diff --git a/CODE_OF_CONDUCT.md b/CODE_OF_CONDUCT.md new file mode 100644 index 0000000..4c0c795 --- /dev/null +++ b/CODE_OF_CONDUCT.md 
@@ -0,0 +1,133 @@ + +# Contributor Covenant Code of Conduct + +## Our Pledge + +We as members, contributors, and leaders pledge to make participation in our +community a harassment-free experience for everyone, regardless of age, body +size, visible or invisible disability, ethnicity, sex characteristics, gender +identity and expression, level of experience, education, socio-economic status, +nationality, personal appearance, race, caste, color, religion, or sexual +identity and orientation. + +We pledge to act and interact in ways that contribute to an open, welcoming, +diverse, inclusive, and healthy community. + +## Our Standards + +Examples of behavior that contributes to a positive environment for our +community include: + +* Demonstrating empathy and kindness toward other people +* Being respectful of differing opinions, viewpoints, and experiences +* Giving and gracefully accepting constructive feedback +* Accepting responsibility and apologizing to those affected by our mistakes, + and learning from the experience +* Focusing on what is best not just for us as individuals, but for the overall + community + +Examples of unacceptable behavior include: + +* The use of sexualized language or imagery, and sexual attention or advances of + any kind +* Trolling, insulting or derogatory comments, and personal or political attacks +* Public or private harassment +* Publishing others' private information, such as a physical or email address, + without their explicit permission +* Other conduct which could reasonably be considered inappropriate in a + professional setting + +## Enforcement Responsibilities + +Community leaders are responsible for clarifying and enforcing our standards of +acceptable behavior and will take appropriate and fair corrective action in +response to any behavior that they deem inappropriate, threatening, offensive, +or harmful. 
+ +Community leaders have the right and responsibility to remove, edit, or reject +comments, commits, code, wiki edits, issues, and other contributions that are +not aligned to this Code of Conduct, and will communicate reasons for moderation +decisions when appropriate. + +## Scope + +This Code of Conduct applies within all community spaces, and also applies when +an individual is officially representing the community in public spaces. +Examples of representing our community include using an official email address, +posting via an official social media account, or acting as an appointed +representative at an online or offline event. + +## Enforcement + +Instances of abusive, harassing, or otherwise unacceptable behavior may be +reported to the community leaders responsible for enforcement at +[@martinsohn.dk on BlueSky](https://bsky.app/profile/martinsohn.dk) or [@martinsohndk on X](https://x.com/martinsohndk). +All complaints will be reviewed and investigated promptly and fairly. + +All community leaders are obligated to respect the privacy and security of the +reporter of any incident. + +## Enforcement Guidelines + +Community leaders will follow these Community Impact Guidelines in determining +the consequences for any action they deem in violation of this Code of Conduct: + +### 1. Correction + +**Community Impact**: Use of inappropriate language or other behavior deemed +unprofessional or unwelcome in the community. + +**Consequence**: A private, written warning from community leaders, providing +clarity around the nature of the violation and an explanation of why the +behavior was inappropriate. A public apology may be requested. + +### 2. Warning + +**Community Impact**: A violation through a single incident or series of +actions. + +**Consequence**: A warning with consequences for continued behavior. No +interaction with the people involved, including unsolicited interaction with +those enforcing the Code of Conduct, for a specified period of time. 
This +includes avoiding interactions in community spaces as well as external channels +like social media. Violating these terms may lead to a temporary or permanent +ban. + +### 3. Temporary Ban + +**Community Impact**: A serious violation of community standards, including +sustained inappropriate behavior. + +**Consequence**: A temporary ban from any sort of interaction or public +communication with the community for a specified period of time. No public or +private interaction with the people involved, including unsolicited interaction +with those enforcing the Code of Conduct, is allowed during this period. +Violating these terms may lead to a permanent ban. + +### 4. Permanent Ban + +**Community Impact**: Demonstrating a pattern of violation of community +standards, including sustained inappropriate behavior, harassment of an +individual, or aggression toward or disparagement of classes of individuals. + +**Consequence**: A permanent ban from any sort of public interaction within the +community. + +## Attribution + +This Code of Conduct is adapted from the [Contributor Covenant][homepage], +version 2.1, available at +[https://www.contributor-covenant.org/version/2/1/code_of_conduct.html][v2.1]. + +Community Impact Guidelines were inspired by +[Mozilla's code of conduct enforcement ladder][Mozilla CoC]. + +For answers to common questions about this code of conduct, see the FAQ at +[https://www.contributor-covenant.org/faq][FAQ]. Translations are available at +[https://www.contributor-covenant.org/translations][translations]. + +[homepage]: https://www.contributor-covenant.org +[v2.1]: https://www.contributor-covenant.org/version/2/1/code_of_conduct.html +[Mozilla CoC]: https://github.com/mozilla/diversity +[FAQ]: https://www.contributor-covenant.org/faq +[translations]: https://www.contributor-covenant.org/translations \ No newline at end of file diff --git a/README.md b/README.md index 9ea7620..cb16860 100644 --- a/README.md +++ b/README.md @@ -1,15 +1,39 @@ +

+ + Sponsored by SpecterOps + + + Slack + + + Syntax check + +

+ + # BloodHound Query Library -![Syntax test](https://github.com/SpecterOps/BloodHoundQueryLibrary/actions/workflows/syntax.yml/badge.svg) The BloodHound Query Library is a community-driven collection of [Cypher queries](https://support.bloodhoundenterprise.io/hc/en-us/articles/16721164740251) designed to help [BloodHound Community Edition](https://github.com/SpecterOps/BloodHound) and [BloodHound Enterprise](https://specterops.io/bloodhound-overview/) users to unlock the full potential of the flexible BloodHound platform by creating an open query ecosystem. The library is a free tool for the community maintained in a human-readable format (YAML) through this repository and the sleek and searchable front-end is found at https://queries.specterops.io/ +![BloodHound Query Library frontend screenshot](queries.specterops.io.png) + +For an introduction to the project, please read our blog post: + +- [Introducing the BloodHound Query Library](https://specterops.io/blog/2025/06/17/introducing-the-bloodhound-query-library/) + +# Overview + The library contains queries that demonstrate BloodHound's versatility beyond traditional attack path analysis. This includes: - All existing pre-built queries from BloodHound - Cherry-picked community queries - SpecterOps-created queries BloodHound Enterprise customers found valuable -- Novel queries to further showcase BloodHound's security assessment capabilities, see [security-assessment-mapping.md](/docs/security-assessment-mapping.md) +- Community contributed queries (see [Contributing](#contributing)) +- Novel queries to further showcase BloodHound's security assessment capabilities (see [security-assessment-mapping.md](/docs/security-assessment-mapping.md)) Individual query files are stored in stored in [/Queries](/Queries/) as `.yml` and are automatically combined into a single [Queries.json](/Queries.json) file that powers the front-end. 
@@ -19,7 +43,7 @@ The query files use the YAML structure found in [query-structure.yml](/docs/quer name: Entra ID SSO accounts not rolling Kerberos decryption key guid: 1867abf8-08e3-4ea8-8f65-8366079d35c4 prebuilt: false -platform: +platforms: - Active Directory - Azure category: Configuration Weakness @@ -29,13 +53,14 @@ query: |- WHERE n.name STARTS WITH "AZUREADSSOACC." AND n.pwdlastset < (datetime().epochseconds - (30 * 86400)) RETURN n -note: revision: 1 resources: https://learn.microsoft.com/en-us/entra/identity/hybrid/connect/how-to-connect-sso-faq#how-can-i-roll-over-the-kerberos-decryption-key-of-the--azureadsso--computer-account- acknowledgements: Martin Sohn Christensen, @martinsohndk ``` -## Learning Cypher +Whenever new queries are added, the syntax is automatically validated, ensuring that only syntactically compatible queries are added. + +## Learning Cypher Queries One of BloodHound’s key features is its flexibility through Cypher queries – a query language to search the BloodHound graph database. Queries can answer anything from simple questions (e.g., “*Which users haven’t reset their passwords in 180 days?*”), to complex identity attack path problems (e.g., “*Which low-privileged users can compromise computers hosting a gMSA with unconstrained delegation?*”). diff --git a/queries.specterops.io.png b/queries.specterops.io.png new file mode 100644 index 0000000..3ca8b0d Binary files /dev/null and b/queries.specterops.io.png differ diff --git a/queries/Circular AD group memberships.yml b/queries/Circular AD group memberships.yml new file mode 100644 index 0000000..7fffb30 --- /dev/null +++ b/queries/Circular AD group memberships.yml 
@@ -0,0 +1,15 @@ +name: Circular AD group memberships +guid: fcaa5ffc-3d22-481f-a2a2-18a4eec30058 +prebuilt: false +platforms: Active Directory +category: Active Directory Hygiene +description: Detects circular group membership chains where groups are members of themselves through one or more intermediate groups. This causes an administrative complexity. +query: |- + MATCH p=(x:Group)-[:MemberOf*2..]->(y:Group) + WHERE x.objectid=y.objectid + RETURN p + LIMIT 100 +revision: 1 +resources: https://softwareengineering.stackexchange.com/questions/11856/whats-wrong-with-circular-references +acknowledgements: Martin Sohn Christensen, @martinsohndk + diff --git a/queries/Circular AZ group memberships.yml b/queries/Circular AZ group memberships.yml new file mode 100644 index 0000000..d79b531 --- /dev/null +++ b/queries/Circular AZ group memberships.yml @@ -0,0 +1,15 @@ +name: Circular AZ group memberships +guid: b005669c-d8af-47ae-a0f1-4f36cd5334ab +prebuilt: false +platforms: Azure +category: Azure Hygiene +description: Detects circular group membership chains where groups are members of themselves through one or more intermediate groups. This causes an administrative complexity. +query: |- + MATCH p=(x:AZGroup)-[:AZMemberOf*2..]->(y:AZGroup) + WHERE x.objectid=y.objectid + RETURN p + LIMIT 100 +revision: 1 +resources: https://softwareengineering.stackexchange.com/questions/11856/whats-wrong-with-circular-references +acknowledgements: Martin Sohn Christensen, @martinsohndk + diff --git a/queries/Collection health of CA Registry Data.yml b/queries/Collection health of CA Registry Data.yml new file mode 100644 index 0000000..3b084ad --- /dev/null +++ b/queries/Collection health of CA Registry Data.yml 
@@ -0,0 +1,22 @@ +name: Collection health of CA Registry Data +guid: c8dd3479-8063-450a-9456-557bc5f39e10 +prebuilt: false +platforms: Active Directory +category: Domain Information +description: BloodHound's ADCS analysis requires collecting CA registry data to increase accuracy/enable more edges. Collection by default requires SharpHound has Administrators membership. Requires SharpHound v2.3.5 or above. It only requires one misconfigured CA to potentially a full forest compromise by any principal. CAs returned by this query have not been collected. +query: |- + MATCH p=(eca:EnterpriseCA)<-[:HostsCAService]-(c:Computer) + WHERE ( + eca.isuserspecifiessanenabledcollected = false + OR eca.casecuritycollected = false + OR eca.enrollmentagentrestrictionscollected = false + OR eca.roleseparationenabledcollected = false + ) + // Exclude inactive CAs + AND c.enabled = true + AND c.lastlogontimestamp > (datetime().epochseconds - (30 * 86400)) + RETURN p +revision: 1 +resources: https://bloodhound.specterops.io/collect-data/enterprise-collection/permissions#ca-registry +acknowledgements: Martin Sohn Christensen, @martinsohndk + diff --git a/queries/Collection health of DC Registry Data.yml b/queries/Collection health of DC Registry Data.yml new file mode 100644 index 0000000..29106cd --- /dev/null +++ b/queries/Collection health of DC Registry Data.yml 
@@ -0,0 +1,17 @@ +name: Collection health of DC Registry Data +guid: 3f0fa2f3-fbdf-42c0-9e7d-97e689009161 +prebuilt: false +platforms: Active Directory +category: Domain Information +description: BloodHound's ADCS analysis requires collecting CA registry data to increase accuracy/enable more edges. Collection by default requires SharpHound has Administrators membership. Requires SharpHound v2.3.5 or above. It only requires one misconfigured DC to potentially a full forest compromise by any principal. DCs returned by this query have not been collected. +query: |- + MATCH p=(:Domain)<-[:DCFor]-(c:Computer) + WHERE c.strongcertificatebindingenforcementraw IS NULL + // Exclude inactive DCs + AND c.enabled = true + AND c.lastlogontimestamp > (datetime().epochseconds - (30 * 86400)) + RETURN p +revision: 1 +resources: https://bloodhound.specterops.io/collect-data/enterprise-collection/permissions#dc-registry +acknowledgements: Martin Sohn Christensen, @martinsohndk + diff --git a/queries/Collection health of Tier Zero Inbound Execution Privileges.yml b/queries/Collection health of Tier Zero Inbound Execution Privileges.yml new file mode 100644 index 0000000..943d6f6 --- /dev/null +++ b/queries/Collection health of Tier Zero Inbound Execution Privileges.yml @@ -0,0 +1,17 @@ +name: Collection health of specific computer +guid: bb95c9c5-984c-4057-a430-000d684c069a +prebuilt: false +platforms: Active Directory +category: Domain Information +description: Returns Local groups and their members, and Principals with privileges +query: |- + MATCH p=(m:Base)-[:RemoteInteractiveLogonRight|AdminTo|CanRDP|LocalToComputer|MemberOfLocalGroup]-(n:Base) + + // Insert computer FQDN + WHERE m.name ENDS WITH "HOSTNAME.DOMAIN.LOCAL" + + RETURN p +revision: 1 +resources: +acknowledgements: Martin Sohn Christensen, @martinsohndk + diff --git a/queries/Direct Principal Rights Assignment.yml b/queries/Direct Principal Rights Assignment.yml new file mode 100644 index 0000000..a2d08ab 
--- /dev/null +++ b/queries/Direct Principal Rights Assignment.yml @@ -0,0 +1,15 @@ +name: Direct Principal Rights Assignment +guid: 1d9c6ae3-38fc-4089-b5ad-fc3be0fa8eec +prebuilt: false +platforms: Active Directory +category: Active Directory Hygiene +description: This query identifies rights assigned directly to users or computers instead of groups. Active Directory best practice requires granting rights to groups, then adding users as group members. This role-based access control (RBAC) approach ensures permissions are easily auditable and manageable. Results include inherited rights, which must be modified at the parent container level. +query: |- + MATCH p=(n:Base)-[r:GenericAll|GenericWrite|WriteOwner|WriteDacl|ForceChangePassword|AllExtendedRights|AddMember|AllowedToDelegate|AllowedToAct|AdminTo|CanPSRemote|CanRDP|ExecuteDCOM|AddSelf|DCSync|ReadLAPSPassword|ReadGMSAPassword|DumpSMSAPassword|AddAllowedToAct|WriteSPN|AddKeyCredentialLink|SyncLAPSPassword|WriteAccountRestrictions|WriteGPLink|ADCSESC1|ADCSESC3|ADCSESC4|ADCSESC6a|ADCSESC6b|ADCSESC9a|ADCSESC9b|ADCSESC10a|ADCSESC10b|ADCSESC13]->(:Base) + WHERE (n:User OR n:Computer) + RETURN p + LIMIT 1000 +revision: 1 +resources: https://softwareengineering.stackexchange.com/questions/11856/whats-wrong-with-circular-references +acknowledgements: Martin Sohn Christensen, @martinsohndk + diff --git a/queries/Foreign AZ Service Principals in Tier Zero.yml b/queries/Foreign AZ Service Principals in Tier Zero.yml new file mode 100644 index 0000000..274f8ff --- /dev/null +++ b/queries/Foreign AZ Service Principals in Tier Zero.yml 
@@ -0,0 +1,18 @@ +name: Foreign AZ Service Principals in Tier Zero +guid: 4d567239-2e68-43e2-8f26-97655b8a37fb +prebuilt: false +platforms: Azure +category: Azure Hygiene +description: +query: |- + MATCH (sp:AZServicePrincipal) + WHERE toUpper(sp.appownerorganizationid) <> toUpper(sp.tenantid) + AND ((sp:Tag_Tier_Zero) OR COALESCE(sp.system_tags, '') CONTAINS 'admin_tier_0') + // Ensure AZServicePrincipal has a valid appownerorganizationid + AND sp.appownerorganizationid CONTAINS "-" + RETURN sp + LIMIT 1000 +revision: 1 +resources: https://posts.specterops.io/microsoft-breach-how-can-i-see-this-in-bloodhound-33c92dca4c65 +acknowledgements: Stephen Hinck + diff --git a/queries/Foreign AZ Service Principals in control of Azure tenant.yml b/queries/Foreign AZ Service Principals in control of Azure tenant.yml new file mode 100644 index 0000000..88a7e87 --- /dev/null +++ b/queries/Foreign AZ Service Principals in control of Azure tenant.yml @@ -0,0 +1,17 @@ +name: Foreign AZ Service Principals in control of Azure tenant +guid: c82c17f1-7253-4e3a-b5d2-3647aa388f4a +prebuilt: false +platforms: Azure +category: Dangerous Privileges +description: +query: |- + MATCH p = (sp:AZServicePrincipal)-[]->(t:AZTenant) + WHERE toUpper(sp.appownerorganizationid) <> toUpper(t.tenantid) + // Ensure AZServicePrincipal has a valid appownerorganizationid + AND sp.appownerorganizationid CONTAINS "-" + RETURN p + LIMIT 1000 +revision: 1 +resources: https://posts.specterops.io/microsoft-breach-how-can-i-see-this-in-bloodhound-33c92dca4c65 +acknowledgements: Stephen Hinck + diff --git a/queries/Foreign External AZ users in Tier Zero.yaml b/queries/Foreign External AZ users in Tier Zero.yaml new file mode 100644 index 0000000..9e86343 --- /dev/null +++ b/queries/Foreign External AZ users in Tier Zero.yaml 
@@ -0,0 +1,16 @@ +name: Foreign External AZ users in Tier Zero +guid: 3a2b7588-522f-4039-8a07-d971e0b214cb +prebuilt: false +platforms: Azure +category: Azure Hygiene +description: +query: |- + MATCH (n:AZUser) + WHERE n.name CONTAINS "#EXT#@" + AND ((n:Tag_Tier_Zero) OR COALESCE(n.system_tags, '') CONTAINS 'admin_tier_0') + RETURN p + LIMIT 1000 +revision: 1 +resources: https://learn.microsoft.com/en-us/entra/external-id/user-properties#key-properties-of-the-microsoft-entra-b2b-collaboration-user +acknowledgements: Martin Sohn Christensen, @martinsohndk + diff --git a/queries/Foreign Service Principals With Group Memberships.yml b/queries/Foreign Service Principals With Group Memberships.yml new file mode 100644 index 0000000..7c2573c --- /dev/null +++ b/queries/Foreign Service Principals With Group Memberships.yml @@ -0,0 +1,17 @@ +name: Foreign Service Principals With Group Memberships +guid: 327ef6a5-bfa8-4c92-b35a-d3df85264a24 +prebuilt: false +platforms: Azure +category: Azure Hygiene +description: Review each to validate whether their presence is expected and whether the assigned group memberships are appropriate for the foreign service principal. +query: |- + MATCH p = (sp:AZServicePrincipal)-[:AZMemberOf]->(g:AZGroup) + WHERE toUpper(sp.appownerorganizationid) <> toUpper(g.tenantid) + // Ensure AZServicePrincipal has a valid appownerorganizationid + AND sp.appownerorganizationid CONTAINS "-" + RETURN p + LIMIT 1000 +revision: 1 +resources: https://posts.specterops.io/microsoft-breach-how-can-i-see-this-in-bloodhound-33c92dca4c65 +acknowledgements: Stephen Hinck + diff --git a/queries/Foreign Service Principals With an EntraID Admin Role.yml b/queries/Foreign Service Principals With an EntraID Admin Role.yml new file mode 100644 index 0000000..12fdec4 --- /dev/null +++ b/queries/Foreign Service Principals With an EntraID Admin Role.yml 
@@ -0,0 +1,17 @@ +name: Foreign Service Principals With an EntraID Admin Role +guid: b6235820-4e0d-4dfa-af5b-729b5644feb5 +prebuilt: false +platforms: Azure +category: Dangerous Privileges +description: Entra ID admin roles grant significant control over a tenant environment, even if the role is not a default Tier Zero / High Value role +query: |- + MATCH p = (sp:AZServicePrincipal)-[:AZHasRole]->(r:AZRole) + WHERE toUpper(sp.appownerorganizationid) <> toUpper(sp.tenantid) + // Ensure AZServicePrincipal has a valid appownerorganizationid + AND sp.appownerorganizationid CONTAINS "-" + RETURN p + LIMIT 1000 +revision: 1 +resources: https://posts.specterops.io/microsoft-breach-how-can-i-see-this-in-bloodhound-33c92dca4c65 +acknowledgements: Stephen Hinck + diff --git a/queries/Foreign Service Principals With any Abusable MS Graph App Role Assignment.yml b/queries/Foreign Service Principals With any Abusable MS Graph App Role Assignment.yml new file mode 100644 index 0000000..12283da --- /dev/null +++ b/queries/Foreign Service Principals With any Abusable MS Graph App Role Assignment.yml 
@@ -0,0 +1,17 @@ +name: Foreign Service Principals With any Abusable MS Graph App Role Assignment +guid: d7a180c8-5624-4fc1-a407-deeb2ad3054c +prebuilt: false +platforms: Azure +category: Dangerous Privileges +description: MS Graph app role assignments provide significant power within an Entra ID tenant, similar to an Admin role. +query: |- + MATCH p = (sp1:AZServicePrincipal)-[r:AZMGGroupMember_ReadWrite_All|AZMGServicePrincipalEndpoint_ReadWrite_All|AZMGAppRoleAssignment_ReadWrite_All|AZMGGroup_ReadWrite_All|AZMGDirectory_ReadWrite_All|AZMGRoleManagement_ReadWrite_Directory]->(sp2:AZServicePrincipal) + WHERE toUpper(sp1.appownerorganizationid) <> toUpper(sp1.tenantid) + // Ensure AZServicePrincipal has a valid appownerorganizationid + AND sp1.appownerorganizationid CONTAINS "-" + RETURN p + LIMIT 1000 +revision: 1 +resources: https://posts.specterops.io/microsoft-breach-how-can-i-see-this-in-bloodhound-33c92dca4c65 +acknowledgements: Stephen Hinck + diff --git a/queries/Potential GPO 'Apply' misconfiguration.yml b/queries/Potential GPO 'Apply' misconfiguration.yml new file mode 100644 index 0000000..8da3809 --- /dev/null +++ b/queries/Potential GPO 'Apply' misconfiguration.yml 
@@ -0,0 +1,25 @@ +name: Potential GPO 'Apply' misconfiguration +guid: f5f2455e-afdc-4708-9a34-98f539ce52d8 +prebuilt: true +platforms: Active Directory +category: Dangerous Privileges +description: In Active Directory, GPO's are applied to objects in the Group Policy Management Console by ticking “Allow: Apply group policy”, but administrators can mistakenly tick “Allow: Write” or “Allow: Full Control” resulting in a misconfigured GPO that allows a principal to compromise other principals the GPO also applies to. Results are potential risks and must be audited for for correctness. +query: |- + MATCH p=(n:Base)-[:GenericAll|GenericWrite]->(g:GPO) + + // Exclude Enterprise Admins and Domain Admins + WHERE NOT n.objectid =~ "-(519|512)$" + + // Exclude unresolved SIDs + AND NOT (n.distinguishedname IS NULL) + + // Asset description may reveal if it's a delegation group (false-positive) or a filter group (true-positive) + //AND n.description is not null + //AND n.description =~ "(?i)apply" + + RETURN p + LIMIT 1000 +revision: 1 +resources: +acknowledgements: Martin Sohn Christensen, @martinsohndk + diff --git a/queries/Uncommon permission on containers.yml b/queries/Uncommon permission on containers.yml new file mode 100644 index 0000000..8898dde --- /dev/null +++ b/queries/Uncommon permission on containers.yml 
@@ -0,0 +1,49 @@ +name: Circular AD group memberships +guid: 018c2b45-e30f-47d8-a751-22419c3d0736 +prebuilt: false +platforms: Active Directory +category: Active Directory Hygiene +description: BloodHound typically identifies risk on Active Directory objects stored in OUs, however behind the scenes; Active Directory has a hieracy of containers e.g. CN=SYSTEM and CN=CONFIGURATION, on which control can lead to risk. Results are prone to false-positives but can assist auditing containers permissions. +query: |- + MATCH p=(:Domain)-[:Contains*1..]->(c:Container)<-[r]-(n:Base) + + // Exclude Tier Zero + WHERE NOT ((n:Tag_Tier_Zero) OR COALESCE(n.system_tags, '') CONTAINS 'admin_tier_0') + + // Scope edges to ACLs + AND r.isacl + + // Exclude CN=Users and CN=Computers containers + AND NOT c.distinguishedname STARTS WITH "CN=COMPUTERS,DC=" + AND NOT c.distinguishedname STARTS WITH "CN=USERS,DC=" + + // Exclude same-domain unresolved SIDs + AND NOT (n.distinguishedname IS NULL AND n.domainsid = c.domainsid) + + // Exclude default: Cert Publishers + AND NOT (c.distinguishedname CONTAINS ",CN=PUBLIC KEY SERVICES,CN=SERVICES,CN=CONFIGURATION,DC=" AND n.objectid ENDS WITH "-517") + + // Exclude default: RAS and IAS Servers + AND NOT (c.distinguishedname CONTAINS "CN=RAS AND IAS SERVERS ACCESS CHECK,CN=SYSTEM,DC=" AND n.objectid ENDS WITH "-553") + + // Exclude default: DNS + AND NOT (c.distinguishedname CONTAINS "CN=MICROSOFTDNS,CN=SYSTEM,DC=" AND n.name STARTS WITH "DNSADMINS@") + + // Exclude default: ConfigMgr + AND NOT (c.distinguishedname STARTS WITH "CN=SYSTEM MANAGEMENT,CN=SYSTEM,DC=" AND n.samaccountname ENDS WITH "$") + + // Exclude default: Exchange pt1 + AND NOT (c.distinguishedname CONTAINS "CN=MICROSOFT EXCHANGE,CN=SERVICES,CN=CONFIGURATION,DC=" AND (n.name STARTS WITH "EXCHANGE TRUSTED SUBSYSTEM@" OR n.name STARTS WITH "ORGANIZATION MANAGEMENT@" OR n.name STARTS WITH "EXCHANGE SERVICES@")) + + // Exclude default: Exchange pt2 + AND NOT ((c.distinguishedname 
CONTAINS "CN=MONITORING MAILBOXES,CN=MICROSOFT EXCHANGE SYSTEM OBJECTS,DC=" OR c.distinguishedname CONTAINS "CN=MICROSOFT EXCHANGE SYSTEM OBJECTS,DC=") AND n.name STARTS WITH "EXCHANGE ENTERPRISE SERVERS@") + + // Exclude default: Exchange pt3 + AND NOT ((c.distinguishedname CONTAINS "CN=ACTIVE DIRECTORY CONNECTIONS,CN=MICROSOFT EXCHANGE,CN=SERVICES,CN=CONFIGURATION,DC=" OR c.distinguishedname CONTAINS "CN=MICROSOFT EXCHANGE SYSTEM OBJECTS,DC=" OR c.distinguishedname =~ "CN=RECIPIENT UPDATE SERVICES,CN=ADDRESS LISTS CONTAINER,CN=.*,CN=MICROSOFT EXCHANGE,CN=SERVICES,CN=CONFIGURATION,DC=") AND n.name STARTS WITH "EXCHANGE DOMAIN SERVERS@") + + RETURN p + LIMIT 2000 +revision: 1 +resources: +acknowledgements: Martin Sohn Christensen, @martinsohndk +
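Review bot: the variable-length pattern `[:MemberOf*2..]` in `queries/Circular AD group memberships.yml` has no upper bound, so on a large graph the MATCH expands every membership chain from every group before `x.objectid=y.objectid` prunes it. Consider capping the depth and matching the cycle directly, e.g. `MATCH p=(x:Group)-[:MemberOf*2..10]->(x)`, which also removes the separate objectid comparison. The same applies to the `AZMemberOf` pattern in `queries/Circular AZ group memberships.yml`.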
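Review bot: the description in `queries/Collection health of CA Registry Data.yml` has a sentence with no verb ("It only requires one misconfigured CA to potentially a full forest compromise by any principal"); suggest "It only takes one misconfigured CA to potentially enable a full forest compromise by any principal." Also "requires SharpHound has Administrators membership" reads better as "requires that SharpHound runs with Administrators membership".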
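Review bot: the description in `queries/Collection health of DC Registry Data.yml` was copied from the CA query and still says "requires collecting CA registry data", while the WHERE clause tests `c.strongcertificatebindingenforcementraw` and the resource link points at `#dc-registry`. Reword it to describe DC registry collection (the certificate binding enforcement data read from domain controllers), and fix the same missing-verb sentence ("to potentially a full forest compromise") as in the CA file.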
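Review bot: the file `queries/Collection health of Tier Zero Inbound Execution Privileges.yml` does not match its contents: `name:` is "Collection health of specific computer", the description ("Returns Local groups and their members, and Principals with privileges") is not a collection-health check, and the `ENDS WITH "HOSTNAME.DOMAIN.LOCAL"` placeholder returns nothing until a user edits the query. Rename the file and `name:` consistently, state in the description that the hostname must be replaced, and either fill `resources:` or drop the empty key to match the other files.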
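Review bot: `resources:` in `queries/Direct Principal Rights Assignment.yml` points at the StackExchange "what's wrong with circular references" thread copied from the circular-group query, which has nothing to do with direct rights assignment or RBAC. Replace it with a relevant reference or leave the key empty.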
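Review bot: `description:` is empty in both `queries/Foreign AZ Service Principals in Tier Zero.yml` and `queries/Foreign AZ Service Principals in control of Azure tenant.yml`, so the front-end will show these queries with no explanation of what a foreign (other-tenant-owned) service principal is or why its presence in Tier Zero or with tenant-level edges is a risk. A one-sentence description like the one in `Foreign Service Principals With Group Memberships.yml` would do; the linked SpecterOps post already covers the reasoning.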
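Review bot: the query in `queries/Foreign External AZ users in Tier Zero.yaml` returns an undefined variable: `MATCH (n:AZUser)` binds only `n`, so `RETURN p` will fail (use `RETURN n`, or write `MATCH p=(n:AZUser)` if a path is intended). The file also uses the `.yaml` extension while every other query uses `.yml` and the README says `.yml` files are combined into Queries.json, so it may be skipped by the build entirely, and `description:` is empty.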
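Review bot: in `queries/Potential GPO 'Apply' misconfiguration.yml` the exclusion `NOT n.objectid =~ "-(519|512)$"` never matches, because Cypher's `=~` matches the regex against the whole string; Domain Admins and Enterprise Admins are therefore not excluded. Use `NOT n.objectid =~ ".*-(519|512)$"` or `NOT (n.objectid ENDS WITH "-512" OR n.objectid ENDS WITH "-519")`. Also `prebuilt: true` is inconsistent with every other query in this change (all `false`) and this is not a BloodHound pre-built query, and the description has "audited for for correctness" and "GPO's" (should be "GPOs").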
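Review bot: `name:` in `queries/Uncommon permission on containers.yml` is "Circular AD group memberships", copied from another file; it should match the file name, otherwise the front-end lists two queries with the same name. The Exchange pt3 exclusion `c.distinguishedname =~ "CN=RECIPIENT UPDATE SERVICES,...,CN=CONFIGURATION,DC="` also never matches, since `=~` is a whole-string match and a real DN continues after `DC=`; append `.*` to the pattern (`...,CN=CONFIGURATION,DC=.*`) so the intended default is actually excluded. Minor: "hieracy" in the description should be "hierarchy".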