fixed plain-text and RDP template

2026-01-31 15:53:33 +08:00 · 2024-10-24 11:30:13 +07:00
parent f472d50ecd
commit de895311c6
3 changed files with 90 additions and 11 deletions
--- a/.new-addition
+++ b/.new-addition
@@ -0,0 +1,79 @@
+/Users/pwnmachine/Github/nuclei-templates/code/windows/audit/windows-script-host-enabled.yaml
+/Users/pwnmachine/Github/nuclei-templates/code/windows/audit/uac-elevate-without-prompt.yaml
+/Users/pwnmachine/Github/nuclei-templates/code/windows/audit/minimum-password-age-zero.yaml
+/Users/pwnmachine/Github/nuclei-templates/code/windows/audit/smb-allow-unencrypted-passwords.yaml
+/Users/pwnmachine/Github/nuclei-templates/code/windows/audit/rdp-connections-without-password-allowed.yaml
+/Users/pwnmachine/Github/nuclei-templates/code/windows/audit/windows-office-macro-security-low.yaml
+/Users/pwnmachine/Github/nuclei-templates/code/windows/audit/usb-storage-not-restricted.yaml
+/Users/pwnmachine/Github/nuclei-templates/code/windows/audit/download-unsigned-activex-allowed.yaml
+/Users/pwnmachine/Github/nuclei-templates/code/windows/audit/weak-ssl-tls-protocols-enabled.yaml
+/Users/pwnmachine/Github/nuclei-templates/code/windows/audit/autoplay-removable-media-enabled.yaml
+/Users/pwnmachine/Github/nuclei-templates/code/windows/audit/max-password-age-too-high.yaml
+/Users/pwnmachine/Github/nuclei-templates/code/windows/audit/auto-logon-enabled.yaml
+/Users/pwnmachine/Github/nuclei-templates/code/windows/audit/autorun-scripts-startup-folder.yaml
+/Users/pwnmachine/Github/nuclei-templates/code/windows/audit/password-complexity-disabled.yaml
+/Users/pwnmachine/Github/nuclei-templates/code/windows/audit/restrict-anonymous-access-disabled.yaml
+/Users/pwnmachine/Github/nuclei-templates/code/windows/audit/windows-installer-elevated-privileges.yaml
+/Users/pwnmachine/Github/nuclei-templates/code/windows/audit/netbios-disabled.yaml
+/Users/pwnmachine/Github/nuclei-templates/code/windows/audit/winrm-remote-shell-access-allowed.yaml
+/Users/pwnmachine/Github/nuclei-templates/code/windows/audit/windows-dep-disabled.yaml
+/Users/pwnmachine/Github/nuclei-templates/code/windows/audit/automatic-windows-updates-disabled.yaml
+/Users/pwnmachine/Github/nuclei-templates/code/windows/audit/smb-v1-enabled.yaml
+/Users/pwnmachine/Github/nuclei-templates/code/windows/audit/windows-stored-network-credentials-allowed.yaml
+/Users/pwnmachine/Github/nuclei-templates/code/windows/audit/remote-assistance-enabled.yaml
+/Users/pwnmachine/Github/nuclei-templates/code/windows/audit/default-admin-account-enabled.yaml
+/Users/pwnmachine/Github/nuclei-templates/code/windows/audit/credential-guard-disabled.yaml
+/Users/pwnmachine/Github/nuclei-templates/code/windows/audit/windows-firewall-disabled.yaml
+/Users/pwnmachine/Github/nuclei-templates/code/windows/audit/safe-dll-search-mode-disabled.yaml
+/Users/pwnmachine/Github/nuclei-templates/code/windows/audit/windows-credential-manager-plaintext-passwords-allowed.yaml
+/Users/pwnmachine/Github/nuclei-templates/code/windows/audit/rdp-nla-disabled.yaml
+/Users/pwnmachine/Github/nuclei-templates/code/windows/audit/windows-update-service-disabled.yaml
+/Users/pwnmachine/Github/nuclei-templates/code/windows/audit/allow-unencrypted-ftp.yaml
+/Users/pwnmachine/Github/nuclei-templates/code/windows/audit/iis-anonymous-auth-allowed.yaml
+/Users/pwnmachine/Github/nuclei-templates/code/windows/audit/password-reset-lock-screen-enabled.yaml
+/Users/pwnmachine/Github/nuclei-templates/code/windows/audit/rdp-drive-redirection-allowed.yaml
+/Users/pwnmachine/Github/nuclei-templates/code/windows/audit/audit-logging-disabled.yaml
+/Users/pwnmachine/Github/nuclei-templates/code/windows/audit/anonymous-sid-enumeration-enabled.yaml
+/Users/pwnmachine/Github/nuclei-templates/code/windows/audit/shutdown-without-logon-allowed.yaml
+/Users/pwnmachine/Github/nuclei-templates/code/windows/audit/secure-boot-disabled.yaml
+/Users/pwnmachine/Github/nuclei-templates/code/windows/audit/device-guard-not-configured.yaml
+/Users/pwnmachine/Github/nuclei-templates/code/windows/audit/winrm-basic-auth-enabled.yaml
+/Users/pwnmachine/Github/nuclei-templates/code/windows/audit/windows-administrator-blank-password.yaml
+/Users/pwnmachine/Github/nuclei-templates/code/windows/audit/windows-domain-credentials-caching-allowed.yaml
+/Users/pwnmachine/Github/nuclei-templates/code/windows/audit/llmnr-disabled.yaml
+/Users/pwnmachine/Github/nuclei-templates/code/windows/audit/insecure-cipher-suites-enabled.yaml
+/Users/pwnmachine/Github/nuclei-templates/code/windows/audit/plaintext-passwords-in-memory.yaml
+/Users/pwnmachine/Github/nuclei-templates/code/windows/audit/ftp-service-running.yaml
+/Users/pwnmachine/Github/nuclei-templates/code/windows/audit/network-discovery-public-enabled.yaml
+/Users/pwnmachine/Github/nuclei-templates/code/windows/audit/unsigned-kernel-mode-drivers-allowed.yaml
+/Users/pwnmachine/Github/nuclei-templates/code/windows/audit/anonymous-sam-enumeration-enabled.yaml
+/Users/pwnmachine/Github/nuclei-templates/code/windows/audit/cached-logons-count-high.yaml
+/Users/pwnmachine/Github/nuclei-templates/code/windows/audit/windows-lsa-protection-not-enabled.yaml
+/Users/pwnmachine/Github/nuclei-templates/code/windows/audit/password-history-size-low.yaml
+/Users/pwnmachine/Github/nuclei-templates/code/windows/audit/iis-directory-browsing-allowed.yaml
+/Users/pwnmachine/Github/nuclei-templates/code/windows/audit/hyperv-enhanced-session-mode-enabled.yaml
+/Users/pwnmachine/Github/nuclei-templates/code/windows/audit/windows-system-restore-not-configured.yaml
+/Users/pwnmachine/Github/nuclei-templates/code/windows/audit/allow-untrusted-certificates.yaml
+/Users/pwnmachine/Github/nuclei-templates/code/windows/audit/windows-administrative-shares-enabled.yaml
+/Users/pwnmachine/Github/nuclei-templates/code/windows/audit/guest-account-enabled.yaml
+/Users/pwnmachine/Github/nuclei-templates/code/windows/audit/windows-defender-realtime-protection-disabled.yaml
+/Users/pwnmachine/Github/nuclei-templates/code/windows/audit/windows-ctrl-alt-del-disabled.yaml
+/Users/pwnmachine/Github/nuclei-templates/code/windows/audit/winrm-allows-unencrypted-traffic.yaml
+/Users/pwnmachine/Github/nuclei-templates/code/windows/audit/windows-active-desktop-enabled.yaml
+/Users/pwnmachine/Github/nuclei-templates/code/windows/audit/null-session-allowed.yaml
+/Users/pwnmachine/Github/nuclei-templates/code/windows/audit/lm-ntlmv1-authentication-enabled.yaml
+/Users/pwnmachine/Github/nuclei-templates/code/windows/audit/windows-autorun-enabled.yaml
+/Users/pwnmachine/Github/nuclei-templates/code/windows/audit/windows-anonymous-sid-enumeration-allowed.yaml
+/Users/pwnmachine/Github/nuclei-templates/code/windows/audit/windows-min-password-length-short.yaml
+/Users/pwnmachine/Github/nuclei-templates/code/windows/audit/sticky-keys-enabled-login.yaml
+/Users/pwnmachine/Github/nuclei-templates/code/windows/audit/telnet-service-running.yaml
+/Users/pwnmachine/Github/nuclei-templates/code/windows/audit/display-last-username-enabled.yaml
+/Users/pwnmachine/Github/nuclei-templates/code/windows/audit/lm-hash-storage-enabled.yaml
+/Users/pwnmachine/Github/nuclei-templates/code/windows/audit/smb-signing-not-required.yaml
+/Users/pwnmachine/Github/nuclei-templates/code/windows/audit/remote-desktop-enabled-non-server.yaml
+/Users/pwnmachine/Github/nuclei-templates/code/windows/audit/windows-uac-disabled.yaml
+/Users/pwnmachine/Github/nuclei-templates/code/windows/audit/audit-logs-not-archived.yaml
+/Users/pwnmachine/Github/nuclei-templates/code/windows/audit/winrm-enabled.yaml
+/Users/pwnmachine/Github/nuclei-templates/code/windows/audit/reversible-encryption-passwords-enabled.yaml
+/Users/pwnmachine/Github/nuclei-templates/code/windows/audit/unencrypted-file-sharing-enabled.yaml
+/Users/pwnmachine/Github/nuclei-templates/code/windows/audit/windows-unsigned-drivers-allowed.yaml
--- a/code/windows/audit/plaintext-passwords-in-memory.yaml
+++ b/code/windows/audit/plaintext-passwords-in-memory.yaml
@@ -1,15 +1,15 @@
-id: rdp-connections-without-password-allowed
+id: plaintext-passwords-in-memory

 info:
-  name: Remote Desktop Connections Allowed Without Password
+  name: Plaintext Passwords Stored in Memory
  author: princechaddha
  severity: high
-  description: Checks if Remote Desktop Protocol connections are allowed without requiring a password.
+  description: Checks if passwords are stored in memory in plaintext, potentially exposing sensitive information to unauthorized memory access.
  impact: |
-    Allowing RDP connections without a password increases the risk of unauthorized access to the system.
+    Storing passwords in plaintext in memory can expose sensitive credentials to attackers who gain access to memory dumps or can read memory directly, leading to unauthorized access and data breaches.
  remediation: |
-    Require passwords for all RDP connections to secure access.
-  tags: windows,rdp,code,windows-audit
+    Ensure that all sensitive data, especially passwords, are stored in memory in an encrypted or hashed format to mitigate the risk of exposure.
+  tags: windows,security,credentials,windows-audit

 self-contained: true

@@ -24,9 +24,9 @@ code:
      - Bypass
    pattern: "*.ps1"
    source: |
-      if ((Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server' -Name 'fPromptForPassword' -ErrorAction SilentlyContinue).fPromptForPassword -eq 0) { "RDP connections allowed without password." }
+      if ((Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest' -Name 'UseLogonCredential' -ErrorAction SilentlyContinue).UseLogonCredential -eq 1) { "Plaintext passwords are stored in memory." }

    matchers:
      - type: word
        words:
-          - "RDP connections allowed without password."
+          - "Plaintext passwords are stored in memory."
--- a/code/windows/audit/rdp-connections-without-password-allowed.yaml
+++ b/code/windows/audit/rdp-connections-without-password-allowed.yaml
@@ -9,7 +9,7 @@ info:
    Allowing RDP connections without a password increases the risk of unauthorized access to the system.
  remediation: |
    Require passwords for all RDP connections to secure access.
-  tags: windows,rdp,password,authentication,code,windows-audit
+  tags: windows,rdp,code,windows-audit

 self-contained: true

@@ -24,9 +24,9 @@ code:
      - Bypass
    pattern: "*.ps1"
    source: |
-      Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server' -Name 'fPromptForPassword'
+      if ((Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server' -Name 'fPromptForPassword' -ErrorAction SilentlyContinue).fPromptForPassword -eq 0) { "RDP connections allowed without password." }

    matchers:
      - type: word
        words:
-          - "fPromptForPassword : 0"
+          - "RDP connections allowed without password."