Some new queries

queries/Accounts related to AAD Entra Connect.yml

@@ -0,0 +1,17 @@
+name: Accounts related to AAD Entra Connect
+guid: 5993208e-6189-40e6-be03-c23c872d0ca4
+prebuilt: false
+platforms:
+- Active Directory
+- Azure
+category: Active Directory Hygiene
+description: Query to start reconnaissance about AADConnect / Entra Connect related accounts
+query: |-
+  MATCH (u) 
+  WHERE (u:User OR u:AZUser) 
+  AND (u.name =~ '(?i)^MSOL_|.*AADConnect.*|.*ADSyncMSA.*|.*AAD_.*|.*PROVAGENTGMSA.*' 
+  OR u.userprincipalname =~ '(?i)^sync_.*') 
+  RETURN u
+revision: 1
+resources: https://learn.microsoft.com/en-us/entra/identity/hybrid/connect/concept-adsync-service-account
+acknowledgements: Daniel Scheidt, @theluemmel

queries/All Azure VMs with a tied Managed Identity.yml

@@ -0,0 +1,13 @@
+name: All Azure VMs with a tied Managed Identity
+guid: 3ceca01a-226e-4e61-8692-a4b4611f2af0
+prebuilt: false
+platforms:
+- Azure
+category: General
+description: Return all Azure VMs with a tied Managed Identity.
+query: |-
+  MATCH p=(:AZVM)-[:AZManagedIdentity]->(n) 
+  RETURN p
+revision: 1
+resources: -
+acknowledgements: Daniel Scheidt, @theluemmel

queries/All direct Controllers of MS Graph.yml

@@ -0,0 +1,14 @@
+name: All direct Controllers of MS Graph
+guid: 45f949ca-ab69-43a4-adb2-796f9548beff
+prebuilt: false
+platforms:
+- Azure
+category: Microsoft Graph
+description: Return all direct Controllers of MS Graph.
+query: |-
+  MATCH p = (n)-[r:AZAddOwner|AZAddSecret|AZAppAdmin|AZCloudAppAdmin|AZMGAddOwner|AZMGAddSecret|AZOwns]->(g:AZServicePrincipal)
+  WHERE g.displayname = "MICROSOFT GRAPH"
+  RETURN p
+revision: 1
+resources: -
+acknowledgements: Daniel Scheidt, @theluemmel

queries/All privileged Azure Service Principals.yml

@@ -0,0 +1,14 @@
+name: All privileged Azure Service Principals
+guid: 92f269ee-3727-4ffa-947b-aad492ac0fa2
+prebuilt: false
+platforms:
+- Azure
+category: Azure Hygiene
+description: Return all privileged Azure Service Principals.
+query: |-
+  MATCH p=(n:AZServicePrincipal)-[:AZHasRole|AZMemberOf*1..2]->(r:AZRole) 
+  WHERE r.displayname =~ '(?i)Global Administrator|User Administrator|Cloud Application Administrator|Authentication Policy Administrator|Exchange Administrator|Helpdesk Administrator|PRIVILEGED AUTHENTICATION ADMINISTRATOR|Domain Name Administrator|Hybrid Identity Administrator|External Identity Provider Administrator|Privileged Role Administrator|Partner Tier2 Support|Application Administrator|Directory Synchronization Accounts' 
+  RETURN p
+revision: 1
+resources: -
+acknowledgements: Daniel Scheidt, @theluemmel

queries/Owners of Azure Applications.yml

@@ -0,0 +1,13 @@
+name: Owners of Azure Applications
+guid: 3beb1260-61ad-42b5-819f-e1b619d28e22
+prebuilt: false
+platforms:
+- Azure
+category: General
+description: Return all Owners of Azure Applications to search for possible attack paths. Low privileged users should not be owners of applications.
+query: |-
+  MATCH p = (n)-[r:AZOwns]->(g:AZApp) 
+  RETURN p
+revision: 1
+resources: -
+acknowledgements: Daniel Scheidt, @theluemmel

queries/Owners of Azure Subscriptions.yml

@@ -0,0 +1,15 @@
+name: Owners of Azure Subscriptions
+guid: bd0daafd-4256-4ce6-9b7f-a9e38509d81c
+prebuilt: false
+platforms:
+- Azure
+category: General
+description: Return all Owners of Azure Subscriptions to search for possible attack paths. Low privileged users should not be owners of Subscriptions.
+query: |-
+  MATCH p=shortestPath((s:AZBase)-[:AZOwner*1..]->(t:AZSubscription))
+  WHERE s<>t
+  RETURN p
+  LIMIT 1000
+revision: 1
+resources: -
+acknowledgements: Daniel Scheidt, @theluemmel

queries/Shortest Paths from Azure Users to Azure Keyvaults.yml

@@ -0,0 +1,13 @@
+name: Shortest Paths from Azure Users to Azure Keyvaults
+guid: 6395428d-2deb-404b-85b5-edbac3a6e05d
+prebuilt: false
+platforms:
+- Azure
+category: Shortest Paths
+description: Return shortest paths from Azure Users to Azure Keyvaults to check for attack vectors.
+query: |-
+  MATCH p = shortestPath((n:AZUser)-[:AZ_ATTACK_PATHS*..]->(g:AZKeyVault))
+  RETURN p
+revision: 1
+resources: -
+acknowledgements: Daniel Scheidt, @theluemmel

queries/Shortest Paths from Azure Users to Azure VMs.yml

@@ -0,0 +1,13 @@
+name: Shortest Paths from Azure Users to Azure VMs
+guid: 912454f1-75a3-4813-b3df-7bddac0ff00d
+prebuilt: false
+platforms:
+- Azure
+category: Shortest Paths
+description: Return shortest paths from Azure Users to Azure VMs to check for attack vectors.
+query: |-
+  MATCH p = shortestPath((m:AZUser)-[:AZ_ATTACK_PATHS*..]->(n:AZVM)) 
+  RETURN p
+revision: 1
+resources: -
+acknowledgements: Daniel Scheidt, @theluemmel

queries/Shortest Paths from Owned Azure Users to Azure Keyvaults.yml

@@ -0,0 +1,14 @@
+name: Shortest Paths from Owned Azure Users to Azure Keyvaults
+guid: 53e73ae0-985e-4508-a82e-696d654f9538
+prebuilt: false
+platforms:
+- Azure
+category: Shortest Paths
+description: Return shortest paths from Owned Azure Users to Azure Keyvaults to check for attack vectors.
+query: |-
+  MATCH p = shortestPath((n:AZUser)-[:AZ_ATTACK_PATHS*..]->(g:AZKeyVault))
+  WHERE m.system_tags CONTAINS 'owned'
+  RETURN p
+revision: 1
+resources: -
+acknowledgements: Daniel Scheidt, @theluemmel

queries/Shortest Paths from Owned Azure Users to Azure VMs.yml

@@ -0,0 +1,14 @@
+name: Shortest Paths from Owned Azure Users to Azure VMs
+guid: bab9fbec-7a46-4c1e-902e-a1b53a454610
+prebuilt: false
+platforms:
+- Azure
+category: Shortest Paths
+description: Return shortest paths from Owned Azure Users to Azure VMs to check for attack vectors.
+query: |-
+  MATCH p = shortestPath((m:AZUser)-[:AZ_ATTACK_PATHS*..]->(n:AZVM))
+  WHERE m.system_tags CONTAINS 'owned'
+  RETURN p
+revision: 1
+resources: -
+acknowledgements: Daniel Scheidt, @theluemmel