diff --git a/queries/Domains where any user can join a computer to the domain.yml b/queries/Domains where any user can join a computer to the domain.yml index a428cfc..7569e59 100644 --- a/queries/Domains where any user can join a computer to the domain.yml +++ b/queries/Domains where any user can join a computer to the domain.yml @@ -3,12 +3,12 @@ guid: 421921fa-bc0f-4659-9680-b7481adcb132 prebuilt: true platforms: Active Directory category: Active Directory Hygiene -description: +description: Authenticated Users can by default create 10 domain computers as defined by the attribute 'ms-DS-MachineAccountQuota' and the DC URA Security Policy 'Add workstations to domain'. This query does not check the latter. query: |- MATCH (n:Domain) WHERE n.machineaccountquota > 0 RETURN n -note: Does not check the 'Add workstations to domain' URA Security Policy on DCs. +note: revision: 1 resources: - https://learn.microsoft.com/en-us/troubleshoot/windows-server/active-directory/default-workstation-numbers-join-domain diff --git a/queries/Domains with a minimum default password policy length less than 15 characters.yml b/queries/Domains with a minimum default password policy length less than 15 characters.yml index ad902b0..410d0bb 100644 --- a/queries/Domains with a minimum default password policy length less than 15 characters.yml +++ b/queries/Domains with a minimum default password policy length less than 15 characters.yml @@ -3,12 +3,12 @@ guid: 7d258d2d-a43d-4a90-85d7-71c946ae5fd7 prebuilt: false platforms: Active Directory category: Active Directory Hygiene -description: +description: Follows the NIST 800-63B recommendation of 15 characters. query: |- MATCH (n:Domain) WHERE n.minpwdlength < 15 RETURN n -note: NIST recommends 15 characters. +note: revision: 1 resources: https://pages.nist.gov/800-63-3/sp800-63b.html acknowledgements: Martin Sohn Christensen, @martinsohndk 
diff --git a/queries/Domains with functional level not the latest version.yml b/queries/Domains with functional level not the latest version.yml index 0ee7926..b41767a 100644 --- a/queries/Domains with functional level not the latest version.yml +++ b/queries/Domains with functional level not the latest version.yml @@ -3,13 +3,15 @@ guid: 3da9d14a-f1cb-4df7-b3da-8d73ff5c401b prebuilt: false platforms: Active Directory category: Active Directory Hygiene -description: +description: Check for functional level <4 query: |- MATCH (n:Domain) - WHERE toString(n.functionallevel) IN ['2008','2003','2003 Interim','2000 Mixed/Native'] + WHERE ( + n.functionallevel IS NULL + OR NOT n.functionallevel IN ["2016","2025"] + ) RETURN n -note: Functional level <4 revision: 1 -resources: +resources: https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/active-directory-functional-levels acknowledgements: Martin Sohn Christensen, @martinsohndk diff --git a/queries/Non-Tier Zero account with excessive control.yml b/queries/Non-Tier Zero account with excessive control.yml index ebec5a0..844eec1 100644 --- a/queries/Non-Tier Zero account with excessive control.yml +++ b/queries/Non-Tier Zero account with excessive control.yml @@ -3,7 +3,7 @@ guid: 944cecfe-519b-4318-b226-e8520161b454 prebuilt: false platforms: Active Directory category: Dangerous Privileges -description: +description: Finds Non-Tier Zero principals with control of >1000 Non-Tier Zero principals query: |- MATCH (d:Domain)-[:Contains*1..]->(u:User) WHERE u.enabled = true @@ -13,7 +13,7 @@ query: |- WITH n, enabledUserCount, COLLECT(DISTINCT(m)) AS endNodes WHERE SIZE(endNodes) >= 1000 RETURN n -note: Finds Non-Tier Zero principals with control of >1000 Non-Tier Zero principals +note: revision: 1 resources: acknowledgements: Martin Sohn Christensen, @martinsohndk
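Review bot: In the "Domains where any user can join a computer to the domain.yml" hunk, the `note:` key is left with an empty value after its text moves to `description:`, which a YAML loader reads as null; either drop the key or leave a short value so the field stays consistent with the schema the other query files use. The new description is also a single very long plain scalar; a `|-` block scalar (as already used for `query:`) would keep the line readable and avoid any quoting surprises from the embedded `'...'` attribute and policy names.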
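Review bot: In the "Domains with a minimum default password policy length less than 15 characters.yml" hunk, the new description attributes the 15-character figure to "NIST 800-63B", but the `resources:` link points at the 800-63-3 series page; confirm that the cited revision is the one that states 15 characters and link that revision directly, otherwise the description and its reference disagree. Separately, `resources:` here is an inline scalar (`resources: https://pages.nist.gov/...`) while the first file in this patch writes it as a list (`resources:` followed by `- https://...`); pick one shape so consumers of these files do not have to handle both.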
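Review bot: In the "Domains with functional level not the latest version.yml" hunk, the new description `Check for functional level <4` no longer describes what the query does: the rewritten predicate flags any domain whose `functionallevel` is null or is not one of `"2016"` or `"2025"`, so it also returns 2008 R2, 2012 and 2012 R2 domains, and the `<4` wording (carried over from the old `note:`) refers to a numeric level that the query never compares. Reword the description to match the list-based check, and note that the query accepts 2016 as well as 2025 even though the file name says "not the latest version". The change also drops the `toString(...)` wrapper the old query had; if `functionallevel` can be stored as a number rather than a string in any collector output, `n.functionallevel IN ["2016","2025"]` will be false for every domain and everything will be reported, so either keep `toString` or state in the description that the property is expected to be a string.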
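Review bot: In the "Non-Tier Zero account with excessive control.yml" hunk, the description says "control of >1000 Non-Tier Zero principals" while the query filters with `WHERE SIZE(endNodes) >= 1000`, so a principal controlling exactly 1000 is reported but not described; change the text to "1000 or more" or the comparison to `> 1000` so the two agree. `resources:` is left empty in this file; if there is no reference, remove the key rather than leaving a null-valued field.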