SpecterOps · d3vzer0 · Oct 14, 2025 · Sep 10, 2025 · Sep 12, 2025 · Sep 12, 2025
diff --git a/Queries.json b/Queries.json
diff --git a/README.md b/README.md
@@ -80,13 +80,15 @@ Command line usage is easy with the [BloodHound Operator](https://github.com/Sad
 First load the `Queries.json`:
 
 ```powershell
-> $queries = Invoke-RestMethod "https://raw.githubusercontent.com/SpecterOps/BloodHoundQueryLibrary/refs/heads/main/Queries.json"
+$queries = Invoke-RestMethod "https://raw.githubusercontent.com/SpecterOps/BloodHoundQueryLibrary/refs/heads/main/Queries.json"
 ```
 
 Example: Run a query in BloodHound:
 
 ```powershell
-> $queries[0] | BHInvoke
+$queries[0] | BHInvoke
+```
+```
 
 
 Name      : Tier Zero / High Value external Entra ID users
@@ -104,10 +106,32 @@ Timestamp : 17-06-2025 13:55:27
 Duration  : 00:00:00.0265562
 ```
 
-Example:  Import a few queries to BloodHound's Custom Searches:
+Example: Import a few queries to BloodHound's Custom Searches:
+
+```powershell
+$queries[0..4] | New-BHPathQuery
+```
+
+Example: Test all queries
 
 ```powershell
-> $queries[0..4] | New-BHPathQuery
+$results = [System.Collections.ArrayList]::new()
+$queries | % { 
+    "$($results.Count + 1)/$($queries.Count) $($_.name)"
+    $results.Add([PSCustomObject]@{
+        Name = $_.name
+        Time = (Measure-Command { 
+            $errorMsg = $null
+            try {
+                $result = $_ | BHInvoke -WarningAction "Stop"
+            } catch {
+                $errorMsg = $_.Exception.Message
+            }
+        }).TotalSeconds
+        Result = $result
+        Error = $errorMsg
+    }) | Out-Null
+}
 ```
 
 ## Contributing

diff --git a/docs/security-assessment-mapping.json b/docs/security-assessment-mapping.json
@@ -1242,7 +1242,7 @@
 		{
 			"bloodhound_query": {
 				"guid": "944cecfe-519b-4318-b226-e8520161b454",
-				"name": "Non-Tier Zero account with excessive control"
+				"name": "Non-Tier Zero object with excessive control"
 			},
 			"maps_to": [
 				{

diff --git a/...ounts with smart card required in domains where smart account passwords do not expire.yml b/...ounts with smart card required in domains where smart account passwords do not expire.yml
@@ -0,0 +1,15 @@
+name: Accounts with smart card required in domains where smart account passwords do not expire
+guid: bba7985e-f32a-4c62-b1b0-0365bf1455e6
+prebuilt: true
+platforms: Active Directory
+category: Active Directory Hygiene
+description:
+query: |-
+  MATCH p=(s:Domain)-[:Contains*1..]->(t:Base)
+  WHERE s.expirepasswordsonsmartcardonlyaccounts = false
+  AND t.enabled = true
+  AND t.smartcardrequired = true
+  RETURN p
+revision: 1
+resources:
+acknowledgements:
diff --git a/queries/AdminSDHolder to protected objects relationship.yml b/queries/AdminSDHolder to protected objects relationship.yml
@@ -0,0 +1,13 @@
+name: AdminSDHolder to protected objects relationship
+guid: c751f95c-8bb0-4be4-b027-84f5709c91d2
+prebuilt: true
+platforms: Active Directory
+category: Active Directory Hygiene
+description:
+query: |-
+  MATCH p=(n)-[:ProtectAdminGroups]->(m)
+  RETURN p
+  LIMIT 1000
+revision: 1
+resources:
+acknowledgements:
diff --git a/queries/All GPOs applied to a specific computer.yml b/queries/All GPOs applied to a specific computer.yml
@@ -1,7 +1,7 @@
 name: All GPOs applied to a specific Computer
 guid: 1d75a21e-0d34-40c5-9360-281b60737d87
 prebuilt: false
-platform: Active Directory
+platforms: Active Directory
 category: Domain Information
 description: View all GPOs that are applied to any specific computer. This query identifies GPOs that are applied at both the Domain Level and the OU level, saving time in large Active Directory environments where GPO inheritance is complex. Replace "COMPUTER_NAME" with the target computer name or a substring. Note this does not take OU 'Block inheritance' and GPO 'No Override' into account.
 query: |-

diff --git a/queries/All Global Administrators.yml b/queries/All Global Administrators.yml
@@ -5,10 +5,11 @@ platforms: Azure
 category: General
 description: 
 query: |-
-  MATCH p = (:AZBase)-[:AZGlobalAdmin*1..]->(:AZTenant)
+  MATCH p=(:AZBase)-[:AZHasRole*1..]->(t:AZRole)
+  WHERE t.name =~ '(?i)Global Administrator.*'
   RETURN p
   LIMIT 1000
-revision: 1
+revision: 2
 resources: 
 acknowledgements: 
 
diff --git a/queries/All incoming and local paths for a specific computer.yml b/queries/All incoming and local paths for a specific computer.yml
@@ -6,11 +6,11 @@ category: Domain Information
 description: All incoming and local paths for a specific computer; incoming from domain objects and paths local inside the computer.
 query: |-
   // Replace 'HOSTNAME' with the computer's shortname eg. 'SRV01', not FQDN
-  MATCH p=(n:Base)-[:RemoteInteractiveLogonPrivilege|AdminTo|CanRDP|LocalToComputer|MemberOfLocalGroup]-(m:Base)
+  MATCH p=(n:Base)-[:RemoteInteractiveLogonRight|AdminTo|CanRDP|LocalToComputer|MemberOfLocalGroup]-(m:Base)
   WHERE m.name CONTAINS 'HOSTNAME'
   AND m.name CONTAINS '.' // Only see computer-related objects (eg. not AD Groups)
   RETURN p
-revision: 1
+revision: 2
 resources: 
 acknowledgements: Martin Sohn Christensen, @martinsohndk
 
diff --git a/queries/CA Administrators and CA Managers (ESC7).yml b/queries/CA Administrators and CA Managers (ESC7).yml
@@ -0,0 +1,13 @@
+name: CA Administrators and CA Managers (ESC7)
+guid: 77a708b8-962e-4c3d-ad70-e994126aaeba
+prebuilt: true
+platforms: Active Directory
+category: Active Directory Certificate Services
+description:
+query: |-
+  MATCH p = (:Base)-[:ManageCertificates|ManageCA]->(:EnterpriseCA)
+  RETURN p
+  LIMIT 1000
+revision: 1
+resources:
+acknowledgements:
diff --git a/queries/Collection health of specific computer.yml b/queries/Collection health of specific computer.yml
diff --git a/queries/Compromising permissions on ADCS nodes (ESC5).yml b/queries/Compromising permissions on ADCS nodes (ESC5).yml
@@ -0,0 +1,17 @@
+name: Compromising permissions on ADCS nodes (ESC5)
+guid: 396c7b67-fb5d-4c04-bb13-8007f0dfc9b1
+prebuilt: true
+platforms: Active Directory
+category: Active Directory Certificate Services
+description:
+query: |-
+  MATCH p = (n:Base)-[:Owns|WriteOwner|WriteDacl|GenericAll|GenericWrite]->(m:Base)
+  WHERE m.distinguishedname CONTAINS "PUBLIC KEY SERVICES"
+  AND NOT n.objectid ENDS WITH "-512" // Domain Admins
+  AND NOT n.objectid ENDS WITH "-519" // Enterprise Admins
+  AND NOT n.objectid ENDS WITH "-544" // Administrators
+  RETURN p
+  LIMIT 1000
+revision: 1
+resources:
+acknowledgements:
diff --git a/queries/Computers with membership in Protected Users.yml b/queries/Computers with membership in Protected Users.yml
@@ -6,9 +6,9 @@ category: NTLM Relay Attacks
 description: 
 query: |-
   MATCH p = (:Base)-[:MemberOf*1..]->(g:Group)
-  WHERE g.objectid ENDS WITH "-525"
+  WHERE g.objectid ENDS WITH '-525'
   RETURN p LIMIT 1000
-revision: 1
+revision: 2
 resources: 
 acknowledgements: 
 
diff --git a/queries/Computers with non-default Primary Group membership.yml b/queries/Computers with non-default Primary Group membership.yml
@@ -7,11 +7,13 @@ description:
 query: |-
   MATCH p=(n:Computer)-[r:MemberOf]->(g:Group)
   WHERE NOT g.objectid ENDS WITH "-515" // Domain Computers
-  AND NOT g.objectid ENDS WITH "-516" // Domain Controllers
-  AND NOT g.objectid ENDS WITH "-521" // Read-Only Domain Controllers
+  AND NOT n.isdc = true
+  AND NOT n.isreadonlydc = true
   AND r.isprimarygroup = true
   RETURN p
-revision: 1
+revision: 2
 resources: 
+- https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-ada3/e12954a4-6865-4432-94e6-00c310ca87c0
+- https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-adts/5dbcf875-e802-4357-a6e2-1bdff19ff9b5
+- https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-adts/73d11ea7-e634-453e-944d-559654cc91c5
 acknowledgements: Martin Sohn Christensen, @martinsohndk
-
diff --git a/queries/Dangerous privileges for Domain Users groups.yml b/queries/Dangerous privileges for Domain Users groups.yml
@@ -5,11 +5,12 @@ platforms: Active Directory
 category: Dangerous Privileges
 description: 
 query: |-
-  MATCH p=(s:Group)-[:AD_ATTACK_PATHS]->(:Base)
+  MATCH p=(s:Group)-[r:AD_ATTACK_PATHS]->(:Base)
   WHERE s.objectid ENDS WITH '-513'
+  AND NOT r:MemberOf
   RETURN p
   LIMIT 1000
-revision: 2
+revision: 3
 resources: 
 acknowledgements: 
 
diff --git a/queries/Domains where any user can join a computer to the domain.yml b/queries/Domains where any user can join a computer to the domain.yml
@@ -5,10 +5,10 @@ platforms: Active Directory
 category: Active Directory Hygiene
 description: 
 query: |-
-  MATCH (n:Domain)
-  WHERE n.machineaccountquota > 0
-  RETURN n
-revision: 1
+  MATCH (d:Domain)
+  WHERE d.machineaccountquota > 0
+  RETURN d
+revision: 2
 resources: 
 - https://learn.microsoft.com/en-us/troubleshoot/windows-server/active-directory/default-workstation-numbers-join-domain
 - https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/security-policy-settings/add-workstations-to-domain

diff --git a/...rtificate templates published to Enterprise CA with User Specified SAN enabled (ESC6).yml b/...rtificate templates published to Enterprise CA with User Specified SAN enabled (ESC6).yml
@@ -0,0 +1,14 @@
+name: Enrollment rights on certificate templates published to Enterprise CA with User Specified SAN enabled (ESC6)
+guid: ab14e9dc-996c-4737-878c-583c19cdbf5a
+prebuilt: true
+platforms: Active Directory
+category: Active Directory Certificate Services
+description:
+query: |-
+  MATCH p = (:Base)-[:Enroll|GenericAll|AllExtendedRights]->(ct:CertTemplate)-[:PublishedTo]->(eca:EnterpriseCA)
+  WHERE eca.isuserspecifiessanenabled = True
+  RETURN p
+  LIMIT 1000
+revision: 1
+resources:
+acknowledgements:
diff --git a/...tificate templates published to Enterprise CA with vulnerable HTTP(S) endpoint (ESC8).yml b/...tificate templates published to Enterprise CA with vulnerable HTTP(S) endpoint (ESC8).yml
@@ -0,0 +1,14 @@
+name: Enrollment rights on certificate templates published to Enterprise CA with vulnerable HTTP(S) endpoint (ESC8)
+guid: 1c1435b1-bad0-49f2-ba7d-932e047c0af4
+prebuilt: true
+platforms: Active Directory
+category: Active Directory Certificate Services
+description:
+query: |-
+  MATCH p = (:Base)-[:Enroll|GenericAll|AllExtendedRights]->(ct:CertTemplate)-[:PublishedTo]->(eca:EnterpriseCA)
+  WHERE eca.hasvulnerableendpoint = True
+  RETURN p
+  LIMIT 1000
+revision: 1
+resources:
+acknowledgements:
diff --git a/queries/Entra Users with Entra Admin Role approval (direct).yml b/queries/Entra Users with Entra Admin Role approval (direct).yml
@@ -0,0 +1,12 @@
+name: Entra Users with Entra Admin Role approval (direct)
+guid: 74d7993c-24af-4df7-8402-5c6fb22d088c
+prebuilt: true
+platforms: Azure
+category: General
+description:
+query: |-
+  MATCH p = (:AZUser)-[:AZRoleApprover]->(:AZRole)
+  RETURN p LIMIT 100
+revision: 1
+resources:
+acknowledgements:
diff --git a/queries/Entra Users with Entra Admin Role approval (group delegated).yml b/queries/Entra Users with Entra Admin Role approval (group delegated).yml
@@ -0,0 +1,12 @@
+name: Entra Users with Entra Admin Role approval (group delegated)
+guid: b70a6512-21e1-4d6e-926a-fba44646085d
+prebuilt: true
+platforms: Azure
+category: General
+description:
+query: |-
+  MATCH p = (:AZUser)-[:AZMemberOf]->(:AZGroup)-[:AZRoleApprover]->(:AZRole)
+  RETURN p LIMIT 100
+revision: 1
+resources:
+acknowledgements:
diff --git a/queries/Entra Users with Entra Admin Role direct eligibility.yml b/queries/Entra Users with Entra Admin Role direct eligibility.yml
@@ -0,0 +1,12 @@
+name: Entra Users with Entra Admin Role direct eligibility
+guid: b87899ce-3a51-401a-ae39-ef271b566e3d
+prebuilt: true
+platforms: Azure
+category: General
+description:
+query: |-
+  MATCH p = (:AZUser)-[:AZRoleEligible]->(:AZRole)
+  RETURN p LIMIT 100
+revision: 1
+resources:
+acknowledgements:
diff --git a/queries/Entra Users with Entra Admin Roles group delegated eligibility.yml b/queries/Entra Users with Entra Admin Roles group delegated eligibility.yml
@@ -0,0 +1,12 @@
+name: Entra Users with Entra Admin Roles group delegated eligibility
+guid: 2e36c81b-25ed-40ba-afec-5f5f6443e095
+prebuilt: true
+platforms: Azure
+category: General
+description:
+query: |-
+  MATCH p = (:AZUser)-[:AZMemberOf]->(:AZGroup)-[:AZRoleEligible]->(:AZRole)
+  RETURN p LIMIT 100
+revision: 1
+resources:
+acknowledgements:
diff --git a/queries/Kerberoastable members of Tier Zero High Value groups.yml b/queries/Kerberoastable members of Tier Zero High Value groups.yml
@@ -6,14 +6,14 @@ category: Kerberos Interaction
 description: 
 query: |-
   MATCH (u:User)
-  WHERE (u:Tag_Tier_Zero) AND u.hasspn=true
+  WHERE ((u:Tag_Tier_Zero) OR COALESCE(u.system_tags, '') CONTAINS 'admin_tier_0') AND u.hasspn=true
   AND u.enabled = true
   AND NOT u.objectid ENDS WITH '-502'
   AND NOT COALESCE(u.gmsa, false) = true
   AND NOT COALESCE(u.msa, false) = true 
   RETURN u
   LIMIT 100
-revision: 1
+revision: 2
 resources: https://attack.mitre.org/techniques/T1558/003/
 acknowledgements: 
 
diff --git a/queries/Location of AdminSDHolder Protected objects.yml b/queries/Location of AdminSDHolder Protected objects.yml
@@ -0,0 +1,14 @@
+name: Location of AdminSDHolder Protected objects
+guid: 3408ccaf-1f42-4c10-b09a-e986661f84d7
+prebuilt: true
+platforms: Active Directory
+category: Domain Information
+description:
+query: |-
+  MATCH p = (n:Base)<-[:Contains*1..]-(:Domain)
+  WHERE n.adminsdholderprotected = True
+  RETURN p
+  LIMIT 1000
+revision: 1
+resources:
+acknowledgements:
diff --git a/queries/Locations of Owned objects - AD.yml b/queries/Locations of Owned objects - AD.yml
@@ -0,0 +1,15 @@
+name: Locations of Owned objects
+guid: c88bfab4-3da0-4b36-b71d-7b324ebd2243
+prebuilt: false
+platforms: Active Directory
+category: Domain Information
+description: 
+query: |-
+  MATCH p = (t:Base)<-[:Contains*1..]-(:Domain)
+  WHERE ((t:Tag_Owned) OR COALESCE(t.system_tags, '') CONTAINS 'owned')
+  RETURN p
+  LIMIT 1000
+revision: 1
+resources: 
+acknowledgements: Martin Sohn Christensen, @martinsohndk
+
diff --git a/queries/Locations of Owned objects - AZ.yml b/queries/Locations of Owned objects - AZ.yml
@@ -0,0 +1,15 @@
+name: Locations of Owned objects
+guid: 350b8b8a-ea4c-44f3-874b-c9316de6c41b
+prebuilt: false
+platforms: Azure
+category: General
+description: 
+query: |-
+  MATCH p = (t:AZBase)<-[:AZContains*1..]-(:AZTenant)
+  WHERE ((t:Tag_Owned) OR COALESCE(t.system_tags, '') CONTAINS 'owned')
+  RETURN p
+  LIMIT 1000
+revision: 1
+resources: 
+acknowledgements: Martin Sohn Christensen, @martinsohndk
+