-
Notifications
You must be signed in to change notification settings - Fork 119
/
Copy pathwindows-registry-monitoring.conf
executable file
·197 lines (197 loc) · 14.2 KB
/
windows-registry-monitoring.conf
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
{
"platform": "windows",
"queries": {
"amsi_disabled_registry": {
"query": "SELECT key, r.path, r.name, r.mtime, r.data, username from registry r, users WHERE path = 'HKEY_USERS\\'||uuid||'\\Software\\Microsoft\\Windows Script\\Settings\\AmsiEnable' AND data=0;",
"interval": 3600,
"description": "A registry key can be created to disable AMSI on Windows: (https://twitter.com/Moriarty_Meng/status/1011568060883333120)",
"platform": "windows"
},
"bitlocker_encryption_settings_registry_misconfigured": {
"query": "SELECT * FROM registry WHERE (path='HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\FVE\\MDOPBitLockerManagement\\ShouldEncryptOSDrive' OR path='HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\FVE\\MDOPBitLockerManagement\\OSDriveProtector') AND data!=1;",
"interval": 3600,
"description": "Returns the content of the key if it does not match the expected value",
"platform": "windows"
},
"bitlocker_mbam_endpoint_registry_misconfigured": {
"query": "SELECT * FROM registry WHERE path='HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\FVE\\MDOPBitLockerManagement\\KeyRecoveryServiceEndPoint' AND data!='https://mbam.server.com/MBAMRecoveryAndHardwareService/CoreService.svc';",
"interval": 3600,
"description": "Returns the content of the key if it does not match the expected value",
"platform": "windows"
},
"bitlocker_mbam_registry_misconfigured": {
"query": "SELECT * FROM registry WHERE path='HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\FVE\\MDOPBitLockerManagement\\UseMBAMServices' AND data!=1;",
"interval": 3600,
"description": "Returns the content of the key if it does not match the expected value",
"platform": "windows"
},
"command_line_auditing_registry_misconfigured": {
"query": "SELECT * FROM registry WHERE path='HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\Audit\\ProcessCreationIncludeCmdLine_Enabled' AND data!=1;",
"interval": 3600,
"description": "Returns the content of the key if it does not match the expected value",
"platform": "windows"
},
"command_line_auditing_registry_missing": {
"query": "SELECT IFNULL(key_count,0) AS key_exists FROM (SELECT COUNT(*) AS key_count FROM registry WHERE path='HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\Audit\\ProcessCreationIncludeCmdLine_Enabled') WHERE key_exists!=1;",
"interval": 3600,
"description": "Returns 0 as a result if the registry key does not exist",
"platform": "windows"
},
"computer_maximum_password_age_changed_registry": {
"query": "SELECT * FROM registry WHERE path='HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Services\\Netlogon\\Parameters\\MaximumPasswordAge' and data!=30;",
"interval": 3600,
"description": "Controls how often to rotate the local computer password (defaults to 30 days). A modification of this value may be an indicator of attacker activity.",
"platform": "windows"
},
"computer_password_change_disabled_registry": {
"query": "SELECT * FROM registry WHERE path='HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Services\\Netlogon\\Parameters\\DisablePasswordChange' AND data!=0;",
"interval": 3600,
"description": "Technique used by attackers to prevent computer accounts from changing their password, thus extending the life of Kerberos silver tickets (https://adsecurity.org/?p=2011)",
"platform": "windows"
},
"crash_dump_registry_misconfigured": {
"query": "SELECT * FROM registry WHERE path='HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\CrashControl\\CrashDumpEnabled' AND data=0;",
"interval": 3600,
"description": "Returns the content of the key if it does not match the expected value",
"platform": "windows"
},
"crash_dump_registry_missing": {
"query": "SELECT IFNULL(key_count,0) AS key_exists FROM (SELECT COUNT(*) AS key_count FROM registry WHERE path='HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\CrashControl\\CrashDumpEnabled') WHERE key_exists!=1;",
"interval": 3600,
"description": "Returns 0 as a result if the registry key does not exist",
"platform": "windows"
},
"dns_plugin_dll_registry_exists": {
"query": "SELECT * FROM registry WHERE key='HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\services\\DNS\\Parameters\\ServerLevelPluginDll';",
"interval": 3600,
"description": "Returns the content of this key if it exists, which it shouldn't by default",
"platform": "windows"
},
"dr_watson_registry_missing": {
"query": "SELECT IFNULL(key_count,0) AS key_exists FROM (SELECT COUNT(*) AS key_count FROM registry where key='HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\AeDebug') WHERE key_exists!=2;",
"interval": 3600,
"description": "Returns 0 as a result if the registry key does not exist",
"platform": "windows"
},
"error_display_ui_registry_exists": {
"query": "SELECT * FROM registry WHERE path='HKEY_LOCAL_MACHINE\\Software\\Microsoft\\PCHealth\\ErrorReporting\\ShowUI';",
"interval": 3600,
"description": "Returns the content of this key if it exists, which it shouldn't by default",
"platform": "windows"
},
"error_mode_registry_misconfigured": {
"query": "SELECT * FROM registry WHERE path='HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\Windows\\ErrorMode' AND data=2;",
"interval": 3600,
"description": "Returns the content of the key if it does not match the expected value",
"platform": "windows"
},
"error_mode_registry_missing": {
"query": "SELECT IFNULL(key_count,0) AS key_exists FROM (SELECT COUNT(*) AS key_count FROM registry WHERE path='HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\Windows\\ErrorMode') WHERE key_exists!=1;",
"interval": 3600,
"description": "Returns 0 as a result if the registry key does not exist",
"platform": "windows"
},
"log_errors_registry_misconfigured": {
"query": "SELECT * FROM registry WHERE path='HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\CrashControl\\LogEvent' AND data!=1;",
"interval": 3600,
"description": "Returns the content of the key if it does not match the expected value",
"platform": "windows"
},
"log_errors_registry_missing": {
"query": "SELECT IFNULL(key_count,0) AS key_exists FROM (SELECT COUNT(*) AS key_count FROM registry WHERE path='HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\CrashControl\\LogEvent') WHERE key_exists!=1;",
"interval": 3600,
"description": "Returns 0 as a result if the registry key does not exist",
"platform": "windows"
},
"per_user_ts_session_registry_misconfigured": {
"query": "SELECT * FROM registry WHERE path='HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Terminal Server\\fSingleSessionPerUser' AND data!=1;",
"interval": 3600,
"description": "Returns the content of the key if it does not match the expected value",
"platform": "windows"
},
"per_user_ts_session_registry_missing": {
"query": "SELECT IFNULL(key_count,0) AS key_exists FROM (SELECT COUNT(*) AS key_count FROM registry WHERE path='HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Terminal Server\\fSingleSessionPerUser') WHERE key_exists!=1;",
"interval": 3600,
"description": "Returns 0 as a result if the registry key does not exist",
"platform": "windows"
},
"physicalstore_dll_registry_persistence": {
"query": "SELECT key, path, name, mtime, username FROM registry r, users WHERE path LIKE 'HKEY_USERS\\'||uuid||'\\Software\\Microsoft\\SystemCertificates\\CA\\PhysicalStores\\%%' OR path LIKE 'HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CertDllOpenStoreProv\\%%' AND name!='#16' AND name!='Ldap';",
"interval": 3600,
"description": "Detect a registry based persistence mechanism that allows an attacker to specify a DLL to be loaded when cryptographic libraries are called (https://twitter.com/PsiDragon/status/978367732793135105)",
"platform": "windows"
},
"powershell_invocationheader_registry_missing": {
"query": "SELECT IFNULL(key_count,0) AS key_exists FROM (SELECT COUNT(*) AS key_count FROM registry WHERE path='HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Windows\\Powershell\\Transcription\\EnableInvocationHeader') WHERE key_exists!=1;",
"interval": 3600,
"description": "Returns 0 as a result if the registry key does not exist",
"platform": "windows"
},
"powershell_logging_registry_misconfigured": {
"query": "SELECT * FROM registry WHERE (path='HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Windows\\Powershell\\ModuleLogging\\EnableModuleLogging' OR path='HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Windows\\Powershell\\ScriptBlockLogging\\EnableScriptBlockLogging' OR path='HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Windows\\Powershell\\Transcription\\EnableTranscripting' OR path='HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Windows\\Powershell\\Transcription\\EnableInvocationHeader') AND data!=1;",
"interval": 3600,
"description": "Returns the content of the key if it does not match the expected value",
"platform": "windows"
},
"powershell_module_logging_registry_missing": {
"query": "SELECT IFNULL(key_count,0) AS key_exists FROM (SELECT COUNT(*) AS key_count FROM registry WHERE path='HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Windows\\Powershell\\ModuleLogging\\EnableModuleLogging') WHERE key_exists!=1;",
"interval": 3600,
"description": "Returns 0 as a result if the registry key does not exist",
"platform": "windows"
},
"powershell_scriptblock_logging_registry_missing": {
"query": "SELECT IFNULL(key_count,0) AS key_exists FROM (SELECT COUNT(*) AS key_count FROM registry WHERE path='HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Windows\\Powershell\\ScriptBlockLogging\\EnableScriptBlockLogging') WHERE key_exists!=1;",
"interval": 3600,
"description": "Returns 0 as a result if the registry key does not exist",
"platform": "windows"
},
"powershell_transcription_logging_registry_missing": {
"query": "SELECT IFNULL(key_count,0) AS key_exists FROM (SELECT COUNT(*) AS key_count FROM registry WHERE path='HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Windows\\Powershell\\Transcription\\EnableTranscripting') WHERE key_exists!=1;",
"interval": 3600,
"description": "Returns 0 as a result if the registry key does not exist",
"platform": "windows"
},
"runonceex_persistence_registry": {
"query": "SELECT * FROM registry WHERE path = 'HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\RunOnceEx';",
"interval": 3600,
"description": "Registry based persistence mechanism to load DLLs at reboot time and avoids detection by Autoruns (https://oddvar.moe/2018/03/21/persistence-using-runonceex-hidden-from-autoruns-exe/). Subkeys will be deleted after they run, thus (RunOnce). The RunOnceEx key will remain.",
"platform": "windows"
},
"smbv1_registry_misconfigured": {
"query": "SELECT * FROM registry WHERE path='HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\LanmanServer\\Parameters\\SMB1' AND data!=0;",
"interval": 3600,
"description": "",
"platform": "windows"
},
"smbv1_registry_missing": {
"query": "SELECT IFNULL(key_count,0) AS key_exists FROM (SELECT COUNT(*) AS key_count FROM registry WHERE path='HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\LanmanServer\\Parameters\\SMB1') WHERE key_exists!=1;",
"interval": 3600,
"description": "Returns 0 as a result if the registry key does not exist",
"platform": "windows"
},
"send_error_alert_registry_exists": {
"query": "SELECT * FROM registry WHERE key='HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\CrashControl\\SendAlert';",
"interval": 3600,
"description": "Returns the content of this key if it exists, which it shouldn't by default",
"platform": "windows"
},
"subscription_manager_registry_misconfigured": {
"query": "SELECT * FROM registry WHERE path='HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Windows\\EventLog\\EventForwarding\\SubscriptionManager\\1' AND (data!='Server=http://subdomain.domain.com:5985/wsman/SubscriptionManager/WEC' AND data!='Server=http://subdomain.domain.com:5985/wsman/SubscriptionManager/WEC');",
"interval": 3600,
"description": "Returns the content of the key if it does not match the expected value",
"platform": "windows"
},
"subscription_manager_registry_missing": {
"query": "SELECT IFNULL(key_count,0) AS key_exists FROM (SELECT COUNT(*) AS key_count FROM registry WHERE path='HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Windows\\EventLog\\EventForwarding\\SubscriptionManager\\1') WHERE key_exists!=1;",
"interval": 3600,
"description": "Returns 0 as a result if the registry key does not exist",
"platform": "windows"
},
"winrm_settings_registry_misconfigured": {
"query": "SELECT * FROM registry WHERE (path='HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Windows\\WinRM\\Client\\AllowBasic' OR path='HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Windows\\WinRM\\Client\\AllowCredSSP' OR path='HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Windows\\WinRM\\Client\\AllowUnencryptedTraffic' OR path='HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Windows\\WinRM\\Client\\AllowDigest' OR path='HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Windows\\WinRM\\Service\\AllowBasic' OR path='HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Windows\\WinRM\\Service\\AllowCredSSP' OR path='HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Windows\\WinRM\\Service\\AllowUnencryptedTraffic' OR path='HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Windows\\WinRM\\Service\\WinRS\\AllowRemoteShellAccess') AND data!=0; ",
"interval": 3600,
"description": "Returns the content of the key if it does not match the expected value",
"platform": "windows"
}
}
}