diff --git a/queries/Accounts related to AAD Entra Connect.yml b/queries/Accounts related to AAD Entra Connect.yml
new file mode 100644
index 0000000..fbbc9e8
--- /dev/null
+++ b/queries/Accounts related to AAD Entra Connect.yml
@@ -0,0 +1,17 @@
+name: Accounts related to AAD Entra Connect
+guid: 5993208e-6189-40e6-be03-c23c872d0ca4
+prebuilt: false
+platforms:
+- Active Directory
+- Azure
+category: Active Directory Hygiene
+description: Query to start reconnaissance about AADConnect / Entra Connect related accounts
+query: |-
+ MATCH (u)
+ WHERE (u:User OR u:AZUser)
+ AND (u.name =~ '(?i)^MSOL_|.*AADConnect.*|.*ADSyncMSA.*|.*AAD_.*|.*PROVAGENTGMSA.*'
+ OR u.userprincipalname =~ '(?i)^sync_.*')
+ RETURN u
+revision: 1
+resources: https://learn.microsoft.com/en-us/entra/identity/hybrid/connect/concept-adsync-service-account
+acknowledgements: Daniel Scheidt, @theluemmel
diff --git a/queries/All Azure VMs with a tied Managed Identity.yml b/queries/All Azure VMs with a tied Managed Identity.yml
new file mode 100644
index 0000000..11c535e
--- /dev/null
+++ b/queries/All Azure VMs with a tied Managed Identity.yml
@@ -0,0 +1,13 @@
+name: All Azure VMs with a tied Managed Identity
+guid: 3ceca01a-226e-4e61-8692-a4b4611f2af0
+prebuilt: false
+platforms:
+- Azure
+category: General
+description: Return all Azure VMs with a tied Managed Identity.
+query: |-
+ MATCH p=(:AZVM)-[:AZManagedIdentity]->(n)
+ RETURN p
+revision: 1
+resources: -
+acknowledgements: Daniel Scheidt, @theluemmel
diff --git a/queries/All direct Controllers of MS Graph.yml b/queries/All direct Controllers of MS Graph.yml
new file mode 100644
index 0000000..4978285
--- /dev/null
+++ b/queries/All direct Controllers of MS Graph.yml
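Review bot: In the `u.name` regex of the Accounts related to AAD Entra Connect query, the alternative `^MSOL_` has no trailing `.*`; because Cypher's `=~` requires the whole property value to match, it only hits a name that is literally `MSOL_` and misses the real `MSOL_<suffix>` sync accounts the query is meant to find. Change the line to `AND (u.name =~ '(?i)^MSOL_.*|.*AADConnect.*|.*ADSyncMSA.*|.*AAD_.*|.*PROVAGENTGMSA.*'`, as the `^sync_.*` alternative on the next line already does. Note also that `.*AAD_.*` matches any name containing `AAD_` anywhere, which may pull in unrelated accounts; a short comment in `description` stating that the result is a starting list to be reviewed by hand would set expectations.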
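Review bot: `resources: -` in All Azure VMs with a tied Managed Identity gives the field a value that YAML loaders will likely read as a one-element sequence holding null (some may yield the string `-`), whereas the Entra Connect query in the same commit stores a plain URL string in `resources`; if the loader expects one type per field, this inconsistency will surface there. Use `resources: ''` or omit the key when there is nothing to cite. The same placeholder appears in every other new file of this commit.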
@@ -0,0 +1,14 @@
+name: All direct Controllers of MS Graph
+guid: 45f949ca-ab69-43a4-adb2-796f9548beff
+prebuilt: false
+platforms:
+- Azure
+category: Microsoft Graph
+description: Return all direct Controllers of MS Graph.
+query: |-
+ MATCH p = (n)-[r:AZAddOwner|AZAddSecret|AZAppAdmin|AZCloudAppAdmin|AZMGAddOwner|AZMGAddSecret|AZOwns]->(g:AZServicePrincipal)
+ WHERE g.displayname = "MICROSOFT GRAPH"
+ RETURN p
+revision: 1
+resources: -
+acknowledgements: Daniel Scheidt, @theluemmel
diff --git a/queries/All privileged Azure Service Principals.yml b/queries/All privileged Azure Service Principals.yml
new file mode 100644
index 0000000..ddd9ba4
--- /dev/null
+++ b/queries/All privileged Azure Service Principals.yml
@@ -0,0 +1,14 @@
+name: All privileged Azure Service Principals
+guid: 92f269ee-3727-4ffa-947b-aad492ac0fa2
+prebuilt: false
+platforms:
+- Azure
+category: Azure Hygiene
+description: Return all privileged Azure Service Principals.
+query: |-
+ MATCH p=(n:AZServicePrincipal)-[:AZHasRole|AZMemberOf*1..2]->(r:AZRole)
+ WHERE r.displayname =~ '(?i)Global Administrator|User Administrator|Cloud Application Administrator|Authentication Policy Administrator|Exchange Administrator|Helpdesk Administrator|PRIVILEGED AUTHENTICATION ADMINISTRATOR|Domain Name Administrator|Hybrid Identity Administrator|External Identity Provider Administrator|Privileged Role Administrator|Partner Tier2 Support|Application Administrator|Directory Synchronization Accounts'
+ RETURN p
+revision: 1
+resources: -
+acknowledgements: Daniel Scheidt, @theluemmel
diff --git a/queries/Owners of Azure Applications.yml b/queries/Owners of Azure Applications.yml
new file mode 100644
index 0000000..4d66a57
--- /dev/null
+++ b/queries/Owners of Azure Applications.yml
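Review bot: The `WHERE g.displayname = "MICROSOFT GRAPH"` comparison in the MS Graph query is a case-sensitive exact match, while the privileged-service-principal query in the same commit matches names with a case-insensitive regex; if the ingested `displayname` is not stored upper-cased, this query silently returns nothing rather than failing visibly. `WHERE toUpper(g.displayname) = 'MICROSOFT GRAPH'` or `WHERE g.displayname =~ '(?i)Microsoft Graph'` keeps it robust to casing. The `r` variable bound on the MATCH line is never used and can be dropped.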
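Review bot: The role regex on the WHERE line of All privileged Azure Service Principals spells `PRIVILEGED AUTHENTICATION ADMINISTRATOR` in upper case while every other alternative is title-cased; `(?i)` makes both forms match, but the odd entry reads like a paste artefact and will trip anyone extending the list. Use `Privileged Authentication Administrator` to match the rest. Since the pattern `[:AZHasRole|AZMemberOf*1..2]` also follows up to two membership hops, the `description` could say that roles held indirectly (apparently via group membership) are included, so readers do not assume only direct assignments are returned.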
@@ -0,0 +1,13 @@
+name: Owners of Azure Applications
+guid: 3beb1260-61ad-42b5-819f-e1b619d28e22
+prebuilt: false
+platforms:
+- Azure
+category: General
+description: Return all Owners of Azure Applications to search for possible attack paths. Low privileged users should not be owners of applications.
+query: |-
+ MATCH p = (n)-[r:AZOwns]->(g:AZApp)
+ RETURN p
+revision: 1
+resources: -
+acknowledgements: Daniel Scheidt, @theluemmel
diff --git a/queries/Owners of Azure Subscriptions.yml b/queries/Owners of Azure Subscriptions.yml
new file mode 100644
index 0000000..d04aa9c
--- /dev/null
+++ b/queries/Owners of Azure Subscriptions.yml
@@ -0,0 +1,15 @@
+name: Owners of Azure Subscriptions
+guid: bd0daafd-4256-4ce6-9b7f-a9e38509d81c
+prebuilt: false
+platforms:
+- Azure
+category: General
+description: Return all Owners of Azure Subscriptions to search for possible attack paths. Low privileged users should not be owners of Subscriptions.
+query: |-
+ MATCH p=shortestPath((s:AZBase)-[:AZOwner*1..]->(t:AZSubscription))
+ WHERE s<>t
+ RETURN p
+ LIMIT 1000
+revision: 1
+resources: -
+acknowledgements: Daniel Scheidt, @theluemmel
diff --git a/queries/Shortest Paths from Azure Users to Azure Keyvaults.yml b/queries/Shortest Paths from Azure Users to Azure Keyvaults.yml
new file mode 100644
index 0000000..5773e92
--- /dev/null
+++ b/queries/Shortest Paths from Azure Users to Azure Keyvaults.yml
@@ -0,0 +1,13 @@
+name: Shortest Paths from Azure Users to Azure Keyvaults
+guid: 6395428d-2deb-404b-85b5-edbac3a6e05d
+prebuilt: false
+platforms:
+- Azure
+category: Shortest Paths
+description: Return shortest paths from Azure Users to Azure Keyvaults to check for attack vectors.
+query: |-
+ MATCH p = shortestPath((n:AZUser)-[:AZ_ATTACK_PATHS*..]->(g:AZKeyVault))
+ RETURN p
+revision: 1
+resources: -
+acknowledgements: Daniel Scheidt, @theluemmel
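Review bot: The shortestPath in Shortest Paths from Azure Users to Azure Keyvaults uses an unbounded `*..` hop range starting from every `AZUser` node and returns with no `LIMIT`, whereas the Owners of Azure Subscriptions query in this commit caps its output at `LIMIT 1000`; on a large tenant graph the unbounded search can run for a long time and the result is hard to review. Consider `RETURN p LIMIT 1000`, or an explicit upper bound on the hop count, for consistency with the subscriptions query. The same applies to Shortest Paths from Azure Users to Azure VMs in the next file.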
diff --git a/queries/Shortest Paths from Azure Users to Azure VMs.yml b/queries/Shortest Paths from Azure Users to Azure VMs.yml
new file mode 100644
index 0000000..0a1df47
--- /dev/null
+++ b/queries/Shortest Paths from Azure Users to Azure VMs.yml
@@ -0,0 +1,13 @@
+name: Shortest Paths from Azure Users to Azure VMs
+guid: 912454f1-75a3-4813-b3df-7bddac0ff00d
+prebuilt: false
+platforms:
+- Azure
+category: Shortest Paths
+description: Return shortest paths from Azure Users to Azure VMs to check for attack vectors.
+query: |-
+ MATCH p = shortestPath((m:AZUser)-[:AZ_ATTACK_PATHS*..]->(n:AZVM))
+ RETURN p
+revision: 1
+resources: -
+acknowledgements: Daniel Scheidt, @theluemmel
diff --git a/queries/Shortest Paths from Owned Azure Users to Azure Keyvaults.yml b/queries/Shortest Paths from Owned Azure Users to Azure Keyvaults.yml
new file mode 100644
index 0000000..b14985a
--- /dev/null
+++ b/queries/Shortest Paths from Owned Azure Users to Azure Keyvaults.yml
@@ -0,0 +1,14 @@
+name: Shortest Paths from Owned Azure Users to Azure Keyvaults
+guid: 53e73ae0-985e-4508-a82e-696d654f9538
+prebuilt: false
+platforms:
+- Azure
+category: Shortest Paths
+description: Return shortest paths from Owned Azure Users to Azure Keyvaults to check for attack vectors.
+query: |-
+ MATCH p = shortestPath((n:AZUser)-[:AZ_ATTACK_PATHS*..]->(g:AZKeyVault))
+ WHERE m.system_tags CONTAINS 'owned'
+ RETURN p
+revision: 1
+resources: -
+acknowledgements: Daniel Scheidt, @theluemmel
diff --git a/queries/Shortest Paths from Owned Azure Users to Azure VMs.yml b/queries/Shortest Paths from Owned Azure Users to Azure VMs.yml
new file mode 100644
index 0000000..506e97a
--- /dev/null
+++ b/queries/Shortest Paths from Owned Azure Users to Azure VMs.yml
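Review bot: The `WHERE m.system_tags CONTAINS 'owned'` filter in Shortest Paths from Owned Azure Users to Azure Keyvaults references `m`, but the MATCH line on the previous row binds the user node as `n`, so the query fails with an undefined-variable error instead of returning paths from owned users. Change it to `WHERE n.system_tags CONTAINS 'owned'`, or rename the node to `m` on the MATCH line as the Owned-users-to-VMs variant in the next file does.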
@@ -0,0 +1,14 @@
+name: Shortest Paths from Owned Azure Users to Azure VMs
+guid: bab9fbec-7a46-4c1e-902e-a1b53a454610
+prebuilt: false
+platforms:
+- Azure
+category: Shortest Paths
+description: Return shortest paths from Owned Azure Users to Azure VMs to check for attack vectors.
+query: |-
+ MATCH p = shortestPath((m:AZUser)-[:AZ_ATTACK_PATHS*..]->(n:AZVM))
+ WHERE m.system_tags CONTAINS 'owned'
+ RETURN p
+revision: 1
+resources: -
+acknowledgements: Daniel Scheidt, @theluemmel