System Security Analysis - Windows
Log In or Register to download the BES file, and more.

4 Votes

Description

An Aggregation of other queries and relevance's and some original that provides an all in one quick overview of the system.

Property Details

ID2998604
StatusBeta - Preliminary testing ready for more
TitleSystem Security Analysis - Windows
DomainBESC
KeywordsSecurity Analysis, Firewall, Remote Desktop, IIS, Apache, Telnet, Antivirus
Added by on 3/6/2020 10:51:34 AM
Last Modified by on 3/6/2020 10:52:49 AM
Counters 4797 Views / 100 Downloads
User Rating 1 star 2 star 3 star 4 star 5 star * Average over 2 ratings. ** Log In or Register to add your rating.

Properties

Windows Firewall
Period 5 minutes
 
  * Results in a true/false
Show indented relevance
If exists running service "MpsSvc" then "Running" Else "Warning"
IPSec Firewall
Period 1 hour
 
  * Results in a true/false
Show indented relevance
if (exists keys "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local" whose (exists values whose(name of it = "ActivePolicy" ) of it) of registry) then "Yes" else "No"
GPO Applied IPSec
Period 1 hour
 
  * Results in a true/false
Show indented relevance
if (exists keys "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\IPSec\GPTIPSECPolicy" whose (exists values whose(name of it = "DSIPSECPolicyFlags" ) of it) of registry) then "Yes" else "No"
File and Print Sharing
Period 1 hour
 
  * Results in a true/false
Show indented relevance
if rule group currently enabled "File and Printer sharing" of firewall then "Enabled" else "Disabled"
RDP Services Running?
Period 1 hour
 
  * Results in a true/false
Show indented relevance
if( exists services whose((service name of it as lowercase = "TermService" as lowercase ) AND (state of it= "Running") )) AND (exists keys "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" whose (exists values whose(name of it = "fDenyTSConnections" AND it as string as lowercase = "1" as lowercase ) of it) of registry) then "Yes but denying connections" else if( exists services whose((service name of it as lowercase = "TermService" as lowercase ) AND (state of it= "Running")) ) AND (exists keys "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" whose (exists values whose(name of it = "fDenyTSConnections" AND it as string as lowercase = "0" as lowercase ) of it) of registry) then "Yes and allowing connections" else "No"
RDP Port
Period 12 hours
 
  * Results in a true/false
Show indented relevance
Value "PortNumber" of key "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" of registry
RDP NLA Enabled?
Period 1 hour
 
  * Results in a true/false
Show indented relevance
if (exists keys "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\Winstations\RDP-Tcp" Whose (exists values whose (name of it = "UserAuthentication" AND it as string as lowercase ="1" as lowercase) of it) of registry) then "Yes" else "No"
RDP in use on defined port
Period Every Report
 
  * Results in a true/false
Show indented relevance
if exists (sockets of network) whose ((local port of it = Value "PortNumber" of key "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" of registry) and (tcp state of it as string = "ESTABLISHED")) Then "Active" else "Not in use"
Incoming RDP Logs
Period 6 hours
 
  * Results in a true/false
Show indented relevance
(preceding text of first "%0d%0a" of following text of first "User: " of description of it | "Unknown", time generated of it, (if (it = 21) then ("New Session") else ("Resumed Session")) of (event id of it), following text of last ": " of description of it) of records ((integers in(item 0 of it + item 1 of it - 1,maximum of (item 0 of it + item 1 of it - 2000;item 1 of it))) of (record count of it, oldest record number of it)) whose (exists description of it and (event id of it = 21 or event id of it = 25) and description of it does not contain "LOCAL") of event log "Microsoft-Windows-TerminalServices-LocalSessionManager/Operational"
Telnet Client running?
Period 1 hour
 
  * Results in a true/false
Show indented relevance
if exists running service "TelnetClient" then "Yes" else "No"
Telnet Server Running
Period 15 minutes
 
  * Results in a true/false
Show indented relevance
if exists running service "TelnetServer" then "Yes" else "No"
FTP Running?
Period 15 minutes
 
  * Results in a true/false
Show indented relevance
If( exists services whose((service name of it as lowercase = "msftpsvc" as lowercase ) AND (state of it= "Running") OR (service name of it as lowercase = "ftpsvc" as lowercase ) AND (state of it= "Running")) ) then "Yes" else "No"
AntiVirus Installed
Period 15 minutes
 
  * Results in a true/false
Show indented relevance
if (exists running service whose (service name of it = "MsMpSvc")) then "MS.System Endpoint Protection" else if (exists running service whose (service name of it = "WinDefend")) then "Windows Defender" else if (exists running service whose (service name of it = "SepMasterService")) then "Symantec" else if (exists running service whose (service name of it = "Symantec AntiVirus")) then "Symantec" else if (exist running service whose (service name of it = "avast! Antivirus")) then "Avast" else if (exists running service whose (service name of it = "CmdAgent"))then "Comodo" else if (exists running service whose (service name of it contains "klnagent"))then "Kaspersky" else if (exists running service whose (service name of it starts with "Avg" as lowercase))then "AVG" else if (exists running service whose (service name of it starts with "ekrn"))then "Eset" else if (exists running service whose (service name of it starts with "Avira" as lowercase))then "Avira" else if (exists running service whose (service name of it starts with "norton antivirus client" as lowercase))then "Norton" else if (exists running service whose (service name of it starts with "mcshield" as lowercase))then "McAfee" else if (exists running service whose (service name of it starts with "InoRT" as lowercase))then "Trend" else if (exists running service whose (service name of it contains "MBAMService" as lowercase))then "MalwareBytes but may not be realtime " else "Investigate"
SQL Server running?
Period 1 day
 
  * Results in a true/false
Show indented relevance
if exists services whose((state of it= "Running") AND ((service name of it as lowercase = "MSSQL" as lowercase ) OR (service name of it as lowercase starts with "SQLBrowser" as lowercase ) OR (service name of it as lowercase starts with "SQLAgent" as lowercase )) ) = True Then "Yes" else "No"
IIS Running?
Period 1 hour
 
  * Results in a true/false
Show indented relevance
if exists running service "W3SVC" then "Yes" else "No"
Apache/Tomcat Running?
Period 1 hour
 
  * Results in a true/false
Show indented relevance
if (exists running application whose (name of it as lowercase = "tomcat7.exe" as lowercase OR name of it as lowercase = "tomcat6.exe" as lowercase ) )or ( exists services whose((service name of it as lowercase starts with "Apache" as lowercase ) AND (state of it= "Running")) ) Then "Yes" Else "No"
Windows last patch date
Period 12 hours
 
  * Results in a true/false
Show indented relevance
preceding texts of last " " of preceding texts of last " " of (it as string) of (maximum of last write times of keys whose (name of it contains ".KB" or name of it contains "KB" or name of it starts with "KB") of keys( "HKEYLOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\";"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages\";"HKEY_LOCAL_MACHINE \Software\Microsoft\WindowsNT\CurrentVersion\Hotfix") of (registry; native registry))
Version of 32 Bit Java
Period 6 hours
 
  * Results in a true/false
Show indented relevance
(concatenations ", " whose(it != "") of names of keys of keys "HKEY_LOCAL_MACHINE\SOFTWARE\JavaSoft\Java Runtime Environment" of registry)
Version of 64 Bit Java
Period 6 hours
 
  * Results in a true/false
Show indented relevance
(concatenations ", " whose(it != "") of names of keys of keys "HKEY_LOCAL_MACHINE\SOFTWARE\JavaSoft\Java Runtime Environment" of x64 registry)
Number of Local Admins
Period 1 hour
 
  * Results in a true/false
Show indented relevance
number of members of local group "administrators"
Names of Administrators Group
Period 30 minutes
 
  * Results in a true/false
Show indented relevance
members of local group "Administrators"
Local Users accounts and Password expiration status
Period 1 day
 
  * Results in a true/false
Show indented relevance
(name of it & (if (account disabled flag of it = TRUE) then " - Disabled" else " - Enabled") & (if (password expiration disabled flag of it = TRUE) then " No Password expiration" else "")) of local users
Password age of local users
Period 1 day
 
  * Results in a true/false
Show indented relevance
(name of it & " - " & password age of it as string) of local users
IE Proxy Server Status
Period 1 hour
 
  * Results in a true/false
Show indented relevance
if (exists key "SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings" whose (value "ProxyEnable" of it as integer = 1) of current user keys (logged on users) of registry) then "Manual Proxy Enabled" else "Automatically Detect"
IE Proxy Server & Port
Period 15 minutes
 
  * Results in a true/false
Show indented relevance
if (exists key "SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings" whose (exists value "ProxyServer" of it) of current user keys (logged on users) of registry) then (values "ProxyServer" of key "SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings" of current user keys (logged on users) of registry as string) else ("not configured")
DNS Servers
Period 1 day
 
  * Results in a true/false
Show indented relevance
addresses of dns servers of network
Wireless SSID
Period 1 day
 
  * Results in a true/false
Show indented relevance
if version of client >="9.0" then ssids of wifis of adapters of network else "N/A"
Wireless Encryption Status
Period 6 hours
 
  * Results in a true/false
Show indented relevance
if version of client >="9.0" then encryptions of wifis of adapters of network else "N/A"
PPP Enabled
Period 1 day
 
  * Results in a true/false
Show indented relevance
exists ip interface whose (point to point of it = true) of networks
Scope of Remote Desktop Firewall
Period 1 day
 
  * Results in a true/false
Show indented relevance
if exists (rules of firewall) whose (name of it as string starts with "Remote Desktop" or name of it contains "RDP") then (remote addresses strings of (rules of firewall) whose (name of it as string starts with "Remote Desktop" or name of it contains "RDP")) else "No rule named RDP or Remote Desktop"
IP of Remote Desktop connection
Period Every Report
 
  * Results in a true/false
Show indented relevance
unique values of (remote addresses of (sockets of network) whose ((local port of it = Value "PortNumber" of key "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" of registry) and (tcp state of it as string= "ESTABLISHED")))
SSH Running? (port 22)
Period Every Report
 
  * Results in a true/false
Show indented relevance
if exists (sockets of network) whose ((local port of it = 22) and (tcp state of it as string = "ESTABLISHED")) Then "Active" else "Not in use"
IP of Remote SSH Connection (Port 22)
Period Every Report
 
  * Results in a true/false
Show indented relevance
unique values of (remote addresses of (sockets of network) whose ((local port of it = 22) and (tcp state of it as string= "ESTABLISHED")))
Winlogbeat Installed?
Period 30 minutes
 
  * Results in a true/false
Show indented relevance
if (exists services whose ((service name of it = "winlogbeat") and (state of it = "Running"))) Then "Yes and Running" else if (exists services whose ((service name of it = "winlogbeat") and (state of it != "Running"))) then "Yes but not running" else "Not Installed"
Established TCP and UDP Connections
Period Every Report
 
  * Results in a true/false
Show indented relevance
names of processes of sockets whose ( established of tcp state of it and local port of it = Value "PortNumber" of key "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" of registry) of network
IE Automatic Configuration Script URL
Period 1 hour
 
  * Results in a true/false
Show indented relevance
If Exists value "AutoConfigURL" of keys of key "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\iphlpsvc\Parameters\ProxyMgr" of registry then value "AutoConfigURL" of keys of key "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\iphlpsvc\Parameters\ProxyMgr" of registry as string Else "Not used for any profiles"
Last Logged in User
Period 1 hour
 
  * Results in a "string"/number
Show indented relevance
if (name of operating system as lowercase contains "win") then (if ((name of operating system as lowercase contains "xp") or (name of operating system as lowercase contains "win2003")) then (if not exist keys "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\DefaultUserName" of (if x64 of operating system then (x64 registry;x32 registry) else registry) then values "DefaultUserName" of keys "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\" of (if x64 of operating system then (x64 registry;x32 registry) else registry) as string else "No User Logged") else (if NOT exist keys "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\LogonUI\LastLoggedOnUser" of (if x64 of operating system then (x64 registry;x32 registry) else registry) then values "LastLoggedOnUser" of keys "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\LogonUI\" of (if x64 of operating system then (x64 registry;x32 registry) else registry) as string else "No User Logged")) else ("Not Win")
Names of Users in Remote Desktop Group
Period 30 minutes
 
  * Results in a true/false
Show indented relevance
members of local group "Remote Desktop Users"
Warning: Number of patches missing
Period 5 minutes
 
  * Results in a true/false
Show indented relevance
number of relevant fixlets whose(exists values whose("Important" = it OR "Critical" = it) of headers "X-Fixlet-Source-Severity" of it AND not exists values whose(it contains " (Superseded)") of headers "Subject" of it AND exists (current date - it) whose(it > 30 * day) of (it as date) of values whose(exists it as date) of headers "X-Fixlet-Source-Release-Date" of it) of sites whose("Fixlet Site" = type of it AND exists names whose(it starts with "Updates for " OR it starts with "Patches for" OR it = "Enterprise Security") of it)

Relevance

isWindows (Relevance 1172)
Used in 1152 fixlets and 538 analyses   * Results in a true/false
Show indented relevance
windows of operating system

Sharing

Social Media:
Share this page on Yammer

Comments

Log In or Register to leave comments!
suzib6sw -
Good Catch. At the time, the Sql server service was just MSSQL with nothing else.
Raggsokk -
About "SQL Server running?" Shouldn't the first part be contains "MSSQL" not = "MSSQL" ? :) if exists services whose((state of it= "Running") AND ((service name of it as lowercase contains "MSSQL" as lowercase ) OR (service name of it as lowercase starts with "SQLBrowser" as lowercase ) OR (service name of it as lowercase starts with "SQLAgent" as lowercase )) ) = True Then "Yes" else "No"