From ef50cd4a639d1cf1cac55f91f4ca0d3f39aebf84 Mon Sep 17 00:00:00 2001
From: Martin
Date: Fri, 13 Jun 2025 16:40:21 +0200
Subject: [PATCH 1/3] Move 'note' to 'description'

---
 ...mains where any user can join a computer to the domain.yml | 4 ++--
 ...default password policy length less than 15 characters.yml | 4 ++--
 .../Domains with functional level not the latest version.yml | 4 ++--
 queries/Non-Tier Zero account with excessive control.yml | 4 ++--
 4 files changed, 8 insertions(+), 8 deletions(-)

diff --git a/queries/Domains where any user can join a computer to the domain.yml b/queries/Domains where any user can join a computer to the domain.yml
index a428cfc..7569e59 100644
--- a/queries/Domains where any user can join a computer to the domain.yml
+++ b/queries/Domains where any user can join a computer to the domain.yml
@@ -3,12 +3,12 @@ guid: 421921fa-bc0f-4659-9680-b7481adcb132
 prebuilt: true
 platforms: Active Directory
 category: Active Directory Hygiene
-description:
+description: Authenticated Users can by default create 10 domain computers as defined by the attribute 'ms-DS-MachineAccountQuota' and the DC URA Security Policy 'Add workstations to domain'. This query does not check the latter.
 query: |-
   MATCH (n:Domain)
   WHERE n.machineaccountquota > 0
   RETURN n
-note: Does not check the 'Add workstations to domain' URA Security Policy on DCs.
+note:
 revision: 1
 resources:
 - https://learn.microsoft.com/en-us/troubleshoot/windows-server/active-directory/default-workstation-numbers-join-domain
diff --git a/queries/Domains with a minimum default password policy length less than 15 characters.yml b/queries/Domains with a minimum default password policy length less than 15 characters.yml
index ad902b0..410d0bb 100644
--- a/queries/Domains with a minimum default password policy length less than 15 characters.yml
+++ b/queries/Domains with a minimum default password policy length less than 15 characters.yml
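Review bot: The filter `WHERE n.machineaccountquota > 0` silently drops any domain whose `machineaccountquota` property is absent, because a Cypher comparison against NULL is not true and the row is filtered out; the new description states that the default is 10, so a domain where the value was never set is plausibly one that should be reported rather than hidden. Consider `WHERE n.machineaccountquota > 0 OR n.machineaccountquota IS NULL`, which is how patch 2 of this series treats a missing `functionallevel`. The same pattern affects `WHERE n.minpwdlength < 15` in the next file's hunk, though there a missing value may only mean the attribute was not collected, so whether to report it is a judgement call worth stating in that file's description.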
@@ -3,12 +3,12 @@ guid: 7d258d2d-a43d-4a90-85d7-71c946ae5fd7
 prebuilt: false
 platforms: Active Directory
 category: Active Directory Hygiene
-description:
+description: Follows the NIST 800-63B recommendation of 15 characters.
 query: |-
   MATCH (n:Domain)
   WHERE n.minpwdlength < 15
   RETURN n
-note: NIST recommends 15 characters.
+note:
 revision: 1
 resources: https://pages.nist.gov/800-63-3/sp800-63b.html
 acknowledgements: Martin Sohn Christensen, @martinsohndk
diff --git a/queries/Domains with functional level not the latest version.yml b/queries/Domains with functional level not the latest version.yml
index 0ee7926..4d3d363 100644
--- a/queries/Domains with functional level not the latest version.yml
+++ b/queries/Domains with functional level not the latest version.yml
@@ -3,12 +3,12 @@ guid: 3da9d14a-f1cb-4df7-b3da-8d73ff5c401b
 prebuilt: false
 platforms: Active Directory
 category: Active Directory Hygiene
-description:
+description: Check for functional level <4
 query: |-
   MATCH (n:Domain)
   WHERE toString(n.functionallevel) IN ['2008','2003','2003 Interim','2000 Mixed/Native']
   RETURN n
-note: Functional level <4
+note:
 revision: 1
 resources:
 acknowledgements: Martin Sohn Christensen, @martinsohndk
diff --git a/queries/Non-Tier Zero account with excessive control.yml b/queries/Non-Tier Zero account with excessive control.yml
index ebec5a0..844eec1 100644
--- a/queries/Non-Tier Zero account with excessive control.yml
+++ b/queries/Non-Tier Zero account with excessive control.yml
@@ -3,7 +3,7 @@ guid: 944cecfe-519b-4318-b226-e8520161b454
 prebuilt: false
 platforms: Active Directory
 category: Dangerous Privileges
-description:
+description: Finds Non-Tier Zero principals with control of >1000 Non-Tier Zero principals
 query: |-
   MATCH (d:Domain)-[:Contains*1..]->(u:User)
   WHERE u.enabled = true
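Review bot: The added description says `control of >1000 Non-Tier Zero principals`, but the query's threshold, visible in the next hunk of this file, is `WHERE SIZE(endNodes) >= 1000`, so a principal controlling exactly 1000 others is reported while the text says it would not be. Either change the text to `control of 1000 or more Non-Tier Zero principals` or change the filter to `WHERE SIZE(endNodes) > 1000`, whichever the author intends. The `query` block scalar starts in this hunk and continues outside it, so the middle of the Cypher statement is not shown here.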
@@ -13,7 +13,7 @@ query: |-
   WITH n, enabledUserCount, COLLECT(DISTINCT(m)) AS endNodes
   WHERE SIZE(endNodes) >= 1000
   RETURN n
-note: Finds Non-Tier Zero principals with control of >1000 Non-Tier Zero principals
+note:
 revision: 1
 resources:
 acknowledgements: Martin Sohn Christensen, @martinsohndk

From debccdaa62c6caea2fb9bc16514955f694e5034c Mon Sep 17 00:00:00 2001
From: Martin
Date: Fri, 13 Jun 2025 16:40:29 +0200
Subject: [PATCH 2/3] Update Domains with functional level not the latest version.yml

---
 ...omains with functional level not the latest version.yml | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)

diff --git a/queries/Domains with functional level not the latest version.yml b/queries/Domains with functional level not the latest version.yml
index 4d3d363..1f369eb 100644
--- a/queries/Domains with functional level not the latest version.yml
+++ b/queries/Domains with functional level not the latest version.yml
@@ -6,10 +6,13 @@ category: Active Directory Hygiene
 description: Check for functional level <4
 query: |-
   MATCH (n:Domain)
-  WHERE toString(n.functionallevel) IN ['2008','2003','2003 Interim','2000 Mixed/Native']
+  WHERE (
+    n.functionallevel IS NULL
+    OR NOT n.functionallevel = "2016"
+  )
   RETURN n
 note:
 revision: 1
-resources:
+resources: https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/active-directory-functional-levels
 acknowledgements: Martin Sohn Christensen, @martinsohndk

From 448a12a7143d7025280251afd659eadaeb0e9702 Mon Sep 17 00:00:00 2001
From: Martin
Date: Fri, 13 Jun 2025 16:50:14 +0200
Subject: [PATCH 3/3] include 2025 func level

---
 .../Domains with functional level not the latest version.yml | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/queries/Domains with functional level not the latest version.yml b/queries/Domains with functional level not the latest version.yml
index 1f369eb..b41767a 100644
--- a/queries/Domains with functional level not the latest version.yml
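Review bot: The context line `description: Check for functional level <4` no longer matches the rewritten filter, which now reports every domain whose level is missing or differs from "2016" (and, after patch 3, from "2016" or "2025"); the description should change with the query, e.g. `description: Reports domains whose functional level is missing or is not one of the accepted current versions.` The previous filter wrapped the property in `toString(...)`, and dropping it is only safe if the collector always stores `functionallevel` as a string — if it can be numeric, `n.functionallevel = "2016"` never matches and every domain is reported, so this is worth confirming against the data source. Minor style point: `NOT n.functionallevel = "2016"` is conventionally written `n.functionallevel <> "2016"`.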
+++ b/queries/Domains with functional level not the latest version.yml
@@ -8,10 +8,9 @@ query: |-
   MATCH (n:Domain)
   WHERE (
     n.functionallevel IS NULL
-    OR NOT n.functionallevel = "2016"
+    OR NOT n.functionallevel IN ["2016","2025"]
   )
   RETURN n
-note:
 revision: 1
 resources: https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/active-directory-functional-levels
 acknowledgements: Martin Sohn Christensen, @martinsohndk
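Review bot: Removing the `note:` line leaves this file without that key, whereas every other query file touched in patch 1 keeps an empty `note:`; if the loader distinguishes a missing key from an empty value, keep the line as `note:` so the schema stays consistent across the query files. Separately, a domain at "2016" is no longer reported even though "2025" is now also accepted, so the file name "not the latest version" describes a stricter check than the query performs; if tolerating 2016 is intentional, a sentence in `description` saying so (e.g. `Domains at 2016 are not reported.`) would avoid confusing readers of the result.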