valitydev/osquery-1
14
0
Fork 0
mirror of https://github.com/valitydev/osquery-1.git synced 2024-11-06 17:45:22 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity
4927bf6877
osquery-1/packs/windows-hardening.conf

241 lines
13 KiB
Plaintext
Raw Blame History

{
"platform": "windows",
"queries": {
"OpenType_Font_Driver_Vulnerability": {
"query" : "select * from registry where path like 'HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Windows\\%' AND name = 'DisableATMFD' AND data != '1';",
"interval" : "3600",
"version": "2.2.1",
"description" : "Determine if Adobe Type Manager Font Driver is disabled (https://technet.microsoft.com/en-us/library/security/ms15-078)"
},
"Protecting_Against_Weak_Crypto_Algo": {
"query" : "select * from registry where path like 'HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CertDllCreateCertificateChainEngine\\Config\\Default\\%' AND name IN ('WeakSha1ThirdPartyFlags','WeakMd5ThirdPartyFlags') AND type = 'REG_DWORD' AND data not like '-2%';",
"interval" : "3600",
"version": "2.2.1",
"description" : "Determine if Windows is configured to log certificates with weak crypto (https://technet.microsoft.com/library/dn375961(v=ws.11).aspx)",
"value" : "Artifact used by this malware"
},
"UAC_Disabled": {
"query": "SELECT * FROM registry WHERE path='HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\EnableLUA' AND data=0;",
"interval": 3600,
"version": "2.2.1",
"description": "Controls UAC. A setting of 0 indicates that UAC is disabled."
},
"SecureBoot": {
"query" : "select * from registry where key='HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\SecureBoot\\State\\UEFISecureBootEnabled'",
"interval": "86400",
"snapshot": true,
"description" : "Whether Secureboot is enabled"
},
"FontBlocking": {
"query" : "select * from registry where key='HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows NT\\MitigationOptions\\MitigationOptions_FontBlocking'",
"interval": "86400",
"snapshot": true,
"description" : "Whether FontBlocking is enabled"
},
"DepPolicy": {
"query" : "select * from registry where key='HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\SystemStartOptions'",
"interval": "86400",
"snapshot": true,
"description" : "Whether DEP is enabled"
},
"MitigationOptions": {
"query" : "select * from registry where key='HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Session Manager\\Kernel\\MitigationOptions'",
"interval": "86400",
"snapshot": true,
"description" : "Whether DEP is enabled with application mitigation options"
},
"MoveImages": {
"query" : "select * from registry where key='HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Session Manager\\Memory Management\\moveImages'",
"interval": "86400",
"snapshot": true,
"description" : "Check ASLR configuration"
},
"KernelSehopEnabled": {
"query" : "select * from registry where key='HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Session Manager\\Kernel\\KernelSEHOPEnabled'",
"interval": "86400",
"snapshot": true,
"description" : "Whether SEHOP is enabled"
},
"EnableCertPaddingCheck": {
"query" : "select * from registry where key='HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Cryptography\\WinTrust\\Config\\EnableCertPaddingCheck'",
"interval": "86400",
"snapshot": true,
"description" : "Determine state of Certificate Padding (https://docs.microsoft.com/en-us/security-updates/securityadvisories/2014/2915720)"
},
"EnableCertPaddingCheck_wow64": {
"query" : "select * from registry where key='HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\WinTrust\\Config\\EnableCertPaddingCheck'",
"interval": "86400",
"snapshot": true,
"description" : "Determine state of Certificate Padding (https://docs.microsoft.com/en-us/security-updates/securityadvisories/2014/2915720)"
},
"CwdIllegalInDllSearch": {
"query" : "select * from registry where key='HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Session Manager\\CWDIllegalInDllSearch'",
"interval": "86400",
"snapshot": true,
"description" : "Check Secure Search Path state (https://support.microsoft.com/en-us/help/2264107/a-new-cwdillegalindllsearch-registry-entry-is-available-to-control-the)"
},
"DisabledExceptionChainValidation": {
"query" : "select * from registry where key='HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Session Manager\\kernel\\DisableExceptionChainValidation'",
"interval": "86400",
"snapshot": true,
"description" : "Check SEHOP state: DisabledExceptionChainValidation"
},
"EnableLowVaAccess": {
"query" : "select * from registry where key='HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Session Manager\\Memory Management\\EnableLowVaAccess'",
"interval": "86400",
"snapshot": true,
"description" : "Check Kernel Null page state"
},
"ControlFlowGuard": {
"query" : "select * from registry where key='HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Session Manager\\Memory Management\\EnableCfg'",
"interval": "86400",
"snapshot": true,
"description" : "Check Control Flow Guard state"
},
"App_ExecuteOptions": {
"query" : "select * from registry where key like 'HKEY_LOCAL_MACHINE\\SOFTWARE\\%Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\%\\executeOptions'",
"interval": "86400",
"snapshot": true,
"description" : "Check Applications opted in for DEP"
},
"App_MitigationOptions": {
"query" : "select * from registry where key like 'HKEY_LOCAL_MACHINE\\SOFTWARE\\%Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\%\\MitigationOptions'",
"interval": "86400",
"snapshot": true,
"description" : "Check Applications opted in for DEP"
},
"AppCompat": {
"query" : "select * from registry where key='HKEY_LOCAL_MACHINE\\SOFTWARE\\%Microsoft\\Windows NT\\CurrentVersion\\AppCompatFlags\\Layers'",
"interval": "86400",
"snapshot": true,
"description" : "Check Applications opted in for DEP"
},
"App_disabledExceptionChainValidation": {
"query" : "select * from registry where key like 'HKEY_LOCAL_MACHINE\\SOFTWARE\\%Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\%\\DisableExceptionChainValidation'",
"interval": "86400",
"snapshot": true,
"description" : "Check Applications not supporting SEHOP"
},
"DefaultLevelMachine": {
"query" : "select * from registry where key='HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\Safer\\CodeIdentifiers\\DefaultLevel'",
"interval": "86400",
"snapshot": true,
"description" : "Check Software Restriction Policies state"
},
"DefaultLevelUser": {
"query" : "select * from registry where key like 'HKEY_USERS\\%\\SOFTWARE\\Policies\\Microsoft\\Windows\\Safer\\CodeIdentifiers\\DefaultLevel'",
"interval": "86400",
"snapshot": true,
"description" : "Check Software Restriction Policies state"
},
"PolicyScopeMachine": {
"query" : "select * from registry where key='HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\Safer\\CodeIdentifiers\\PolicyScope'",
"interval": "86400",
"snapshot": true,
"description" : "Check Software Restriction Policies state"
},
"PolicyScopeUser": {
"query" : "select * from registry where key like 'HKEY_USERS\\%\\SOFTWARE\\Policies\\Microsoft\\Windows\\Safer\\CodeIdentifiers\\PolicyScope'",
"interval": "86400",
"snapshot": true,
"description" : "Check Software Restriction Policies state"
},
"ExecutableTryMachine": {
"query" : "select * from registry where key='HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\Safer\\CodeIdentifiers\\ExecutableTry'",
"interval": "86400",
"snapshot": true,
"description" : "Check Software Restriction Policies state"
},
"ExecutableTryUser": {
"query" : "select * from registry where key like 'HKEY_USERS\\%\\SOFTWARE\\Policies\\Microsoft\\Windows\\Safer\\CodeIdentifiers\\ExecutableTry'",
"interval": "86400",
"snapshot": true,
"description" : "Check Software Restriction Policies state"
},
"TransparentEnabledMachine": {
"query" : "select * from registry where key='HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\Safer\\CodeIdentifiers\\TransparentEnabled'",
"interval": "86400",
"snapshot": true,
"description" : "Check Software Restriction Policies state"
},
"TransparentEnabledUser": {
"query" : "select * from registry where key like 'HKEY_USERS\\%\\SOFTWARE\\Policies\\Microsoft\\Windows\\Safer\\CodeIdentifiers\\TransparentEnabled'",
"interval": "86400",
"snapshot": true,
"description" : "Check Software Restriction Policies state"
},
"Unrestricted": {
"query" : "select * from registry where key='HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\Safer\\CodeIdentifiers\\262144'",
"interval": "86400",
"snapshot": true,
"description" : "Check Software Restriction Policies state: No SRP whitelist rules"
},
"Unrestricted_Paths": {
"query" : "select * from registry where key='HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\Safer\\CodeIdentifiers\\262144\\Paths'",
"interval": "86400",
"snapshot": true,
"description" : "Check Software Restriction Policies state: No SRP path rules"
},
"Unrestricted_Paths_ItemData": {
"query" : "select * from registry where key like 'HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\Safer\\CodeIdentifiers\\262144\\Paths\\%\\ItemData'",
"interval": "86400",
"snapshot": true,
"description" : "Check Software Restriction Policies state: SRP whitelist rules is missing"
},
"Disallowed": {
"query" : "select * from registry where key='HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\Safer\\CodeIdentifiers\\0'",
"interval": "86400",
"snapshot": true,
"description" : "Check Software Restriction Policies state: No SRP blacklist rules"
},
"Disallowed_Paths": {
"query" : "select * from registry where key='HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\Safer\\CodeIdentifiers\\0\\Paths'",
"interval": "86400",
"snapshot": true,
"description" : "Check Software Restriction Policies state: No SRP path rules"
},
"Disallowed_Paths_ItemData": {
"query" : "select * from registry where key like 'HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\Safer\\CodeIdentifiers\\0\\Paths\\%\\ItemData'",
"interval": "86400",
"snapshot": true,
"description" : "Check Software Restriction Policies state: SRP blacklist rule is missing"
},
"SaferFlags": {
"query" : "select * from registry where key like 'HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\Safer\\CodeIdentifiers\\%\\%\\%\\SaferFlags'",
"interval": "86400",
"snapshot": true,
"description" : "Check Software Restriction Policies state: SRP rule is not enforcing"
},
"RuleSetEnforcementMode": {
"query" : "select * from registry where key like 'HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\SrpV2\\%\\EnforcementMode'",
"interval": "86400",
"snapshot": true,
"description" : "Check Applocker rule set configuration"
},
"Rule": {
"query" : "select * from registry where key like 'HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\SrpV2\\%\\%\\Value'",
"interval": "86400",
"snapshot": true,
"description" : "Check Applocker rule set"
},
"AuditSpecialGroups": {
"query" : "select * from registry where key='HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Lsa\\Audit'",
"interval": "86400",
"snapshot": true,
"description" : "Check Special Logon Audit configuration - https://blogs.technet.microsoft.com/jepayne/2015/11/26/tracking-lateral-movement-part-one-special-groups-and-specific-service-accounts/"
},
"SysmonConfig": {
"query" : "select * from registry where key='HKEY_LOCAL_MACHINE\\SYSTEM\\CCS\\Services\\SysmonDrv\\Parameters'",
"interval": "86400",
"snapshot": true,
"description" : "Check Microsoft Sysinternals Sysmon config"
},
"DeveloperMode": {
"query" : "select * from registry where key='HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModelUnlock'",
"interval": "86400",
"snapshot": true,
"description" : "Check Developer Mode state"
}
}
}
Reference in New Issue View Git Blame Copy Permalink