SpecterOps · martinsohn · Jun 13, 2025 · Jun 13, 2025 · Jun 13, 2025 · Jun 13, 2025
diff --git a/queries/Domains where any user can join a computer to the domain.yml b/queries/Domains where any user can join a computer to the domain.yml
@@ -3,12 +3,12 @@ guid: 421921fa-bc0f-4659-9680-b7481adcb132
 prebuilt: true
 platforms: Active Directory
 category: Active Directory Hygiene
-description: 
+description: Authenticated Users can by default create 10 domain computers as defined by the attribute 'ms-DS-MachineAccountQuota' and the DC URA Security Policy 'Add workstations to domain'. This query does not check the latter.
 query: |-
   MATCH (n:Domain)
   WHERE n.machineaccountquota > 0
   RETURN n
-note: Does not check the 'Add workstations to domain' URA Security Policy on DCs.
+note: 
 revision: 1
 resources: 
 - https://learn.microsoft.com/en-us/troubleshoot/windows-server/active-directory/default-workstation-numbers-join-domain

diff --git a/queries/Domains with a minimum default password policy length less than 15 characters.yml b/queries/Domains with a minimum default password policy length less than 15 characters.yml
@@ -3,12 +3,12 @@ guid: 7d258d2d-a43d-4a90-85d7-71c946ae5fd7
 prebuilt: false
 platforms: Active Directory
 category: Active Directory Hygiene
-description: 
+description: Follows the NIST 800-63B recommendation of 15 characters.
 query: |-
   MATCH (n:Domain)
   WHERE n.minpwdlength < 15
   RETURN n
-note: NIST recommends 15 characters.
+note: 
 revision: 1
 resources: https://pages.nist.gov/800-63-3/sp800-63b.html
 acknowledgements: Martin Sohn Christensen, @martinsohndk

diff --git a/queries/Domains with functional level not the latest version.yml b/queries/Domains with functional level not the latest version.yml
@@ -3,13 +3,15 @@ guid: 3da9d14a-f1cb-4df7-b3da-8d73ff5c401b
 prebuilt: false
 platforms: Active Directory
 category: Active Directory Hygiene
-description: 
+description: Check for functional level <4
 query: |-
   MATCH (n:Domain)
-  WHERE toString(n.functionallevel) IN ['2008','2003','2003 Interim','2000 Mixed/Native']
+  WHERE (
+    n.functionallevel IS NULL
+    OR NOT n.functionallevel IN ["2016","2025"]
+  )
   RETURN  n
-note: Functional level <4
 revision: 1
-resources: 
+resources: https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/active-directory-functional-levels
 acknowledgements: Martin Sohn Christensen, @martinsohndk
 
diff --git a/queries/Non-Tier Zero account with excessive control.yml b/queries/Non-Tier Zero account with excessive control.yml
@@ -3,7 +3,7 @@ guid: 944cecfe-519b-4318-b226-e8520161b454
 prebuilt: false
 platforms: Active Directory
 category: Dangerous Privileges
-description: 
+description: Finds Non-Tier Zero principals with control of >1000 Non-Tier Zero principals
 query: |-
   MATCH (d:Domain)-[:Contains*1..]->(u:User)
   WHERE u.enabled = true
@@ -13,7 +13,7 @@ query: |-
   WITH n, enabledUserCount, COLLECT(DISTINCT(m)) AS endNodes
   WHERE SIZE(endNodes) >= 1000
   RETURN n
-note: Finds Non-Tier Zero principals with control of >1000 Non-Tier Zero principals
+note: 
 revision: 1
 resources: 
 acknowledgements: Martin Sohn Christensen, @martinsohndk