Query Types in the Attack Path Query Library

When generating an attack path from a Built-in Query, you can use the following queries within the Query Library.

Note: Some query types may not be available for all users.

Tile Query Types
Bookmarks

When a user saves a custom attack path query, Attack Path Analysis saves the query in the Bookmarks section. Here, you can view the query, the user who created it, and select the bookmark to use to generate an attack path query.

For more information, see (Optional) Save your Query as a Preset/Bookmark.

Active Directory Misconfigurations
  • LAPS Password — Users with permissions to read LAPS Passwords.

  • AdminSDHolder — Users with write/full control access to AdminSDHolder objects.

  • Kerberos Delegation — Users with permissions to perform Kerberos delegation.

  • Domain Admins vulnerable to Kerberos Delegation — Domain Admins that are not members of the Protected Users group or do not have the not-delegated flag set.

  • DNS Admins — Users that are members of the DNS Admins group.

  • Reversible Password Hash — Users whose password is stored in Active Directory using reversible encryption.

  • Password Not Expired — Users whose password never expires.

  • Password Not Required — Users who do not require a password for authentication.

Cloud
  • Exposed cloud storage — Cloud storage that is exposed to the internet.

  • Computers vulnerable from cloud — Computers that have management ports open from the Internet.

  • Publicly exposed workload leads to exfiltration — A publicly exposed web application that leads to compromise of an EC2 workload and access to data in an S3 bucket.

Common Vulnerabilities
  • Bluekeep — Computers that are vulnerable to CVE-2019-0708.

  • EternalBlue — Computers that are vulnerable to CVE-2017-0144.

  • Log4Shell — Computers that are vulnerable to CVE-2021-44228.

  • PrintNightmare — Computers that are vulnerable to CVE-2021-44228.

  • ProxyLogon — Computers that are vulnerable to CVE-2021-26855.

  • Zerologon — Computers that are vulnerable to CVE-2020-1472.

Credentials
  • Domain Admins password reuse — Domain admin users whose passwords are shared by other users.

  • Cracked Passwords — Passwords that could be cracked by an attacker.

  • Kerberoasting — Users vulnerable to the Kerberoasting attack.

Endpoint
  • Computers that Cache Domain Admins — Computers that are not Domain Controllers and cache the credentials of domain admin users.

  • BitLocker — Computers configured without BitLocker.

  • Vulnerable registry service — Computer services that can be altered by unprivileged Domain Users from the Registry.

  • Vulnerable service binaries — Computer services that can be altered by unprivileged Domain Users from a binary file.

  • Services that Cache Domain Admins User — Services that run in the context of domain admin users.

Network
  • Computers with SMBv1 — Computers with SMB version 1 enabled.

  • NBT-NS Poisoning — Paths where LLMNR/NBT-NS poisoning and SMB relay techniques could compromise domain admin users.

Permissions
  • Domain Admin Password Reset — Users who have permissions to reset a domain admin user password.

  • Critical Asset Policy Modification — Users that have permissions to modify a Group Policy Object (GPO) that affects a Critical Asset.

  • Group Membership Modification — Users that have permissions to modify group membership.

  • Network Shares Access — Network shares accessible by the Everyone user group.

Ransomware

Note: The simulations used in these queries do not pose any risk of impact on your system.

  • WannaCry Ransomware Attack — Search for an attack path with WannaCry TTPs, such as the EternalBlue exploit.

  • Fancy Bear APT 28 — Search for an attack vector that mimics APT 28.

  • Maze Ransomware Attack — Search for an attack path with Maze TTPs, such as its distinctive WMI usage.

  • Ryuk Ransomware Attack — Search for an attack path with Ryuk TTPs, such as its distinctive encryption capabilities.

  • REvil Ransomware Attack — Search for an attack path with REvil TTPs, such as its distinctive evasion capabilities.

  • Lazarus Group — Search for an attack vector that mimics Lazarus Group.

  • Petya Ransomware — Search for an attack vector that mimics Petya ransomware.

Top Searches
  • Computers with Domain Admin and Log4Shell — Search for assets that are vulnerable to CVE-2021-44228 and cache the credentials of a Domain Admin account.

  • Network Shares that Can Be Accessed by Non-administrators — Search for network shares with read/write access for a non-administrative account.

  • Services that Run As Domain Admin — Search for system services that run in the context of a Domain Admin account.

  • Computers exposed to the internet via SMBv1 — Search for computers that were found with SMBv1 exposed to the internet.

Vectors
  • Domain Users to Domain Admins — Users in the Domain Users group escalating privileges to the Domain Admins group.

  • Workstations to Critical Assets — An attack path from Workstations to Critical Assets.