We are asked quite often if deploying the osquery agent is possible via Windows Group Policy Objects (GPOs).
[Updated March 11th] This article was written in May 2019 and updated in June 2019. We are updating it again, as CVE-2020-0796 is now public, and has not been patched yet.
CVE-2020-0796 is a remote code execution bug in Microsoft’s SMB (file sharing) server.
Expect attacks targeting this vulnerability soon. Use the queries in this article to find machines with port 445 exposed to the Internet.
As Microsoft recommends disabling compression as a workaround, which is configured in the registry, you can also query for the mitigation status of your systems.
Disabling SMBv3 Compression
A registry parameter can be configured, via PowerShell or any other method, to disable SMBv3 Compression.
| Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" DisableCompression -Type DWORD -Value 1 -Force |
Checking SMBv3 Compression is Disabled with osquery
This query only returns results if a machine has the workaround configured properly.
| SELECT name, data, key, type FROM registry WHERE key='HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters' AND name='DisableCompression' AND data=1; |
If you are sending osquery data to a centralized environment, configure this query to run, or run it as a real-time/distributed query. Any system that does not return data is unprotected at the moment, until a patch is released.
If you want more data, and want to get results from machines that are not protected as opposed to the other way around, this query will return a 0 if the key does not exist, a 1 if it exists but is misconfigured, or nothing if it is configured properly.
0 = Key missing
1 = Key misconfigured
Null results = all good
| SELECT IFNULL(key_count,0) AS key_state FROM (SELECT COUNT(*) AS key_count, data FROM registry WHERE path='HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters\DisableCompression') WHERE key_state!=1 OR data!=1; |
[Updated June 5th] Patching for the CVE (CVE-2019-0708) vulnerability (referred to as BlueKeep) appears to have been slow, according to Rob Graham among others. One security expert, Ryan McGeehan (@Magoo), with experience in modeling vulnerability exploit probability and has done just that with the BlueKeep security flaw.
His concerning summary concludes:
"Chances are about even ( 47.62%) for “in the wild” BlueKeep exploitation to be observed between now and end of June."
Follow the outline below to check your exposure using osquery.
Microsoft released an important patch to the remotely exploitable Remote Desktop Services (RDS) vulnerability. This vulnerability does not require any authentication and allows an attacker to run code remotely. Expect public exploits to start appearing soon.
The Windows registry is full of information, and with the proper tools, can be a gold mine for attackers and defenders alike. Attackers look to find specific configurations, credentials, or any information that can help them further attack systems, while defenders can use the registry to ensure that settings are configured as they are expected to. This is something that is not always easy to do with standard tools in Windows, or with the right level of performance. Fortunately, osquery solves that for us.