Improvements/fixes to existing queries (#15)

* multi-version tier zero tag support
* Update combined queries
* version bump
* Update combined queries
* bug fix: include nested members
* Update combined queries
---------

Co-authored-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com>
Co-authored-by: Joey Dreijer <[email protected]>

Author: 3 people

Queries.json

@@ -114,8 +114,8 @@
     ],
     "category": "Dangerous Privileges",
     "description": null,
-    "query": "MATCH p=(n:Base)-[:Owns]->(:Computer)\nWHERE NOT coalesce(n.system_tags, \"\") CONTAINS \"admin_tier_0\"\nRETURN p",
-    "revision": 1,
+    "query": "MATCH p=(n:Base)-[:Owns]->(:Computer)\nWHERE NOT ((n:Tag_Tier_Zero) OR COALESCE(n.system_tags, '') CONTAINS 'admin_tier_0')\nRETURN p",
+    "revision": 2,
     "resources": [],
     "acknowledgements": [
       "Martin Sohn Christensen, @martinsohndk"
@@ -283,8 +283,8 @@
     ],
     "category": "Domain Information",
     "description": null,
-    "query": "MATCH p=(n:Base)-[r:MemberOf]->(m:Group)\nWHERE m.objectid ENDS WITH \"-571\"\nAND (n:User or n:Computer)\nRETURN p",
-    "revision": 1,
+    "query": "MATCH p=(:Base)-[:MemberOf*1..]->(m:Group)\nWHERE m.objectid ENDS WITH \"-571\"\nRETURN p",
+    "revision": 2,
     "resources": [],
     "acknowledgements": [
       "Martin Sohn Christensen, @martinsohndk"
@@ -2613,8 +2613,8 @@
     ],
     "category": "Active Directory Hygiene",
     "description": null,
-    "query": "MATCH (n:Computer)\nWHERE n.enabled = true\nAND n.whencreated < (datetime().epochseconds - (60 * 3 * 86400))\nAND n.pwdlastset < (datetime().epochseconds - (60 * 3 * 86400))\nAND coalesce(n.system_tags, \"\") CONTAINS \"admin_tier_0\"\nRETURN n",
-    "revision": 1,
+    "query": "MATCH (n:Computer)\nWHERE n.enabled = true\nAND n.whencreated < (datetime().epochseconds - (60 * 3 * 86400))\nAND n.pwdlastset < (datetime().epochseconds - (60 * 3 * 86400))\nAND ((n:Tag_Tier_Zero) OR COALESCE(n.system_tags, '') CONTAINS 'admin_tier_0')\nRETURN n",
+    "revision": 2,
     "resources": [],
     "acknowledgements": [
       "Martin Sohn Christensen, @martinsohndk"

queries/Members of Allowed RODC Password Replication Group.yml

@@ -5,11 +5,10 @@ platforms: Active Directory
 category: Domain Information
 description: 
 query: |-
-  MATCH p=(n:Base)-[r:MemberOf]->(m:Group)
+  MATCH p=(:Base)-[:MemberOf*1..]->(m:Group)
   WHERE m.objectid ENDS WITH "-571"
-  AND (n:User or n:Computer)
   RETURN p
-revision: 1
+revision: 2
 resources: 
 acknowledgements: Martin Sohn Christensen, @martinsohndk
 

queries/Tier Zero computers not owned by Tier Zero.yml

@@ -6,9 +6,9 @@ category: Dangerous Privileges
 description: 
 query: |-
   MATCH p=(n:Base)-[:Owns]->(:Computer)
-  WHERE NOT coalesce(n.system_tags, "") CONTAINS "admin_tier_0"
+  WHERE NOT ((n:Tag_Tier_Zero) OR COALESCE(n.system_tags, '') CONTAINS 'admin_tier_0')
   RETURN p
-revision: 1
+revision: 2
 resources: 
 acknowledgements: Martin Sohn Christensen, @martinsohndk
 

queries/Tier Zero computers with passwords older than the default maximum password age.yml

@@ -9,9 +9,9 @@ query: |-
   WHERE n.enabled = true
   AND n.whencreated < (datetime().epochseconds - (60 * 3 * 86400))
   AND n.pwdlastset < (datetime().epochseconds - (60 * 3 * 86400))
-  AND coalesce(n.system_tags, "") CONTAINS "admin_tier_0"
+  AND ((n:Tag_Tier_Zero) OR COALESCE(n.system_tags, '') CONTAINS 'admin_tier_0')
   RETURN n
-revision: 1
+revision: 2
 resources: 
 acknowledgements: Martin Sohn Christensen, @martinsohndk