diff --git a/README.md b/README.md index 36d390a..9ffd490 100644 --- a/README.md +++ b/README.md @@ -29,9 +29,10 @@ You can also easily bulk import all queries into BloodHound: - UI: Explore -> Cypher -> Import - API: [/api/v2/saved-queries/import](https://bloodhound.specterops.io/reference/cypher/import-one-or-more-cypher-queries) -For an introduction to the project, please read our blog post: +For an introduction to the project, please read the blog posts: -- [Introducing the BloodHound Query Library](https://specterops.io/blog/2025/06/17/introducing-the-bloodhound-query-library/) +- [Jun 17, 2025: Introducing the BloodHound Query Library](https://specterops.io/blog/2025/06/17/introducing-the-bloodhound-query-library/) +- [Apr 15, 2026: What’s New in the BloodHound Query Library: BYOL, OpenGraph, Multi-Server, and More](https://specterops.io/blog/2026/04/15/whats-new-in-the-bloodhound-query-library-byol-opengraph-multi-server-and-more/) ## Deprecation Notice: `system_tags` Queries 
@@ -98,11 +99,12 @@ One of BloodHound’s key features is its flexibility through Cypher queries – Queries can answer anything from simple questions (e.g., “*Which users haven’t reset their passwords in 180 days?*”), to complex identity attack path problems (e.g., “*Which low-privileged users can compromise computers hosting a gMSA with unconstrained delegation?*”). The library gives you practical examples for learning Cypher and can be combined with these resources: -- [BloodHound documentation: Searching with Cypher](https://support.bloodhoundenterprise.io/hc/en-us/articles/16721164740251) +- [BloodHound documentation: Searching with Cypher](https://bloodhound.specterops.io/analyze-data/explore/cypher-search) +- [queries.specterops.io Cheat Sheet](https://queries.specterops.io/cheatsheet) - [openCypher resources](https://opencypher.org/resources/) - [Neo4j Cypher Cheat Sheet](https://neo4j.com/docs/cypher-cheat-sheet/current/lists/) -You can also learn with the community by joining the #cypher_queries channel in the [BloodHound community Slack](https://support.bloodhoundenterprise.io/hc/en-us/articles/16730536907547). +You can also learn with the community by joining the #cypher_queries channel in the [BloodHound community Slack](https://bloodhound.specterops.io/resources/community-support/getting-help). ## BloodHound Operator usage example diff --git a/docs/security-assessment-mapping.json b/docs/security-assessment-mapping.json index 98182f9..ff0a746 100644 --- a/docs/security-assessment-mapping.json +++ b/docs/security-assessment-mapping.json @@ -1628,7 +1628,7 @@ { "bloodhound_query": { "guid": "944cecfe-519b-4318-b226-e8520161b454", - "name": "Non-Tier Zero object with excessive control" + "name": "Non-Tier Zero principal with excessive control" }, "maps_to": [ { 
@@ -3019,7 +3019,7 @@ { "bloodhound_query": { "guid": "eeed0434-28e3-4d84-9dfb-9108d5997589", - "name": "Objects created in the last 10 days" + "name": "Objects created in the past 10 days" }, "maps_to": [ { @@ -3356,7 +3356,7 @@ { "bloodhound_query": { "guid": "622bf05c-b34b-4538-9a1e-524a2f6f58b0", - "name": "Computers members of built-in privileged groups" + "name": "Computers with membership in default privileged groups" }, "maps_to": [ { @@ -3375,7 +3375,7 @@ { "bloodhound_query": { "guid": "96e86fb9-4cd6-4df3-81a6-e36fd7a34614", - "name": "Principals with write Shadow Credentials on Tier Zero principals" + "name": "Principals that can write Shadow Credentials on Tier Zero principals" }, "maps_to": [ { @@ -3393,8 +3393,8 @@ }, { "bloodhound_query": { - "guid": "ef587ba1-a740-4bcf-b4e0-e1137d01b1af", - "name": "Non-Tier Zero principals with access to gMSA passwords" + "guid": "10d0ee8e-17ec-4f6c-9b94-8dffe548f9d4", + "name": "Non-Tier Zero principals with access to enabled gMSA passwords" }, "maps_to": [ { @@ -3689,4 +3689,4 @@ ] } ] -} \ No newline at end of file +} diff --git a/docs/security-assessment-mapping.md b/docs/security-assessment-mapping.md index 5829bfa..20fdff5 100644 --- a/docs/security-assessment-mapping.md +++ b/docs/security-assessment-mapping.md @@ -9,7 +9,7 @@ The BloodHound-centric mapping data is available at [security-assessment-mapping ## Assessment Coverage Overview -The following show which other security tools the mapping supports and the number BloodHound queries in the BloodHound Query Library that correspond to controls performed by the tools. +The following shows which other security tools the mapping supports and the number of BloodHound queries in the BloodHound Query Library that correspond to controls performed by the tools. | Security Tool | Total Controls | Mapped Controls | Coverage | |---------------|-------------------|---------------|----------| 
@@ -27,7 +27,7 @@ Each mapping includes a type that describes the relationship: Each BloodHound query entry includes its GUID and an array of tool mappings. Tool mappings specify the security tool, specific control details, mapping type, and any relevant notes about scope differences. -For example, the below mapping excerpt shows the BloodHound query [Tier Zero computers with passwords older than the default maximum password age](../queries/Tier%20Zero%20computers%20with%20passwords%20older%20than%20the%20default%20maximum%20password%20age.yml) maps to one PingCastle control and one MDI, while also supsesetting them - increasing risk coverage by expanding the scope to Tier Zero. +For example, the below mapping excerpt shows the BloodHound query [Tier Zero computers with passwords older than the default maximum password age](../queries/Tier%20Zero%20computers%20with%20passwords%20older%20than%20the%20default%20maximum%20password%20age.yml) maps to one PingCastle control and one MDI, while also supersetting them, increasing risk coverage by expanding the scope to Tier Zero. ```json { diff --git a/queries.specterops.io.png b/queries.specterops.io.png index b8a67b5..67cc4a9 100644 Binary files a/queries.specterops.io.png and b/queries.specterops.io.png differ
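Review bot: the four name-only hunks in docs/security-assessment-mapping.json (@@ -1628, @@ -3019, @@ -3356, @@ -3375) change the `name` field while leaving the `guid` as-is, so they only stay correct if the query files under queries/ were renamed identically; confirm each new name matches the `name` in the corresponding YAML (e.g. "Non-Tier Zero principal with excessive control" for guid 944cecfe-…), since the GUID is the key that ties a mapping entry to a query and a mismatched display name will mislead anyone reading the rendered mapping page.

Review bot: the hunk at @@ -3393,8 in docs/security-assessment-mapping.json swaps the GUID (ef587ba1-… to 10d0ee8e-…) and narrows the query to "Non-Tier Zero principals with access to enabled gMSA passwords", but the `maps_to` block beneath it is untouched; since the mapping notes are meant to record scope differences against the mapped tool controls (security-assessment-mapping.md: "Tool mappings specify the security tool, specific control details, mapping type, and any relevant notes about scope differences"), check whether the PingCastle/MDI controls this entry maps to also cover disabled gMSAs and, if so, update the mapping type or notes accordingly. Also verify that a query file with GUID 10d0ee8e-… exists and that the retired GUID ef587ba1-… is referenced nowhere else, otherwise the Mapped Controls counts in the coverage table will drift.

Review bot: the second `+` line of the @@ -27,7 hunk in docs/security-assessment-mapping.md fixes "supsesetting" but still reads "maps to one PingCastle control and one MDI" with no noun after "MDI"; since the sentence is being rewritten anyway, complete it, e.g. "maps to one PingCastle control and one MDI control, while also supersetting them, increasing risk coverage by expanding the scope to Tier Zero."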