{"resources":{"activedirectory":{"id":"activedirectory","name":"activedirectory","fields":{"certificateAuthorities":{"name":"certificateAuthorities","type":"\u0019\u001bactivedirectory.certificateAuthority","title":"Certificate authorities","provider":"go.mondoo.com/mql/v13/providers/activedirectory"},"certificateAuthority":{"name":"certificateAuthority","type":"\u001bactivedirectory.certificateAuthority","title":"Active Directory Certificate Services certificate authority","desc":" Examine a single Enterprise CA's enrollment-service entry: identity, distinguished name, the DNS hostname of the CA server, CA type (Enterprise Root, Enterprise Subordinate, etc.), the CA certificate expiration, and the templates published on this CA. Surfaces the security-relevant ACLs and endpoints — whether any low-privileged principal holds ManageCA or ManageCertificates rights (ESC7) along with the principal list, whether the CA exposes HTTP (non-TLS) enrollment endpoints (ESC8) along with the endpoint URLs, and whether enrollment-agent restrictions are configured.","provider":"go.mondoo.com/mql/v13/providers/activedirectory","is_implicit_resource":true},"certificateTemplate":{"name":"certificateTemplate","type":"\u001bactivedirectory.certificateTemplate","title":"Active Directory Certificate Services template","desc":" Examine a single AD CS certificate template: identity (common name, display name, distinguished name, OID, schema version), the validity and renewal periods, whether the template is published on at least one Enterprise CA, and the security-relevant configuration: enrollee-supplies-subject (ESC1 indicator), the EKU set including authentication / Any-Purpose / no-EKU markers, the manager-approval requirement, authorized-signature count, the raw msPKI-Enrollment-Flag and msPKI-Certificate-Name-Flag bitmasks, the issuance-policy OID list, and the enrollment ACL with a low-privileged-enrollment marker. 
Pre-computed boolean flags surface AD CS escalation risks (ESC1, ESC2, ESC3, ESC4, ESC9 from no-security-extension, ESC13 via privileged-group-linked issuance policy) so policies can fire directly on those.","provider":"go.mondoo.com/mql/v13/providers/activedirectory","is_implicit_resource":true},"certificateTemplates":{"name":"certificateTemplates","type":"\u0019\u001bactivedirectory.certificateTemplate","title":"Certificate templates (ADCS)","provider":"go.mondoo.com/mql/v13/providers/activedirectory"},"computer":{"name":"computer","type":"\u001bactivedirectory.computer","title":"Active Directory computer account","desc":" Examine a single computer object: identity (sAMAccountName with the trailing `$`, DNS hostname, distinguished name, SID), enabled state, the OS name / version / service pack, lifecycle timestamps (created, password-last-set, last-logon-timestamp, password age, days-since-last-logon, stale flag), the raw userAccountControl bitmask plus delegation surface (unconstrained delegation, constrained delegation and its targets, resource-based constrained delegation, protocol transition / TRUSTED_TO_AUTH_FOR_DELEGATION), the configured Service Principal Names, LAPS deployment and password expiration, OU placement, and whether the computer is a domain controller. 
Used for inventory, stale-machine cleanup, and Kerberos-delegation attack-path reviews.","provider":"go.mondoo.com/mql/v13/providers/activedirectory","is_implicit_resource":true},"computers":{"name":"computers","type":"\u0019\u001bactivedirectory.computer","title":"All computer accounts","provider":"go.mondoo.com/mql/v13/providers/activedirectory"},"dangerousPermission":{"name":"dangerousPermission","type":"\u001bactivedirectory.dangerousPermission","title":"Dangerous ACL delegation on a critical AD object","desc":" Examine a single attack-path finding where a low-privileged principal holds rights — GenericAll, WriteDACL, WriteOwner, GenericWrite, DCSync, ForceChangePassword — on a sensitive Active Directory object. Each finding records the target distinguished name and friendly name, the target category (domain head, AdminSDHolder, privileged group, DC computer, user, or OU), the principal SID that received the grant, the type of right granted, and the raw access mask. Iterating `activedirectory.dangerousPermissions` surfaces the canonical AD take-over primitives auditors check for.","provider":"go.mondoo.com/mql/v13/providers/activedirectory","is_implicit_resource":true},"dangerousPermissions":{"name":"dangerousPermissions","type":"\u0019\u001bactivedirectory.dangerousPermission","title":"Dangerous ACL delegations on critical AD objects","provider":"go.mondoo.com/mql/v13/providers/activedirectory"},"distinguishedName":{"name":"distinguishedName","type":"\u0007","is_mandatory":true,"title":"Domain distinguished name (e.g., DC=corp,DC=example,DC=com)","provider":"go.mondoo.com/mql/v13/providers/activedirectory"},"dnsZone":{"name":"dnsZone","type":"\u001bactivedirectory.dnsZone","title":"Active Directory-integrated DNS zone","desc":" Examine a DNS zone whose records are stored in AD itself: zone name, distinguished name, zone type (forward / reverse / stub / etc.), and the dynamic-update posture — whether dynamic updates are accepted at all and whether the zone is 
restricted to secure-only updates. The combination of these two flags is the standard \"DNS hardening\" finding for AD-integrated zones.","provider":"go.mondoo.com/mql/v13/providers/activedirectory","is_implicit_resource":true},"dnsZones":{"name":"dnsZones","type":"\u0019\u001bactivedirectory.dnsZone","title":"DNS zones","provider":"go.mondoo.com/mql/v13/providers/activedirectory"},"domain":{"name":"domain","type":"\u0007","is_mandatory":true,"title":"Domain DNS name (e.g., corp.example.com)","provider":"go.mondoo.com/mql/v13/providers/activedirectory"},"domainController":{"name":"domainController","type":"\u001bactivedirectory.domainController","title":"Active Directory domain controller","desc":" Examine a single domain controller computer object: DNS hostname, distinguished name, OS name and version, role flags (Global Catalog, Read-Only DC), site placement, and the most recent password-set and logon-timestamp values. Use it to inventory DCs, find unsupported OS versions, and detect DCs that haven't replicated recently.","provider":"go.mondoo.com/mql/v13/providers/activedirectory","is_implicit_resource":true},"domainControllers":{"name":"domainControllers","type":"\u0019\u001bactivedirectory.domainController","title":"Domain controllers","provider":"go.mondoo.com/mql/v13/providers/activedirectory"},"domainPasswordPolicy":{"name":"domainPasswordPolicy","type":"\u001bactivedirectory.domainPasswordPolicy","title":"Active Directory default-domain password policy","desc":" Examine the password policy applied to every user that isn't covered by a fine-grained policy: minimum / maximum password age, minimum length, password-history depth, complexity-required flag, and the reversible-encryption flag (which weakens password storage). Also exposes the account-lockout configuration: threshold, duration, and observation window. 
Auditors read this to verify the domain meets password and lockout benchmarks.","provider":"go.mondoo.com/mql/v13/providers/activedirectory","is_implicit_resource":true},"domainSid":{"name":"domainSid","type":"\u0007","is_mandatory":true,"title":"Domain SID","provider":"go.mondoo.com/mql/v13/providers/activedirectory"},"fineGrainedPasswordPolicies":{"name":"fineGrainedPasswordPolicies","type":"\u0019\u001bactivedirectory.fineGrainedPasswordPolicy","title":"Fine-Grained Password Policies","provider":"go.mondoo.com/mql/v13/providers/activedirectory"},"fineGrainedPasswordPolicy":{"name":"fineGrainedPasswordPolicy","type":"\u001bactivedirectory.fineGrainedPasswordPolicy","title":"Active Directory fine-grained password policy","desc":" Examine a single Password Settings Object (PSO) that overrides the default-domain password policy for a specific set of principals: minimum / maximum age, minimum length, history depth, complexity-required flag, reversible-encryption flag, and the lockout threshold and duration. Each PSO carries a precedence (lower wins) and an `appliesTo` list naming the users or groups it covers. 
Use it to confirm that privileged groups are bound to a stronger PSO than the default domain policy.","provider":"go.mondoo.com/mql/v13/providers/activedirectory","is_implicit_resource":true},"forestFunctionalLevel":{"name":"forestFunctionalLevel","type":"\u0007","is_mandatory":true,"title":"Forest functional level","provider":"go.mondoo.com/mql/v13/providers/activedirectory"},"forestName":{"name":"forestName","type":"\u0007","is_mandatory":true,"title":"Forest DNS name","provider":"go.mondoo.com/mql/v13/providers/activedirectory"},"functionalLevel":{"name":"functionalLevel","type":"\u0007","is_mandatory":true,"title":"Domain functional level (e.g., \"2016\")","provider":"go.mondoo.com/mql/v13/providers/activedirectory"},"gpo":{"name":"gpo","type":"\u001bactivedirectory.gpo","title":"Active Directory Group Policy Object","desc":" Examine a single GPO: GUID and display name, distinguished name, GPO status (enabled / disabled / user-side disabled / computer-side disabled), SYSVOL file-system path containing the policy template, version number, creation and last-modified timestamps, whether the GPO is linked anywhere, and the per-link metadata (target OU/domain/site, link order, enforced flag, enabled flag) showing exactly where the policy applies.","provider":"go.mondoo.com/mql/v13/providers/activedirectory","is_implicit_resource":true},"gpoLink":{"name":"gpoLink","type":"\u001bactivedirectory.gpoLink","title":"Active Directory GPO link","desc":" Examine a single link record associating a GPO with an OU, domain, or site. The `target` field is the distinguished name of the container the policy is applied to. `order` is the link precedence within that container (1 is highest, applied last). 
`enforced` indicates the link cannot be blocked by child OUs, and `enabled` controls whether the link is active.","provider":"go.mondoo.com/mql/v13/providers/activedirectory","is_implicit_resource":true},"gpos":{"name":"gpos","type":"\u0019\u001bactivedirectory.gpo","title":"Group Policy Objects","provider":"go.mondoo.com/mql/v13/providers/activedirectory"},"group":{"name":"group","type":"\u001bactivedirectory.group","title":"Active Directory group","desc":" Examine a single group object: identity (sAMAccountName, distinguished name, display name, SID), the human-readable groupType description (Security vs Distribution, Global / Universal / DomainLocal scope) plus the raw groupType bitmask, description, adminCount flag, OU placement, and creation timestamp. Iterate `members()` for typed user / group / computer references and use `memberCount()` for size-based rules; the `isPrivileged` flag highlights built-in privileged groups that warrant extra scrutiny in access reviews.","provider":"go.mondoo.com/mql/v13/providers/activedirectory","is_implicit_resource":true},"groupMember":{"name":"groupMember","type":"\u001bactivedirectory.groupMember","title":"Active Directory group member","desc":" Examine a single member entry returned by `activedirectory.group.members()`. 
Each entry records the sAMAccountName or common name in `name`, the full distinguished name, the object SID, and the `type` discriminator — `user`, `group`, or `computer` — so policy can filter by member category without resolving the full object.","provider":"go.mondoo.com/mql/v13/providers/activedirectory","is_implicit_resource":true},"groups":{"name":"groups","type":"\u0019\u001bactivedirectory.group","title":"All groups","provider":"go.mondoo.com/mql/v13/providers/activedirectory"},"lapsEnabled":{"name":"lapsEnabled","type":"\u0004","title":"Whether LAPS schema extension is present","provider":"go.mondoo.com/mql/v13/providers/activedirectory"},"ldapChannelBindingRequired":{"name":"ldapChannelBindingRequired","type":"\u0004","title":"Whether LDAP channel binding is required (LdapEnforceChannelBinding == 2 via remote registry)","min_provider_version":"13.0.2","provider":"go.mondoo.com/mql/v13/providers/activedirectory"},"ldapSigningRequired":{"name":"ldapSigningRequired","type":"\u0004","title":"Whether the DC requires LDAP signing (detected via unsigned simple bind probe with invalid credentials)","provider":"go.mondoo.com/mql/v13/providers/activedirectory"},"machineAccountQuota":{"name":"machineAccountQuota","type":"\u0005","title":"Number of machine accounts any user can create (ms-DS-MachineAccountQuota; should be 0)","provider":"go.mondoo.com/mql/v13/providers/activedirectory"},"netbiosName":{"name":"netbiosName","type":"\u0007","title":"Domain NetBIOS name (requires additional LDAP query against CN=Partitions)","provider":"go.mondoo.com/mql/v13/providers/activedirectory"},"organizationalUnits":{"name":"organizationalUnits","type":"\u0019\u001bactivedirectory.ou","title":"Organizational Units","provider":"go.mondoo.com/mql/v13/providers/activedirectory"},"ou":{"name":"ou","type":"\u001bactivedirectory.ou","title":"Active Directory organizational unit","desc":" Examine a single OU: name, distinguished name, description, creation timestamp, whether GPO 
inheritance is blocked, and the typed list of linked GPOs in link order. OUs are the unit of policy delegation and scoping, so they're the primary container audits walk to find where a GPO actually applies and whether inheritance is being short-circuited.","provider":"go.mondoo.com/mql/v13/providers/activedirectory","is_implicit_resource":true},"passwordPolicy":{"name":"passwordPolicy","type":"\u001bactivedirectory.domainPasswordPolicy","title":"Password policy (default domain policy)","provider":"go.mondoo.com/mql/v13/providers/activedirectory"},"pkiObject":{"name":"pkiObject","type":"\u001bactivedirectory.pkiObject","title":"Active Directory PKI object under CN=Public Key Services","desc":" Examine a single PKI container or object below `CN=Public Key Services,CN=Services,CN=Configuration` (NTAuthCertificates, AIA, the Certificate Templates container, Enrollment Services, etc.): name, distinguished name, primary object class, and its lifecycle timestamps. The `isVulnerableESC5` flag and `dangerousAclPrincipals` list highlight write-equivalent ACL grants on these objects, which allow domain-wide AD CS takeover.","provider":"go.mondoo.com/mql/v13/providers/activedirectory","is_implicit_resource":true},"pkiObjects":{"name":"pkiObjects","type":"\u0019\u001bactivedirectory.pkiObject","title":"PKI objects for ESC5 analysis","provider":"go.mondoo.com/mql/v13/providers/activedirectory"},"recycleBinEnabled":{"name":"recycleBinEnabled","type":"\u0004","title":"Whether the AD Recycle Bin optional feature is enabled","provider":"go.mondoo.com/mql/v13/providers/activedirectory"},"schemaVersion":{"name":"schemaVersion","type":"\u0005","title":"Schema version","provider":"go.mondoo.com/mql/v13/providers/activedirectory"},"smbEncryptionSupported":{"name":"smbEncryptionSupported","type":"\u0004","title":"Whether the DC advertises SMB3 encryption 
capability","min_provider_version":"13.0.2","provider":"go.mondoo.com/mql/v13/providers/activedirectory"},"smbGuestAccessAllowed":{"name":"smbGuestAccessAllowed","type":"\u0004","title":"Whether the DC falls back to guest session on invalid credentials","min_provider_version":"13.0.2","provider":"go.mondoo.com/mql/v13/providers/activedirectory"},"smbHighestDialect":{"name":"smbHighestDialect","type":"\u0007","title":"Highest SMB dialect negotiated by the DC (e.g., \"3.1.1\", \"3.0\", \"2.1\")","min_provider_version":"13.0.2","provider":"go.mondoo.com/mql/v13/providers/activedirectory"},"smbNullSessionAllowed":{"name":"smbNullSessionAllowed","type":"\u0004","title":"Whether the DC accepts SMB null sessions (unauthenticated access)","min_provider_version":"13.0.2","provider":"go.mondoo.com/mql/v13/providers/activedirectory"},"smbSigningRequired":{"name":"smbSigningRequired","type":"\u0004","title":"Whether the DC requires SMB signing (detected via pre-auth negotiate probe on port 445)","min_provider_version":"13.0.2","provider":"go.mondoo.com/mql/v13/providers/activedirectory"},"smbv1Enabled":{"name":"smbv1Enabled","type":"\u0004","title":"Whether the DC still accepts SMBv1 connections (detected via explicit SMB1 negotiate probe)","min_provider_version":"13.0.2","provider":"go.mondoo.com/mql/v13/providers/activedirectory"},"trust":{"name":"trust","type":"\u001bactivedirectory.trust","title":"Active Directory domain trust","desc":" Examine a single trust relationship from the source domain to a target domain: trust type (External, Forest, ParentChild, CrossLink, MIT), trust direction (Inbound / Outbound / Bidirectional), transitivity, the cryptographic posture (AES vs weak RC4 encryption), TGT-delegation flag, SID filtering and SID-history flags, selective-authentication flag, the Azure-AD-trust marker, the raw trust-attributes bitmask, and the trust creation timestamp. 
Used for forest-attack-path reviews and confirming hardening of cross-domain authentication.","provider":"go.mondoo.com/mql/v13/providers/activedirectory","is_implicit_resource":true},"trusts":{"name":"trusts","type":"\u0019\u001bactivedirectory.trust","title":"Domain trusts","provider":"go.mondoo.com/mql/v13/providers/activedirectory"},"user":{"name":"user","type":"\u001bactivedirectory.user","title":"Active Directory user account","desc":" Examine a single user object: identity (sAMAccountName, UPN, display name, distinguished name, SID), enabled state, lifecycle timestamps (creation, password-last-set, last-logon, password age, days-since-last-logon), group memberships, OU placement, email and description fields, and SID history. The resource also surfaces the security-relevant userAccountControl flags as named booleans (password never expires, password not required, sensitive-and-cannot-be-delegated, reversible-encryption, DES-only Kerberos, AS-REP-roastable via pre-auth-not-required) plus the delegation surface (Service Principal Names, Kerberoastable flag, constrained-delegation targets, GMSA flag, Protected Users membership), the adminCount flag indicating adminSDHolder protection, and convenience predicates for Domain Admins / Enterprise Admins / Schema Admins / generic privileged-group membership and stale-account state — the surface auditors use for privilege reviews, Kerberos-attack-path analysis, and dormant-account hygiene.","provider":"go.mondoo.com/mql/v13/providers/activedirectory","is_implicit_resource":true},"users":{"name":"users","type":"\u0019\u001bactivedirectory.user","title":"All user accounts","provider":"go.mondoo.com/mql/v13/providers/activedirectory"}},"title":"Active Directory Domain Services","desc":" Top-level entry point for an Active Directory domain accessed over LDAP against a domain controller. 
Exposes the domain's identity (DNS name, NetBIOS name, distinguished name, SID, functional level, forest), the principals (users, groups, computers), the OU and GPO topology, the domain trusts, the default and fine-grained password policies, the AD CS surface (certificate templates, certificate authorities, PKI objects under CN=Public Key Services), DNS-integrated zones, and the hardening signals auditors check on the contacted DC — LDAP signing, LDAP channel binding, SMB signing, SMBv1 still accepted, SMB3 encryption, SMB null / guest sessions, the highest negotiated SMB dialect — plus metadata used by attack-path tooling (LAPS schema extension, machine-account quota, AD Recycle Bin, schema version) and the dangerous-ACL delegations across critical objects.","min_provider_version":"13.0.1","defaults":"domain functionalLevel","provider":"go.mondoo.com/mql/v13/providers/activedirectory"},"activedirectory.certificateAuthority":{"id":"activedirectory.certificateAuthority","name":"activedirectory.certificateAuthority","fields":{"caType":{"name":"caType","type":"\u0007","is_mandatory":true,"title":"CA type (Enterprise Root, Enterprise Subordinate, etc.)","provider":"go.mondoo.com/mql/v13/providers/activedirectory"},"certificateExpiration":{"name":"certificateExpiration","type":"\t","is_mandatory":true,"title":"CA certificate expiration","provider":"go.mondoo.com/mql/v13/providers/activedirectory"},"certificateTemplates":{"name":"certificateTemplates","type":"\u0019\u0007","is_mandatory":true,"title":"Certificate template CN names published on this CA","provider":"go.mondoo.com/mql/v13/providers/activedirectory"},"dangerousCAPermissions":{"name":"dangerousCAPermissions","type":"\u0019\u0007","is_mandatory":true,"title":"Principals with ManageCA or ManageCertificates rights","provider":"go.mondoo.com/mql/v13/providers/activedirectory"},"distinguishedName":{"name":"distinguishedName","type":"\u0007","is_mandatory":true,"title":"Distinguished 
name","provider":"go.mondoo.com/mql/v13/providers/activedirectory"},"dnsHostname":{"name":"dnsHostname","type":"\u0007","is_mandatory":true,"title":"DNS hostname of the CA server","provider":"go.mondoo.com/mql/v13/providers/activedirectory"},"enrollmentAgentRestrictionsConfigured":{"name":"enrollmentAgentRestrictionsConfigured","type":"\u0004","is_mandatory":true,"title":"Whether enrollment agent restrictions are configured on this CA","provider":"go.mondoo.com/mql/v13/providers/activedirectory"},"hasHttpEnrollment":{"name":"hasHttpEnrollment","type":"\u0004","is_mandatory":true,"title":"Whether the CA has HTTP (non-TLS) enrollment endpoints (ESC8)","provider":"go.mondoo.com/mql/v13/providers/activedirectory"},"httpEnrollmentEndpoints":{"name":"httpEnrollmentEndpoints","type":"\u0019\u0007","is_mandatory":true,"title":"HTTP(S) enrollment endpoint URLs registered for this CA","provider":"go.mondoo.com/mql/v13/providers/activedirectory"},"isVulnerableESC7":{"name":"isVulnerableESC7","type":"\u0004","is_mandatory":true,"title":"Whether any low-privilege principal has ManageCA rights (ESC7)","provider":"go.mondoo.com/mql/v13/providers/activedirectory"},"name":{"name":"name","type":"\u0007","is_mandatory":true,"title":"CA name","provider":"go.mondoo.com/mql/v13/providers/activedirectory"}},"title":"Active Directory Certificate Services certificate authority","desc":" Examine a single Enterprise CA's enrollment-service entry: identity, distinguished name, the DNS hostname of the CA server, CA type (Enterprise Root, Enterprise Subordinate, etc.), the CA certificate expiration, and the templates published on this CA. 
Surfaces the security-relevant ACLs and endpoints — whether any low-privileged principal holds ManageCA or ManageCertificates rights (ESC7) along with the principal list, whether the CA exposes HTTP (non-TLS) enrollment endpoints (ESC8) along with the endpoint URLs, and whether enrollment-agent restrictions are configured.","min_provider_version":"13.0.1","defaults":"name","provider":"go.mondoo.com/mql/v13/providers/activedirectory"},"activedirectory.certificateTemplate":{"id":"activedirectory.certificateTemplate","name":"activedirectory.certificateTemplate","fields":{"authorizedSignaturesRequired":{"name":"authorizedSignaturesRequired","type":"\u0005","is_mandatory":true,"title":"Number of authorized signatures required","provider":"go.mondoo.com/mql/v13/providers/activedirectory"},"certificateNameFlags":{"name":"certificateNameFlags","type":"\u0005","is_mandatory":true,"title":"Raw msPKI-Certificate-Name-Flag bitmask controlling subject-name encoding and SAN inclusion","provider":"go.mondoo.com/mql/v13/providers/activedirectory"},"displayName":{"name":"displayName","type":"\u0007","is_mandatory":true,"title":"Template display name","provider":"go.mondoo.com/mql/v13/providers/activedirectory"},"distinguishedName":{"name":"distinguishedName","type":"\u0007","is_mandatory":true,"title":"Distinguished name in CN=Certificate Templates","provider":"go.mondoo.com/mql/v13/providers/activedirectory"},"enrolleeSuppliesSubject":{"name":"enrolleeSuppliesSubject","type":"\u0004","is_mandatory":true,"title":"Whether enrollee can supply the Subject Alternative Name (ESC1 indicator)","provider":"go.mondoo.com/mql/v13/providers/activedirectory"},"enrollmentFlags":{"name":"enrollmentFlags","type":"\u0005","is_mandatory":true,"title":"Raw msPKI-Enrollment-Flag bitmask controlling template enrollment behavior (auto-enrollment, user interaction, 
publishing)","provider":"go.mondoo.com/mql/v13/providers/activedirectory"},"enrollmentPermissions":{"name":"enrollmentPermissions","type":"\u0019\u0007","is_mandatory":true,"title":"Principals that can enroll","provider":"go.mondoo.com/mql/v13/providers/activedirectory"},"extendedKeyUsages":{"name":"extendedKeyUsages","type":"\u0019\u0007","is_mandatory":true,"title":"Extended Key Usages (OIDs)","provider":"go.mondoo.com/mql/v13/providers/activedirectory"},"hasAnyPurposeEku":{"name":"hasAnyPurposeEku","type":"\u0004","is_mandatory":true,"title":"Whether template has \"Any Purpose\" EKU (2.5.29.37.0)","provider":"go.mondoo.com/mql/v13/providers/activedirectory"},"hasAuthenticationEku":{"name":"hasAuthenticationEku","type":"\u0004","is_mandatory":true,"title":"Whether template has authentication EKU","provider":"go.mondoo.com/mql/v13/providers/activedirectory"},"hasNoEku":{"name":"hasNoEku","type":"\u0004","is_mandatory":true,"title":"Whether template has no EKU (subordinate CA risk - ESC2)","provider":"go.mondoo.com/mql/v13/providers/activedirectory"},"isPublished":{"name":"isPublished","type":"\u0004","is_mandatory":true,"title":"Whether the template is published on at least one Enterprise CA","provider":"go.mondoo.com/mql/v13/providers/activedirectory"},"isVulnerableESC1":{"name":"isVulnerableESC1","type":"\u0004","is_mandatory":true,"title":"Whether the template is vulnerable to ESC1","provider":"go.mondoo.com/mql/v13/providers/activedirectory"},"isVulnerableESC13":{"name":"isVulnerableESC13","type":"\u0004","is_mandatory":true,"title":"Whether the template is vulnerable to ESC13 (issuance policy OID linked to privileged group)","provider":"go.mondoo.com/mql/v13/providers/activedirectory"},"isVulnerableESC2":{"name":"isVulnerableESC2","type":"\u0004","is_mandatory":true,"title":"Whether the template is vulnerable to 
ESC2","provider":"go.mondoo.com/mql/v13/providers/activedirectory"},"isVulnerableESC3":{"name":"isVulnerableESC3","type":"\u0004","is_mandatory":true,"title":"Whether the template is vulnerable to ESC3 (Certificate Request Agent EKU abuse)","provider":"go.mondoo.com/mql/v13/providers/activedirectory"},"isVulnerableESC4":{"name":"isVulnerableESC4","type":"\u0004","is_mandatory":true,"title":"Whether the template is vulnerable to ESC4 (overly permissive template ACL)","provider":"go.mondoo.com/mql/v13/providers/activedirectory"},"isVulnerableESC9":{"name":"isVulnerableESC9","type":"\u0004","is_mandatory":true,"title":"Whether the template is vulnerable to ESC9 (no security extension with auth EKU)","provider":"go.mondoo.com/mql/v13/providers/activedirectory"},"issuancePolicies":{"name":"issuancePolicies","type":"\u0019\u0007","is_mandatory":true,"title":"Issuance policy OIDs (msPKI-Certificate-Policy) referenced by this template","provider":"go.mondoo.com/mql/v13/providers/activedirectory"},"lowPrivilegedEnrollment":{"name":"lowPrivilegedEnrollment","type":"\u0004","is_mandatory":true,"title":"Whether low-privileged users can enroll","provider":"go.mondoo.com/mql/v13/providers/activedirectory"},"managerApprovalRequired":{"name":"managerApprovalRequired","type":"\u0004","is_mandatory":true,"title":"Whether manager approval is required","provider":"go.mondoo.com/mql/v13/providers/activedirectory"},"name":{"name":"name","type":"\u0007","is_mandatory":true,"title":"Template common name","provider":"go.mondoo.com/mql/v13/providers/activedirectory"},"noSecurityExtension":{"name":"noSecurityExtension","type":"\u0004","is_mandatory":true,"title":"Whether CT_FLAG_NO_SECURITY_EXTENSION is set in enrollment flags","provider":"go.mondoo.com/mql/v13/providers/activedirectory"},"oid":{"name":"oid","type":"\u0007","is_mandatory":true,"title":"Template 
OID","provider":"go.mondoo.com/mql/v13/providers/activedirectory"},"renewalPeriod":{"name":"renewalPeriod","type":"\u0007","is_mandatory":true,"title":"Renewal period","provider":"go.mondoo.com/mql/v13/providers/activedirectory"},"schemaVersion":{"name":"schemaVersion","type":"\u0005","is_mandatory":true,"title":"Schema version (1, 2, 3, or 4)","provider":"go.mondoo.com/mql/v13/providers/activedirectory"},"validityPeriod":{"name":"validityPeriod","type":"\u0007","is_mandatory":true,"title":"Validity period","provider":"go.mondoo.com/mql/v13/providers/activedirectory"},"whenChanged":{"name":"whenChanged","type":"\t","is_mandatory":true,"title":"Last modified timestamp","provider":"go.mondoo.com/mql/v13/providers/activedirectory"},"whenCreated":{"name":"whenCreated","type":"\t","is_mandatory":true,"title":"Creation timestamp","provider":"go.mondoo.com/mql/v13/providers/activedirectory"}},"title":"Active Directory Certificate Services template","desc":" Examine a single AD CS certificate template: identity (common name, display name, distinguished name, OID, schema version), the validity and renewal periods, whether the template is published on at least one Enterprise CA, and the security-relevant configuration: enrollee-supplies-subject (ESC1 indicator), the EKU set including authentication / Any-Purpose / no-EKU markers, the manager-approval requirement, authorized-signature count, the raw msPKI-Enrollment-Flag and msPKI-Certificate-Name-Flag bitmasks, the issuance-policy OID list, and the enrollment ACL with a low-privileged-enrollment marker. 
Pre-computed boolean flags surface AD CS escalation risks (ESC1, ESC2, ESC3, ESC4, ESC9 from no-security-extension, ESC13 via privileged-group-linked issuance policy) so policies can fire directly on those.","min_provider_version":"13.0.1","defaults":"name","provider":"go.mondoo.com/mql/v13/providers/activedirectory"},"activedirectory.computer":{"id":"activedirectory.computer","name":"activedirectory.computer","fields":{"constrainedDelegation":{"name":"constrainedDelegation","type":"\u0004","is_mandatory":true,"title":"Whether constrained delegation is configured","provider":"go.mondoo.com/mql/v13/providers/activedirectory"},"constrainedDelegationTargets":{"name":"constrainedDelegationTargets","type":"\u0019\u0007","is_mandatory":true,"title":"Constrained delegation targets","provider":"go.mondoo.com/mql/v13/providers/activedirectory"},"daysSinceLastLogon":{"name":"daysSinceLastLogon","type":"\u0005","is_mandatory":true,"title":"Days since last logon","provider":"go.mondoo.com/mql/v13/providers/activedirectory"},"description":{"name":"description","type":"\u0007","is_mandatory":true,"title":"Description","provider":"go.mondoo.com/mql/v13/providers/activedirectory"},"distinguishedName":{"name":"distinguishedName","type":"\u0007","is_mandatory":true,"title":"Distinguished name","provider":"go.mondoo.com/mql/v13/providers/activedirectory"},"enabled":{"name":"enabled","type":"\u0004","is_mandatory":true,"title":"Whether the account is enabled","provider":"go.mondoo.com/mql/v13/providers/activedirectory"},"isDomainController":{"name":"isDomainController","type":"\u0004","is_mandatory":true,"title":"Whether the computer is a domain controller","provider":"go.mondoo.com/mql/v13/providers/activedirectory"},"isStale":{"name":"isStale","type":"\u0004","is_mandatory":true,"title":"Whether the account is stale (\u003e90 days)","provider":"go.mondoo.com/mql/v13/providers/activedirectory"},"lapsEnabled":{"name":"lapsEnabled","type":"\u0004","is_mandatory":true,"title":"Whether 
LAPS is deployed on this computer","provider":"go.mondoo.com/mql/v13/providers/activedirectory"},"lapsExpirationTime":{"name":"lapsExpirationTime","type":"\t","is_mandatory":true,"title":"LAPS password expiration time","provider":"go.mondoo.com/mql/v13/providers/activedirectory"},"lastLogonTimestamp":{"name":"lastLogonTimestamp","type":"\t","is_mandatory":true,"title":"Last logon timestamp (from lastLogonTimestamp)","provider":"go.mondoo.com/mql/v13/providers/activedirectory"},"name":{"name":"name","type":"\u0007","is_mandatory":true,"title":"DNS hostname","provider":"go.mondoo.com/mql/v13/providers/activedirectory"},"operatingSystem":{"name":"operatingSystem","type":"\u0007","is_mandatory":true,"title":"Operating system name","provider":"go.mondoo.com/mql/v13/providers/activedirectory"},"operatingSystemServicePack":{"name":"operatingSystemServicePack","type":"\u0007","is_mandatory":true,"title":"Operating system service pack","provider":"go.mondoo.com/mql/v13/providers/activedirectory"},"operatingSystemVersion":{"name":"operatingSystemVersion","type":"\u0007","is_mandatory":true,"title":"Operating system version","provider":"go.mondoo.com/mql/v13/providers/activedirectory"},"ouPath":{"name":"ouPath","type":"\u0007","is_mandatory":true,"title":"Organizational Unit path","provider":"go.mondoo.com/mql/v13/providers/activedirectory"},"passwordAgeDays":{"name":"passwordAgeDays","type":"\u0005","is_mandatory":true,"title":"Password age in days","provider":"go.mondoo.com/mql/v13/providers/activedirectory"},"protocolTransition":{"name":"protocolTransition","type":"\u0004","is_mandatory":true,"title":"Whether protocol transition (S4U2Self) is enabled via TRUSTED_TO_AUTH_FOR_DELEGATION","provider":"go.mondoo.com/mql/v13/providers/activedirectory"},"pwdLastSet":{"name":"pwdLastSet","type":"\t","is_mandatory":true,"title":"Last password set 
timestamp","provider":"go.mondoo.com/mql/v13/providers/activedirectory"},"rbcd":{"name":"rbcd","type":"\u0004","is_mandatory":true,"title":"Resource-based constrained delegation configured","provider":"go.mondoo.com/mql/v13/providers/activedirectory"},"sAMAccountName":{"name":"sAMAccountName","type":"\u0007","is_mandatory":true,"title":"sAMAccountName (includes trailing $)","provider":"go.mondoo.com/mql/v13/providers/activedirectory"},"servicePrincipalNames":{"name":"servicePrincipalNames","type":"\u0019\u0007","is_mandatory":true,"title":"Service Principal Names","provider":"go.mondoo.com/mql/v13/providers/activedirectory"},"sid":{"name":"sid","type":"\u0007","is_mandatory":true,"title":"Object SID","provider":"go.mondoo.com/mql/v13/providers/activedirectory"},"unconstrainedDelegation":{"name":"unconstrainedDelegation","type":"\u0004","is_mandatory":true,"title":"Whether unconstrained delegation is enabled","provider":"go.mondoo.com/mql/v13/providers/activedirectory"},"userAccountControl":{"name":"userAccountControl","type":"\u0005","is_mandatory":true,"title":"Raw userAccountControl bitmask combining account-status, delegation, and encryption flags","provider":"go.mondoo.com/mql/v13/providers/activedirectory"},"whenCreated":{"name":"whenCreated","type":"\t","is_mandatory":true,"title":"Creation timestamp","provider":"go.mondoo.com/mql/v13/providers/activedirectory"}},"title":"Active Directory computer account","desc":" Examine a single computer object: identity (sAMAccountName with the trailing `$`, DNS hostname, distinguished name, SID), enabled state, the OS name / version / service pack, lifecycle timestamps (created, password-last-set, last-logon-timestamp, password age, days-since-last-logon, stale flag), the raw userAccountControl bitmask plus delegation surface (unconstrained delegation, constrained delegation and its targets, resource-based constrained delegation, protocol transition / TRUSTED_TO_AUTH_FOR_DELEGATION), the configured Service Principal 
Names, LAPS deployment and password expiration, OU placement, and whether the computer is a domain controller. Used for inventory, stale-machine cleanup, and Kerberos-delegation attack-path reviews.","min_provider_version":"13.0.1","defaults":"name operatingSystem enabled","provider":"go.mondoo.com/mql/v13/providers/activedirectory"},"activedirectory.dangerousPermission":{"id":"activedirectory.dangerousPermission","name":"activedirectory.dangerousPermission","fields":{"accessMask":{"name":"accessMask","type":"\u0005","is_mandatory":true,"title":"Raw access mask value","provider":"go.mondoo.com/mql/v13/providers/activedirectory"},"principalSID":{"name":"principalSID","type":"\u0007","is_mandatory":true,"title":"SID of the principal granted dangerous access","provider":"go.mondoo.com/mql/v13/providers/activedirectory"},"rightType":{"name":"rightType","type":"\u0007","is_mandatory":true,"title":"Type of dangerous right (GenericAll, WriteDACL, WriteOwner, GenericWrite, DCSync, ForceChangePassword)","provider":"go.mondoo.com/mql/v13/providers/activedirectory"},"targetDN":{"name":"targetDN","type":"\u0007","is_mandatory":true,"title":"DN of the AD object with the dangerous ACL","provider":"go.mondoo.com/mql/v13/providers/activedirectory"},"targetName":{"name":"targetName","type":"\u0007","is_mandatory":true,"title":"Friendly name of the target object","provider":"go.mondoo.com/mql/v13/providers/activedirectory"},"targetType":{"name":"targetType","type":"\u0007","is_mandatory":true,"title":"Category of the target (domain, adminSDHolder, group, computer, user, ou)","provider":"go.mondoo.com/mql/v13/providers/activedirectory"}},"title":"Dangerous ACL delegation on a critical AD object","desc":" Examine a single attack-path finding where a low-privileged principal holds rights — GenericAll, WriteDACL, WriteOwner, GenericWrite, DCSync, ForceChangePassword — on a sensitive Active Directory object. 
Each finding records the target distinguished name and friendly name, the target category (domain head, AdminSDHolder, privileged group, DC computer, user, or OU), the principal SID that received the grant, the type of right granted, and the raw access mask. Iterating `activedirectory.dangerousPermissions` surfaces the canonical AD take-over primitives auditors check for.","min_provider_version":"13.0.1","defaults":"targetName rightType principalSID","provider":"go.mondoo.com/mql/v13/providers/activedirectory"},"activedirectory.dnsZone":{"id":"activedirectory.dnsZone","name":"activedirectory.dnsZone","fields":{"distinguishedName":{"name":"distinguishedName","type":"\u0007","is_mandatory":true,"title":"Distinguished name","provider":"go.mondoo.com/mql/v13/providers/activedirectory"},"dynamicUpdate":{"name":"dynamicUpdate","type":"\u0004","is_mandatory":true,"title":"Whether dynamic updates are enabled","provider":"go.mondoo.com/mql/v13/providers/activedirectory"},"name":{"name":"name","type":"\u0007","is_mandatory":true,"title":"Zone name","provider":"go.mondoo.com/mql/v13/providers/activedirectory"},"secureOnly":{"name":"secureOnly","type":"\u0004","is_mandatory":true,"title":"Whether only secure (authenticated) dynamic updates are accepted","provider":"go.mondoo.com/mql/v13/providers/activedirectory"},"zoneType":{"name":"zoneType","type":"\u0007","is_mandatory":true,"title":"Zone type","provider":"go.mondoo.com/mql/v13/providers/activedirectory"}},"title":"Active Directory-integrated DNS zone","desc":" Examine a DNS zone whose records are stored in AD itself: zone name, distinguished name, zone type (forward / reverse / stub / etc.), and the dynamic-update posture — whether dynamic updates are accepted at all and whether the zone is restricted to secure-only updates. 
A zone that accepts dynamic updates without restricting them to secure (authenticated) updates lets any client on the network create or overwrite records, so the combination of these two flags is the standard \"DNS hardening\" finding for AD-integrated zones.","min_provider_version":"13.0.1","defaults":"name","provider":"go.mondoo.com/mql/v13/providers/activedirectory"},"activedirectory.domainController":{"id":"activedirectory.domainController","name":"activedirectory.domainController","fields":{"distinguishedName":{"name":"distinguishedName","type":"\u0007","is_mandatory":true,"title":"Distinguished name","provider":"go.mondoo.com/mql/v13/providers/activedirectory"},"isGlobalCatalog":{"name":"isGlobalCatalog","type":"\u0004","is_mandatory":true,"title":"Is Global Catalog","provider":"go.mondoo.com/mql/v13/providers/activedirectory"},"isRODC":{"name":"isRODC","type":"\u0004","is_mandatory":true,"title":"Is Read-Only Domain Controller","provider":"go.mondoo.com/mql/v13/providers/activedirectory"},"lastLogonTimestamp":{"name":"lastLogonTimestamp","type":"\t","is_mandatory":true,"title":"Last logon timestamp","provider":"go.mondoo.com/mql/v13/providers/activedirectory"},"name":{"name":"name","type":"\u0007","is_mandatory":true,"title":"DNS hostname","provider":"go.mondoo.com/mql/v13/providers/activedirectory"},"operatingSystem":{"name":"operatingSystem","type":"\u0007","is_mandatory":true,"title":"Operating system","provider":"go.mondoo.com/mql/v13/providers/activedirectory"},"operatingSystemVersion":{"name":"operatingSystemVersion","type":"\u0007","is_mandatory":true,"title":"Operating system version","provider":"go.mondoo.com/mql/v13/providers/activedirectory"},"pwdLastSet":{"name":"pwdLastSet","type":"\t","is_mandatory":true,"title":"Last password set timestamp","provider":"go.mondoo.com/mql/v13/providers/activedirectory"},"site":{"name":"site","type":"\u0007","is_mandatory":true,"title":"Site name","provider":"go.mondoo.com/mql/v13/providers/activedirectory"}},"title":"Active Directory domain controller","desc":" Examine a single domain controller computer object: DNS hostname, distinguished name, OS name and version, 
role flags (Global Catalog, Read-Only DC), site placement, and the most recent password-set and logon-timestamp values. Use it to inventory DCs, find unsupported OS versions, and detect lingering DCs: a machine-account password or logon timestamp that has not changed in months (DCs rotate their machine password every 30 days by default) points to a DC that is offline or was decommissioned without being demoted.","min_provider_version":"13.0.1","defaults":"name operatingSystem","provider":"go.mondoo.com/mql/v13/providers/activedirectory"},"activedirectory.domainPasswordPolicy":{"id":"activedirectory.domainPasswordPolicy","name":"activedirectory.domainPasswordPolicy","fields":{"complexityEnabled":{"name":"complexityEnabled","type":"\u0004","is_mandatory":true,"title":"Whether password complexity is required","provider":"go.mondoo.com/mql/v13/providers/activedirectory"},"lockoutDuration":{"name":"lockoutDuration","type":"\u0005","is_mandatory":true,"title":"Account lockout duration in minutes","provider":"go.mondoo.com/mql/v13/providers/activedirectory"},"lockoutObservationWindow":{"name":"lockoutObservationWindow","type":"\u0005","is_mandatory":true,"title":"Account lockout observation window in minutes","provider":"go.mondoo.com/mql/v13/providers/activedirectory"},"lockoutThreshold":{"name":"lockoutThreshold","type":"\u0005","is_mandatory":true,"title":"Account lockout threshold","provider":"go.mondoo.com/mql/v13/providers/activedirectory"},"maxPasswordAge":{"name":"maxPasswordAge","type":"\u0005","is_mandatory":true,"title":"Maximum password age in days","provider":"go.mondoo.com/mql/v13/providers/activedirectory"},"minPasswordAge":{"name":"minPasswordAge","type":"\u0005","is_mandatory":true,"title":"Minimum password age in days","provider":"go.mondoo.com/mql/v13/providers/activedirectory"},"minPasswordLength":{"name":"minPasswordLength","type":"\u0005","is_mandatory":true,"title":"Minimum password length","provider":"go.mondoo.com/mql/v13/providers/activedirectory"},"passwordHistoryCount":{"name":"passwordHistoryCount","type":"\u0005","is_mandatory":true,"title":"Password history 
count","provider":"go.mondoo.com/mql/v13/providers/activedirectory"},"reversibleEncryption":{"name":"reversibleEncryption","type":"\u0004","is_mandatory":true,"title":"Whether reversible encryption is enabled","provider":"go.mondoo.com/mql/v13/providers/activedirectory"}},"title":"Active Directory default-domain password policy","desc":" Examine the password policy applied to every user that isn't covered by a fine-grained policy: minimum / maximum password age, minimum length, password-history depth, complexity-required flag, and the reversible-encryption flag (which weakens password storage). Also exposes the account-lockout configuration: threshold, duration, and observation window. Auditors read this to verify the domain meets password and lockout benchmarks.","min_provider_version":"13.0.1","defaults":"minPasswordLength maxPasswordAge lockoutThreshold","provider":"go.mondoo.com/mql/v13/providers/activedirectory"},"activedirectory.fineGrainedPasswordPolicy":{"id":"activedirectory.fineGrainedPasswordPolicy","name":"activedirectory.fineGrainedPasswordPolicy","fields":{"appliesTo":{"name":"appliesTo","type":"\u0019\u0007","is_mandatory":true,"title":"Subjects the policy applies to","provider":"go.mondoo.com/mql/v13/providers/activedirectory"},"complexityEnabled":{"name":"complexityEnabled","type":"\u0004","is_mandatory":true,"title":"Whether password complexity is required","provider":"go.mondoo.com/mql/v13/providers/activedirectory"},"distinguishedName":{"name":"distinguishedName","type":"\u0007","is_mandatory":true,"title":"Distinguished name","provider":"go.mondoo.com/mql/v13/providers/activedirectory"},"lockoutDuration":{"name":"lockoutDuration","type":"\u0005","is_mandatory":true,"title":"Account lockout duration in minutes","provider":"go.mondoo.com/mql/v13/providers/activedirectory"},"lockoutThreshold":{"name":"lockoutThreshold","type":"\u0005","is_mandatory":true,"title":"Account lockout 
threshold","provider":"go.mondoo.com/mql/v13/providers/activedirectory"},"maxPasswordAge":{"name":"maxPasswordAge","type":"\u0005","is_mandatory":true,"title":"Maximum password age in days","provider":"go.mondoo.com/mql/v13/providers/activedirectory"},"minPasswordAge":{"name":"minPasswordAge","type":"\u0005","is_mandatory":true,"title":"Minimum password age in days","provider":"go.mondoo.com/mql/v13/providers/activedirectory"},"minPasswordLength":{"name":"minPasswordLength","type":"\u0005","is_mandatory":true,"title":"Minimum password length","provider":"go.mondoo.com/mql/v13/providers/activedirectory"},"name":{"name":"name","type":"\u0007","is_mandatory":true,"title":"Policy name","provider":"go.mondoo.com/mql/v13/providers/activedirectory"},"passwordHistoryCount":{"name":"passwordHistoryCount","type":"\u0005","is_mandatory":true,"title":"Password history count","provider":"go.mondoo.com/mql/v13/providers/activedirectory"},"precedence":{"name":"precedence","type":"\u0005","is_mandatory":true,"title":"Precedence value (lower = higher priority)","provider":"go.mondoo.com/mql/v13/providers/activedirectory"},"reversibleEncryption":{"name":"reversibleEncryption","type":"\u0004","is_mandatory":true,"title":"Whether reversible encryption is enabled","provider":"go.mondoo.com/mql/v13/providers/activedirectory"}},"title":"Active Directory fine-grained password policy","desc":" Examine a single Password Settings Object (PSO) that overrides the default-domain password policy for a specific set of principals: minimum / maximum age, minimum length, history depth, complexity-required flag, reversible-encryption flag, and the lockout threshold and duration. Each PSO carries a precedence (lower wins) and an `appliesTo` list naming the users or groups it covers. 
Use it to confirm that privileged groups are bound to a stronger PSO than the default domain policy.","min_provider_version":"13.0.1","defaults":"name precedence minPasswordLength","provider":"go.mondoo.com/mql/v13/providers/activedirectory"},"activedirectory.gpo":{"id":"activedirectory.gpo","name":"activedirectory.gpo","fields":{"displayName":{"name":"displayName","type":"\u0007","is_mandatory":true,"title":"Display name","provider":"go.mondoo.com/mql/v13/providers/activedirectory"},"distinguishedName":{"name":"distinguishedName","type":"\u0007","is_mandatory":true,"title":"Distinguished name","provider":"go.mondoo.com/mql/v13/providers/activedirectory"},"gpcFileSysPath":{"name":"gpcFileSysPath","type":"\u0007","is_mandatory":true,"title":"Path in SYSVOL","provider":"go.mondoo.com/mql/v13/providers/activedirectory"},"gpoStatus":{"name":"gpoStatus","type":"\u0007","is_mandatory":true,"title":"GPO status (enabled, disabled, user disabled, computer disabled)","provider":"go.mondoo.com/mql/v13/providers/activedirectory"},"id":{"name":"id","type":"\u0007","is_mandatory":true,"title":"GPO GUID","provider":"go.mondoo.com/mql/v13/providers/activedirectory"},"isLinked":{"name":"isLinked","type":"\u0004","is_mandatory":true,"title":"Whether the GPO is linked anywhere","provider":"go.mondoo.com/mql/v13/providers/activedirectory"},"links":{"name":"links","type":"\u0019\u001bactivedirectory.gpoLink","title":"Link metadata for each OU/domain/site this GPO is attached to","provider":"go.mondoo.com/mql/v13/providers/activedirectory"},"version":{"name":"version","type":"\u0005","is_mandatory":true,"title":"Version number","provider":"go.mondoo.com/mql/v13/providers/activedirectory"},"whenChanged":{"name":"whenChanged","type":"\t","is_mandatory":true,"title":"Last modified timestamp","provider":"go.mondoo.com/mql/v13/providers/activedirectory"},"whenCreated":{"name":"whenCreated","type":"\t","is_mandatory":true,"title":"Creation 
timestamp","provider":"go.mondoo.com/mql/v13/providers/activedirectory"}},"title":"Active Directory Group Policy Object","desc":" Examine a single GPO: GUID and display name, distinguished name, GPO status (enabled / disabled / user-side disabled / computer-side disabled), SYSVOL file-system path containing the policy template, version number, creation and last-modified timestamps, whether the GPO is linked anywhere, and the per-link metadata (target OU/domain/site, link order, enforced flag, enabled flag) showing exactly where the policy applies.","min_provider_version":"13.0.1","defaults":"displayName","provider":"go.mondoo.com/mql/v13/providers/activedirectory"},"activedirectory.gpoLink":{"id":"activedirectory.gpoLink","name":"activedirectory.gpoLink","fields":{"enabled":{"name":"enabled","type":"\u0004","is_mandatory":true,"title":"Whether the link is enabled","provider":"go.mondoo.com/mql/v13/providers/activedirectory"},"enforced":{"name":"enforced","type":"\u0004","is_mandatory":true,"title":"Whether the link is enforced","provider":"go.mondoo.com/mql/v13/providers/activedirectory"},"order":{"name":"order","type":"\u0005","is_mandatory":true,"title":"Link order; 1 is highest precedence (applied last)","provider":"go.mondoo.com/mql/v13/providers/activedirectory"},"target":{"name":"target","type":"\u0007","is_mandatory":true,"title":"Target DN or site this link applies to","provider":"go.mondoo.com/mql/v13/providers/activedirectory"}},"title":"Active Directory GPO link","desc":" Examine a single link record associating a GPO with an OU, domain, or site. The `target` field is the distinguished name of the container the policy is applied to. `order` is the link precedence within that container (1 is highest, applied last). 
`enforced` indicates the link cannot be blocked by child OUs, and `enabled` controls whether the link is active.","min_provider_version":"13.0.1","defaults":"target","provider":"go.mondoo.com/mql/v13/providers/activedirectory"},"activedirectory.group":{"id":"activedirectory.group","name":"activedirectory.group","fields":{"adminCount":{"name":"adminCount","type":"\u0004","is_mandatory":true,"title":"Admin count flag","provider":"go.mondoo.com/mql/v13/providers/activedirectory"},"description":{"name":"description","type":"\u0007","is_mandatory":true,"title":"Description","provider":"go.mondoo.com/mql/v13/providers/activedirectory"},"displayName":{"name":"displayName","type":"\u0007","is_mandatory":true,"title":"Display name","provider":"go.mondoo.com/mql/v13/providers/activedirectory"},"distinguishedName":{"name":"distinguishedName","type":"\u0007","is_mandatory":true,"title":"Distinguished name","provider":"go.mondoo.com/mql/v13/providers/activedirectory"},"groupType":{"name":"groupType","type":"\u0007","is_mandatory":true,"title":"Group type description (Security/Distribution, Global/Universal/DomainLocal)","provider":"go.mondoo.com/mql/v13/providers/activedirectory"},"groupTypeRaw":{"name":"groupTypeRaw","type":"\u0005","is_mandatory":true,"title":"Raw groupType flags","provider":"go.mondoo.com/mql/v13/providers/activedirectory"},"isPrivileged":{"name":"isPrivileged","type":"\u0004","is_mandatory":true,"title":"Whether this is a built-in privileged group","provider":"go.mondoo.com/mql/v13/providers/activedirectory"},"memberCount":{"name":"memberCount","type":"\u0005","title":"Member count","provider":"go.mondoo.com/mql/v13/providers/activedirectory"},"members":{"name":"members","type":"\u0019\u001bactivedirectory.groupMember","title":"Direct members","provider":"go.mondoo.com/mql/v13/providers/activedirectory"},"ouPath":{"name":"ouPath","type":"\u0007","is_mandatory":true,"title":"Organizational Unit 
path","provider":"go.mondoo.com/mql/v13/providers/activedirectory"},"sAMAccountName":{"name":"sAMAccountName","type":"\u0007","is_mandatory":true,"title":"sAMAccountName","provider":"go.mondoo.com/mql/v13/providers/activedirectory"},"sid":{"name":"sid","type":"\u0007","is_mandatory":true,"title":"Object SID","provider":"go.mondoo.com/mql/v13/providers/activedirectory"},"whenCreated":{"name":"whenCreated","type":"\t","is_mandatory":true,"title":"Creation timestamp","provider":"go.mondoo.com/mql/v13/providers/activedirectory"}},"title":"Active Directory group","desc":" Examine a single group object: identity (sAMAccountName, distinguished name, display name, SID), the human-readable groupType description (Security vs Distribution, Global / Universal / DomainLocal scope) plus the raw groupType bitmask, description, adminCount flag, OU placement, and creation timestamp. Iterate `members()` for typed user / group / computer references and use `memberCount()` for size-based rules; the `isPrivileged` flag highlights built-in privileged groups that warrant extra scrutiny in access reviews.","min_provider_version":"13.0.1","defaults":"sAMAccountName groupType","provider":"go.mondoo.com/mql/v13/providers/activedirectory"},"activedirectory.groupMember":{"id":"activedirectory.groupMember","name":"activedirectory.groupMember","fields":{"distinguishedName":{"name":"distinguishedName","type":"\u0007","is_mandatory":true,"title":"Distinguished name","provider":"go.mondoo.com/mql/v13/providers/activedirectory"},"name":{"name":"name","type":"\u0007","is_mandatory":true,"title":"sAMAccountName or name","provider":"go.mondoo.com/mql/v13/providers/activedirectory"},"sid":{"name":"sid","type":"\u0007","is_mandatory":true,"title":"Object SID","provider":"go.mondoo.com/mql/v13/providers/activedirectory"},"type":{"name":"type","type":"\u0007","is_mandatory":true,"title":"Member type (user, group, computer)","provider":"go.mondoo.com/mql/v13/providers/activedirectory"}},"title":"Active 
Directory group member","desc":" Examine a single member entry returned by `activedirectory.group.members()`. Each entry records the sAMAccountName or common name in `name`, the full distinguished name, the object SID, and the `type` discriminator — `user`, `group`, or `computer` — so policy can filter by member category without resolving the full object.","min_provider_version":"13.0.1","defaults":"name type","provider":"go.mondoo.com/mql/v13/providers/activedirectory"},"activedirectory.ou":{"id":"activedirectory.ou","name":"activedirectory.ou","fields":{"description":{"name":"description","type":"\u0007","is_mandatory":true,"title":"Description","provider":"go.mondoo.com/mql/v13/providers/activedirectory"},"distinguishedName":{"name":"distinguishedName","type":"\u0007","is_mandatory":true,"title":"Distinguished name","provider":"go.mondoo.com/mql/v13/providers/activedirectory"},"gpoInheritanceBlocked":{"name":"gpoInheritanceBlocked","type":"\u0004","is_mandatory":true,"title":"Whether GPO inheritance is blocked","provider":"go.mondoo.com/mql/v13/providers/activedirectory"},"linkedGpos":{"name":"linkedGpos","type":"\u0019\u001bactivedirectory.gpoLink","title":"Linked GPOs in link order","provider":"go.mondoo.com/mql/v13/providers/activedirectory"},"name":{"name":"name","type":"\u0007","is_mandatory":true,"title":"OU name","provider":"go.mondoo.com/mql/v13/providers/activedirectory"},"whenCreated":{"name":"whenCreated","type":"\t","is_mandatory":true,"title":"Creation timestamp","provider":"go.mondoo.com/mql/v13/providers/activedirectory"}},"title":"Active Directory organizational unit","desc":" Examine a single OU: name, distinguished name, description, creation timestamp, whether GPO inheritance is blocked, and the typed list of linked GPOs in link order. 
OUs are the unit of policy delegation and scoping, so they're the primary container audits walk to find where a GPO actually applies and whether inheritance is being short-circuited.","min_provider_version":"13.0.1","defaults":"name","provider":"go.mondoo.com/mql/v13/providers/activedirectory"},"activedirectory.pkiObject":{"id":"activedirectory.pkiObject","name":"activedirectory.pkiObject","fields":{"dangerousAclPrincipals":{"name":"dangerousAclPrincipals","type":"\u0019\u0007","is_mandatory":true,"title":"Principals with dangerous write-equivalent rights","provider":"go.mondoo.com/mql/v13/providers/activedirectory"},"distinguishedName":{"name":"distinguishedName","type":"\u0007","is_mandatory":true,"title":"Distinguished name","provider":"go.mondoo.com/mql/v13/providers/activedirectory"},"isVulnerableESC5":{"name":"isVulnerableESC5","type":"\u0004","is_mandatory":true,"title":"Whether the object is vulnerable to ESC5 (dangerous write-equivalent ACLs)","provider":"go.mondoo.com/mql/v13/providers/activedirectory"},"name":{"name":"name","type":"\u0007","is_mandatory":true,"title":"Relative name of the PKI object","provider":"go.mondoo.com/mql/v13/providers/activedirectory"},"objectClass":{"name":"objectClass","type":"\u0007","is_mandatory":true,"title":"Primary object class","provider":"go.mondoo.com/mql/v13/providers/activedirectory"},"whenChanged":{"name":"whenChanged","type":"\t","is_mandatory":true,"title":"Last modified timestamp","provider":"go.mondoo.com/mql/v13/providers/activedirectory"},"whenCreated":{"name":"whenCreated","type":"\t","is_mandatory":true,"title":"Creation timestamp","provider":"go.mondoo.com/mql/v13/providers/activedirectory"}},"title":"Active Directory PKI object under CN=Public Key Services","desc":" Examine a single PKI container or object below `CN=Public Key Services,CN=Services,CN=Configuration` (NTAuthCertificates, AIA, the Certificate Templates container, Enrollment Services, etc.): name, distinguished name, primary object class, and 
its lifecycle timestamps. The `isVulnerableESC5` flag and `dangerousAclPrincipals` list highlight write-equivalent ACL grants on these objects, which allow domain-wide AD CS takeover.","min_provider_version":"13.0.1","defaults":"name objectClass","provider":"go.mondoo.com/mql/v13/providers/activedirectory"},"activedirectory.trust":{"id":"activedirectory.trust","name":"activedirectory.trust","fields":{"aesEncryption":{"name":"aesEncryption","type":"\u0004","is_mandatory":true,"title":"Whether the trust uses AES encryption","provider":"go.mondoo.com/mql/v13/providers/activedirectory"},"isAzureADTrust":{"name":"isAzureADTrust","type":"\u0004","is_mandatory":true,"title":"Whether the trust is to Azure AD","provider":"go.mondoo.com/mql/v13/providers/activedirectory"},"isTransitive":{"name":"isTransitive","type":"\u0004","is_mandatory":true,"title":"Whether the trust is transitive","provider":"go.mondoo.com/mql/v13/providers/activedirectory"},"rc4Encryption":{"name":"rc4Encryption","type":"\u0004","is_mandatory":true,"title":"Whether the trust uses RC4 encryption (weak)","provider":"go.mondoo.com/mql/v13/providers/activedirectory"},"selectiveAuthentication":{"name":"selectiveAuthentication","type":"\u0004","is_mandatory":true,"title":"Whether selective authentication is used","provider":"go.mondoo.com/mql/v13/providers/activedirectory"},"sidFilteringEnabled":{"name":"sidFilteringEnabled","type":"\u0004","is_mandatory":true,"title":"Whether SID filtering is enabled","provider":"go.mondoo.com/mql/v13/providers/activedirectory"},"sidHistoryEnabled":{"name":"sidHistoryEnabled","type":"\u0004","is_mandatory":true,"title":"Whether SID history is enabled across the trust","provider":"go.mondoo.com/mql/v13/providers/activedirectory"},"sourceDomain":{"name":"sourceDomain","type":"\u0007","is_mandatory":true,"title":"Source domain 
name","provider":"go.mondoo.com/mql/v13/providers/activedirectory"},"targetDomain":{"name":"targetDomain","type":"\u0007","is_mandatory":true,"title":"Target domain name","provider":"go.mondoo.com/mql/v13/providers/activedirectory"},"tgtDelegation":{"name":"tgtDelegation","type":"\u0004","is_mandatory":true,"title":"Whether TGT delegation is enabled","provider":"go.mondoo.com/mql/v13/providers/activedirectory"},"trustAttributes":{"name":"trustAttributes","type":"\u0005","is_mandatory":true,"title":"Trust attributes raw value","provider":"go.mondoo.com/mql/v13/providers/activedirectory"},"trustDirection":{"name":"trustDirection","type":"\u0007","is_mandatory":true,"title":"Trust direction (Inbound, Outbound, Bidirectional)","provider":"go.mondoo.com/mql/v13/providers/activedirectory"},"trustType":{"name":"trustType","type":"\u0007","is_mandatory":true,"title":"Trust type (External, Forest, ParentChild, CrossLink, MIT)","provider":"go.mondoo.com/mql/v13/providers/activedirectory"},"whenCreated":{"name":"whenCreated","type":"\t","is_mandatory":true,"title":"Trust creation timestamp","provider":"go.mondoo.com/mql/v13/providers/activedirectory"}},"title":"Active Directory domain trust","desc":" Examine a single trust relationship from the source domain to a target domain: trust type (External, Forest, ParentChild, CrossLink, MIT), trust direction (Inbound / Outbound / Bidirectional), transitivity, the cryptographic posture (AES vs weak RC4 encryption), TGT-delegation flag, SID filtering and SID-history flags, selective-authentication flag, the Azure-AD-trust marker, the raw trust-attributes bitmask, and the trust creation timestamp. 
Used for forest-attack-path reviews and confirming hardening of cross-domain authentication.","min_provider_version":"13.0.1","defaults":"targetDomain trustType trustDirection","provider":"go.mondoo.com/mql/v13/providers/activedirectory"},"activedirectory.user":{"id":"activedirectory.user","name":"activedirectory.user","fields":{"adminCount":{"name":"adminCount","type":"\u0004","is_mandatory":true,"title":"Admin count flag (indicates adminSDHolder protection)","provider":"go.mondoo.com/mql/v13/providers/activedirectory"},"constrainedDelegationTargets":{"name":"constrainedDelegationTargets","type":"\u0019\u0007","is_mandatory":true,"title":"Constrained delegation targets (msDS-AllowedToDelegateTo)","provider":"go.mondoo.com/mql/v13/providers/activedirectory"},"daysSinceLastLogon":{"name":"daysSinceLastLogon","type":"\u0005","is_mandatory":true,"title":"Days since last logon","provider":"go.mondoo.com/mql/v13/providers/activedirectory"},"description":{"name":"description","type":"\u0007","is_mandatory":true,"title":"Description (may contain credentials in misconfigured environments)","provider":"go.mondoo.com/mql/v13/providers/activedirectory"},"displayName":{"name":"displayName","type":"\u0007","is_mandatory":true,"title":"Display name","provider":"go.mondoo.com/mql/v13/providers/activedirectory"},"distinguishedName":{"name":"distinguishedName","type":"\u0007","is_mandatory":true,"title":"Distinguished name","provider":"go.mondoo.com/mql/v13/providers/activedirectory"},"email":{"name":"email","type":"\u0007","is_mandatory":true,"title":"Email address","provider":"go.mondoo.com/mql/v13/providers/activedirectory"},"enabled":{"name":"enabled","type":"\u0004","is_mandatory":true,"title":"Whether the account is enabled","provider":"go.mondoo.com/mql/v13/providers/activedirectory"},"isDomainAdmin":{"name":"isDomainAdmin","type":"\u0004","title":"Whether user is member of Domain Admins","provider":"go.mondoo.com/mql/v13/providers/activedirectory"},"isEnterpriseAdmin":{"name":"isEnterpriseAdmin","type":"\u0004","title":"Whether user is member of Enterprise Admins","provider":"go.mondoo.com/mql/v13/providers/activedirectory"},"isGMSA":{"name":"isGMSA","type":"\u0004","is_mandatory":true,"title":"Whether the account is a Group Managed Service Account","provider":"go.mondoo.com/mql/v13/providers/activedirectory"},"isPrivileged":{"name":"isPrivileged","type":"\u0004","title":"Whether user is member of any privileged group","provider":"go.mondoo.com/mql/v13/providers/activedirectory"},"isSchemaAdmin":{"name":"isSchemaAdmin","type":"\u0004","title":"Whether user is member of Schema Admins","provider":"go.mondoo.com/mql/v13/providers/activedirectory"},"isStale":{"name":"isStale","type":"\u0004","is_mandatory":true,"title":"Whether the account is stale (\u003e90 days since last logon)","provider":"go.mondoo.com/mql/v13/providers/activedirectory"},"kerberoastable":{"name":"kerberoastable","type":"\u0004","is_mandatory":true,"title":"Whether the account is Kerberoastable (has SPN and is not krbtgt/computer)","provider":"go.mondoo.com/mql/v13/providers/activedirectory"},"kerberosPreAuthNotRequired":{"name":"kerberosPreAuthNotRequired","type":"\u0004","is_mandatory":true,"title":"Whether Kerberos pre-authentication is disabled (AS-REP roastable)","provider":"go.mondoo.com/mql/v13/providers/activedirectory"},"lastLogonTimestamp":{"name":"lastLogonTimestamp","type":"\t","is_mandatory":true,"title":"Last logon timestamp (from lastLogonTimestamp)","provider":"go.mondoo.com/mql/v13/providers/activedirectory"},"memberOf":{"name":"memberOf","type":"\u0019\u0007","is_mandatory":true,"title":"Group memberships (direct)","provider":"go.mondoo.com/mql/v13/providers/activedirectory"},"ouPath":{"name":"ouPath","type":"\u0007","is_mandatory":true,"title":"Organizational Unit path","provider":"go.mondoo.com/mql/v13/providers/activedirectory"},"passwordAgeDays":{"name":"passwordAgeDays","type":"\u0005","is_mandatory":true,"title":"Password age in days","provider":"go.mondoo.com/mql/v13/providers/activedirectory"},"passwordNeverExpires":{"name":"passwordNeverExpires","type":"\u0004","is_mandatory":true,"title":"Whether password never expires","provider":"go.mondoo.com/mql/v13/providers/activedirectory"},"passwordNotRequired":{"name":"passwordNotRequired","type":"\u0004","is_mandatory":true,"title":"Whether password is not required","provider":"go.mondoo.com/mql/v13/providers/activedirectory"},"protectedUser":{"name":"protectedUser","type":"\u0004","title":"Whether account is a member of Protected Users group","provider":"go.mondoo.com/mql/v13/providers/activedirectory"},"pwdLastSet":{"name":"pwdLastSet","type":"\t","is_mandatory":true,"title":"Last password set timestamp","provider":"go.mondoo.com/mql/v13/providers/activedirectory"},"reversibleEncryption":{"name":"reversibleEncryption","type":"\u0004","is_mandatory":true,"title":"Whether reversible password encryption is allowed for the account","provider":"go.mondoo.com/mql/v13/providers/activedirectory"},"sAMAccountName":{"name":"sAMAccountName","type":"\u0007","is_mandatory":true,"title":"sAMAccountName (pre-Windows 2000 logon name)","provider":"go.mondoo.com/mql/v13/providers/activedirectory"},"sensitiveAndCannotBeDelegated":{"name":"sensitiveAndCannotBeDelegated","type":"\u0004","is_mandatory":true,"title":"Whether account is sensitive and cannot be delegated","provider":"go.mondoo.com/mql/v13/providers/activedirectory"},"servicePrincipalNames":{"name":"servicePrincipalNames","type":"\u0019\u0007","is_mandatory":true,"title":"Service Principal Names","provider":"go.mondoo.com/mql/v13/providers/activedirectory"},"sid":{"name":"sid","type":"\u0007","is_mandatory":true,"title":"Object SID","provider":"go.mondoo.com/mql/v13/providers/activedirectory"},"sidHistory":{"name":"sidHistory","type":"\u0019\u0007","is_mandatory":true,"title":"SID history (for migration tracking / potential abuse)","provider":"go.mondoo.com/mql/v13/providers/activedirectory"},"useDesKeyOnly":{"name":"useDesKeyOnly","type":"\u0004","is_mandatory":true,"title":"Whether account uses DES-only Kerberos encryption","provider":"go.mondoo.com/mql/v13/providers/activedirectory"},"userAccountControl":{"name":"userAccountControl","type":"\u0005","is_mandatory":true,"title":"Raw userAccountControl bitmask combining account-status flags (disabled, locked, password-not-required, etc.)","provider":"go.mondoo.com/mql/v13/providers/activedirectory"},"userPrincipalName":{"name":"userPrincipalName","type":"\u0007","is_mandatory":true,"title":"User Principal Name (user@domain.com)","provider":"go.mondoo.com/mql/v13/providers/activedirectory"},"whenCreated":{"name":"whenCreated","type":"\t","is_mandatory":true,"title":"Account creation timestamp","provider":"go.mondoo.com/mql/v13/providers/activedirectory"}},"title":"Active Directory user account","desc":" Examine a single user object: identity (sAMAccountName, UPN, display name, distinguished name, SID), enabled state, lifecycle timestamps (creation, password-last-set, last-logon, password age, days-since-last-logon), group memberships, OU placement, email and description fields, and SID history. The resource also surfaces the security-relevant userAccountControl flags as named booleans (password never expires, password not required, sensitive-and-cannot-be-delegated, reversible-encryption, DES-only Kerberos, AS-REP-roastable via pre-auth-not-required) plus the delegation surface (Service Principal Names, Kerberoastable flag, constrained-delegation targets, GMSA flag, Protected Users membership), the adminCount flag indicating adminSDHolder protection, and convenience predicates for Domain Admins / Enterprise Admins / Schema Admins / generic privileged-group membership and stale-account state — the surface auditors use for privilege reviews, Kerberos-attack-path analysis, and dormant-account hygiene.","min_provider_version":"13.0.1","defaults":"sAMAccountName displayName enabled","provider":"go.mondoo.com/mql/v13/providers/activedirectory"}}}
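The activedirectory.user schema above lists named booleans (passwordNeverExpires, kerberosPreAuthNotRequired, kerberoastable, isStale, isPrivileged, ...) that the provider derives from raw directory attributes. The Python below is an added example, not Mondoo's or the provider's code: it shows how those derivations map to Microsoft's documented userAccountControl bits, to the FILETIME values behind pwdLastSet / lastLogonTimestamp, and to the Kerberoastable rule the schema states (SPN present, not krbtgt, not a computer account), and then runs the checks a privilege / Kerberos-attack-path review would express over these fields. The sample entries are constructed; the privileged-group set, the rule for accounts that never logged on, and the audit() check list are this example's own choices, and only direct memberOf is considered, matching the schema's "Group memberships (direct)" field.

```python
"""Derive the named booleans of activedirectory.user from raw LDAP attributes.

Added example, not Mondoo / provider code. The userAccountControl bit values
are the ones Microsoft documents; the sample entries, the privileged-group
set, the never-logged-on rule and the audit() checks are this example's own.
"""
from datetime import datetime, timedelta, timezone

# userAccountControl bits (exact values from Microsoft's documentation)
ACCOUNTDISABLE, PASSWD_NOTREQD, ENCRYPTED_TEXT_PWD_ALLOWED = 0x0002, 0x0020, 0x0080
DONT_EXPIRE_PASSWORD, NOT_DELEGATED, USE_DES_KEY_ONLY = 0x10000, 0x100000, 0x200000
DONT_REQ_PREAUTH = 0x400000

STALE_AFTER_DAYS = 90                       # threshold used by the schema's isStale
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Schema Admins",   # assumed set
                     "Administrators", "Account Operators", "Backup Operators"}

def filetime_to_datetime(ft: int):
    """Windows FILETIME (100 ns ticks since 1601-01-01 UTC) -> datetime; 0 means 'never'."""
    return None if ft <= 0 else FILETIME_EPOCH + timedelta(microseconds=ft // 10)

def datetime_to_filetime(dt: datetime) -> int:
    """Inverse of filetime_to_datetime; used here only to build the sample entries."""
    return ((dt - FILETIME_EPOCH) // timedelta(microseconds=1)) * 10

def rdn_value(dn: str) -> str:
    """First RDN value of a DN: 'CN=Domain Admins,CN=Users,DC=x' -> 'Domain Admins'."""
    return dn.split(",", 1)[0].split("=", 1)[1]

def derive_user_flags(entry: dict, now: datetime) -> dict:
    """Compute the schema's named booleans for one user entry (direct memberOf only)."""
    uac = int(entry.get("userAccountControl", 0))
    sam = entry.get("sAMAccountName", "")
    groups = {rdn_value(g) for g in entry.get("memberOf", [])}
    last_logon = filetime_to_datetime(int(entry.get("lastLogonTimestamp", 0)))
    pwd_set = filetime_to_datetime(int(entry.get("pwdLastSet", 0)))
    created = datetime.strptime(entry["whenCreated"], "%Y%m%d%H%M%S.0Z").replace(tzinfo=timezone.utc)
    # Assumption: an account that never logged on is stale once it is older than the threshold.
    stale = (now - (last_logon or created)).days > STALE_AFTER_DAYS
    return {
        "sAMAccountName": sam,
        "enabled": not uac & ACCOUNTDISABLE,
        "passwordNotRequired": bool(uac & PASSWD_NOTREQD),
        "passwordNeverExpires": bool(uac & DONT_EXPIRE_PASSWORD),
        "reversibleEncryption": bool(uac & ENCRYPTED_TEXT_PWD_ALLOWED),
        "sensitiveAndCannotBeDelegated": bool(uac & NOT_DELEGATED),
        "useDesKeyOnly": bool(uac & USE_DES_KEY_ONLY),
        "kerberosPreAuthNotRequired": bool(uac & DONT_REQ_PREAUTH),
        # SPN present and the account is neither krbtgt nor a computer (trailing '$')
        "kerberoastable": bool(entry.get("servicePrincipalName"))
                          and sam.lower() != "krbtgt" and not sam.endswith("$"),
        "adminCount": int(entry.get("adminCount", 0)) == 1,
        "isPrivileged": bool(groups & PRIVILEGED_GROUPS),
        "protectedUser": "Protected Users" in groups,
        "sidHistory": list(entry.get("sIDHistory", [])),
        "passwordAgeDays": (now - pwd_set).days if pwd_set else None,
        "daysSinceLastLogon": (now - last_logon).days if last_logon else None,
        "isStale": stale,
    }

def audit(entries, now: datetime):
    """Checks a privilege / Kerberos-attack-path review would run over the derived flags."""
    findings = []
    for e in entries:
        f = derive_user_flags(e, now)
        sam = f["sAMAccountName"]
        if f["isPrivileged"] and f["kerberoastable"]:
            findings.append((sam, "privileged account is Kerberoastable"))
        if f["enabled"] and f["kerberosPreAuthNotRequired"]:
            findings.append((sam, "AS-REP roastable"))
        if f["isPrivileged"] and not f["protectedUser"]:
            findings.append((sam, "privileged account not in Protected Users"))
        if f["enabled"] and f["isStale"]:
            findings.append((sam, "stale enabled account"))
        if f["sidHistory"]:
            findings.append((sam, "sIDHistory populated"))
    return findings

NOW = datetime(2025, 6, 1, tzinfo=timezone.utc)
DOM = "CN=Users,DC=corp,DC=example"
def _ft(y, m, d):
    return datetime_to_filetime(datetime(y, m, d, tzinfo=timezone.utc))

# Constructed sample directory entries (not real accounts)
SAMPLE_USERS = [
    {"sAMAccountName": "svc_backup", "userAccountControl": 0x10200, "adminCount": 1,
     "servicePrincipalName": ["MSSQLSvc/db01.corp.example:1433"],
     "memberOf": [f"CN=Domain Admins,{DOM}"], "lastLogonTimestamp": _ft(2025, 1, 1),
     "pwdLastSet": _ft(2022, 3, 15), "whenCreated": "20200101000000.0Z"},
    {"sAMAccountName": "legacy.app", "userAccountControl": 0x400200,
     "memberOf": [f"CN=Domain Users,{DOM}"], "lastLogonTimestamp": _ft(2025, 5, 20),
     "pwdLastSet": _ft(2025, 2, 1), "whenCreated": "20210601000000.0Z",
     "sIDHistory": ["S-1-5-21-1111111111-2222222222-3333333333-1105"]},
    {"sAMAccountName": "tmp.contractor", "userAccountControl": 0x202,   # disabled
     "memberOf": [], "lastLogonTimestamp": _ft(2024, 1, 1),
     "pwdLastSet": _ft(2023, 12, 1), "whenCreated": "20231201000000.0Z"},
    {"sAMAccountName": "krbtgt", "userAccountControl": 0x202, "adminCount": 1,
     "servicePrincipalName": ["kadmin/changepw"], "memberOf": [f"CN=Domain Users,{DOM}"],
     "lastLogonTimestamp": 0, "pwdLastSet": _ft(2024, 11, 1), "whenCreated": "20200101000000.0Z"},
]

if __name__ == "__main__":
    for sam, why in audit(SAMPLE_USERS, NOW):
        print(f"{sam:16} {why}")
```

Two details matter when reproducing this against a live directory: lastLogonTimestamp is replicated with a lag of up to about two weeks, so daysSinceLastLogon is a lower bound, and the disabled krbtgt / tmp.contractor entries show why staleness and AS-REP checks should be gated on enabled, otherwise dormant disabled accounts drown the findings that are actually reachable by an attacker.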