admin/nuclei-templates
1
0
Fork 0
mirror of https://github.com/projectdiscovery/nuclei-templates.git synced 2026-02-04 01:33:21 +08:00
Code Issues Packages Projects Releases Wiki Activity
Files
23c94de2edd4515d44a32996c8557c91be4ca63f
nuclei-templates/code/windows/audit/kisa/hard-disk-default-share.yaml
ghost b2039aeba4 chore: sign templates 🤖
2025-07-10 10:32:02 +00:00

75 lines
2.8 KiB
YAML
Raw Blame History

id: hard-disk-default-share
info:
name: Hard Disk Default Share Removal Check
author: nukunga[SungHyunJeon]
severity: medium
description: |
Ensure default administrative shares (e.g., C$, D$, Admin$) are disabled by verifying that the AutoShareServer registry value is set to 0.
Leaving these shares enabled can expose system resources to unauthorized access.
impact: |
If the AutoShareServer registry value is set to 1 or default administrative shares (excluding IPC$) are present, attackers may exploit them to gain unauthorized access to system resources.
remediation: |
Permanently disable default administrative shares by setting the AutoShareServer registry value to 0 at:
- HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lanmanserver\parameters
- Additionally, remove any non-essential default shares using the appropriate system management tools.
reference:
- https://isms.kisa.or.kr/main/csap/notice/?boardId=bbs_0000000000000004&mode=view&cntId=85
tags: ftp,iis,code,windows-audit,kisa,share-permissions
self-contained: true
code:
- pre-condition: |
IsWindows();
engine:
- powershell
- powershell.exe
args:
- -ExecutionPolicy
- Bypass
pattern: "*.ps1"
source: |
$vulnerable = $false
# Check the AutoShareServer registry value
$regPath = 'HKLM:\SYSTEM\CurrentControlSet\Services\lanmanserver\parameters'
$autoShare = (Get-ItemProperty -Path $regPath -Name AutoShareServer -ErrorAction SilentlyContinue).AutoShareServer
if ($autoShare -eq 1) {
$vulnerable = $true
}
# Retrieve list of shared folders using 'net share'
$netShares = net share | Out-String
$lines = $netShares -split "`n"
$shareNames = @()
$startParsing = $false
foreach ($line in $lines) {
if ($line -match "^-+") {
$startParsing = $true
continue
}
if ($startParsing -and $line.Trim() -ne "" -and $line -notmatch "The command completed successfully") {
$tokens = $line.Trim() -split "\s+"
if ($tokens.Count -gt 0) {
$shareNames += $tokens[0]
}
}
}
# Define default shares to check (excluding IPC$)
$defaultShares = @("C$", "D$", "Admin$")
foreach ($share in $shareNames) {
if ($defaultShares -contains $share) {
$vulnerable = $true
break
}
}
if ($vulnerable) {
"DEFAULT_SHARE_VULNERABLE"
} else {
"DEFAULT_SHARE_COMPLIANT"
}
matchers:
- type: word
words:
- "DEFAULT_SHARE_VULNERABLE"
# digest: 4a0a004730450221009ebdc7c1aef05392bad7dfec19455d19a49841b9c5450289066663f12f7cf7b702205fc2205ef3699f0479d05c18f6ba580269db8bfb3265cd700a7084fbe01794e2:922c64590222798bb761d5b6d8e72950
Reference in New Issue View Git Blame Copy Permalink