1-1e020757c995", "prebuilt": true, - "platform": "Active Directory", + "platform": [ + "Active Directory" + ], "category": "Kerberos Interaction", "description": null, "query": "MATCH (u:User)\nWHERE u.hasspn=true\nAND u.enabled = true\nAND NOT u.objectid ENDS WITH '-502'\nAND NOT COALESCE(u.gmsa, false) = true\nAND NOT COALESCE(u.msa, false) = true\nRETURN u\nLIMIT 100", - "note": null, "revision": 1, + "note": null, "resources": "https://attack.mitre.org/techniques/T1558/003/", - "acknowledgements": null + "acknowledgement": null }, { "name": "Tier Zero omputers not requiring inbound SMB signing", "guid": "13485477-f026-4b1f-906d-4f2e37364ba4", "prebuilt": false, - "platform": "Active Directory", + "platform": [ + "Active Directory" + ], "category": "NTLM Relay Attacks", "description": null, "query": "MATCH (n:Computer)\nWHERE n.smbsigning = False\nAND ((n:Tag_Tier_Zero) OR COALESCE(n.system_tags, '') CONTAINS 'admin_tier_0')\nRETURN n", - "note": null, "revision": 1, + "note": null, "resources": null, - "acknowledgements": "Martin Sohn Christensen, @martinsohndk" + "acknowledgement": null } ] \ No newline at end of file diff --git a/queries/ACEs across trusts.yml b/queries/ACEs across trusts.yml index d6a5437..364fd7c 100644 --- a/queries/ACEs across trusts.yml +++ b/queries/ACEs across trusts.yml @@ -1,7 +1,7 @@ name: ACEs across trusts guid: c902d3b4-1a75-4335-acd7-28246dab746d prebuilt: false -platform: Active Directory +platforms: Active Directory category: Domain Information description: ACEs granted across a trust, the ACEs are set on trusting objects and the rights are granted to objects from trusted domains. query: |- 
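Review bot: The JSON and YAML sides of this commit disagree on the field name and shape: Queries.json keeps the key `platform` but turns its value into a list (`"platform": [ "Active Directory" ]`), while every `queries/*.yml` hunk that follows renames the key to `platforms` with a scalar value (`platforms: Active Directory`). If one file is generated from the other, a consumer reading `platforms` from the JSON or expecting a list from the yml will find neither; pick one name and one shape for both. In the Principal with SPN keyword entry the old file carried two contributors (`"acknowledgement": "Ryan, @haus3c"` and `"acknowledgements": "Martin Sohn Christensen, @martinsohndk"`) and the new singular field keeps only the first, so the second is silently dropped. Unrelated to the change but visible in the context lines: the name `Tier Zero omputers not requiring inbound SMB signing` is missing its C, and the file still ends without a trailing newline, which a JSON formatter in the pipeline would normally emit.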
diff --git a/queries/AS-REP Roastable Tier Zero users (DontReqPreAuth).yml b/queries/AS-REP Roastable Tier Zero users (DontReqPreAuth).yml
index a363c4d..0333f1c 100644
--- a/queries/AS-REP Roastable Tier Zero users (DontReqPreAuth).yml
+++ b/queries/AS-REP Roastable Tier Zero users (DontReqPreAuth).yml
@@ -1,7 +1,7 @@
 name: AS-REP Roastable Tier Zero users (DontReqPreAuth)
 guid: 6d51e4dc-e1ad-477a-b6c6-324f18f03120
 prebuilt: false
-platform: Active Directory
+platforms: Active Directory
 category: Active Directory Hygiene
 description:
 query: |-
diff --git a/queries/AS-REP Roastable users (DontReqPreAuth).yml b/queries/AS-REP Roastable users (DontReqPreAuth).yml
index 91285ec..7dd19da 100644
--- a/queries/AS-REP Roastable users (DontReqPreAuth).yml
+++ b/queries/AS-REP Roastable users (DontReqPreAuth).yml
@@ -1,7 +1,7 @@
 name: AS-REP Roastable users (DontReqPreAuth)
 guid: 2570e359-dec1-419d-b0dc-a204bd64ee42
 prebuilt: true
-platform: Active Directory
+platforms: Active Directory
 category: Kerberos Interaction
 description:
 query: |-
diff --git a/queries/Accounts with SID History to a non-existent domain.yml b/queries/Accounts with SID History to a non-existent domain.yml
index c7e1a49..942afb0 100644
--- a/queries/Accounts with SID History to a non-existent domain.yml
+++ b/queries/Accounts with SID History to a non-existent domain.yml
@@ -1,7 +1,7 @@
 name: Accounts with SID History to a non-existent domain
 guid: 2710401a-c4c2-4d2c-9edb-d7625045f2e8
 prebuilt: false
-platform: Active Directory
+platforms: Active Directory
 category: Active Directory Hygiene
 description:
 query: |-
diff --git a/queries/Accounts with SID History to a same-domain account.yml b/queries/Accounts with SID History to a same-domain account.yml
index 7605550..7060814 100644
--- a/queries/Accounts with SID History to a same-domain account.yml
+++ b/queries/Accounts with SID History to a same-domain account.yml
@@ -1,7 +1,7 @@
 name: Accounts with SID History to a same-domain account
 guid: 275d2d58-0cad-4cad-8103-e0874cece666
 prebuilt: false
-platform: Active Directory
+platforms: Active Directory
 category: Dangerous Privileges
 description:
 query: |-
diff --git a/queries/Accounts with SID History.yml b/queries/Accounts with SID History.yml
index a3cd2b8..3263635 100644
--- a/queries/Accounts with SID History.yml
+++ b/queries/Accounts with SID History.yml
@@ -1,7 +1,7 @@
 name: Accounts with SID History
 guid: 8172d52c-a975-49bd-9180-5b6efc59c9ab
 prebuilt: false
-platform: Active Directory
+platforms: Active Directory
 category: Active Directory Hygiene
 description:
 query: |-
diff --git a/queries/Accounts with clear-text password attributes.yml b/queries/Accounts with clear-text password attributes.yml
index b187bd8..6c5fe62 100644
--- a/queries/Accounts with clear-text password attributes.yml
+++ b/queries/Accounts with clear-text password attributes.yml
@@ -1,7 +1,7 @@
 name: Accounts with clear-text password attributes
 guid: e303498f-e3d4-489d-8a34-b68e187bc4e7
 prebuilt: false
-platform: Active Directory
+platforms: Active Directory
 category: Active Directory Hygiene
 description:
 query: |-
diff --git a/queries/AdminSDHolder protected Accounts and Groups.yml b/queries/AdminSDHolder protected Accounts and Groups.yml
index 12dc5fd..102696a 100644
--- a/queries/AdminSDHolder protected Accounts and Groups.yml
+++ b/queries/AdminSDHolder protected Accounts and Groups.yml
@@ -1,7 +1,7 @@
 name: AdminSDHolder protected Accounts and Groups
 guid: 5ee2f40e-a55c-4140-ab8a-91746ba3752b
 prebuilt: false
-platform: Active Directory
+platforms: Active Directory
 category: Domain Information
 description: Objects whose permissions are set by SDProp to the template AdminSDHolder object as per MS-ADTS 3.1.1.6.1.2 Protected Objects. Does not exclude objects if specified in dSHeuristics dwAdminSDExMask
 query: |-
diff --git a/queries/All ADCS ESC privilege escalation edges.yml b/queries/All ADCS ESC privilege escalation edges.yml
index 5ebf2cc..574ec1e 100644
--- a/queries/All ADCS ESC privilege escalation edges.yml
+++ b/queries/All ADCS ESC privilege escalation edges.yml
@@ -1,7 +1,7 @@
 name: All ADCS ESC privilege escalation edges
 guid: 49db8edc-8421-438f-b97b-23c042959bef
 prebuilt: false
-platform: Active Directory
+platforms: Active Directory
 category: Active Directory Certificate Services
 description:
 query: |-
diff --git a/queries/All DNSAdmins.yml b/queries/All DNSAdmins.yml
index 016983c..0ba9588 100644
--- a/queries/All DNSAdmins.yml
+++ b/queries/All DNSAdmins.yml
@@ -1,7 +1,7 @@
 name: All DNSAdmins
 guid: 183fb320-f3ae-4ab3-a090-3f9a7db692e1
 prebuilt: false
-platform: Active Directory
+platforms: Active Directory
 category: Domain Information
 description:
 query: |-
diff --git a/queries/All Domain Admins.yml b/queries/All Domain Admins.yml
index 7aaa9c9..e473090 100644
--- a/queries/All Domain Admins.yml
+++ b/queries/All Domain Admins.yml
@@ -1,7 +1,7 @@
 name: All Domain Admins
 guid: 0596dba7-9180-49a0-aa54-00243240037c
 prebuilt: true
-platform: Active Directory
+platforms: Active Directory
 category: Domain Information
 description:
 query: |-
diff --git a/queries/All Global Administrators.yml b/queries/All Global Administrators.yml
index b74e56e..99b573f 100644
--- a/queries/All Global Administrators.yml
+++ b/queries/All Global Administrators.yml
@@ -1,7 +1,7 @@
 name: All Global Administrators
 guid: 94d7d765-6837-4eb8-aa33-e1c9ef262cdc
 prebuilt: true
-platform: Azure
+platforms: Azure
 category: General
 description:
 query: |-
diff --git a/queries/All Kerberoastable users.yml b/queries/All Kerberoastable users.yml
index a5385bb..065247b 100644
--- a/queries/All Kerberoastable users.yml
+++ b/queries/All Kerberoastable users.yml
@@ -1,7 +1,7 @@
 name: All Kerberoastable users
 guid: 14ab4eaa-b73b-49c4-b2d1-1e020757c995
 prebuilt: true
-platform: Active Directory
+platforms: Active Directory
 category: Kerberos Interaction
 description:
 query: |-
diff --git a/queries/All Operator groups.yml b/queries/All Operator groups.yml
index 3fac95d..a1cf9ff 100644
--- a/queries/All Operator groups.yml
+++ b/queries/All Operator groups.yml
@@ -1,7 +1,7 @@
 name: All Operators
 guid: 3dfd0843-1ff9-4c21-aa67-feae08d109de
 prebuilt: false
-platform: Active Directory
+platforms: Active Directory
 category: Domain Information
 description:
 query: |-
diff --git a/queries/All Schema Admins.yml b/queries/All Schema Admins.yml
index 1887192..a3bb08f 100644
--- a/queries/All Schema Admins.yml
+++ b/queries/All Schema Admins.yml
@@ -1,7 +1,7 @@
 name: All Schema Admins
 guid: 76d8e61d-7a86-40ff-8a85-fd37f1e2563f
 prebuilt: false
-platform: Active Directory
+platforms: Active Directory
 category: Domain Information
 description:
 query: |-
diff --git a/queries/All coerce and NTLM relay edges.yml b/queries/All coerce and NTLM relay edges.yml
index 51b91a0..b7d3dc6 100644
--- a/queries/All coerce and NTLM relay edges.yml
+++ b/queries/All coerce and NTLM relay edges.yml
@@ -1,7 +1,7 @@
 name: All coerce and NTLM relay edges
 guid: 15c5ff3b-856c-44d1-a731-a8cb72512dd1
 prebuilt: true
-platform: Active Directory
+platforms: Active Directory
 category: NTLM Relay Attacks
 description:
 query: |-
diff --git a/queries/All incoming and local paths for a specific computer.yml b/queries/All incoming and local paths for a specific computer.yml
index cc231c0..411ae80 100644
--- a/queries/All incoming and local paths for a specific computer.yml
+++ b/queries/All incoming and local paths for a specific computer.yml
@@ -1,7 +1,7 @@
 name: All incoming and local paths for a specific computer
 guid: 1f67e538-19d4-4020-89c8-5b39b31571bd
 prebuilt: false
-platform: Active Directory
+platforms: Active Directory
 category: Domain Information
 description: All incoming and local paths for a specific computer; incoming from domain objects and paths local inside the computer.
 query: |-
diff --git a/queries/All members of high privileged roles.yml b/queries/All members of high privileged roles.yml
index 96c312e..0d4d1d2 100644
--- a/queries/All members of high privileged roles.yml
+++ b/queries/All members of high privileged roles.yml
@@ -1,7 +1,7 @@
 name: All members of high privileged roles
 guid: 3df24d92-dd12-4125-811b-e696b098f60e
 prebuilt: true
-platform: Azure
+platforms: Azure
 category: General
 description:
 query: |-
diff --git a/queries/All paths crossing a specific trust.yml b/queries/All paths crossing a specific trust.yml
index 970cc8e..573fce6 100644
--- a/queries/All paths crossing a specific trust.yml
+++ b/queries/All paths crossing a specific trust.yml
@@ -1,7 +1,7 @@
 name: All paths crossing a specific trust
 guid: 251fc893-7a6b-4a0a-8650-9d5408d38c3c
 prebuilt: false
-platform: Active Directory
+platforms: Active Directory
 category: Domain Information
 description: All paths crossing a specific trust from a trusted to a trusting domain.
 query: |-
diff --git a/queries/All service principals with Microsoft Graph App Role assignments.yml b/queries/All service principals with Microsoft Graph App Role assignments.yml
index 59a4ad9..d941ac4 100644
--- a/queries/All service principals with Microsoft Graph App Role assignments.yml
+++ b/queries/All service principals with Microsoft Graph App Role assignments.yml
@@ -1,7 +1,7 @@
 name: All service principals with Microsoft Graph App Role assignments
 guid: 74440269-eb41-476b-8dec-b4095569b029
 prebuilt: true
-platform: Azure
+platforms: Azure
 category: Microsoft Graph
 description:
 query: |-
diff --git a/queries/All service principals with Microsoft Graph privilege to grant arbitrary App Roles.yml b/queries/All service principals with Microsoft Graph privilege to grant arbitrary App Roles.yml
index a76a982..bcd4eec 100644
--- a/queries/All service principals with Microsoft Graph privilege to grant arbitrary App Roles.yml
+++ b/queries/All service principals with Microsoft Graph privilege to grant arbitrary App Roles.yml
@@ -1,7 +1,7 @@
 name: All service principals with Microsoft Graph privilege to grant arbitrary App Roles
 guid: e6d6b5da-89da-4514-a409-2d6e368397da
 prebuilt: true
-platform: Azure
+platforms: Azure
 category: Microsoft Graph
 description:
 query: |-
diff --git a/queries/CA administrators and CA managers.yml b/queries/CA administrators and CA managers.yml
index 04cd20a..bbc4f91 100644
--- a/queries/CA administrators and CA managers.yml
+++ b/queries/CA administrators and CA managers.yml
@@ -1,7 +1,7 @@
 name: CA administrators and CA managers
 guid: fd35e3d8-0c74-4b5a-a847-c0dd1f1c9f19
 prebuilt: true
-platform: Active Directory
+platforms: Active Directory
 category: Active Directory Certificate Services
 description:
 query: |-
diff --git a/queries/Computer owners who can obtain LAPS passwords.yml b/queries/Computer owners who can obtain LAPS passwords.yml
index b22bc4c..a035f03 100644
--- a/queries/Computer owners who can obtain LAPS passwords.yml
+++ b/queries/Computer owners who can obtain LAPS passwords.yml
@@ -1,7 +1,7 @@
 name: Computer owners who can obtain LAPS passwords
 guid: 92aa81d6-b08e-4abb-ae39-ecbe5735a74c
 prebuilt: false
-platform: Active Directory
+platforms: Active Directory
 category: Dangerous Privileges
 description: Creators of computer objects get abusable rights on the computer object. If the owner is not explicitly granted ReadLAPSPassword they can still compromise the computer with the abusable owner rights.
 query: |-
diff --git a/queries/Computers not requiring inbound SMB signing.yml b/queries/Computers not requiring inbound SMB signing.yml
index 997b6fd..319bc0e 100644
--- a/queries/Computers not requiring inbound SMB signing.yml
+++ b/queries/Computers not requiring inbound SMB signing.yml
@@ -1,7 +1,7 @@
 name: Computers not requiring inbound SMB signing
 guid: 6b1fcfb6-b010-41a2-9d31-f9872fe994ff
 prebuilt: true
-platform: Active Directory
+platforms: Active Directory
 category: NTLM Relay Attacks
 description:
 query: |-
diff --git a/queries/Computers where Domain Users are local administrators.yml b/queries/Computers where Domain Users are local administrators.yml
index 5f6bb7a..a427de9 100644
--- a/queries/Computers where Domain Users are local administrators.yml
+++ b/queries/Computers where Domain Users are local administrators.yml
@@ -1,7 +1,7 @@
 name: Computers where Domain Users are local administrators
 guid: d43a7bdc-33c6-4a39-a3bb-24115749e595
 prebuilt: true
-platform: Active Directory
+platforms: Active Directory
 category: Dangerous Privileges
 description:
 query: |-
diff --git a/queries/Computers where Domain Users can read LAPS passwords.yml b/queries/Computers where Domain Users can read LAPS passwords.yml
index 187271e..6c8200c 100644
--- a/queries/Computers where Domain Users can read LAPS passwords.yml
+++ b/queries/Computers where Domain Users can read LAPS passwords.yml
@@ -1,7 +1,7 @@
 name: Computers where Domain Users can read LAPS passwords
 guid: aa4bfa95-e7b9-4d56-8f35-f34f04d7b6f4
 prebuilt: true
-platform: Active Directory
+platforms: Active Directory
 category: Dangerous Privileges
 description:
 query: |-
diff --git a/queries/Computers with membership in Protected Users.yml b/queries/Computers with membership in Protected Users.yml
index ff115f8..09eaf2b 100644
--- a/queries/Computers with membership in Protected Users.yml
+++ b/queries/Computers with membership in Protected Users.yml
@@ -1,7 +1,7 @@
 name: Computers with membership in Protected Users
 guid: a26372f4-2e92-49f6-8993-6657fbc1569a
 prebuilt: true
-platform: Active Directory
+platforms: Active Directory
 category: NTLM Relay Attacks
 description:
 query: |-
diff --git a/queries/Computers with non-default Primary Group membership.yml b/queries/Computers with non-default Primary Group membership.yml
index 922a645..d5cc418 100644
--- a/queries/Computers with non-default Primary Group membership.yml
+++ b/queries/Computers with non-default Primary Group membership.yml
@@ -1,7 +1,7 @@
 name: Computers with non-default Primary Group membership
 guid: 5862dc4e-6f6f-4321-9474-d838968495ed
 prebuilt: false
-platform: Active Directory
+platforms: Active Directory
 category: Active Directory Hygiene
 description:
 query: |-
diff --git a/queries/Computers with passwords older than the default maximum password age.yml b/queries/Computers with passwords older than the default maximum password age.yml
index e0b3f2a..6435bc8 100644
--- a/queries/Computers with passwords older than the default maximum password age.yml
+++ b/queries/Computers with passwords older than the default maximum password age.yml
@@ -1,7 +1,7 @@
 name: Computers with passwords older than the default maximum password age
 guid: 185c5010-8d4f-4f9b-b24e-831707dddfca
 prebuilt: false
-platform: Active Directory
+platforms: Active Directory
 category: Active Directory Hygiene
 description: Machine account passwords are regularly changed for security purposes. Starting with Windows 2000-based computers, the machine account password automatically changes every 30 days.
 query: |-
diff --git a/queries/Computers with the WebClient running.yml b/queries/Computers with the WebClient running.yml
index df6327d..dcf3f5f 100644
--- a/queries/Computers with the WebClient running.yml
+++ b/queries/Computers with the WebClient running.yml
@@ -1,7 +1,7 @@
 name: Computers with the WebClient running
 guid: 51107ad1-f0bc-43d3-a561-5cee471ca196
 prebuilt: true
-platform: Active Directory
+platforms: Active Directory
 category: NTLM Relay Attacks
 description:
 query: |-
diff --git a/queries/Computers with the outgoing NTLM setting set to Deny all.yml b/queries/Computers with the outgoing NTLM setting set to Deny all.yml
index 4d2ee63..52bf176 100644
--- a/queries/Computers with the outgoing NTLM setting set to Deny all.yml
+++ b/queries/Computers with the outgoing NTLM setting set to Deny all.yml
@@ -1,7 +1,7 @@
 name: Computers with the outgoing NTLM setting set to Deny all
 guid: a9ddca74-feeb-4dbf-8b0f-de08b3cfa8a6
 prebuilt: true
-platform: Active Directory
+platforms: Active Directory
 category: NTLM Relay Attacks
 description:
 query: |-
diff --git a/queries/Computers with unsupported operating systems.yml b/queries/Computers with unsupported operating systems.yml
index 5a7db47..ef5d794 100644
--- a/queries/Computers with unsupported operating systems.yml
+++ b/queries/Computers with unsupported operating systems.yml
@@ -1,7 +1,7 @@
 name: Computers with unsupported operating systems
 guid: d06d3b14-0318-4fa9-9639-4b79ccaf3c2c
 prebuilt: true
-platform: Active Directory
+platforms: Active Directory
 category: Active Directory Hygiene
 description:
 query: |-
diff --git a/queries/Cross-forest trusts with abusable configuration.yml b/queries/Cross-forest trusts with abusable configuration.yml
index e8c88fe..578bdc5 100644
--- a/queries/Cross-forest trusts with abusable configuration.yml
+++ b/queries/Cross-forest trusts with abusable configuration.yml
@@ -1,7 +1,7 @@
 name: Cross-forest trusts with abusable configuration
 guid: 5cf1f354-80d4-420e-bc4b-424fabc21a56
 prebuilt: true
-platform: Active Directory
+platforms: Active Directory
 category: Active Directory Hygiene
 description:
 query: |-
diff --git a/queries/DCs vulnerable to NTLM relay to LDAP attacks.yml b/queries/DCs vulnerable to NTLM relay to LDAP attacks.yml
index a07adb0..ac0a9e2 100644
--- a/queries/DCs vulnerable to NTLM relay to LDAP attacks.yml
+++ b/queries/DCs vulnerable to NTLM relay to LDAP attacks.yml
@@ -1,7 +1,7 @@
 name: DCs vulnerable to NTLM relay to LDAP attacks
 guid: 3f87e0b0-fc06-4986-a94c-e08781253dc8
 prebuilt: true
-platform: Active Directory
+platforms: Active Directory
 category: NTLM Relay Attacks
 description:
 query: |-
diff --git a/queries/Dangerous privileges for Domain Users groups.yml b/queries/Dangerous privileges for Domain Users groups.yml
index dd1fb93..b4d5c89 100644
--- a/queries/Dangerous privileges for Domain Users groups.yml
+++ b/queries/Dangerous privileges for Domain Users groups.yml
@@ -1,7 +1,7 @@
 name: Dangerous privileges for Domain Users groups
 guid: 9b8b9c18-f8c6-4c54-a20f-de0f7a7edbe0
 prebuilt: true
-platform: Active Directory
+platforms: Active Directory
 category: Dangerous Privileges
 description:
 query: |-
diff --git a/queries/Devices with unsupported operating systems.yml b/queries/Devices with unsupported operating systems.yml
index 42abc49..5c565e1 100644
--- a/queries/Devices with unsupported operating systems.yml
+++ b/queries/Devices with unsupported operating systems.yml
@@ -1,7 +1,7 @@
 name: Devices with unsupported operating systems
 guid: e3f2b53a-7ce6-4e52-9c74-68b69338288b
 prebuilt: true
-platform: Azure
+platforms: Azure
 category: Azure Hygiene
 description:
 query: |-
diff --git a/queries/Disabled Tier Zero High Value principals - AD.yml b/queries/Disabled Tier Zero High Value principals - AD.yml
index 693bc2b..3737895 100644
--- a/queries/Disabled Tier Zero High Value principals - AD.yml
+++ b/queries/Disabled Tier Zero High Value principals - AD.yml
@@ -1,7 +1,7 @@
 name: Disabled Tier Zero / High Value principals
 guid: d65a801f-d3ef-4b7e-8030-99ebfd6dad12
 prebuilt: true
-platform: Active Directory
+platforms: Active Directory
 category: Active Directory Hygiene
 description:
 query: |-
diff --git a/queries/Disabled Tier Zero High Value principals - AZ.yml b/queries/Disabled Tier Zero High Value principals - AZ.yml
index a0582ab..e5631aa 100644
--- a/queries/Disabled Tier Zero High Value principals - AZ.yml
+++ b/queries/Disabled Tier Zero High Value principals - AZ.yml
@@ -1,7 +1,7 @@
 name: Disabled Tier Zero / High Value principals
 guid: 860d5c2d-84fe-4c85-80de-e0a9badbd0e7
 prebuilt: true
-platform: Azure
+platforms: Azure
 category: Azure Hygiene
 description:
 query: |-
diff --git a/queries/Domain Admins logons to non-Domain Controllers.yml b/queries/Domain Admins logons to non-Domain Controllers.yml
index a590c9f..a32618d 100644
--- a/queries/Domain Admins logons to non-Domain Controllers.yml
+++ b/queries/Domain Admins logons to non-Domain Controllers.yml
@@ -1,7 +1,7 @@
 name: Domain Admins logons to non-Domain Controllers
 guid: e2f3fd0a-1df2-4089-b0a4-272ad6e369a9
 prebuilt: true
-platform: Active Directory
+platforms: Active Directory
 category: Dangerous Privileges
 description:
 query: |-
diff --git a/queries/Domain Controllers allowing NTLMv1 or LM authentication.yml b/queries/Domain Controllers allowing NTLMv1 or LM authentication.yml
index b007ef2..de21eaf 100644
--- a/queries/Domain Controllers allowing NTLMv1 or LM authentication.yml
+++ b/queries/Domain Controllers allowing NTLMv1 or LM authentication.yml
@@ -1,7 +1,7 @@
 name: Domain Controllers allowing NTLMv1 or LM authentication
 guid: 4b42513c-f89d-47ff-8d98-908af49d2b48
 prebuilt: false
-platform: Active Directory
+platforms: Active Directory
 category: NTLM Relay Attacks
 description:
 query: |-
diff --git a/queries/Domain controllers with UPN certificate mapping enabled.yml b/queries/Domain controllers with UPN certificate mapping enabled.yml
index 9afefc9..c90cca4 100644
--- a/queries/Domain controllers with UPN certificate mapping enabled.yml
+++ b/queries/Domain controllers with UPN certificate mapping enabled.yml
@@ -1,7 +1,7 @@
 name: Domain controllers with UPN certificate mapping enabled
 guid: 799ea3ce-572b-4594-98c4-041aa2ae6176
 prebuilt: true
-platform: Active Directory
+platforms: Active Directory
 category: Active Directory Certificate Services
 description:
 query: |-
diff --git a/queries/Domain controllers with weak certificate binding enabled.yml b/queries/Domain controllers with weak certificate binding enabled.yml
index 8991072..6c40331 100644
--- a/queries/Domain controllers with weak certificate binding enabled.yml
+++ b/queries/Domain controllers with weak certificate binding enabled.yml
@@ -1,7 +1,7 @@
 name: Domain controllers with weak certificate binding enabled
 guid: a2444d99-10b5-412d-8fea-4b063cfddd2c
 prebuilt: true
-platform: Active Directory
+platforms: Active Directory
 category: Active Directory Certificate Services
 description:
 query: |-
diff --git a/queries/Domain migration groups.yml b/queries/Domain migration groups.yml
index 16829ab..3350622 100644
--- a/queries/Domain migration groups.yml
+++ b/queries/Domain migration groups.yml
@@ -1,7 +1,7 @@
 name: Domain migration groups
 guid: f39c4953-ae92-4d67-bb50-eb1a161d4d3f
 prebuilt: false
-platform: Active Directory
+platforms: Active Directory
 category: Domain Information
 description:
 query: |-
diff --git a/queries/Domains affected by AdPrep privilege escalation risk.yml b/queries/Domains affected by AdPrep privilege escalation risk.yml
index 72d50b6..48a700e 100644
--- a/queries/Domains affected by AdPrep privilege escalation risk.yml
+++ b/queries/Domains affected by AdPrep privilege escalation risk.yml
@@ -1,7 +1,7 @@
 name: Domains affected by AdPrep privilege escalation risk
 guid: 815ff190-f6f3-4757-a516-2f4bf589b705
 prebuilt: false
-platform: Active Directory
+platforms: Active Directory
 category: Dangerous Privileges
 description:
 query: |-
diff --git a/queries/Domains affected by Exchange privilege escalation risk.yml b/queries/Domains affected by Exchange privilege escalation risk.yml
index bc39172..77e5bfe 100644
--- a/queries/Domains affected by Exchange privilege escalation risk.yml
+++ b/queries/Domains affected by Exchange privilege escalation risk.yml
@@ -1,7 +1,7 @@
 name: Domains affected by Exchange privilege escalation risk
 guid: f2d09c94-b6f2-4901-9a2d-f8bacd61edc7
 prebuilt: false
-platform: Active Directory
+platforms: Active Directory
 category: Dangerous Privileges
 description:
 query: |-
diff --git a/queries/Domains allowing authenticated domain enumeration.yml b/queries/Domains allowing authenticated domain enumeration.yml
index e3eda79..3514ff1 100644
--- a/queries/Domains allowing authenticated domain enumeration.yml
+++ b/queries/Domains allowing authenticated domain enumeration.yml
@@ -1,7 +1,7 @@
 name: Domains allowing authenticated domain enumeration
 guid: 1e1e6fdd-6973-4547-906c-a494b5fbdcba
 prebuilt: false
-platform: Active Directory
+platforms: Active Directory
 category: Active Directory Hygiene
 description:
 query: |-
diff --git a/queries/Domains allowing unauthenticated NSPI RPC binds.yml b/queries/Domains allowing unauthenticated NSPI RPC binds.yml
index a52da71..ed4fb63 100644
--- a/queries/Domains allowing unauthenticated NSPI RPC binds.yml
+++ b/queries/Domains allowing unauthenticated NSPI RPC binds.yml
@@ -1,7 +1,7 @@
 name: Domains allowing unauthenticated NSPI RPC binds
 guid: a950fdab-5934-4c69-a88b-e2e0e3da9d52
 prebuilt: false
-platform: Active Directory
+platforms: Active Directory
 category: Active Directory Hygiene
 description: Checks the fAllowAnonNSPI flag of dSHeuristics.
 query: |-
diff --git a/queries/Domains allowing unauthenticated domain enumeration.yml b/queries/Domains allowing unauthenticated domain enumeration.yml
index 7c971e7..dde5829 100644
--- a/queries/Domains allowing unauthenticated domain enumeration.yml
+++ b/queries/Domains allowing unauthenticated domain enumeration.yml
@@ -1,7 +1,7 @@
 name: Domains allowing unauthenticated domain enumeration
 guid: 41a08d76-f8a5-4296-ad19-464c4c5c69fe
 prebuilt: false
-platform: Active Directory
+platforms: Active Directory
 category: Active Directory Hygiene
 description:
 query: |-
diff --git a/queries/Domains allowing unauthenticated rootDSE searches and binds.yml b/queries/Domains allowing unauthenticated rootDSE searches and binds.yml
index 97210c0..b1cecf1 100644
--- a/queries/Domains allowing unauthenticated rootDSE searches and binds.yml
+++ b/queries/Domains allowing unauthenticated rootDSE searches and binds.yml
@@ -1,7 +1,7 @@
 name: Domains allowing unauthenticated rootDSE searches and binds
 guid: ebc79aa4-e816-4be8-93fe-a0b30dbc771d
 prebuilt: false
-platform: Active Directory
+platforms: Active Directory
 category: Active Directory Hygiene
 description: Checks the fLDAPBlockAnonOps flag of dSHeuristics.
 query: |-
diff --git a/queries/Domains exempting privileged groups from AdminSDHolder protections.yml b/queries/Domains exempting privileged groups from AdminSDHolder protections.yml
index a99ef25..2aaec66 100644
--- a/queries/Domains exempting privileged groups from AdminSDHolder protections.yml
+++ b/queries/Domains exempting privileged groups from AdminSDHolder protections.yml
@@ -1,7 +1,7 @@
 name: Domains exempting privileged groups from AdminSDHolder protections
 guid: 79f8d8f9-8291-4bf7-a13a-15989018075f
 prebuilt: false
-platform: Active Directory
+platforms: Active Directory
 category: Active Directory Hygiene
 description: Checks the dwAdminSDExMask flag of dSHeuristics.
 query: |-
diff --git a/queries/Domains not mitigating CVE-2021-42291.yml b/queries/Domains not mitigating CVE-2021-42291.yml
index bfab6c3..115b2bc 100644
--- a/queries/Domains not mitigating CVE-2021-42291.yml
+++ b/queries/Domains not mitigating CVE-2021-42291.yml
@@ -1,7 +1,7 @@
 name: Domains not mitigating CVE-2021-42291
 guid: 02202726-d86d-46c2-891c-9770c635f76f
 prebuilt: false
-platform: Active Directory
+platforms: Active Directory
 category: Active Directory Hygiene
 description: Checks the AttributeAuthorizationOnLDAPAdd flag of dSHeuristics.
 query: |-
diff --git a/queries/Domains not verifying UPN and SPN uniqueness.yml b/queries/Domains not verifying UPN and SPN uniqueness.yml
index bd76063..6bd7e09 100644
--- a/queries/Domains not verifying UPN and SPN uniqueness.yml
+++ b/queries/Domains not verifying UPN and SPN uniqueness.yml
@@ -1,7 +1,7 @@
 name: Domains not verifying UPN and SPN uniqueness
 guid: cb0b1591-5c3e-45f1-afb7-984e5ad865d0
 prebuilt: false
-platform: Active Directory
+platforms: Active Directory
 category: Active Directory Hygiene
 description: Checks the DoNotVerifyUPNAndOrSPNUniqueness flag of dSHeuristics.
 query: |-
diff --git a/queries/Domains where any user can join a computer to the domain.yml b/queries/Domains where any user can join a computer to the domain.yml
index 5b5feec..a428cfc 100644
--- a/queries/Domains where any user can join a computer to the domain.yml
+++ b/queries/Domains where any user can join a computer to the domain.yml
@@ -1,7 +1,7 @@
 name: Domains where any user can join a computer to the domain
 guid: 421921fa-bc0f-4659-9680-b7481adcb132
 prebuilt: true
-platform: Active Directory
+platforms: Active Directory
 category: Active Directory Hygiene
 description:
 query: |-
diff --git a/queries/Domains with List Object mode enabled.yml b/queries/Domains with List Object mode enabled.yml
index f1435a2..f8a4ed3 100644
--- a/queries/Domains with List Object mode enabled.yml
+++ b/queries/Domains with List Object mode enabled.yml
@@ -1,7 +1,7 @@
 name: Domains with List Object mode enabled
 guid: 05e2a94b-5ee6-47ec-b715-3982f30af01b
 prebuilt: false
-platform: Active Directory
+platforms: Active Directory
 category: Domain Information
 description: Checks the fDoListObject flag of dSHeuristics.
 query: |-
diff --git a/queries/Domains with a minimum default password policy length less than 15 characters.yml b/queries/Domains with a minimum default password policy length less than 15 characters.yml
index 3256332..ad902b0 100644
--- a/queries/Domains with a minimum default password policy length less than 15 characters.yml
+++ b/queries/Domains with a minimum default password policy length less than 15 characters.yml
@@ -1,7 +1,7 @@
 name: Domains with a minimum default password policy length less than 15 characters
 guid: 7d258d2d-a43d-4a90-85d7-71c946ae5fd7
 prebuilt: false
-platform: Active Directory
+platforms: Active Directory
 category: Active Directory Hygiene
 description:
 query: |-
diff --git a/queries/Domains with a single-point-of-failure Domain Controller.yml b/queries/Domains with a single-point-of-failure Domain Controller.yml
index e40697e..bb89764 100644
--- a/queries/Domains with a single-point-of-failure Domain Controller.yml
+++ b/queries/Domains with a single-point-of-failure Domain Controller.yml
@@ -1,7 +1,7 @@
 name: Domains with a single-point-of-failure Domain Controller
 guid: 3359a295-7cfd-491f-976b-c5a68647431c
 prebuilt: false
-platform: Active Directory
+platforms: Active Directory
 category: Active Directory Hygiene
 description:
 query: |-
diff --git a/queries/Domains with functional level not the latest version.yml b/queries/Domains with functional level not the latest version.yml
index 0829167..0ee7926 100644
--- a/queries/Domains with functional level not the latest version.yml
+++ b/queries/Domains with functional level not the latest version.yml
@@ -1,7 +1,7 @@
 name: Domains with functional level not the latest version
 guid: 3da9d14a-f1cb-4df7-b3da-8d73ff5c401b
 prebuilt: false
-platform: Active Directory
+platforms: Active Directory
 category: Active Directory Hygiene
 description:
 query: |-
diff --git a/queries/Domains with more than 50 Tier Zero accounts.yml b/queries/Domains with more than 50 Tier Zero accounts.yml
index 47caf20..034d7b5 100644
--- a/queries/Domains with more than 50 Tier Zero accounts.yml
+++ b/queries/Domains with more than 50 Tier Zero accounts.yml
@@ -1,7 +1,7 @@
 name: Domains with more than 50 Tier Zero accounts
 guid: f046e95a-5f84-4e83-bcda-6e83f3d8e21a
 prebuilt: false
-platform: Active Directory
+platforms: Active Directory
 category: Active Directory Hygiene
 description:
 query: |-
diff --git a/queries/Domains with smart card accounts where smart account passwords do not expire.yml b/queries/Domains with smart card accounts where smart account passwords do not expire.yml
index 26fe8fc..ef732df 100644
--- a/queries/Domains with smart card accounts where smart account passwords do not expire.yml
+++ b/queries/Domains with smart card accounts where smart account passwords do not expire.yml
@@ -1,7 +1,7 @@
 name: Domains with smart card accounts where smart account passwords do not expire
 guid: 97e05e67-5961-4aba-a8e7-fe5f92334035
 prebuilt: true
-platform: Active Directory
+platforms: Active Directory
 category: Active Directory Hygiene
 description:
 query: |-
diff --git a/queries/Domains without Microsoft LAPS computers.yml b/queries/Domains without Microsoft LAPS computers.yml
index 2f15ddb..5a1a27d 100644
--- a/queries/Domains without Microsoft LAPS computers.yml
+++ b/queries/Domains without Microsoft LAPS computers.yml
@@ -1,7 +1,7 @@
 name: Domains without Microsoft LAPS computers
 guid: f9b440b5-732c-4ed3-b6d2-83857db17e1a
 prebuilt: false
-platform: Active Directory
+platforms: Active Directory
 category: Domain Information
 description:
 query: |-
diff --git a/queries/Domains without Protected Users group.yml b/queries/Domains without Protected Users group.yml
index 0d3ba54..5efd3be 100644
--- a/queries/Domains without Protected Users group.yml
+++ b/queries/Domains without Protected Users group.yml
@@ -1,7 +1,7 @@
 name: Domains without Protected Users group
 guid: 8c3e0811-a31b-45b4-a29d-1dce80fa2c5f
 prebuilt: false
-platform: Active Directory
+platforms: Active Directory
 category: Domain Information
 description:
 query: |-
diff --git a/queries/Domains without automatic password rotation on smart card accounts.yml b/queries/Domains without automatic password rotation on smart card accounts.yml
deleted file mode 100644
index e8f6863..0000000
--- a/queries/Domains without automatic password rotation on smart card accounts.yml
+++ /dev/null
@@ -1,17 +0,0 @@
-name: Domains with smart card accounts where smart account passwords do not expire
-guid: 97e05e67-5961-4aba-a8e7-fe5f92334035
-prebuilt: false
-platform: Active Directory
-category: Active Directory Hygiene
-description:
-query: |-
- MATCH (s:Domain)-[:Contains*1..]->(t:Base)
- WHERE s.expirepasswordsonsmartcardonlyaccounts = false
- AND t.enabled = true
- AND t.smartcardrequired = true
- RETURN s
-note:
-revision: 1
-resources:
-acknowledgements: Martin Sohn Christensen, @martinsohndk
-
diff --git a/queries/ESC8-vulnerable Enterprise CAs.yml b/queries/ESC8-vulnerable Enterprise CAs.yml
index 6f28d01..255008c 100644
--- a/queries/ESC8-vulnerable Enterprise CAs.yml
+++ b/queries/ESC8-vulnerable Enterprise CAs.yml
@@ -1,7 +1,7 @@
 name: ESC8-vulnerable Enterprise CAs
 guid: 60881923-296c-4702-adf7-a4f059dc9bb8
 prebuilt: true
-platform: Active Directory
+platforms: Active Directory
 category: NTLM Relay Attacks
 description:
 query: |-
diff --git a/queries/Enabled Tier Zero High Value principals inactive for 60 days.yml b/queries/Enabled Tier Zero High Value principals inactive for 60 days.yml
index 6cc410d..87d971e 100644
--- a/queries/Enabled Tier Zero High Value principals inactive for 60 days.yml
+++ b/queries/Enabled Tier Zero High Value principals inactive for 60 days.yml
@@ -1,7 +1,7 @@
 name: Enabled Tier Zero / High Value principals inactive for 60 days
 guid: 72550bcb-3c4f-463d-8973-91a49163dc5a
 prebuilt: true
-platform: Active Directory
+platforms: Active Directory
 category: Active Directory Hygiene
 description:
 query: |-
diff --git a/queries/Enabled built-in guest user accounts.yml b/queries/Enabled built-in guest user accounts.yml
index 795a0ed..8c4b5e0 100644
--- a/queries/Enabled built-in guest user accounts.yml
+++ b/queries/Enabled built-in guest user accounts.yml
@@ -1,7 +1,7 @@
 name: Enabled built-in guest user accounts
 guid: bb0f620d-6a55-4413-ac74-4c82905e8598
 prebuilt: false
-platform: Active Directory
+platforms: Active Directory
 category: Active Directory Hygiene
 description:
 query: |-
diff --git a/queries/Enabled computers inactive for 180 days - MSSQL Failover Cluster.yml b/queries/Enabled computers inactive for 180 days - MSSQL Failover Cluster.yml
index 1001a07..a683a6c 100644
--- a/queries/Enabled computers inactive for 180 days - MSSQL Failover Cluster.yml
+++ b/queries/Enabled computers inactive for 180 days - MSSQL Failover Cluster.yml
@@ -1,7 +1,7 @@
 name: Enabled computers inactive for 180 days - MSSQL Failover Cluster
 guid: d263e621-7f1b-4efb-ad25-098fc7d4fb72
 prebuilt: false
-platform: Active Directory
+platforms: Active Directory
 category: Active Directory Hygiene
 description:
 query: |-
diff --git a/queries/Enabled computers inactive for 180 days.yml b/queries/Enabled computers inactive for 180 days.yml
index fd6bc42..e19cd5e 100644
--- a/queries/Enabled computers inactive for 180 days.yml
+++ b/queries/Enabled computers inactive for 180 days.yml
@@ -1,7 +1,7 @@
 name: Enabled computers inactive for 180 days
 guid: 0768e810-1e1e-4319-a216-76d9c2058644
 prebuilt: false
-platform: Active Directory
+platforms: Active Directory
 category: Active Directory Hygiene
 description:
 query: |-
diff --git a/queries/Enabled users inactive for 180 days.yml b/queries/Enabled users inactive for 180 days.yml
index dca249d..208c5c3 100644
--- a/queries/Enabled users inactive for 180 days.yml
+++ b/queries/Enabled users inactive for 180 days.yml
@@ -1,7 +1,7 @@
 name: Enabled users inactive for 180 days
 guid: 71972f3c-b32d-4023-a841-5cc8cc1c1867
 prebuilt: false
-platform: Active Directory
+platforms: Active Directory
 category: Active Directory Hygiene
 description:
 query: |-
diff --git a/queries/Enrollment rights on CertTemplates with OIDGroupLink.yml b/queries/Enrollment rights on CertTemplates with OIDGroupLink.yml
index 408e774..a3af453 100644
--- a/queries/Enrollment rights on CertTemplates with OIDGroupLink.yml
+++ b/queries/Enrollment rights on CertTemplates with OIDGroupLink.yml
@@ -1,7 +1,7 @@
 name: Enrollment rights on CertTemplates with OIDGroupLink
 guid: 140a68eb-d21c-4b75-971f-309225fb2d75
 prebuilt: true
-platform: Active Directory
+platforms: Active Directory
 category: Active Directory Certificate Services
 description:
 query: |-
diff --git a/queries/Enrollment rights on certificate templates published to Enterprise CA with User Specified SAN enabled.yml b/queries/Enrollment rights on certificate templates published to Enterprise CA with User Specified SAN enabled.yml
index c214ae8..d80a5bb 100644
--- a/queries/Enrollment rights on certificate templates published to Enterprise CA with User Specified SAN enabled.yml
+++ b/queries/Enrollment rights on certificate templates published to Enterprise CA with User Specified SAN enabled.yml
@@ -1,7 +1,7 @@
 name: Enrollment rights on certificate templates published to Enterprise CA with User Specified SAN enabled
 guid: 96e70597-2d74-4503-a624-f1e30b642894
 prebuilt: true
-platform: Active Directory
+platforms: Active Directory
 category: Active Directory Certificate Services
 description:
 query: |-
diff --git a/queries/Enrollment rights on published ESC1 certificate templates.yml b/queries/Enrollment rights on published ESC1 certificate templates.yml
index 62839fe..7e02c1b 100644
--- a/queries/Enrollment rights on published ESC1 certificate templates.yml
+++ b/queries/Enrollment rights on published ESC1 certificate templates.yml
@@ -1,7 +1,7 @@
 name: Enrollment rights on published ESC1 certificate templates
 guid: 2af855bc-f48f-4b22-9839-627d8231e425
 prebuilt: true
-platform: Active Directory
+platforms: Active Directory
 category: Active Directory Certificate Services
 description:
 query: |-
diff --git a/queries/Enrollment rights on published ESC2 certificate templates.yml b/queries/Enrollment rights on published ESC2 certificate templates.yml
index a6ea12b..1369cc6 100644
--- a/queries/Enrollment rights on published ESC2 certificate templates.yml
+++ b/queries/Enrollment rights on published ESC2 certificate templates.yml
@@ -1,7 +1,7 @@
 name: Enrollment rights on published ESC2 certificate templates
 guid: ebc77984-1ceb-4ed2-a395-ce1067847941
 prebuilt: true
-platform: Active Directory
+platforms: Active Directory
 category: Active Directory Certificate Services
 description:
 query: |-
diff --git a/queries/Enrollment rights on published certificate templates with no security extension.yml b/queries/Enrollment rights on published certificate templates with no security extension.yml
index f781a6c..4c48f2f 100644
--- a/queries/Enrollment rights on published certificate templates with no security extension.yml
+++ b/queries/Enrollment rights on published certificate templates with no security extension.yml
@@ -1,7 +1,7 @@
 name: Enrollment rights on published certificate templates with no security extension
 guid: 0677b70c-4e04-4e89-a6a2-f5764604a6a7
 prebuilt: true
-platform: Active Directory
+platforms: Active Directory
 category: Active Directory Certificate Services
 description:
 query: |-
diff --git a/queries/Enrollment rights on published certificate templates.yml b/queries/Enrollment rights on published certificate templates.yml
index e95e17c..a2b0a0f 100644
--- a/queries/Enrollment rights on published certificate templates.yml
+++ b/queries/Enrollment rights on published certificate templates.yml
@@ -1,7 +1,7 @@
 name: Enrollment rights on published certificate templates
 guid: a4ae2e54-aad3-4bfd-a12d-90cb8a9cbc86
 prebuilt: true
-platform: Active Directory
+platforms: Active Directory
 category: Active Directory Certificate Services
 description:
 query: |-
diff --git a/queries/Enrollment rights on published enrollment agent certificate templates.yml b/queries/Enrollment rights on published enrollment agent certificate templates.yml
index e872839..7993f52 100644
--- a/queries/Enrollment rights on published enrollment agent certificate templates.yml
+++ b/queries/Enrollment rights on published enrollment agent certificate templates.yml
@@ -1,7 +1,7 @@
 name: Enrollment rights on published enrollment agent certificate templates
 guid: 8483bf5b-89f1-4723-abb2-c48295f6393e
 prebuilt: true
-platform: Active Directory
+platforms: Active Directory
 category: Active Directory Certificate Services
 description:
 query: |-
diff --git a/queries/Entra ID SSO accounts not rolling Kerberos decryption key.yml b/queries/Entra ID SSO accounts not rolling Kerberos decryption key.yml
index dfd6158..c05330d 100644
--- a/queries/Entra ID SSO accounts not rolling Kerberos decryption key.yml
+++ b/queries/Entra ID SSO accounts not rolling Kerberos decryption key.yml
@@ -1,7 +1,7 @@
 name: Entra ID SSO accounts not rolling Kerberos decryption key
 guid: 1867abf8-08e3-4ea8-8f65-8366079d35c4
 prebuilt: false
-platform:
+platforms:
 - Active Directory
 - Azure
 category: Configuration Weakness
diff --git a/queries/Entra Users synced from On-Prem Users added to Domain Admins group.yml b/queries/Entra Users synced from On-Prem Users added to Domain Admins group.yml
index 0257d15..cec5335 100644
--- a/queries/Entra Users synced from On-Prem Users added to Domain Admins group.yml
+++ b/queries/Entra Users synced from On-Prem Users added to Domain Admins group.yml
@@ -1,7 +1,7 @@
 name: Entra Users synced from On-Prem Users added to Domain Admins group
 guid: 62722d5f-bd93-4d11-beeb-9be261827e4e
 prebuilt: true
-platform:
+platforms:
 - Active Directory
 - Azure
 category: Cross Platform Attack Paths
diff --git a/queries/Foreign principals in Tier Zero High Value targets.yml b/queries/Foreign principals in Tier Zero High Value targets.yml
index 8bddf70..b0ab19e 100644
--- a/queries/Foreign principals in Tier Zero High Value targets.yml
+++ b/queries/Foreign principals in Tier Zero High Value targets.yml
@@ -1,7 +1,7 @@
 name: Foreign principals in Tier Zero / High Value targets
 guid: 95bec736-86ef-4017-8465-9b9b66548b17
 prebuilt: true
-platform: Azure
+platforms: Azure
 category: Azure Hygiene
 description:
 query: |-
diff --git a/queries/KRBTGT accounts with passwords not rotated in over 1 year.yml b/queries/KRBTGT accounts with passwords not rotated in over 1 year.yml
index 3e1b19e..9d65401 100644
--- a/queries/KRBTGT accounts with passwords not rotated in over 1 year.yml
+++ b/queries/KRBTGT accounts with passwords not rotated in over 1 year.yml
@@ -1,7 +1,7 @@
 name: KRBTGT accounts with passwords not rotated in over 1 year
 guid: 1b3ae310-ffa7-4ce5-a37f-6111aef600c8
 prebuilt: false
-platform: Active Directory
+platforms: Active Directory
 category: Active Directory Hygiene
 description:
 query: |-
diff --git a/queries/Kerberoastable members of Tier Zero High Value groups.yml b/queries/Kerberoastable members of Tier Zero High Value groups.yml
index cee48d6..1452de6 100644
--- a/queries/Kerberoastable members of Tier Zero High Value groups.yml
+++ b/queries/Kerberoastable members of Tier Zero High Value groups.yml
@@ -1,7 +1,7 @@
 name: Kerberoastable members of Tier Zero / High Value groups
 guid: e6da7800-ae06-41cb-80a6-d5421ab2143a
 prebuilt: true
-platform: Active Directory
+platforms: Active Directory
 category: Kerberos Interaction
 description:
 query: |-
diff --git a/queries/Kerberoastable users with most admin privileges.yml b/queries/Kerberoastable users with most admin privileges.yml
index a9bc680..20c6569 100644
--- a/queries/Kerberoastable users with most admin privileges.yml
+++ b/queries/Kerberoastable users with most admin privileges.yml
@@ -1,7 +1,7 @@
 name: Kerberoastable users with most admin privileges
 guid: 9907b208-494c-4ba6-846d-485e6de14e17
 prebuilt: true
-platform: Active Directory
+platforms: Active Directory
 category: Kerberos Interaction
 description:
 query: |-
diff --git a/queries/Kerberos-enabled service account member of built-in Admins groups.yml b/queries/Kerberos-enabled service account member of built-in Admins groups.yml
index 35f2e6d..b491fef 100644
--- a/queries/Kerberos-enabled service account member of built-in Admins groups.yml
+++ b/queries/Kerberos-enabled service account member of built-in Admins groups.yml
@@ -1,7 +1,7 @@
 name: Kerberos-enabled service account member of built-in Admins groups
 guid: 42a856fc-257a-4142-9592-ca95fd49e579
 prebuilt: false
-platform: Active Directory
+platforms: Active Directory
 category: Active Directory Hygiene
 description:
 query: |-
diff --git a/queries/Kerberos-enabled service accounts without AES encryption support.yml b/queries/Kerberos-enabled service accounts without AES encryption support.yml
index fdbbe2d..98b1e28 100644
--- a/queries/Kerberos-enabled service accounts without AES encryption support.yml
+++ b/queries/Kerberos-enabled service accounts without AES encryption support.yml
@@ -1,7 +1,7 @@
 name: Kerberos-enabled service accounts without AES encryption support
 guid: cb8cf96e-21c9-422b-9439-390a13446ca6
 prebuilt: false
-platform: Active Directory
+platforms: Active Directory
 category: Active Directory Hygiene
 description:
 query: |-
diff --git a/queries/Large default group added to computer-local group.yml b/queries/Large default group added to computer-local group.yml
index ad8efec..94ef483 100644
--- a/queries/Large default group added to computer-local group.yml
+++ b/queries/Large default group added to computer-local group.yml
@@ -1,7 +1,7 @@
 name: Large default group added to computer-local group
 guid: dde133d2-b4d2-4de9-a656-905f3bf066f3
 prebuilt: false
-platform: Active Directory
+platforms: Active Directory
 category: Dangerous Privileges
 description:
 query: |-
diff --git a/queries/Large default groups with outbound control of OUs.yml b/queries/Large default groups with outbound control of OUs.yml
index 4dfe3f1..5d9686a 100644
--- a/queries/Large default groups with outbound control of OUs.yml
+++ b/queries/Large default groups with outbound control of OUs.yml
@@ -1,7 +1,7 @@
 name: Large default groups with outbound control of OUs
 guid: 310b3626-f8e6-4ab0-832c-72df6048597f
 prebuilt: false
-platform: Active Directory
+platforms: Active Directory
 category: Dangerous Privileges
 description:
 query: |-
diff --git a/queries/Large default groups with outbound control.yml b/queries/Large default groups with outbound control.yml
index 93812ed..99e2fc6 100644
--- a/queries/Large default groups with outbound control.yml
+++ b/queries/Large default groups with outbound control.yml
@@ -1,7 +1,7 @@
 name: Large default groups with outbound control
 guid: a334f21a-3d7f-448e-b7ea-1465a3127bce
 prebuilt: false
-platform: Active Directory
+platforms: Active Directory
 category: Dangerous Privileges
 description:
 query: |-
diff --git a/queries/Locations of Tier Zero High Value objects.yml b/queries/Locations of Tier Zero High Value objects.yml
index 81bf199..891a379 100644
--- a/queries/Locations of Tier Zero High Value objects.yml
+++ b/queries/Locations of Tier Zero High Value objects.yml
@@ -1,7 +1,7 @@
 name: Locations of Tier Zero / High Value objects
 guid: 18a83a17-b451-4343-acfe-7620516e2968
 prebuilt: true
-platform: Active Directory
+platforms: Active Directory
 category: Domain Information
 description:
 query: |-
diff --git a/queries/Map Azure Management structure.yml b/queries/Map Azure Management structure.yml
index c101a5f..7f92dab 100644
--- a/queries/Map Azure Management structure.yml
+++ b/queries/Map Azure Management structure.yml
@@ -1,7 +1,7 @@
 name: Map Azure Management structure
 guid: c1bb109e-e6a4-4c91-864f-f78e1e42615e
 prebuilt: false
-platform: Azure
+platforms: Azure
 category: Kerberos Interaction
 description: Maps the structure of Azure Management
 query: |-
diff --git a/queries/Map OU structure.yml b/queries/Map OU structure.yml
index 2b1b5ea..1b224da 100644
--- a/queries/Map OU structure.yml
+++ b/queries/Map OU structure.yml
@@ -1,7 +1,7 @@
 name: Map OU structure
 guid: 8f14084b-5065-43d8-865a-a6ac52da25d1
 prebuilt: true
-platform: Active Directory
+platforms: Active Directory
 category: Domain Information
 description:
 query: |-
diff --git a/queries/Map domain trusts.yml b/queries/Map domain trusts.yml
index 2046ed0..88f3c36 100644
--- a/queries/Map domain trusts.yml
+++ b/queries/Map domain trusts.yml
@@ -1,7 +1,7 @@
 name: Map domain trusts
 guid: 268d3d26-5bc2-4820-a6ed-09d20f3d5413
 prebuilt: true
-platform: Active Directory
+platforms: Active Directory
 category: Domain Information
 description:
 query: |-
diff --git a/queries/Members of Allowed RODC Password Replication Group.yml b/queries/Members of Allowed RODC Password Replication Group.yml
index 71e7aad..513c6e0 100644
--- a/queries/Members of Allowed RODC Password Replication Group.yml
+++ b/queries/Members of Allowed RODC Password Replication Group.yml
@@ -1,7 +1,7 @@
 name: Members of Allowed RODC Password Replication Group
 guid: 19fc5acd-e30a-4038-a5b5-2e0494f93373
 prebuilt: false
-platform: Active Directory
+platforms: Active Directory
 category: Domain Information
 description:
 query: |-
diff --git a/queries/Nested groups within Tier Zero High Value.yml b/queries/Nested groups within Tier Zero High Value.yml
index 155baa4..b9714f1 100644
--- a/queries/Nested groups within Tier Zero High Value.yml
+++ b/queries/Nested groups within Tier Zero High Value.yml
@@ -1,7 +1,7 @@
 name: Nested groups within Tier Zero / High Value
 guid: 8e541e75-df1d-423f-b429-4bbf0403a338
 prebuilt: true
-platform: Active Directory
+platforms: Active Directory
 category: Active Directory Hygiene
 description:
 query: |-
diff --git a/queries/Non-Tier Zero account with 'Admin Count' flag.yml b/queries/Non-Tier Zero account with 'Admin Count' flag.yml
index b7fcdf4..c11078b 100644
--- a/queries/Non-Tier Zero account with 'Admin Count' flag.yml
+++ b/queries/Non-Tier Zero account with 'Admin Count' flag.yml
@@ -1,7 +1,7 @@
 name: Non-Tier Zero account with 'Admin Count' flag
 guid: e7f703b3-5dba-4aef-8346-4d589be2c828
 prebuilt: false
-platform: Active Directory
+platforms: Active Directory
 category: Active Directory Hygiene
 description: Users who were a member of one of AD's built-in administrative groups but are not currently Tier Zero.
 query: |-
diff --git a/queries/Non-Tier Zero account with excessive control.yml b/queries/Non-Tier Zero account with excessive control.yml
index fcc2725..ebec5a0 100644
--- a/queries/Non-Tier Zero account with excessive control.yml
+++ b/queries/Non-Tier Zero account with excessive control.yml
@@ -1,7 +1,7 @@
 name: Non-Tier Zero account with excessive control
 guid: 944cecfe-519b-4318-b226-e8520161b454
 prebuilt: false
-platform: Active Directory
+platforms: Active Directory
 category: Dangerous Privileges
 description:
 query: |-
diff --git a/queries/Non-Tier Zero account with unconstrained delegation.yml b/queries/Non-Tier Zero account with unconstrained delegation.yml
index b543012..67cee47 100644
--- a/queries/Non-Tier Zero account with unconstrained delegation.yml
+++ b/queries/Non-Tier Zero account with unconstrained delegation.yml
@@ -1,7 +1,7 @@
 name: Non-Tier Zero account with unconstrained delegation
 guid: e7e9a927-3f34-42c7-b921-d8bcf626011e
 prebuilt: false
-platform: Active Directory
+platforms: Active Directory
 category: Dangerous Privileges
 description:
 query: |-
diff --git a/queries/Non-Tier Zero accounts with SID History of Tier Zero accounts.yml b/queries/Non-Tier Zero accounts with SID History of Tier Zero accounts.yml
index 53e8ea9..12195c0 100644
--- a/queries/Non-Tier Zero accounts with SID History of Tier Zero accounts.yml
+++ b/queries/Non-Tier Zero accounts with SID History of Tier Zero accounts.yml
@@ -1,7 +1,7 @@
 name: Non-Tier Zero accounts with SID History of Tier Zero accounts
 guid: 59744dfe-9411-4daf-b342-1203dc62acd4
 prebuilt: false
-platform: Active Directory
+platforms: Active Directory
 category: Dangerous Privileges
 description:
 query: |-
diff --git a/queries/Non-Tier Zero principals with BadSuccessor rights (no prerequisites check).yml b/queries/Non-Tier Zero principals with BadSuccessor rights (no prerequisites check).yml
index 0c532d7..4f18803 100644
--- a/queries/Non-Tier Zero principals with BadSuccessor rights (no prerequisites check).yml
+++ b/queries/Non-Tier Zero principals with BadSuccessor rights (no prerequisites check).yml
@@ -1,7 +1,7 @@
 name: Non-Tier Zero principals with BadSuccessor rights (no prerequisites check)
 guid: 2b9fb71e-73ad-4061-a2df-40c7132b044d
 prebuilt: false
-platform: Active Directory
+platforms: Active Directory
 category: Dangerous Privileges
 description: Finds non-Tier Zero principals with BadSuccessor rights with no prerequisites check (DC2025 & KDC key).
 query: |-
diff --git a/queries/Non-Tier Zero principals with BadSuccessor rights (with prerequisites check).yml b/queries/Non-Tier Zero principals with BadSuccessor rights (with prerequisites check).yml
index e6d518b..c298fde 100644
--- a/queries/Non-Tier Zero principals with BadSuccessor rights (with prerequisites check).yml
+++ b/queries/Non-Tier Zero principals with BadSuccessor rights (with prerequisites check).yml
@@ -1,7 +1,7 @@
 name: Non-Tier Zero principals with BadSuccessor rights (with prerequisites check)
 guid: 74daaebe-6040-4f7a-9c9a-416faf73dcc3
 prebuilt: false
-platform: Active Directory
+platforms: Active Directory
 category: Dangerous Privileges
 description: Finds non-Tier Zero principals with BadSuccessor rights after checking prerequisites check (DC2025 & KDC key).
 query: |-
diff --git a/queries/Non-Tier Zero principals with control of AdminSDHolder.yml b/queries/Non-Tier Zero principals with control of AdminSDHolder.yml
index a47b7e5..0ab25ca 100644
--- a/queries/Non-Tier Zero principals with control of AdminSDHolder.yml
+++ b/queries/Non-Tier Zero principals with control of AdminSDHolder.yml
@@ -1,7 +1,7 @@
 name: Non-Tier Zero principals with control of AdminSDHolder
 guid: 4c1e0137-5b7f-48d8-bd09-9db7674bca61
 prebuilt: false
-platform: Active Directory
+platforms: Active Directory
 category: Dangerous Privileges
 description:
 query: |-
diff --git a/queries/Non-default delegation on MicrosoftDNS container.yml b/queries/Non-default delegation on MicrosoftDNS container.yml
index f21e4d3..91c6134 100644
--- a/queries/Non-default delegation on MicrosoftDNS container.yml
+++ b/queries/Non-default delegation on MicrosoftDNS container.yml
@@ -1,7 +1,7 @@
 name: Non-default delegation on MicrosoftDNS container
 guid: 008792c0-4458-46a1-a10d-50cdaf95af1e
 prebuilt: false
-platform: Active Directory
+platforms: Active Directory
 category: Active Directory Hygiene
 description:
 query: |-
diff --git a/queries/Non-default members in Pre-Windows 2000 Compatible Access.yml b/queries/Non-default members in Pre-Windows 2000 Compatible Access.yml
index 757620c..eb1f482 100644
--- a/queries/Non-default members in Pre-Windows 2000 Compatible Access.yml
+++ b/queries/Non-default members in Pre-Windows 2000 Compatible Access.yml
@@ -1,7 +1,7 @@
 name: Non-default members in Pre-Windows 2000 Compatible Access
 guid: 091995b9-7254-473a-996f-6b8368d20431
 prebuilt: false
-platform: Active Directory
+platforms: Active Directory
 category: Active Directory Hygiene
 description:
 query: |-
diff --git a/queries/Non-default permissions on IssuancePolicy nodes.yml b/queries/Non-default permissions on IssuancePolicy nodes.yml
index 5000a04..02dec05 100644
--- a/queries/Non-default permissions on IssuancePolicy nodes.yml
+++ b/queries/Non-default permissions on IssuancePolicy nodes.yml
@@ -1,7 +1,7 @@
 name: Non-default permissions on IssuancePolicy nodes
 guid: b2280665-c91b-448c-8c0f-97d1f38b6f59
 prebuilt: true
-platform: Active Directory
+platforms: Active Directory
 category: Active Directory Certificate Services
 description:
 query: |-
diff --git a/queries/Object name conflict.yml b/queries/Object name conflict.yml
index 12a117f..7b1733a 100644
--- a/queries/Object name conflict.yml
+++ b/queries/Object name conflict.yml
@@ -1,7 +1,7 @@
 name: Object name conflict
 guid: c561c4f8-ea45-453f-85a2-3fc2e20e7f8c
 prebuilt: false
-platform: Active Directory
+platforms: Active Directory
 category: Active Directory Hygiene
 description: When two objects are created with the same Relative Distinguished Name (RDN) in the same parent Organizational Unit or container, the conflict is recognized by the system when one of the new objects replicates to another domain controller. When this happens, one of the objects is renamed with 'CNF'
 query: |-
diff --git a/queries/On-Prem Users synced to Entra Users that Own Entra Objects.yml b/queries/On-Prem Users synced to Entra Users that Own Entra Objects.yml
index 095e292..f9419e2 100644
--- a/queries/On-Prem Users synced to Entra Users that Own Entra Objects.yml
+++ b/queries/On-Prem Users synced to Entra Users that Own Entra Objects.yml
@@ -1,7 +1,7 @@
 name: On-Prem Users synced to Entra Users that Own Entra Objects
 guid: 4baf1026-e64c-4e31-afeb-2090b8090130
 prebuilt: true
-platform:
+platforms:
 - Active Directory
 - Azure
 category: Cross Platform Attack Paths
diff --git a/queries/On-Prem Users synced to Entra Users with Azure RM Roles (direct).yml b/queries/On-Prem Users synced to Entra Users with Azure RM Roles (direct).yml
index e254257..e2791f0 100644
--- a/queries/On-Prem Users synced to Entra Users with Azure RM Roles (direct).yml
+++ b/queries/On-Prem Users synced to Entra Users with Azure RM Roles (direct).yml
@@ -1,7 +1,7 @@
 name: On-Prem Users synced to Entra Users with Azure RM Roles (direct)
 guid: 8569113b-e42e-49b0-a968-53bcf0ccd970
 prebuilt: true
-platform:
+platforms:
 - Active Directory
 - Azure
 category: Cross Platform Attack Paths
diff --git a/queries/On-Prem Users synced to Entra Users with Azure RM Roles (group delegated).yml b/queries/On-Prem Users synced to Entra Users with Azure RM Roles (group delegated).yml
index f400a7b..28060c5 100644
--- a/queries/On-Prem Users synced to Entra Users with Azure RM Roles (group delegated).yml
+++ b/queries/On-Prem Users synced to Entra Users with Azure RM Roles (group delegated).yml
@@ -1,7 +1,7 @@
 name: On-Prem Users synced to Entra Users with Azure RM Roles (group delegated)
 guid: e4f2eada-8a89-4ba9-89eb-abbee4efbc7a
 prebuilt: true
-platform:
+platforms:
 - Active Directory
 - Azure
 category: Cross Platform Attack Paths
diff --git a/queries/On-Prem Users synced to Entra Users with Entra Admin Roles (direct).yml b/queries/On-Prem Users synced to Entra Users with Entra Admin Roles (direct).yml
index c26aaf3..54614d8 100644
--- a/queries/On-Prem Users synced to Entra Users with Entra Admin Roles (direct).yml
+++ b/queries/On-Prem Users synced to Entra Users with Entra Admin Roles (direct).yml
@@ -1,7 +1,7 @@
 name: On-Prem Users synced to Entra Users with Entra Admin Roles (direct)
 guid: de717635-d31f-4fbd-930b-b4dac0f22118
 prebuilt: true
-platform:
+platforms:
 - Active Directory
 - Azure
 category: Cross Platform Attack Paths
diff --git a/queries/On-Prem Users synced to Entra Users with Entra Admin Roles (group delegated).yml b/queries/On-Prem Users synced to Entra Users with Entra Admin Roles (group delegated).yml
index ff9310a..c636026 100644
--- a/queries/On-Prem Users synced to Entra Users with Entra Admin Roles (group delegated).yml
+++ b/queries/On-Prem Users synced to Entra Users with Entra Admin Roles (group delegated).yml
@@ -1,7 +1,7 @@
 name: On-Prem Users synced to Entra Users with Entra Admin Roles (group delegated)
 guid: 609d648f-7fb8-42d3-ad99-626f9ce1f121
 prebuilt: true
-platform:
+platforms:
 - Active Directory
 - Azure
 category: Cross Platform Attack Paths
diff --git a/queries/On-Prem Users synced to Entra Users with Entra Group Membership.yml b/queries/On-Prem Users synced to Entra Users with Entra Group Membership.yml
index 2c7255d..c1d6da8 100644
--- a/queries/On-Prem Users synced to Entra Users with Entra Group Membership.yml
+++ b/queries/On-Prem Users synced to Entra Users with Entra Group Membership.yml
@@ -1,7 +1,7 @@
 name: On-Prem Users synced to Entra Users with Entra Group Membership
 guid: edb575df-2048-4ef0-a0e4-168544a496e9
 prebuilt: true
-platform:
+platforms:
 - Active Directory
 - Azure
 category: Cross Platform Attack Paths
diff --git a/queries/PKI hierarchy.yml b/queries/PKI hierarchy.yml
index d096694..0b6c22f 100644
--- a/queries/PKI hierarchy.yml
+++ b/queries/PKI hierarchy.yml
@@ -1,7 +1,7 @@
 name: PKI hierarchy
 guid: 928acc23-ee4c-40a5-bde7-64c05cc1491d
 prebuilt: true
-platform: Active Directory
+platforms: Active Directory
 category: Active Directory Certificate Services
 description:
 query: |-
diff --git a/queries/Paths from Domain Users to Tier Zero High Value targets.yml b/queries/Paths from Domain Users to Tier Zero High Value targets.yml
index 3f31944..175da53 100644
--- a/queries/Paths from Domain Users to Tier Zero High Value targets.yml
+++ b/queries/Paths from Domain Users to Tier Zero High Value targets.yml
@@ -1,7 +1,7 @@
 name: Paths from Domain Users to Tier Zero / High Value targets
 guid: 977bec40-565c-40b8-90c8-e3e122c291cd
 prebuilt: true
-platform: Active Directory
+platforms: Active Directory
 category: Dangerous Privileges
 description:
 query: |-
diff --git a/queries/Principal with SPN keyword.yml b/queries/Principal with SPN keyword.yml
index f7fdfbc..0ab8091 100644
--- a/queries/Principal with SPN keyword.yml
+++ b/queries/Principal with SPN keyword.yml
@@ -1,7 +1,7 @@
 name: Principal with SPN keyword
 guid: 38a9c4c9-3d70-453f-a017-cbfd35ed9917
 prebuilt: false
-platform: Active Directory
+platforms: Active Directory
 category: Kerberos Interaction
 description: Finds service accounts used with a specific Kerberos-enabled service or all service accounts running on a Kerberos-enabled service on a specific server.
 query: |-
@@ -13,6 +13,5 @@ query: |-
 note:
 revision: 1
 resources: https://adsecurity.org/?page_id=183
-acknowledgement: Ryan, @haus3c
-acknowledgements: Martin Sohn Christensen, @martinsohndk
+acknowledgements: Ryan, @haus3c
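Review bot: The second hunk of queries/Principal with SPN keyword.yml collapses the two acknowledgement keys into one but keeps only `Ryan, @haus3c`, so the credit for `Martin Sohn Christensen, @martinsohndk` that sat under the plural key disappears from the file. If the intent was to fix the singular/plural key duplication rather than to remove a contributor, both names should be carried into the single line, e.g. `acknowledgements: Ryan, @haus3c; Martin Sohn Christensen, @martinsohndk` (or whatever separator the collection uses for multiple contributors — the other files in this chunk only show single-contributor values). The hunk header counts six old lines but only five are visible here, so one leading context line of this hunk appears to have been lost in this rendering.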
diff --git a/queries/Principals with DCSync privileges.yml b/queries/Principals with DCSync privileges.yml
index 3fbf826..33309b3 100644
--- a/queries/Principals with DCSync privileges.yml
+++ b/queries/Principals with DCSync privileges.yml
@@ -1,7 +1,7 @@
 name: Principals with DCSync privileges
 guid: 6e9beb8a-ad14-43de-bda1-644d174a5906
 prebuilt: true
-platform: Active Directory
+platforms: Active Directory
 category: Dangerous Privileges
 description:
 query: |-
diff --git a/queries/Principals with DES-only Kerberos authentication.yml b/queries/Principals with DES-only Kerberos authentication.yml
index 31da9ed..a2e01ef 100644
--- a/queries/Principals with DES-only Kerberos authentication.yml
+++ b/queries/Principals with DES-only Kerberos authentication.yml
@@ -1,7 +1,7 @@
 name: Principals with DES-only Kerberos authentication
 guid: d03ea1ef-70f0-439b-b1ef-d7f94ceb2af3
 prebuilt: true
-platform: Active Directory
+platforms: Active Directory
 category: Active Directory Hygiene
 description:
 query: |-
diff --git a/queries/Principals with foreign domain group membership.yml b/queries/Principals with foreign domain group membership.yml
index 776f3f6..f9a15a5 100644
--- a/queries/Principals with foreign domain group membership.yml
+++ b/queries/Principals with foreign domain group membership.yml
@@ -1,7 +1,7 @@
 name: Principals with foreign domain group membership
 guid: 8fb3214a-5a75-4ecd-b293-c121abd94b4b
 prebuilt: true
-platform: Active Directory
+platforms: Active Directory
 category: Dangerous Privileges
 description:
 query: |-
diff --git a/queries/Principals with passwords stored using reversible encryption.yml b/queries/Principals with passwords stored using reversible encryption.yml
index 51a679e..ce7caa3 100644
--- a/queries/Principals with passwords stored using reversible encryption.yml
+++ b/queries/Principals with passwords stored using reversible encryption.yml
@@ -1,7 +1,7 @@
 name: Principals with passwords stored using reversible encryption
 guid: ab900835-b2b8-4674-87b4-8b5141e80439
 prebuilt: true
-platform: Active Directory
+platforms: Active Directory
 category: Active Directory Hygiene
 description:
 query: |-
diff --git a/queries/Principals with weak supported Kerberos encryption types.yml b/queries/Principals with weak supported Kerberos encryption types.yml
index 2d42f6f..bacb090 100644
--- a/queries/Principals with weak supported Kerberos encryption types.yml
+++ b/queries/Principals with weak supported Kerberos encryption types.yml
@@ -1,7 +1,7 @@
 name: Principals with weak supported Kerberos encryption types
 guid: ca329573-2157-41da-ab17-4d122c54b11d
 prebuilt: true
-platform: Active Directory
+platforms: Active Directory
 category: Active Directory Hygiene
 description:
 query: |-
diff --git a/queries/Public Key Services container.yml b/queries/Public Key Services container.yml
index e6217af..6c38e0a 100644
--- a/queries/Public Key Services container.yml
+++ b/queries/Public Key Services container.yml
@@ -1,7 +1,7 @@
 name: Public Key Services container
 guid: 07e94492-71aa-4665-ab8c-e7aec25906cd
 prebuilt: true
-platform: Active Directory
+platforms: Active Directory
 category: Active Directory Certificate Services
 description:
 query: |-
diff --git a/queries/Servers where Domain Users can RDP.yml b/queries/Servers where Domain Users can RDP.yml
index 9613e54..b5429e9 100644
--- a/queries/Servers where Domain Users can RDP.yml
+++ b/queries/Servers where Domain Users can RDP.yml
@@ -1,7 +1,7 @@
 name: Servers where Domain Users can RDP
 guid: b9a330ae-1d89-44d4-8f74-9ca18e93eb92
 prebuilt: true
-platform: Active Directory
+platforms: Active Directory
 category: Dangerous Privileges
 description:
 query: |-
diff --git a/queries/Sessions across trusts.yml b/queries/Sessions across trusts.yml
index 9925207..b4c72b3 100644
--- a/queries/Sessions across trusts.yml
+++ b/queries/Sessions across trusts.yml
@@ -1,7 +1,7 @@
 name: Sessions across trusts
 guid: aea7ac64-1f51-407b-b0ee-19fd30075794
 prebuilt: false
-platform: Active Directory
+platforms: Active Directory
 category: Domain Information
 description: Users logging on across a trust, the users originate from trusted domains.
 query: |-
diff --git a/queries/Shortest paths from Azure Applications to Tier Zero High Value targets.yml b/queries/Shortest paths from Azure Applications to Tier Zero High Value targets.yml
index 551ebae..48a5b47 100644
--- a/queries/Shortest paths from Azure Applications to Tier Zero High Value targets.yml
+++ b/queries/Shortest paths from Azure Applications to Tier Zero High Value targets.yml
@@ -1,7 +1,7 @@
 name: Shortest paths from Azure Applications to Tier Zero / High Value targets
 guid: 60ff7c58-a98e-4bc1-9e32-8378d2db0c43
 prebuilt: true
-platform: Azure
+platforms: Azure
 category: Shortest Paths
 description:
 query: |-
diff --git a/queries/Shortest paths from Domain Users to Tier Zero High Value targets.yml b/queries/Shortest paths from Domain Users to Tier Zero High Value targets.yml
index 6911caf..b5a7a8b 100644
--- a/queries/Shortest paths from Domain Users to Tier Zero High Value targets.yml
+++ b/queries/Shortest paths from Domain Users to Tier Zero High Value targets.yml
@@ -1,7 +1,7 @@
 name: Shortest paths from Domain Users to Tier Zero / High Value targets
 guid: 469dc0f3-71b8-41b0-a03b-b4af7874665d
 prebuilt: true
-platform: Active Directory
+platforms: Active Directory
 category: Shortest Paths
 description:
 query: |-
diff --git a/queries/Shortest paths from Entra Users to Tier Zero High Value targets.yml b/queries/Shortest paths from Entra Users to Tier Zero High Value targets.yml
index abe9454..45359b8 100644
--- a/queries/Shortest paths from Entra Users to Tier Zero High Value targets.yml
+++ b/queries/Shortest paths from Entra Users to Tier Zero High Value targets.yml
@@ -1,7 +1,7 @@
 name: Shortest paths from Entra Users to Tier Zero / High Value targets
 guid: 58089b28-54e0-4fd2-bf66-3db480b00e2f
 prebuilt: true
-platform: Azure
+platforms: Azure
 category: Shortest Paths
 description:
 query: |-
diff --git a/queries/Shortest paths from Owned objects to Tier Zero.yml b/queries/Shortest paths from Owned objects to Tier Zero.yml
index 9b4d700..a31e89c 100644
--- a/queries/Shortest paths from Owned objects to Tier Zero.yml
+++ b/queries/Shortest paths from Owned objects to Tier Zero.yml
@@ -1,7 +1,7 @@
 name: Shortest paths from Owned objects to Tier Zero
 guid: dfaa8e8f-2c79-4e92-a291-b1347f6e83b0
 prebuilt: true
-platform: Active Directory
+platforms: Active Directory
 category: Shortest Paths
 description:
 query: |-
diff --git a/queries/Shortest paths from Owned objects.yml b/queries/Shortest paths from Owned objects.yml
index d1057ba..20a103d 100644
--- a/queries/Shortest paths from Owned objects.yml
+++ b/queries/Shortest paths from Owned objects.yml
@@ -1,7 +1,7 @@
 name: Shortest paths from Owned objects
 guid: e370a01d-c129-4f19-b88d-9479cbe00028
 prebuilt: true
-platform: Active Directory
+platforms: Active Directory
 category: Shortest Paths
 description:
 query: |-
diff --git a/queries/Shortest paths to Azure Subscriptions.yml b/queries/Shortest paths to Azure Subscriptions.yml
index 4f770e4..0758049 100644
--- a/queries/Shortest paths to Azure Subscriptions.yml
+++ b/queries/Shortest paths to Azure Subscriptions.yml
@@ -1,7 +1,7 @@
 name: Shortest paths to Azure Subscriptions
 guid: 4785b305-c101-461c-80fc-3fb3ff67a8ce
 prebuilt: true
-platform: Azure
+platforms: Azure
 category: Shortest Paths
 description:
 query: |-
diff --git a/queries/Shortest paths to Domain Admins from Kerberoastable users.yml b/queries/Shortest paths to Domain Admins from Kerberoastable users.yml
index a506e65..4724c02 100644
--- a/queries/Shortest paths to Domain Admins from Kerberoastable users.yml
+++ b/queries/Shortest paths to Domain Admins from Kerberoastable users.yml
@@ -1,7 +1,7 @@
 name: Shortest paths to Domain Admins from Kerberoastable users
 guid: bd163361-1e05-47c7-908b-962aef251535
 prebuilt: true
-platform: Active Directory
+platforms: Active Directory
 category: Shortest Paths
 description:
 query: |-
diff --git a/queries/Shortest paths to Domain Admins.yml b/queries/Shortest paths to Domain Admins.yml
index cd9786f..e18a226 100644
--- a/queries/Shortest paths to Domain Admins.yml
+++ b/queries/Shortest paths to Domain Admins.yml
@@ -1,7 +1,7 @@
 name: Shortest paths to Domain Admins
 guid: f40cb34b-5ec7-44bc-9aa8-a200a4a41f22
 prebuilt: true
-platform: Active Directory
+platforms: Active Directory
 category: Shortest Paths
 description:
 query: |-
diff --git a/queries/Shortest paths to Tier Zero High Value targets.yml b/queries/Shortest paths to Tier Zero High Value targets.yml
index 008462b..78bba46 100644
--- a/queries/Shortest paths to Tier Zero High Value targets.yml
+++ b/queries/Shortest paths to Tier Zero High Value targets.yml
@@ -1,7 +1,7 @@
 name: Shortest paths to Tier Zero / High Value targets
 guid: 237aac58-8641-4703-a9f7-001d69546fd8
 prebuilt: true
-platform: Active Directory
+platforms: Active Directory
 category: Shortest Paths
 description:
 query: |-
diff --git a/queries/Shortest paths to privileged roles.yml b/queries/Shortest paths to privileged roles.yml
index d402819..18bbcd8 100644
--- a/queries/Shortest paths to privileged roles.yml
+++ b/queries/Shortest paths to privileged roles.yml
@@ -1,7 +1,7 @@
 name: Shortest paths to privileged roles
 guid: 3dc73dd8-4873-4aeb-a88f-56a58c77f512
 prebuilt: true
-platform: Azure
+platforms: Azure
 category: Shortest Paths
 description:
 query: |-
diff --git a/queries/Shortest paths to systems trusted for unconstrained delegation.yml b/queries/Shortest paths to systems trusted for unconstrained delegation.yml
index 6b0c80e..3a7ea4d 100644
--- a/queries/Shortest paths to systems trusted for unconstrained delegation.yml
+++ b/queries/Shortest paths to systems trusted for unconstrained delegation.yml
@@ -1,7 +1,7 @@
 name: Shortest paths to systems trusted for unconstrained delegation
 guid: 16a9e47b-45f8-4514-b409-771bb5186142
 prebuilt: true
-platform: Active Directory
+platforms: Active Directory
 category: Shortest Paths
 description:
 query: |-
diff --git a/queries/Smart card accounts with passwords not rotated in over 1 year.yml b/queries/Smart card accounts with passwords not rotated in over 1 year.yml
index 4ee2ad1..20e8dcf 100644
--- a/queries/Smart card accounts with passwords not rotated in over 1 year.yml
+++ b/queries/Smart card accounts with passwords not rotated in over 1 year.yml
@@ -1,7 +1,7 @@
 name: Smart card accounts with passwords not rotated in over 1 year
 guid: 7e56f2e7-79c3-4f0d-aa3e-14cf3de7ab73
 prebuilt: false
-platform: Active Directory
+platforms: Active Directory
 category: Active Directory Hygiene
 description:
 query: |-
diff --git a/queries/Tier Zero AD principals synchronized with Entra ID.yml b/queries/Tier Zero AD principals synchronized with Entra ID.yml
index 89c7ec6..3b58dbc 100644
--- a/queries/Tier Zero AD principals synchronized with Entra ID.yml
+++ b/queries/Tier Zero AD principals synchronized with Entra ID.yml
@@ -1,7 +1,7 @@
 name: Tier Zero AD principals synchronized with Entra ID
 guid: a8b6ec67-21aa-4dd2-8906-47bb81bf5262
 prebuilt: true
-platform: Azure
+platforms: Azure
 category: Azure Hygiene
 description:
 query: |-
diff --git a/queries/Tier Zero High Value enabled users not requiring smart card authentication.yml b/queries/Tier Zero High Value enabled users not requiring smart card authentication.yml
index fd907e6..400f080 100644
--- a/queries/Tier Zero High Value enabled users not requiring smart card authentication.yml
+++ b/queries/Tier Zero High Value enabled users not requiring smart card authentication.yml
@@ -1,7 +1,7 @@
 name: Tier Zero / High Value enabled users not requiring smart card authentication
 guid: 867f9f17-c149-4c4b-ad84-9a807622ff8c
 prebuilt: true
-platform: Active Directory
+platforms: Active Directory
 category: Active Directory Hygiene
 description:
 query: |-
diff --git a/queries/Tier Zero High Value external Entra ID users.yml b/queries/Tier Zero High Value external Entra ID users.yml
index 200134b..d7c0744 100644
--- a/queries/Tier Zero High Value external Entra ID users.yml
+++ b/queries/Tier Zero High Value external Entra ID users.yml
@@ -1,7 +1,7 @@
 name: Tier Zero / High Value external Entra ID users
 guid: 20e07417-d286-4dca-a962-568f2b262f65
 prebuilt: true
-platform: Azure
+platforms: Azure
 category: Azure Hygiene
 description:
 query: |-
diff --git a/queries/Tier Zero High Value users with non-expiring passwords.yml b/queries/Tier Zero High Value users with non-expiring passwords.yml
index b03a263..52bffb7 100644
--- a/queries/Tier Zero High Value users with non-expiring passwords.yml
+++ b/queries/Tier Zero High Value users with non-expiring passwords.yml
@@ -1,7 +1,7 @@
 name: Tier Zero / High Value users with non-expiring passwords
 guid: 4eca1b69-00a2-48a0-abb3-b94ea647cf6b
 prebuilt: true
-platform: Active Directory
+platforms: Active Directory
 category: Active Directory Hygiene
 description:
 query: |-
diff --git a/queries/Tier Zero accounts not members of Denied RODC Password Replication Group.yml b/queries/Tier Zero accounts not members of Denied RODC Password Replication Group.yml
index 6264980..eccbfc3 100644
--- a/queries/Tier Zero accounts not members of Denied RODC Password Replication Group.yml
+++ b/queries/Tier Zero accounts not members of Denied RODC Password Replication Group.yml
@@ -1,7 +1,7 @@
 name: Tier Zero accounts not members of Denied RODC Password Replication Group
 guid: e9613406-e346-410b-a033-690a6cf0c708
 prebuilt: false
-platform: Active Directory
+platforms: Active Directory
 category: Active Directory Hygiene
 description:
 query: |-
diff --git a/queries/Tier Zero accounts that can be delegated.yml b/queries/Tier Zero accounts that can be delegated.yml
index 08bb0a7..6446fdb 100644
--- a/queries/Tier Zero accounts that can be delegated.yml
+++ b/queries/Tier Zero accounts that can be delegated.yml
@@ -1,7 +1,7 @@
 name: Tier Zero accounts that can be delegated
 guid: 4316eaf1-6af0-4879-8f55-ac2633a711c3
 prebuilt: false
-platform: Active Directory
+platforms: Active Directory
 category: Kerberos Interaction
 description:
 query: |-
diff --git a/queries/Tier Zero computers at risk of constrained delegation.yml b/queries/Tier Zero computers at risk of constrained delegation.yml
index 8b52703..31229a7 100644
--- a/queries/Tier Zero computers at risk of constrained delegation.yml
+++ b/queries/Tier Zero computers at risk of constrained delegation.yml
@@ -1,7 +1,7 @@
 name: Tier Zero computers at risk of constrained delegation
 guid: 8641e593-f2f2-48ba-bd45-fbc86e9f632a
 prebuilt: false
-platform: Active Directory
+platforms: Active Directory
 category: Dangerous Privileges
 description:
 query: |-
diff --git a/queries/Tier Zero computers at risk of resource-based constrained delegation.yml b/queries/Tier Zero computers at risk of resource-based constrained delegation.yml
index 313944e..d8d7c1f 100644
--- a/queries/Tier Zero computers at risk of resource-based constrained delegation.yml
+++ b/queries/Tier Zero computers at risk of resource-based constrained delegation.yml
@@ -1,7 +1,7 @@
 name: Tier Zero computers at risk of resource-based constrained delegation
 guid: 4dc97cf4-3c03-4fe6-8a8b-4f665c67e1e5
 prebuilt: false
-platform: Active Directory
+platforms: Active Directory
 category: Dangerous Privileges
 description:
 query: |-
diff --git a/queries/Tier Zero computers not owned by Tier Zero.yml b/queries/Tier Zero computers not owned by Tier Zero.yml
index a81257f..fa14b45 100644
--- a/queries/Tier Zero computers not owned by Tier Zero.yml
+++ b/queries/Tier Zero computers not owned by Tier Zero.yml
@@ -1,7 +1,7 @@
 name: Tier Zero computers not owned by Tier Zero
 guid: 99d29ded-223a-442b-a0e0-f8b5694c6441
 prebuilt: false
-platform: Active Directory
+platforms: Active Directory
 category: Dangerous Privileges
 description:
 query: |-
diff --git a/queries/Tier Zero computers not requiring inbound SMB signing.yml b/queries/Tier Zero computers not requiring inbound SMB signing.yml
index 7ed91b5..dc77455 100644
--- a/queries/Tier Zero computers not requiring inbound SMB signing.yml
+++ b/queries/Tier Zero computers not requiring inbound SMB signing.yml
@@ -1,7 +1,7 @@
 name: Tier Zero omputers not requiring inbound SMB signing
 guid: 13485477-f026-4b1f-906d-4f2e37364ba4
 prebuilt: false
-platform: Active Directory
+platforms: Active Directory
 category: NTLM Relay Attacks
 description:
 query: |-
diff --git a/queries/Tier Zero computers with passwords older than the default maximum password age.yml b/queries/Tier Zero computers with passwords older than the default maximum password age.yml
index ad2febb..b038387 100644
--- a/queries/Tier Zero computers with passwords older than the default maximum password age.yml
+++ b/queries/Tier Zero computers with passwords older than the default maximum password age.yml
@@ -1,7 +1,7 @@
 name: Tier Zero computers with passwords older than the default maximum password age
 guid: b6d6d0bf-130e-4719-996b-adc29bba36e9
 prebuilt: false
-platform: Active Directory
+platforms: Active Directory
 category: Active Directory Hygiene
 description:
 query: |-
diff --git a/queries/Tier Zero computers with the WebClient running.yml b/queries/Tier Zero computers with the WebClient running.yml
index ba0ec58..c87bca4 100644
--- a/queries/Tier Zero computers with the WebClient running.yml
+++ b/queries/Tier Zero computers with the WebClient running.yml
@@ -1,7 +1,7 @@
 name: Tier Zero computers with the WebClient running
 guid: 27a6f917-8ed4-4e2e-9b38-41a4b6de1b14
 prebuilt: false
-platform: Active Directory
+platforms: Active Directory
 category: Active Directory Hygiene
 description:
 query: |-
diff --git a/queries/Tier Zero computers with unsupported operating systems.yml b/queries/Tier Zero computers with unsupported operating systems.yml
index db861e1..9252812 100644
--- a/queries/Tier Zero computers with unsupported operating systems.yml
+++ b/queries/Tier Zero computers with unsupported operating systems.yml
@@ -1,7 +1,7 @@
 name: Tier Zero computers with unsupported operating systems
 guid: a87b558c-5746-4a90-9f83-c86e7b924a52
 prebuilt: false
-platform: Active Directory
+platforms: Active Directory
 category: Active Directory Hygiene
 description:
 query: |-
diff --git a/queries/Tier Zero users not member of Protected Users.yml b/queries/Tier Zero users not member of Protected Users.yml
index ccddd5d..99a1c70 100644
--- a/queries/Tier Zero users not member of Protected Users.yml
+++ b/queries/Tier Zero users not member of Protected Users.yml
@@ -1,7 +1,7 @@
 name: Tier Zero users not member of Protected Users
 guid: 543eb01d-9fa3-4b8f-a936-b46bbfdaa2ae
 prebuilt: false
-platform: Active Directory
+platforms: Active Directory
 category: Active Directory Hygiene
 description:
 query: |-
diff --git a/queries/Tier Zero users with email.yml b/queries/Tier Zero users with email.yml
index c6c207b..d12dd0a 100644
--- a/queries/Tier Zero users with email.yml
+++ b/queries/Tier Zero users with email.yml
@@ -1,7 +1,7 @@
 name: Tier Zero users with email
 guid: 9654c0d4-f1e8-4393-a2d1-53a5554a9de8
 prebuilt: false
-platform: Active Directory
+platforms: Active Directory
 category: Active Directory Hygiene
 description: Tier Zero accounts with email access have an increased attack surface.
 query: |-
diff --git a/queries/Tier Zero users with passwords not rotated in over 1 year.yml b/queries/Tier Zero users with passwords not rotated in over 1 year.yml
index c3b898b..ffa03e4 100644
--- a/queries/Tier Zero users with passwords not rotated in over 1 year.yml
+++ b/queries/Tier Zero users with passwords not rotated in over 1 year.yml
@@ -1,7 +1,7 @@
 name: Tier Zero users with passwords not rotated in over 1 year
 guid: 5e0d69b1-37d1-43ae-ac5d-f297f312fab5
 prebuilt: false
-platform: Active Directory
+platforms: Active Directory
 category: Active Directory Hygiene
 description:
 query: |-
diff --git a/queries/Trace ACE inheritance.yml b/queries/Trace ACE inheritance.yml
index 2eaf422..55b3dba 100644
--- a/queries/Trace ACE inheritance.yml
+++ b/queries/Trace ACE inheritance.yml
@@ -1,7 +1,7 @@
 name: Trace ACE inheritance
 guid: 8c5454df-3ae8-412c-b271-3c4c55df7141
 prebuilt: false
-platform: Active Directory
+platforms: Active Directory
 category: Domain Information
 description: When BloodHound shows that an inherited ACE applies to an object it does not show the source/where it is inherited from from (OU, Container, Domain root) - the source is where it should be remediated. This query can sometimes find the source of an inherited ACE, but only works if the ACE is set to also apply to the source itself.
 query: |-
@@ -15,4 +15,3 @@ note:
 revision: 1
 resources:
 acknowledgements: Walter.Legowski, @SadProcessor
-
diff --git a/queries/Unresolved SID with outbound control.yml b/queries/Unresolved SID with outbound control.yml
index a20402d..58fa6de 100644
--- a/queries/Unresolved SID with outbound control.yml
+++ b/queries/Unresolved SID with outbound control.yml
@@ -1,7 +1,7 @@
 name: Unresolved SID with outbound control
 guid: 4e8429f9-cba2-41e9-bac6-0c42f96b2c57
 prebuilt: false
-platform: Active Directory
+platforms: Active Directory
 category: Active Directory Hygiene
 description:
 query: |-
diff --git a/queries/Usage of built-in domain Administrator account.yml b/queries/Usage of built-in domain Administrator account.yml
index e3b4272..1a6713a 100644
--- a/queries/Usage of built-in domain Administrator account.yml
+++ b/queries/Usage of built-in domain Administrator account.yml
@@ -1,7 +1,7 @@
 name: Usage of built-in domain Administrator account
 guid: 35b1206f-871b-44aa-a601-c5258060dfcf
 prebuilt: false
-platform: Active Directory
+platforms: Active Directory
 category: Active Directory Hygiene
 description: Usage of Active Directory's built-in Administrator account is a sign that the account is not only used for break-glass purposes.
 query: |-
diff --git a/queries/Users which do not require password to authenticate.yml b/queries/Users which do not require password to authenticate.yml
index d54acb2..9ab6688 100644
--- a/queries/Users which do not require password to authenticate.yml
+++ b/queries/Users which do not require password to authenticate.yml
@@ -1,7 +1,7 @@
 name: Users which do not require password to authenticate
 guid: 23bdc2ad-6739-4b2b-85d3-258e3f424eb2
 prebuilt: true
-platform: Active Directory
+platforms: Active Directory
 category: Active Directory Hygiene
 description:
 query: |-
diff --git a/queries/Users with logon scripts stored in a trusted domain.yml b/queries/Users with logon scripts stored in a trusted domain.yml
index 2fc4a45..6dbba8d 100644
--- a/queries/Users with logon scripts stored in a trusted domain.yml
+++ b/queries/Users with logon scripts stored in a trusted domain.yml
@@ -1,7 +1,7 @@
 name: Users with logon scripts stored in a trusted domain
 guid: 8d94d3f3-3d53-4939-a206-3c0a4dd3f646
 prebuilt: false
-platform: Active Directory
+platforms: Active Directory
 category: Active Directory Hygiene
 description:
 query: |-
diff --git a/queries/Users with non-default Primary Group membership.yml b/queries/Users with non-default Primary Group membership.yml
index 57df438..ae9a6f6 100644
--- a/queries/Users with non-default Primary Group membership.yml
+++ b/queries/Users with non-default Primary Group membership.yml
@@ -1,7 +1,7 @@
 name: Users with non-default Primary Group membership
 guid: 93890f88-df2c-4167-a945-a53961d08d00
 prebuilt: false
-platform: Active Directory
+platforms: Active Directory
 category: Active Directory Hygiene
 description:
 query: |-
diff --git a/queries/Users with non-expiring passwords.yml b/queries/Users with non-expiring passwords.yml
index 697cf8c..83613f0 100644
--- a/queries/Users with non-expiring passwords.yml
+++ b/queries/Users with non-expiring passwords.yml
@@ -1,7 +1,7 @@
 name: Users with non-expiring passwords
 guid: 212c2a98-53d9-4dfa-b177-42c601452dd1
 prebuilt: false
-platform: Active Directory
+platforms: Active Directory
 category: Active Directory Hygiene
 description:
 query: |-
diff --git a/queries/Users with passwords not rotated in over 1 year.yml b/queries/Users with passwords not rotated in over 1 year.yml
index c9b8c23..1c86bc2 100644
--- a/queries/Users with passwords not rotated in over 1 year.yml
+++ b/queries/Users with passwords not rotated in over 1 year.yml
@@ -1,7 +1,7 @@
 name: Users with passwords not rotated in over 1 year
 guid: be70d1bd-b7eb-40b0-971c-eefc50eca032
 prebuilt: true
-platform: Active Directory
+platforms: Active Directory
 category: Active Directory Hygiene
 description:
 query: |-
diff --git a/queries/Workstations where Domain Users can RDP.yml b/queries/Workstations where Domain Users can RDP.yml
index 53f51b2..b688bd9 100644
--- a/queries/Workstations where Domain Users can RDP.yml
+++ b/queries/Workstations where Domain Users can RDP.yml
@@ -1,7 +1,7 @@
 name: Workstations where Domain Users can RDP
 guid: 9486e0e6-2617-4595-b969-cf57ca21fc86
 prebuilt: true
-platform: Active Directory
+platforms: Active Directory
 category: Dangerous Privileges
 description:
 query: |-
diff --git a/tests/schema.py b/tests/schema.py
index 4944e7b..fff9509 100644
--- a/tests/schema.py
+++ b/tests/schema.py
@@ -1,16 +1,33 @@
-from pydantic import BaseModel
-from typing import Optional, Union, List
+from pydantic import BaseModel, field_validator, ConfigDict
+from typing import Optional, Union
 class CypherQuery(BaseModel):
+ model_config = ConfigDict(extra='forbid')
+
 name: str
 guid: str
 prebuilt: bool = False
- platform: Union[str, List[str]]
+ platforms: Union[str, list[str]]
 category: str
 description: Optional[str] = None
 query: str
 revision: int
 note: Optional[str] = None
- resources: Optional[Union[str, List[str]]] = None
- acknowledgement: Optional[Union[str, List[str]]] = None
+ resources: Optional[Union[str, list[str]]] = None
+ acknowledgements: Optional[Union[str, list[str]]] = None
+
+ @field_validator('platforms', mode='after')
+ @classmethod
+ def platforms_is_list(cls, value: str | list[str]) -> list[str]:
+ return value if isinstance(value, list) else [value]
+
+ @field_validator('resources', mode='after')
+ @classmethod
+ def resources_is_list(cls, value: str | list[str]) -> list[str]:
+ return value if isinstance(value, list) else [value]
+
+ @field_validator('acknowledgements', mode='after')
+ @classmethod
+ def acknowledgementsis_list(cls, value: str | list[str]) -> list[str]:
+ return value if isinstance(value, list) else [value]
diff --git a/tests/test_cypher_syntax.py b/tests/test_cypher_syntax.py
index 68d61f4..01d07a2 100644
--- a/tests/test_cypher_syntax.py
+++ b/tests/test_cypher_syntax.py
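Review bot: The three `mode='after'` validators turn an explicit `None` into `[None]` — `resources:` left blank in a query file, as in the Trace ACE inheritance hunk above, loads as `None`, `isinstance(None, list)` is false, and `model_dump()` then serialises the field as `[null]` instead of `null`; the declared `Optional[...]` type admits the `None`, and the `-> list[str]` annotation on the validator hides it. A single validator registered for all three field names with a `None` guard fixes this and also removes the `acknowledgementsis_list` typo (missing underscore before `is`); the new `utilities/python/schema.py` hunk at the end of this diff contains the same three validators and needs the identical change. `extra='forbid'` means a query file still using the old `platform`/`acknowledgement` keys is now rejected outright, which is worth recording in a class docstring such as `"""One query file; unknown keys are rejected and list-valued fields also accept a bare string."""`.
```python
    # … unchanged: model_config and field declarations …

    @field_validator('platforms', 'resources', 'acknowledgements', mode='after')
    @classmethod
    def _as_list(cls, value: str | list[str] | None) -> list[str] | None:
        """Wrap a bare string in a list; leave an absent (None) value as None."""
        if value is None:
            return None
        return value if isinstance(value, list) else [value]
```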
@@ -63,5 +63,20 @@ def test_cypher_validation(file_path: str, request: pytest.FixtureRequest) -> No
 pytest.fail(f"Parsing failed for file {file_path}: {str(e)}", pytrace=False)
+def test_duplicate_guid() -> None:
+ query_files = get_query_files("Queries")
+ guids = set()
+
+ # Iterate over all query files and check for duplicate GUIDs
+ for file_path in query_files:
+ with open(file_path, "r") as f:
+ yaml_object = yaml.safe_load(f)
+
+ query_guid = yaml_object["guid"]
+ if query_guid in guids:
+ pytest.fail(f"Duplicate GUID found: {query_guid} in file {file_path}", pytrace=False)
+ guids.add(query_guid)
+
+
 if __name__ == "__main__":
 pytest.main(["-v", __file__])
diff --git a/utilities/python/convert.py b/utilities/python/convert.py
index 62a44dc..3e92769 100644
--- a/utilities/python/convert.py
+++ b/utilities/python/convert.py
@@ -1,5 +1,6 @@
 from typing_extensions import Annotated
 from pathlib import Path
+from schema import CypherQuery
 import json
 import glob
 import typer
@@ -27,7 +28,9 @@ def to_json(
 all_objects = []
 for cypher_query in cypher_queries:
 with open(cypher_query, "r") as yaml_file:
- all_objects.append(yaml.safe_load(yaml_file))
+ yaml_obj = yaml.safe_load(yaml_file)
+ query = CypherQuery(**yaml_obj)
+ all_objects.append(query.model_dump())
 output_file.write(json.dumps(all_objects, indent=2))
 typer.echo(f"Finished converting Cypher queries to JSON to {output_file.name}")
diff --git a/utilities/python/schema.py b/utilities/python/schema.py
new file mode 100644
index 0000000..fff9509
--- /dev/null
+++ b/utilities/python/schema.py
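Review bot: `test_duplicate_guid` stops at the first collision and its failure message names only the second file, so the maintainer still has to search for where that GUID was first defined; keeping a `dict` of guid → file and collecting every collision before failing reports both paths in one run. The loop also passes vacuously when `get_query_files("Queries")` returns nothing — every query file this diff touches lives under `queries/` (lower case), so if the helper uses its argument as a path on a case-sensitive filesystem no file is checked at all; `get_query_files` is defined outside the hunk, so this is inferred, but an `assert query_files` guard makes the test fail loudly either way. `open(file_path, "r")` should also pass `encoding="utf-8"` so the result does not depend on the locale.
```python
def test_duplicate_guid() -> None:
    query_files = get_query_files("Queries")
    assert query_files, "no query files found; the duplicate-GUID check ran against nothing"

    first_seen: dict[str, str] = {}
    collisions: list[str] = []
    for file_path in query_files:
        with open(file_path, "r", encoding="utf-8") as f:
            query_guid = yaml.safe_load(f)["guid"]
        if query_guid in first_seen:
            collisions.append(f"{query_guid}: {first_seen[query_guid]} and {file_path}")
        else:
            first_seen[query_guid] = file_path

    if collisions:
        pytest.fail("Duplicate GUIDs found:\n" + "\n".join(collisions), pytrace=False)
```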
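Review bot: `CypherQuery(**yaml_obj)` raises a bare `TypeError` when `yaml.safe_load` returns something other than a mapping (an empty or malformed query file yields `None`), and a `ValidationError` that does propagate never names the file being converted; `query = CypherQuery.model_validate(yaml_obj)` turns the first case into a proper `ValidationError`, and catching it around the call to echo `cypher_query` before exiting gives the operator the offending path (`ValidationError` would need adding to the pydantic import). The `schema` module this hunk imports is a new file that is byte-identical to `tests/schema.py` (both hunks carry blob fff9509), so the two copies will drift; importing one module from both places, or moving the schema into a shared package, avoids that. Note too that with the validators as written `model_dump()` emits `[null]` for a blank `resources:` key, which changes the JSON shape relative to the previous `yaml.safe_load` pass-through.
```python
        with open(cypher_query, "r") as yaml_file:
            yaml_obj = yaml.safe_load(yaml_file)
        try:
            query = CypherQuery.model_validate(yaml_obj)
        except ValidationError as exc:
            typer.echo(f"{cypher_query}: {exc}", err=True)
            raise typer.Exit(code=1) from exc
        all_objects.append(query.model_dump())
```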
@@ -0,0 +1,33 @@
+from pydantic import BaseModel, field_validator, ConfigDict
+from typing import Optional, Union
+
+
+class CypherQuery(BaseModel):
+ model_config = ConfigDict(extra='forbid')
+
+ name: str
+ guid: str
+ prebuilt: bool = False
+ platforms: Union[str, list[str]]
+ category: str
+ description: Optional[str] = None
+ query: str
+ revision: int
+ note: Optional[str] = None
+ resources: Optional[Union[str, list[str]]] = None
+ acknowledgements: Optional[Union[str, list[str]]] = None
+
+ @field_validator('platforms', mode='after')
+ @classmethod
+ def platforms_is_list(cls, value: str | list[str]) -> list[str]:
+ return value if isinstance(value, list) else [value]
+
+ @field_validator('resources', mode='after')
+ @classmethod
+ def resources_is_list(cls, value: str | list[str]) -> list[str]:
+ return value if isinstance(value, list) else [value]
+
+ @field_validator('acknowledgements', mode='after')
+ @classmethod
+ def acknowledgementsis_list(cls, value: str | list[str]) -> list[str]:
+ return value if isinstance(value, list) else [value]