From bf263f5a1f71ddd8f3658e7532e2b4709e54d6b7 Mon Sep 17 00:00:00 2001
From: Martin
Date: Wed, 18 Jun 2025 14:58:27 +0200
Subject: [PATCH 1/6] multi-version tier zero tag support
---
 queries/Tier Zero computers not owned by Tier Zero.yml | 2 +-
 ...th passwords older than the default maximum password age.yml | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/queries/Tier Zero computers not owned by Tier Zero.yml b/queries/Tier Zero computers not owned by Tier Zero.yml
index 58377e4..ed04935 100644
--- a/queries/Tier Zero computers not owned by Tier Zero.yml
+++ b/queries/Tier Zero computers not owned by Tier Zero.yml
@@ -6,7 +6,7 @@ category: Dangerous Privileges
 description:
 query: |-
 MATCH p=(n:Base)-[:Owns]->(:Computer)
- WHERE NOT coalesce(n.system_tags, "") CONTAINS "admin_tier_0"
+ WHERE NOT ((n:Tag_Tier_Zero) OR COALESCE(n.system_tags, '') CONTAINS 'admin_tier_0')
 RETURN p
 revision: 1
 resources:
diff --git a/queries/Tier Zero computers with passwords older than the default maximum password age.yml b/queries/Tier Zero computers with passwords older than the default maximum password age.yml
index 9dcbec7..a3ca48c 100644
--- a/queries/Tier Zero computers with passwords older than the default maximum password age.yml
+++ b/queries/Tier Zero computers with passwords older than the default maximum password age.yml
@@ -9,7 +9,7 @@ query: |-
 WHERE n.enabled = true
 AND n.whencreated < (datetime().epochseconds - (60 * 3 * 86400))
 AND n.pwdlastset < (datetime().epochseconds - (60 * 3 * 86400))
- AND coalesce(n.system_tags, "") CONTAINS "admin_tier_0"
+ AND ((n:Tag_Tier_Zero) OR COALESCE(n.system_tags, '') CONTAINS 'admin_tier_0')
 RETURN n
 revision: 1
 resources:
From 611647038256fa1a13bc4259353eb234dd27f874 Mon Sep 17 00:00:00 2001
From: "github-actions[bot]"
Date: Wed, 18 Jun 2025 13:01:59 +0000
Subject: [PATCH 2/6] Update combined queries
---
 Queries.json | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
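Review bot: The new WHERE line in the first hunk only excludes Tier Zero owners; the owned node stays an unfiltered `(:Computer)`, so if the file title "Tier Zero computers not owned by Tier Zero" is meant literally, every computer with a non-Tier-Zero owner is returned rather than only the Tier Zero ones. The same tier-zero predicate should be applied to the computer as well, e.g. `MATCH p=(n:Base)-[:Owns]->(c:Computer)` / `WHERE ((c:Tag_Tier_Zero) OR COALESCE(c.system_tags, '') CONTAINS 'admin_tier_0')` / `AND NOT ((n:Tag_Tier_Zero) OR COALESCE(n.system_tags, '') CONTAINS 'admin_tier_0')`. The empty `description:` field visible in the hunk would also be the place to state that the check deliberately accepts either the `Tag_Tier_Zero` label or the `admin_tier_0` system tag because, per the commit subject, different versions mark Tier Zero differently. The same query text is carried into Queries.json by the generated hunks of PATCH 2/6 and PATCH 4/6, so whichever fix is chosen here has to be regenerated there too.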
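Review bot: The window `60 * 3 * 86400` on the two context lines of the second hunk is 180 days, which does not obviously correspond to the "default maximum password age" named in the file title, and nothing in the query records how the constant was derived. Since this commit already revises the query, one sentence in the file's `description:` field (outside the hunk) explaining the chosen window, and that the Tier Zero check accepts either the `Tag_Tier_Zero` label or the `admin_tier_0` system tag, would save the next reader from guessing. The opening `MATCH (n:Computer)` line of the query lies outside the hunk.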
diff --git a/Queries.json b/Queries.json
index 67df1ae..9996661 100644
--- a/Queries.json
+++ b/Queries.json
@@ -114,7 +114,7 @@
 ],
 "category": "Dangerous Privileges",
 "description": null,
- "query": "MATCH p=(n:Base)-[:Owns]->(:Computer)\nWHERE NOT coalesce(n.system_tags, \"\") CONTAINS \"admin_tier_0\"\nRETURN p",
+ "query": "MATCH p=(n:Base)-[:Owns]->(:Computer)\nWHERE NOT ((n:Tag_Tier_Zero) OR COALESCE(n.system_tags, '') CONTAINS 'admin_tier_0')\nRETURN p",
 "revision": 1,
 "resources": [],
 "acknowledgements": [
@@ -2613,7 +2613,7 @@
 ],
 "category": "Active Directory Hygiene",
 "description": null,
- "query": "MATCH (n:Computer)\nWHERE n.enabled = true\nAND n.whencreated < (datetime().epochseconds - (60 * 3 * 86400))\nAND n.pwdlastset < (datetime().epochseconds - (60 * 3 * 86400))\nAND coalesce(n.system_tags, \"\") CONTAINS \"admin_tier_0\"\nRETURN n",
+ "query": "MATCH (n:Computer)\nWHERE n.enabled = true\nAND n.whencreated < (datetime().epochseconds - (60 * 3 * 86400))\nAND n.pwdlastset < (datetime().epochseconds - (60 * 3 * 86400))\nAND ((n:Tag_Tier_Zero) OR COALESCE(n.system_tags, '') CONTAINS 'admin_tier_0')\nRETURN n",
 "revision": 1,
 "resources": [],
 "acknowledgements": [
From 50da110ea9e1c82f92c455fb390945d546bbea6d Mon Sep 17 00:00:00 2001
From: Martin
Date: Wed, 18 Jun 2025 16:01:54 +0200
Subject: [PATCH 3/6] version bump
---
 queries/Tier Zero computers not owned by Tier Zero.yml | 2 +-
 ...th passwords older than the default maximum password age.yml | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/queries/Tier Zero computers not owned by Tier Zero.yml b/queries/Tier Zero computers not owned by Tier Zero.yml
index ed04935..57872e2 100644
--- a/queries/Tier Zero computers not owned by Tier Zero.yml
+++ b/queries/Tier Zero computers not owned by Tier Zero.yml
@@ -8,7 +8,7 @@ query: |-
 MATCH p=(n:Base)-[:Owns]->(:Computer)
 WHERE NOT ((n:Tag_Tier_Zero) OR COALESCE(n.system_tags, '') CONTAINS 'admin_tier_0')
 RETURN p
-revision: 1
+revision: 2
 resources:
 acknowledgements:
 Martin Sohn Christensen, @martinsohndk
diff --git a/queries/Tier Zero computers with passwords older than the default maximum password age.yml b/queries/Tier Zero computers with passwords older than the default maximum password age.yml
index a3ca48c..bd48f67 100644
--- a/queries/Tier Zero computers with passwords older than the default maximum password age.yml
+++ b/queries/Tier Zero computers with passwords older than the default maximum password age.yml
@@ -11,7 +11,7 @@ query: |-
 AND n.pwdlastset < (datetime().epochseconds - (60 * 3 * 86400))
 AND ((n:Tag_Tier_Zero) OR COALESCE(n.system_tags, '') CONTAINS 'admin_tier_0')
 RETURN n
-revision: 1
+revision: 2
 resources:
 acknowledgements:
 Martin Sohn Christensen, @martinsohndk
From 0d79834d277b4315109f127a8e993266f62bf5ba Mon Sep 17 00:00:00 2001
From: "github-actions[bot]"
Date: Wed, 18 Jun 2025 14:03:26 +0000
Subject: [PATCH 4/6] Update combined queries
---
 Queries.json | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/Queries.json b/Queries.json
index 9996661..24ba28d 100644
--- a/Queries.json
+++ b/Queries.json
@@ -115,7 +115,7 @@
 "category": "Dangerous Privileges",
 "description": null,
 "query": "MATCH p=(n:Base)-[:Owns]->(:Computer)\nWHERE NOT ((n:Tag_Tier_Zero) OR COALESCE(n.system_tags, '') CONTAINS 'admin_tier_0')\nRETURN p",
- "revision": 1,
+ "revision": 2,
 "resources": [],
 "acknowledgements": [
 "Martin Sohn Christensen, @martinsohndk"
@@ -2614,7 +2614,7 @@
 "category": "Active Directory Hygiene",
 "description": null,
 "query": "MATCH (n:Computer)\nWHERE n.enabled = true\nAND n.whencreated < (datetime().epochseconds - (60 * 3 * 86400))\nAND n.pwdlastset < (datetime().epochseconds - (60 * 3 * 86400))\nAND ((n:Tag_Tier_Zero) OR COALESCE(n.system_tags, '') CONTAINS 'admin_tier_0')\nRETURN n",
- "revision": 1,
+ "revision": 2,
 "resources": [],
 "acknowledgements": [
 "Martin Sohn Christensen, @martinsohndk"
From 5a18d6e6cb22d76869287be56d0a3b10c112fa33 Mon Sep 17 00:00:00 2001
From: Martin
Date: Wed, 18 Jun 2025 16:36:48 +0200
Subject: [PATCH 5/6] bug fix: include nested members
---
 .../Members of Allowed RODC Password Replication Group.yml | 5 ++---
 1 file changed, 2 insertions(+), 3 deletions(-)
diff --git a/queries/Members of Allowed RODC Password Replication Group.yml b/queries/Members of Allowed RODC Password Replication Group.yml
index f6f7ffd..1b87ed5 100644
--- a/queries/Members of Allowed RODC Password Replication Group.yml
+++ b/queries/Members of Allowed RODC Password Replication Group.yml
@@ -5,11 +5,10 @@ platforms: Active Directory
 category: Domain Information
 description:
 query: |-
- MATCH p=(n:Base)-[r:MemberOf]->(m:Group)
+ MATCH p=(:Base)-[:MemberOf*1..]->(m:Group)
 WHERE m.objectid ENDS WITH "-571"
- AND (n:User or n:Computer)
 RETURN p
-revision: 1
+revision: 2
 resources:
 acknowledgements:
 Martin Sohn Christensen, @martinsohndk
From b55b0cedbc2230be0122d007db26978fa9d71f53 Mon Sep 17 00:00:00 2001
From: "github-actions[bot]"
Date: Wed, 18 Jun 2025 14:37:53 +0000
Subject: [PATCH 6/6] Update combined queries
---
 Queries.json | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/Queries.json b/Queries.json
index 24ba28d..429f14a 100644
--- a/Queries.json
+++ b/Queries.json
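Review bot: The rewritten MATCH in the PATCH 5/6 hunk drops the `(n:User or n:Computer)` restriction together with the alias, so the path may now start at any `:Base` node, including the intermediate groups of a nesting chain, and with an unbounded `*1..` every sub-path of each chain comes back as its own row. If the query is meant to list principals that end up in the group, the start-node filter should survive the change, e.g. `MATCH p=(n:Base)-[:MemberOf*1..]->(m:Group)` / `WHERE m.objectid ENDS WITH "-571"` / `AND (n:User OR n:Computer)`; if intermediate groups are wanted on purpose, the empty `description:` field in the hunk should say so. An explicit upper bound on the hop count is also worth considering, since the unbounded expansion is the expensive part on large graphs. The generated Queries.json hunk in PATCH 6/6 carries the same query text and would need the same adjustment.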
@@ -283,8 +283,8 @@
 ],
 "category": "Domain Information",
 "description": null,
- "query": "MATCH p=(n:Base)-[r:MemberOf]->(m:Group)\nWHERE m.objectid ENDS WITH \"-571\"\nAND (n:User or n:Computer)\nRETURN p",
- "revision": 1,
+ "query": "MATCH p=(:Base)-[:MemberOf*1..]->(m:Group)\nWHERE m.objectid ENDS WITH \"-571\"\nRETURN p",
+ "revision": 2,
 "resources": [],
 "acknowledgements": [
 "Martin Sohn Christensen, @martinsohndk"