Update for SO-CON 2026

[martinsohn]

Overview

This PR significantly expands the BloodHound Query Library with new security assessment queries and comprehensive tool mappings (PurpleKnight, Nessus, PingCastle). The changes focus on Tier Zero governance, cloud security, and attack path analysis.

Query Changes

✨ New Queries Added (38)

• AD Groups nested more than 3 levels
• AdminSDHolder protected objects without 'Admin Count' flag
• AdminSDHolder with ACL inheritance enabled
• All enabled Group Managed Service Accounts (gMSAs)
• Azure groups nested more than 3 levels
• Azure tenants with fewer than 2 Global Administrators
• Azure tenants with more than 5 Global Administrators
• Computers with local administrator permissions over other computers
  • Closes Computers with local administrator permissions over other computers #50
• Computers with membership in default privileged groups
• Domains without Group Managed Service Accounts
• Enabled Entra ID guest users inactive for 30 days
• Enabled Entra ID users inactive for 90 days
• Enabled Entra Tier Zero principals inactive for 60 days
• Global Administrators with recent sign-in activity
• Managed Service Accounts with passwords older than the default maximum password age
• No break-glass test using built-in domain Administrator account in the last year
• Non-Tier Zero Principals with ExecuteDCOM privileges on Domain Controllers
• Non-Tier Zero computers with inbound resource-based constrained delegation
• Non-Tier Zero owners of Tier Zero Entra groups
• Non-Tier Zero principals with GPO link control over Tier Zero containers
• Non-Tier Zero principals with access to enabled gMSA passwords
  • Closes Add gMSA Cypher queries for BloodHound CE #49
• Non-Tier Zero users that can read LAPS passwords
• Objects created in the past 10 days
• Principals that can write Shadow Credentials on Tier Zero principals
• Principals with Directory Synchronization Accounts role assignment
• Principals with control of Domain Controllers
• Principals with control of Entra ID SSO accounts
• Principals with control of KRBTGT accounts
• Principals with deprecated or prohibited Entra role assignments
• Principals with outbound constrained delegation
• Shortest paths from non-Tier Zero computers to Tier Zero
  • Closes Add "non-tier-zero shortest path to tier zero" queries #51
• Shortest paths from non-Tier Zero groups to Tier Zero
  • Closes Add "non-tier-zero shortest path to tier zero" queries #51
• Shortest paths from non-Tier Zero objects to Tier Zero
  • Closes Add "non-tier-zero shortest path to tier zero" queries #51
• Shortest paths from non-Tier Zero user accounts to Tier Zero
  • Closes Add "non-tier-zero shortest path to tier zero" queries #51
• Tier Zero Azure roles with more than 10 members
• Tier Zero Entra ID principals synchronized with AD
• Tier Zero OU containing Non-Tier Zero principals
• Tier Zero objects created in the past 10 days

🔄 Renamed Queries (3)

• All members of Operator groups (formerly All Operators)
• All members of Protected Users (formerly Computers with membership in Protected Users)
• Tier Zero principals not owned by Tier Zero (formerly Tier Zero computers not owned by Tier Zero)

✏️ Updated Queries (18)

• All GPOs applied to a specific computer
• Compromising permissions on ADCS nodes (ESC5)
• Computers with non-default Primary Group membership
• Domains affected by AdPrep privilege escalation risk
• Domains where any user can join a computer to the domain
• Non-Tier Zero account with excessive control
• Non-Tier Zero account with unconstrained delegation
• On-Prem Users synced to Entra Users with Entra Admin Roles (direct)
• On-Prem Users synced to Entra Users with Entra Admin Roles (group delegated)
• Synced Entra Users with Entra Admin Role approval (direct)
• Synced Entra Users with Entra Admin Role approval (group delegated)
• Synced Entra Users with Entra Admin Role direct eligibility
• Synced Entra Users with Entra Admin Roles group delegated eligibility
• Tier Zero accounts that can be delegated

Assessment Tool Mappings

• PurpleKnight: 50+ mappings for Entra/hybrid security findings
  • AD Certificate Authority with Web Enrollment - ESC8
  • AD objects created within the last 10 days
  • AD privileged users that are synced to Entra ID
  • Accounts with Constrained Delegation configured to krbtgt
  • Accounts with Kerberos constrained delegation configured to SSO computer account
  • Admins with old passwords
  • Anonymous NSPI access to AD enabled
  • Anonymous access to Active Directory enabled
  • Built-in domain Administrator account used within the last two weeks
  • Built-in domain Administrator account with old password (180 days)
  • Built-in guest account is enabled
  • Certificate templates that allow requesters to specify a subjectAltName
  • Certificate templates with 3 or more insecure configurations
  • Changes to MS LAPS read permissions
  • Changes to Pre-Windows 2000 Compatible Access Group membership
  • Computer Accounts in Privileged Groups
  • Computer account takeover through Kerberos Resource-Based Constrained Delegation (RBCD)
  • Computer or user accounts with SPN that have unconstrained delegation
  • Computers with older OS versions
  • Computers with password last set over 90 days ago
  • Dangerous Trust Attribute Set
  • Dangerous control paths expose certificate containers
  • Dangerous control paths expose certificate templates
  • Distributed COM Users group or Performance Log Users group are not empty
  • Domain Controller owner is not an administrator
  • Domain Controllers that have not authenticated to the domain for more than 45 days
  • Domain Controllers with Resource-Based Constrained Delegation (RBCD) enabled
  • Domain Controllers with old passwords
  • Domain trust to a third-party domain without quarantine
  • Domains with obsolete functional levels
  • Enabled admin accounts that are inactive
  • Enterprise Key Admins with full access to domain
  • Entra Connect sync account password reset
  • Entra ID privileged users that are also privileged in AD
  • Foreign Security Principals in Privileged Group
  • Forest contains more than 50 privileged accounts
  • GPO linking delegation at the domain controller OU level
  • GPO linking delegation at the domain level
  • Global Administrators that signed in during the last 14 days
  • Guest accounts that were inactive for more than 30 days
  • Guest invites not accepted in last 30 day
  • Hybrid-synced privileged role accounts
  • Inheritance enabled on AdminSDHolder object
  • Kerberos KRBTGT account with old password
  • LDAP signing is not required on Domain Controllers
  • Less than 2 Global Administrators exist
  • More than 10 Privileged Administrators exist
  • More than 5 Global Administrators exist
  • Non-default principals with DC Sync rights on the domain
  • Non-privileged users with access to gMSA passwords
  • OU permissions enabling BadSuccessor dMSA escalation
  • Objects in privileged groups without adminCount=1 (SDProp)
  • Objects with constrained delegation configured
  • Operator groups no longer protected by AdminSDHolder and SDProp
  • Operators Groups that are not empty
  • Outbound forest trust with SID History enabled
  • Permission changes on AdminSDHolder object
  • Primary users with SPN not supporting AES encryption on Kerberos
  • Principals with constrained authentication delegation enabled for a DC service
  • Principals with constrained delegation using protocol transition enabled for a DC service
  • Privileged accounts with a password that never expires
  • Privileged accounts with mailbox
  • Privileged group contains guest account
  • Privileged objects with unprivileged owners
  • Privileged users that are disabled
  • Privileged users with SPN defined
  • Prohibited Entra ID Roles Assigned
  • Protected Users group not in use
  • RC4 or DES encryption type are supported by Domain Controllers
  • Recent privileged account creation activity
  • Resource Based Constrained Delegation applied to AZUREADSSOACC account
  • SMB Signing is not required on Domain Controllers
  • SSO computer account with password last set over 90 days ago
  • Shadow Credentials on privileged objects
  • Smart card password rotation disabled
  • Suspicious Directory Synchronization Accounts role member
  • Unprivileged accounts with adminCount=1
  • Unprivileged owner of a privileged group
  • Unprivileged principals as DNS Admins
  • Unprivileged users can add computer accounts to the domain
  • User accounts that store passwords with reversible encryption
  • User accounts that use DES encryption
  • User accounts using Smart Card authentication with old password
  • User accounts with password not required
  • Users and computers with non-default Primary Group IDs
  • Users or devices inactive for at least 90 days
  • Users with Kerberos pre-authentication disabled
  • Users with Password Never Expires flag set
  • Users with SPN defined
  • Users with old passwords
  • Users with the attribute userPassword set
  • Well-known privileged SIDs in SIDHistory
  • Write access to RBCD on DC
  • gMSA not in use
  • gMSA objects with old passwords
  • krbtgt account with Resource-Based Constrained Delegation (RBCD) enabled
• Nessus: Added scanning IDs
• PingCastle: One scope change

Documentation

• Updated README.md with assessment tool references
• Enhanced security-assessment-mapping.md with scope descriptions
• Updated .gitignore