{
  "queries": [
    {
      "name": "Find all Certificate Templates",
      "category": "Certificates",
      "queryList": [
        {
          "final": true,
          "query": "MATCH (n:GPO) WHERE n.type = 'Certificate Template' RETURN n"
        }
      ]
    },
    {
      "name": "Find enabled Certificate Templates",
      "category": "Certificates",
      "queryList": [
        {
          "final": true,
          "query": "MATCH (n:GPO) WHERE n.type = 'Certificate Template' and n.Enabled = true RETURN n"
        }
      ]
    },
    {
      "name": "Find Certificate Authorities",
      "category": "Certificates",
      "queryList": [
        {
          "final": true,
          "query": "MATCH (n:GPO) WHERE n.type = 'Enrollment Service' RETURN n"
        }
      ]
    },
    {
      "name": "Show Enrollment Rights for Certificate Template",
      "category": "Certificates",
      "queryList": [
        {
          "final": false,
          "title": "Select a Certificate Template...",
          "query": "MATCH (n:GPO) WHERE n.type = 'Certificate Template' RETURN n.name"
        },
        {
          "final": true,
          "query": "MATCH p=(g)-[:Enroll|AutoEnroll]->(n:GPO {name:$result}) WHERE n.type = 'Certificate Template' return p",
          "allowCollapse": false
        }
      ]
    },
    {
      "name": "Show Rights for Certificate Authority",
      "category": "Certificates",
      "queryList": [
        {
          "final": false,
          "title": "Select a Certificate Authority...",
          "query": "MATCH (n:GPO) WHERE n.type = 'Enrollment Service' RETURN n.name"
        },
        {
          "final": true,
          "query": "MATCH p=(g)-[:ManageCa|ManageCertificates|Auditor|Operator|Read|Enroll]->(n:GPO {name:$result}) return p",
          "allowCollapse": false
        }
      ]
    },
    {
      "name": "Find Misconfigured Certificate Templates (ESC1)",
      "category": "Domain Escalation",
      "queryList": [
        {
          "final": true,
          "query": "MATCH (n:GPO) WHERE n.type = 'Certificate Template' and n.`Enrollee Supplies Subject` = true and n.`Client Authentication` = true and n.`Enabled` = true  RETURN n"
        }
      ]
    },
    {
      "name": "Shortest Paths to Misconfigured Certificate Templates from Owned Principals (ESC1)",
      "category": "Domain Escalation",
      "queryList": [
        {
          "final": true,
          "query": "MATCH p=allShortestPaths((g {owned:true})-[*1..]->(n:GPO)) WHERE  g<>n and n.type = 'Certificate Template' and n.`Enrollee Supplies Subject` = true and n.`Client Authentication` = true and n.`Enabled` = true return p"
        }
      ]
    },
    {
      "name": "Find Misconfigured Certificate Templates (ESC2)",
      "category": "Domain Escalation",
      "queryList": [
        {
          "final": true,
          "query": "MATCH (n:GPO) WHERE n.type = 'Certificate Template' and n.`Enabled` = true and (n.`Extended Key Usage` = [] or 'Any Purpose' IN n.`Extended Key Usage` or n.`Any Purpose` = True) RETURN n"
        }
      ]
    },
    {
      "name": "Shortest Paths to Misconfigured Certificate Templates from Owned Principals (ESC2)",
      "category": "Domain Escalation",
      "queryList": [
        {
          "final": true,
          "query": "MATCH p=allShortestPaths((g {owned:true})-[*1..]->(n:GPO)) WHERE  g<>n and n.type = 'Certificate Template' and n.`Enabled` = true and (n.`Extended Key Usage` = [] or 'Any Purpose' IN n.`Extended Key Usage` or n.`Any Purpose` = True) RETURN p"
        }
      ]
    },
    {
      "name": "Find Enrollment Agent Templates (ESC3)",
      "category": "Domain Escalation",
      "queryList": [
        {
          "final": true,
          "query": "MATCH (n:GPO) WHERE n.type = 'Certificate Template' and n.`Enabled` = true and (n.`Extended Key Usage` = [] or 'Any Purpose' IN n.`Extended Key Usage` or 'Certificate Request Agent' IN n.`Extended Key Usage` or n.`Any Purpose` = True) RETURN n"
        }
      ]
    },
    {
      "name": "Shortest Paths to Enrollment Agent Templates from Owned Principals (ESC3)",
      "category": "Domain Escalation",
      "queryList": [
        {
          "final": true,
          "query": "MATCH p=allShortestPaths((g {owned:true})-[*1..]->(n:GPO)) WHERE  g<>n and n.type = 'Certificate Template' and n.`Enabled` = true and (n.`Extended Key Usage` = [] or 'Any Purpose' IN n.`Extended Key Usage` or n.`Any Purpose` = True or 'Certificate Request Agent' IN n.`Extended Key Usage`) RETURN p"
        }
      ]
    },
    {
      "name": "Shortest Paths to Vulnerable Certificate Template Access Control (ESC4)",
      "category": "Domain Escalation",
      "queryList": [
        {
          "final": true,
          "query": "MATCH p=shortestPath((g)-[:GenericAll|GenericWrite|Owns|WriteDacl|WriteOwner*1..]->(n:GPO)) WHERE  g<>n and n.type = 'Certificate Template' and n.`Enabled` = true RETURN p"
        }
      ]
    },
    {
      "name": "Shortest Paths to Vulnerable Certificate Template Access Control from Owned Principals (ESC4)",
      "category": "Domain Escalation",
      "queryList": [
        {
          "final": true,
          "query": "MATCH p=allShortestPaths((g {owned:true})-[r*1..]->(n:GPO)) WHERE g<>n and n.type = 'Certificate Template' and n.Enabled = true and NONE(x in relationships(p) WHERE type(x) = 'Enroll' or type(x) = 'AutoEnroll') return p"
        }
      ]
    },
    {
      "name": "Find Certificate Authorities with User Specified SAN (ESC6)",
      "category": "Domain Escalation",
      "queryList": [
        {
          "final": true,
          "query": "MATCH (n:GPO) WHERE n.type = 'Enrollment Service' and n.`User Specified SAN` = 'Enabled' RETURN n"
        }
      ]
    },
    {
      "name": "Shortest Paths to Vulnerable Certificate Authority Access Control (ESC7)",
      "category": "Domain Escalation",
      "queryList": [
        {
          "final": true,
          "query": "MATCH p=shortestPath((g)-[r:GenericAll|GenericWrite|Owns|WriteDacl|WriteOwner|ManageCa|ManageCertificates*1..]->(n:GPO)) WHERE  g<>n and n.type = 'Enrollment Service' RETURN p"
        }
      ]
    },
    {
      "name": "Shortest Paths to Vulnerable Certificate Authority Access Control from Owned Principals (ESC7)",
      "category": "Domain Escalation",
      "queryList": [
        {
          "final": true,
          "query": "MATCH p=allShortestPaths((g {owned:true})-[*1..]->(n:GPO)) WHERE  g<>n and n.type = 'Enrollment Service' and NONE(x in relationships(p) WHERE type(x) = 'Enroll' or type(x) = 'AutoEnroll') RETURN p"
        }
      ]
    },
    {
      "name": "Find Certificate Authorities with HTTP Web Enrollment (ESC8)",
      "category": "Domain Escalation",
      "queryList": [
        {
          "final": true,
          "query": "MATCH (n:GPO) WHERE n.type = 'Enrollment Service' and n.`Web Enrollment` = 'Enabled' RETURN n"
        }
      ]
    },
    {
      "name": "Find Unsecured Certificate Templates (ESC9)",
      "category": "Domain Escalation",
      "queryList": [
        {
          "final": true,
          "query": "MATCH (n:GPO) WHERE n.type = 'Certificate Template' and n.`Enrollee Supplies Subject` = true and n.`Client Authentication` = true and n.`Enabled` = true  RETURN n"
        }
      ]
    },
    {
      "name": "Find Unsecured Certificate Templates (ESC9)",
      "category": "PKI",
      "queryList": [
        {
          "final": true,
          "query": "MATCH (n:GPO) WHERE n.type = 'Certificate Template' and 'NoSecurityExtension' in n.`Enrollment Flag` and n.`Enabled` = true  RETURN n"
        }
      ]
    },
    {
      "name": "Shortest Paths to Unsecured Certificate Templates from Owned Principals (ESC9)",
      "category": "PKI",
      "queryList": [
        {
          "final": true,
          "query": "MATCH p=allShortestPaths((g {owned:true})-[r*1..]->(n:GPO)) WHERE n.type = 'Certificate Template' and g<>n and 'NoSecurityExtension' in n.`Enrollment Flag` and n.`Enabled` = true and NONE(rel in r WHERE type(rel) in ['EnabledBy','Read','ManageCa','ManageCertificates']) return p"
        }
      ]
    }
  ]
}