Commit 9eb53f8 (parent e6b6301): showing 245 changed files with 16,125 additions and 4 deletions.
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -1 +1 @@ | ||
20241028 | ||
20241029 |
@@ -0,0 +1,38 @@ | ||
id: credential-guard-disabled | ||
|
||
info: | ||
name: Credential Guard Not Enabled | ||
author: princechaddha | ||
severity: high | ||
description: Verifies if Windows Defender Credential Guard is disabled, reducing protection against credential theft. | ||
impact: | | ||
Disabling Credential Guard reduces protection against modern credential theft techniques. | ||
remediation: | | ||
Enable Credential Guard to enhance security against credential theft. | ||
tags: credential-guard,code,windows-audit | ||
|
||
self-contained: true | ||
|
||
code: | ||
- pre-condition: | | ||
IsWindows(); | ||
engine: | ||
- powershell | ||
- powershell.exe | ||
args: | ||
- -ExecutionPolicy | ||
- Bypass | ||
pattern: "*.ps1" | ||
source: | | ||
Get-CimInstance -ClassName Win32_DeviceGuard -Namespace root\Microsoft\Windows\DeviceGuard | ||
matchers-condition: and | ||
matchers: | ||
- type: word | ||
words: | ||
- "AvailableSecurityProperties" | ||
- type: word | ||
words: | ||
- "Credential Guard" | ||
negative: true |
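Review bot: the negative matcher on "Credential Guard" (last three lines of the hunk) fires on every host, because `Get-CimInstance -ClassName Win32_DeviceGuard` reports its state as numeric codes in `AvailableSecurityProperties`, `SecurityServicesConfigured` and `SecurityServicesRunning`, never as the text "Credential Guard"; the template therefore reports hosts on which Credential Guard is running. Test `SecurityServicesRunning` for the value 1 (Credential Guard) instead, e.g. emit a fixed string when `(Get-CimInstance -ClassName Win32_DeviceGuard -Namespace root\Microsoft\Windows\DeviceGuard).SecurityServicesRunning -notcontains 1` and match on that string. Separately, `args` stops at `- Bypass` here while the cmdkey template in this commit also passes `- -File`; use one form for all powershell templates.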
@@ -0,0 +1,24 @@ | ||
id: disable-empty-password | ||
|
||
info: | ||
name: Disable SSH Empty Password | ||
author: pussycat0x | ||
severity: info | ||
description: | | ||
Disabling SSH logins with empty passwords significantly enhances the security of your server. | ||
remediation: | | ||
Change it to : PermitEmptyPasswords no | ||
reference: | ||
- https://vishalraj82.medium.com/hardening-openssh-security-37f5d634015f | ||
- https://docs.datadoghq.com/security/default_rules/xccdf-org-ssgproject-content-rule-sshd-disable-empty-passwords/ | ||
tags: audit,config,file,ssh | ||
|
||
file: | ||
- extensions: | ||
- all | ||
|
||
matchers: | ||
- type: word | ||
words: | ||
- "PermitEmptyPasswords no" | ||
negative: true |
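Review bot: `extensions: all` combined with a single negative word matcher reports every file that lacks the literal "PermitEmptyPasswords no", which is nearly every file on the target rather than sshd_config; it also misreports a config that leaves the directive commented out, since the OpenSSH default is already `no`, and it treats a commented `#PermitEmptyPasswords no` line as compliant. Make the finding positive and anchored, e.g. `type: regex` with `(?m)^\s*PermitEmptyPasswords\s+yes`, and narrow the file set (or add an `and` matcher on another sshd directive) so only sshd_config-like files are evaluated. The remediation text "Change it to : PermitEmptyPasswords no" has a stray space before the colon.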
@@ -0,0 +1,23 @@ | ||
id: disable-root-login | ||
|
||
info: | ||
name: Disable SSH Root Login | ||
author: pussycat0x | ||
severity: info | ||
description: | | ||
Disabling direct root login can help prevent unauthorized users from gaining full control over your system. | ||
remediation: | | ||
Change it to : PermitRootLogin no | ||
reference: | ||
- https://vishalraj82.medium.com/hardening-openssh-security-37f5d634015f | ||
- https://www.tecmint.com/disable-or-enable-ssh-root-login-and-limit-ssh-access-in-linux/ | ||
tags: audit,config,file,ssh | ||
|
||
file: | ||
- extensions: | ||
- all | ||
|
||
matchers: | ||
- type: word | ||
words: | ||
- "PermitRootLogin yes" |
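Review bot: the word matcher `"PermitRootLogin yes"` also matches the commented default `#PermitRootLogin yes` that older stock sshd_config files ship with, so hosts where the directive was never enabled are reported, and `extensions: all` evaluates every file on the target rather than sshd_config. Use an anchored regex (`(?m)^\s*PermitRootLogin\s+yes`) and restrict the file selection; the remediation string has the same "to :" spacing slip as the empty-password template.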
@@ -0,0 +1,27 @@ | ||
id: get-stored-credentials-cmdkey | ||
|
||
info: | ||
name: Get Stored Credentials - cmdkey | ||
author: pussycat0x | ||
severity: high | ||
description: | | ||
The cmdkey /list command in Windows is used to list all the stored credentials on the system. These credentials can include saved usernames and passwords for network resources, websites, or remote computers | ||
tags: code,windows,privesc,ps | ||
|
||
self-contained: true | ||
code: | ||
- engine: | ||
- powershell | ||
- powershell.exe | ||
args: | ||
- -ExecutionPolicy | ||
- Bypass | ||
- -File | ||
pattern: "*.ps1" | ||
source: | | ||
cmdkey /list | ||
extractors: | ||
- type: dsl | ||
dsl: | ||
- response |
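Review bot: this template has no matcher, only a `dsl` extractor on `response`, so it produces a result on every host, including those where `cmdkey /list` returns no stored credentials, and `severity: high` with the `privesc` tag then attach to empty output. Add a matcher that distinguishes a populated list from an empty one before extracting, and add the `pre-condition: IsWindows();` that the other code templates in this commit use so the powershell engine is not invoked on non-Windows targets. The `description` should also state that `cmdkey /list` only shows the credential store of the account nuclei runs as, since that decides what the result means.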
@@ -0,0 +1,24 @@ | ||
id: hide-last-login-information | ||
|
||
info: | ||
name: Hide SSH Last Login Information | ||
author: pussycat0x | ||
severity: info | ||
description: | | ||
Reduces Information Exposure: Users will no longer see the last login details when they log in, enhancing privacy. | ||
remediation: | | ||
Ensure the following line is present: : PrintLastLog no | ||
reference: | ||
- https://vishalraj82.medium.com/hardening-openssh-security-37f5d634015f | ||
- https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=209441 | ||
tags: audit,config,file,ssh | ||
|
||
file: | ||
- extensions: | ||
- all | ||
|
||
matchers: | ||
- type: word | ||
words: | ||
- "PrintLastLog no" | ||
negative: true |
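Review bot: the negative matcher on "PrintLastLog no" is satisfied (no finding) by a commented `#PrintLastLog no` line while the directive stays at its default of `yes`, and with `extensions: all` every non-sshd file on the target is reported. Use an anchored negative `regex` matcher (`(?m)^\s*PrintLastLog\s+no`) restricted to sshd_config, and fix the doubled colon in the remediation ("present: : PrintLastLog no").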
@@ -0,0 +1,17 @@ | ||
id: http-preprocessor | ||
|
||
info: | ||
name: Test Http Preprocessor | ||
author: pdteam | ||
severity: info | ||
|
||
http: | ||
- raw: | ||
- | | ||
GET /?test={{randstr}} HTTP/1.1 | ||
Host: {{Hostname}} | ||
matchers: | ||
- type: status | ||
status: | ||
- 200 |
@@ -0,0 +1,33 @@ | ||
id: hyperv-enhanced-session-mode-enabled | ||
|
||
info: | ||
name: Hyper-V Enhanced Session Mode Enabled | ||
author: princechaddha | ||
severity: medium | ||
description: Determines if Hyper-V Enhanced Session Mode is enabled unnecessarily. | ||
impact: | | ||
Enabling Enhanced Session Mode unnecessarily can expose the virtual machine to additional risks by increasing attack surface. | ||
remediation: | | ||
Disable Enhanced Session Mode if not required. | ||
tags: windows,hyperv,code,windows-audit | ||
|
||
self-contained: true | ||
|
||
code: | ||
- pre-condition: | | ||
IsWindows(); | ||
engine: | ||
- powershell | ||
- powershell.exe | ||
args: | ||
- -ExecutionPolicy | ||
- Bypass | ||
pattern: "*.ps1" | ||
source: | | ||
$enhancedSession = Get-VMHost | Select-Object -ExpandProperty EnhancedSessionTransportType | ||
Write-Host "EnhancedSessionMode: $enhancedSession" | ||
matchers: | ||
- type: word | ||
words: | ||
- "EnhancedSessionMode: VMBus" |
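Review bot: `EnhancedSessionTransportType` (the `$enhancedSession` line) is the transport Hyper-V uses for enhanced sessions, not whether the feature is enabled; `VMBus` is its default, so every Hyper-V host is reported regardless of the setting the template is named for. Read the boolean `EnableEnhancedSessionMode` property of `Get-VMHost` instead, emit a fixed string when it is `$true` and match on that, and add `-ErrorAction SilentlyContinue` (or a module check in the pre-condition) so hosts without the Hyper-V module produce no output rather than an error.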
@@ -0,0 +1,23 @@ | ||
id: limit-maximum-authentication-attempts | ||
|
||
info: | ||
name: Limit Maximum SSH Authentication Attempts | ||
author: pussycat0x | ||
severity: info | ||
description: | | ||
Reduces Brute-Force Attack Surface: Limiting the number of attempts prevents attackers from repeatedly guessing passwords. | ||
remediation: | | ||
Change it to : MaxAuthTries 3 | ||
reference: | ||
- https://vishalraj82.medium.com/hardening-openssh-security-37f5d634015f | ||
- https://www.tenable.com/audits/items/CIS_Amazon_Linux_2_v3.0.0_L1.audit:82ddb0bcc7ddfddaae3ec0b408ffb225 | ||
tags: audit,config,file,ssh | ||
|
||
file: | ||
- extensions: | ||
- all | ||
|
||
matchers: | ||
- type: word | ||
words: | ||
- "#MaxAuthTries" |
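Review bot: matching the literal `"#MaxAuthTries"` tests for the presence of the commented default line, not for the effective value: a file with `MaxAuthTries 3` set and the default comment left in place is reported, while a file with `MaxAuthTries 100` and the comment deleted is not. Check the active directive instead, e.g. a negative `regex` matcher on `(?m)^\s*MaxAuthTries\s+[1-4]\s*$`; the CIS audit cited in `reference` allows a value of 4 or less while the remediation says 3, so align the two. `extensions: all` has the same over-matching problem as the other ssh templates in this commit.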
@@ -0,0 +1,32 @@ | ||
id: lm-ntlmv1-authentication-enabled | ||
|
||
info: | ||
name: LM and NTLMv1 Authentication Enabled | ||
author: princechaddha | ||
severity: high | ||
description: Checks if LM and NTLMv1 authentication protocols are enabled, which are insecure. | ||
impact: | | ||
Legacy authentication methods such as LM and NTLMv1 are vulnerable to brute-force and pass-the-hash attacks. | ||
remediation: | | ||
Disable LM and NTLMv1 and enforce NTLMv2 or Kerberos for secure authentication. | ||
tags: lm,ntlmv1,authentication,code,windows-audit | ||
|
||
self-contained: true | ||
|
||
code: | ||
- pre-condition: | | ||
IsWindows(); | ||
engine: | ||
- powershell | ||
- powershell.exe | ||
args: | ||
- -ExecutionPolicy | ||
- Bypass | ||
pattern: "*.ps1" | ||
source: | | ||
$level = (Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' -Name 'LmCompatibilityLevel' -ErrorAction SilentlyContinue).LmCompatibilityLevel; if ($level -lt 3 -or $level -eq $null) { if ($level -eq $null) {"LM Compatibility Level is not set"} else {"LM Compatibility Level is misconfigured (current value: $level)"}} else {"LM Compatibility Level is securely configured (current value: $level)"} | ||
matchers: | ||
- type: word | ||
words: | ||
- "LM Compatibility Level is misconfigured" |
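Review bot: the threshold `$level -lt 3` only flags hosts that still send LM or NTLMv1 responses; at levels 3 and 4 a server or domain controller still accepts LM and NTLMv1 from clients, so a host that accepts NTLMv1 passes this check even though the title says "Authentication Enabled". Decide whether the check covers sending or accepting and use `-lt 5` for the latter. When the value is absent the script prints "not set", which the matcher ignores; the effective default on supported Windows is 3, so either document that or treat absence as level 3. Put `$null` on the left of the comparison (`$null -eq $level`) and split the one-line script across lines so the branches can be reviewed.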
@@ -0,0 +1,30 @@ | ||
id: max-password-age-too-high | ||
|
||
info: | ||
name: Maximum Password Age Set Too High or Unlimited | ||
author: princechaddha | ||
severity: medium | ||
description: Checks if the maximum password age allows passwords to be used indefinitely. | ||
impact: | | ||
Allowing long or unlimited password lifetimes increases the risk of compromised credentials. | ||
remediation: | | ||
Set a reasonable maximum password age to force regular password changes. | ||
tags: policy,code,windows-audit | ||
|
||
self-contained: true | ||
|
||
code: | ||
- pre-condition: | | ||
IsWindows(); | ||
engine: | ||
- cmd | ||
args: | ||
- /c | ||
pattern: "*.cmd" | ||
source: | | ||
net accounts | ||
matchers: | ||
- type: word | ||
words: | ||
- "Maximum password age (days): 0" |
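Review bot: `net accounts` aligns its values in a column, so the label and value are separated by a run of spaces and the single-spaced literal "Maximum password age (days): 0" will not match; an unlimited maximum age is also printed as `Unlimited`, not `0`, and a merely too-high value (the other case in the title) is never detected. Use a `regex` matcher such as `Maximum password age \(days\):\s+(Unlimited|\d{3,})` against the output.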
@@ -0,0 +1,36 @@ | ||
id: minimum-password-age-zero | ||
|
||
info: | ||
name: Minimum Password Age Set to Zero | ||
author: princechaddha | ||
severity: medium | ||
description: Checks if the minimum password age is set to zero, allowing immediate password changes and potential reuse. | ||
impact: | | ||
Allowing a password age of zero may lead to the rapid reuse of weak passwords, reducing account security. | ||
remediation: | | ||
Set a reasonable minimum password age to prevent users from reusing old passwords frequently. | ||
tags: windows, password, policy, code, windows-audit | ||
|
||
self-contained: true | ||
|
||
code: | ||
- pre-condition: | | ||
IsWindows(); | ||
engine: | ||
- cmd | ||
args: | ||
- /c | ||
pattern: "*.cmd" | ||
source: | | ||
net accounts | ||
matchers-condition: and | ||
matchers: | ||
- type: word | ||
words: | ||
- "Minimum password age (days): 0" | ||
negative: true | ||
- type: word | ||
words: | ||
- "Minimum password age" |
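Review bot: the matcher logic is inverted: with `matchers-condition: and`, a negative match on "Minimum password age (days): 0" plus a positive match on "Minimum password age" reports hosts whose minimum age is anything other than zero, i.e. exactly the compliant ones. Drop `negative: true` and the second matcher, and use a regex with `\s+` between label and value because `net accounts` pads that gap, so the literal single-spaced string would not match even with the logic fixed. The `tags` value has spaces after the commas unlike every other template in this commit.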
@@ -0,0 +1,32 @@ | ||
id: null-session-allowed | ||
|
||
info: | ||
name: Null Session Allowed | ||
author: princechaddha | ||
severity: high | ||
description: Checks if null sessions are allowed via any entry in the NullSessionPipes registry key, posing a security risk. | ||
impact: | | ||
Allowing null sessions can lead to unauthorized access to network resources, increasing vulnerability to attacks. | ||
remediation: | | ||
Disable null sessions by ensuring no entries are allowed in the NullSessionPipes registry key. | ||
tags: windows,null-session,code,windows-audit | ||
|
||
self-contained: true | ||
|
||
code: | ||
- pre-condition: | | ||
IsWindows(); | ||
engine: | ||
- powershell | ||
- powershell.exe | ||
args: | ||
- -ExecutionPolicy | ||
- Bypass | ||
pattern: "*.ps1" | ||
source: | | ||
if ((Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters' -Name 'NullSessionPipes').NullSessionPipes.Count -gt 0) { "Null sessions are allowed" } | ||
matchers: | ||
- type: word | ||
words: | ||
- "Null sessions are allowed" |
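Review bot: `NullSessionPipes.Count -gt 0` is only half the condition: anonymous pipe access is governed together with `RestrictNullSessAccess` in the same key, and a host with `RestrictNullSessAccess` set to 0 exposes every pipe while this list stays empty, so it is never reported. Read both values with `-ErrorAction SilentlyContinue` (a missing value currently throws and yields no output) and report when `RestrictNullSessAccess` is 0 or the list contains pipes beyond what policy deliberately allows; policy populates this list on domain controllers by default, so the remediation "no entries" is not achievable everywhere and the description should say what an expected entry looks like.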
@@ -0,0 +1,32 @@ | ||
id: password-complexity-disabled | ||
|
||
info: | ||
name: Password Complexity Requirements Disabled | ||
author: princechaddha | ||
severity: high | ||
description: Checks if password complexity requirements are disabled. | ||
impact: | | ||
Disabling password complexity can lead to the use of weak, easily guessable passwords, increasing the risk of unauthorized access. | ||
remediation: | | ||
Enable password complexity requirements to enforce the use of strong, hard-to-guess passwords. | ||
tags: windows,code,windows-audit | ||
|
||
self-contained: true | ||
|
||
code: | ||
- pre-condition: | | ||
IsWindows(); | ||
engine: | ||
- powershell | ||
- powershell.exe | ||
args: | ||
- -ExecutionPolicy | ||
- Bypass | ||
pattern: "*.ps1" | ||
source: | | ||
if ((Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' -Name 'LimitBlankPasswordUse').LimitBlankPasswordUse -eq 0) { "Password complexity is disabled" } | ||
matchers: | ||
- type: word | ||
words: | ||
- "Password complexity is disabled" |
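Review bot: `LimitBlankPasswordUse` is not the password complexity setting; it controls whether local accounts with a blank password may be used over the network, so the template reports a real but different misconfiguration under the name "Password Complexity Requirements Disabled". Either rename and redescribe the template to match what it checks, or check complexity itself, e.g. run `secedit /export /cfg` to a temporary file and match `PasswordComplexity = 0` in its `[System Access]` section. Also add `-ErrorAction SilentlyContinue`, since a missing value throws and the template then silently returns no finding.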