Cyphers and docs

CODE_OF_CONDUCT.md

@@ -0,0 +1,133 @@
+
+# Contributor Covenant Code of Conduct
+
+## Our Pledge
+
+We as members, contributors, and leaders pledge to make participation in our
+community a harassment-free experience for everyone, regardless of age, body
+size, visible or invisible disability, ethnicity, sex characteristics, gender
+identity and expression, level of experience, education, socio-economic status,
+nationality, personal appearance, race, caste, color, religion, or sexual
+identity and orientation.
+
+We pledge to act and interact in ways that contribute to an open, welcoming,
+diverse, inclusive, and healthy community.
+
+## Our Standards
+
+Examples of behavior that contributes to a positive environment for our
+community include:
+
+* Demonstrating empathy and kindness toward other people
+* Being respectful of differing opinions, viewpoints, and experiences
+* Giving and gracefully accepting constructive feedback
+* Accepting responsibility and apologizing to those affected by our mistakes,
+  and learning from the experience
+* Focusing on what is best not just for us as individuals, but for the overall
+  community
+
+Examples of unacceptable behavior include:
+
+* The use of sexualized language or imagery, and sexual attention or advances of
+  any kind
+* Trolling, insulting or derogatory comments, and personal or political attacks
+* Public or private harassment
+* Publishing others' private information, such as a physical or email address,
+  without their explicit permission
+* Other conduct which could reasonably be considered inappropriate in a
+  professional setting
+
+## Enforcement Responsibilities
+
+Community leaders are responsible for clarifying and enforcing our standards of
+acceptable behavior and will take appropriate and fair corrective action in
+response to any behavior that they deem inappropriate, threatening, offensive,
+or harmful.
+
+Community leaders have the right and responsibility to remove, edit, or reject
+comments, commits, code, wiki edits, issues, and other contributions that are
+not aligned to this Code of Conduct, and will communicate reasons for moderation
+decisions when appropriate.
+
+## Scope
+
+This Code of Conduct applies within all community spaces, and also applies when
+an individual is officially representing the community in public spaces.
+Examples of representing our community include using an official email address,
+posting via an official social media account, or acting as an appointed
+representative at an online or offline event.
+
+## Enforcement
+
+Instances of abusive, harassing, or otherwise unacceptable behavior may be
+reported to the community leaders responsible for enforcement at
+[@martinsohn.dk on BlueSky](https://bsky.app/profile/martinsohn.dk) or [@martinsohndk on X](https://x.com/martinsohndk).
+All complaints will be reviewed and investigated promptly and fairly.
+
+All community leaders are obligated to respect the privacy and security of the
+reporter of any incident.
+
+## Enforcement Guidelines
+
+Community leaders will follow these Community Impact Guidelines in determining
+the consequences for any action they deem in violation of this Code of Conduct:
+
+### 1. Correction
+
+**Community Impact**: Use of inappropriate language or other behavior deemed
+unprofessional or unwelcome in the community.
+
+**Consequence**: A private, written warning from community leaders, providing
+clarity around the nature of the violation and an explanation of why the
+behavior was inappropriate. A public apology may be requested.
+
+### 2. Warning
+
+**Community Impact**: A violation through a single incident or series of
+actions.
+
+**Consequence**: A warning with consequences for continued behavior. No
+interaction with the people involved, including unsolicited interaction with
+those enforcing the Code of Conduct, for a specified period of time. This
+includes avoiding interactions in community spaces as well as external channels
+like social media. Violating these terms may lead to a temporary or permanent
+ban.
+
+### 3. Temporary Ban
+
+**Community Impact**: A serious violation of community standards, including
+sustained inappropriate behavior.
+
+**Consequence**: A temporary ban from any sort of interaction or public
+communication with the community for a specified period of time. No public or
+private interaction with the people involved, including unsolicited interaction
+with those enforcing the Code of Conduct, is allowed during this period.
+Violating these terms may lead to a permanent ban.
+
+### 4. Permanent Ban
+
+**Community Impact**: Demonstrating a pattern of violation of community
+standards, including sustained inappropriate behavior, harassment of an
+individual, or aggression toward or disparagement of classes of individuals.
+
+**Consequence**: A permanent ban from any sort of public interaction within the
+community.
+
+## Attribution
+
+This Code of Conduct is adapted from the [Contributor Covenant][homepage],
+version 2.1, available at
+[https://www.contributor-covenant.org/version/2/1/code_of_conduct.html][v2.1].
+
+Community Impact Guidelines were inspired by
+[Mozilla's code of conduct enforcement ladder][Mozilla CoC].
+
+For answers to common questions about this code of conduct, see the FAQ at
+[https://www.contributor-covenant.org/faq][FAQ]. Translations are available at
+[https://www.contributor-covenant.org/translations][translations].
+
+[homepage]: https://www.contributor-covenant.org
+[v2.1]: https://www.contributor-covenant.org/version/2/1/code_of_conduct.html
+[Mozilla CoC]: https://github.com/mozilla/diversity
+[FAQ]: https://www.contributor-covenant.org/faq
+[translations]: https://www.contributor-covenant.org/translations

README.md

@@ -1,15 +1,39 @@
+<p align="center">
+    <a href="https://github.com/SpecterOps/BloodHoundQueryLibrary">
+        <img src="https://img.shields.io/endpoint?url=https%3A%2F%2Fraw.githubusercontent.com%2Fspecterops%2F.github%2Fmain%2Fconfig%2Fshield.json"
+        alt="Sponsored by SpecterOps"/>
+    </a>
+    <a href="https://ghst.ly/BHSlack">
+        <img src="https://img.shields.io/badge/Slack-%23cypher_queries-blueviolet?logo=slack" 
+        alt="Slack"/>
+    </a>
+    <a href="https://github.com/SpecterOps/BloodHoundQueryLibrary/actions">
+        <img src="https://github.com/SpecterOps/BloodHoundQueryLibrary/actions/workflows/syntax.yml/badge.svg"
+        alt="Syntax check"/>
+    </a>
+</p>
+
+
 # BloodHound Query Library 
-![Syntax test](https://github.com/SpecterOps/BloodHoundQueryLibrary/actions/workflows/syntax.yml/badge.svg)
 
 The BloodHound Query Library is a community-driven collection of [Cypher queries](https://support.bloodhoundenterprise.io/hc/en-us/articles/16721164740251) designed to help [BloodHound Community Edition](https://github.com/SpecterOps/BloodHound) and [BloodHound Enterprise](https://specterops.io/bloodhound-overview/) users to unlock the full potential of the flexible BloodHound platform by creating an open query ecosystem.
 
 The library is a free tool for the community maintained in a human-readable format (YAML) through this repository and the sleek and searchable front-end is found at https://queries.specterops.io/
 
+![BloodHound Query Library frontend screenshot](queries.specterops.io.png)
+
+For an introduction to the project, please read our blog post:
+
+- [Introducing the BloodHound Query Library](https://specterops.io/blog/2025/06/17/introducing-the-bloodhound-query-library/)
+
+# Overview
+
 The library contains queries that demonstrate BloodHound's versatility beyond traditional attack path analysis. This includes:
 - All existing pre-built queries from BloodHound
 - Cherry-picked community queries
 - SpecterOps-created queries BloodHound Enterprise customers found valuable
-- Novel queries to further showcase BloodHound's security assessment capabilities, see [security-assessment-mapping.md](/docs/security-assessment-mapping.md)
+- Community contributed queries (see [Contributing](#contributing))
+- Novel queries to further showcase BloodHound's security assessment capabilities (see [security-assessment-mapping.md](/docs/security-assessment-mapping.md))
 
 Individual query files are stored in stored in [/Queries](/Queries/) as `.yml` and are automatically combined into a single  [Queries.json](/Queries.json) file that powers the front-end.
 
@@ -19,7 +43,7 @@ The query files use the YAML structure found in [query-structure.yml](/docs/quer
 name: Entra ID SSO accounts not rolling Kerberos decryption key
 guid: 1867abf8-08e3-4ea8-8f65-8366079d35c4
 prebuilt: false
-platform: 
+platforms: 
 - Active Directory
 - Azure
 category: Configuration Weakness
@@ -29,13 +53,14 @@ query: |-
   WHERE n.name STARTS WITH "AZUREADSSOACC."
   AND n.pwdlastset < (datetime().epochseconds - (30 * 86400))
   RETURN n
-note: 
 revision: 1
 resources: https://learn.microsoft.com/en-us/entra/identity/hybrid/connect/how-to-connect-sso-faq#how-can-i-roll-over-the-kerberos-decryption-key-of-the--azureadsso--computer-account-
 acknowledgements: Martin Sohn Christensen, @martinsohndk
 ```
 
-## Learning Cypher
+Whenever new queries are added, the syntax is automatically validated, ensuring that only syntactically compatible queries are added.
+
+## Learning Cypher Queries
 One of BloodHound’s key features is its flexibility through Cypher queries – a query language to search the BloodHound graph database.
 
 Queries can answer anything from simple questions (e.g., “*Which users haven’t reset their passwords in 180 days?*”), to complex identity attack path problems (e.g., “*Which low-privileged users can compromise computers hosting a gMSA with unconstrained delegation?*”).

queries/Circular AD group memberships.yml

@@ -0,0 +1,15 @@
+name: Circular AD group memberships
+guid: fcaa5ffc-3d22-481f-a2a2-18a4eec30058
+prebuilt: false
+platforms: Active Directory
+category: Active Directory Hygiene
+description: Detects circular group membership chains where groups are members of themselves through one or more intermediate groups. This causes an administrative complexity.
+query: |-
+  MATCH p=(x:Group)-[:MemberOf*2..]->(y:Group)
+  WHERE x.objectid=y.objectid
+  RETURN p
+  LIMIT 100
+revision: 1
+resources: https://softwareengineering.stackexchange.com/questions/11856/whats-wrong-with-circular-references
+acknowledgements: Martin Sohn Christensen, @martinsohndk
+

queries/Circular AZ group memberships.yml

@@ -0,0 +1,15 @@
+name: Circular AZ group memberships
+guid: b005669c-d8af-47ae-a0f1-4f36cd5334ab
+prebuilt: false
+platforms: Azure
+category: Azure Hygiene
+description: Detects circular group membership chains where groups are members of themselves through one or more intermediate groups. This causes an administrative complexity.
+query: |-
+  MATCH p=(x:AZGroup)-[:AZMemberOf*2..]->(y:AZGroup)
+  WHERE x.objectid=y.objectid
+  RETURN p
+  LIMIT 100
+revision: 1
+resources: https://softwareengineering.stackexchange.com/questions/11856/whats-wrong-with-circular-references
+acknowledgements: Martin Sohn Christensen, @martinsohndk
+

queries/Collection health of CA Registry Data.yml

@@ -0,0 +1,22 @@
+name: Collection health of CA Registry Data
+guid: c8dd3479-8063-450a-9456-557bc5f39e10
+prebuilt: false
+platforms: Active Directory
+category: Domain Information
+description: BloodHound's ADCS analysis requires collecting CA registry data to increase accuracy/enable more edges. Collection by default requires SharpHound has Administrators membership. Requires SharpHound v2.3.5 or above. It only requires one misconfigured CA to potentially a full forest compromise by any principal. CAs returned by this query have not been collected.
+query: |-
+  MATCH p=(eca:EnterpriseCA)<-[:HostsCAService]-(c:Computer)
+  WHERE (
+    eca.isuserspecifiessanenabledcollected = false
+    OR eca.casecuritycollected = false
+    OR eca.enrollmentagentrestrictionscollected = false
+    OR eca.roleseparationenabledcollected = false
+  )
+  // Exclude inactive CAs
+  AND c.enabled = true
+  AND c.lastlogontimestamp > (datetime().epochseconds - (30 * 86400))
+  RETURN p
+revision: 1
+resources: https://bloodhound.specterops.io/collect-data/enterprise-collection/permissions#ca-registry
+acknowledgements: Martin Sohn Christensen, @martinsohndk
+

queries/Collection health of DC Registry Data.yml

@@ -0,0 +1,17 @@
+name: Collection health of DC Registry Data
+guid: 3f0fa2f3-fbdf-42c0-9e7d-97e689009161
+prebuilt: false
+platforms: Active Directory
+category: Domain Information
+description: BloodHound's ADCS analysis requires collecting CA registry data to increase accuracy/enable more edges. Collection by default requires SharpHound has Administrators membership. Requires SharpHound v2.3.5 or above. It only requires one misconfigured DC to potentially a full forest compromise by any principal. DCs returned by this query have not been collected.
+query: |-
+  MATCH p=(:Domain)<-[:DCFor]-(c:Computer)
+  WHERE c.strongcertificatebindingenforcementraw IS NULL
+  // Exclude inactive DCs
+  AND c.enabled = true
+  AND c.lastlogontimestamp > (datetime().epochseconds - (30 * 86400))
+  RETURN p
+revision: 1
+resources: https://bloodhound.specterops.io/collect-data/enterprise-collection/permissions#dc-registry
+acknowledgements: Martin Sohn Christensen, @martinsohndk
+

queries/Collection health of Tier Zero Inbound Execution Privileges.yml

@@ -0,0 +1,17 @@
+name: Collection health of specific computer
+guid: bb95c9c5-984c-4057-a430-000d684c069a
+prebuilt: false
+platforms: Active Directory
+category: Domain Information
+description: Returns Local groups and their members, and Principals with privileges
+query: |-
+  MATCH p=(m:Base)-[:RemoteInteractiveLogonRight|AdminTo|CanRDP|LocalToComputer|MemberOfLocalGroup]-(n:Base)
+
+  // Insert computer FQDN
+  WHERE m.name ENDS WITH "HOSTNAME.DOMAIN.LOCAL"
+
+  RETURN p
+revision: 1
+resources: 
+acknowledgements: Martin Sohn Christensen, @martinsohndk
+

queries/Direct Principal Rights Assignment.yml

@@ -0,0 +1,15 @@
+name: Direct Principal Rights Assignment
+guid: 1d9c6ae3-38fc-4089-b5ad-fc3be0fa8eec
+prebuilt: false
+platforms: Active Directory
+category: Active Directory Hygiene
+description: This query identifies rights assigned directly to users or computers instead of groups. Active Directory best practice requires granting rights to groups, then adding users as group members. This role-based access control (RBAC) approach ensures permissions are easily auditable and manageable. Results include inherited rights, which must be modified at the parent container level.
+query: |-
+  MATCH p=(n:Base)-[r:GenericAll|GenericWrite|WriteOwner|WriteDacl|ForceChangePassword|AllExtendedRights|AddMember|AllowedToDelegate|AllowedToAct|AdminTo|CanPSRemote|CanRDP|ExecuteDCOM|AddSelf|DCSync|ReadLAPSPassword|ReadGMSAPassword|DumpSMSAPassword|AddAllowedToAct|WriteSPN|AddKeyCredentialLink|SyncLAPSPassword|WriteAccountRestrictions|WriteGPLink|ADCSESC1|ADCSESC3|ADCSESC4|ADCSESC6a|ADCSESC6b|ADCSESC9a|ADCSESC9b|ADCSESC10a|ADCSESC10b|ADCSESC13]->(:Base)
+  WHERE (n:User OR n:Computer)  
+  RETURN p
+  LIMIT 1000
+revision: 1
+resources: https://softwareengineering.stackexchange.com/questions/11856/whats-wrong-with-circular-references
+acknowledgements: Martin Sohn Christensen, @martinsohndk
+

queries/Foreign AZ Service Principals in Tier Zero.yml

@@ -0,0 +1,18 @@
+name: Foreign AZ Service Principals in Tier Zero
+guid: 4d567239-2e68-43e2-8f26-97655b8a37fb
+prebuilt: false
+platforms: Azure
+category: Azure Hygiene
+description: 
+query: |-
+  MATCH (sp:AZServicePrincipal)
+  WHERE toUpper(sp.appownerorganizationid) <> toUpper(sp.tenantid)
+  AND ((sp:Tag_Tier_Zero) OR COALESCE(sp.system_tags, '') CONTAINS 'admin_tier_0')
+  // Ensure AZServicePrincipal has a valid appownerorganizationid
+  AND sp.appownerorganizationid CONTAINS "-"
+  RETURN sp
+  LIMIT 1000
+revision: 1
+resources: https://posts.specterops.io/microsoft-breach-how-can-i-see-this-in-bloodhound-33c92dca4c65
+acknowledgements: Stephen Hinck
+

queries/Foreign AZ Service Principals in control of Azure tenant.yml

@@ -0,0 +1,17 @@
+name: Foreign AZ Service Principals in control of Azure tenant
+guid: c82c17f1-7253-4e3a-b5d2-3647aa388f4a
+prebuilt: false
+platforms: Azure
+category: Dangerous Privileges
+description: 
+query: |-
+  MATCH p = (sp:AZServicePrincipal)-[]->(t:AZTenant)
+  WHERE toUpper(sp.appownerorganizationid) <> toUpper(t.tenantid)
+  // Ensure AZServicePrincipal has a valid appownerorganizationid
+  AND sp.appownerorganizationid CONTAINS "-"
+  RETURN p
+  LIMIT 1000
+revision: 1
+resources: https://posts.specterops.io/microsoft-breach-how-can-i-see-this-in-bloodhound-33c92dca4c65
+acknowledgements: Stephen Hinck
+

queries/Foreign External AZ users in Tier Zero.yaml

@@ -0,0 +1,16 @@
+name: Foreign External AZ users in Tier Zero
+guid: 3a2b7588-522f-4039-8a07-d971e0b214cb
+prebuilt: false
+platforms: Azure
+category: Azure Hygiene
+description: 
+query: |-
+  MATCH (n:AZUser)
+  WHERE n.name CONTAINS "#EXT#@"
+  AND ((n:Tag_Tier_Zero) OR COALESCE(n.system_tags, '') CONTAINS 'admin_tier_0')
+  RETURN p
+  LIMIT 1000
+revision: 1
+resources: https://learn.microsoft.com/en-us/entra/external-id/user-properties#key-properties-of-the-microsoft-entra-b2b-collaboration-user
+acknowledgements: Martin Sohn Christensen, @martinsohndk
+

queries/Foreign Service Principals With Group Memberships.yml

@@ -0,0 +1,17 @@
+name: Foreign Service Principals With Group Memberships
+guid: 327ef6a5-bfa8-4c92-b35a-d3df85264a24
+prebuilt: false
+platforms: Azure
+category: Azure Hygiene
+description: Review each to validate whether their presence is expected and whether the assigned group memberships are appropriate for the foreign service principal.
+query: |-
+  MATCH p = (sp:AZServicePrincipal)-[:AZMemberOf]->(g:AZGroup)
+  WHERE toUpper(sp.appownerorganizationid) <> toUpper(g.tenantid)
+  // Ensure AZServicePrincipal has a valid appownerorganizationid
+  AND sp.appownerorganizationid CONTAINS "-"
+  RETURN p
+  LIMIT 1000
+revision: 1
+resources: https://posts.specterops.io/microsoft-breach-how-can-i-see-this-in-bloodhound-33c92dca4c65
+acknowledgements: Stephen Hinck
+

queries/Foreign Service Principals With an EntraID Admin Role.yml

@@ -0,0 +1,17 @@
+name: Foreign Service Principals With an EntraID Admin Role
+guid: b6235820-4e0d-4dfa-af5b-729b5644feb5
+prebuilt: false
+platforms: Azure
+category: Dangerous Privileges
+description: Entra ID admin roles grant significant control over a tenant environment, even if the role is not a default Tier Zero / High Value role
+query: |-
+  MATCH p = (sp:AZServicePrincipal)-[:AZHasRole]->(r:AZRole)
+  WHERE toUpper(sp.appownerorganizationid) <> toUpper(sp.tenantid)
+  // Ensure AZServicePrincipal has a valid appownerorganizationid
+  AND sp.appownerorganizationid CONTAINS "-"
+  RETURN p
+  LIMIT 1000
+revision: 1
+resources: https://posts.specterops.io/microsoft-breach-how-can-i-see-this-in-bloodhound-33c92dca4c65
+acknowledgements: Stephen Hinck
+