20241029

date.txt

@@ -1 +1 @@
-20241028
+20241029

poc/auth/credential-guard-disabled.yaml

@@ -0,0 +1,38 @@
+id: credential-guard-disabled
+
+info:
+  name: Credential Guard Not Enabled
+  author: princechaddha
+  severity: high
+  description: Verifies if Windows Defender Credential Guard is disabled, reducing protection against credential theft.
+  impact: |
+    Disabling Credential Guard reduces protection against modern credential theft techniques.
+  remediation: |
+    Enable Credential Guard to enhance security against credential theft.
+  tags: credential-guard,code,windows-audit
+
+self-contained: true
+
+code:
+  - pre-condition: |
+      IsWindows();
+    engine:
+      - powershell
+      - powershell.exe
+    args:
+      - -ExecutionPolicy
+      - Bypass
+    pattern: "*.ps1"
+    source: |
+      Get-CimInstance -ClassName Win32_DeviceGuard -Namespace root\Microsoft\Windows\DeviceGuard
+
+    matchers-condition: and
+    matchers:
+      - type: word
+        words:
+          - "AvailableSecurityProperties"
+
+      - type: word
+        words:
+          - "Credential Guard"
+        negative: true

poc/auth/disable-empty-password.yaml

@@ -0,0 +1,24 @@
+id: disable-empty-password
+
+info:
+  name: Disable SSH Empty Password
+  author: pussycat0x
+  severity: info
+  description: |
+    Disabling SSH logins with empty passwords significantly enhances the security of your server.
+  remediation: |
+    Change it to : PermitEmptyPasswords no
+  reference:
+    - https://vishalraj82.medium.com/hardening-openssh-security-37f5d634015f
+    - https://docs.datadoghq.com/security/default_rules/xccdf-org-ssgproject-content-rule-sshd-disable-empty-passwords/
+  tags: audit,config,file,ssh
+
+file:
+  - extensions:
+      - all
+
+    matchers:
+      - type: word
+        words:
+          - "PermitEmptyPasswords no"
+        negative: true

poc/auth/disable-root-login.yaml

@@ -0,0 +1,23 @@
+id: disable-root-login
+
+info:
+  name: Disable SSH Root Login
+  author: pussycat0x
+  severity: info
+  description: |
+    Disabling direct root login can help prevent unauthorized users from gaining full control over your system.
+  remediation: |
+    Change it to : PermitRootLogin no
+  reference:
+    - https://vishalraj82.medium.com/hardening-openssh-security-37f5d634015f
+    - https://www.tecmint.com/disable-or-enable-ssh-root-login-and-limit-ssh-access-in-linux/
+  tags: audit,config,file,ssh
+
+file:
+  - extensions:
+      - all
+
+    matchers:
+      - type: word
+        words:
+          - "PermitRootLogin yes"

poc/auth/get-stored-credentials-cmdkey.yaml

@@ -0,0 +1,27 @@
+id: get-stored-credentials-cmdkey
+
+info:
+  name: Get Stored Credentials - cmdkey
+  author: pussycat0x
+  severity: high
+  description: |
+    The cmdkey /list command in Windows is used to list all the stored credentials on the system. These credentials can include saved usernames and passwords for network resources, websites, or remote computers
+  tags: code,windows,privesc,ps
+
+self-contained: true
+code:
+  - engine:
+      - powershell
+      - powershell.exe
+    args:
+      - -ExecutionPolicy
+      - Bypass
+      - -File
+    pattern: "*.ps1"
+    source: |
+      cmdkey /list
+
+    extractors:
+      - type: dsl
+        dsl:
+          - response

poc/auth/hide-last-login-information.yaml

@@ -0,0 +1,24 @@
+id: hide-last-login-information
+
+info:
+  name: Hide SSH Last Login Information
+  author: pussycat0x
+  severity: info
+  description: |
+    Reduces Information Exposure: Users will no longer see the last login details when they log in, enhancing privacy.
+  remediation: |
+    Ensure the following line is present: : PrintLastLog no
+  reference:
+    - https://vishalraj82.medium.com/hardening-openssh-security-37f5d634015f
+    - https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=209441
+  tags: audit,config,file,ssh
+
+file:
+  - extensions:
+      - all
+
+    matchers:
+      - type: word
+        words:
+          - "PrintLastLog no"
+        negative: true

poc/auth/http-preprocessor.yaml

@@ -0,0 +1,17 @@
+id: http-preprocessor
+
+info:
+  name: Test Http Preprocessor
+  author: pdteam
+  severity: info
+
+http:
+  - raw:
+      - |
+        GET /?test={{randstr}} HTTP/1.1
+        Host: {{Hostname}}
+
+    matchers:
+      - type: status
+        status:
+          - 200

poc/auth/hyperv-enhanced-session-mode-enabled.yaml

@@ -0,0 +1,33 @@
+id: hyperv-enhanced-session-mode-enabled
+
+info:
+  name: Hyper-V Enhanced Session Mode Enabled
+  author: princechaddha
+  severity: medium
+  description: Determines if Hyper-V Enhanced Session Mode is enabled unnecessarily.
+  impact: |
+    Enabling Enhanced Session Mode unnecessarily can expose the virtual machine to additional risks by increasing attack surface.
+  remediation: |
+    Disable Enhanced Session Mode if not required.
+  tags: windows,hyperv,code,windows-audit
+
+self-contained: true
+
+code:
+  - pre-condition: |
+      IsWindows();
+    engine:
+      - powershell
+      - powershell.exe
+    args:
+      - -ExecutionPolicy
+      - Bypass
+    pattern: "*.ps1"
+    source: |
+      $enhancedSession = Get-VMHost | Select-Object -ExpandProperty EnhancedSessionTransportType
+      Write-Host "EnhancedSessionMode: $enhancedSession"
+
+    matchers:
+      - type: word
+        words:
+          - "EnhancedSessionMode: VMBus"

poc/auth/limit-maximum-authentication-attempts.yaml

@@ -0,0 +1,23 @@
+id: limit-maximum-authentication-attempts
+
+info:
+  name: Limit Maximum SSH Authentication Attempts
+  author: pussycat0x
+  severity: info
+  description: |
+    Reduces Brute-Force Attack Surface: Limiting the number of attempts prevents attackers from repeatedly guessing passwords.
+  remediation: |
+    Change it to : MaxAuthTries 3
+  reference:
+    - https://vishalraj82.medium.com/hardening-openssh-security-37f5d634015f
+    - https://www.tenable.com/audits/items/CIS_Amazon_Linux_2_v3.0.0_L1.audit:82ddb0bcc7ddfddaae3ec0b408ffb225
+  tags: audit,config,file,ssh
+
+file:
+  - extensions:
+      - all
+
+    matchers:
+      - type: word
+        words:
+          - "#MaxAuthTries"

poc/auth/lm-ntlmv1-authentication-enabled.yaml

@@ -0,0 +1,32 @@
+id: lm-ntlmv1-authentication-enabled
+
+info:
+  name: LM and NTLMv1 Authentication Enabled
+  author: princechaddha
+  severity: high
+  description: Checks if LM and NTLMv1 authentication protocols are enabled, which are insecure.
+  impact: |
+    Legacy authentication methods such as LM and NTLMv1 are vulnerable to brute-force and pass-the-hash attacks.
+  remediation: |
+    Disable LM and NTLMv1 and enforce NTLMv2 or Kerberos for secure authentication.
+  tags: lm,ntlmv1,authentication,code,windows-audit
+
+self-contained: true
+
+code:
+  - pre-condition: |
+      IsWindows();
+    engine:
+      - powershell
+      - powershell.exe
+    args:
+      - -ExecutionPolicy
+      - Bypass
+    pattern: "*.ps1"
+    source: |
+      $level = (Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' -Name 'LmCompatibilityLevel' -ErrorAction SilentlyContinue).LmCompatibilityLevel; if ($level -lt 3 -or $level -eq $null) { if ($level -eq $null) {"LM Compatibility Level is not set"} else {"LM Compatibility Level is misconfigured (current value: $level)"}} else {"LM Compatibility Level is securely configured (current value: $level)"}
+
+    matchers:
+      - type: word
+        words:
+          - "LM Compatibility Level is misconfigured"

poc/auth/max-password-age-too-high.yaml

@@ -0,0 +1,30 @@
+id: max-password-age-too-high
+
+info:
+  name: Maximum Password Age Set Too High or Unlimited
+  author: princechaddha
+  severity: medium
+  description: Checks if the maximum password age allows passwords to be used indefinitely.
+  impact: |
+    Allowing long or unlimited password lifetimes increases the risk of compromised credentials.
+  remediation: |
+    Set a reasonable maximum password age to force regular password changes.
+  tags: policy,code,windows-audit
+
+self-contained: true
+
+code:
+  - pre-condition: |
+      IsWindows();
+    engine:
+      - cmd
+    args:
+      - /c
+    pattern: "*.cmd"
+    source: |
+      net accounts
+
+    matchers:
+      - type: word
+        words:
+          - "Maximum password age (days):                          0"

poc/auth/minimum-password-age-zero.yaml

@@ -0,0 +1,36 @@
+id: minimum-password-age-zero
+
+info:
+  name: Minimum Password Age Set to Zero
+  author: princechaddha
+  severity: medium
+  description: Checks if the minimum password age is set to zero, allowing immediate password changes and potential reuse.
+  impact: |
+    Allowing a password age of zero may lead to the rapid reuse of weak passwords, reducing account security.
+  remediation: |
+    Set a reasonable minimum password age to prevent users from reusing old passwords frequently.
+  tags: windows, password, policy, code, windows-audit
+
+self-contained: true
+
+code:
+  - pre-condition: |
+      IsWindows();
+    engine:
+      - cmd
+    args:
+      - /c
+    pattern: "*.cmd"
+    source: |
+      net accounts
+
+    matchers-condition: and
+    matchers:
+      - type: word
+        words:
+          - "Minimum password age (days):                          0"
+        negative: true
+
+      - type: word
+        words:
+          - "Minimum password age"

poc/auth/null-session-allowed.yaml

@@ -0,0 +1,32 @@
+id: null-session-allowed
+
+info:
+  name: Null Session Allowed
+  author: princechaddha
+  severity: high
+  description: Checks if null sessions are allowed via any entry in the NullSessionPipes registry key, posing a security risk.
+  impact: |
+    Allowing null sessions can lead to unauthorized access to network resources, increasing vulnerability to attacks.
+  remediation: |
+    Disable null sessions by ensuring no entries are allowed in the NullSessionPipes registry key.
+  tags: windows,null-session,code,windows-audit
+
+self-contained: true
+
+code:
+  - pre-condition: |
+      IsWindows();
+    engine:
+      - powershell
+      - powershell.exe
+    args:
+      - -ExecutionPolicy
+      - Bypass
+    pattern: "*.ps1"
+    source: |
+      if ((Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters' -Name 'NullSessionPipes').NullSessionPipes.Count -gt 0) { "Null sessions are allowed" }
+
+    matchers:
+      - type: word
+        words:
+          - "Null sessions are allowed"

poc/auth/password-complexity-disabled.yaml

@@ -0,0 +1,32 @@
+id: password-complexity-disabled
+
+info:
+  name: Password Complexity Requirements Disabled
+  author: princechaddha
+  severity: high
+  description: Checks if password complexity requirements are disabled.
+  impact: |
+    Disabling password complexity can lead to the use of weak, easily guessable passwords, increasing the risk of unauthorized access.
+  remediation: |
+    Enable password complexity requirements to enforce the use of strong, hard-to-guess passwords.
+  tags: windows,code,windows-audit
+
+self-contained: true
+
+code:
+  - pre-condition: |
+      IsWindows();
+    engine:
+      - powershell
+      - powershell.exe
+    args:
+      - -ExecutionPolicy
+      - Bypass
+    pattern: "*.ps1"
+    source: |
+      if ((Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' -Name 'LimitBlankPasswordUse').LimitBlankPasswordUse -eq 0) { "Password complexity is disabled" }
+
+    matchers:
+      - type: word
+        words:
+          - "Password complexity is disabled"