admin/nuclei-templates
1
0
Fork 0
mirror of https://github.com/projectdiscovery/nuclei-templates.git synced 2026-02-11 13:13:26 +08:00
Code Issues Packages Projects Releases Wiki Activity
Files
e2e9901bf9ec94de03e5ed7490847aac0ccbc598
nuclei-templates/code/windows/audit/kisa/crash-on-audit-fail.yaml
ghost b2039aeba4 chore: sign templates 🤖
2025-07-10 10:32:02 +00:00

52 lines
2.1 KiB
YAML
Raw Blame History

id: crash-on-audit-fail
info:
name: Shutdown on Audit Failure Check
author: nukunga[SungHyunJeon]
severity: medium
description: |
Ensure the "Shutdown on Audit Failure" policy is disabled.
The registry value should be set to "4,0" to prevent the system from shutting down if it cannot log security audit events.
If set to "4,1", the system will shut down on audit failure, which could result in a denial-of-service condition.
impact: |
Enabling this policy (value set to "4,1") may cause the system to shut down unexpectedly if audit logs cannot be written, potentially disrupting services and risking data loss.
remediation: |
Disable the policy by setting the CrashOnAuditFail value to "4,0". This can be done by:
- Using the Registry Editor: Navigate to HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\System and set CrashOnAuditFail to "4,0".
- Through Local Security Policy: Set "Audit: Shut down system immediately if unable to log security audits" to Disabled.
reference:
- https://isms.kisa.or.kr/main/csap/notice/?boardId=bbs_0000000000000004&mode=view&cntId=85
tags: account-management,code,windows-audit,kisa,policy
self-contained: true
code:
- pre-condition: |
IsWindows();
engine:
- powershell
- powershell.exe
args:
- -ExecutionPolicy
- Bypass
pattern: "*.ps1"
source: |
$cfgPath = "C:\cfg.txt"
secedit /export /cfg $cfgPath | Out-Null
$cfg = Get-Content $cfgPath | Out-String
if ($cfg -match "CrashOnAuditFail\s*=\s*(\S+)") {
$value = $Matches[1].Trim()
if ($value -eq "4,1") {
"CRASH_ON_AUDIT_FAIL_ENABLED"
} else {
"CRASH_ON_AUDIT_FAIL_DISABLED"
}
} else {
"CRASH_ON_AUDIT_FAIL_NOT_FOUND"
}
matchers:
- type: word
words:
- "CRASH_ON_AUDIT_FAIL_ENABLED"
# digest: 490a00463044022007c2aca38559cd01cd500c5c6fd79aac025e09e5b81eb704d263ee7cd549e55102202518accc1cc2c845dbd42938cdf9c81fe5088c29fcd839627c5a5531c184c6db:922c64590222798bb761d5b6d8e72950
Reference in New Issue View Git Blame Copy Permalink