mirror of
https://github.com/valitydev/osquery-1.git
synced 2024-11-07 18:08:53 +00:00
25 lines
1.4 KiB
Plaintext
25 lines
1.4 KiB
Plaintext
{
|
|
"platform": "windows",
|
|
"queries": {
|
|
"OpenType_Font_Driver_Vulnerability": {
|
|
"query" : "select * from registry where path like 'HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Windows\\%' AND name = 'DisableATMFD' AND data != '1';",
|
|
"interval" : "3600",
|
|
"version": "2.2.1",
|
|
"description" : "Determine if Adobe Type Manager Font Driver is disabled (https://technet.microsoft.com/en-us/library/security/ms15-078)"
|
|
},
|
|
"Protecting_Against_Weak_Crypto_Algo": {
|
|
"query" : "select * from registry where path like 'HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CertDllCreateCertificateChainEngine\\Config\\Default\\%' AND name IN ('WeakSha1ThirdPartyFlags','WeakMd5ThirdPartyFlags') AND type = 'REG_DWORD' AND data not like '-2%';",
|
|
"interval" : "3600",
|
|
"version": "2.2.1",
|
|
"description" : "Determine if Windows is configured to log certificates with weak crypto (https://technet.microsoft.com/library/dn375961(v=ws.11).aspx)",
|
|
"value" : "Artifact used by this malware"
|
|
},
|
|
"UAC_Disabled": {
|
|
"query": "SELECT * FROM registry WHERE path='HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\EnableLUA' AND data=0;",
|
|
"interval": 3600,
|
|
"version": "2.2.1",
|
|
"description": "Controls UAC. A setting of 0 indicates that UAC is disabled."
|
|
}
|
|
}
|
|
}
|