SpecterOps · d3vzer0 · Jun 13, 2025 · Jun 13, 2025
diff --git a/docs/query-structure.yml b/docs/query-structure.yml
@@ -13,7 +13,6 @@ query: |-
   // My clean and well-commented Cypher query
   MATCH p = (b:BloodHoundUsers) - [h:ThinkIn] -> (e:Graphs)
   RETURN p
-note: Note meant to be stored only in the yml file.
 revision: 1 # Version number integer starting at 1.
 resources:  # URL references, for example related to Acknowledgements.
 # Use a list for multiple Resources:

diff --git a/queries/ACEs across trusts.yml b/queries/ACEs across trusts.yml
@@ -10,7 +10,6 @@ query: |-
   AND r.isacl
   RETURN p
   LIMIT 1000
-note: 
 revision: 1
 resources: 
 acknowledgements: Martin Sohn Christensen, @martinsohndk

diff --git a/queries/AS-REP Roastable Tier Zero users (DontReqPreAuth).yml b/queries/AS-REP Roastable Tier Zero users (DontReqPreAuth).yml
@@ -9,7 +9,6 @@ query: |-
   WHERE ((n:Tag_Tier_Zero) OR COALESCE(n.system_tags, '') CONTAINS 'admin_tier_0')
   AND n.dontreqpreauth = true
   RETURN n
-note: 
 revision: 1
 resources: https://attack.mitre.org/techniques/T1558/004/
 acknowledgements: Martin Sohn Christensen, @martinsohndk

diff --git a/queries/AS-REP Roastable users (DontReqPreAuth).yml b/queries/AS-REP Roastable users (DontReqPreAuth).yml
@@ -10,7 +10,6 @@ query: |-
   AND u.enabled = true
   RETURN u
   LIMIT 100
-note: 
 revision: 1
 resources: https://attack.mitre.org/techniques/T1558/004/
 acknowledgements: 

diff --git a/queries/Accounts with SID History to a non-existent domain.yml b/queries/Accounts with SID History to a non-existent domain.yml
@@ -10,7 +10,6 @@ query: |-
   MATCH p=(n:Base)-[:HasSIDHistory]->(m:Base)
   WHERE NOT n.domainsid IN domainSIDs
   RETURN p
-note: 
 revision: 1
 resources: 
 acknowledgements: Martin Sohn Christensen, @martinsohndk

diff --git a/queries/Accounts with SID History to a same-domain account.yml b/queries/Accounts with SID History to a same-domain account.yml
@@ -8,7 +8,6 @@ query: |-
   MATCH p=(n:Base)-[:HasSIDHistory]->(m:Base)
   WHERE n.domainsid = m.domainsid
   RETURN p
-note: 
 revision: 1
 resources: 
 acknowledgements: Martin Sohn Christensen, @martinsohndk

diff --git a/queries/Accounts with SID History.yml b/queries/Accounts with SID History.yml
@@ -7,7 +7,6 @@ description:
 query: |-
   MATCH p=(:Base)-[:HasSIDHistory]->(:Base)
   RETURN p
-note: 
 revision: 1
 resources: 
 acknowledgements: Martin Sohn Christensen, @martinsohndk

diff --git a/queries/Accounts with clear-text password attributes.yml b/queries/Accounts with clear-text password attributes.yml
@@ -11,7 +11,6 @@ query: |-
   OR n.unicodepwd IS NOT NULL
   OR n.msSFU30Password IS NOT NULL
   RETURN n
-note: 
 revision: 1
 resources: 
 acknowledgements: Martin Sohn Christensen, @martinsohndk

diff --git a/queries/Accounts with weak password storage encryption.yml b/queries/Accounts with weak password storage encryption.yml
@@ -12,7 +12,6 @@ query: |-
   AND n.pwdlastset < g.whencreated
   RETURN n
   LIMIT 100
-note: 
 revision: 1
 resources: https://techcommunity.microsoft.com/blog/coreinfrastructureandsecurityblog/decrypting-the-selection-of-supported-kerberos-encryption-types/1628797
 acknowledgements: Martin Sohn Christensen, @martinsohndk

diff --git a/queries/AdminSDHolder protected Accounts and Groups.yml b/queries/AdminSDHolder protected Accounts and Groups.yml
@@ -12,7 +12,6 @@ query: |-
     OR n.objectid =~ ".*-(500|502|516|521)$" // Direct objects
   )
   RETURN n
-note: 
 revision: 1
 resources:
 - https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-adts/a0d0b4fa-2895-4c64-b182-ba64ad0f84b8

diff --git a/queries/All ADCS ESC privilege escalation edges.yml b/queries/All ADCS ESC privilege escalation edges.yml
@@ -7,7 +7,6 @@ description:
 query: |-
   MATCH p=(:Base)-[:ADCSESC1|ADCSESC3|ADCSESC4|ADCSESC6a|ADCSESC6b|ADCSESC9a|ADCSESC9b|ADCSESC10a|ADCSESC10b|ADCSESC13|GoldenCert|CoerceAndRelayNTLMToADCS]->(:Base)
   RETURN p
-note: 
 revision: 1
 resources:
 - https://posts.specterops.io/certified-pre-owned-d95910965cd2

diff --git a/queries/All DNSAdmins.yml b/queries/All DNSAdmins.yml
@@ -8,7 +8,6 @@ query: |-
   MATCH p=(n:Base)-[:MemberOf]->(g:Group) 
   WHERE n.name STARTS WITH "DNSADMINS@"
   RETURN p
-note: 
 revision: 1
 resources: 
 acknowledgements: Martin Sohn Christensen, @martinsohndk

diff --git a/queries/All Domain Admins.yml b/queries/All Domain Admins.yml
@@ -9,7 +9,6 @@ query: |-
   WHERE (a:User or a:Computer) and t.objectid ENDS WITH '-512'
   RETURN p
   LIMIT 1000
-note: 
 revision: 1
 resources: 
 acknowledgements: 

diff --git a/queries/All Global Administrators.yml b/queries/All Global Administrators.yml
@@ -8,7 +8,6 @@ query: |-
   MATCH p = (:AZBase)-[:AZGlobalAdmin*1..]->(:AZTenant)
   RETURN p
   LIMIT 1000
-note: 
 revision: 1
 resources: 
 acknowledgements: 

diff --git a/queries/All Kerberoastable users.yml b/queries/All Kerberoastable users.yml
@@ -13,7 +13,6 @@ query: |-
   AND NOT COALESCE(u.msa, false) = true
   RETURN u
   LIMIT 100
-note: 
 revision: 1
 resources: https://attack.mitre.org/techniques/T1558/003/
 acknowledgements: 

diff --git a/queries/All Operator groups.yml b/queries/All Operator groups.yml
@@ -16,7 +16,6 @@ query: |-
     n.objectid ENDS WITH 'S-1-5-32-550' // Print Operators
   )
   RETURN p
-note: 
 revision: 1
 resources: 
 acknowledgements: Martin Sohn Christensen, @martinsohndk

diff --git a/queries/All Schema Admins.yml b/queries/All Schema Admins.yml
@@ -9,7 +9,6 @@ query: |-
   WHERE (n:User OR n:Computer)
   AND m.objectid ENDS WITH "-518" // Schema Admins
   RETURN p
-note: 
 revision: 1
 resources: 
 acknowledgements: Martin Sohn Christensen, @martinsohndk

diff --git a/queries/All coerce and NTLM relay edges.yml b/queries/All coerce and NTLM relay edges.yml
@@ -7,7 +7,6 @@ description:
 query: |-
   MATCH p = (n:Base)-[:CoerceAndRelayNTLMToLDAP|CoerceAndRelayNTLMToLDAPS|CoerceAndRelayNTLMToADCS|CoerceAndRelayNTLMToSMB]->(:Base)
   RETURN p LIMIT 500
-note: 
 revision: 1
 resources: https://specterops.io/blog/2025/04/08/the-renaissance-of-ntlm-relay-attacks-everything-you-need-to-know/
 acknowledgements: 

diff --git a/queries/All incoming and local paths for a specific computer.yml b/queries/All incoming and local paths for a specific computer.yml
@@ -10,7 +10,6 @@ query: |-
   WHERE m.name CONTAINS 'HOSTNAME'
   AND m.name CONTAINS '.' // Only see computer-related objects (eg. not AD Groups)
   RETURN p
-note: 
 revision: 1
 resources: 
 acknowledgements: Martin Sohn Christensen, @martinsohndk

diff --git a/queries/All members of high privileged roles.yml b/queries/All members of high privileged roles.yml
@@ -9,7 +9,6 @@ query: |-
   WHERE t.name =~ '(?i)Global Administrator|User Administrator|Cloud Application Administrator|Authentication Policy Administrator|Exchange Administrator|Helpdesk Administrator|Privileged Authentication Administrator'
   RETURN p
   LIMIT 1000
-note: 
 revision: 1
 resources: 
 acknowledgements: 

diff --git a/queries/All paths crossing a specific trust.yml b/queries/All paths crossing a specific trust.yml
@@ -12,7 +12,6 @@ query: |-
   AND Trusting.domainsid = 'S-1-5-21-2222222222-2222222222-2222222222'
   RETURN p
   LIMIT 1000
-note: 
 revision: 1
 resources: 
 acknowledgements: Martin Sohn Christensen, @martinsohndk

diff --git a/queries/All service principals with Microsoft Graph App Role assignments.yml b/queries/All service principals with Microsoft Graph App Role assignments.yml
@@ -8,7 +8,6 @@ query: |-
   MATCH p=(:AZServicePrincipal)-[:AZMGAppRoleAssignment_ReadWrite_All|AZMGApplication_ReadWrite_All|AZMGDirectory_ReadWrite_All|AZMGGroupMember_ReadWrite_All|AZMGGroup_ReadWrite_All|AZMGRoleManagement_ReadWrite_Directory|AZMGServicePrincipalEndpoint_ReadWrite_All]->(:AZServicePrincipal)
   RETURN p
   LIMIT 1000
-note: 
 revision: 1
 resources: 
 acknowledgements: 

diff --git a/...es/All service principals with Microsoft Graph privilege to grant arbitrary App Roles.yml b/...es/All service principals with Microsoft Graph privilege to grant arbitrary App Roles.yml
@@ -8,7 +8,6 @@ query: |-
   MATCH p=(:AZServicePrincipal)-[:AZMGGrantAppRoles]->(:AZTenant)
   RETURN p
   LIMIT 1000
-note: 
 revision: 1
 resources: 
 acknowledgements: 

diff --git a/queries/CA administrators and CA managers.yml b/queries/CA administrators and CA managers.yml
@@ -8,7 +8,6 @@ query: |-
   MATCH p = (:Base)-[:ManageCertificates|ManageCA]->(:EnterpriseCA)
   RETURN p
   LIMIT 1000
-note: 
 revision: 1
 resources: 
 acknowledgements: 

diff --git a/queries/Computer owners who can obtain LAPS passwords.yml b/queries/Computer owners who can obtain LAPS passwords.yml
@@ -8,7 +8,6 @@ query: |-
   MATCH p = (c:Computer)<-[:GenericAll|Owns|WriteDacl|WriteOwner|AllExtendedRights]-(n:User)
   WHERE c.haslaps = true AND c.ownersid = n.objectid
   RETURN p
-note: 
 revision: 1
 resources: 
 acknowledgements: Martin Sohn Christensen, @martinsohndk

diff --git a/queries/Computers not requiring inbound SMB signing.yml b/queries/Computers not requiring inbound SMB signing.yml
@@ -8,7 +8,6 @@ query: |-
   MATCH (n:Computer)
   WHERE n.smbsigning = False
   RETURN n
-note: 
 revision: 1
 resources: 
 acknowledgements: 

diff --git a/queries/Computers where Domain Users are local administrators.yml b/queries/Computers where Domain Users are local administrators.yml
@@ -9,7 +9,6 @@ query: |-
   WHERE s.objectid ENDS WITH '-513'
   RETURN p
   LIMIT 1000
-note: 
 revision: 1
 resources: 
 acknowledgements: 

diff --git a/queries/Computers where Domain Users can read LAPS passwords.yml b/queries/Computers where Domain Users can read LAPS passwords.yml
@@ -9,7 +9,6 @@ query: |-
   WHERE s.objectid ENDS WITH '-513'
   RETURN p
   LIMIT 1000
-note: 
 revision: 1
 resources: 
 acknowledgements: 

diff --git a/queries/Computers with membership in Protected Users.yml b/queries/Computers with membership in Protected Users.yml
@@ -8,7 +8,6 @@ query: |-
   MATCH p = (:Base)-[:MemberOf*1..]->(g:Group)
   WHERE g.objectid ENDS WITH "-525"
   RETURN p LIMIT 1000
-note: 
 revision: 1
 resources: 
 acknowledgements: 

diff --git a/queries/Computers with non-default Primary Group membership.yml b/queries/Computers with non-default Primary Group membership.yml
@@ -11,7 +11,6 @@ query: |-
   AND NOT g.objectid ENDS WITH "-521" // Read-Only Domain Controllers
   AND r.isprimarygroup = true
   RETURN p
-note: 
 revision: 1
 resources: 
 acknowledgements: Martin Sohn Christensen, @martinsohndk

diff --git a/queries/Computers with passwords older than the default maximum password age.yml b/queries/Computers with passwords older than the default maximum password age.yml
@@ -13,7 +13,6 @@ query: |-
   AND n.lastlogontimestamp > (datetime().epochseconds - (rotation_period * 86400)) // active computers (Replicated value)
   AND n.lastlogon > (datetime().epochseconds - (rotation_period * 86400)) // active computers (Non-replicated value)
   RETURN n
-note: 
 revision: 1
 resources: https://learn.microsoft.com/en-us/troubleshoot/windows-server/windows-security/disable-machine-account-password
 acknowledgements: Martin Sohn Christensen, @martinsohndk

diff --git a/queries/Computers with the WebClient running.yml b/queries/Computers with the WebClient running.yml
@@ -8,7 +8,6 @@ query: |-
   MATCH (c:Computer)
   WHERE c.webclientrunning = True
   RETURN c LIMIT 1000
-note: 
 revision: 1
 resources: 
 acknowledgements: 

diff --git a/queries/Computers with the outgoing NTLM setting set to Deny all.yml b/queries/Computers with the outgoing NTLM setting set to Deny all.yml
@@ -8,7 +8,6 @@ query: |-
   MATCH (c:Computer)
   WHERE c.restrictoutboundntlm = True
   RETURN c LIMIT 1000
-note: 
 revision: 1
 resources: 
 acknowledgements: 

diff --git a/queries/Computers with unsupported operating systems.yml b/queries/Computers with unsupported operating systems.yml
@@ -9,7 +9,6 @@ query: |-
   WHERE c.operatingsystem =~ '(?i).*Windows.* (2000|2003|2008|2012|xp|vista|7|8|me|nt).*'
   RETURN c
   LIMIT 100
-note: 
 revision: 1
 resources: 
 acknowledgements: 

diff --git a/queries/Computers without Windows LAPS.yml b/queries/Computers without Windows LAPS.yml
@@ -11,7 +11,6 @@ query: |-
   AND c.enabled = true
   RETURN c
   LIMIT 100
-note: 
 revision: 1
 resources: https://learn.microsoft.com/en-us/windows-server/identity/laps/laps-overview
 acknowledgements: Martin Sohn Christensen, @martinsohndk

diff --git a/queries/Cross-forest trusts with abusable configuration.yml b/queries/Cross-forest trusts with abusable configuration.yml
@@ -8,7 +8,6 @@ query: |-
   MATCH p=(n:Domain)-[:CrossForestTrust|SpoofSIDHistory|AbuseTGTDelegation]-(m:Domain)
   WHERE (n)-[:SpoofSIDHistory|AbuseTGTDelegation]-(m)
   RETURN p
-note: 
 revision: 1
 resources: 
 acknowledgements: 

diff --git a/queries/DCs vulnerable to NTLM relay to LDAP attacks.yml b/queries/DCs vulnerable to NTLM relay to LDAP attacks.yml
@@ -10,7 +10,6 @@ query: |-
   OR (dc.ldapsavailable = True AND dc.ldapsepa = False)
   OR (dc.ldapavailable = True AND dc.ldapsavailable = True AND dc.ldapsigning = False and dc.ldapsepa = True)
   RETURN p
-note: 
 revision: 1
 resources: 
 acknowledgements: 

diff --git a/queries/Dangerous privileges for Domain Users groups.yml b/queries/Dangerous privileges for Domain Users groups.yml
@@ -9,7 +9,6 @@ query: |-
   WHERE s.objectid ENDS WITH '-513'
   RETURN p
   LIMIT 1000
-note: 
 revision: 1
 resources: 
 acknowledgements: 

diff --git a/queries/Devices with unsupported operating systems.yml b/queries/Devices with unsupported operating systems.yml
@@ -10,7 +10,6 @@ query: |-
   AND n.operatingsystemversion =~ '(10.0.19044|10.0.22000|10.0.19043|10.0.19042|10.0.19041|10.0.18363|10.0.18362|10.0.17763|10.0.17134|10.0.16299|10.0.15063|10.0.14393|10.0.10586|10.0.10240|6.3.9600|6.2.9200|6.1.7601|6.0.6200|5.1.2600|6.0.6003|5.2.3790|5.0.2195).?.*'
   RETURN n
   LIMIT 100
-note: 
 revision: 1
 resources: 
 acknowledgements: 

diff --git a/queries/Disabled Tier Zero High Value principals - AD.yml b/queries/Disabled Tier Zero High Value principals - AD.yml
@@ -12,7 +12,6 @@ query: |-
   AND NOT n.objectid ENDS WITH '-500' // Removes false positive, built-in Administrator
   RETURN n
   LIMIT 100
-note: 
 revision: 1
 resources: 
 acknowledgements: 

diff --git a/queries/Disabled Tier Zero High Value principals - AZ.yml b/queries/Disabled Tier Zero High Value principals - AZ.yml
@@ -10,7 +10,6 @@ query: |-
   AND n.enabled = false
   RETURN n
   LIMIT 100
-note: 
 revision: 1
 resources: 
 acknowledgements: 

diff --git a/queries/Domain Admins logons to non-Domain Controllers.yml b/queries/Domain Admins logons to non-Domain Controllers.yml
@@ -12,7 +12,6 @@ query: |-
   WHERE g.objectid ENDS WITH '-512' AND NOT c IN exclude
   RETURN p
   LIMIT 1000
-note: 
 revision: 1
 resources: 
 acknowledgements: 

diff --git a/queries/Domain Controllers allowing NTLMv1 or LM authentication.yml b/queries/Domain Controllers allowing NTLMv1 or LM authentication.yml
@@ -9,7 +9,6 @@ query: |-
   WHERE dc.isdc = true
   AND (dc.lmcompatibilitylevel IS NOT NULL AND NOT dc.lmcompatibilitylevel = 5)
   RETURN dc
-note: 
 revision: 1
 resources: 
 acknowledgements: Martin Sohn Christensen, @martinsohndk

diff --git a/queries/Domain controllers with UPN certificate mapping enabled.yml b/queries/Domain controllers with UPN certificate mapping enabled.yml
@@ -9,7 +9,6 @@ query: |-
   WHERE s.certificatemappingmethodsraw IN [4, 5, 6, 7, 12, 13, 14, 15, 20, 21, 22, 23, 28, 29, 30, 31]
   RETURN p
   LIMIT 1000
-note: 
 revision: 1
 resources:
 - https://support.microsoft.com/en-us/topic/kb5014754-certificate-based-authentication-changes-on-windows-domain-controllers-ad2c23b0-15d8-4340-a468-4d4f3b188f16

diff --git a/queries/Domain controllers with weak certificate binding enabled.yml b/queries/Domain controllers with weak certificate binding enabled.yml
@@ -9,7 +9,6 @@ query: |-
   WHERE s.strongcertificatebindingenforcementraw = 0 OR s.strongcertificatebindingenforcementraw = 1
   RETURN p
   LIMIT 1000
-note: 
 revision: 1
 resources: 
 acknowledgements: 

diff --git a/queries/Domain migration groups.yml b/queries/Domain migration groups.yml
@@ -8,7 +8,6 @@ query: |-
   MATCH (n:Group)
   WHERE n.name CONTAINS "$$$@"
   RETURN n
-note: 
 revision: 1
 resources: 
 acknowledgements: Martin Sohn Christensen, @martinsohndk

diff --git a/queries/Domains affected by AdPrep privilege escalation risk.yml b/queries/Domains affected by AdPrep privilege escalation risk.yml
@@ -9,7 +9,6 @@ query: |-
   WHERE n.objectid ENDS WITH "-527" // Enterprise Key Admins
   AND NOT ((n:Tag_Tier_Zero) OR COALESCE(n.system_tags, '') CONTAINS 'admin_tier_0')
   RETURN p
-note: 
 revision: 1
 resources: 
 acknowledgements: Martin Sohn Christensen, @martinsohndk

diff --git a/queries/Domains affected by Exchange privilege escalation risk.yml b/queries/Domains affected by Exchange privilege escalation risk.yml
@@ -9,7 +9,6 @@ query: |-
   WHERE n.name STARTS WITH "EXCHANGE "
   AND ((m:Tag_Tier_Zero) OR COALESCE(m.system_tags, '') CONTAINS 'admin_tier_0')
   RETURN p
-note: 
 revision: 1
 resources: 
 acknowledgements: Martin Sohn Christensen, @martinsohndk

diff --git a/queries/Domains allowing authenticated domain enumeration.yml b/queries/Domains allowing authenticated domain enumeration.yml
@@ -9,7 +9,6 @@ query: |-
   WHERE n.objectid ENDS WITH "S-1-5-11" // Authenticated Users
   AND m.objectid ENDS WITH "S-1-5-32-554" // Pre-Windows 2000 Compatible Access
   RETURN p
-note: 
 revision: 1
 resources: 
 acknowledgements: Martin Sohn Christensen, @martinsohndk

diff --git a/queries/Domains allowing unauthenticated NSPI RPC binds.yml b/queries/Domains allowing unauthenticated NSPI RPC binds.yml
@@ -8,7 +8,6 @@ query: |-
   MATCH (n:Domain)
   WHERE n.dsheuristics =~ ".{7}[^0].*"
   RETURN n
-note: 
 revision: 1
 resources: https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-adts/e5899be4-862e-496f-9a38-33950617d2c5
 acknowledgements: Martin Sohn Christensen, @martinsohndk