From 9ea5b414b83ef07ef151ed8a22beec305d6acae0 Mon Sep 17 00:00:00 2001
From: Prince Chaddha
Date: Thu, 24 Oct 2024 13:54:16 +0700
Subject: [PATCH] misc changes + added profile
---
 .../anonymous-sid-enumeration-enabled.yaml | 1 -
 code/windows/audit/audit-logging-disabled.yaml | 1 -
 .../automatic-windows-updates-disabled.yaml | 2 +-
 ...s-defender-realtime-protection-disabled.yaml | 2 +-
 .../winrm-remote-shell-access-allowed.yaml | 1 +
 profiles/azure-cloud-config.yml | 5 +----
 profiles/windows-audit.yml | 17 +++++++++++++++++
 7 files changed, 21 insertions(+), 8 deletions(-)
 create mode 100644 profiles/windows-audit.yml
diff --git a/code/windows/audit/anonymous-sid-enumeration-enabled.yaml b/code/windows/audit/anonymous-sid-enumeration-enabled.yaml
index 041578c17ad..fc364225417 100644
--- a/code/windows/audit/anonymous-sid-enumeration-enabled.yaml
+++ b/code/windows/audit/anonymous-sid-enumeration-enabled.yaml
@@ -22,7 +22,6 @@ code:
 args:
 - -ExecutionPolicy
 - Bypass
- - -Command
 pattern: "*.ps1"
 source: |
 Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' -Name 'EveryoneIncludesAnonymous'
diff --git a/code/windows/audit/audit-logging-disabled.yaml b/code/windows/audit/audit-logging-disabled.yaml
index c37bf516aa5..702b4cd1909 100644
--- a/code/windows/audit/audit-logging-disabled.yaml
+++ b/code/windows/audit/audit-logging-disabled.yaml
@@ -22,7 +22,6 @@ code:
 args:
 - -ExecutionPolicy
 - Bypass
- - -Command
 pattern: "*.ps1"
 source: |
 AuditPol /get /category:"Account Logon"
diff --git a/code/windows/audit/automatic-windows-updates-disabled.yaml b/code/windows/audit/automatic-windows-updates-disabled.yaml
index 51fdb809255..70473d11d53 100644
--- a/code/windows/audit/automatic-windows-updates-disabled.yaml
+++ b/code/windows/audit/automatic-windows-updates-disabled.yaml
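Review bot: With `- -Command` removed from `args`, the generated `*.ps1` path becomes a bare positional argument, and how PowerShell interprets it depends on the engine configured above this hunk: Windows PowerShell (`powershell.exe`) defaults to `-Command`, while `pwsh` defaults to `-File`. Making it explicit avoids the temp-file path being parsed as a command expression (which breaks on paths containing spaces): add `- -File` after `- Bypass`. The same applies to the identical hunk in `code/windows/audit/audit-logging-disabled.yaml`. The `engine` line and the matchers are outside both hunks, so the actual default in use cannot be confirmed from here.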
@@ -9,7 +9,7 @@ info:
 Without regular updates, systems may miss important security patches.
 remediation: |
 Enable automatic Windows Updates to ensure timely updates for system security.
- tags: windows,updates,disabled
+ tags: windows,updates,disabled,windows-audit
 self-contained: true
diff --git a/code/windows/audit/windows-defender-realtime-protection-disabled.yaml b/code/windows/audit/windows-defender-realtime-protection-disabled.yaml
index 064fb860d14..5d5d01b17a8 100644
--- a/code/windows/audit/windows-defender-realtime-protection-disabled.yaml
+++ b/code/windows/audit/windows-defender-realtime-protection-disabled.yaml
@@ -9,7 +9,7 @@ info:
 Disabling real-time protection increases the risk of malware infections.
 remediation: |
 Enable Windows Defender real-time protection to secure the system.
- tags: windows,defender,antivirus,disabled
+ tags: windows,defender,windows-audit
 self-contained: true
diff --git a/code/windows/audit/winrm-remote-shell-access-allowed.yaml b/code/windows/audit/winrm-remote-shell-access-allowed.yaml
index 1cf7599d5ac..0b18deee1c5 100644
--- a/code/windows/audit/winrm-remote-shell-access-allowed.yaml
+++ b/code/windows/audit/winrm-remote-shell-access-allowed.yaml
@@ -22,6 +22,7 @@ code:
 args:
 - -ExecutionPolicy
 - Bypass
+ pattern: "*.ps1"
 source: |
 (Get-Item WSMan:\localhost\Shell).AllowRemoteShellAccess
diff --git a/profiles/azure-cloud-config.yml b/profiles/azure-cloud-config.yml
index ae8125105aa..2d62fd1d08c 100644
--- a/profiles/azure-cloud-config.yml
+++ b/profiles/azure-cloud-config.yml
@@ -14,7 +14,4 @@
 code: true # enable code templates
 
 tags:
- - azure-cloud-config # filter templates with "azure-cloud-config" tags
-
-var:
- - region=us-east-1 # template input for "region" variable
+ - azure-cloud-config # filter templates with "azure-cloud-config" tags
\ No newline at end of file
diff --git a/profiles/windows-audit.yml b/profiles/windows-audit.yml
new file mode 100644
index 00000000000..dbf3980b7ca
--- /dev/null
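Review bot: The new `tags:` line in windows-defender-realtime-protection-disabled.yaml drops the existing `antivirus` and `disabled` tags instead of appending, unlike the automatic-windows-updates-disabled.yaml hunk in this same commit, which keeps `disabled` and only adds `windows-audit`. Anyone filtering with `-tags antivirus` or `-tags disabled` silently loses this template. Keep the existing tags and append the new one: `tags: windows,defender,antivirus,disabled,windows-audit`.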
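Review bot: The added `pattern: "*.ps1"` makes `(Get-Item WSMan:\localhost\Shell).AllowRemoteShellAccess` run as a script file, but the `WSMan:` drive is presumably only reachable while the WinRM service is running; on a host where it is stopped, Get-Item throws and yields no value, so the matchers (outside this hunk) would have to tell "WinRM not running" apart from "remote shell access not allowed" or the audit reports nothing. Consider guarding the call so the result is explicit, e.g. `if ((Get-Service WinRM).Status -eq 'Running') { (Get-Item WSMan:\localhost\Shell).AllowRemoteShellAccess } else { 'WinRM stopped' }`, or state the precondition in the template description.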
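Review bot: The rewritten `- azure-cloud-config` line is identical to the removed one except that it now ends the file without a trailing newline (`\ No newline at end of file`), a style regression that will make the next append to this profile show up as a two-line change. Restore the final newline; the new profiles/windows-audit.yml in this commit has the same issue. Dropping `region=us-east-1` from the Azure profile looks right, since that value is an AWS region name rather than an Azure one.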
+++ b/profiles/windows-audit.yml
@@ -0,0 +1,17 @@
+# Nuclei Configuration Profile for Windows Audit
+#
+# This configuration file is specifically tailored for auditing Windows environments using Nuclei.
+#
+# Purpose:
+# This profile is focused on identifying misconfigurations and vulnerabilities in Windows systems. Ensuring proper configuration and security controls is crucial for protecting Windows environments and ensuring that only authorized entities have access.
+#
+# Included Templates:
+# This configuration references specific templates tagged with 'windows-audit' to cover comprehensive scanning of Windows systems.
+#
+# Running this profile:
+# You can run this profile using the following command:
+# nuclei -profile windows-audit
+code: true # enable code templates
+
+tags:
+ - windows-audit # filter templates with "windows-audit" tags
\ No newline at end of file
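Review bot: The header comment promises "comprehensive scanning" of templates tagged 'windows-audit', but this commit adds that tag to only two templates (automatic-windows-updates-disabled.yaml and windows-defender-realtime-protection-disabled.yaml); the three other code/windows/audit templates touched here receive no tag change in their hunks, so unless they already carry the tag they will not be selected by `nuclei -profile windows-audit`. Since `code: true` enables self-contained code templates that run PowerShell with `-ExecutionPolicy Bypass` (see the other hunks), the comment should also say where the profile is meant to run, e.g. `# Note: these are self-contained code templates; run nuclei on the Windows host being audited.` The file also ends without a trailing newline.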