Bed 4464: Update pre-saved queries (#654)

* Update pre-defined queries

* Typos

* Update pre-defined queries

* Typos

* updates

* typos, round 2

* too many typos

packages/javascript/bh-shared-ui/src/commonSearches.tsx

@@ -48,11 +48,7 @@ export const CommonSearches: CommonSearchType[] = [
                 cypher: `MATCH p=(n:Domain)-[]->(m:Domain)\nRETURN p`,
             },
             {
-                description: 'Computers with unsupported operating systems',
-                cypher: `MATCH (n:Computer)\nWHERE n.operatingsystem =~ "(?i).*Windows.* (2000|2003|2008|2012|xp|vista|7|8|me|nt).*"\nRETURN n`,
-            },
-            {
-                description: 'Locations of high value/Tier Zero objects',
+                description: 'Locations of Tier Zero / High Value objects',
                 cypher: `MATCH p = (:Domain)-[:Contains*1..]->(n:Base)\nWHERE "admin_tier_0" IN split(n.system_tags, ' ')\nRETURN p`,
             },
         ],
@@ -82,7 +78,7 @@ export const CommonSearches: CommonSearchType[] = [
                 cypher: `MATCH p=(m:Group)-[:AllExtendedRights|ReadLAPSPassword]->(n:Computer)\nWHERE m.objectid ENDS WITH "-513"\nRETURN p`,
             },
             {
-                description: 'Paths from Domain Users to high value/Tier Zero targets',
+                description: 'Paths from Domain Users to Tier Zero / High Value targets',
                 cypher: `MATCH p=shortestPath((m:Group)-[:${adTransitEdgeTypes}*1..]->(n))\nWHERE "admin_tier_0" IN split(n.system_tags, ' ') AND m.objectid ENDS WITH "-513" AND m<>n\nRETURN p`,
             },
             {
@@ -108,7 +104,7 @@ export const CommonSearches: CommonSearchType[] = [
         category: categoryAD,
         queries: [
             {
-                description: 'Kerberoastable members of high value/Tier Zero groups',
+                description: 'Kerberoastable members of Tier Zero / High Value groups',
                 cypher: `MATCH p=shortestPath((n:User)-[:MemberOf]->(g:Group))\nWHERE "admin_tier_0" IN split(g.system_tags, ' ') AND n.hasspn=true\nRETURN p`,
             },
             {
@@ -133,20 +129,16 @@ export const CommonSearches: CommonSearchType[] = [
                 description: 'Shortest paths to systems trusted for unconstrained delegation',
                 cypher: `MATCH p=shortestPath((n)-[:${adTransitEdgeTypes}*1..]->(m:Computer))\nWHERE m.unconstraineddelegation = true AND n<>m\nRETURN p`,
             },
-            {
-                description: 'Shortest paths from Kerberoastable users',
-                cypher: `MATCH p=shortestPath((n:User)-[:${adTransitEdgeTypes}*1..]->(m:Computer))\nWHERE n.hasspn = true AND n<>m\nRETURN p`,
-            },
             {
                 description: 'Shortest paths to Domain Admins from Kerberoastable users',
                 cypher: `MATCH p=shortestPath((n:User)-[:${adTransitEdgeTypes}*1..]->(m:Group))\nWHERE n.hasspn = true AND m.objectid ENDS WITH "-512"\nRETURN p`,
             },
             {
-                description: 'Shortest paths to high value/Tier Zero targets',
+                description: 'Shortest paths to Tier Zero / High Value targets',
                 cypher: `MATCH p=shortestPath((n)-[:${adTransitEdgeTypes}*1..]->(m))\nWHERE "admin_tier_0" IN split(m.system_tags, ' ') AND n<>m\nRETURN p`,
             },
             {
-                description: 'Shortest paths from Domain Users to high value/Tier Zero targets',
+                description: 'Shortest paths from Domain Users to Tier Zero / High Value targets',
                 cypher: `MATCH p=shortestPath((n:Group)-[:${adTransitEdgeTypes}*1..]->(m))\nWHERE "admin_tier_0" IN split(m.system_tags, ' ') AND n.objectid ENDS WITH "-513" AND n<>m\nRETURN p`,
             },
             {
@@ -205,18 +197,50 @@ export const CommonSearches: CommonSearchType[] = [
                 cypher: `MATCH p = (dc:Computer)-[:DCFor]->(d)\nWHERE dc.certificatemappingmethodsraw IN [4, 5, 6, 7, 12, 13, 14, 15, 20, 21, 22, 23, 28, 29, 30, 31]\nRETURN p`,
             },
             {
-                description: 'Non-Default Permissions on IssuancePolicy Nodes',
-                cypher: `MATCH p = (n)-[:GenericAll|GenericWrite|Owns|WriteOwner|WriteDacl]->(:IssuancePolicy)
-                WHERE NOT n.objectid ENDS WITH "-512" AND NOT n.objectid ENDS WITH "-519"
-                RETURN p`,
+                description: 'Non-default permissions on IssuancePolicy nodes',
+                cypher: `MATCH p = (n)-[:GenericAll|GenericWrite|Owns|WriteOwner|WriteDacl]->(:IssuancePolicy)\nWHERE NOT n.objectid ENDS WITH "-512" AND NOT n.objectid ENDS WITH "-519"\nRETURN p`,
             },
             {
-                description: 'Enrollment Rights on CertTemplates with OIDGroupLink',
+                description: 'Enrollment rights on CertTemplates with OIDGroupLink',
                 cypher: `MATCH p = ()-[:Enroll|GenericAll|AllExtendedRights]->(ct:CertTemplate)-[:ExtendedByPolicy]->(:IssuancePolicy)-[:OIDGroupLink]->(g)
                 RETURN p`,
             },
         ],
     },
+    {
+        subheader: 'Active Directory Hygiene',
+        category: categoryAD,
+        queries: [
+            {
+                description: 'Inactive enabled Tier Zero principals',
+                cypher: `MATCH (n)\nWHERE n.system_tags CONTAINS "admin_tier_0"\nAND n.enabled = true\nAND n.lastlogontimestamp < (datetime().epochseconds - (60 * 86400)) // Replicated value\nAND n.lastlogon < (datetime().epochseconds - (60 * 86400)) // Non-replicated value\nAND n.whencreated < (datetime().epochseconds - (60 * 86400)) // Exclude recently created principals\nAND NOT n.name STARTS WITH "AZUREADKERBEROS." // Removes false positive, Azure KRBTGT\nAND NOT n.objectid ENDS WITH "-500" // Removes false positive, built-in Administrator\nAND NOT n.name STARTS WITH "AZUREADSSOACC." // Removes false positive, Entra Seamless SSO\nRETURN n`
+            },
+            {
+                description: 'Computers with unsupported operating systems',
+                cypher: `MATCH (n:Computer)\nWHERE n.operatingsystem =~ "(?i).*Windows.* (2000|2003|2008|2012|xp|vista|7|8|me|nt).*"\nRETURN n`,
+            },
+            {
+                description: 'Users which do not require password to authenticate',
+                cypher: `MATCH (u:User)\nWHERE u.passwordnotreqd = true\nRETURN u`,
+            },
+            {
+                description: 'Users with passwords not rotated in over 1 year',
+                cypher: `MATCH (u:User)\nWHERE u.pwdlastset < (datetime().epochseconds - (365 * 86400))\nAND NOT u.pwdlastset IN [-1.0, 0.0]\nRETURN u LIMIT 100`,
+            },
+            {
+                description: 'Nested groups within Tier Zero / High Value',
+                cypher: `MATCH p=(n:Group)-[:MemberOf*..]->(t:Group)\nWHERE n.domainsid <> t.domainsid\nAND coalesce(t.system_tags,"") CONTAINS ('tier_0')\nAND NOT n.objectid ENDS WITH "-512" // Domain Admins\nAND NOT n.objectid ENDS WITH "-519" // Enterprise Admins\nRETURN p`,
+            },
+            {
+                description: 'Disabled Tier Zero / High Value principals',
+                cypher: `MATCH (n)\nWHERE n.system_tags CONTAINS "admin_tier_0"\nAND n.enabled = false\nAND NOT n.objectid ENDS WITH "-502" // Removes false positive, KRBTGT\nAND NOT n.objectid ENDS WITH "-500" // Removes false positive, built-in Administrator\nRETURN n`
+            },
+            {
+                description: 'Tier Zero / High Value users with non-expiring passwords',
+                cypher: `MATCH (u:User)\nWHERE  u.enabled=TRUE\nAND u.pwdneverexpires = TRUE\nand u.system_tags CONTAINS "admin_tier_0"\nRETURN u`
+            },
+        ],
+    },
     {
         subheader: 'General',
         category: categoryAzure,
@@ -236,15 +260,15 @@ export const CommonSearches: CommonSearchType[] = [
         category: categoryAzure,
         queries: [
             {
-                description: 'Shortest paths to high value/Tier Zero targets',
+                description: 'Shortest paths to Tier Zero / High Value targets',
                 cypher: `MATCH p=shortestPath((m:AZUser)-[r:${azureTransitEdgeTypes}*1..]->(n))\nWHERE "admin_tier_0" IN split(n.system_tags, ' ') AND n.name =~ '(?i)${highPrivilegedRoleDisplayNameRegex}' AND m<>n\nRETURN p`,
             },
             {
                 description: 'Shortest paths to privileged roles',
                 cypher: `MATCH p=shortestPath((m)-[r:${azureTransitEdgeTypes}*1..]->(n:AZRole))\nWHERE n.name =~ '(?i)${highPrivilegedRoleDisplayNameRegex}' AND m<>n\nRETURN p`,
             },
             {
-                description: 'Shortest paths from Azure Applications to high value/Tier Zero targets',
+                description: 'Shortest paths from Azure Applications to Tier Zero / High Value targets',
                 cypher: `MATCH p=shortestPath((m:AZApp)-[r:${azureTransitEdgeTypes}*1..]->(n))\nWHERE "admin_tier_0" IN split(n.system_tags, ' ') AND m<>n\nRETURN p`,
             },
             {
@@ -267,4 +291,22 @@ export const CommonSearches: CommonSearchType[] = [
             },
         ],
     },
+    {
+        subheader: 'Azure Hygiene',
+        category: categoryAzure,
+        queries: [
+            {
+                description: 'Foreign principals in Tier Zero / High Value targets',
+                cypher: `MATCH (n:AZServicePrincipal)\nWHERE n.system_tags contains 'admin_tier_0'\nAND NOT toUpper(n.appownerorganizationid) = toUpper(n.tenantid)\nAND n.appownerorganizationid CONTAINS "-"\nRETURN n`,
+            },
+            {
+                description: 'Tier Zero AD principals synchronized with Entra ID',
+                cypher: `MATCH (ENTRA:AZBase)\nMATCH (AD:Base)\nWHERE ENTRA.onpremsyncenabled = true\nAND ENTRA.onpremid = AD.objectid\nAND AD.system_tags CONTAINS "admin_tier_0"\nRETURN ENTRA\n// Replace "RETURN ENTRA" with "RETURN AD" to see the corresponding AD principals`
+            },
+            {
+                description: 'Tier Zero / High Value external Entra ID users',
+                cypher: `MATCH (n:AZUser)\nWHERE n.system_tags contains 'admin_tier_0'\nAND n.name CONTAINS '#EXT#@'\nRETURN n`
+            },
+        ],
+    },
 ];