From 6ff4c2f145bc914183defcb0434d25e8fe2bf009 Mon Sep 17 00:00:00 2001 From: Martin Date: Wed, 29 Oct 2025 11:25:16 +0100 Subject: [PATCH 1/7] Update Map Azure Management structure.yml Ensure results also include empty AZManagementGroup or AZSubscription that are still relevant to understand the structure. Previously, the query would only end at AZResourceGroup, the query can end at any: AZManagementGroup, AZSubscription, AZResourceGroup. --- queries/Map Azure Management structure.yml | 10 ++++++---- 1 file changed, 6 insertions(+), 4 deletions(-) diff --git a/queries/Map Azure Management structure.yml b/queries/Map Azure Management structure.yml index 180e1a2..993b1b1 100644 --- a/queries/Map Azure Management structure.yml +++ b/queries/Map Azure Management structure.yml @@ -3,12 +3,14 @@ guid: c1bb109e-e6a4-4c91-864f-f78e1e42615e prebuilt: false platforms: Azure category: General -description: Maps the structure of Azure Management +description: Maps the structure of the Azure resource hierarchy from Azure tenants to the resource group level query: |- - MATCH p = (:AZTenant)-[:AZContains*1..]->(:AZResourceGroup) + MATCH p = (:AZTenant)-[:AZContains*1..]->(n:AZBase) + WHERE (n:AZManagementGroup) + OR (n:AZSubscription) + OR (n:AZResourceGroup) RETURN p LIMIT 1000 -revision: 2 +revision: 3 resources: https://learn.microsoft.com/en-us/azure/governance/management-groups/overview acknowledgements: Martin Sohn Christensen, @martinsohndk - From 03d94e8e4fde3912121655631fd8d3919572b137 Mon Sep 17 00:00:00 2001 From: Martin Date: Sat, 3 Jan 2026 13:48:33 +0000 Subject: [PATCH 2/7] Update Potential GPO 'Apply' misconfiguration.yml Fixes https://github.com/SpecterOps/BloodHoundQueryLibrary/issues/40 --- queries/Potential GPO 'Apply' misconfiguration.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/queries/Potential GPO 'Apply' misconfiguration.yml b/queries/Potential GPO 'Apply' misconfiguration.yml index b2a9901..80a2b33 100644 
--- a/queries/Potential GPO 'Apply' misconfiguration.yml +++ b/queries/Potential GPO 'Apply' misconfiguration.yml @@ -3,12 +3,12 @@ guid: f5f2455e-afdc-4708-9a34-98f539ce52d8 prebuilt: true platforms: Active Directory category: Dangerous Privileges -description: In Active Directory, GPO's are applied to objects in the Group Policy Management Console by ticking "Allow - Apply group policy", but administrators can mistakenly tick "Allow - Write" or "Allow - Full Control" resulting in a misconfigured GPO that allows a principal to compromise other principals the GPO also applies to. Results are potential risks and must be audited for for correctness. +description: In Active Directory, GPO's are applied to objects in the Group Policy Management Console by ticking "Allow - Apply group policy", but administrators can mistakenly tick "Allow - Write" or "Allow - Full Control" resulting in a misconfigured GPO that allows a principal to compromise other principals the GPO also applies to. Results are potential risks and should be verified. query: |- MATCH p=(n:Base)-[:GenericAll|GenericWrite]->(g:GPO) // Exclude Enterprise Admins and Domain Admins - WHERE NOT n.objectid =~ "-(519|512)$" + WHERE NOT n.objectid =~ ".*-(519|512)$" // Exclude unresolved SIDs AND NOT (n.distinguishedname IS NULL) @@ -19,7 +19,7 @@ query: |- RETURN p LIMIT 1000 -revision: 2 +revision: 3 resources: acknowledgements: Martin Sohn Christensen, @martinsohndk From 410a4786379c2bf7b0bd1e5ec1e08379a28ca545 Mon Sep 17 00:00:00 2001 From: Martin Date: Sat, 3 Jan 2026 14:24:49 +0000 Subject: [PATCH 3/7] Update Collection health of DC Registry Data.yml Improve description. --- queries/Collection health of DC Registry Data.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/queries/Collection health of DC Registry Data.yml b/queries/Collection health of DC Registry Data.yml index 29106cd..12c3e65 100644 --- a/queries/Collection health of DC Registry Data.yml 
+++ b/queries/Collection health of DC Registry Data.yml @@ -3,7 +3,7 @@ guid: 3f0fa2f3-fbdf-42c0-9e7d-97e689009161 prebuilt: false platforms: Active Directory category: Domain Information -description: BloodHound's ADCS analysis requires collecting CA registry data to increase accuracy/enable more edges. Collection by default requires SharpHound has Administrators membership. Requires SharpHound v2.3.5 or above. It only requires one misconfigured DC to potentially a full forest compromise by any principal. DCs returned by this query have not been collected. +description: BloodHound's ADCS analysis requires collecting CA registry data to increase accuracy/enable more edges. Collection by default requires SharpHound has Administrators membership. Requires SharpHound v2.3.5 or above. It only requires one misconfigured DC to potentially a full forest compromise by any principal. DCs returned by this query have an incomplete collection for one or more of the queried attributes. query: |- MATCH p=(:Domain)<-[:DCFor]-(c:Computer) WHERE c.strongcertificatebindingenforcementraw IS NULL @@ -11,7 +11,7 @@ query: |- AND c.enabled = true AND c.lastlogontimestamp > (datetime().epochseconds - (30 * 86400)) RETURN p -revision: 1 +revision: 2 resources: https://bloodhound.specterops.io/collect-data/enterprise-collection/permissions#dc-registry acknowledgements: Martin Sohn Christensen, @martinsohndk From e005489491b2d7be51af4734993c393624a07622 Mon Sep 17 00:00:00 2001 From: Martin Date: Sat, 3 Jan 2026 14:25:06 +0000 Subject: [PATCH 4/7] Update Collection health of CA Registry Data.yml Improve description & query accuracy. --- queries/Collection health of CA Registry Data.yml | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/queries/Collection health of CA Registry Data.yml b/queries/Collection health of CA Registry Data.yml index 3b084ad..a50e48e 100644 --- a/queries/Collection health of CA Registry Data.yml 
+++ b/queries/Collection health of CA Registry Data.yml @@ -3,20 +3,20 @@ guid: c8dd3479-8063-450a-9456-557bc5f39e10 prebuilt: false platforms: Active Directory category: Domain Information -description: BloodHound's ADCS analysis requires collecting CA registry data to increase accuracy/enable more edges. Collection by default requires SharpHound has Administrators membership. Requires SharpHound v2.3.5 or above. It only requires one misconfigured CA to potentially a full forest compromise by any principal. CAs returned by this query have not been collected. +description: BloodHound's ADCS analysis requires collecting CA registry data to increase accuracy/enable more edges. Collection by default requires SharpHound has Administrators membership. Requires SharpHound v2.3.5 or above. It only requires one misconfigured CA to potentially a full forest compromise by any principal. EnterpriseCAs returned by this query have an incomplete collection for one or more of the queried attributes. query: |- MATCH p=(eca:EnterpriseCA)<-[:HostsCAService]-(c:Computer) WHERE ( - eca.isuserspecifiessanenabledcollected = false - OR eca.casecuritycollected = false - OR eca.enrollmentagentrestrictionscollected = false - OR eca.roleseparationenabledcollected = false + NOT eca.casecuritycollected = true + OR NOT eca.enrollmentagentrestrictionscollected = true + OR NOT eca.isuserspecifiessanenabledcollected = true + OR NOT eca.roleseparationenabledcollected = true ) // Exclude inactive CAs AND c.enabled = true AND c.lastlogontimestamp > (datetime().epochseconds - (30 * 86400)) RETURN p -revision: 1 +revision: 2 resources: https://bloodhound.specterops.io/collect-data/enterprise-collection/permissions#ca-registry acknowledgements: Martin Sohn Christensen, @martinsohndk From c00ac9d5551cb88fe9e02b897bc9ed81aac933cf Mon Sep 17 00:00:00 2001 
From: Martin Date: Sat, 3 Jan 2026 14:25:51 +0000 Subject: [PATCH 5/7] Update Domains allowing unauthenticated rootDSE searches and binds.yml Fixes https://github.com/SpecterOps/BloodHoundQueryLibrary/issues/39 dsheuristics of 2 means unauthenticated rootDSE searches and binds are allowed --- ...ns allowing unauthenticated rootDSE searches and binds.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/queries/Domains allowing unauthenticated rootDSE searches and binds.yml b/queries/Domains allowing unauthenticated rootDSE searches and binds.yml index 68edf90..1c4281f 100644 --- a/queries/Domains allowing unauthenticated rootDSE searches and binds.yml +++ b/queries/Domains allowing unauthenticated rootDSE searches and binds.yml @@ -6,9 +6,9 @@ category: Active Directory Hygiene description: Checks the fLDAPBlockAnonOps flag of dSHeuristics. query: |- MATCH (n:Domain) - WHERE n.dsheuristics =~ ".{6}[^2].*" + WHERE n.dsheuristics =~ ".{6}2.*" RETURN n -revision: 1 +revision: 2 resources: https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-adts/e5899be4-862e-496f-9a38-33950617d2c5 acknowledgements: Martin Sohn Christensen, @martinsohndk From eb32e694b240c2b88121dd56731953457492af03 Mon Sep 17 00:00:00 2001 From: Martin Date: Sat, 3 Jan 2026 14:39:08 +0000 Subject: [PATCH 6/7] Rename & improve 'Direct Principal Rights Assignment' Rename to 'Principals With Direct Rights Assignment'. Fixes https://github.com/SpecterOps/BloodHoundQueryLibrary/issues/37 Added new edges: WriteOwnerLimitedRights|OwnsLimitedRights|CanApplyGPO|ManageCA|ManageCertificates --- .../Direct Principal Rights Assignment.yml | 15 --------------- ...incipals With Direct Rights Assignment.yml | 19 +++++++++++++++++++ 2 files changed, 19 insertions(+), 15 deletions(-) delete mode 100644 queries/Direct Principal Rights Assignment.yml create mode 100644 queries/Principals With Direct Rights Assignment.yml 
diff --git a/queries/Direct Principal Rights Assignment.yml b/queries/Direct Principal Rights Assignment.yml deleted file mode 100644 index a2d08ab..0000000 --- a/queries/Direct Principal Rights Assignment.yml +++ /dev/null @@ -1,15 +0,0 @@ -name: Direct Principal Rights Assignment -guid: 1d9c6ae3-38fc-4089-b5ad-fc3be0fa8eec -prebuilt: false -platforms: Active Directory -category: Active Directory Hygiene -description: This query identifies rights assigned directly to users or computers instead of groups. Active Directory best practice requires granting rights to groups, then adding users as group members. This role-based access control (RBAC) approach ensures permissions are easily auditable and manageable. Results include inherited rights, which must be modified at the parent container level. -query: |- - MATCH p=(n:Base)-[r:GenericAll|GenericWrite|WriteOwner|WriteDacl|ForceChangePassword|AllExtendedRights|AddMember|AllowedToDelegate|AllowedToAct|AdminTo|CanPSRemote|CanRDP|ExecuteDCOM|AddSelf|DCSync|ReadLAPSPassword|ReadGMSAPassword|DumpSMSAPassword|AddAllowedToAct|WriteSPN|AddKeyCredentialLink|SyncLAPSPassword|WriteAccountRestrictions|WriteGPLink|ADCSESC1|ADCSESC3|ADCSESC4|ADCSESC6a|ADCSESC6b|ADCSESC9a|ADCSESC9b|ADCSESC10a|ADCSESC10b|ADCSESC13]->(:Base) - WHERE (n:User OR n:Computer) - RETURN p - LIMIT 1000 -revision: 1 -resources: https://softwareengineering.stackexchange.com/questions/11856/whats-wrong-with-circular-references -acknowledgements: Martin Sohn Christensen, @martinsohndk - diff --git a/queries/Principals With Direct Rights Assignment.yml b/queries/Principals With Direct Rights Assignment.yml new file mode 100644 index 0000000..8141476 --- /dev/null +++ b/queries/Principals With Direct Rights Assignment.yml 
@@ -0,0 +1,19 @@ +name: Principals With Direct Rights Assignment +guid: 1d9c6ae3-38fc-4089-b5ad-fc3be0fa8eec +prebuilt: false +platforms: Active Directory +category: Active Directory Hygiene +description: Identifies principals with rights assigned directly to them instead of to groups they are a member of. Active Directory best practice requires granting rights to groups, then adding users as group members. This role-based access control (RBAC) approach ensures permissions are easily auditable and manageable. Results include inherited rights, which must be modified at the parent container level. +query: |- + MATCH p=(n:Base)-[r:GenericAll|GenericWrite|WriteOwner|WriteDacl|ForceChangePassword|AllExtendedRights|AddMember|AllowedToDelegate|AllowedToAct|AdminTo|CanPSRemote|CanRDP|ExecuteDCOM|AddSelf|DCSync|ReadLAPSPassword|ReadGMSAPassword|DumpSMSAPassword|AddAllowedToAct|WriteSPN|AddKeyCredentialLink|SyncLAPSPassword|WriteAccountRestrictions|WriteGPLink|ADCSESC1|ADCSESC3|ADCSESC4|ADCSESC6a|ADCSESC6b|ADCSESC9a|ADCSESC9b|ADCSESC10a|ADCSESC10b|ADCSESC13|WriteOwnerLimitedRights|OwnsLimitedRights|CanApplyGPO|ManageCA|ManageCertificates]->(:Base) + WHERE (n:User OR n:Computer) + + // Uncomment the below to only search enabled principals. + // AND n.enabled = true + + RETURN p + LIMIT 1000 +revision: 2 +resources: https://csrc.nist.gov/Projects/Role-Based-Access-Control +acknowledgements: Martin Sohn Christensen, @martinsohndk + From bd59811c40b985c36fab08ca6d0112c9c8e61b68 Mon Sep 17 00:00:00 2001 From: Martin Date: Sat, 3 Jan 2026 14:50:57 +0000 Subject: [PATCH 7/7] Update Non-Tier Zero account with unconstrained delegation.yml Fixes https://github.com/SpecterOps/BloodHoundQueryLibrary/issues/38 Add option/comments to change exclusions --- ...Non-Tier Zero account with unconstrained delegation.yml | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) 
diff --git a/queries/Non-Tier Zero account with unconstrained delegation.yml b/queries/Non-Tier Zero account with unconstrained delegation.yml index c869023..1492393 100644 --- a/queries/Non-Tier Zero account with unconstrained delegation.yml +++ b/queries/Non-Tier Zero account with unconstrained delegation.yml @@ -7,9 +7,14 @@ description: query: |- MATCH (n:Base) WHERE n.unconstraineddelegation = true + + // The query excludes all Tier Zero objects by default + // Exclude only DCs by removing the line below and uncomment the 'NOT n.isdc' line after AND NOT ((n:Tag_Tier_Zero) OR COALESCE(n.system_tags, '') CONTAINS 'admin_tier_0') + //AND NOT n.isdc = true + RETURN n -revision: 1 +revision: 2 resources: acknowledgements: Martin Sohn Christensen, @martinsohndk
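Review bot: In the [PATCH 1/7] hunk for Map Azure Management structure.yml, the unchanged `LIMIT 1000` now caps a much larger result set, because every path that ends at an AZManagementGroup or AZSubscription is returned on top of the paths that end at an AZResourceGroup, so in a tenant of any size the limit truncates more often and can silently drop exactly the empty management groups and subscriptions this change is meant to surface. Suggest bounding the variable-length pattern instead of relying on the limit: the linked management-groups overview caps nesting at six levels below the root group, so root group plus six levels plus subscription plus resource group is at most nine `AZContains` hops from the tenant, e.g. `MATCH p = (:AZTenant)-[:AZContains*1..9]->(n:AZBase)`, and state in the description that output is capped at 1000 paths.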
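Review bot: In the first [PATCH 2/7] hunk for Potential GPO 'Apply' misconfiguration.yml, the regex fix is correct (Cypher `=~` must match the whole string, so the old `-(519|512)$` never matched anything and the exclusion was a no-op), but the exclusion is narrower than the comment `// Exclude Enterprise Admins and Domain Admins` implies for a hygiene query: only those two groups are dropped, and any other Tier Zero principal that holds GenericAll or GenericWrite on GPOs by design is still reported as a potential misconfiguration. Consider the same Tier Zero exclusion this series uses in [PATCH 7/7], `AND NOT ((n:Tag_Tier_Zero) OR COALESCE(n.system_tags, '') CONTAINS 'admin_tier_0')`, in place of or alongside the RID check, and fix the plural `GPO's` to `GPOs` in the description while touching that line.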
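Review bot: In the [PATCH 3/7] hunk for Collection health of DC Registry Data.yml, the rewritten description keeps two sentences that still read badly: `It only requires one misconfigured DC to potentially a full forest compromise by any principal` is missing its verb, and `Collection by default requires SharpHound has Administrators membership` needs a "that". Suggest `It takes only one misconfigured DC to potentially enable a full forest compromise by any principal` and `Collection by default requires that SharpHound run as a member of the local Administrators group on the DC`. The new final sentence about incomplete collection for one or more queried attributes is consistent with the `IS NULL` predicate in the query, so no change needed there.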
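Review bot: In the [PATCH 4/7] hunk for Collection health of CA Registry Data.yml, rewriting `eca.casecuritycollected = false` as `NOT eca.casecuritycollected = true` does not widen the match the way "improve query accuracy" suggests: under Cypher's three-valued logic `null = true` is null and `NOT null` is still null, so an EnterpriseCA node on which the `*collected` property was never written is filtered out by `WHERE` exactly as it was before. If the intent is to also catch CAs that were never collected at all, test each of the four flags as `NOT COALESCE(eca.casecuritycollected, false) = true` (or `eca.casecuritycollected IS NULL OR eca.casecuritycollected = false`). The description line carries the same wording issues as the DC query (`requires SharpHound has Administrators membership`, `to potentially a full forest compromise`) and should get the same fix.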
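Review bot: In the [PATCH 5/7] hunk for Domains allowing unauthenticated rootDSE searches and binds.yml, inverting the regex to `.{6}2.*` is the right fix: the seventh character of dSHeuristics is fLDAPBlockAnonOps, and the old `[^2]` class returned every domain where anonymous operations are blocked, which is the default. Two follow-ups on the same lines: the description `Checks the fLDAPBlockAnonOps flag of dSHeuristics` should state which value is reported, e.g. `Returns domains whose dSHeuristics seventh character (fLDAPBlockAnonOps) is 2, which permits anonymous LDAP operations`; and per the linked MS-ADTS section, rootDSE searches and binds are permitted anonymously regardless of this flag, with a value of 2 lifting the block on anonymous operations beyond rootDSE, so the query name overstates what the flag controls and would be more precise as something like "Domains allowing anonymous LDAP operations beyond rootDSE". A domain with dSHeuristics unset or shorter than seven characters correctly fails to match, since that means the default, blocked, state.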
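Review bot: In the new-file hunk of [PATCH 6/7] for Principals With Direct Rights Assignment.yml, the description says `Results include inherited rights, which must be modified at the parent container level` but the query gives the analyst no way to tell an ACE set directly on the target from one inherited from a container, which is the difference between fixing the object and fixing its OU. If the collector populates `isinherited` on ACL edges as it does for the other edge properties, returning it alongside the path (`RETURN p, r.isinherited`) or documenting the distinction in the description would make the results actionable; note that the non-ACL edges in the list (AdminTo, CanRDP, AllowedToDelegate, the ADCSESC* edges) will not carry that property, so it must not be used as a `WHERE` filter. The commented-out `// AND n.enabled = true` sits inside the `WHERE` clause and yields valid Cypher when uncommented, and keeping the guid `1d9c6ae3-38fc-4089-b5ad-fc3be0fa8eec` across the rename is the right call so consumers keyed on it pick up the new name.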
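Review bot: In the [PATCH 7/7] hunk for Non-Tier Zero account with unconstrained delegation.yml, the alternative filter `//AND NOT n.isdc = true` is wrong for the accounts the query is named after: `isdc` exists on Computer nodes only, so for a User node the expression is `NOT (null = true)`, which is null, and `WHERE` drops the row. Following the comment's instructions would therefore silently remove every user account with unconstrained delegation and report only non-DC computers. Suggest `//AND NOT COALESCE(n.isdc, false) = true` (or `AND (n.isdc IS NULL OR n.isdc = false)`), and tighten the comment to `// To exclude only DCs instead, delete the Tier Zero line below and uncomment the isdc line`. The `description:` shown in the hunk header context also appears to be empty and is worth filling in while the file is being revised.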