osquery-1/packs/windows-hardening.conf

{
  "platform": "windows",
  "queries": {
    "OpenType_Font_Driver_Vulnerability": {
      "query" : "select * from registry where path like 'HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Windows\\%' AND name = 'DisableATMFD' AND data != '1';",
      "interval" : "3600",
      "version": "2.2.1",
      "description" : "Determine if Adobe Type Manager Font Driver is disabled (https://technet.microsoft.com/en-us/library/security/ms15-078)"
    },
    "Protecting_Against_Weak_Crypto_Algo": {
      "query" : "select * from registry where path like 'HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CertDllCreateCertificateChainEngine\\Config\\Default\\%' AND name IN ('WeakSha1ThirdPartyFlags','WeakMd5ThirdPartyFlags') AND type = 'REG_DWORD' AND data not like '-2%';",
      "interval" : "3600",
      "version": "2.2.1",
      "description" : "Determine if Windows is configured to log certificates with weak crypto (https://technet.microsoft.com/library/dn375961(v=ws.11).aspx)",
      "value" : "Artifact used by this malware"
    },
    "UAC_Disabled": {
      "query": "SELECT * FROM registry WHERE path='HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\EnableLUA' AND data=0;",
      "interval": 3600,
      "version": "2.2.1",
      "description": "Controls UAC. A setting of 0 indicates that UAC is disabled."
    }
  }
}
Creating a windows-hardening pack and moving queries there (#3935) 2017-11-18 17:20:53 +00:00			`{`
			`"platform": "windows",`
			`"queries": {`
			`"OpenType_Font_Driver_Vulnerability": {`
			`"query" : "select * from registry where path like 'HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Windows\\%' AND name = 'DisableATMFD' AND data != '1';",`
			`"interval" : "3600",`
			`"version": "2.2.1",`
			`"description" : "Determine if Adobe Type Manager Font Driver is disabled (https://technet.microsoft.com/en-us/library/security/ms15-078)"`
			`},`
			`"Protecting_Against_Weak_Crypto_Algo": {`
			`"query" : "select * from registry where path like 'HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CertDllCreateCertificateChainEngine\\Config\\Default\\%' AND name IN ('WeakSha1ThirdPartyFlags','WeakMd5ThirdPartyFlags') AND type = 'REG_DWORD' AND data not like '-2%';",`
			`"interval" : "3600",`
			`"version": "2.2.1",`
			`"description" : "Determine if Windows is configured to log certificates with weak crypto (https://technet.microsoft.com/library/dn375961(v=ws.11).aspx)",`
			`"value" : "Artifact used by this malware"`
			`},`
			`"UAC_Disabled": {`
			`"query": "SELECT * FROM registry WHERE path='HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\EnableLUA' AND data=0;",`
			`"interval": 3600,`
			`"version": "2.2.1",`
			`"description": "Controls UAC. A setting of 0 indicates that UAC is disabled."`
			`}`
			`}`
			`}`