Under Review

vulnerability_app_compatibility

This detects a potential vulnerability in application compatibility mode being set

https://www.itnews.com.au/news/windows-compatibility-mode-resurfaces-old-flaws-473058

Schema

analysis string JSON object representing the analysis
data string Data content of registry value
key string Name of the key
mtime long time of the most recent registry write
name string Name of the registry value entry
path string Full path to the value
type string Type of the registry value

-- vulnerability_app_compatibility INFO
SELECT 
   -- Device ID DETAILS
   meta_hostname, meta_ip_address, 

   -- Query Details
   query_name, analysis, data, key, mtime,
   name, path, type,

   -- Decoration 
   meta_boot_time, meta_eid, meta_endpoint_type, 
   meta_ip_mask, meta_mac_address, meta_os_name, meta_os_platform, meta_os_type,
   meta_os_version, meta_public_ip, meta_query_pack_version, meta_username,

   --- Generic
   calendar_time, counter, epoch, host_identifier, numerics
   osquery_action, unix_time,

   -- Data Lake
   customer_id, endpoint_id, upload_size

FROM xdr_data
WHERE query_name = 'vulnerability_app_compatibility'

RESULTS

None yet in my env. someone can test perhaps Slight smile