admin/nuclei-templates
1
0
Fork 0
mirror of https://github.com/projectdiscovery/nuclei-templates.git synced 2026-02-06 10:43:18 +08:00
Code Issues Packages Projects Releases Wiki Activity
Files
23c94de2edd4515d44a32996c8557c91be4ca63f
nuclei-templates/code/windows/audit/kisa/remote-system-shutdown.yaml
ghost b2039aeba4 chore: sign templates 🤖
2025-07-10 10:32:02 +00:00

52 lines
2.1 KiB
YAML
Raw Blame History

id: remote-system-shutdown
info:
name: Remote System Forced Shutdown Privilege Check
author: nukunga[SungHyunJeon]
severity: medium
description: |
Ensure the "Force shutdown from a remote system" policy (SeRemoteShutdownPrivilege) is assigned only to the Administrators group (SID: S-1-5-32-544). Granting this privilege to unauthorized accounts can allow attackers to remotely shut down the system, posing a significant risk.
impact: |
Granting this privilege to accounts or groups other than Administrators can be exploited to carry out unauthorized remote shutdowns, resulting in service disruptions or denial-of-service conditions.
remediation: |
Configure the policy to grant the SeRemoteShutdownPrivilege exclusively to the Administrators group by setting its value to S-1-5-32-544 only.
reference:
- https://isms.kisa.or.kr/main/csap/notice/?boardId=bbs_0000000000000004&mode=view&cntId=85
tags: policy,code,windows-audit,kisa
self-contained: true
code:
- pre-condition: |
IsWindows();
engine:
- powershell
- powershell.exe
args:
- -ExecutionPolicy
- Bypass
pattern: "*.ps1"
source: |
# Export the current security settings to a configuration file.
$cfgPath = "C:\cfg.txt"
secedit /export /cfg $cfgPath | Out-Null
# Read the exported configuration file.
$cfg = Get-Content $cfgPath | Out-String
# Extract the SeRemoteShutdownPrivilege value.
if ($cfg -match "SeRemoteShutdownPrivilege\s*=\s*(.*)") {
$privs = $Matches[1].Trim()
# Check if only the Administrators SID (S-1-5-32-544) is present.
if ($privs -eq "S-1-5-32-544") {
"REMOTE_SHUTDOWN_PRIVILEGE_COMPLIANT"
} else {
"REMOTE_SHUTDOWN_PRIVILEGE_VULNERABLE"
}
} else {
"REMOTE_SHUTDOWN_PRIVILEGE_NOT_FOUND"
}
matchers:
- type: word
words:
- "REMOTE_SHUTDOWN_PRIVILEGE_VULNERABLE"
# digest: 490a004630440220036867acb4067c5a103c2ebd6f8b8c3afc113f9c35cffdf696aa7951ab6eca3d022073e3c70aef90e0785eada52c27726cabdfe0020fd19de73994062f43744f8601:922c64590222798bb761d5b6d8e72950
Reference in New Issue View Git Blame Copy Permalink