Detect disabled exception chain validation. https://www.windowsworkstation.com/win2012/disable-sehop/
SCHEMA

Column | Type | Description
--- | --- | ---
analysis | string | JSON object representing the analysis
data | string | Data content of the registry value
key | string | Name of the key
mtime | long | Time of the most recent registry write
name | string | Name of the registry value entry
path | string | Full path to the value
type | string | Type of the registry value
-- vulnerability_app_disabled_exception_chain_validation
-- Severity: INFO
SELECT
    -- Device ID DETAILS
    meta_hostname, meta_ip_address,
    -- Query Details
    query_name, analysis, data, key, mtime, name, path, type,
    -- Decoration
    meta_boot_time, meta_eid, meta_endpoint_type, meta_ip_mask, meta_mac_address,
    meta_os_name, meta_os_platform, meta_os_type, meta_os_version, meta_public_ip,
    meta_query_pack_version, meta_username,
    -- Generic
    calendar_time, counter, epoch, host_identifier, numerics, osquery_action, unix_time,
    -- Data Lake
    customer_id, endpoint_id, upload_size
FROM xdr_data
WHERE query_name = 'vulnerability_app_disabled_exception_chain_validation'
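The page does not say which registry value the query pack inspects or how the `analysis` column is populated. As an added illustration (not Sophos code), the script below triages rows in the shape of the schema above and flags the standard SEHOP control value: `DisableExceptionChainValidation`, a REG_DWORD that disables SEHOP when non-zero, either system-wide under `Session Manager\kernel` or for a single executable under `Image File Execution Options`. The sample rows are constructed, and the JSON written into `analysis` is an assumed format chosen for this example.

```python
import json

# Constructed sample rows mirroring the schema columns (key, name, path, type,
# data, mtime). None of these values come from real telemetry.
SAMPLE_ROWS = [
    {   # system-wide SEHOP disabled (assumed well-known control value)
        "key": r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\kernel",
        "name": "DisableExceptionChainValidation",
        "path": r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\kernel\DisableExceptionChainValidation",
        "type": "REG_DWORD", "data": "1", "mtime": 1700000000,
    },
    {   # same value but 0 -> SEHOP enabled, must not be flagged
        "key": r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\kernel",
        "name": "DisableExceptionChainValidation",
        "path": r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\kernel\DisableExceptionChainValidation",
        "type": "REG_DWORD", "data": "0", "mtime": 1700000001,
    },
    {   # per-image opt-out via Image File Execution Options (hypothetical app.exe)
        "key": r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\app.exe",
        "name": "DisableExceptionChainValidation",
        "path": r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\app.exe\DisableExceptionChainValidation",
        "type": "REG_DWORD", "data": "0x1", "mtime": 1700000002,
    },
    {   # unrelated value in the same key, must be ignored
        "key": r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\kernel",
        "name": "ObUnsecureGlobalNames",
        "path": r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\kernel\ObUnsecureGlobalNames",
        "type": "REG_MULTI_SZ", "data": "netfxcustomperfcounters.1.0", "mtime": 1700000003,
    },
]


def _dword(data):
    """Parse the string form of a REG_DWORD; accepts decimal or 0x-prefixed hex."""
    s = str(data).strip().lower()
    return int(s, 16) if s.startswith("0x") else int(s)


def sehop_disabled(row):
    """True when the row is DisableExceptionChainValidation with a non-zero value."""
    if row.get("name", "").lower() != "disableexceptionchainvalidation":
        return False
    if row.get("type", "").upper() != "REG_DWORD":
        return False
    try:
        return _dword(row.get("data", "0")) != 0
    except ValueError:
        return False


def scope_of(row):
    """Classify whether the setting applies to one image or the whole system."""
    return "per-image" if "image file execution options" in row.get("key", "").lower() else "system-wide"


def analyse(rows):
    """Return the flagged rows with an 'analysis' JSON object (assumed format) attached."""
    findings = []
    for row in rows:
        if sehop_disabled(row):
            analysis = {"sehop_disabled": True, "scope": scope_of(row), "value": row["data"]}
            findings.append({**row, "analysis": json.dumps(analysis)})
    return findings


if __name__ == "__main__":
    for hit in analyse(SAMPLE_ROWS):
        print(hit["path"], hit["analysis"])
```

Running it prints the two rows that disable SEHOP (the system-wide one and the per-image one) and skips the enabled value and the unrelated entry. The `mtime` column from the schema is the natural pivot for follow-up: a recent write to this value on an endpoint where nobody changed the exploit-mitigation policy deserves a closer look.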
Someone needs to turn off SEHOP protection; probably have to disable Intercept X exploit protection to do it.