diff --git a/queries/Collection health of CA Registry Data.yml b/queries/Collection health of CA Registry Data.yml
index 3b084ad..a50e48e 100644
--- a/queries/Collection health of CA Registry Data.yml
+++ b/queries/Collection health of CA Registry Data.yml
@@ -3,20 +3,20 @@ guid: c8dd3479-8063-450a-9456-557bc5f39e10
 prebuilt: false
 platforms: Active Directory
 category: Domain Information
-description: BloodHound's ADCS analysis requires collecting CA registry data to increase accuracy/enable more edges. Collection by default requires SharpHound has Administrators membership. Requires SharpHound v2.3.5 or above. It only requires one misconfigured CA to potentially a full forest compromise by any principal. CAs returned by this query have not been collected.
+description: BloodHound's ADCS analysis requires collecting CA registry data to increase accuracy/enable more edges. Collection by default requires SharpHound has Administrators membership. Requires SharpHound v2.3.5 or above. It only requires one misconfigured CA to potentially a full forest compromise by any principal. EnterpriseCAs returned by this query have an incomplete collection for one or more of the queried attributes.
 query: |-
 MATCH p=(eca:EnterpriseCA)<-[:HostsCAService]-(c:Computer)
 WHERE (
- eca.isuserspecifiessanenabledcollected = false
- OR eca.casecuritycollected = false
- OR eca.enrollmentagentrestrictionscollected = false
- OR eca.roleseparationenabledcollected = false
+ NOT eca.casecuritycollected = true
+ OR NOT eca.enrollmentagentrestrictionscollected = true
+ OR NOT eca.isuserspecifiessanenabledcollected = true
+ OR NOT eca.roleseparationenabledcollected = true
 )
 // Exclude inactive CAs
 AND c.enabled = true
 AND c.lastlogontimestamp > (datetime().epochseconds - (30 * 86400))
 RETURN p
-revision: 1
+revision: 2
 resources: https://bloodhound.specterops.io/collect-data/enterprise-collection/permissions#ca-registry
 acknowledgements: Martin Sohn Christensen, @martinsohndk
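Review bot: The four rewritten predicates still miss an attribute that was never written: in Cypher `eca.casecuritycollected = true` is NULL when the property is absent, `NOT NULL` is still NULL, and the WHERE drops the row, so a CA with no collection attribute at all is reported as healthy — the opposite of what the new description ("incomplete collection for one or more of the queried attributes") promises, assuming a never-collected CA simply lacks the property, which I cannot confirm from here. The DC query in this same commit handles the absent case explicitly with `IS NULL`. If both `false` and missing should be flagged, `NOT COALESCE(eca.casecuritycollected, false)` (and the same form for the other three) says so in one line each. The description would also read better as "to potentially lead to a full forest compromise".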
diff --git a/queries/Collection health of DC Registry Data.yml b/queries/Collection health of DC Registry Data.yml
index 29106cd..12c3e65 100644
--- a/queries/Collection health of DC Registry Data.yml
+++ b/queries/Collection health of DC Registry Data.yml
@@ -3,7 +3,7 @@ guid: 3f0fa2f3-fbdf-42c0-9e7d-97e689009161
 prebuilt: false
 platforms: Active Directory
 category: Domain Information
-description: BloodHound's ADCS analysis requires collecting CA registry data to increase accuracy/enable more edges. Collection by default requires SharpHound has Administrators membership. Requires SharpHound v2.3.5 or above. It only requires one misconfigured DC to potentially a full forest compromise by any principal. DCs returned by this query have not been collected.
+description: BloodHound's ADCS analysis requires collecting CA registry data to increase accuracy/enable more edges. Collection by default requires SharpHound has Administrators membership. Requires SharpHound v2.3.5 or above. It only requires one misconfigured DC to potentially a full forest compromise by any principal. DCs returned by this query have an incomplete collection for one or more of the queried attributes.
 query: |-
 MATCH p=(:Domain)<-[:DCFor]-(c:Computer)
 WHERE c.strongcertificatebindingenforcementraw IS NULL
@@ -11,7 +11,7 @@ query: |-
 AND c.enabled = true
 AND c.lastlogontimestamp > (datetime().epochseconds - (30 * 86400))
 RETURN p
-revision: 1
+revision: 2
 resources: https://bloodhound.specterops.io/collect-data/enterprise-collection/permissions#dc-registry
 acknowledgements: Martin Sohn Christensen, @martinsohndk
diff --git a/queries/Direct Principal Rights Assignment.yml b/queries/Direct Principal Rights Assignment.yml
deleted file mode 100644
index a2d08ab..0000000
--- a/queries/Direct Principal Rights Assignment.yml
+++ /dev/null
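Review bot: The new description line of the DC query still opens with "requires collecting CA registry data", although this file's MATCH walks `DCFor` and its resources link points at `#dc-registry`, so the sentence looks carried over from the CA query; suggest `description: BloodHound's ADCS analysis requires collecting DC registry data to increase accuracy/enable more edges. ...` with the rest unchanged. "It only requires one misconfigured DC to potentially a full forest compromise" is also missing a verb ("to potentially lead to a full forest compromise"). The WHERE clause continues past the first hunk, so I cannot see which other attributes are tested.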
@@ -1,15 +0,0 @@
-name: Direct Principal Rights Assignment
-guid: 1d9c6ae3-38fc-4089-b5ad-fc3be0fa8eec
-prebuilt: false
-platforms: Active Directory
-category: Active Directory Hygiene
-description: This query identifies rights assigned directly to users or computers instead of groups. Active Directory best practice requires granting rights to groups, then adding users as group members. This role-based access control (RBAC) approach ensures permissions are easily auditable and manageable. Results include inherited rights, which must be modified at the parent container level.
-query: |-
- MATCH p=(n:Base)-[r:GenericAll|GenericWrite|WriteOwner|WriteDacl|ForceChangePassword|AllExtendedRights|AddMember|AllowedToDelegate|AllowedToAct|AdminTo|CanPSRemote|CanRDP|ExecuteDCOM|AddSelf|DCSync|ReadLAPSPassword|ReadGMSAPassword|DumpSMSAPassword|AddAllowedToAct|WriteSPN|AddKeyCredentialLink|SyncLAPSPassword|WriteAccountRestrictions|WriteGPLink|ADCSESC1|ADCSESC3|ADCSESC4|ADCSESC6a|ADCSESC6b|ADCSESC9a|ADCSESC9b|ADCSESC10a|ADCSESC10b|ADCSESC13]->(:Base)
- WHERE (n:User OR n:Computer)
- RETURN p
- LIMIT 1000
-revision: 1
-resources: https://softwareengineering.stackexchange.com/questions/11856/whats-wrong-with-circular-references
-acknowledgements: Martin Sohn Christensen, @martinsohndk
-
diff --git a/queries/Domains allowing unauthenticated rootDSE searches and binds.yml b/queries/Domains allowing unauthenticated rootDSE searches and binds.yml
index 68edf90..1c4281f 100644
--- a/queries/Domains allowing unauthenticated rootDSE searches and binds.yml
+++ b/queries/Domains allowing unauthenticated rootDSE searches and binds.yml
@@ -6,9 +6,9 @@ category: Active Directory Hygiene
 description: Checks the fLDAPBlockAnonOps flag of dSHeuristics.
 query: |-
 MATCH (n:Domain)
- WHERE n.dsheuristics =~ ".{6}[^2].*"
+ WHERE n.dsheuristics =~ ".{6}2.*"
 RETURN n
-revision: 1
+revision: 2
 resources: https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-adts/e5899be4-862e-496f-9a38-33950617d2c5
 acknowledgements: Martin Sohn Christensen, @martinsohndk
diff --git a/queries/Map Azure Management structure.yml b/queries/Map Azure Management structure.yml
index 180e1a2..993b1b1 100644
--- a/queries/Map Azure Management structure.yml
+++ b/queries/Map Azure Management structure.yml
@@ -3,12 +3,14 @@ guid: c1bb109e-e6a4-4c91-864f-f78e1e42615e
 prebuilt: false
 platforms: Azure
 category: General
-description: Maps the structure of Azure Management
+description: Maps the structure of the Azure resource hierarchy from Azure tenants to the resource group level
 query: |-
- MATCH p = (:AZTenant)-[:AZContains*1..]->(:AZResourceGroup)
+ MATCH p = (:AZTenant)-[:AZContains*1..]->(n:AZBase)
+ WHERE (n:AZManagementGroup)
+ OR (n:AZSubscription)
+ OR (n:AZResourceGroup)
 RETURN p
 LIMIT 1000
-revision: 2
+revision: 3
 resources: https://learn.microsoft.com/en-us/azure/governance/management-groups/overview
 acknowledgements: Martin Sohn Christensen, @martinsohndk
-
diff --git a/queries/Non-Tier Zero account with unconstrained delegation.yml b/queries/Non-Tier Zero account with unconstrained delegation.yml
index c869023..1492393 100644
--- a/queries/Non-Tier Zero account with unconstrained delegation.yml
+++ b/queries/Non-Tier Zero account with unconstrained delegation.yml
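Review bot: The inverted regex `.{6}2.*` now selects domains whose seventh dSHeuristics character is 2, but the unchanged description only says the query "checks" the flag, so a reader cannot tell which direction is intended without going to MS-ADTS; suggest `description: Returns domains whose seventh dSHeuristics character (fLDAPBlockAnonOps) is 2, the value that, per the linked MS-ADTS section, permits anonymous LDAP operations beyond the rootDSE searches and binds that are always allowed.` If that reading of the flag is right, the file name describes behaviour every DC has rather than the misconfiguration, and may deserve the same revision. Worth noting for whoever next touches it: Cypher's `=~` matches the whole string, so a NULL or shorter-than-seven-character value no longer matches, which is consistent with the flag being at its default.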
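Review bot: With `n:AZBase` plus the three label tests, every path that reaches a resource group is now returned together with its prefixes ending at the management group and the subscription, so the unchanged `LIMIT 1000` is consumed much faster and, in a tenant of any size, the resource-group level the new description promises is likely the part that gets cut off. If the limit stays, the description could say that results may be truncated; otherwise raise it or narrow the label filter. The WHERE also reads more naturally without the parentheses: `WHERE n:AZManagementGroup OR n:AZSubscription OR n:AZResourceGroup`.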
@@ -7,9 +7,14 @@ description:
 query: |-
 MATCH (n:Base)
 WHERE n.unconstraineddelegation = true
+
+ // The query excludes all Tier Zero objects by default
+ // Exclude only DCs by removing the line below and uncomment the 'NOT n.isdc' line after
 AND NOT ((n:Tag_Tier_Zero) OR COALESCE(n.system_tags, '') CONTAINS 'admin_tier_0')
+ //AND NOT n.isdc = true
+
 RETURN n
-revision: 1
+revision: 2
 resources:
 acknowledgements: Martin Sohn Christensen, @martinsohndk
diff --git a/queries/Potential GPO 'Apply' misconfiguration.yml b/queries/Potential GPO 'Apply' misconfiguration.yml
index b2a9901..80a2b33 100644
--- a/queries/Potential GPO 'Apply' misconfiguration.yml
+++ b/queries/Potential GPO 'Apply' misconfiguration.yml
@@ -3,12 +3,12 @@ guid: f5f2455e-afdc-4708-9a34-98f539ce52d8
 prebuilt: true
 platforms: Active Directory
 category: Dangerous Privileges
-description: In Active Directory, GPO's are applied to objects in the Group Policy Management Console by ticking "Allow - Apply group policy", but administrators can mistakenly tick "Allow - Write" or "Allow - Full Control" resulting in a misconfigured GPO that allows a principal to compromise other principals the GPO also applies to. Results are potential risks and must be audited for for correctness.
+description: In Active Directory, GPO's are applied to objects in the Group Policy Management Console by ticking "Allow - Apply group policy", but administrators can mistakenly tick "Allow - Write" or "Allow - Full Control" resulting in a misconfigured GPO that allows a principal to compromise other principals the GPO also applies to. Results are potential risks and should be verified.
 query: |-
 MATCH p=(n:Base)-[:GenericAll|GenericWrite]->(g:GPO)
 // Exclude Enterprise Admins and Domain Admins
- WHERE NOT n.objectid =~ "-(519|512)$"
+ WHERE NOT n.objectid =~ ".*-(519|512)$"
 // Exclude unresolved SIDs
 AND NOT (n.distinguishedname IS NULL)
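Review bot: The commented-out alternative `//AND NOT n.isdc = true` will not do what the new comment says once uncommented: for any node where `isdc` is absent — User nodes, and possibly non-DC computers, which I cannot confirm from here — `n.isdc = true` is NULL, `NOT NULL` is NULL and the row is dropped, so the query would keep only nodes that carry the property instead of excluding DCs. `//AND NOT COALESCE(n.isdc, false)` keeps the non-DC accounts the query is about. Minor wording: "line after" reads as "the following line"; `// Exclude only DCs by removing the line below and uncommenting the 'NOT n.isdc' line that follows it` is clearer, and the commented line uses `//AND` where the other comments use `// `. The GPO hunk that follows is cut off at the end of this chunk, so I have not reviewed it.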
@@ -19,7 +19,7 @@ query: |-
 RETURN p
 LIMIT 1000
-revision: 2
+revision: 3
 resources:
 acknowledgements: Martin Sohn Christensen, @martinsohndk
diff --git a/queries/Principals With Direct Rights Assignment.yml b/queries/Principals With Direct Rights Assignment.yml
new file mode 100644
index 0000000..8141476
--- /dev/null
+++ b/queries/Principals With Direct Rights Assignment.yml
@@ -0,0 +1,19 @@
+name: Principals With Direct Rights Assignment
+guid: 1d9c6ae3-38fc-4089-b5ad-fc3be0fa8eec
+prebuilt: false
+platforms: Active Directory
+category: Active Directory Hygiene
+description: Identifies principals with rights assigned directly to them instead of to groups they are a member of. Active Directory best practice requires granting rights to groups, then adding users as group members. This role-based access control (RBAC) approach ensures permissions are easily auditable and manageable. Results include inherited rights, which must be modified at the parent container level.
+query: |-
+ MATCH p=(n:Base)-[r:GenericAll|GenericWrite|WriteOwner|WriteDacl|ForceChangePassword|AllExtendedRights|AddMember|AllowedToDelegate|AllowedToAct|AdminTo|CanPSRemote|CanRDP|ExecuteDCOM|AddSelf|DCSync|ReadLAPSPassword|ReadGMSAPassword|DumpSMSAPassword|AddAllowedToAct|WriteSPN|AddKeyCredentialLink|SyncLAPSPassword|WriteAccountRestrictions|WriteGPLink|ADCSESC1|ADCSESC3|ADCSESC4|ADCSESC6a|ADCSESC6b|ADCSESC9a|ADCSESC9b|ADCSESC10a|ADCSESC10b|ADCSESC13|WriteOwnerLimitedRights|OwnsLimitedRights|CanApplyGPO|ManageCA|ManageCertificates]->(:Base)
+ WHERE (n:User OR n:Computer)
+
+ // Uncomment the below to only search enabled principals.
+ // AND n.enabled = true
+
+ RETURN p
+ LIMIT 1000
+revision: 2
+resources: https://csrc.nist.gov/Projects/Role-Based-Access-Control
+acknowledgements: Martin Sohn Christensen, @martinsohndk
+
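Review bot: The relationship list in the MATCH is hand-maintained — it grew by five edge kinds in this rename alone — and any edge kind BloodHound adds later is missed silently, yet nothing in the file records that duty. A comment inside the query such as `// Edge list is manual: re-check it against the current BloodHound edge kinds whenever the revision is bumped` would make that visible to the next editor. `LIMIT 1000` without an ORDER BY also returns an arbitrary subset in larger environments, so the description could state that results are truncated and a full export needs the limit removed. Keeping the old guid with `revision: 2` correctly marks this as a rename of the deleted query rather than a new one.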