From 3a73aebb534a33c1dffef100547d7ba97be339ee Mon Sep 17 00:00:00 2001 
From: Martin
Date: Fri, 13 Jun 2025 17:06:04 +0200
Subject: [PATCH] remove 'note' field
---
 docs/query-structure.yml | 1 -
 queries/ACEs across trusts.yml | 1 -
 ...-REP Roastable Tier Zero users (DontReqPreAuth).yml | 1 -
 queries/AS-REP Roastable users (DontReqPreAuth).yml | 1 -
 ...ounts with SID History to a non-existent domain.yml | 1 -
 ...ounts with SID History to a same-domain account.yml | 1 -
 queries/Accounts with SID History.yml | 1 -
 .../Accounts with clear-text password attributes.yml | 1 -
 .../Accounts with weak password storage encryption.yml | 1 -
 .../AdminSDHolder protected Accounts and Groups.yml | 1 -
 queries/All ADCS ESC privilege escalation edges.yml | 1 -
 queries/All DNSAdmins.yml | 1 -
 queries/All Domain Admins.yml | 1 -
 queries/All Global Administrators.yml | 1 -
 queries/All Kerberoastable users.yml | 1 -
 queries/All Operator groups.yml | 1 -
 queries/All Schema Admins.yml | 1 -
 queries/All coerce and NTLM relay edges.yml | 1 -
 ...ncoming and local paths for a specific computer.yml | 1 -
 queries/All members of high privileged roles.yml | 1 -
 queries/All paths crossing a specific trust.yml | 1 -
 ...ipals with Microsoft Graph App Role assignments.yml | 1 -
 ...ft Graph privilege to grant arbitrary App Roles.yml | 1 -
 queries/CA administrators and CA managers.yml | 1 -
 .../Computer owners who can obtain LAPS passwords.yml | 1 -
 .../Computers not requiring inbound SMB signing.yml | 1 -
 ...ers where Domain Users are local administrators.yml | 1 -
 ...ters where Domain Users can read LAPS passwords.yml | 1 -
 .../Computers with membership in Protected Users.yml | 1 -
 ...uters with non-default Primary Group membership.yml | 1 -
 ...rds older than the default maximum password age.yml | 1 -
 queries/Computers with the WebClient running.yml | 1 -
 ... 
with the outgoing NTLM setting set to Deny all.yml | 1 -
 .../Computers with unsupported operating systems.yml | 1 -
 queries/Computers without Windows LAPS.yml | 1 -
 ...Cross-forest trusts with abusable configuration.yml | 1 -
 .../DCs vulnerable to NTLM relay to LDAP attacks.yml | 1 -
 .../Dangerous privileges for Domain Users groups.yml | 1 -
 queries/Devices with unsupported operating systems.yml | 1 -
 .../Disabled Tier Zero High Value principals - AD.yml | 1 -
 .../Disabled Tier Zero High Value principals - AZ.yml | 1 -
 .../Domain Admins logons to non-Domain Controllers.yml | 1 -
 ...ontrollers allowing NTLMv1 or LM authentication.yml | 1 -
 ...ontrollers with UPN certificate mapping enabled.yml | 1 -
 ...ntrollers with weak certificate binding enabled.yml | 1 -
 queries/Domain migration groups.yml | 1 -
 ...ns affected by AdPrep privilege escalation risk.yml | 1 -
 ... affected by Exchange privilege escalation risk.yml | 1 -
 ...mains allowing authenticated domain enumeration.yml | 1 -
 ...Domains allowing unauthenticated NSPI RPC binds.yml | 1 -
 ...ins allowing unauthenticated domain enumeration.yml | 1 -
 ...wing unauthenticated rootDSE searches and binds.yml | 1 -
 ...rivileged groups from AdminSDHolder protections.yml | 1 -
 queries/Domains not mitigating CVE-2021-42291.yml | 1 -
 .../Domains not verifying UPN and SPN uniqueness.yml | 1 -
 ...here any user can join a computer to the domain.yml | 7 +++++--
 queries/Domains with List Object mode enabled.yml | 1 -
 ... 
password policy length less than 15 characters.yml | 7 +++++--
 ...ith a single-point-of-failure Domain Controller.yml | 1 -
 ...ns with functional level not the latest version.yml | 10 ++++------
 .../Domains with more than 50 Tier Zero accounts.yml | 1 -
 ...nts where smart account passwords do not expire.yml | 1 -
 queries/Domains without Microsoft LAPS computers.yml | 1 -
 queries/Domains without Protected Users group.yml | 1 -
 queries/ESC8-vulnerable Enterprise CAs.yml | 1 -
 ...Zero High Value principals inactive for 60 days.yml | 1 -
 queries/Enabled built-in guest user accounts.yml | 1 -
 ... inactive for 180 days - MSSQL Failover Cluster.yml | 1 -
 queries/Enabled computers inactive for 180 days.yml | 1 -
 queries/Enabled users inactive for 180 days.yml | 1 -
 ...lment rights on CertTemplates with OIDGroupLink.yml | 1 -
 ...o Enterprise CA with User Specified SAN enabled.yml | 1 -
 ... rights on published ESC1 certificate templates.yml | 1 -
 ...rights on published ESC15 certificate templates.yml | 1 -
 ... 
rights on published ESC2 certificate templates.yml | 1 -
 ...ertificate templates with no security extension.yml | 1 -
 ...lment rights on published certificate templates.yml | 1 -
 ...ublished enrollment agent certificate templates.yml | 1 -
 ...SO accounts not rolling Kerberos decryption key.yml | 1 -
 ...from On-Prem Users added to Domain Admins group.yml | 1 -
 ...eign principals in Tier Zero High Value targets.yml | 1 -
 ...ounts with passwords not rotated in over 1 year.yml | 1 -
 ...oastable members of Tier Zero High Value groups.yml | 1 -
 ...Kerberoastable users with most admin privileges.yml | 1 -
 ...ervice account member of built-in Admins groups.yml | 1 -
 ...service accounts without AES encryption support.yml | 1 -
 ...rge default group added to computer-local group.yml | 1 -
 ...rge default groups with outbound control of OUs.yml | 1 -
 queries/Large default groups with outbound control.yml | 1 -
 queries/Locations of Tier Zero High Value objects.yml | 1 -
 queries/Map Azure Management structure.yml | 1 -
 queries/Map OU structure.yml | 1 -
 queries/Map domain trusts.yml | 1 -
 ...bers of Allowed RODC Password Replication Group.yml | 1 -
 ...unts with passwords not rotated in over 90 days.yml | 1 -
 queries/Nested groups within Tier Zero High Value.yml | 1 -
 .../Non-Tier Zero account with 'Admin Count' flag.yml | 1 -
 .../Non-Tier Zero account with excessive control.yml | 7 +++++--
 ...Tier Zero account with unconstrained delegation.yml | 1 -
 ...accounts with SID History of Tier Zero accounts.yml | 1 -
 ...th BadSuccessor rights (no prerequisites check).yml | 1 -
 ... 
BadSuccessor rights (with prerequisites check).yml | 1 -
 ...r Zero principals with control of AdminSDHolder.yml | 1 -
 ...on-default delegation on MicrosoftDNS container.yml | 1 -
 ...t members in Pre-Windows 2000 Compatible Access.yml | 1 -
 ...Non-default permissions on IssuancePolicy nodes.yml | 1 -
 queries/Object name conflict.yml | 1 -
 ...rs synced to Entra Users that Own Entra Objects.yml | 1 -
 ...ced to Entra Users with Azure RM Roles (direct).yml | 1 -
 ...tra Users with Azure RM Roles (group delegated).yml | 1 -
 ... to Entra Users with Entra Admin Roles (direct).yml | 1 -
 ... Users with Entra Admin Roles (group delegated).yml | 1 -
 ...nced to Entra Users with Entra Group Membership.yml | 1 -
 ...Overprivileged Microsoft Entra Connect accounts.yml | 1 -
 queries/PKI hierarchy.yml | 1 -
 ...om Domain Users to Tier Zero High Value targets.yml | 1 -
 queries/Principal with SPN keyword.yml | 1 -
 queries/Principals with DCSync privileges.yml | 1 -
 ...rincipals with DES-only Kerberos authentication.yml | 1 -
 ...Principals with foreign domain group membership.yml | 1 -
 ...th passwords stored using reversible encryption.yml | 1 -
 ...s with weak supported Kerberos encryption types.yml | 1 -
 queries/Public Key Services container.yml | 1 -
 queries/Servers where Domain Users can RDP.yml | 1 -
 queries/Sessions across trusts.yml | 1 -
 ...re Applications to Tier Zero High Value targets.yml | 1 -
 ...om Domain Users to Tier Zero High Value targets.yml | 1 -
 ...rom Entra Users to Tier Zero High Value targets.yml | 1 -
 .../Shortest paths from Owned objects to Tier Zero.yml | 1 -
 queries/Shortest paths from Owned objects.yml | 1 -
 queries/Shortest paths to Azure Subscriptions.yml | 1 -
 ...aths to Domain Admins from Kerberoastable users.yml | 1 -
 queries/Shortest paths to Domain Admins.yml | 1 -
 .../Shortest paths to Tier Zero High Value targets.yml | 1 -
 queries/Shortest paths to privileged roles.yml | 1 -
 ...to systems trusted for unconstrained delegation.yml | 1 -
 ...ounts with 
passwords not rotated in over 1 year.yml | 1 -
 ...r Zero AD principals synchronized with Entra ID.yml | 1 -
 ...d users not requiring smart card authentication.yml | 1 -
 .../Tier Zero High Value external Entra ID users.yml | 1 -
 ...ro High Value users with non-expiring passwords.yml | 1 -
 ...mbers of Denied RODC Password Replication Group.yml | 1 -
 queries/Tier Zero accounts that can be delegated.yml | 1 -
 ...ero computers at risk of constrained delegation.yml | 1 -
 ...t risk of resource-based constrained delegation.yml | 1 -
 queries/Tier Zero computers not owned by Tier Zero.yml | 1 -
 ...ero computers not requiring inbound SMB signing.yml | 1 -
 ...rds older than the default maximum password age.yml | 1 -
 .../Tier Zero computers with the WebClient running.yml | 1 -
 ...ro computers with unsupported operating systems.yml | 1 -
 .../Tier Zero users not member of Protected Users.yml | 1 -
 queries/Tier Zero users with email.yml | 1 -
 ...users with passwords not rotated in over 1 year.yml | 1 -
 queries/Trace ACE inheritance.yml | 1 -
 queries/Unresolved SID with outbound control.yml | 1 -
 .../Usage of built-in domain Administrator account.yml | 1 -
 ...s which do not require password to authenticate.yml | 1 -
 ...s with logon scripts stored in a trusted domain.yml | 1 -
 ...Users with non-default Primary Group membership.yml | 1 -
 queries/Users with non-expiring passwords.yml | 1 -
 ...Users with passwords not rotated in over 1 year.yml | 1 -
 queries/Workstations where Domain Users can RDP.yml | 1 -
 tests/schema.py | 1 -
 163 files changed, 19 insertions(+), 171 deletions(-)
diff --git a/docs/query-structure.yml b/docs/query-structure.yml
index 2ab6317..a1cee12 100644
--- a/docs/query-structure.yml
+++ b/docs/query-structure.yml
@@ -13,7 +13,6 @@ query: |-
 // My clean and well-commented Cypher query
 MATCH p = (b:BloodHoundUsers) - [h:ThinkIn] -> (e:Graphs)
 RETURN p
-note: Note meant to be stored only in the yml file.
 revision: 1 # Version number integer starting at 1.
 resources: # URL references, for example related to Acknowledgements.
 # Use a list for multiple Resources:
diff --git a/queries/ACEs across trusts.yml b/queries/ACEs across trusts.yml
index 364fd7c..08e633b 100644
--- a/queries/ACEs across trusts.yml
+++ b/queries/ACEs across trusts.yml
@@ -10,7 +10,6 @@ query: |-
 AND r.isacl
 RETURN p
 LIMIT 1000
-note:
 revision: 1
 resources:
 acknowledgements: Martin Sohn Christensen, @martinsohndk
diff --git a/queries/AS-REP Roastable Tier Zero users (DontReqPreAuth).yml b/queries/AS-REP Roastable Tier Zero users (DontReqPreAuth).yml
index 0333f1c..bc11168 100644
--- a/queries/AS-REP Roastable Tier Zero users (DontReqPreAuth).yml
+++ b/queries/AS-REP Roastable Tier Zero users (DontReqPreAuth).yml
@@ -9,7 +9,6 @@ query: |-
 WHERE ((n:Tag_Tier_Zero) OR COALESCE(n.system_tags, '') CONTAINS 'admin_tier_0')
 AND n.dontreqpreauth = true
 RETURN n
-note:
 revision: 1
 resources: https://attack.mitre.org/techniques/T1558/004/
 acknowledgements: Martin Sohn Christensen, @martinsohndk
diff --git a/queries/AS-REP Roastable users (DontReqPreAuth).yml b/queries/AS-REP Roastable users (DontReqPreAuth).yml
index 7dd19da..36e4e4c 100644
--- a/queries/AS-REP Roastable users (DontReqPreAuth).yml
+++ b/queries/AS-REP Roastable users (DontReqPreAuth).yml
@@ -10,7 +10,6 @@ query: |-
 AND u.enabled = true
 RETURN u
 LIMIT 100
-note:
 revision: 1
 resources: https://attack.mitre.org/techniques/T1558/004/
 acknowledgements:
diff --git a/queries/Accounts with SID History to a non-existent domain.yml b/queries/Accounts with SID History to a non-existent domain.yml
index 942afb0..991a358 100644
--- a/queries/Accounts with SID History to a non-existent domain.yml
+++ b/queries/Accounts with SID History to a non-existent domain.yml
@@ -10,7 +10,6 @@ query: |-
 MATCH p=(n:Base)-[:HasSIDHistory]->(m:Base)
 WHERE NOT n.domainsid IN domainSIDs
 RETURN p
-note:
 revision: 1
 resources:
 acknowledgements: Martin Sohn Christensen, @martinsohndk
diff --git a/queries/Accounts with SID History to a same-domain account.yml b/queries/Accounts with SID History to a same-domain account.yml
index 7060814..5a244ed 100644
--- a/queries/Accounts with SID History to a same-domain account.yml
+++ b/queries/Accounts with SID History to a same-domain account.yml
@@ -8,7 +8,6 @@ query: |-
 MATCH p=(n:Base)-[:HasSIDHistory]->(m:Base)
 WHERE n.domainsid = m.domainsid
 RETURN p
-note:
 revision: 1
 resources:
 acknowledgements: Martin Sohn Christensen, @martinsohndk
diff --git a/queries/Accounts with SID History.yml b/queries/Accounts with SID History.yml
index 3263635..1528745 100644
--- a/queries/Accounts with SID History.yml
+++ b/queries/Accounts with SID History.yml
@@ -7,7 +7,6 @@ description:
 query: |-
 MATCH p=(:Base)-[:HasSIDHistory]->(:Base)
 RETURN p
-note:
 revision: 1
 resources:
 acknowledgements: Martin Sohn Christensen, @martinsohndk
diff --git a/queries/Accounts with clear-text password attributes.yml b/queries/Accounts with clear-text password attributes.yml
index 6c5fe62..ff6cacd 100644
--- a/queries/Accounts with clear-text password attributes.yml
+++ b/queries/Accounts with clear-text password attributes.yml
@@ -11,7 +11,6 @@ query: |-
 OR n.unicodepwd IS NOT NULL
 OR n.msSFU30Password IS NOT NULL
 RETURN n
-note:
 revision: 1
 resources:
 acknowledgements: Martin Sohn Christensen, @martinsohndk
diff --git a/queries/Accounts with weak password storage encryption.yml b/queries/Accounts with weak password storage encryption.yml
index 0810373..5091caf 100644
--- a/queries/Accounts with weak password storage encryption.yml
+++ b/queries/Accounts with weak password storage encryption.yml
@@ -12,7 +12,6 @@ query: |-
 AND n.pwdlastset < g.whencreated
 RETURN n
 LIMIT 100
-note:
 revision: 1
 resources: https://techcommunity.microsoft.com/blog/coreinfrastructureandsecurityblog/decrypting-the-selection-of-supported-kerberos-encryption-types/1628797
 acknowledgements: Martin Sohn Christensen, @martinsohndk
diff --git a/queries/AdminSDHolder protected Accounts and Groups.yml b/queries/AdminSDHolder protected Accounts and Groups.yml
index 102696a..35bc2b4 100644
--- a/queries/AdminSDHolder protected Accounts and Groups.yml
+++ b/queries/AdminSDHolder protected Accounts and Groups.yml
@@ -12,7 +12,6 @@ query: |-
 OR n.objectid =~ ".*-(500|502|516|521)$" // Direct objects
 )
 RETURN n
-note:
 revision: 1
 resources:
 - https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-adts/a0d0b4fa-2895-4c64-b182-ba64ad0f84b8
diff --git a/queries/All ADCS ESC privilege escalation edges.yml b/queries/All ADCS ESC privilege escalation edges.yml
index 574ec1e..71fad93 100644
--- a/queries/All ADCS ESC privilege escalation edges.yml
+++ b/queries/All ADCS ESC privilege escalation edges.yml
@@ -7,7 +7,6 @@ description:
 query: |-
 MATCH p=(:Base)-[:ADCSESC1|ADCSESC3|ADCSESC4|ADCSESC6a|ADCSESC6b|ADCSESC9a|ADCSESC9b|ADCSESC10a|ADCSESC10b|ADCSESC13|GoldenCert|CoerceAndRelayNTLMToADCS]->(:Base)
 RETURN p
-note:
 revision: 1
 resources:
 - https://posts.specterops.io/certified-pre-owned-d95910965cd2
diff --git a/queries/All DNSAdmins.yml b/queries/All DNSAdmins.yml
index 0ba9588..243b914 100644
--- a/queries/All DNSAdmins.yml
+++ b/queries/All DNSAdmins.yml
@@ -8,7 +8,6 @@ query: |-
 MATCH p=(n:Base)-[:MemberOf]->(g:Group)
 WHERE n.name STARTS WITH "DNSADMINS@"
 RETURN p
-note:
 revision: 1
 resources:
 acknowledgements: Martin Sohn Christensen, @martinsohndk
diff --git a/queries/All Domain Admins.yml b/queries/All Domain Admins.yml
index e473090..f3671e2 100644
--- a/queries/All Domain Admins.yml
+++ b/queries/All Domain Admins.yml
@@ -9,7 +9,6 @@ query: |-
 WHERE (a:User or a:Computer) and t.objectid ENDS WITH '-512'
 RETURN p
 LIMIT 1000
-note:
 revision: 1
 resources:
 acknowledgements:
diff --git a/queries/All Global Administrators.yml b/queries/All Global Administrators.yml
index 99b573f..7077923 100644
--- a/queries/All Global Administrators.yml
+++ b/queries/All Global Administrators.yml
@@ -8,7 +8,6 @@ query: |-
 MATCH p = (:AZBase)-[:AZGlobalAdmin*1..]->(:AZTenant)
 RETURN p
 LIMIT 1000
-note:
 revision: 1
 resources:
 acknowledgements:
diff --git a/queries/All Kerberoastable users.yml b/queries/All Kerberoastable users.yml
index 065247b..9942a71 100644
--- a/queries/All Kerberoastable users.yml
+++ b/queries/All Kerberoastable users.yml
@@ -13,7 +13,6 @@ query: |-
 AND NOT COALESCE(u.msa, false) = true
 RETURN u
 LIMIT 100
-note:
 revision: 1
 resources: https://attack.mitre.org/techniques/T1558/003/
 acknowledgements:
diff --git a/queries/All Operator groups.yml b/queries/All Operator groups.yml
index a1cf9ff..4dbdcb9 100644
--- a/queries/All Operator groups.yml
+++ b/queries/All Operator groups.yml
@@ -16,7 +16,6 @@ query: |-
 n.objectid ENDS WITH 'S-1-5-32-550' // Print Operators
 )
 RETURN p
-note:
 revision: 1
 resources:
 acknowledgements: Martin Sohn Christensen, @martinsohndk
diff --git a/queries/All Schema Admins.yml b/queries/All Schema Admins.yml
index a3bb08f..a2b14e8 100644
--- a/queries/All Schema Admins.yml
+++ b/queries/All Schema Admins.yml
@@ -9,7 +9,6 @@ query: |-
 WHERE (n:User OR n:Computer)
 AND m.objectid ENDS WITH "-518" // Schema Admins
 RETURN p
-note:
 revision: 1
 resources:
 acknowledgements: Martin Sohn Christensen, @martinsohndk
diff --git a/queries/All coerce and NTLM relay edges.yml b/queries/All coerce and NTLM relay edges.yml
index b7d3dc6..9f68ae7 100644
--- a/queries/All coerce and NTLM relay edges.yml
+++ b/queries/All coerce and NTLM relay edges.yml
@@ -7,7 +7,6 @@ description:
 query: |-
 MATCH p = (n:Base)-[:CoerceAndRelayNTLMToLDAP|CoerceAndRelayNTLMToLDAPS|CoerceAndRelayNTLMToADCS|CoerceAndRelayNTLMToSMB]->(:Base) RETURN p LIMIT 500
-note:
 revision: 1
 resources: https://specterops.io/blog/2025/04/08/the-renaissance-of-ntlm-relay-attacks-everything-you-need-to-know/
 acknowledgements:
diff --git a/queries/All incoming and local paths for a specific computer.yml b/queries/All incoming and local paths for a specific computer.yml
index 411ae80..e5604cf 100644
--- a/queries/All incoming and local paths for a specific computer.yml
+++ b/queries/All incoming and local paths for a specific computer.yml
@@ -10,7 +10,6 @@ query: |-
 WHERE m.name CONTAINS 'HOSTNAME'
 AND m.name CONTAINS '.' // Only see computer-related objects (eg. not AD Groups)
 RETURN p
-note:
 revision: 1
 resources:
 acknowledgements: Martin Sohn Christensen, @martinsohndk
diff --git a/queries/All members of high privileged roles.yml b/queries/All members of high privileged roles.yml
index 0d4d1d2..b056e28 100644
--- a/queries/All members of high privileged roles.yml
+++ b/queries/All members of high privileged roles.yml
@@ -9,7 +9,6 @@ query: |-
 WHERE t.name =~ '(?i)Global Administrator|User Administrator|Cloud Application Administrator|Authentication Policy Administrator|Exchange Administrator|Helpdesk Administrator|Privileged Authentication Administrator'
 RETURN p
 LIMIT 1000
-note:
 revision: 1
 resources:
 acknowledgements:
diff --git a/queries/All paths crossing a specific trust.yml b/queries/All paths crossing a specific trust.yml
index 573fce6..3a2372e 100644
--- a/queries/All paths crossing a specific trust.yml
+++ b/queries/All paths crossing a specific trust.yml
@@ -12,7 +12,6 @@ query: |-
 AND Trusting.domainsid = 'S-1-5-21-2222222222-2222222222-2222222222'
 RETURN p
 LIMIT 1000
-note:
 revision: 1
 resources:
 acknowledgements: Martin Sohn Christensen, @martinsohndk 
diff --git a/queries/All service principals with Microsoft Graph App Role assignments.yml b/queries/All service principals with Microsoft Graph App Role assignments.yml
index d941ac4..f8a28e2 100644
--- a/queries/All service principals with Microsoft Graph App Role assignments.yml
+++ b/queries/All service principals with Microsoft Graph App Role assignments.yml
@@ -8,7 +8,6 @@ query: |-
 MATCH p=(:AZServicePrincipal)-[:AZMGAppRoleAssignment_ReadWrite_All|AZMGApplication_ReadWrite_All|AZMGDirectory_ReadWrite_All|AZMGGroupMember_ReadWrite_All|AZMGGroup_ReadWrite_All|AZMGRoleManagement_ReadWrite_Directory|AZMGServicePrincipalEndpoint_ReadWrite_All]->(:AZServicePrincipal)
 RETURN p
 LIMIT 1000
-note:
 revision: 1
 resources:
 acknowledgements:
diff --git a/queries/All service principals with Microsoft Graph privilege to grant arbitrary App Roles.yml b/queries/All service principals with Microsoft Graph privilege to grant arbitrary App Roles.yml
index bcd4eec..88babe1 100644
--- a/queries/All service principals with Microsoft Graph privilege to grant arbitrary App Roles.yml
+++ b/queries/All service principals with Microsoft Graph privilege to grant arbitrary App Roles.yml
@@ -8,7 +8,6 @@ query: |-
 MATCH p=(:AZServicePrincipal)-[:AZMGGrantAppRoles]->(:AZTenant)
 RETURN p
 LIMIT 1000
-note:
 revision: 1
 resources:
 acknowledgements:
diff --git a/queries/CA administrators and CA managers.yml b/queries/CA administrators and CA managers.yml
index bbc4f91..318e59b 100644
--- a/queries/CA administrators and CA managers.yml
+++ b/queries/CA administrators and CA managers.yml
@@ -8,7 +8,6 @@ query: |-
 MATCH p = (:Base)-[:ManageCertificates|ManageCA]->(:EnterpriseCA)
 RETURN p
 LIMIT 1000
-note:
 revision: 1
 resources:
 acknowledgements:
diff --git a/queries/Computer owners who can obtain LAPS passwords.yml b/queries/Computer owners who can obtain LAPS passwords.yml
index a035f03..8fd33ee 100644
--- a/queries/Computer owners who can obtain LAPS passwords.yml 
+++ b/queries/Computer owners who can obtain LAPS passwords.yml
@@ -8,7 +8,6 @@ query: |-
 MATCH p = (c:Computer)<-[:GenericAll|Owns|WriteDacl|WriteOwner|AllExtendedRights]-(n:User)
 WHERE c.haslaps = true AND c.ownersid = n.objectid
 RETURN p
-note:
 revision: 1
 resources:
 acknowledgements: Martin Sohn Christensen, @martinsohndk
diff --git a/queries/Computers not requiring inbound SMB signing.yml b/queries/Computers not requiring inbound SMB signing.yml
index 319bc0e..e888fab 100644
--- a/queries/Computers not requiring inbound SMB signing.yml
+++ b/queries/Computers not requiring inbound SMB signing.yml
@@ -8,7 +8,6 @@ query: |-
 MATCH (n:Computer)
 WHERE n.smbsigning = False
 RETURN n
-note:
 revision: 1
 resources:
 acknowledgements:
diff --git a/queries/Computers where Domain Users are local administrators.yml b/queries/Computers where Domain Users are local administrators.yml
index a427de9..4f215ff 100644
--- a/queries/Computers where Domain Users are local administrators.yml
+++ b/queries/Computers where Domain Users are local administrators.yml
@@ -9,7 +9,6 @@ query: |-
 WHERE s.objectid ENDS WITH '-513'
 RETURN p
 LIMIT 1000
-note:
 revision: 1
 resources:
 acknowledgements:
diff --git a/queries/Computers where Domain Users can read LAPS passwords.yml b/queries/Computers where Domain Users can read LAPS passwords.yml
index 6c8200c..67f6ea3 100644
--- a/queries/Computers where Domain Users can read LAPS passwords.yml
+++ b/queries/Computers where Domain Users can read LAPS passwords.yml
@@ -9,7 +9,6 @@ query: |-
 WHERE s.objectid ENDS WITH '-513'
 RETURN p
 LIMIT 1000
-note:
 revision: 1
 resources:
 acknowledgements:
diff --git a/queries/Computers with membership in Protected Users.yml b/queries/Computers with membership in Protected Users.yml
index 09eaf2b..4fb7a4d 100644
--- a/queries/Computers with membership in Protected Users.yml
+++ b/queries/Computers with membership in Protected Users.yml
@@ -8,7 +8,6 @@ query: |-
 MATCH p = (:Base)-[:MemberOf*1..]->(g:Group) WHERE g.objectid ENDS WITH "-525" RETURN p LIMIT 1000
-note:
 revision: 1
 resources:
 acknowledgements:
diff --git a/queries/Computers with non-default Primary Group membership.yml b/queries/Computers with non-default Primary Group membership.yml
index d5cc418..384d31b 100644
--- a/queries/Computers with non-default Primary Group membership.yml
+++ b/queries/Computers with non-default Primary Group membership.yml
@@ -11,7 +11,6 @@ query: |-
 AND NOT g.objectid ENDS WITH "-521" // Read-Only Domain Controllers
 AND r.isprimarygroup = true
 RETURN p
-note:
 revision: 1
 resources:
 acknowledgements: Martin Sohn Christensen, @martinsohndk
diff --git a/queries/Computers with passwords older than the default maximum password age.yml b/queries/Computers with passwords older than the default maximum password age.yml
index 6435bc8..591ea30 100644
--- a/queries/Computers with passwords older than the default maximum password age.yml
+++ b/queries/Computers with passwords older than the default maximum password age.yml
@@ -13,7 +13,6 @@ query: |-
 AND n.lastlogontimestamp > (datetime().epochseconds - (rotation_period * 86400)) // active computers (Replicated value)
 AND n.lastlogon > (datetime().epochseconds - (rotation_period * 86400)) // active computers (Non-replicated value)
 RETURN n
-note:
 revision: 1
 resources: https://learn.microsoft.com/en-us/troubleshoot/windows-server/windows-security/disable-machine-account-password
 acknowledgements: Martin Sohn Christensen, @martinsohndk
diff --git a/queries/Computers with the WebClient running.yml b/queries/Computers with the WebClient running.yml
index dcf3f5f..8f7912b 100644
--- a/queries/Computers with the WebClient running.yml
+++ b/queries/Computers with the WebClient running.yml
@@ -8,7 +8,6 @@ query: |-
 MATCH (c:Computer) WHERE c.webclientrunning = True RETURN c LIMIT 1000
-note:
 revision: 1
 resources:
 acknowledgements: 
diff --git a/queries/Computers with the outgoing NTLM setting set to Deny all.yml b/queries/Computers with the outgoing NTLM setting set to Deny all.yml
index 52bf176..6cc3ed5 100644
--- a/queries/Computers with the outgoing NTLM setting set to Deny all.yml
+++ b/queries/Computers with the outgoing NTLM setting set to Deny all.yml
@@ -8,7 +8,6 @@ query: |-
 MATCH (c:Computer) WHERE c.restrictoutboundntlm = True RETURN c LIMIT 1000
-note:
 revision: 1
 resources:
 acknowledgements:
diff --git a/queries/Computers with unsupported operating systems.yml b/queries/Computers with unsupported operating systems.yml
index ef5d794..48c606e 100644
--- a/queries/Computers with unsupported operating systems.yml
+++ b/queries/Computers with unsupported operating systems.yml
@@ -9,7 +9,6 @@ query: |-
 WHERE c.operatingsystem =~ '(?i).*Windows.* (2000|2003|2008|2012|xp|vista|7|8|me|nt).*'
 RETURN c
 LIMIT 100
-note:
 revision: 1
 resources:
 acknowledgements:
diff --git a/queries/Computers without Windows LAPS.yml b/queries/Computers without Windows LAPS.yml
index dc26d0b..befbebe 100644
--- a/queries/Computers without Windows LAPS.yml
+++ b/queries/Computers without Windows LAPS.yml
@@ -11,7 +11,6 @@ query: |-
 AND c.enabled = true
 RETURN c
 LIMIT 100
-note:
 revision: 1
 resources: https://learn.microsoft.com/en-us/windows-server/identity/laps/laps-overview
 acknowledgements: Martin Sohn Christensen, @martinsohndk
diff --git a/queries/Cross-forest trusts with abusable configuration.yml b/queries/Cross-forest trusts with abusable configuration.yml
index 578bdc5..3f4c9ca 100644
--- a/queries/Cross-forest trusts with abusable configuration.yml
+++ b/queries/Cross-forest trusts with abusable configuration.yml
@@ -8,7 +8,6 @@ query: |-
 MATCH p=(n:Domain)-[:CrossForestTrust|SpoofSIDHistory|AbuseTGTDelegation]-(m:Domain)
 WHERE (n)-[:SpoofSIDHistory|AbuseTGTDelegation]-(m)
 RETURN p
-note:
 revision: 1
 resources:
 acknowledgements: 
diff --git a/queries/DCs vulnerable to NTLM relay to LDAP attacks.yml b/queries/DCs vulnerable to NTLM relay to LDAP attacks.yml
index ac0a9e2..e05a10c 100644
--- a/queries/DCs vulnerable to NTLM relay to LDAP attacks.yml
+++ b/queries/DCs vulnerable to NTLM relay to LDAP attacks.yml
@@ -10,7 +10,6 @@ query: |-
 OR (dc.ldapsavailable = True AND dc.ldapsepa = False)
 OR (dc.ldapavailable = True AND dc.ldapsavailable = True AND dc.ldapsigning = False and dc.ldapsepa = True)
 RETURN p
-note:
 revision: 1
 resources:
 acknowledgements:
diff --git a/queries/Dangerous privileges for Domain Users groups.yml b/queries/Dangerous privileges for Domain Users groups.yml
index b4d5c89..fe0c178 100644
--- a/queries/Dangerous privileges for Domain Users groups.yml
+++ b/queries/Dangerous privileges for Domain Users groups.yml
@@ -9,7 +9,6 @@ query: |-
 WHERE s.objectid ENDS WITH '-513'
 RETURN p
 LIMIT 1000
-note:
 revision: 1
 resources:
 acknowledgements:
diff --git a/queries/Devices with unsupported operating systems.yml b/queries/Devices with unsupported operating systems.yml
index 5c565e1..5cd4a24 100644
--- a/queries/Devices with unsupported operating systems.yml
+++ b/queries/Devices with unsupported operating systems.yml
@@ -10,7 +10,6 @@ query: |-
 AND n.operatingsystemversion =~ '(10.0.19044|10.0.22000|10.0.19043|10.0.19042|10.0.19041|10.0.18363|10.0.18362|10.0.17763|10.0.17134|10.0.16299|10.0.15063|10.0.14393|10.0.10586|10.0.10240|6.3.9600|6.2.9200|6.1.7601|6.0.6200|5.1.2600|6.0.6003|5.2.3790|5.0.2195).?.*'
 RETURN n
 LIMIT 100
-note:
 revision: 1
 resources:
 acknowledgements:
diff --git a/queries/Disabled Tier Zero High Value principals - AD.yml b/queries/Disabled Tier Zero High Value principals - AD.yml
index 3737895..c1ce266 100644
--- a/queries/Disabled Tier Zero High Value principals - AD.yml
+++ b/queries/Disabled Tier Zero High Value principals - AD.yml
@@ -12,7 +12,6 @@ query: |-
 AND NOT n.objectid ENDS WITH '-500' // Removes false positive, built-in Administrator
 RETURN n
 LIMIT 100
-note:
 revision: 1
 resources:
 acknowledgements:
diff --git a/queries/Disabled Tier Zero High Value principals - AZ.yml b/queries/Disabled Tier Zero High Value principals - AZ.yml
index e5631aa..d3f0899 100644
--- a/queries/Disabled Tier Zero High Value principals - AZ.yml
+++ b/queries/Disabled Tier Zero High Value principals - AZ.yml
@@ -10,7 +10,6 @@ query: |-
 AND n.enabled = false
 RETURN n
 LIMIT 100
-note:
 revision: 1
 resources:
 acknowledgements:
diff --git a/queries/Domain Admins logons to non-Domain Controllers.yml b/queries/Domain Admins logons to non-Domain Controllers.yml
index a32618d..8045f06 100644
--- a/queries/Domain Admins logons to non-Domain Controllers.yml
+++ b/queries/Domain Admins logons to non-Domain Controllers.yml
@@ -12,7 +12,6 @@ query: |-
 WHERE g.objectid ENDS WITH '-512' AND NOT c IN exclude RETURN p LIMIT 1000
-note:
 revision: 1
 resources:
 acknowledgements:
diff --git a/queries/Domain Controllers allowing NTLMv1 or LM authentication.yml b/queries/Domain Controllers allowing NTLMv1 or LM authentication.yml
index de21eaf..1122ea0 100644
--- a/queries/Domain Controllers allowing NTLMv1 or LM authentication.yml
+++ b/queries/Domain Controllers allowing NTLMv1 or LM authentication.yml
@@ -9,7 +9,6 @@ query: |-
 WHERE dc.isdc = true
 AND (dc.lmcompatibilitylevel IS NOT NULL AND NOT dc.lmcompatibilitylevel = 5)
 RETURN dc
-note:
 revision: 1
 resources:
 acknowledgements: Martin Sohn Christensen, @martinsohndk
diff --git a/queries/Domain controllers with UPN certificate mapping enabled.yml b/queries/Domain controllers with UPN certificate mapping enabled.yml
index c90cca4..bf8ebe2 100644
--- a/queries/Domain controllers with UPN certificate mapping enabled.yml
+++ b/queries/Domain controllers with UPN certificate mapping enabled.yml
@@ -9,7 +9,6 @@ query: |- WHERE s.certificatemappingmethodsraw IN [4, 5, 6, 7, 12, 13, 14, 15, 20, 21, 22, 23, 28, 29, 30, 31] RETURN p LIMIT 1000 -note: revision: 1 resources: - https://support.microsoft.com/en-us/topic/kb5014754-certificate-based-authentication-changes-on-windows-domain-controllers-ad2c23b0-15d8-4340-a468-4d4f3b188f16 diff --git a/queries/Domain controllers with weak certificate binding enabled.yml b/queries/Domain controllers with weak certificate binding enabled.yml index 6c40331..c83fc68 100644 --- a/queries/Domain controllers with weak certificate binding enabled.yml +++ b/queries/Domain controllers with weak certificate binding enabled.yml @@ -9,7 +9,6 @@ query: |- WHERE s.strongcertificatebindingenforcementraw = 0 OR s.strongcertificatebindingenforcementraw = 1 RETURN p LIMIT 1000 -note: revision: 1 resources: acknowledgements: diff --git a/queries/Domain migration groups.yml b/queries/Domain migration groups.yml index 3350622..298295d 100644 --- a/queries/Domain migration groups.yml +++ b/queries/Domain migration groups.yml @@ -8,7 +8,6 @@ query: |- MATCH (n:Group) WHERE n.name CONTAINS "$$$@" RETURN n -note: revision: 1 resources: acknowledgements: Martin Sohn Christensen, @martinsohndk diff --git a/queries/Domains affected by AdPrep privilege escalation risk.yml b/queries/Domains affected by AdPrep privilege escalation risk.yml index 48a700e..694d2a8 100644 --- a/queries/Domains affected by AdPrep privilege escalation risk.yml +++ b/queries/Domains affected by AdPrep privilege escalation risk.yml @@ -9,7 +9,6 @@ query: |- WHERE n.objectid ENDS WITH "-527" // Enterprise Key Admins AND NOT ((n:Tag_Tier_Zero) OR COALESCE(n.system_tags, '') CONTAINS 'admin_tier_0') RETURN p -note: revision: 1 resources: acknowledgements: Martin Sohn Christensen, @martinsohndk diff --git a/queries/Domains affected by Exchange privilege escalation risk.yml b/queries/Domains affected by Exchange privilege escalation risk.yml index 77e5bfe..5cd948a 100644 
--- a/queries/Domains affected by Exchange privilege escalation risk.yml +++ b/queries/Domains affected by Exchange privilege escalation risk.yml @@ -9,7 +9,6 @@ query: |- WHERE n.name STARTS WITH "EXCHANGE " AND ((m:Tag_Tier_Zero) OR COALESCE(m.system_tags, '') CONTAINS 'admin_tier_0') RETURN p -note: revision: 1 resources: acknowledgements: Martin Sohn Christensen, @martinsohndk diff --git a/queries/Domains allowing authenticated domain enumeration.yml b/queries/Domains allowing authenticated domain enumeration.yml index 3514ff1..bf181a1 100644 --- a/queries/Domains allowing authenticated domain enumeration.yml +++ b/queries/Domains allowing authenticated domain enumeration.yml @@ -9,7 +9,6 @@ query: |- WHERE n.objectid ENDS WITH "S-1-5-11" // Authenticated Users AND m.objectid ENDS WITH "S-1-5-32-554" // Pre-Windows 2000 Compatible Access RETURN p -note: revision: 1 resources: acknowledgements: Martin Sohn Christensen, @martinsohndk diff --git a/queries/Domains allowing unauthenticated NSPI RPC binds.yml b/queries/Domains allowing unauthenticated NSPI RPC binds.yml index ed4fb63..a41cf05 100644 --- a/queries/Domains allowing unauthenticated NSPI RPC binds.yml +++ b/queries/Domains allowing unauthenticated NSPI RPC binds.yml @@ -8,7 +8,6 @@ query: |- MATCH (n:Domain) WHERE n.dsheuristics =~ ".{7}[^0].*" RETURN n -note: revision: 1 resources: https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-adts/e5899be4-862e-496f-9a38-33950617d2c5 acknowledgements: Martin Sohn Christensen, @martinsohndk diff --git a/queries/Domains allowing unauthenticated domain enumeration.yml b/queries/Domains allowing unauthenticated domain enumeration.yml index dde5829..1373d6c 100644 --- a/queries/Domains allowing unauthenticated domain enumeration.yml +++ b/queries/Domains allowing unauthenticated domain enumeration.yml 
@@ -10,7 +10,6 @@ query: |- OR n.objectid ENDS WITH "S-1-1-0") // Everyone AND m.objectid ENDS WITH "S-1-5-32-554" // Pre-Windows 2000 Compatible Access RETURN p -note: revision: 1 resources: acknowledgements: Martin Sohn Christensen, @martinsohndk diff --git a/queries/Domains allowing unauthenticated rootDSE searches and binds.yml b/queries/Domains allowing unauthenticated rootDSE searches and binds.yml index b1cecf1..68edf90 100644 --- a/queries/Domains allowing unauthenticated rootDSE searches and binds.yml +++ b/queries/Domains allowing unauthenticated rootDSE searches and binds.yml @@ -8,7 +8,6 @@ query: |- MATCH (n:Domain) WHERE n.dsheuristics =~ ".{6}[^2].*" RETURN n -note: revision: 1 resources: https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-adts/e5899be4-862e-496f-9a38-33950617d2c5 acknowledgements: Martin Sohn Christensen, @martinsohndk diff --git a/queries/Domains exempting privileged groups from AdminSDHolder protections.yml b/queries/Domains exempting privileged groups from AdminSDHolder protections.yml index 2aaec66..adff7a2 100644 --- a/queries/Domains exempting privileged groups from AdminSDHolder protections.yml +++ b/queries/Domains exempting privileged groups from AdminSDHolder protections.yml @@ -8,7 +8,6 @@ query: |- MATCH (n:Domain) WHERE n.dsheuristics =~ ".{15}[^0].*" RETURN n -note: revision: 1 resources: https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-adts/e5899be4-862e-496f-9a38-33950617d2c5 acknowledgements: Martin Sohn Christensen, @martinsohndk diff --git a/queries/Domains not mitigating CVE-2021-42291.yml b/queries/Domains not mitigating CVE-2021-42291.yml index 115b2bc..4b858ff 100644 --- a/queries/Domains not mitigating CVE-2021-42291.yml +++ b/queries/Domains not mitigating CVE-2021-42291.yml 
@@ -8,7 +8,6 @@ query: |-
 MATCH (n:Domain)
 WHERE n.dsheuristics =~ ".{27}[^1].*"
 RETURN n
-note:
 revision: 1
 resources: https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-adts/e5899be4-862e-496f-9a38-33950617d2c5
 acknowledgements: Martin Sohn Christensen, @martinsohndk
diff --git a/queries/Domains not verifying UPN and SPN uniqueness.yml b/queries/Domains not verifying UPN and SPN uniqueness.yml
index 6bd7e09..f9dd093 100644
--- a/queries/Domains not verifying UPN and SPN uniqueness.yml
+++ b/queries/Domains not verifying UPN and SPN uniqueness.yml
@@ -8,7 +8,6 @@ query: |-
 MATCH (n:Domain)
 WHERE n.dsheuristics =~ ".{20}[^0].*"
 RETURN n
-note:
 revision: 1
 resources: https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-adts/e5899be4-862e-496f-9a38-33950617d2c5
 acknowledgements: Martin Sohn Christensen, @martinsohndk
diff --git a/queries/Domains where any user can join a computer to the domain.yml b/queries/Domains where any user can join a computer to the domain.yml
index 7569e59..0b52634 100644
--- a/queries/Domains where any user can join a computer to the domain.yml
+++ b/queries/Domains where any user can join a computer to the domain.yml
@@ -3,12 +3,15 @@ guid: 421921fa-bc0f-4659-9680-b7481adcb132
 prebuilt: true
 platforms: Active Directory
 category: Active Directory Hygiene
-description: Authenticated Users can by default create 10 domain computers as defined by the attribute 'ms-DS-MachineAccountQuota' and the DC URA Security Policy 'Add workstations to domain'. This query does not check the latter.
+description:
 query: |-
 MATCH (n:Domain)
 WHERE n.machineaccountquota > 0
 RETURN n
-note:
+<<<<<<< Updated upstream
+note: Does not check the 'Add workstations to domain' URA Security Policy on DCs.
+=======
+>>>>>>> Stashed changes
 revision: 1
 resources:
 - https://learn.microsoft.com/en-us/troubleshoot/windows-server/active-directory/default-workstation-numbers-join-domain
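Review bot: The new side of the 'Domains where any user can join a computer to the domain.yml' hunk commits unresolved merge-conflict markers (`+<<<<<<< Updated upstream`, `+=======`, `+>>>>>>> Stashed changes`) into the YAML, so the file will no longer parse and the query cannot be loaded; the same markers land in 'Domains with a minimum default password policy length less than 15 characters.yml' and in the second hunk of 'Non-Tier Zero account with excessive control.yml'. In each of these files the `description:` value is also blanked on the new side while the replacement `note:` sits inside the conflict, so the caveat that the query does not check the 'Add workstations to domain' URA policy (and the NIST and >1000-principals context in the other two) is lost entirely, which goes beyond what a commit titled "remove 'note' field" should do. Resolving the conflict by dropping the three marker lines and restoring the explanatory text to `description:` (since `note:` is being removed) would leave each file valid and self-describing again.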
diff --git a/queries/Domains with List Object mode enabled.yml b/queries/Domains with List Object mode enabled.yml
index f8a4ed3..77f467d 100644
--- a/queries/Domains with List Object mode enabled.yml
+++ b/queries/Domains with List Object mode enabled.yml
@@ -8,7 +8,6 @@ query: |-
 MATCH (n:Domain)
 WHERE n.dsheuristics =~ ".{2}[^0].*"
 RETURN n
-note:
 revision: 1
 resources: https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-adts/e5899be4-862e-496f-9a38-33950617d2c5
 acknowledgements: Martin Sohn Christensen, @martinsohndk
diff --git a/queries/Domains with a minimum default password policy length less than 15 characters.yml b/queries/Domains with a minimum default password policy length less than 15 characters.yml
index 410d0bb..bb9cfec 100644
--- a/queries/Domains with a minimum default password policy length less than 15 characters.yml
+++ b/queries/Domains with a minimum default password policy length less than 15 characters.yml
@@ -3,12 +3,15 @@ guid: 7d258d2d-a43d-4a90-85d7-71c946ae5fd7
 prebuilt: false
 platforms: Active Directory
 category: Active Directory Hygiene
-description: Follows the NIST 800-63B recommendation of 15 characters.
+description:
 query: |-
 MATCH (n:Domain)
 WHERE n.minpwdlength < 15
 RETURN n
-note:
+<<<<<<< Updated upstream
+note: NIST recommends 15 characters.
+=======
+>>>>>>> Stashed changes
 revision: 1
 resources: https://pages.nist.gov/800-63-3/sp800-63b.html
 acknowledgements: Martin Sohn Christensen, @martinsohndk
diff --git a/queries/Domains with a single-point-of-failure Domain Controller.yml b/queries/Domains with a single-point-of-failure Domain Controller.yml
index bb89764..e2f2692 100644
--- a/queries/Domains with a single-point-of-failure Domain Controller.yml
+++ b/queries/Domains with a single-point-of-failure Domain Controller.yml
@@ -10,7 +10,6 @@ query: |-
 WITH n, COUNT(n) AS dcCount
 WHERE dcCount = 1
 RETURN n
-note:
 revision: 1
 resources:
 acknowledgements: Martin Sohn Christensen, @martinsohndk
diff --git a/queries/Domains with functional level not the latest version.yml b/queries/Domains with functional level not the latest version.yml
index b41767a..0ee7926 100644
--- a/queries/Domains with functional level not the latest version.yml
+++ b/queries/Domains with functional level not the latest version.yml
@@ -3,15 +3,13 @@ guid: 3da9d14a-f1cb-4df7-b3da-8d73ff5c401b
 prebuilt: false
 platforms: Active Directory
 category: Active Directory Hygiene
-description: Check for functional level <4
+description:
 query: |-
 MATCH (n:Domain)
- WHERE (
- n.functionallevel IS NULL
- OR NOT n.functionallevel IN ["2016","2025"]
- )
+ WHERE toString(n.functionallevel) IN ['2008','2003','2003 Interim','2000 Mixed/Native']
 RETURN n
+note: Functional level <4
 revision: 1
-resources: https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/active-directory-functional-levels
+resources:
 acknowledgements: Martin Sohn Christensen, @martinsohndk
diff --git a/queries/Domains with more than 50 Tier Zero accounts.yml b/queries/Domains with more than 50 Tier Zero accounts.yml
index 034d7b5..fafb656 100644
--- a/queries/Domains with more than 50 Tier Zero accounts.yml
+++ b/queries/Domains with more than 50 Tier Zero accounts.yml
@@ -10,7 +10,6 @@ query: |-
 WITH d, COUNT(n) AS adminCount
 WHERE adminCount > 50
 RETURN d
-note:
 revision: 1
 resources:
 acknowledgements: Martin Sohn Christensen, @martinsohndk
diff --git a/queries/Domains with smart card accounts where smart account passwords do not expire.yml b/queries/Domains with smart card accounts where smart account passwords do not expire.yml
index ef732df..2292c58 100644
--- a/queries/Domains with smart card accounts where smart account passwords do not expire.yml
+++ b/queries/Domains with smart card accounts where smart account passwords do not expire.yml
@@ -10,7 +10,6 @@ query: |-
 AND t.enabled = true
 AND t.smartcardrequired = true
 RETURN s
-note:
 revision: 1
 resources:
 acknowledgements:
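Review bot: The rewritten `WHERE` in 'Domains with functional level not the latest version.yml' changes what the query reports, not just its metadata: the old predicate flagged any domain whose level was NULL or not in `["2016","2025"]`, whereas the new allow-list `IN ['2008','2003','2003 Interim','2000 Mixed/Native']` only catches the four oldest levels, so a domain still at 2008 R2, 2012 or 2012 R2 (whatever string form the collector emits for those) — or one with no `functionallevel` property at all — silently drops out while the file name still says "not the latest version". The hunk also blanks `resources:` (dropping the Microsoft functional-levels reference) and adds `+note: Functional level <4`, both of which contradict a commit titled "remove 'note' field" and look like a stash that was folded in by accident. If the intended scope really is "below 4" it should be reflected in the file name and `description:`; otherwise restoring the `IS NULL` branch and the `NOT n.functionallevel IN ["2016","2025"]` exclusion keeps behaviour and title consistent.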
diff --git a/queries/Domains without Microsoft LAPS computers.yml b/queries/Domains without Microsoft LAPS computers.yml index 5a1a27d..9b4cf40 100644 --- a/queries/Domains without Microsoft LAPS computers.yml +++ b/queries/Domains without Microsoft LAPS computers.yml @@ -11,7 +11,6 @@ query: |- WITH d, COLLECT(c) AS computers WHERE SIZE(computers) = 0 RETURN d -note: revision: 1 resources: acknowledgements: Martin Sohn Christensen, @martinsohndk diff --git a/queries/Domains without Protected Users group.yml b/queries/Domains without Protected Users group.yml index 5efd3be..9a77676 100644 --- a/queries/Domains without Protected Users group.yml +++ b/queries/Domains without Protected Users group.yml @@ -13,7 +13,6 @@ query: |- WITH n, m WHERE m IS NULL RETURN n -note: revision: 1 resources: acknowledgements: Martin Sohn Christensen, @martinsohndk diff --git a/queries/ESC8-vulnerable Enterprise CAs.yml b/queries/ESC8-vulnerable Enterprise CAs.yml index 255008c..99d8173 100644 --- a/queries/ESC8-vulnerable Enterprise CAs.yml +++ b/queries/ESC8-vulnerable Enterprise CAs.yml @@ -8,7 +8,6 @@ query: |- MATCH (n:EnterpriseCA) WHERE n.hasvulnerableendpoint=true RETURN n -note: revision: 1 resources: acknowledgements: diff --git a/queries/Enabled Tier Zero High Value principals inactive for 60 days.yml b/queries/Enabled Tier Zero High Value principals inactive for 60 days.yml index 87d971e..f7a4275 100644 --- a/queries/Enabled Tier Zero High Value principals inactive for 60 days.yml +++ b/queries/Enabled Tier Zero High Value principals inactive for 60 days.yml @@ -16,7 +16,6 @@ query: |- AND NOT n.objectid ENDS WITH '-500' // Removes false positive, built-in Administrator AND NOT n.name STARTS WITH 'AZUREADSSOACC.' // Removes false positive, Entra Seamless SSO RETURN n -note: revision: 1 resources: acknowledgements: diff --git a/queries/Enabled built-in guest user accounts.yml b/queries/Enabled built-in guest user accounts.yml index 8c4b5e0..0b9c1ec 100644 
--- a/queries/Enabled built-in guest user accounts.yml +++ b/queries/Enabled built-in guest user accounts.yml @@ -9,7 +9,6 @@ query: |- WHERE n.objectid ENDS WITH "-501" AND n.enabled = true RETURN n -note: revision: 1 resources: acknowledgements: Martin Sohn Christensen, @martinsohndk diff --git a/queries/Enabled computers inactive for 180 days - MSSQL Failover Cluster.yml b/queries/Enabled computers inactive for 180 days - MSSQL Failover Cluster.yml index a683a6c..520aacb 100644 --- a/queries/Enabled computers inactive for 180 days - MSSQL Failover Cluster.yml +++ b/queries/Enabled computers inactive for 180 days - MSSQL Failover Cluster.yml @@ -17,7 +17,6 @@ query: |- toLower(type) CONTAINS 'msclustervirtualserver') RETURN n LIMIT 1000 -note: revision: 1 resources: https://learn.microsoft.com/en-us/troubleshoot/windows-server/high-availability/troubleshoot-issues-accounts-used-failover-clusters#troubleshoot-password-issues-with-the-cluster-name-account acknowledgements: Martin Sohn Christensen, @martinsohndk diff --git a/queries/Enabled computers inactive for 180 days.yml b/queries/Enabled computers inactive for 180 days.yml index e19cd5e..51b5fb8 100644 --- a/queries/Enabled computers inactive for 180 days.yml +++ b/queries/Enabled computers inactive for 180 days.yml @@ -15,7 +15,6 @@ query: |- AND NOT n.name STARTS WITH 'AZUREADSSOACC.' // Removes false positive, Entra Seamless SSO RETURN n LIMIT 1000 -note: revision: 1 resources: acknowledgements: Martin Sohn Christensen, @martinsohndk diff --git a/queries/Enabled users inactive for 180 days.yml b/queries/Enabled users inactive for 180 days.yml index 208c5c3..902269d 100644 --- a/queries/Enabled users inactive for 180 days.yml +++ b/queries/Enabled users inactive for 180 days.yml @@ -14,7 +14,6 @@ query: |- AND NOT n.objectid ENDS WITH '-500' // Removes false positive, built-in Administrator RETURN n LIMIT 1000 -note: revision: 1 resources: acknowledgements: Martin Sohn Christensen, @martinsohndk 
diff --git a/queries/Enrollment rights on CertTemplates with OIDGroupLink.yml b/queries/Enrollment rights on CertTemplates with OIDGroupLink.yml index a3af453..fa93830 100644 --- a/queries/Enrollment rights on CertTemplates with OIDGroupLink.yml +++ b/queries/Enrollment rights on CertTemplates with OIDGroupLink.yml @@ -8,7 +8,6 @@ query: |- MATCH p = (:Base)-[:Enroll|GenericAll|AllExtendedRights]->(:CertTemplate)-[:ExtendedByPolicy]->(:IssuancePolicy)-[:OIDGroupLink]->(:Group) RETURN p LIMIT 1000 -note: revision: 1 resources: acknowledgements: diff --git a/queries/Enrollment rights on certificate templates published to Enterprise CA with User Specified SAN enabled.yml b/queries/Enrollment rights on certificate templates published to Enterprise CA with User Specified SAN enabled.yml index d80a5bb..90f0056 100644 --- a/queries/Enrollment rights on certificate templates published to Enterprise CA with User Specified SAN enabled.yml +++ b/queries/Enrollment rights on certificate templates published to Enterprise CA with User Specified SAN enabled.yml @@ -9,7 +9,6 @@ query: |- WHERE eca.isuserspecifiessanenabled = True RETURN p LIMIT 1000 -note: revision: 1 resources: acknowledgements: diff --git a/queries/Enrollment rights on published ESC1 certificate templates.yml b/queries/Enrollment rights on published ESC1 certificate templates.yml index 7e02c1b..21ad599 100644 --- a/queries/Enrollment rights on published ESC1 certificate templates.yml +++ b/queries/Enrollment rights on published ESC1 certificate templates.yml @@ -12,7 +12,6 @@ query: |- AND (ct.authorizedsignatures = 0 OR ct.schemaversion = 1) RETURN p LIMIT 1000 -note: revision: 1 resources: acknowledgements: diff --git a/queries/Enrollment rights on published ESC15 certificate templates.yml b/queries/Enrollment rights on published ESC15 certificate templates.yml index aa16b85..96cb70a 100644 --- a/queries/Enrollment rights on published ESC15 certificate templates.yml 
+++ b/queries/Enrollment rights on published ESC15 certificate templates.yml @@ -11,7 +11,6 @@ query: |- AND ct.requiresmanagerapproval = False AND ct.schemaversion = 1 RETURN p -note: revision: 1 resources: - https://x.com/SpecterOps/status/1844800558151901639 diff --git a/queries/Enrollment rights on published ESC2 certificate templates.yml b/queries/Enrollment rights on published ESC2 certificate templates.yml index 1369cc6..22a94d3 100644 --- a/queries/Enrollment rights on published ESC2 certificate templates.yml +++ b/queries/Enrollment rights on published ESC2 certificate templates.yml @@ -11,7 +11,6 @@ query: |- AND (c.authorizedsignatures = 0 OR c.schemaversion = 1) RETURN p LIMIT 1000 -note: revision: 1 resources: acknowledgements: diff --git a/queries/Enrollment rights on published certificate templates with no security extension.yml b/queries/Enrollment rights on published certificate templates with no security extension.yml index 4c48f2f..25c71b1 100644 --- a/queries/Enrollment rights on published certificate templates with no security extension.yml +++ b/queries/Enrollment rights on published certificate templates with no security extension.yml @@ -9,7 +9,6 @@ query: |- WHERE ct.nosecurityextension = true RETURN p LIMIT 1000 -note: revision: 1 resources: acknowledgements: diff --git a/queries/Enrollment rights on published certificate templates.yml b/queries/Enrollment rights on published certificate templates.yml index a2b0a0f..b7b8788 100644 --- a/queries/Enrollment rights on published certificate templates.yml +++ b/queries/Enrollment rights on published certificate templates.yml @@ -8,7 +8,6 @@ query: |- MATCH p = (:Base)-[:Enroll|GenericAll|AllExtendedRights]->(:CertTemplate)-[:PublishedTo]->(:EnterpriseCA) RETURN p LIMIT 1000 -note: revision: 1 resources: acknowledgements: 
diff --git a/queries/Enrollment rights on published enrollment agent certificate templates.yml b/queries/Enrollment rights on published enrollment agent certificate templates.yml index 7993f52..fcd552b 100644 --- a/queries/Enrollment rights on published enrollment agent certificate templates.yml +++ b/queries/Enrollment rights on published enrollment agent certificate templates.yml @@ -11,7 +11,6 @@ query: |- OR SIZE(ct.effectiveekus) = 0 RETURN p LIMIT 1000 -note: revision: 1 resources: acknowledgements: diff --git a/queries/Entra ID SSO accounts not rolling Kerberos decryption key.yml b/queries/Entra ID SSO accounts not rolling Kerberos decryption key.yml index c05330d..fce7847 100644 --- a/queries/Entra ID SSO accounts not rolling Kerberos decryption key.yml +++ b/queries/Entra ID SSO accounts not rolling Kerberos decryption key.yml @@ -11,7 +11,6 @@ query: |- WHERE n.name STARTS WITH "AZUREADSSOACC." AND n.pwdlastset < (datetime().epochseconds - (30 * 86400)) RETURN n -note: revision: 1 resources: https://learn.microsoft.com/en-us/entra/identity/hybrid/connect/how-to-connect-sso-faq#how-can-i-roll-over-the-kerberos-decryption-key-of-the--azureadsso--computer-account- acknowledgements: Martin Sohn Christensen, @martinsohndk diff --git a/queries/Entra Users synced from On-Prem Users added to Domain Admins group.yml b/queries/Entra Users synced from On-Prem Users added to Domain Admins group.yml index cec5335..5998b78 100644 --- a/queries/Entra Users synced from On-Prem Users added to Domain Admins group.yml +++ b/queries/Entra Users synced from On-Prem Users added to Domain Admins group.yml @@ -11,7 +11,6 @@ query: |- WHERE t.objectid ENDS WITH '-512' RETURN p LIMIT 1000 -note: revision: 1 resources: acknowledgements: diff --git a/queries/Foreign principals in Tier Zero High Value targets.yml b/queries/Foreign principals in Tier Zero High Value targets.yml index b0ab19e..e33cc7a 100644 --- a/queries/Foreign principals in Tier Zero High Value targets.yml 
+++ b/queries/Foreign principals in Tier Zero High Value targets.yml @@ -11,7 +11,6 @@ query: |- AND n.appownerorganizationid CONTAINS '-' RETURN n LIMIT 100 -note: revision: 1 resources: acknowledgements: diff --git a/queries/KRBTGT accounts with passwords not rotated in over 1 year.yml b/queries/KRBTGT accounts with passwords not rotated in over 1 year.yml index 9d65401..4bca1d1 100644 --- a/queries/KRBTGT accounts with passwords not rotated in over 1 year.yml +++ b/queries/KRBTGT accounts with passwords not rotated in over 1 year.yml @@ -11,7 +11,6 @@ query: |- OR n.name STARTS WITH 'KRBTGT_AZUREAD@') AND n.pwdlastset < (datetime().epochseconds - (365 * 86400)) RETURN n -note: revision: 1 resources: acknowledgements: Martin Sohn Christensen, @martinsohndk diff --git a/queries/Kerberoastable members of Tier Zero High Value groups.yml b/queries/Kerberoastable members of Tier Zero High Value groups.yml index 1452de6..08c6abe 100644 --- a/queries/Kerberoastable members of Tier Zero High Value groups.yml +++ b/queries/Kerberoastable members of Tier Zero High Value groups.yml @@ -13,7 +13,6 @@ query: |- AND NOT COALESCE(u.msa, false) = true RETURN u LIMIT 100 -note: revision: 1 resources: https://attack.mitre.org/techniques/T1558/003/ acknowledgements: diff --git a/queries/Kerberoastable users with most admin privileges.yml b/queries/Kerberoastable users with most admin privileges.yml index 20c6569..c90dad1 100644 --- a/queries/Kerberoastable users with most admin privileges.yml +++ b/queries/Kerberoastable users with most admin privileges.yml @@ -16,7 +16,6 @@ query: |- RETURN u ORDER BY adminCount DESC LIMIT 100 -note: revision: 1 resources: https://attack.mitre.org/techniques/T1558/003/ acknowledgements: diff --git a/queries/Kerberos-enabled service account member of built-in Admins groups.yml b/queries/Kerberos-enabled service account member of built-in Admins groups.yml index b491fef..4961f49 100644 
--- a/queries/Kerberos-enabled service account member of built-in Admins groups.yml +++ b/queries/Kerberos-enabled service account member of built-in Admins groups.yml @@ -13,7 +13,6 @@ query: |- ) AND n.hasspn = true RETURN p -note: revision: 1 resources: acknowledgements: Martin Sohn Christensen, @martinsohndk diff --git a/queries/Kerberos-enabled service accounts without AES encryption support.yml b/queries/Kerberos-enabled service accounts without AES encryption support.yml index 98b1e28..dc6c2ef 100644 --- a/queries/Kerberos-enabled service accounts without AES encryption support.yml +++ b/queries/Kerberos-enabled service accounts without AES encryption support.yml @@ -17,7 +17,6 @@ query: |- )) RETURN n LIMIT 100 -note: revision: 1 resources: acknowledgements: Martin Sohn Christensen, @martinsohndk diff --git a/queries/Large default group added to computer-local group.yml b/queries/Large default group added to computer-local group.yml index 94ef483..75aba84 100644 --- a/queries/Large default group added to computer-local group.yml +++ b/queries/Large default group added to computer-local group.yml @@ -9,7 +9,6 @@ query: |- WHERE n.objectid =~ ".*-(S-1-5-11|S-1-1-0|S-1-5-32-545|S-1-5-7|-513|-515)$" // Authenticated Users, Everyone, Users, Anonymous, Domain Users, Domain Computers AND NOT m.objectid =~ ".*-(545|574|554)$" // Users, Certificate Service DCOM Access, Pre-Windows 2000 Compatible Access RETURN p -note: revision: 1 resources: acknowledgements: Martin Sohn Christensen, @martinsohndk diff --git a/queries/Large default groups with outbound control of OUs.yml b/queries/Large default groups with outbound control of OUs.yml index 5d9686a..68e69ae 100644 --- a/queries/Large default groups with outbound control of OUs.yml +++ b/queries/Large default groups with outbound control of OUs.yml 
@@ -14,7 +14,6 @@ query: |- OR n.objectid ENDS WITH "S-1-5-32-546" // GUESTS OR n.objectid ENDS WITH "S-1-5-7" // ANONYMOUS RETURN p -note: revision: 1 resources: acknowledgements: Martin Sohn Christensen, @martinsohndk diff --git a/queries/Large default groups with outbound control.yml b/queries/Large default groups with outbound control.yml index 99e2fc6..cfcb4ac 100644 --- a/queries/Large default groups with outbound control.yml +++ b/queries/Large default groups with outbound control.yml @@ -14,7 +14,6 @@ query: |- OR n.objectid ENDS WITH "S-1-5-32-546" // GUESTS OR n.objectid ENDS WITH "S-1-5-7" // ANONYMOUS RETURN p -note: revision: 1 resources: acknowledgements: Martin Sohn Christensen, @martinsohndk diff --git a/queries/Locations of Tier Zero High Value objects.yml b/queries/Locations of Tier Zero High Value objects.yml index 891a379..2b0febb 100644 --- a/queries/Locations of Tier Zero High Value objects.yml +++ b/queries/Locations of Tier Zero High Value objects.yml @@ -9,7 +9,6 @@ query: |- WHERE ((t:Tag_Tier_Zero) OR COALESCE(t.system_tags, '') CONTAINS 'admin_tier_0') RETURN p LIMIT 1000 -note: revision: 1 resources: acknowledgements: diff --git a/queries/Map Azure Management structure.yml b/queries/Map Azure Management structure.yml index 7f92dab..a1b1049 100644 --- a/queries/Map Azure Management structure.yml +++ b/queries/Map Azure Management structure.yml @@ -8,7 +8,6 @@ query: |- MATCH p = (:AZTenant)-[:AZContains*1..]->(:AZResourceGroup) RETURN p LIMIT 1000 -note: revision: 1 resources: https://learn.microsoft.com/en-us/azure/governance/management-groups/overview acknowledgements: Martin Sohn Christensen, @martinsohndk diff --git a/queries/Map OU structure.yml b/queries/Map OU structure.yml index 1b224da..55b4414 100644 --- a/queries/Map OU structure.yml +++ b/queries/Map OU structure.yml @@ -8,7 +8,6 @@ query: |- MATCH p = (:Domain)-[:Contains*1..]->(:OU) RETURN p LIMIT 1000 -note: revision: 1 resources: acknowledgements: 
diff --git a/queries/Map domain trusts.yml b/queries/Map domain trusts.yml index 88f3c36..f2a90e2 100644 --- a/queries/Map domain trusts.yml +++ b/queries/Map domain trusts.yml @@ -8,7 +8,6 @@ query: |- MATCH p = (:Domain)-[:SameForestTrust|CrossForestTrust]->(:Domain) RETURN p LIMIT 1000 -note: revision: 1 resources: acknowledgements: diff --git a/queries/Members of Allowed RODC Password Replication Group.yml b/queries/Members of Allowed RODC Password Replication Group.yml index 513c6e0..f6f7ffd 100644 --- a/queries/Members of Allowed RODC Password Replication Group.yml +++ b/queries/Members of Allowed RODC Password Replication Group.yml @@ -9,7 +9,6 @@ query: |- WHERE m.objectid ENDS WITH "-571" AND (n:User or n:Computer) RETURN p -note: revision: 1 resources: acknowledgements: Martin Sohn Christensen, @martinsohndk diff --git a/queries/Microsoft Entra Connect accounts with passwords not rotated in over 90 days.yml b/queries/Microsoft Entra Connect accounts with passwords not rotated in over 90 days.yml index 2f2bd91..52ad6d9 100644 --- a/queries/Microsoft Entra Connect accounts with passwords not rotated in over 90 days.yml +++ b/queries/Microsoft Entra Connect accounts with passwords not rotated in over 90 days.yml @@ -13,7 +13,6 @@ query: |- AND u.pwdlastset < (datetime().epochseconds - (days_since_change * 86400)) AND NOT u.pwdlastset IN [-1.0, 0.0] RETURN u -note: revision: 1 resources: https://learn.microsoft.com/en-us/defender-for-identity/rotate-password-microsoft-entra-connect acknowledgements: Martin Sohn Christensen, @martinsohndk diff --git a/queries/Nested groups within Tier Zero High Value.yml b/queries/Nested groups within Tier Zero High Value.yml index b9714f1..7e16b7b 100644 --- a/queries/Nested groups within Tier Zero High Value.yml +++ b/queries/Nested groups within Tier Zero High Value.yml @@ -11,7 +11,6 @@ query: |- AND NOT s.objectid ENDS WITH '-519' // Enterprise Admins RETURN p LIMIT 1000 -note: revision: 1 resources: acknowledgements: 
diff --git a/queries/Non-Tier Zero account with 'Admin Count' flag.yml b/queries/Non-Tier Zero account with 'Admin Count' flag.yml
index c11078b..032b7b0 100644
--- a/queries/Non-Tier Zero account with 'Admin Count' flag.yml
+++ b/queries/Non-Tier Zero account with 'Admin Count' flag.yml
@@ -9,7 +9,6 @@ query: |-
 WHERE NOT ((n:Tag_Tier_Zero) OR COALESCE(n.system_tags, '') CONTAINS 'admin_tier_0')
 AND n.admincount = true
 RETURN n
-note:
 revision: 1
 resources: https://learn.microsoft.com/en-us/windows/win32/adschema/a-admincount
 acknowledgements: Martin Sohn Christensen, @martinsohndk
diff --git a/queries/Non-Tier Zero account with excessive control.yml b/queries/Non-Tier Zero account with excessive control.yml
index 844eec1..7e1a740 100644
--- a/queries/Non-Tier Zero account with excessive control.yml
+++ b/queries/Non-Tier Zero account with excessive control.yml
@@ -3,7 +3,7 @@ guid: 944cecfe-519b-4318-b226-e8520161b454
 prebuilt: false
 platforms: Active Directory
 category: Dangerous Privileges
-description: Finds Non-Tier Zero principals with control of >1000 Non-Tier Zero principals
+description:
 query: |-
 MATCH (d:Domain)-[:Contains*1..]->(u:User)
 WHERE u.enabled = true
@@ -13,7 +13,10 @@ query: |-
 WITH n, enabledUserCount, COLLECT(DISTINCT(m)) AS endNodes
 WHERE SIZE(endNodes) >= 1000
 RETURN n
-note:
+<<<<<<< Updated upstream
+note: Finds Non-Tier Zero principals with control of >1000 Non-Tier Zero principals
+=======
+>>>>>>> Stashed changes
 revision: 1
 resources:
 acknowledgements: Martin Sohn Christensen, @martinsohndk
diff --git a/queries/Non-Tier Zero account with unconstrained delegation.yml b/queries/Non-Tier Zero account with unconstrained delegation.yml
index 67cee47..c869023 100644
--- a/queries/Non-Tier Zero account with unconstrained delegation.yml
+++ b/queries/Non-Tier Zero account with unconstrained delegation.yml
@@ -9,7 +9,6 @@ query: |- WHERE n.unconstraineddelegation = true AND NOT ((n:Tag_Tier_Zero) OR COALESCE(n.system_tags, '') CONTAINS 'admin_tier_0') RETURN n -note: revision: 1 resources: acknowledgements: Martin Sohn Christensen, @martinsohndk diff --git a/queries/Non-Tier Zero accounts with SID History of Tier Zero accounts.yml b/queries/Non-Tier Zero accounts with SID History of Tier Zero accounts.yml index 12195c0..95b9bb9 100644 --- a/queries/Non-Tier Zero accounts with SID History of Tier Zero accounts.yml +++ b/queries/Non-Tier Zero accounts with SID History of Tier Zero accounts.yml @@ -9,7 +9,6 @@ query: |- WHERE ((m:Tag_Tier_Zero) OR COALESCE(m.system_tags, '') CONTAINS 'admin_tier_0') AND NOT ((n:Tag_Tier_Zero) OR COALESCE(n.system_tags, '') CONTAINS 'admin_tier_0') RETURN p -note: revision: 1 resources: acknowledgements: Martin Sohn Christensen, @martinsohndk diff --git a/queries/Non-Tier Zero principals with BadSuccessor rights (no prerequisites check).yml b/queries/Non-Tier Zero principals with BadSuccessor rights (no prerequisites check).yml index 4f18803..29039d6 100644 --- a/queries/Non-Tier Zero principals with BadSuccessor rights (no prerequisites check).yml +++ b/queries/Non-Tier Zero principals with BadSuccessor rights (no prerequisites check).yml @@ -10,7 +10,6 @@ query: |- // Exclude Tier Zero WHERE NOT ((n:Tag_Tier_Zero) OR COALESCE(n.system_tags, '') CONTAINS 'admin_tier_0') RETURN p LIMIT 1000 -note: revision: 1 resources: https://bsky.app/profile/specterops.io/post/3lpua65qeu22l acknowledgements: Martin Sohn Christensen, @martinsohndk diff --git a/queries/Non-Tier Zero principals with BadSuccessor rights (with prerequisites check).yml b/queries/Non-Tier Zero principals with BadSuccessor rights (with prerequisites check).yml index c298fde..438ad2a 100644 --- a/queries/Non-Tier Zero principals with BadSuccessor rights (with prerequisites check).yml +++ b/queries/Non-Tier Zero principals with BadSuccessor rights (with prerequisites check).yml 
@@ -20,7 +20,6 @@ query: |- // Exclude Tier Zero AND NOT ((n:Tag_Tier_Zero) OR COALESCE(n.system_tags, '') CONTAINS 'admin_tier_0') RETURN p LIMIT 1000 -note: revision: 1 resources: https://bsky.app/profile/specterops.io/post/3lpua65qeu22l acknowledgements: Martin Sohn Christensen, @martinsohndk diff --git a/queries/Non-Tier Zero principals with control of AdminSDHolder.yml b/queries/Non-Tier Zero principals with control of AdminSDHolder.yml index 0ab25ca..a31af43 100644 --- a/queries/Non-Tier Zero principals with control of AdminSDHolder.yml +++ b/queries/Non-Tier Zero principals with control of AdminSDHolder.yml @@ -9,7 +9,6 @@ query: |- WHERE NOT ((n:Tag_Tier_Zero) OR COALESCE(n.system_tags, '') CONTAINS 'admin_tier_0') AND m.name STARTS WITH "ADMINSDHOLDER@" RETURN p -note: revision: 1 resources: https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/plan/security-best-practices/appendix-c--protected-accounts-and-groups-in-active-directory#adminsdholder acknowledgements: Martin Sohn Christensen, @martinsohndk diff --git a/queries/Non-default delegation on MicrosoftDNS container.yml b/queries/Non-default delegation on MicrosoftDNS container.yml index 91c6134..0142355 100644 --- a/queries/Non-default delegation on MicrosoftDNS container.yml +++ b/queries/Non-default delegation on MicrosoftDNS container.yml @@ -11,7 +11,6 @@ query: |- AND NOT n.objectid =~ "-(512|544|519|9)$" AND r.isacl RETURN p -note: revision: 1 resources: acknowledgements: Martin Sohn Christensen, @martinsohndk diff --git a/queries/Non-default members in Pre-Windows 2000 Compatible Access.yml b/queries/Non-default members in Pre-Windows 2000 Compatible Access.yml index eb1f482..2fd4c60 100644 --- a/queries/Non-default members in Pre-Windows 2000 Compatible Access.yml +++ b/queries/Non-default members in Pre-Windows 2000 Compatible Access.yml 
@@ -11,7 +11,6 @@ query: |- AND NOT n.objectid ENDS WITH "S-1-1-0") // Everyone AND m.objectid ENDS WITH "S-1-5-32-554" // Pre-Windows 2000 Compatible Access RETURN p -note: revision: 1 resources: acknowledgements: Martin Sohn Christensen, @martinsohndk diff --git a/queries/Non-default permissions on IssuancePolicy nodes.yml b/queries/Non-default permissions on IssuancePolicy nodes.yml index 02dec05..197012e 100644 --- a/queries/Non-default permissions on IssuancePolicy nodes.yml +++ b/queries/Non-default permissions on IssuancePolicy nodes.yml @@ -9,7 +9,6 @@ query: |- WHERE NOT s.objectid ENDS WITH '-512' AND NOT s.objectid ENDS WITH '-519' RETURN p LIMIT 1000 -note: revision: 1 resources: acknowledgements: diff --git a/queries/Object name conflict.yml b/queries/Object name conflict.yml index 7b1733a..9df91da 100644 --- a/queries/Object name conflict.yml +++ b/queries/Object name conflict.yml @@ -8,7 +8,6 @@ query: |- MATCH (n:Base) WHERE n.distinguishedname CONTAINS 'CNF:' RETURN n -note: revision: 1 resources: https://learn.microsoft.com/en-us/archive/technet-wiki/15435.active-directory-duplicate-object-name-resolution acknowledgements: Martin Sohn Christensen, @martinsohndk diff --git a/queries/On-Prem Users synced to Entra Users that Own Entra Objects.yml b/queries/On-Prem Users synced to Entra Users that Own Entra Objects.yml index f9419e2..97fda7f 100644 --- a/queries/On-Prem Users synced to Entra Users that Own Entra Objects.yml +++ b/queries/On-Prem Users synced to Entra Users that Own Entra Objects.yml @@ -10,7 +10,6 @@ query: |- MATCH p = (:User)-[:SyncedToEntraUser]->(:AZUser)-[:AZOwns]->(:AZBase) RETURN p LIMIT 1000 -note: revision: 1 resources: acknowledgements: diff --git a/queries/On-Prem Users synced to Entra Users with Azure RM Roles (direct).yml b/queries/On-Prem Users synced to Entra Users with Azure RM Roles (direct).yml index e2791f0..e8d96df 100644 --- a/queries/On-Prem Users synced to Entra Users with Azure RM Roles (direct).yml 
+++ b/queries/On-Prem Users synced to Entra Users with Azure RM Roles (direct).yml
@@ -10,7 +10,6 @@ query: |-
 MATCH p = (:User)-[:SyncedToEntraUser]->(:AZUser)-[:AZOwner|AZUserAccessAdministrator|AZGetCertificates|AZGetKeys|AZGetSecrets|AZAvereContributor|AZKeyVaultContributor|AZContributor|AZVMAdminLogin|AZVMContributor|AZAKSContributor|AZAutomationContributor|AZLogicAppContributor|AZWebsiteContributor]->(:AZBase)
 RETURN p
 LIMIT 1000
-note:
 revision: 1
 resources:
 acknowledgements:
diff --git a/queries/On-Prem Users synced to Entra Users with Azure RM Roles (group delegated).yml b/queries/On-Prem Users synced to Entra Users with Azure RM Roles (group delegated).yml
index 28060c5..7a507ad 100644
--- a/queries/On-Prem Users synced to Entra Users with Azure RM Roles (group delegated).yml
+++ b/queries/On-Prem Users synced to Entra Users with Azure RM Roles (group delegated).yml
@@ -10,7 +10,6 @@ query: |-
 MATCH p = (:User)-[:SyncedToEntraUser]->(:AZUser)-[:AZMemberOf]->(:AZGroup)-[:AZOwner|AZUserAccessAdministrator|AZGetCertificates|AZGetKeys|AZGetSecrets|AZAvereContributor|AZKeyVaultContributor|AZContributor|AZVMAdminLogin|AZVMContributor|AZAKSContributor|AZAutomationContributor|AZLogicAppContributor|AZWebsiteContributor]->(:AZBase)
 RETURN p
 LIMIT 1000
-note:
 revision: 1
 resources:
 acknowledgements:
diff --git a/queries/On-Prem Users synced to Entra Users with Entra Admin Roles (direct).yml b/queries/On-Prem Users synced to Entra Users with Entra Admin Roles (direct).yml
index 54614d8..8cdbad2 100644
--- a/queries/On-Prem Users synced to Entra Users with Entra Admin Roles (direct).yml
+++ b/queries/On-Prem Users synced to Entra Users with Entra Admin Roles (direct).yml
@@ -10,7 +10,6 @@ query: |-
 MATCH p = (:User)-[:SyncedToEntraUser]->(:AZUser)-[:AZHasRole]->(:AZRole)
 RETURN p
 LIMIT 1000
-note:
 revision: 1
 resources:
 acknowledgements:
diff --git a/queries/On-Prem Users synced to Entra Users with Entra Admin Roles (group delegated).yml b/queries/On-Prem Users synced to Entra Users with Entra Admin Roles (group delegated).yml
index c636026..56fbeee 100644
--- a/queries/On-Prem Users synced to Entra Users with Entra Admin Roles (group delegated).yml
+++ b/queries/On-Prem Users synced to Entra Users with Entra Admin Roles (group delegated).yml
@@ -10,7 +10,6 @@ query: |-
 MATCH p = (:User)-[:SyncedToEntraUser]->(:AZUser)-[:AZMemberOf]->(:AZGroup)-[:AZHasRole]->(:AZRole)
 RETURN p
 LIMIT 1000
-note:
 revision: 1
 resources:
 acknowledgements:
diff --git a/queries/On-Prem Users synced to Entra Users with Entra Group Membership.yml b/queries/On-Prem Users synced to Entra Users with Entra Group Membership.yml
index c1d6da8..f0c8c3f 100644
--- a/queries/On-Prem Users synced to Entra Users with Entra Group Membership.yml
+++ b/queries/On-Prem Users synced to Entra Users with Entra Group Membership.yml
@@ -10,7 +10,6 @@ query: |-
 MATCH p = (:User)-[:SyncedToEntraUser]->(:AZUser)-[:AZMemberOf]->(:AZGroup)
 RETURN p
 LIMIT 1000
-note:
 revision: 1
 resources:
 acknowledgements:
diff --git a/queries/Overprivileged Microsoft Entra Connect accounts.yml b/queries/Overprivileged Microsoft Entra Connect accounts.yml
index 0d1db4e..aab8ca8 100644
--- a/queries/Overprivileged Microsoft Entra Connect accounts.yml
+++ b/queries/Overprivileged Microsoft Entra Connect accounts.yml
@@ -12,7 +12,6 @@ query: |-
 AND (g.objectid ENDS WITH "-512" // Domain Admins
 OR g.objectid ENDS WITH "-519") // Entterprise Admins
 RETURN p
-note:
 revision: 1
 resources: https://learn.microsoft.com/en-us/entra/identity/hybrid/connect/reference-connect-accounts-permissions
 acknowledgements: Martin Sohn Christensen, @martinsohndk
diff --git a/queries/PKI hierarchy.yml b/queries/PKI hierarchy.yml
index 0b6c22f..b690330 100644
--- a/queries/PKI hierarchy.yml
+++ b/queries/PKI hierarchy.yml
@@ -8,7 +8,6 @@ query: |-
 MATCH p=()-[:HostsCAService|IssuedSignedBy|EnterpriseCAFor|RootCAFor|TrustedForNTAuth|NTAuthStoreFor*..]->(:Domain)
 RETURN p
 LIMIT 1000
-note:
 revision: 1
 resources:
 acknowledgements:
diff --git a/queries/Paths from Domain Users to Tier Zero High Value targets.yml b/queries/Paths from Domain Users to Tier Zero High Value targets.yml
index 175da53..e8d5e0c 100644
--- a/queries/Paths from Domain Users to Tier Zero High Value targets.yml
+++ b/queries/Paths from Domain Users to Tier Zero High Value targets.yml
@@ -10,7 +10,6 @@ query: |-
 AND ((t:Tag_Tier_Zero) OR COALESCE(t.system_tags, '') CONTAINS 'admin_tier_0')
 RETURN p
 LIMIT 1000
-note:
 revision: 1
 resources:
 acknowledgements:
diff --git a/queries/Principal with SPN keyword.yml b/queries/Principal with SPN keyword.yml
index 0ab8091..2974ab8 100644
--- a/queries/Principal with SPN keyword.yml
+++ b/queries/Principal with SPN keyword.yml
@@ -10,7 +10,6 @@ query: |-
 MATCH (n:User)
 WHERE ANY(keyword IN n.serviceprincipalnames WHERE toUpper(keyword) CONTAINS toUpper(SPNKeyword))
 RETURN n
-note:
 revision: 1
 resources: https://adsecurity.org/?page_id=183
 acknowledgements: Ryan, @haus3c
diff --git a/queries/Principals with DCSync privileges.yml b/queries/Principals with DCSync privileges.yml
index 33309b3..3636a15 100644
--- a/queries/Principals with DCSync privileges.yml
+++ b/queries/Principals with DCSync privileges.yml
@@ -8,7 +8,6 @@ query: |-
 MATCH p=(:Base)-[:DCSync|AllExtendedRights|GenericAll]->(:Domain)
 RETURN p
 LIMIT 1000
-note:
 revision: 1
 resources:
 acknowledgements:
diff --git a/queries/Principals with DES-only Kerberos authentication.yml b/queries/Principals with DES-only Kerberos authentication.yml
index a2e01ef..26fb69c 100644
--- a/queries/Principals with DES-only Kerberos authentication.yml
+++ b/queries/Principals with DES-only Kerberos authentication.yml
@@ -9,7 +9,6 @@ query: |-
 WHERE n.enabled = true
 AND n.usedeskeyonly = true
 RETURN n
-note:
 revision: 1
 resources:
 acknowledgements:
diff --git a/queries/Principals with foreign domain group membership.yml b/queries/Principals with foreign domain group membership.yml
index f9a15a5..96a1212 100644
--- a/queries/Principals with foreign domain group membership.yml
+++ b/queries/Principals with foreign domain group membership.yml
@@ -9,7 +9,6 @@ query: |-
 WHERE s.domainsid<>t.domainsid
 RETURN p
 LIMIT 1000
-note:
 revision: 1
 resources:
 acknowledgements:
diff --git a/queries/Principals with passwords stored using reversible encryption.yml b/queries/Principals with passwords stored using reversible encryption.yml
index ce7caa3..5ba8b48 100644
--- a/queries/Principals with passwords stored using reversible encryption.yml
+++ b/queries/Principals with passwords stored using reversible encryption.yml
@@ -8,7 +8,6 @@ query: |-
 MATCH (n:Base)
 WHERE n.encryptedtextpwdallowed = true
 RETURN n
-note:
 revision: 1
 resources:
 acknowledgements:
diff --git a/queries/Principals with weak supported Kerberos encryption types.yml b/queries/Principals with weak supported Kerberos encryption types.yml
index bacb090..c8d2554 100644
--- a/queries/Principals with weak supported Kerberos encryption types.yml
+++ b/queries/Principals with weak supported Kerberos encryption types.yml
@@ -10,7 +10,6 @@ query: |-
 OR 'DES-CBC-MD5' IN u.supportedencryptiontypes
 OR 'RC4-HMAC-MD5' IN u.supportedencryptiontypes
 RETURN u
-note:
 revision: 1
 resources:
 acknowledgements:
diff --git a/queries/Public Key Services container.yml b/queries/Public Key Services container.yml
index 6c38e0a..e4dc47f 100644
--- a/queries/Public Key Services container.yml
+++ b/queries/Public Key Services container.yml
@@ -9,7 +9,6 @@ query: |-
 WHERE c.distinguishedname starts with 'CN=PUBLIC KEY SERVICES,CN=SERVICES,CN=CONFIGURATION,DC='
 RETURN p
 LIMIT 1000
-note:
 revision: 1
 resources:
 acknowledgements:
diff --git a/queries/Servers where Domain Users can RDP.yml b/queries/Servers where Domain Users can RDP.yml index b5429e9..306f29f 100644 --- a/queries/Servers where Domain Users can RDP.yml +++ b/queries/Servers where Domain Users can RDP.yml @@ -9,7 +9,6 @@ query: |- WHERE s.objectid ENDS WITH '-513' AND toUpper(t.operatingsystem) CONTAINS 'SERVER' RETURN p LIMIT 1000 -note: revision: 1 resources: acknowledgements: diff --git a/queries/Sessions across trusts.yml b/queries/Sessions across trusts.yml index b4c72b3..27d68db 100644 --- a/queries/Sessions across trusts.yml +++ b/queries/Sessions across trusts.yml @@ -9,7 +9,6 @@ query: |- WHERE trustedDomainPrincipal.domainsid <> trustingDomainPrincipal.domainsid RETURN p LIMIT 1000 -note: revision: 1 resources: acknowledgements: Martin Sohn Christensen, @martinsohndk diff --git a/queries/Shortest paths from Azure Applications to Tier Zero High Value targets.yml b/queries/Shortest paths from Azure Applications to Tier Zero High Value targets.yml index 48a5b47..ea5177d 100644 --- a/queries/Shortest paths from Azure Applications to Tier Zero High Value targets.yml +++ b/queries/Shortest paths from Azure Applications to Tier Zero High Value targets.yml @@ -9,7 +9,6 @@ query: |- WHERE ((t:Tag_Tier_Zero) OR COALESCE(t.system_tags, '') CONTAINS 'admin_tier_0') AND s<>t RETURN p LIMIT 1000 -note: revision: 1 resources: acknowledgements: diff --git a/queries/Shortest paths from Domain Users to Tier Zero High Value targets.yml b/queries/Shortest paths from Domain Users to Tier Zero High Value targets.yml index b5a7a8b..c1ce7c9 100644 --- a/queries/Shortest paths from Domain Users to Tier Zero High Value targets.yml +++ b/queries/Shortest paths from Domain Users to Tier Zero High Value targets.yml @@ -10,7 +10,6 @@ query: |- AND ((t:Tag_Tier_Zero) OR COALESCE(t.system_tags, '') CONTAINS 'admin_tier_0') RETURN p LIMIT 1000 -note: revision: 1 resources: acknowledgements: 
diff --git a/queries/Shortest paths from Entra Users to Tier Zero High Value targets.yml b/queries/Shortest paths from Entra Users to Tier Zero High Value targets.yml
index 45359b8..e1763eb 100644
--- a/queries/Shortest paths from Entra Users to Tier Zero High Value targets.yml
+++ b/queries/Shortest paths from Entra Users to Tier Zero High Value targets.yml
@@ -10,7 +10,6 @@ query: |-
 AND ((t:Tag_Tier_Zero) OR COALESCE(t.system_tags, '') CONTAINS 'admin_tier_0')
 RETURN p
 LIMIT 1000
-note:
 revision: 1
 resources:
 acknowledgements:
diff --git a/queries/Shortest paths from Owned objects to Tier Zero.yml b/queries/Shortest paths from Owned objects to Tier Zero.yml
index a31e89c..7ffb256 100644
--- a/queries/Shortest paths from Owned objects to Tier Zero.yml
+++ b/queries/Shortest paths from Owned objects to Tier Zero.yml
@@ -11,7 +11,6 @@ query: |-
 AND ((t:Tag_Tier_Zero) OR COALESCE(t.system_tags, '') CONTAINS 'admin_tier_0')
 RETURN p
 LIMIT 1000
-note:
 revision: 1
 resources:
 acknowledgements:
diff --git a/queries/Shortest paths from Owned objects.yml b/queries/Shortest paths from Owned objects.yml
index 20a103d..071cea8 100644
--- a/queries/Shortest paths from Owned objects.yml
+++ b/queries/Shortest paths from Owned objects.yml
@@ -10,7 +10,6 @@ query: |-
 AND s<>t
 RETURN p
 LIMIT 1000
-note:
 revision: 1
 resources:
 acknowledgements:
diff --git a/queries/Shortest paths to Azure Subscriptions.yml b/queries/Shortest paths to Azure Subscriptions.yml
index 0758049..1d0033a 100644
--- a/queries/Shortest paths to Azure Subscriptions.yml
+++ b/queries/Shortest paths to Azure Subscriptions.yml
@@ -9,7 +9,6 @@ query: |-
 WHERE s<>t
 RETURN p
 LIMIT 1000
-note:
 revision: 1
 resources:
 acknowledgements:
diff --git a/queries/Shortest paths to Domain Admins from Kerberoastable users.yml b/queries/Shortest paths to Domain Admins from Kerberoastable users.yml
index 4724c02..08be552 100644
--- a/queries/Shortest paths to Domain Admins from Kerberoastable users.yml
+++ b/queries/Shortest paths to Domain Admins from Kerberoastable users.yml @@ -14,7 +14,6 @@ query: |- AND t.objectid ENDS WITH '-512' RETURN p LIMIT 1000 -note: revision: 1 resources: acknowledgements: diff --git a/queries/Shortest paths to Domain Admins.yml b/queries/Shortest paths to Domain Admins.yml index e18a226..45748a6 100644 --- a/queries/Shortest paths to Domain Admins.yml +++ b/queries/Shortest paths to Domain Admins.yml @@ -9,7 +9,6 @@ query: |- WHERE t.objectid ENDS WITH '-512' AND s<>t RETURN p LIMIT 1000 -note: revision: 1 resources: acknowledgements: diff --git a/queries/Shortest paths to Tier Zero High Value targets.yml b/queries/Shortest paths to Tier Zero High Value targets.yml index 78bba46..cc165f3 100644 --- a/queries/Shortest paths to Tier Zero High Value targets.yml +++ b/queries/Shortest paths to Tier Zero High Value targets.yml @@ -9,7 +9,6 @@ query: |- WHERE s<>t RETURN p LIMIT 1000 -note: revision: 1 resources: acknowledgements: diff --git a/queries/Shortest paths to privileged roles.yml b/queries/Shortest paths to privileged roles.yml index 18bbcd8..35d4474 100644 --- a/queries/Shortest paths to privileged roles.yml +++ b/queries/Shortest paths to privileged roles.yml @@ -9,7 +9,6 @@ query: |- WHERE t.name =~ '(?i)Global Administrator|User Administrator|Cloud Application Administrator|Authentication Policy Administrator|Exchange Administrator|Helpdesk Administrator|Privileged Authentication Administrator' AND s<>t RETURN p LIMIT 1000 -note: revision: 1 resources: acknowledgements: diff --git a/queries/Shortest paths to systems trusted for unconstrained delegation.yml b/queries/Shortest paths to systems trusted for unconstrained delegation.yml index 3a7ea4d..de3ae5b 100644 --- a/queries/Shortest paths to systems trusted for unconstrained delegation.yml +++ b/queries/Shortest paths to systems trusted for unconstrained delegation.yml 
@@ -9,7 +9,6 @@ query: |- WHERE t.unconstraineddelegation = true AND s<>t RETURN p LIMIT 1000 -note: revision: 1 resources: acknowledgements: diff --git a/queries/Smart card accounts with passwords not rotated in over 1 year.yml b/queries/Smart card accounts with passwords not rotated in over 1 year.yml index 20e8dcf..955bab9 100644 --- a/queries/Smart card accounts with passwords not rotated in over 1 year.yml +++ b/queries/Smart card accounts with passwords not rotated in over 1 year.yml @@ -10,7 +10,6 @@ query: |- AND n.enabled = true AND n.smartcardrequired = true RETURN n -note: revision: 1 resources: acknowledgements: Martin Sohn Christensen, @martinsohndk diff --git a/queries/Tier Zero AD principals synchronized with Entra ID.yml b/queries/Tier Zero AD principals synchronized with Entra ID.yml index 3b58dbc..d5c426f 100644 --- a/queries/Tier Zero AD principals synchronized with Entra ID.yml +++ b/queries/Tier Zero AD principals synchronized with Entra ID.yml @@ -13,7 +13,6 @@ query: |- RETURN ENTRA // Replace 'RETURN ENTRA' with 'RETURN AD' to see the corresponding AD principals LIMIT 100 -note: revision: 1 resources: acknowledgements: diff --git a/queries/Tier Zero High Value enabled users not requiring smart card authentication.yml b/queries/Tier Zero High Value enabled users not requiring smart card authentication.yml index 400f080..9e69169 100644 --- a/queries/Tier Zero High Value enabled users not requiring smart card authentication.yml +++ b/queries/Tier Zero High Value enabled users not requiring smart card authentication.yml @@ -13,7 +13,6 @@ query: |- AND NOT u.name STARTS WITH 'PROVAGENTGMSA' // Removes false positive, Entra sync AND NOT u.name STARTS WITH 'ADSYNCMSA_' // Removes false positive, Entra sync RETURN u -note: revision: 1 resources: acknowledgements: diff --git a/queries/Tier Zero High Value external Entra ID users.yml b/queries/Tier Zero High Value external Entra ID users.yml index d7c0744..06e73af 100644 
--- a/queries/Tier Zero High Value external Entra ID users.yml
+++ b/queries/Tier Zero High Value external Entra ID users.yml
@@ -10,7 +10,6 @@ query: |-
 AND n.name CONTAINS '#EXT#@'
 RETURN n
 LIMIT 100
-note:
 revision: 1
 resources:
 acknowledgements:
diff --git a/queries/Tier Zero High Value users with non-expiring passwords.yml b/queries/Tier Zero High Value users with non-expiring passwords.yml
index 52bffb7..663ab98 100644
--- a/queries/Tier Zero High Value users with non-expiring passwords.yml
+++ b/queries/Tier Zero High Value users with non-expiring passwords.yml
@@ -10,7 +10,6 @@ query: |-
 AND u.pwdneverexpires = true
 RETURN u
 LIMIT 100
-note:
 revision: 1
 resources:
 acknowledgements:
diff --git a/queries/Tier Zero accounts not members of Denied RODC Password Replication Group.yml b/queries/Tier Zero accounts not members of Denied RODC Password Replication Group.yml
index eccbfc3..2831cc1 100644
--- a/queries/Tier Zero accounts not members of Denied RODC Password Replication Group.yml
+++ b/queries/Tier Zero accounts not members of Denied RODC Password Replication Group.yml
@@ -14,7 +14,6 @@ query: |-
 WITH n, m
 WHERE m IS NULL
 RETURN n
-note:
 revision: 1
 resources:
 acknowledgements: Martin Sohn Christensen, @martinsohndk
diff --git a/queries/Tier Zero accounts that can be delegated.yml b/queries/Tier Zero accounts that can be delegated.yml
index 6446fdb..f9f56bb 100644
--- a/queries/Tier Zero accounts that can be delegated.yml
+++ b/queries/Tier Zero accounts that can be delegated.yml
@@ -14,7 +14,6 @@ query: |-
 WITH m, COLLECT(n) AS matchingNs
 WHERE NONE(n IN matchingNs WHERE n.objectid = m.objectid)
 RETURN m
-note:
 revision: 1
 resources:
 acknowledgements: Martin Sohn Christensen, @martinsohndk
diff --git a/queries/Tier Zero computers at risk of constrained delegation.yml b/queries/Tier Zero computers at risk of constrained delegation.yml
index 31229a7..e7b9644 100644
--- a/queries/Tier Zero computers at risk of constrained delegation.yml
+++ b/queries/Tier Zero computers at risk of constrained delegation.yml
@@ -8,7 +8,6 @@ query: |-
 MATCH p = (n:Computer)<-[:AllowedToDelegate]-(:Base)
 WHERE ((n:Tag_Tier_Zero) OR COALESCE(n.system_tags, '') CONTAINS 'admin_tier_0')
 RETURN p
-note:
 revision: 1
 resources:
 acknowledgements: Martin Sohn Christensen, @martinsohndk
diff --git a/queries/Tier Zero computers at risk of resource-based constrained delegation.yml b/queries/Tier Zero computers at risk of resource-based constrained delegation.yml
index d8d7c1f..68101d8 100644
--- a/queries/Tier Zero computers at risk of resource-based constrained delegation.yml
+++ b/queries/Tier Zero computers at risk of resource-based constrained delegation.yml
@@ -8,7 +8,6 @@ query: |-
 MATCH p = (n:Computer)<-[:AllowedToAct]-(:Base)
 WHERE ((n:Tag_Tier_Zero) OR COALESCE(n.system_tags, '') CONTAINS 'admin_tier_0')
 RETURN p
-note:
 revision: 1
 resources:
 acknowledgements: Martin Sohn Christensen, @martinsohndk
diff --git a/queries/Tier Zero computers not owned by Tier Zero.yml b/queries/Tier Zero computers not owned by Tier Zero.yml
index fa14b45..58377e4 100644
--- a/queries/Tier Zero computers not owned by Tier Zero.yml
+++ b/queries/Tier Zero computers not owned by Tier Zero.yml
@@ -8,7 +8,6 @@ query: |-
 MATCH p=(n:Base)-[:Owns]->(:Computer)
 WHERE NOT coalesce(n.system_tags, "") CONTAINS "admin_tier_0"
 RETURN p
-note:
 revision: 1
 resources:
 acknowledgements: Martin Sohn Christensen, @martinsohndk
diff --git a/queries/Tier Zero computers not requiring inbound SMB signing.yml b/queries/Tier Zero computers not requiring inbound SMB signing.yml
index dc77455..49357d0 100644
--- a/queries/Tier Zero computers not requiring inbound SMB signing.yml
+++ b/queries/Tier Zero computers not requiring inbound SMB signing.yml
@@ -9,7 +9,6 @@ query: |- WHERE n.smbsigning = False AND ((n:Tag_Tier_Zero) OR COALESCE(n.system_tags, '') CONTAINS 'admin_tier_0') RETURN n -note: revision: 1 resources: acknowledgements: Martin Sohn Christensen, @martinsohndk diff --git a/queries/Tier Zero computers with passwords older than the default maximum password age.yml b/queries/Tier Zero computers with passwords older than the default maximum password age.yml index b038387..9dcbec7 100644 --- a/queries/Tier Zero computers with passwords older than the default maximum password age.yml +++ b/queries/Tier Zero computers with passwords older than the default maximum password age.yml @@ -11,7 +11,6 @@ query: |- AND n.pwdlastset < (datetime().epochseconds - (60 * 3 * 86400)) AND coalesce(n.system_tags, "") CONTAINS "admin_tier_0" RETURN n -note: revision: 1 resources: acknowledgements: Martin Sohn Christensen, @martinsohndk diff --git a/queries/Tier Zero computers with the WebClient running.yml b/queries/Tier Zero computers with the WebClient running.yml index c87bca4..816baf1 100644 --- a/queries/Tier Zero computers with the WebClient running.yml +++ b/queries/Tier Zero computers with the WebClient running.yml @@ -9,7 +9,6 @@ query: |- WHERE c.webclientrunning = True AND ((c:Tag_Tier_Zero) OR COALESCE(c.system_tags, '') CONTAINS 'admin_tier_0') RETURN c LIMIT 1000 -note: revision: 1 resources: acknowledgements: Martin Sohn Christensen, @martinsohndk diff --git a/queries/Tier Zero computers with unsupported operating systems.yml b/queries/Tier Zero computers with unsupported operating systems.yml index 9252812..665a6ba 100644 --- a/queries/Tier Zero computers with unsupported operating systems.yml +++ b/queries/Tier Zero computers with unsupported operating systems.yml @@ -10,7 +10,6 @@ query: |- AND ((c:Tag_Tier_Zero) OR COALESCE(c.system_tags, '') CONTAINS 'admin_tier_0') RETURN c LIMIT 100 -note: revision: 1 resources: acknowledgements: Martin Sohn Christensen, @martinsohndk 
diff --git a/queries/Tier Zero users not member of Protected Users.yml b/queries/Tier Zero users not member of Protected Users.yml
index 99a1c70..2f05a72 100644
--- a/queries/Tier Zero users not member of Protected Users.yml
+++ b/queries/Tier Zero users not member of Protected Users.yml
@@ -12,7 +12,6 @@ query: |-
 WITH m, COLLECT(n) AS matchingNs
 WHERE NONE(n IN matchingNs WHERE n.objectid = m.objectid)
 RETURN m
-note:
 revision: 1
 resources:
 acknowledgements: Martin Sohn Christensen, @martinsohndk
diff --git a/queries/Tier Zero users with email.yml b/queries/Tier Zero users with email.yml
index d12dd0a..8d3d336 100644
--- a/queries/Tier Zero users with email.yml
+++ b/queries/Tier Zero users with email.yml
@@ -23,7 +23,6 @@ query: |-
 OR n.name STARTS WITH "HEALTHMAILBOX")
 )
 RETURN n
-note:
 revision: 1
 resources:
 acknowledgements: Martin Sohn Christensen, @martinsohndk
diff --git a/queries/Tier Zero users with passwords not rotated in over 1 year.yml b/queries/Tier Zero users with passwords not rotated in over 1 year.yml
index ffa03e4..c82c40f 100644
--- a/queries/Tier Zero users with passwords not rotated in over 1 year.yml
+++ b/queries/Tier Zero users with passwords not rotated in over 1 year.yml
@@ -12,7 +12,6 @@ query: |-
 AND NOT u.pwdlastset IN [-1.0, 0.0]
 RETURN u
 LIMIT 100
-note:
 revision: 1
 resources:
 acknowledgements: Martin Sohn Christensen, @martinsohndk
diff --git a/queries/Trace ACE inheritance.yml b/queries/Trace ACE inheritance.yml
index 55b3dba..a8f01a6 100644
--- a/queries/Trace ACE inheritance.yml
+++ b/queries/Trace ACE inheritance.yml
@@ -11,7 +11,6 @@ query: |-
 MATCH p=()-[:GenericAll {isacl:true,isinherited:false}]->()-[:Contains*1..]->(:Base{objectid:OID})
 WHERE NONE(ou in NODES(p) WHERE ou:OU AND ou.isaclprotected IS NOT NULL)
 RETURN p
-note:
 revision: 1
 resources:
 acknowledgements: Walter.Legowski, @SadProcessor
diff --git a/queries/Unresolved SID with outbound control.yml b/queries/Unresolved SID with outbound control.yml
index 58fa6de..652a0e0 100644
--- a/queries/Unresolved SID with outbound control.yml
+++ b/queries/Unresolved SID with outbound control.yml
@@ -10,7 +10,6 @@ query: |-
 AND n.name CONTAINS "S-1-5-21-" // Unresolved SID
 RETURN p
 LIMIT 1000
-note:
 revision: 1
 resources:
 acknowledgements: Martin Sohn Christensen, @martinsohndk
diff --git a/queries/Usage of built-in domain Administrator account.yml b/queries/Usage of built-in domain Administrator account.yml
index 1a6713a..867404a 100644
--- a/queries/Usage of built-in domain Administrator account.yml
+++ b/queries/Usage of built-in domain Administrator account.yml
@@ -13,7 +13,6 @@ query: |-
 )
 AND NOT n.whencreated > (datetime().epochseconds - (60 * 86400))
 RETURN n
-note:
 revision: 1
 resources:
 acknowledgements: Martin Sohn Christensen, @martinsohndk
diff --git a/queries/Users which do not require password to authenticate.yml b/queries/Users which do not require password to authenticate.yml
index 9ab6688..617f746 100644
--- a/queries/Users which do not require password to authenticate.yml
+++ b/queries/Users which do not require password to authenticate.yml
@@ -9,7 +9,6 @@ query: |-
 WHERE u.passwordnotreqd = true
 RETURN u
 LIMIT 100
-note:
 revision: 1
 resources:
 acknowledgements:
diff --git a/queries/Users with logon scripts stored in a trusted domain.yml b/queries/Users with logon scripts stored in a trusted domain.yml
index 6dbba8d..0df3640 100644
--- a/queries/Users with logon scripts stored in a trusted domain.yml
+++ b/queries/Users with logon scripts stored in a trusted domain.yml
@@ -11,7 +11,6 @@ query: |-
 WITH n,last(split(d.name, '@')) AS domain
 WHERE toUpper(n.logonscript) STARTS WITH ("\\\\" + domain + "\\")
 RETURN n
-note:
 revision: 1
 resources:
 acknowledgements: Martin Sohn Christensen, @martinsohndk
diff --git a/queries/Users with non-default Primary Group membership.yml b/queries/Users with non-default Primary Group membership.yml index ae9a6f6..190f7aa 100644 --- a/queries/Users with non-default Primary Group membership.yml +++ b/queries/Users with non-default Primary Group membership.yml @@ -12,7 +12,6 @@ query: |- AND (n.gmsa IS NULL OR n.gmsa = false) // Not gMSA, as it has primaryGroup to Domain Computers AND (n.msa IS NULL OR n.msa = false) // Not MSA, as it has primaryGroup to Domain Computers RETURN p -note: revision: 1 resources: acknowledgements: Martin Sohn Christensen, @martinsohndk diff --git a/queries/Users with non-expiring passwords.yml b/queries/Users with non-expiring passwords.yml index 83613f0..9f070d7 100644 --- a/queries/Users with non-expiring passwords.yml +++ b/queries/Users with non-expiring passwords.yml @@ -10,7 +10,6 @@ query: |- AND u.pwdneverexpires = true RETURN u LIMIT 100 -note: revision: 1 resources: acknowledgements: Martin Sohn Christensen, @martinsohndk diff --git a/queries/Users with passwords not rotated in over 1 year.yml b/queries/Users with passwords not rotated in over 1 year.yml index 1c86bc2..5d92b81 100644 --- a/queries/Users with passwords not rotated in over 1 year.yml +++ b/queries/Users with passwords not rotated in over 1 year.yml @@ -11,7 +11,6 @@ query: |- AND NOT u.pwdlastset IN [-1.0, 0.0] RETURN u LIMIT 100 -note: revision: 1 resources: acknowledgements: diff --git a/queries/Workstations where Domain Users can RDP.yml b/queries/Workstations where Domain Users can RDP.yml index b688bd9..3674fd8 100644 --- a/queries/Workstations where Domain Users can RDP.yml +++ b/queries/Workstations where Domain Users can RDP.yml @@ -9,7 +9,6 @@ query: |- WHERE s.objectid ENDS WITH '-513' AND NOT toUpper(t.operatingsystem) CONTAINS 'SERVER' RETURN p LIMIT 1000 -note: revision: 1 resources: acknowledgements: diff --git a/tests/schema.py b/tests/schema.py index fff9509..0cfbbaa 100644 --- a/tests/schema.py 
+++ b/tests/schema.py
@@ -13,7 +13,6 @@ class CypherQuery(BaseModel):
 description: Optional[str] = None
 query: str
 revision: int
- note: Optional[str] = None
 resources: Optional[Union[str, list[str]]] = None
 acknowledgements: Optional[Union[str, list[str]]] = None