SpecterOps · d3vzer0 · Jun 13, 2025 · Jun 13, 2025 · Jun 13, 2025 · Jun 13, 2025
diff --git a/Queries.json b/Queries.json
diff --git a/queries/ACEs across trusts.yml b/queries/ACEs across trusts.yml
@@ -1,7 +1,7 @@
 name: ACEs across trusts
 guid: c902d3b4-1a75-4335-acd7-28246dab746d
 prebuilt: false
-platform: Active Directory
+platforms: Active Directory
 category: Domain Information
 description: ACEs granted across a trust, the ACEs are set on trusting objects and the rights are granted to objects from trusted domains.
 query: |-

diff --git a/queries/AS-REP Roastable Tier Zero users (DontReqPreAuth).yml b/queries/AS-REP Roastable Tier Zero users (DontReqPreAuth).yml
@@ -1,7 +1,7 @@
 name: AS-REP Roastable Tier Zero users (DontReqPreAuth)
 guid: 6d51e4dc-e1ad-477a-b6c6-324f18f03120
 prebuilt: false
-platform: Active Directory
+platforms: Active Directory
 category: Active Directory Hygiene
 description: 
 query: |-

diff --git a/queries/AS-REP Roastable users (DontReqPreAuth).yml b/queries/AS-REP Roastable users (DontReqPreAuth).yml
@@ -1,7 +1,7 @@
 name: AS-REP Roastable users (DontReqPreAuth)
 guid: 2570e359-dec1-419d-b0dc-a204bd64ee42
 prebuilt: true
-platform: Active Directory
+platforms: Active Directory
 category: Kerberos Interaction
 description: 
 query: |-

diff --git a/queries/Accounts with SID History to a non-existent domain.yml b/queries/Accounts with SID History to a non-existent domain.yml
@@ -1,7 +1,7 @@
 name: Accounts with SID History to a non-existent domain
 guid: 2710401a-c4c2-4d2c-9edb-d7625045f2e8
 prebuilt: false
-platform: Active Directory
+platforms: Active Directory
 category: Active Directory Hygiene
 description: 
 query: |-

diff --git a/queries/Accounts with SID History to a same-domain account.yml b/queries/Accounts with SID History to a same-domain account.yml
@@ -1,7 +1,7 @@
 name: Accounts with SID History to a same-domain account
 guid: 275d2d58-0cad-4cad-8103-e0874cece666
 prebuilt: false
-platform: Active Directory
+platforms: Active Directory
 category: Dangerous Privileges
 description: 
 query: |-

diff --git a/queries/Accounts with SID History.yml b/queries/Accounts with SID History.yml
@@ -1,7 +1,7 @@
 name: Accounts with SID History
 guid: 8172d52c-a975-49bd-9180-5b6efc59c9ab
 prebuilt: false
-platform: Active Directory
+platforms: Active Directory
 category: Active Directory Hygiene
 description: 
 query: |-

diff --git a/queries/Accounts with clear-text password attributes.yml b/queries/Accounts with clear-text password attributes.yml
@@ -1,7 +1,7 @@
 name: Accounts with clear-text password attributes
 guid: e303498f-e3d4-489d-8a34-b68e187bc4e7
 prebuilt: false
-platform: Active Directory
+platforms: Active Directory
 category: Active Directory Hygiene
 description: 
 query: |-

diff --git a/queries/AdminSDHolder protected Accounts and Groups.yml b/queries/AdminSDHolder protected Accounts and Groups.yml
@@ -1,7 +1,7 @@
 name: AdminSDHolder protected Accounts and Groups
 guid: 5ee2f40e-a55c-4140-ab8a-91746ba3752b
 prebuilt: false
-platform: Active Directory
+platforms: Active Directory
 category: Domain Information
 description: Objects whose permissions are set by SDProp to the template AdminSDHolder object as per MS-ADTS 3.1.1.6.1.2 Protected Objects. Does not exclude objects if specified in dSHeuristics dwAdminSDExMask
 query: |-

diff --git a/queries/All ADCS ESC privilege escalation edges.yml b/queries/All ADCS ESC privilege escalation edges.yml
@@ -1,7 +1,7 @@
 name: All ADCS ESC privilege escalation edges
 guid: 49db8edc-8421-438f-b97b-23c042959bef
 prebuilt: false
-platform: Active Directory
+platforms: Active Directory
 category: Active Directory Certificate Services
 description: 
 query: |-

diff --git a/queries/All DNSAdmins.yml b/queries/All DNSAdmins.yml
@@ -1,7 +1,7 @@
 name: All DNSAdmins
 guid: 183fb320-f3ae-4ab3-a090-3f9a7db692e1
 prebuilt: false
-platform: Active Directory
+platforms: Active Directory
 category: Domain Information
 description: 
 query: |-

diff --git a/queries/All Domain Admins.yml b/queries/All Domain Admins.yml
@@ -1,7 +1,7 @@
 name: All Domain Admins
 guid: 0596dba7-9180-49a0-aa54-00243240037c
 prebuilt: true
-platform: Active Directory
+platforms: Active Directory
 category: Domain Information
 description: 
 query: |-

diff --git a/queries/All Global Administrators.yml b/queries/All Global Administrators.yml
@@ -1,7 +1,7 @@
 name: All Global Administrators
 guid: 94d7d765-6837-4eb8-aa33-e1c9ef262cdc
 prebuilt: true
-platform: Azure
+platforms: Azure
 category: General
 description: 
 query: |-

diff --git a/queries/All Kerberoastable users.yml b/queries/All Kerberoastable users.yml
@@ -1,7 +1,7 @@
 name: All Kerberoastable users
 guid: 14ab4eaa-b73b-49c4-b2d1-1e020757c995
 prebuilt: true
-platform: Active Directory
+platforms: Active Directory
 category: Kerberos Interaction
 description: 
 query: |-

diff --git a/queries/All Operator groups.yml b/queries/All Operator groups.yml
@@ -1,7 +1,7 @@
 name: All Operators
 guid: 3dfd0843-1ff9-4c21-aa67-feae08d109de
 prebuilt: false
-platform: Active Directory
+platforms: Active Directory
 category: Domain Information
 description: 
 query: |-

diff --git a/queries/All Schema Admins.yml b/queries/All Schema Admins.yml
@@ -1,7 +1,7 @@
 name: All Schema Admins
 guid: 76d8e61d-7a86-40ff-8a85-fd37f1e2563f
 prebuilt: false
-platform: Active Directory
+platforms: Active Directory
 category: Domain Information
 description: 
 query: |-

diff --git a/queries/All coerce and NTLM relay edges.yml b/queries/All coerce and NTLM relay edges.yml
@@ -1,7 +1,7 @@
 name: All coerce and NTLM relay edges
 guid: 15c5ff3b-856c-44d1-a731-a8cb72512dd1
 prebuilt: true
-platform: Active Directory
+platforms: Active Directory
 category: NTLM Relay Attacks
 description: 
 query: |-

diff --git a/queries/All incoming and local paths for a specific computer.yml b/queries/All incoming and local paths for a specific computer.yml
@@ -1,7 +1,7 @@
 name: All incoming and local paths for a specific computer
 guid: 1f67e538-19d4-4020-89c8-5b39b31571bd
 prebuilt: false
-platform: Active Directory
+platforms: Active Directory
 category: Domain Information
 description: All incoming and local paths for a specific computer; incoming from domain objects and paths local inside the computer.
 query: |-

diff --git a/queries/All members of high privileged roles.yml b/queries/All members of high privileged roles.yml
@@ -1,7 +1,7 @@
 name: All members of high privileged roles
 guid: 3df24d92-dd12-4125-811b-e696b098f60e
 prebuilt: true
-platform: Azure
+platforms: Azure
 category: General
 description: 
 query: |-

diff --git a/queries/All paths crossing a specific trust.yml b/queries/All paths crossing a specific trust.yml
@@ -1,7 +1,7 @@
 name: All paths crossing a specific trust
 guid: 251fc893-7a6b-4a0a-8650-9d5408d38c3c
 prebuilt: false
-platform: Active Directory
+platforms: Active Directory
 category: Domain Information
 description: All paths crossing a specific trust from a trusted to a trusting domain.
 query: |-

diff --git a/queries/All service principals with Microsoft Graph App Role assignments.yml b/queries/All service principals with Microsoft Graph App Role assignments.yml
@@ -1,7 +1,7 @@
 name: All service principals with Microsoft Graph App Role assignments
 guid: 74440269-eb41-476b-8dec-b4095569b029
 prebuilt: true
-platform: Azure
+platforms: Azure
 category: Microsoft Graph
 description: 
 query: |-

diff --git a/...es/All service principals with Microsoft Graph privilege to grant arbitrary App Roles.yml b/...es/All service principals with Microsoft Graph privilege to grant arbitrary App Roles.yml
@@ -1,7 +1,7 @@
 name: All service principals with Microsoft Graph privilege to grant arbitrary App Roles
 guid: e6d6b5da-89da-4514-a409-2d6e368397da
 prebuilt: true
-platform: Azure
+platforms: Azure
 category: Microsoft Graph
 description: 
 query: |-

diff --git a/queries/CA administrators and CA managers.yml b/queries/CA administrators and CA managers.yml
@@ -1,7 +1,7 @@
 name: CA administrators and CA managers
 guid: fd35e3d8-0c74-4b5a-a847-c0dd1f1c9f19
 prebuilt: true
-platform: Active Directory
+platforms: Active Directory
 category: Active Directory Certificate Services
 description: 
 query: |-

diff --git a/queries/Computer owners who can obtain LAPS passwords.yml b/queries/Computer owners who can obtain LAPS passwords.yml
@@ -1,7 +1,7 @@
 name: Computer owners who can obtain LAPS passwords
 guid: 92aa81d6-b08e-4abb-ae39-ecbe5735a74c
 prebuilt: false
-platform: Active Directory
+platforms: Active Directory
 category: Dangerous Privileges
 description: Creators of computer objects get abusable rights on the computer object. If the owner is not explicitly granted ReadLAPSPassword they can still compromise the computer with the abusable owner rights.
 query: |-

diff --git a/queries/Computers not requiring inbound SMB signing.yml b/queries/Computers not requiring inbound SMB signing.yml
@@ -1,7 +1,7 @@
 name: Computers not requiring inbound SMB signing
 guid: 6b1fcfb6-b010-41a2-9d31-f9872fe994ff
 prebuilt: true
-platform: Active Directory
+platforms: Active Directory
 category: NTLM Relay Attacks
 description: 
 query: |-

diff --git a/queries/Computers where Domain Users are local administrators.yml b/queries/Computers where Domain Users are local administrators.yml
@@ -1,7 +1,7 @@
 name: Computers where Domain Users are local administrators
 guid: d43a7bdc-33c6-4a39-a3bb-24115749e595
 prebuilt: true
-platform: Active Directory
+platforms: Active Directory
 category: Dangerous Privileges
 description: 
 query: |-

diff --git a/queries/Computers where Domain Users can read LAPS passwords.yml b/queries/Computers where Domain Users can read LAPS passwords.yml
@@ -1,7 +1,7 @@
 name: Computers where Domain Users can read LAPS passwords
 guid: aa4bfa95-e7b9-4d56-8f35-f34f04d7b6f4
 prebuilt: true
-platform: Active Directory
+platforms: Active Directory
 category: Dangerous Privileges
 description: 
 query: |-

diff --git a/queries/Computers with membership in Protected Users.yml b/queries/Computers with membership in Protected Users.yml
@@ -1,7 +1,7 @@
 name: Computers with membership in Protected Users
 guid: a26372f4-2e92-49f6-8993-6657fbc1569a
 prebuilt: true
-platform: Active Directory
+platforms: Active Directory
 category: NTLM Relay Attacks
 description: 
 query: |-

diff --git a/queries/Computers with non-default Primary Group membership.yml b/queries/Computers with non-default Primary Group membership.yml
@@ -1,7 +1,7 @@
 name: Computers with non-default Primary Group membership
 guid: 5862dc4e-6f6f-4321-9474-d838968495ed
 prebuilt: false
-platform: Active Directory
+platforms: Active Directory
 category: Active Directory Hygiene
 description: 
 query: |-

diff --git a/queries/Computers with passwords older than the default maximum password age.yml b/queries/Computers with passwords older than the default maximum password age.yml
@@ -1,7 +1,7 @@
 name: Computers with passwords older than the default maximum password age
 guid: 185c5010-8d4f-4f9b-b24e-831707dddfca
 prebuilt: false
-platform: Active Directory
+platforms: Active Directory
 category: Active Directory Hygiene
 description: Machine account passwords are regularly changed for security purposes. Starting with Windows 2000-based computers, the machine account password automatically changes every 30 days.
 query: |-

diff --git a/queries/Computers with the WebClient running.yml b/queries/Computers with the WebClient running.yml
@@ -1,7 +1,7 @@
 name: Computers with the WebClient running
 guid: 51107ad1-f0bc-43d3-a561-5cee471ca196
 prebuilt: true
-platform: Active Directory
+platforms: Active Directory
 category: NTLM Relay Attacks
 description: 
 query: |-

diff --git a/queries/Computers with the outgoing NTLM setting set to Deny all.yml b/queries/Computers with the outgoing NTLM setting set to Deny all.yml
@@ -1,7 +1,7 @@
 name: Computers with the outgoing NTLM setting set to Deny all
 guid: a9ddca74-feeb-4dbf-8b0f-de08b3cfa8a6
 prebuilt: true
-platform: Active Directory
+platforms: Active Directory
 category: NTLM Relay Attacks
 description: 
 query: |-

diff --git a/queries/Computers with unsupported operating systems.yml b/queries/Computers with unsupported operating systems.yml
@@ -1,7 +1,7 @@
 name: Computers with unsupported operating systems
 guid: d06d3b14-0318-4fa9-9639-4b79ccaf3c2c
 prebuilt: true
-platform: Active Directory
+platforms: Active Directory
 category: Active Directory Hygiene
 description: 
 query: |-

diff --git a/queries/Cross-forest trusts with abusable configuration.yml b/queries/Cross-forest trusts with abusable configuration.yml
@@ -1,7 +1,7 @@
 name: Cross-forest trusts with abusable configuration
 guid: 5cf1f354-80d4-420e-bc4b-424fabc21a56
 prebuilt: true
-platform: Active Directory
+platforms: Active Directory
 category: Active Directory Hygiene
 description: 
 query: |-

diff --git a/queries/DCs vulnerable to NTLM relay to LDAP attacks.yml b/queries/DCs vulnerable to NTLM relay to LDAP attacks.yml
@@ -1,7 +1,7 @@
 name: DCs vulnerable to NTLM relay to LDAP attacks
 guid: 3f87e0b0-fc06-4986-a94c-e08781253dc8
 prebuilt: true
-platform: Active Directory
+platforms: Active Directory
 category: NTLM Relay Attacks
 description: 
 query: |-

diff --git a/queries/Dangerous privileges for Domain Users groups.yml b/queries/Dangerous privileges for Domain Users groups.yml
@@ -1,7 +1,7 @@
 name: Dangerous privileges for Domain Users groups
 guid: 9b8b9c18-f8c6-4c54-a20f-de0f7a7edbe0
 prebuilt: true
-platform: Active Directory
+platforms: Active Directory
 category: Dangerous Privileges
 description: 
 query: |-

diff --git a/queries/Devices with unsupported operating systems.yml b/queries/Devices with unsupported operating systems.yml
@@ -1,7 +1,7 @@
 name: Devices with unsupported operating systems
 guid: e3f2b53a-7ce6-4e52-9c74-68b69338288b
 prebuilt: true
-platform: Azure
+platforms: Azure
 category: Azure Hygiene
 description: 
 query: |-

diff --git a/queries/Disabled Tier Zero High Value principals - AD.yml b/queries/Disabled Tier Zero High Value principals - AD.yml
@@ -1,7 +1,7 @@
 name: Disabled Tier Zero / High Value principals
 guid: d65a801f-d3ef-4b7e-8030-99ebfd6dad12
 prebuilt: true
-platform: Active Directory
+platforms: Active Directory
 category: Active Directory Hygiene
 description: 
 query: |-

diff --git a/queries/Disabled Tier Zero High Value principals - AZ.yml b/queries/Disabled Tier Zero High Value principals - AZ.yml
@@ -1,7 +1,7 @@
 name: Disabled Tier Zero / High Value principals
 guid: 860d5c2d-84fe-4c85-80de-e0a9badbd0e7
 prebuilt: true
-platform: Azure
+platforms: Azure
 category: Azure Hygiene
 description: 
 query: |-

diff --git a/queries/Domain Admins logons to non-Domain Controllers.yml b/queries/Domain Admins logons to non-Domain Controllers.yml
@@ -1,7 +1,7 @@
 name: Domain Admins logons to non-Domain Controllers
 guid: e2f3fd0a-1df2-4089-b0a4-272ad6e369a9
 prebuilt: true
-platform: Active Directory
+platforms: Active Directory
 category: Dangerous Privileges
 description: 
 query: |-

diff --git a/queries/Domain Controllers allowing NTLMv1 or LM authentication.yml b/queries/Domain Controllers allowing NTLMv1 or LM authentication.yml
@@ -1,7 +1,7 @@
 name: Domain Controllers allowing NTLMv1 or LM authentication
 guid: 4b42513c-f89d-47ff-8d98-908af49d2b48
 prebuilt: false
-platform: Active Directory
+platforms: Active Directory
 category: NTLM Relay Attacks
 description: 
 query: |-

diff --git a/queries/Domain controllers with UPN certificate mapping enabled.yml b/queries/Domain controllers with UPN certificate mapping enabled.yml
@@ -1,7 +1,7 @@
 name: Domain controllers with UPN certificate mapping enabled
 guid: 799ea3ce-572b-4594-98c4-041aa2ae6176
 prebuilt: true
-platform: Active Directory
+platforms: Active Directory
 category: Active Directory Certificate Services
 description: 
 query: |-

diff --git a/queries/Domain controllers with weak certificate binding enabled.yml b/queries/Domain controllers with weak certificate binding enabled.yml
@@ -1,7 +1,7 @@
 name: Domain controllers with weak certificate binding enabled
 guid: a2444d99-10b5-412d-8fea-4b063cfddd2c
 prebuilt: true
-platform: Active Directory
+platforms: Active Directory
 category: Active Directory Certificate Services
 description: 
 query: |-

diff --git a/queries/Domain migration groups.yml b/queries/Domain migration groups.yml
@@ -1,7 +1,7 @@
 name: Domain migration groups
 guid: f39c4953-ae92-4d67-bb50-eb1a161d4d3f
 prebuilt: false
-platform: Active Directory
+platforms: Active Directory
 category: Domain Information
 description: 
 query: |-

diff --git a/queries/Domains affected by AdPrep privilege escalation risk.yml b/queries/Domains affected by AdPrep privilege escalation risk.yml
@@ -1,7 +1,7 @@
 name: Domains affected by AdPrep privilege escalation risk
 guid: 815ff190-f6f3-4757-a516-2f4bf589b705
 prebuilt: false
-platform: Active Directory
+platforms: Active Directory
 category: Dangerous Privileges
 description: 
 query: |-