From 5c5cde5fefb6f34c2ae7122f9d12fbd14431de3b Mon Sep 17 00:00:00 2001 From: Stephen Hinck Date: Thu, 13 Jun 2024 14:45:24 -0700 Subject: [PATCH] Bed 4464: Update pre-saved queries (#654) * Update pre-defined queries * Typos * Update pre-defined queries * Typos * updates * typos, round 2 * too many typos --- .../bh-shared-ui/src/commonSearches.tsx | 82 ++++++++++++++----- 1 file changed, 62 insertions(+), 20 deletions(-) diff --git a/packages/javascript/bh-shared-ui/src/commonSearches.tsx b/packages/javascript/bh-shared-ui/src/commonSearches.tsx index 58c89264a..ec8b0862e 100644 --- a/packages/javascript/bh-shared-ui/src/commonSearches.tsx +++ b/packages/javascript/bh-shared-ui/src/commonSearches.tsx @@ -48,11 +48,7 @@ export const CommonSearches: CommonSearchType[] = [ cypher: `MATCH p=(n:Domain)-[]->(m:Domain)\nRETURN p`, }, { - description: 'Computers with unsupported operating systems', - cypher: `MATCH (n:Computer)\nWHERE n.operatingsystem =~ "(?i).*Windows.* (2000|2003|2008|2012|xp|vista|7|8|me|nt).*"\nRETURN n`, - }, - { - description: 'Locations of high value/Tier Zero objects', + description: 'Locations of Tier Zero / High Value objects', cypher: `MATCH p = (:Domain)-[:Contains*1..]->(n:Base)\nWHERE "admin_tier_0" IN split(n.system_tags, ' ')\nRETURN p`, }, ], @@ -82,7 +78,7 @@ export const CommonSearches: CommonSearchType[] = [ cypher: `MATCH p=(m:Group)-[:AllExtendedRights|ReadLAPSPassword]->(n:Computer)\nWHERE m.objectid ENDS WITH "-513"\nRETURN p`, }, { - description: 'Paths from Domain Users to high value/Tier Zero targets', + description: 'Paths from Domain Users to Tier Zero / High Value targets', cypher: `MATCH p=shortestPath((m:Group)-[:${adTransitEdgeTypes}*1..]->(n))\nWHERE "admin_tier_0" IN split(n.system_tags, ' ') AND m.objectid ENDS WITH "-513" AND m<>n\nRETURN p`, }, { @@ -108,7 +104,7 @@ export const CommonSearches: CommonSearchType[] = [ category: categoryAD, queries: [ { - description: 'Kerberoastable members of high value/Tier Zero groups', + description: 'Kerberoastable members of Tier Zero / High Value groups', cypher: `MATCH p=shortestPath((n:User)-[:MemberOf]->(g:Group))\nWHERE "admin_tier_0" IN split(g.system_tags, ' ') AND n.hasspn=true\nRETURN p`, }, { @@ -133,20 +129,16 @@ export const CommonSearches: CommonSearchType[] = [ description: 'Shortest paths to systems trusted for unconstrained delegation', cypher: `MATCH p=shortestPath((n)-[:${adTransitEdgeTypes}*1..]->(m:Computer))\nWHERE m.unconstraineddelegation = true AND n<>m\nRETURN p`, }, - { - description: 'Shortest paths from Kerberoastable users', - cypher: `MATCH p=shortestPath((n:User)-[:${adTransitEdgeTypes}*1..]->(m:Computer))\nWHERE n.hasspn = true AND n<>m\nRETURN p`, - }, { description: 'Shortest paths to Domain Admins from Kerberoastable users', cypher: `MATCH p=shortestPath((n:User)-[:${adTransitEdgeTypes}*1..]->(m:Group))\nWHERE n.hasspn = true AND m.objectid ENDS WITH "-512"\nRETURN p`, }, { - description: 'Shortest paths to high value/Tier Zero targets', + description: 'Shortest paths to Tier Zero / High Value targets', cypher: `MATCH p=shortestPath((n)-[:${adTransitEdgeTypes}*1..]->(m))\nWHERE "admin_tier_0" IN split(m.system_tags, ' ') AND n<>m\nRETURN p`, }, { - description: 'Shortest paths from Domain Users to high value/Tier Zero targets', + description: 'Shortest paths from Domain Users to Tier Zero / High Value targets', cypher: `MATCH p=shortestPath((n:Group)-[:${adTransitEdgeTypes}*1..]->(m))\nWHERE "admin_tier_0" IN split(m.system_tags, ' ') AND n.objectid ENDS WITH "-513" AND n<>m\nRETURN p`, }, { @@ -205,18 +197,50 @@ export const CommonSearches: CommonSearchType[] = [ cypher: `MATCH p = (dc:Computer)-[:DCFor]->(d)\nWHERE dc.certificatemappingmethodsraw IN [4, 5, 6, 7, 12, 13, 14, 15, 20, 21, 22, 23, 28, 29, 30, 31]\nRETURN p`, }, { - description: 'Non-Default Permissions on IssuancePolicy Nodes', - cypher: `MATCH p = (n)-[:GenericAll|GenericWrite|Owns|WriteOwner|WriteDacl]->(:IssuancePolicy) - WHERE NOT n.objectid ENDS WITH "-512" AND NOT n.objectid ENDS WITH "-519" - RETURN p`, + description: 'Non-default permissions on IssuancePolicy nodes', + cypher: `MATCH p = (n)-[:GenericAll|GenericWrite|Owns|WriteOwner|WriteDacl]->(:IssuancePolicy)\nWHERE NOT n.objectid ENDS WITH "-512" AND NOT n.objectid ENDS WITH "-519"\nRETURN p`, }, { - description: 'Enrollment Rights on CertTemplates with OIDGroupLink', + description: 'Enrollment rights on CertTemplates with OIDGroupLink', cypher: `MATCH p = ()-[:Enroll|GenericAll|AllExtendedRights]->(ct:CertTemplate)-[:ExtendedByPolicy]->(:IssuancePolicy)-[:OIDGroupLink]->(g) RETURN p`, }, ], }, + { + subheader: 'Active Directory Hygiene', + category: categoryAD, + queries: [ + { + description: 'Inactive enabled Tier Zero principals', + cypher: `MATCH (n)\nWHERE n.system_tags CONTAINS "admin_tier_0"\nAND n.enabled = true\nAND n.lastlogontimestamp < (datetime().epochseconds - (60 * 86400)) // Replicated value\nAND n.lastlogon < (datetime().epochseconds - (60 * 86400)) // Non-replicated value\nAND n.whencreated < (datetime().epochseconds - (60 * 86400)) // Exclude recently created principals\nAND NOT n.name STARTS WITH "AZUREADKERBEROS." // Removes false positive, Azure KRBTGT\nAND NOT n.objectid ENDS WITH "-500" // Removes false positive, built-in Administrator\nAND NOT n.name STARTS WITH "AZUREADSSOACC." // Removes false positive, Entra Seamless SSO\nRETURN n` + }, + { + description: 'Computers with unsupported operating systems', + cypher: `MATCH (n:Computer)\nWHERE n.operatingsystem =~ "(?i).*Windows.* (2000|2003|2008|2012|xp|vista|7|8|me|nt).*"\nRETURN n`, + }, + { + description: 'Users which do not require password to authenticate', + cypher: `MATCH (u:User)\nWHERE u.passwordnotreqd = true\nRETURN u`, + }, + { + description: 'Users with passwords not rotated in over 1 year', + cypher: `MATCH (u:User)\nWHERE u.pwdlastset < (datetime().epochseconds - (365 * 86400))\nAND NOT u.pwdlastset IN [-1.0, 0.0]\nRETURN u LIMIT 100`, + }, + { + description: 'Nested groups within Tier Zero / High Value', + cypher: `MATCH p=(n:Group)-[:MemberOf*..]->(t:Group)\nWHERE n.domainsid <> t.domainsid\nAND coalesce(t.system_tags,"") CONTAINS ('tier_0')\nAND NOT n.objectid ENDS WITH "-512" // Domain Admins\nAND NOT n.objectid ENDS WITH "-519" // Enterprise Admins\nRETURN p`, + }, + { + description: 'Disabled Tier Zero / High Value principals', + cypher: `MATCH (n)\nWHERE n.system_tags CONTAINS "admin_tier_0"\nAND n.enabled = false\nAND NOT n.objectid ENDS WITH "-502" // Removes false positive, KRBTGT\nAND NOT n.objectid ENDS WITH "-500" // Removes false positive, built-in Administrator\nRETURN n` + }, + { + description: 'Tier Zero / High Value users with non-expiring passwords', + cypher: `MATCH (u:User)\nWHERE u.enabled=TRUE\nAND u.pwdneverexpires = TRUE\nand u.system_tags CONTAINS "admin_tier_0"\nRETURN u` + }, + ], + }, { subheader: 'General', category: categoryAzure, @@ -236,7 +260,7 @@ export const CommonSearches: CommonSearchType[] = [ category: categoryAzure, queries: [ { - description: 'Shortest paths to high value/Tier Zero targets', + description: 'Shortest paths to Tier Zero / High Value targets', cypher: `MATCH p=shortestPath((m:AZUser)-[r:${azureTransitEdgeTypes}*1..]->(n))\nWHERE "admin_tier_0" IN split(n.system_tags, ' ') AND n.name =~ '(?i)${highPrivilegedRoleDisplayNameRegex}' AND m<>n\nRETURN p`, }, { @@ -244,7 +268,7 @@ export const CommonSearches: CommonSearchType[] = [ cypher: `MATCH p=shortestPath((m)-[r:${azureTransitEdgeTypes}*1..]->(n:AZRole))\nWHERE n.name =~ '(?i)${highPrivilegedRoleDisplayNameRegex}' AND m<>n\nRETURN p`, }, { - description: 'Shortest paths from Azure Applications to high value/Tier Zero targets', + description: 'Shortest paths from Azure Applications to Tier Zero / High Value targets', cypher: `MATCH p=shortestPath((m:AZApp)-[r:${azureTransitEdgeTypes}*1..]->(n))\nWHERE "admin_tier_0" IN split(n.system_tags, ' ') AND m<>n\nRETURN p`, }, { @@ -267,4 +291,22 @@ export const CommonSearches: CommonSearchType[] = [ }, ], }, + { + subheader: 'Azure Hygiene', + category: categoryAzure, + queries: [ + { + description: 'Foreign principals in Tier Zero / High Value targets', + cypher: `MATCH (n:AZServicePrincipal)\nWHERE n.system_tags contains 'admin_tier_0'\nAND NOT toUpper(n.appownerorganizationid) = toUpper(n.tenantid)\nAND n.appownerorganizationid CONTAINS "-"\nRETURN n`, + }, + { + description: 'Tier Zero AD principals synchronized with Entra ID', + cypher: `MATCH (ENTRA:AZBase)\nMATCH (AD:Base)\nWHERE ENTRA.onpremsyncenabled = true\nAND ENTRA.onpremid = AD.objectid\nAND AD.system_tags CONTAINS "admin_tier_0"\nRETURN ENTRA\n// Replace "RETURN ENTRA" with "RETURN AD" to see the corresponding AD principals` + }, + { + description: 'Tier Zero / High Value external Entra ID users', + cypher: `MATCH (n:AZUser)\nWHERE n.system_tags contains 'admin_tier_0'\nAND n.name CONTAINS '#EXT#@'\nRETURN n` + }, + ], + }, ];