diff --git a/Queries.json b/Queries.json
index 67df1ae..429f14a 100644
--- a/Queries.json
+++ b/Queries.json
@@ -114,8 +114,8 @@
 ],
 "category": "Dangerous Privileges",
 "description": null,
- "query": "MATCH p=(n:Base)-[:Owns]->(:Computer)\nWHERE NOT coalesce(n.system_tags, \"\") CONTAINS \"admin_tier_0\"\nRETURN p",
- "revision": 1,
+ "query": "MATCH p=(n:Base)-[:Owns]->(:Computer)\nWHERE NOT ((n:Tag_Tier_Zero) OR COALESCE(n.system_tags, '') CONTAINS 'admin_tier_0')\nRETURN p",
+ "revision": 2,
 "resources": [],
 "acknowledgements": [
 "Martin Sohn Christensen, @martinsohndk"
@@ -283,8 +283,8 @@
 ],
 "category": "Domain Information",
 "description": null,
- "query": "MATCH p=(n:Base)-[r:MemberOf]->(m:Group)\nWHERE m.objectid ENDS WITH \"-571\"\nAND (n:User or n:Computer)\nRETURN p",
- "revision": 1,
+ "query": "MATCH p=(:Base)-[:MemberOf*1..]->(m:Group)\nWHERE m.objectid ENDS WITH \"-571\"\nRETURN p",
+ "revision": 2,
 "resources": [],
 "acknowledgements": [
 "Martin Sohn Christensen, @martinsohndk"
@@ -2613,8 +2613,8 @@
 ],
 "category": "Active Directory Hygiene",
 "description": null,
- "query": "MATCH (n:Computer)\nWHERE n.enabled = true\nAND n.whencreated < (datetime().epochseconds - (60 * 3 * 86400))\nAND n.pwdlastset < (datetime().epochseconds - (60 * 3 * 86400))\nAND coalesce(n.system_tags, \"\") CONTAINS \"admin_tier_0\"\nRETURN n",
- "revision": 1,
+ "query": "MATCH (n:Computer)\nWHERE n.enabled = true\nAND n.whencreated < (datetime().epochseconds - (60 * 3 * 86400))\nAND n.pwdlastset < (datetime().epochseconds - (60 * 3 * 86400))\nAND ((n:Tag_Tier_Zero) OR COALESCE(n.system_tags, '') CONTAINS 'admin_tier_0')\nRETURN n",
+ "revision": 2,
 "resources": [],
 "acknowledgements": [
 "Martin Sohn Christensen, @martinsohndk"
diff --git a/queries/Members of Allowed RODC Password Replication Group.yml b/queries/Members of Allowed RODC Password Replication Group.yml
index f6f7ffd..1b87ed5 100644
--- a/queries/Members of Allowed RODC Password Replication Group.yml
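Review bot: The new tag predicate in the "Tier Zero computers not owned by Tier Zero" query is applied only to the owner `n`, while the owned side stays an unfiltered `(:Computer)`, so the query returns every computer owned by a non-Tier-Zero principal rather than the Tier Zero computers its name promises. Bind the computer and give it the same label-or-tag test: `MATCH p=(n:Base)-[:Owns]->(c:Computer)` / `WHERE ((c:Tag_Tier_Zero) OR COALESCE(c.system_tags, '') CONTAINS 'admin_tier_0')` / `AND NOT ((n:Tag_Tier_Zero) OR COALESCE(n.system_tags, '') CONTAINS 'admin_tier_0')`. With `description` still null, a one-line description stating that both the label (newer BloodHound) and the `system_tags` value (older releases) are honoured would tell users which versions the revision is meant to work on. The surrounding query object (its `name` and `platforms` keys) lies outside the hunk.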
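Review bot: In the "Members of Allowed RODC Password Replication Group" query the only selective predicate (`m.objectid ENDS WITH "-571"`) sits on the end node of an unbounded `[:MemberOf*1..]` expansion that starts from every `:Base` node, so the planner may build group-membership paths for the whole domain before discarding all but those ending at the RID-571 group. Anchoring the group first keeps the expansion to the few relevant paths: `MATCH (m:Group) WHERE m.objectid ENDS WITH "-571"` / `MATCH p=(:Base)-[:MemberOf*1..]->(m)` / `RETURN p`. Dropping the `(n:User or n:Computer)` restriction together with the transitive expansion now returns nested groups as path members, which is presumably intended since nested membership is what makes a principal's secrets cacheable on an RODC, but the still-null `description` should say that the result is transitive. The query object's `name` and `platforms` keys are outside the hunk.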
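Review bot: The threshold `60 * 3 * 86400` used on both `whencreated` and `pwdlastset` in the "Tier Zero computers with passwords older than the default maximum password age" query is 180 days, which does not match the name: the default machine-account password change interval is 30 days (and the default domain password policy is 42), so a Tier Zero computer whose password is five months old passes this hygiene check. Either use the default, `AND n.pwdlastset < (datetime().epochseconds - (30 * 86400))`, or, if the wider window is a deliberate noise reduction, write the constant as `180 * 86400` and state the window in `description` (currently null) so the query name stops over-promising. A `pwdlastset` that was never populated (whatever sentinel the collector stores, 0 or -1) also satisfies the comparison and is flagged, which is the right outcome but worth a word in the description. The query object's `name` and `platforms` keys are outside the hunk.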
+++ b/queries/Members of Allowed RODC Password Replication Group.yml
@@ -5,11 +5,10 @@ platforms: Active Directory
 category: Domain Information
 description:
 query: |-
- MATCH p=(n:Base)-[r:MemberOf]->(m:Group)
+ MATCH p=(:Base)-[:MemberOf*1..]->(m:Group)
 WHERE m.objectid ENDS WITH "-571"
- AND (n:User or n:Computer)
 RETURN p
-revision: 1
+revision: 2
 resources:
 acknowledgements: Martin Sohn Christensen, @martinsohndk
diff --git a/queries/Tier Zero computers not owned by Tier Zero.yml b/queries/Tier Zero computers not owned by Tier Zero.yml
index 58377e4..57872e2 100644
--- a/queries/Tier Zero computers not owned by Tier Zero.yml
+++ b/queries/Tier Zero computers not owned by Tier Zero.yml
@@ -6,9 +6,9 @@ category: Dangerous Privileges
 description:
 query: |-
 MATCH p=(n:Base)-[:Owns]->(:Computer)
- WHERE NOT coalesce(n.system_tags, "") CONTAINS "admin_tier_0"
+ WHERE NOT ((n:Tag_Tier_Zero) OR COALESCE(n.system_tags, '') CONTAINS 'admin_tier_0')
 RETURN p
-revision: 1
+revision: 2
 resources:
 acknowledgements: Martin Sohn Christensen, @martinsohndk
diff --git a/queries/Tier Zero computers with passwords older than the default maximum password age.yml b/queries/Tier Zero computers with passwords older than the default maximum password age.yml
index 9dcbec7..bd48f67 100644
--- a/queries/Tier Zero computers with passwords older than the default maximum password age.yml
+++ b/queries/Tier Zero computers with passwords older than the default maximum password age.yml
@@ -9,9 +9,9 @@ query: |-
 WHERE n.enabled = true
 AND n.whencreated < (datetime().epochseconds - (60 * 3 * 86400))
 AND n.pwdlastset < (datetime().epochseconds - (60 * 3 * 86400))
- AND coalesce(n.system_tags, "") CONTAINS "admin_tier_0"
+ AND ((n:Tag_Tier_Zero) OR COALESCE(n.system_tags, '') CONTAINS 'admin_tier_0')
 RETURN n
-revision: 1
+revision: 2
 resources:
 acknowledgements: Martin Sohn Christensen, @martinsohndk