{ "platform": "windows", "queries": { "OpenType_Font_Driver_Vulnerability": { "query" : "select * from registry where path like 'HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Windows\\%' AND name = 'DisableATMFD' AND data != '1';", "interval" : "3600", "version": "2.2.1", "description" : "Determine if Adobe Type Manager Font Driver is disabled (https://technet.microsoft.com/en-us/library/security/ms15-078)" }, "Protecting_Against_Weak_Crypto_Algo": { "query" : "select * from registry where path like 'HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CertDllCreateCertificateChainEngine\\Config\\Default\\%' AND name IN ('WeakSha1ThirdPartyFlags','WeakMd5ThirdPartyFlags') AND type = 'REG_DWORD' AND data not like '-2%';", "interval" : "3600", "version": "2.2.1", "description" : "Determine if Windows is configured to log certificates with weak crypto (https://technet.microsoft.com/library/dn375961(v=ws.11).aspx)", "value" : "Artifact used by this malware" }, "UAC_Disabled": { "query": "SELECT * FROM registry WHERE path='HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\EnableLUA' AND data=0;", "interval": 3600, "version": "2.2.1", "description": "Controls UAC. A setting of 0 indicates that UAC is disabled." }, "SecureBoot": { "query" : "select * from registry where key='HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\SecureBoot\\State\\UEFISecureBootEnabled'", "interval": "86400", "snapshot": true, "description" : "Whether Secureboot is enabled" }, "FontBlocking": { "query" : "select * from registry where key='HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows NT\\MitigationOptions\\MitigationOptions_FontBlocking'", "interval": "86400", "snapshot": true, "description" : "Whether FontBlocking is enabled" }, "DepPolicy": { "query" : "select * from registry where key='HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\SystemStartOptions'", "interval": "86400", "snapshot": true, "description" : "Whether DEP is enabled" }, "MitigationOptions": { "query" : "select * from registry where key='HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Session Manager\\Kernel\\MitigationOptions'", "interval": "86400", "snapshot": true, "description" : "Whether DEP is enabled with application mitigation options" }, "MoveImages": { "query" : "select * from registry where key='HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Session Manager\\Memory Management\\moveImages'", "interval": "86400", "snapshot": true, "description" : "Check ASLR configuration" }, "KernelSehopEnabled": { "query" : "select * from registry where key='HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Session Manager\\Kernel\\KernelSEHOPEnabled'", "interval": "86400", "snapshot": true, "description" : "Whether SEHOP is enabled" }, "EnableCertPaddingCheck": { "query" : "select * from registry where key='HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Cryptography\\WinTrust\\Config\\EnableCertPaddingCheck'", "interval": "86400", "snapshot": true, "description" : "Determine state of Certificate Padding (https://docs.microsoft.com/en-us/security-updates/securityadvisories/2014/2915720)" }, "EnableCertPaddingCheck_wow64": { "query" : "select * from registry where key='HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\WinTrust\\Config\\EnableCertPaddingCheck'", "interval": "86400", "snapshot": true, "description" : "Determine state of Certificate Padding (https://docs.microsoft.com/en-us/security-updates/securityadvisories/2014/2915720)" }, "CwdIllegalInDllSearch": { "query" : "select * from registry where key='HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Session Manager\\CWDIllegalInDllSearch'", "interval": "86400", "snapshot": true, "description" : "Check Secure Search Path state (https://support.microsoft.com/en-us/help/2264107/a-new-cwdillegalindllsearch-registry-entry-is-available-to-control-the)" }, "DisabledExceptionChainValidation": { "query" : "select * from registry where key='HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Session Manager\\kernel\\DisableExceptionChainValidation'", "interval": "86400", "snapshot": true, "description" : "Check SEHOP state: DisabledExceptionChainValidation" }, "EnableLowVaAccess": { "query" : "select * from registry where key='HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Session Manager\\Memory Management\\EnableLowVaAccess'", "interval": "86400", "snapshot": true, "description" : "Check Kernel Null page state" }, "ControlFlowGuard": { "query" : "select * from registry where key='HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Session Manager\\Memory Management\\EnableCfg'", "interval": "86400", "snapshot": true, "description" : "Check Control Flow Guard state" }, "App_ExecuteOptions": { "query" : "select * from registry where key like 'HKEY_LOCAL_MACHINE\\SOFTWARE\\%Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\%\\executeOptions'", "interval": "86400", "snapshot": true, "description" : "Check Applications opted in for DEP" }, "App_MitigationOptions": { "query" : "select * from registry where key like 'HKEY_LOCAL_MACHINE\\SOFTWARE\\%Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\%\\MitigationOptions'", "interval": "86400", "snapshot": true, "description" : "Check Applications opted in for DEP" }, "AppCompat": { "query" : "select * from registry where key='HKEY_LOCAL_MACHINE\\SOFTWARE\\%Microsoft\\Windows NT\\CurrentVersion\\AppCompatFlags\\Layers'", "interval": "86400", "snapshot": true, "description" : "Check Applications opted in for DEP" }, "App_disabledExceptionChainValidation": { "query" : "select * from registry where key like 'HKEY_LOCAL_MACHINE\\SOFTWARE\\%Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\%\\DisableExceptionChainValidation'", "interval": "86400", "snapshot": true, "description" : "Check Applications not supporting SEHOP" }, "DefaultLevelMachine": { "query" : "select * from registry where key='HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\Safer\\CodeIdentifiers\\DefaultLevel'", "interval": "86400", "snapshot": true, "description" : "Check Software Restriction Policies state" }, "DefaultLevelUser": { "query" : "select * from registry where key like 'HKEY_USERS\\%\\SOFTWARE\\Policies\\Microsoft\\Windows\\Safer\\CodeIdentifiers\\DefaultLevel'", "interval": "86400", "snapshot": true, "description" : "Check Software Restriction Policies state" }, "PolicyScopeMachine": { "query" : "select * from registry where key='HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\Safer\\CodeIdentifiers\\PolicyScope'", "interval": "86400", "snapshot": true, "description" : "Check Software Restriction Policies state" }, "PolicyScopeUser": { "query" : "select * from registry where key like 'HKEY_USERS\\%\\SOFTWARE\\Policies\\Microsoft\\Windows\\Safer\\CodeIdentifiers\\PolicyScope'", "interval": "86400", "snapshot": true, "description" : "Check Software Restriction Policies state" }, "ExecutableTryMachine": { "query" : "select * from registry where key='HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\Safer\\CodeIdentifiers\\ExecutableTry'", "interval": "86400", "snapshot": true, "description" : "Check Software Restriction Policies state" }, "ExecutableTryUser": { "query" : "select * from registry where key like 'HKEY_USERS\\%\\SOFTWARE\\Policies\\Microsoft\\Windows\\Safer\\CodeIdentifiers\\ExecutableTry'", "interval": "86400", "snapshot": true, "description" : "Check Software Restriction Policies state" }, "TransparentEnabledMachine": { "query" : "select * from registry where key='HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\Safer\\CodeIdentifiers\\TransparentEnabled'", "interval": "86400", "snapshot": true, "description" : "Check Software Restriction Policies state" }, "TransparentEnabledUser": { "query" : "select * from registry where key like 'HKEY_USERS\\%\\SOFTWARE\\Policies\\Microsoft\\Windows\\Safer\\CodeIdentifiers\\TransparentEnabled'", "interval": "86400", "snapshot": true, "description" : "Check Software Restriction Policies state" }, "Unrestricted": { "query" : "select * from registry where key='HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\Safer\\CodeIdentifiers\\262144'", "interval": "86400", "snapshot": true, "description" : "Check Software Restriction Policies state: No SRP whitelist rules" }, "Unrestricted_Paths": { "query" : "select * from registry where key='HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\Safer\\CodeIdentifiers\\262144\\Paths'", "interval": "86400", "snapshot": true, "description" : "Check Software Restriction Policies state: No SRP path rules" }, "Unrestricted_Paths_ItemData": { "query" : "select * from registry where key like 'HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\Safer\\CodeIdentifiers\\262144\\Paths\\%\\ItemData'", "interval": "86400", "snapshot": true, "description" : "Check Software Restriction Policies state: SRP whitelist rules is missing" }, "Disallowed": { "query" : "select * from registry where key='HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\Safer\\CodeIdentifiers\\0'", "interval": "86400", "snapshot": true, "description" : "Check Software Restriction Policies state: No SRP blacklist rules" }, "Disallowed_Paths": { "query" : "select * from registry where key='HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\Safer\\CodeIdentifiers\\0\\Paths'", "interval": "86400", "snapshot": true, "description" : "Check Software Restriction Policies state: No SRP path rules" }, "Disallowed_Paths_ItemData": { "query" : "select * from registry where key like 'HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\Safer\\CodeIdentifiers\\0\\Paths\\%\\ItemData'", "interval": "86400", "snapshot": true, "description" : "Check Software Restriction Policies state: SRP blacklist rule is missing" }, "SaferFlags": { "query" : "select * from registry where key like 'HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\Safer\\CodeIdentifiers\\%\\%\\%\\SaferFlags'", "interval": "86400", "snapshot": true, "description" : "Check Software Restriction Policies state: SRP rule is not enforcing" }, "RuleSetEnforcementMode": { "query" : "select * from registry where key like 'HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\SrpV2\\%\\EnforcementMode'", "interval": "86400", "snapshot": true, "description" : "Check Applocker rule set configuration" }, "Rule": { "query" : "select * from registry where key like 'HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\SrpV2\\%\\%\\Value'", "interval": "86400", "snapshot": true, "description" : "Check Applocker rule set" }, "AuditSpecialGroups": { "query" : "select * from registry where key='HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Lsa\\Audit'", "interval": "86400", "snapshot": true, "description" : "Check Special Logon Audit configuration - https://blogs.technet.microsoft.com/jepayne/2015/11/26/tracking-lateral-movement-part-one-special-groups-and-specific-service-accounts/" }, "SysmonConfig": { "query" : "select * from registry where key='HKEY_LOCAL_MACHINE\\SYSTEM\\CCS\\Services\\SysmonDrv\\Parameters'", "interval": "86400", "snapshot": true, "description" : "Check Microsoft Sysinternals Sysmon config" }, "DeveloperMode": { "query" : "select * from registry where key='HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModelUnlock'", "interval": "86400", "snapshot": true, "description" : "Check Developer Mode state" } } }