From ba5cd1ed7279df2556ddb7bf7769425cf0531b87 Mon Sep 17 00:00:00 2001
From: LuemmelSec <58529760+LuemmelSec@users.noreply.github.com>
Date: Fri, 20 Jun 2025 09:04:13 +0200
Subject: [PATCH 01/21] Create Accounts related to AAD Entra Connect and their sessions.yml
---
 ...to AAD Entra Connect and their sessions.yml | 18 ++++++++++++++++++
 1 file changed, 18 insertions(+)
 create mode 100644 queries/Accounts related to AAD Entra Connect and their sessions.yml
diff --git a/queries/Accounts related to AAD Entra Connect and their sessions.yml b/queries/Accounts related to AAD Entra Connect and their sessions.yml
new file mode 100644
index 0000000..52696e8
--- /dev/null
+++ b/queries/Accounts related to AAD Entra Connect and their sessions.yml
@@ -0,0 +1,18 @@
+name: Accounts related to AAD Entra Connect and their sessions
+guid: 5993208e-6189-40e6-be03-c23c872d0ca4
+prebuilt: false
+platforms:
+- Active Directory
+- Azure
+category: Active Directory Hygiene
+description: Query to start reconnaissance about AADConnect / Entra Connect related accounts and their sessions
+query: |-
+ MATCH (u)
+ WHERE (u:User OR u:AZUser)
+ AND (u.name =~ '(?i)^MSOL_|.*AADConnect.*|.*ADSyncMSA.*|.*AAD_.*'
+ OR u.userprincipalname =~ '(?i)^sync_.*')
+ OPTIONAL MATCH (u)-[:HasSession]->(s:Session)
+ RETURN u, s
+revision: 1
+resources: https://learn.microsoft.com/en-us/entra/identity/hybrid/connect/concept-adsync-service-account
+acknowledgements: Daniel Scheidt, @theluemmel
From 400df32446b1681ca356794b0df9c2f2d0c76ea3 Mon Sep 17 00:00:00 2001
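Review bot: The `AND (u.name =~ ...)` line matches only a name that is literally `MSOL_`, because Neo4j's `=~` must match the whole value and the `^MSOL_` alternative has no trailing `.*`, so the `MSOL_<hex>@DOMAIN` connector accounts this query is named for are silently skipped. Change it to `AND (u.name =~ '(?i)^MSOL_.*|.*AADConnect.*|.*ADSyncMSA.*|.*AAD_.*'`; the leading `(?i)` already applies to every alternative. Separately, the OPTIONAL MATCH assumes a `Session` label and a User-to-Session `HasSession` edge, whereas BloodHound models sessions as `(:Computer)-[:HasSession]->(:User)`, so `s` will always be null as written — confirm against the target schema.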
From: LuemmelSec <58529760+LuemmelSec@users.noreply.github.com> Date: Fri, 20 Jun 2025 09:05:54 +0200 Subject: [PATCH 02/21] Update and rename Accounts related to AAD Entra Connect and their sessions.yml to Accounts related to AAD Entra Connect.yml --- ...sions.yml => Accounts related to AAD Entra Connect.yml} | 7 +++---- 1 file changed, 3 insertions(+), 4 deletions(-) rename queries/{Accounts related to AAD Entra Connect and their sessions.yml => Accounts related to AAD Entra Connect.yml} (75%) diff --git a/queries/Accounts related to AAD Entra Connect and their sessions.yml b/queries/Accounts related to AAD Entra Connect.yml similarity index 75% rename from queries/Accounts related to AAD Entra Connect and their sessions.yml rename to queries/Accounts related to AAD Entra Connect.yml index 52696e8..c299447 100644 --- a/queries/Accounts related to AAD Entra Connect and their sessions.yml +++ b/queries/Accounts related to AAD Entra Connect.yml @@ -1,18 +1,17 @@ -name: Accounts related to AAD Entra Connect and their sessions +name: Accounts related to AAD Entra Connect guid: 5993208e-6189-40e6-be03-c23c872d0ca4 prebuilt: false platforms: - Active Directory - Azure category: Active Directory Hygiene -description: Query to start reconnaissance about AADConnect / Entra Connect related accounts and their sessions +description: Query to start reconnaissance about AADConnect / Entra Connect related accounts query: |- MATCH (u) WHERE (u:User OR u:AZUser) AND (u.name =~ '(?i)^MSOL_|.*AADConnect.*|.*ADSyncMSA.*|.*AAD_.*' OR u.userprincipalname =~ '(?i)^sync_.*') - OPTIONAL MATCH (u)-[:HasSession]->(s:Session) - RETURN u, s + RETURN u revision: 1 resources: https://learn.microsoft.com/en-us/entra/identity/hybrid/connect/concept-adsync-service-account acknowledgements: Daniel Scheidt, @theluemmel From 45503249a540a30ed38f99daba07a9b26cae9fff Mon Sep 17 00:00:00 2001 
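Review bot: Removing the OPTIONAL MATCH drops the session view the original description promised, and the likely reason it returned nothing is edge direction rather than the idea itself: BloodHound models sessions as `(:Computer)-[:HasSession]->(:User)` and has no `Session` label. If sessions are still wanted, `OPTIONAL MATCH (c:Computer)-[:HasSession]->(u) RETURN u, c` keeps the combined `User`/`AZUser` filter and simply yields a null `c` for cloud users. If the intent is to keep this file minimal, the rename is fine as is.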
From: LuemmelSec <58529760+LuemmelSec@users.noreply.github.com>
Date: Fri, 20 Jun 2025 09:38:34 +0200
Subject: [PATCH 03/21] Create Domain Admin to OU mapping .yml
---
 queries/Domain Admin to OU mapping .yml | 14 ++++++++++++++
 1 file changed, 14 insertions(+)
 create mode 100644 queries/Domain Admin to OU mapping .yml
diff --git a/queries/Domain Admin to OU mapping .yml b/queries/Domain Admin to OU mapping .yml
new file mode 100644
index 0000000..431aead
--- /dev/null
+++ b/queries/Domain Admin to OU mapping .yml
@@ -0,0 +1,14 @@
+name: Domain Admin to OU mapping
+guid: 27e310ad-fe45-482e-8b17-fea7e795d9eb
+prebuilt: false
+platforms:
+- Active Directory
+category: Domain Information
+description: Domain Admin to OU mapping
+query: |-
+ MATCH p = (n:Domain)-[:Contains*1..]->(u:User)-[:MemberOf*1..]->(g:Group)
+ WHERE g.name CONTAINS "DOMAIN ADMINS@"
+ RETURN p
+revision: 1
+resources: -
+acknowledgements: Daniel Scheidt, @theluemmel
From 8d6702b3db3de01533e821121418978837b66365 Mon Sep 17 00:00:00 2001
From: LuemmelSec <58529760+LuemmelSec@users.noreply.github.com>
Date: Fri, 20 Jun 2025 09:44:24 +0200
Subject: [PATCH 04/21] Create Owners of Azure Applications.yml
---
 queries/Owners of Azure Applications.yml | 13 +++++++++++++
 1 file changed, 13 insertions(+)
 create mode 100644 queries/Owners of Azure Applications.yml
diff --git a/queries/Owners of Azure Applications.yml b/queries/Owners of Azure Applications.yml
new file mode 100644
index 0000000..4d66a57
--- /dev/null
+++ b/queries/Owners of Azure Applications.yml
@@ -0,0 +1,13 @@
+name: Owners of Azure Applications
+guid: 3beb1260-61ad-42b5-819f-e1b619d28e22
+prebuilt: false
+platforms:
+- Azure
+category: General
+description: Return all Owners of Azure Applications to search for possible attack paths. Low privileged users should not be owners of applications.
+query: |-
+ MATCH p = (n)-[r:AZOwns]->(g:AZApp)
+ RETURN p
+revision: 1
+resources: -
+acknowledgements: Daniel Scheidt, @theluemmel
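Review bot: The MATCH on the query line only takes `AZApp` as the target, but `AZOwns` on the matching `AZServicePrincipal` grants the same ability to add credentials and is a separate edge in BloodHound, so an owner of the enterprise-application object is missed by a query whose description promises all application owners. Widen the target with `MATCH p = (n)-[r:AZOwns]->(g) WHERE g:AZApp OR g:AZServicePrincipal RETURN p`, or add a sibling file for service-principal owners and say so in the description. The `r` and `g` bindings are used only inside the path, so `(n)-[:AZOwns]->(:AZApp)` also reads cleaner if the scope stays app-only.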
From 34dcf6f5363319c034e68e70d5fb2f7f509ec9ff Mon Sep 17 00:00:00 2001
From: LuemmelSec <58529760+LuemmelSec@users.noreply.github.com>
Date: Fri, 20 Jun 2025 09:50:05 +0200
Subject: [PATCH 05/21] Create Owners of Azure Subscriptions.yml
---
 queries/Owners of Azure Subscriptions.yml | 15 +++++++++++++++
 1 file changed, 15 insertions(+)
 create mode 100644 queries/Owners of Azure Subscriptions.yml
diff --git a/queries/Owners of Azure Subscriptions.yml b/queries/Owners of Azure Subscriptions.yml
new file mode 100644
index 0000000..d04aa9c
--- /dev/null
+++ b/queries/Owners of Azure Subscriptions.yml
@@ -0,0 +1,15 @@
+name: Owners of Azure Subscriptions
+guid: bd0daafd-4256-4ce6-9b7f-a9e38509d81c
+prebuilt: false
+platforms:
+- Azure
+category: General
+description: Return all Owners of Azure Subscriptions to search for possible attack paths. Low privileged users should not be owners of Subscriptions.
+query: |-
+ MATCH p=shortestPath((s:AZBase)-[:AZOwner*1..]->(t:AZSubscription))
+ WHERE s<>t
+ RETURN p
+ LIMIT 1000
+revision: 1
+resources: -
+acknowledgements: Daniel Scheidt, @theluemmel
From 2755bfd1f960b6ae522f3b4df5dadcf183e9217d Mon Sep 17 00:00:00 2001
From: LuemmelSec <58529760+LuemmelSec@users.noreply.github.com>
Date: Fri, 20 Jun 2025 09:58:28 +0200
Subject: [PATCH 06/21] Create All Paths to Azure VMs.yml
---
 queries/All Paths to Azure VMs.yml | 13 +++++++++++++
 1 file changed, 13 insertions(+)
 create mode 100644 queries/All Paths to Azure VMs.yml
diff --git a/queries/All Paths to Azure VMs.yml b/queries/All Paths to Azure VMs.yml
new file mode 100644
index 0000000..7724a1c
--- /dev/null
+++ b/queries/All Paths to Azure VMs.yml
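Review bot: The `-[:AZOwner*1..]->` pattern on the MATCH line chains only `AZOwner` edges, so a principal that owns a subscription through group membership (`AZMemberOf`) or inherits ownership from a parent management group is not returned, which undercuts the description's goal of surfacing low-privileged owners. `MATCH p=shortestPath((s:AZBase)-[:AZMemberOf|AZOwner|AZContains*1..]->(t:AZSubscription))` follows the membership hop and management-group containment; if `AZContains` is added, restrict `s` to principal labels (e.g. `WHERE s:AZUser OR s:AZGroup OR s:AZServicePrincipal`) so tenant or management-group containment does not show up as ownership, and confirm `AZContains` is the edge this schema uses between management groups and subscriptions. The `LIMIT 1000` is a good safeguard and is missing from the other shortest-path queries in this series.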
@@ -0,0 +1,13 @@
+name: All Paths to Azure VMs
+guid: 912454f1-75a3-4813-b3df-7bddac0ff00d
+prebuilt: false
+platforms:
+- Azure
+category: Shortest Paths
+description: Return all paths to Azure VMs to check for attack vectors.
+query: |-
+ MATCH p = (n)-[r]->(g:AZVM)
+ RETURN p
+revision: 1
+resources: -
+acknowledgements: Daniel Scheidt, @theluemmel
From 4cf7e60b41219acdab7614bd747b0131eeaa8d4e Mon Sep 17 00:00:00 2001
From: LuemmelSec <58529760+LuemmelSec@users.noreply.github.com>
Date: Fri, 20 Jun 2025 10:09:35 +0200
Subject: [PATCH 07/21] Update and rename All Paths to Azure VMs.yml to Shortest Paths from Azure Users to Azure VMs.yml
---
 queries/All Paths to Azure VMs.yml | 13 -------------
 ...Shortest Paths from Azure Users to Azure VMs.yml | 13 +++++++++++++
 2 files changed, 13 insertions(+), 13 deletions(-)
 delete mode 100644 queries/All Paths to Azure VMs.yml
 create mode 100644 queries/Shortest Paths from Azure Users to Azure VMs.yml
diff --git a/queries/All Paths to Azure VMs.yml b/queries/All Paths to Azure VMs.yml
deleted file mode 100644
index 7724a1c..0000000
--- a/queries/All Paths to Azure VMs.yml
+++ /dev/null
@@ -1,13 +0,0 @@
-name: All Paths to Azure VMs
-guid: 912454f1-75a3-4813-b3df-7bddac0ff00d
-prebuilt: false
-platforms:
-- Azure
-category: Shortest Paths
-description: Return all paths to Azure VMs to check for attack vectors.
-query: |-
- MATCH p = (n)-[r]->(g:AZVM)
- RETURN p
-revision: 1
-resources: -
-acknowledgements: Daniel Scheidt, @theluemmel
diff --git a/queries/Shortest Paths from Azure Users to Azure VMs.yml b/queries/Shortest Paths from Azure Users to Azure VMs.yml
new file mode 100644
index 0000000..f20836a
--- /dev/null
+++ b/queries/Shortest Paths from Azure Users to Azure VMs.yml
@@ -0,0 +1,13 @@ +name: Shortest Paths from Azure Users to Azure VMs +guid: 912454f1-75a3-4813-b3df-7bddac0ff00d +prebuilt: false +platforms: +- Azure +category: General +description: Return shortest paths from Azure Users to Azure VMs to check for attack vectors. +query: |- + MATCH p = shortestPath((m:AZUser)-[*..]->(n:AZVM)) + RETURN p +revision: 1 +resources: - +acknowledgements: Daniel Scheidt, @theluemmel From 72e41a7c2fd8a3a50e60de4982d944cf820f8840 Mon Sep 17 00:00:00 2001 From: LuemmelSec <58529760+LuemmelSec@users.noreply.github.com> Date: Fri, 20 Jun 2025 10:21:56 +0200 Subject: [PATCH 08/21] Update Shortest Paths from Azure Users to Azure VMs.yml --- queries/Shortest Paths from Azure Users to Azure VMs.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/queries/Shortest Paths from Azure Users to Azure VMs.yml b/queries/Shortest Paths from Azure Users to Azure VMs.yml index f20836a..1cc2dc0 100644 --- a/queries/Shortest Paths from Azure Users to Azure VMs.yml +++ b/queries/Shortest Paths from Azure Users to Azure VMs.yml @@ -3,7 +3,7 @@ guid: 912454f1-75a3-4813-b3df-7bddac0ff00d prebuilt: false platforms: - Azure -category: General +category: Shortest Paths description: Return shortest paths from Azure Users to Azure VMs to check for attack vectors. query: |- MATCH p = shortestPath((m:AZUser)-[*..]->(n:AZVM)) From c4cc645541c778e27dab758b89cf5277c9abc076 Mon Sep 17 00:00:00 2001 From: LuemmelSec <58529760+LuemmelSec@users.noreply.github.com> Date: Fri, 20 Jun 2025 10:22:18 +0200 Subject: [PATCH 09/21] Create Shortest Paths from Owned Azure Users to Azure VMs.yml --- ...t Paths from Owned Azure Users to Azure VMs.yml | 14 ++++++++++++++ 1 file changed, 14 insertions(+) create mode 100644 queries/Shortest Paths from Owned Azure Users to Azure VMs.yml diff --git a/queries/Shortest Paths from Owned Azure Users to Azure VMs.yml b/queries/Shortest Paths from Owned Azure Users to Azure VMs.yml new file mode 100644 index 0000000..8c318a3 
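Review bot: The shortestPath on the MATCH line is computed for every `(AZUser, AZVM)` pair and returned without a cap, unlike the subscription-owner query in this series that ends in `LIMIT 1000`, so on a large tenant this will time out in the UI or return an unreadable graph. Add `LIMIT 1000` after `RETURN p` for consistency, or constrain the start set before computing paths as the owned variant in the next file does. The description could also state that `shortestPath` yields one path per pair rather than every path, since the file was renamed from `All Paths`.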
--- /dev/null
+++ b/queries/Shortest Paths from Owned Azure Users to Azure VMs.yml
@@ -0,0 +1,14 @@
+name: Shortest Paths from Owned Azure Users to Azure VMs
+guid: bab9fbec-7a46-4c1e-902e-a1b53a454610
+prebuilt: false
+platforms:
+- Azure
+category: Shortest Paths
+description: Return shortest paths from Owned Azure Users to Azure VMs to check for attack vectors.
+query: |-
+ MATCH p = shortestPath((m:AZUser)-[*..]->(n:AZVM))
+ WHERE m.system_tags CONTAINS 'owned'
+ RETURN p
+revision: 1
+resources: -
+acknowledgements: Daniel Scheidt, @theluemmel
From ee00e43bd8408dfb33f8bfaa94850f624302086f Mon Sep 17 00:00:00 2001
From: LuemmelSec <58529760+LuemmelSec@users.noreply.github.com>
Date: Fri, 20 Jun 2025 10:32:24 +0200
Subject: [PATCH 10/21] Create Shortest Paths from Owned Azure Users to Azure Keyvaults.yml
---
 ...s from Owned Azure Users to Azure Keyvaults.yml | 14 ++++++++++++++
 1 file changed, 14 insertions(+)
 create mode 100644 queries/Shortest Paths from Owned Azure Users to Azure Keyvaults.yml
diff --git a/queries/Shortest Paths from Owned Azure Users to Azure Keyvaults.yml b/queries/Shortest Paths from Owned Azure Users to Azure Keyvaults.yml
new file mode 100644
index 0000000..4c8358d
--- /dev/null
+++ b/queries/Shortest Paths from Owned Azure Users to Azure Keyvaults.yml
@@ -0,0 +1,14 @@
+name: Shortest Paths from Owned Azure Users to Azure Keyvaults
+guid: 53e73ae0-985e-4508-a82e-696d654f9538
+prebuilt: false
+platforms:
+- Azure
+category: Shortest Paths
+description: Return shortest paths from Owned Azure Users to Azure Keyvaults to check for attack vectors.
+query: |-
+ MATCH p = shortestPath((n:AZUser)-[*..]->(g:AZKeyVault))
+ WHERE m.system_tags CONTAINS 'owned'
+ RETURN p
+revision: 1
+resources: -
+acknowledgements: Daniel Scheidt, @theluemmel
From dff664180cf2d894bcc20866c1a6e0c7e19bcd56 Mon Sep 17 00:00:00 2001
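Review bot: The WHERE line filters on `m.system_tags`, but the MATCH line binds the user as `n` and the vault as `g`, so `m` is never defined and Neo4j rejects the query with `Variable m not defined`; this looks like the owned-VM query copied with the pattern variables renamed and the filter left behind. Change it to `WHERE n.system_tags CONTAINS 'owned'`, or rename the start node to `(m:AZUser)` so the file mirrors its owned-VM sibling. Running each new query once against a live instance before submitting would catch this class of error.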
From: LuemmelSec <58529760+LuemmelSec@users.noreply.github.com>
Date: Fri, 20 Jun 2025 10:33:07 +0200
Subject: [PATCH 11/21] Create Shortest Paths from Azure Users to Azure Keyvaults.yml
---
 ...st Paths from Azure Users to Azure Keyvaults.yml | 13 +++++++++++++
 1 file changed, 13 insertions(+)
 create mode 100644 queries/Shortest Paths from Azure Users to Azure Keyvaults.yml
diff --git a/queries/Shortest Paths from Azure Users to Azure Keyvaults.yml b/queries/Shortest Paths from Azure Users to Azure Keyvaults.yml
new file mode 100644
index 0000000..6583f5b
--- /dev/null
+++ b/queries/Shortest Paths from Azure Users to Azure Keyvaults.yml
@@ -0,0 +1,13 @@
+name: Shortest Paths from Azure Users to Azure Keyvaults
+guid: 6395428d-2deb-404b-85b5-edbac3a6e05d
+prebuilt: false
+platforms:
+- Azure
+category: Shortest Paths
+description: Return shortest paths from Azure Users to Azure Keyvaults to check for attack vectors.
+query: |-
+ MATCH p = shortestPath((n:AZUser)-[*..]->(g:AZKeyVault))
+ RETURN p
+revision: 1
+resources: -
+acknowledgements: Daniel Scheidt, @theluemmel
From aa26218f2e2f1994b93ad4f61b288e409d644c9a Mon Sep 17 00:00:00 2001
From: LuemmelSec <58529760+LuemmelSec@users.noreply.github.com>
Date: Fri, 20 Jun 2025 10:44:48 +0200
Subject: [PATCH 12/21] Create All direct Controllers of MS Graph
---
 queries/All direct Controllers of MS Graph | 14 ++++++++++++++
 1 file changed, 14 insertions(+)
 create mode 100644 queries/All direct Controllers of MS Graph
diff --git a/queries/All direct Controllers of MS Graph b/queries/All direct Controllers of MS Graph
new file mode 100644
index 0000000..4978285
--- /dev/null
+++ b/queries/All direct Controllers of MS Graph
@@ -0,0 +1,14 @@
+name: All direct Controllers of MS Graph
+guid: 45f949ca-ab69-43a4-adb2-796f9548beff
+prebuilt: false
+platforms:
+- Azure
+category: Microsoft Graph
+description: Return all direct Controllers of MS Graph.
+query: |-
+ MATCH p = (n)-[r:AZAddOwner|AZAddSecret|AZAppAdmin|AZCloudAppAdmin|AZMGAddOwner|AZMGAddSecret|AZOwns]->(g:AZServicePrincipal)
+ WHERE g.displayname = "MICROSOFT GRAPH"
+ RETURN p
+revision: 1
+resources: -
+acknowledgements: Daniel Scheidt, @theluemmel
From 281eb3f21265abbf26e7f57afccc1269c1f61091 Mon Sep 17 00:00:00 2001
From: LuemmelSec <58529760+LuemmelSec@users.noreply.github.com>
Date: Fri, 20 Jun 2025 11:00:20 +0200
Subject: [PATCH 13/21] Create All privileged Azure Service Principals.yml
---
 .../All privileged Azure Service Principals.yml | 14 ++++++++++++++
 1 file changed, 14 insertions(+)
 create mode 100644 queries/All privileged Azure Service Principals.yml
diff --git a/queries/All privileged Azure Service Principals.yml b/queries/All privileged Azure Service Principals.yml
new file mode 100644
index 0000000..ddd9ba4
--- /dev/null
+++ b/queries/All privileged Azure Service Principals.yml
@@ -0,0 +1,14 @@
+name: All privileged Azure Service Principals
+guid: 92f269ee-3727-4ffa-947b-aad492ac0fa2
+prebuilt: false
+platforms:
+- Azure
+category: Azure Hygiene
+description: Return all privileged Azure Service Principals.
+query: |-
+ MATCH p=(n:AZServicePrincipal)-[:AZHasRole|AZMemberOf*1..2]->(r:AZRole)
+ WHERE r.displayname =~ '(?i)Global Administrator|User Administrator|Cloud Application Administrator|Authentication Policy Administrator|Exchange Administrator|Helpdesk Administrator|PRIVILEGED AUTHENTICATION ADMINISTRATOR|Domain Name Administrator|Hybrid Identity Administrator|External Identity Provider Administrator|Privileged Role Administrator|Partner Tier2 Support|Application Administrator|Directory Synchronization Accounts'
+ RETURN p
+revision: 1
+resources: -
+acknowledgements: Daniel Scheidt, @theluemmel
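Review bot: The equality on the WHERE line, `g.displayname = "MICROSOFT GRAPH"`, is case-sensitive and depends on the display name being stored upper-cased; if the collector keeps the original `Microsoft Graph` casing the query returns nothing, and matching on a display name alone also lets a look-alike service principal stand in for Graph. Match on the well-known Microsoft Graph application ID instead, e.g. `WHERE toLower(g.appid) = '00000003-0000-0000-c000-000000000000'` (confirm the property name on `AZServicePrincipal` in this schema), keeping `toUpper(g.displayname) = 'MICROSOFT GRAPH'` as a fallback if the ID is not collected. The `r` binding is unused outside the path and can be dropped.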
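Review bot: The role allowlist in the WHERE regex is hand-maintained and already uneven — `Partner Tier2 Support` is listed but `Partner Tier1 Support` is not, and roles Microsoft itself flags as privileged such as `Security Administrator`, `Conditional Access Administrator` and `Intune Administrator` are absent — so the query will drift from what the tenant actually treats as privileged. If this instance tags Tier Zero roles, `WHERE r.system_tags CONTAINS 'admin_tier_0'` tracks the product's list and can be OR'd with the regex for any extras. Because `=~` anchors to the full value, the list only works for exact display names; a short note in `description` saying so would stop someone adding a partial name later.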
From 94040d62d098b0f9fb8cad9d0d04597439fd3f4d Mon Sep 17 00:00:00 2001
From: LuemmelSec <58529760+LuemmelSec@users.noreply.github.com>
Date: Fri, 20 Jun 2025 11:02:26 +0200
Subject: [PATCH 14/21] Create All Azure VMs with a tied Managed Identity.yml
---
 .../All Azure VMs with a tied Managed Identity.yml | 13 +++++++++++++
 1 file changed, 13 insertions(+)
 create mode 100644 queries/All Azure VMs with a tied Managed Identity.yml
diff --git a/queries/All Azure VMs with a tied Managed Identity.yml b/queries/All Azure VMs with a tied Managed Identity.yml
new file mode 100644
index 0000000..11c535e
--- /dev/null
+++ b/queries/All Azure VMs with a tied Managed Identity.yml
@@ -0,0 +1,13 @@
+name: All Azure VMs with a tied Managed Identity
+guid: 3ceca01a-226e-4e61-8692-a4b4611f2af0
+prebuilt: false
+platforms:
+- Azure
+category: General
+description: Return all Azure VMs with a tied Managed Identity.
+query: |-
+ MATCH p=(:AZVM)-[:AZManagedIdentity]->(n)
+ RETURN p
+revision: 1
+resources: -
+acknowledgements: Daniel Scheidt, @theluemmel
From ab973622e11a230497f7819e2af95234b7ce7b7f Mon Sep 17 00:00:00 2001
From: LuemmelSec <58529760+LuemmelSec@users.noreply.github.com>
Date: Sat, 21 Jun 2025 13:40:51 +0200
Subject: [PATCH 15/21] Rename All direct Controllers of MS Graph to All direct Controllers of MS Graph.yml
---
 ...rollers of MS Graph => All direct Controllers of MS Graph.yml} | 0
 1 file changed, 0 insertions(+), 0 deletions(-)
 rename queries/{All direct Controllers of MS Graph => All direct Controllers of MS Graph.yml} (100%)
diff --git a/queries/All direct Controllers of MS Graph b/queries/All direct Controllers of MS Graph.yml
similarity index 100%
rename from queries/All direct Controllers of MS Graph
rename to queries/All direct Controllers of MS Graph.yml
From 3f4ec4b233e6d4a0509d34e8b005f7d51070c44b Mon Sep 17 00:00:00 2001
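Review bot: The MATCH on the query line shows which VM carries a managed identity but not what that identity can do, so the result cannot be triaged without a second query. Extending it with `OPTIONAL MATCH q=(n)-[:AZHasRole|AZMemberOf*1..2]->(:AZRole) RETURN p, q` (the same hop pattern the privileged-service-principal query in this series uses) shows each identity's directory roles in the same graph; resource-level RBAC edges such as `AZOwner` or `AZContributor` could be added to that relationship list as well. Whether both system-assigned and user-assigned identities are represented by `AZManagedIdentity` in this schema is worth stating in the description.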
From: Martin Sohn Christensen Date: Thu, 3 Jul 2025 14:32:21 +0200 Subject: [PATCH 16/21] Update Accounts related to AAD Entra Connect.yml Updated to also support Microsoft Entra Cloud Sync --- queries/Accounts related to AAD Entra Connect.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/queries/Accounts related to AAD Entra Connect.yml b/queries/Accounts related to AAD Entra Connect.yml index c299447..fbbc9e8 100644 --- a/queries/Accounts related to AAD Entra Connect.yml +++ b/queries/Accounts related to AAD Entra Connect.yml @@ -9,7 +9,7 @@ description: Query to start reconnaissance about AADConnect / Entra Connect rela query: |- MATCH (u) WHERE (u:User OR u:AZUser) - AND (u.name =~ '(?i)^MSOL_|.*AADConnect.*|.*ADSyncMSA.*|.*AAD_.*' + AND (u.name =~ '(?i)^MSOL_|.*AADConnect.*|.*ADSyncMSA.*|.*AAD_.*|.*PROVAGENTGMSA.*' OR u.userprincipalname =~ '(?i)^sync_.*') RETURN u revision: 1 From 0a87d0f3fa76e340468c1a0d3f1d4da9eaeb88a1 Mon Sep 17 00:00:00 2001 From: Martin Sohn Christensen Date: Thu, 3 Jul 2025 14:35:38 +0200 Subject: [PATCH 17/21] Delete queries/Domain Admin to OU mapping .yml Query is redundant as it is a limited scope (only DA) compared to https://queries.specterops.io/?input=18a83a17-b451-4343-acfe-7620516e2968&name=Locations+of+Tier+Zero+%2F+High+Value+objects --- queries/Domain Admin to OU mapping .yml | 14 -------------- 1 file changed, 14 deletions(-) delete mode 100644 queries/Domain Admin to OU mapping .yml diff --git a/queries/Domain Admin to OU mapping .yml b/queries/Domain Admin to OU mapping .yml deleted file mode 100644 index 431aead..0000000 --- a/queries/Domain Admin to OU mapping .yml +++ /dev/null 
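Review bot: The edited regex line still carries the anchoring defect: Neo4j's `=~` must match the whole value, so the `^MSOL_` alternative matches only a name that is exactly `MSOL_` and the `MSOL_<hex>@DOMAIN` connector accounts are skipped. Since the line is being touched anyway, make it `AND (u.name =~ '(?i)^MSOL_.*|.*AADConnect.*|.*ADSyncMSA.*|.*AAD_.*|.*PROVAGENTGMSA.*'`. The new `PROVAGENTGMSA` branch will match the Cloud Sync agent's `provAgentgMSA$` account thanks to `(?i)`, but the file name and the context `description` line still mention only Entra Connect; mention Cloud Sync in the description so the extra branch is not removed as noise later.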
@@ -1,14 +0,0 @@ -name: Domain Admin to OU mapping -guid: 27e310ad-fe45-482e-8b17-fea7e795d9eb -prebuilt: false -platforms: -- Active Directory -category: Domain Information -description: Domain Admin to OU mapping -query: |- - MATCH p = (n:Domain)-[:Contains*1..]->(u:User)-[:MemberOf*1..]->(g:Group) - WHERE g.name CONTAINS "DOMAIN ADMINS@" - RETURN p -revision: 1 -resources: - -acknowledgements: Daniel Scheidt, @theluemmel From 8b3d0a18da65a32f8e2b6cd9c600b01c9ec3b665 Mon Sep 17 00:00:00 2001 From: LuemmelSec <58529760+LuemmelSec@users.noreply.github.com> Date: Wed, 3 Sep 2025 10:02:56 +0200 Subject: [PATCH 18/21] Update Shortest Paths from Azure Users to Azure Keyvaults.yml --- queries/Shortest Paths from Azure Users to Azure Keyvaults.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/queries/Shortest Paths from Azure Users to Azure Keyvaults.yml b/queries/Shortest Paths from Azure Users to Azure Keyvaults.yml index 6583f5b..5773e92 100644 --- a/queries/Shortest Paths from Azure Users to Azure Keyvaults.yml +++ b/queries/Shortest Paths from Azure Users to Azure Keyvaults.yml @@ -6,7 +6,7 @@ platforms: category: Shortest Paths description: Return shortest paths from Azure Users to Azure Keyvaults to check for attack vectors. query: |- - MATCH p = shortestPath((n:AZUser)-[*..]->(g:AZKeyVault)) + MATCH p = shortestPath((n:AZUser)-[:AZ_ATTACK_PATHS*..]->(g:AZKeyVault)) RETURN p revision: 1 resources: - From 593faadf9a7bc7c4e6a3328c6771f4109c6c2b9e Mon Sep 17 00:00:00 2001 From: LuemmelSec <58529760+LuemmelSec@users.noreply.github.com> Date: Wed, 3 Sep 2025 10:03:19 +0200 Subject: [PATCH 19/21] Update Shortest Paths from Azure Users to Azure VMs.yml --- queries/Shortest Paths from Azure Users to Azure VMs.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/queries/Shortest Paths from Azure Users to Azure VMs.yml b/queries/Shortest Paths from Azure Users to Azure VMs.yml index 1cc2dc0..0a1df47 100644 
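Review bot: `AZ_ATTACK_PATHS` on the changed MATCH line is not a relationship type that appears anywhere else in this series, and an unknown type inside a variable-length pattern makes Neo4j return zero rows without an error, which an operator will read as "no path to any vault". If it is a placeholder the query library expands into an edge list (please confirm), document that in `resources` or `description`; otherwise spell out the Azure attack-path edges explicitly, e.g. `-[:AZMemberOf|AZHasRole|AZOwns|AZOwner|AZContributor|AZUserAccessAdministrator|AZGetSecrets|AZGetKeys|AZGetCertificates*..]->`, trimmed to the types this schema actually has. Either way the narrowing from `[*..]` is the right direction, since the old pattern also walked containment edges that are not attack paths.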
--- a/queries/Shortest Paths from Azure Users to Azure VMs.yml +++ b/queries/Shortest Paths from Azure Users to Azure VMs.yml @@ -6,7 +6,7 @@ platforms: category: Shortest Paths description: Return shortest paths from Azure Users to Azure VMs to check for attack vectors. query: |- - MATCH p = shortestPath((m:AZUser)-[*..]->(n:AZVM)) + MATCH p = shortestPath((m:AZUser)-[:AZ_ATTACK_PATHS*..]->(n:AZVM)) RETURN p revision: 1 resources: - From 09a0569d1a3165287be8a8bfe721f7c9c0cdfa2a Mon Sep 17 00:00:00 2001 From: LuemmelSec <58529760+LuemmelSec@users.noreply.github.com> Date: Wed, 3 Sep 2025 10:03:44 +0200 Subject: [PATCH 20/21] Update Shortest Paths from Owned Azure Users to Azure Keyvaults.yml --- ...Shortest Paths from Owned Azure Users to Azure Keyvaults.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/queries/Shortest Paths from Owned Azure Users to Azure Keyvaults.yml b/queries/Shortest Paths from Owned Azure Users to Azure Keyvaults.yml index 4c8358d..b14985a 100644 --- a/queries/Shortest Paths from Owned Azure Users to Azure Keyvaults.yml +++ b/queries/Shortest Paths from Owned Azure Users to Azure Keyvaults.yml @@ -6,7 +6,7 @@ platforms: category: Shortest Paths description: Return shortest paths from Owned Azure Users to Azure Keyvaults to check for attack vectors. query: |- - MATCH p = shortestPath((n:AZUser)-[*..]->(g:AZKeyVault)) + MATCH p = shortestPath((n:AZUser)-[:AZ_ATTACK_PATHS*..]->(g:AZKeyVault)) WHERE m.system_tags CONTAINS 'owned' RETURN p revision: 1 From acaa569568dfe2d0524781b04db3c2b0475b3a4f Mon Sep 17 00:00:00 2001 From: LuemmelSec <58529760+LuemmelSec@users.noreply.github.com> Date: Wed, 3 Sep 2025 10:04:00 +0200 Subject: [PATCH 21/21] Update Shortest Paths from Owned Azure Users to Azure VMs.yml --- queries/Shortest Paths from Owned Azure Users to Azure VMs.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
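Review bot: `m` on the WHERE line is still unbound after this edit — the changed MATCH line binds the user as `n` — so the query fails with `Variable m not defined` and the owned filter never runs; the MATCH line was touched here and was the natural place to fix it. Change the WHERE to `WHERE n.system_tags CONTAINS 'owned'`, or rename `(n:AZUser)` to `(m:AZUser)` to mirror the owned-VM sibling. `AZ_ATTACK_PATHS` carries the same caveat as in the other files in this series: if it is neither a real relationship type nor a library macro, the query silently returns nothing.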
diff --git a/queries/Shortest Paths from Owned Azure Users to Azure VMs.yml b/queries/Shortest Paths from Owned Azure Users to Azure VMs.yml index 8c318a3..506e97a 100644 --- a/queries/Shortest Paths from Owned Azure Users to Azure VMs.yml +++ b/queries/Shortest Paths from Owned Azure Users to Azure VMs.yml @@ -6,7 +6,7 @@ platforms: category: Shortest Paths description: Return shortest paths from Owned Azure Users to Azure VMs to check for attack vectors. query: |- - MATCH p = shortestPath((m:AZUser)-[*..]->(n:AZVM)) + MATCH p = shortestPath((m:AZUser)-[:AZ_ATTACK_PATHS*..]->(n:AZVM)) WHERE m.system_tags CONTAINS 'owned' RETURN p revision: 1
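Review bot: The owned filter on the WHERE line is written as a post-filter on a `shortestPath` pattern; whether the planner pushes it into the path search or first computes a path for every `AZUser` depends on the Neo4j version, so the robust form is to bind the owned start set before the path match: `MATCH (m:AZUser) WHERE m.system_tags CONTAINS 'owned'` / `MATCH p = shortestPath((m)-[:AZ_ATTACK_PATHS*..]->(n:AZVM))` / `RETURN p`. This is a style and predictability point rather than a correctness bug. `AZ_ATTACK_PATHS` needs the same confirmation as in the sibling files — an unknown relationship type returns zero rows rather than an error.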