Under Review

vulnerability_disallowed_paths

Detect disallowed paths, need to get a definition of such from MRT

SCHEMA

analysis string JSON object representing the analysis
data string Data content of registry value
key string Name of the key
mtime long time of the most recent registry write
name string Name of the registry value entry
path string Full path to the value
type string Type of the registry value 

-- vulnerability_disallowed_paths INFO
SELECT 
   -- Device ID DETAILS
   meta_hostname, meta_ip_address, 

   -- Query Details
   query_name, analysis, data, key, mtime,
   name, path, type,

   -- Decoration 
   meta_boot_time, meta_eid, meta_endpoint_type, 
   meta_ip_mask, meta_mac_address, meta_os_name, meta_os_platform, meta_os_type,
   meta_os_version, meta_public_ip, meta_query_pack_version, meta_username,

   --- Generic
   calendar_time, counter, epoch, host_identifier, numerics
   osquery_action, unix_time,

   -- Data Lake
   customer_id, endpoint_id, upload_size

FROM xdr_data
WHERE query_name = 'vulnerability_disallowed_paths'

Lots of stuff in my env.  now I really need to learn what this is trying to detect.

+-----------------+-------------------+--------------------------------+------------------------------+--------+--------------------------------------------------------------------------------+------------+--------+--------------------------------------------------------------------------------------+--------+------------------+--------------------------------------+----------------------+----------------+--------------------+------------------------------+--------------------+----------------+-------------------+------------------+---------------------------+-----------------+----------------------+-----------+------------+-------------------+------------------+----------------------+--------------------------------------+--------------------------------------+---------------+
| meta_hostname   | meta_ip_address   | query_name                     | analysis                     |   data | key                                                                            |      mtime | name   | path                                                                                 | type   |   meta_boot_time | meta_eid                             | meta_endpoint_type   | meta_ip_mask   | meta_mac_address   | meta_os_name                 | meta_os_platform   | meta_os_type   | meta_os_version   | meta_public_ip   | meta_query_pack_version   | meta_username   | calendar_time        |   counter |      epoch | host_identifier   | osquery_action   | unix_time            | customer_id                          | endpoint_id                          |   upload_size |
|-----------------+-------------------+--------------------------------+------------------------------+--------+--------------------------------------------------------------------------------+------------+--------+--------------------------------------------------------------------------------------+--------+------------------+--------------------------------------+----------------------+----------------+--------------------+------------------------------+--------------------+----------------+-------------------+------------------+---------------------------+-----------------+----------------------+-----------+------------+-------------------+------------------+----------------------+--------------------------------------+--------------------------------------+---------------|
| Victim5-Win10   | 192.168.100.129   | vulnerability_disallowed_paths | {"srp_path_rules_missing":1} |      0 | HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0 | 1602415384 | Paths  | HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Paths | subkey |       1601910607 | 099242c2-3595-94e0-891c-51a7ee2659c8 | computer             | 255.255.255.0  | 00:0c:29:56:e8:01  | Microsoft Windows 10 Pro     | windows            | client         | 10.0.18363        | 73.69.54.187     | 1.1.12                    | Admin           | 2020-10-11T11:23:04Z |         0 | 1602413479 | Victim5-Win10     | False            | 2020-10-11T11:23:04Z | b288d41b-53bb-64ae-5a67-1bc1507d5198 | 9029242c-5359-490e-98c1-157aee62958c |           952 |
| Victim5-Win10   | 192.168.100.129   | vulnerability_disallowed_paths | {"srp_path_rules_missing":1} |      0 | HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0 | 1602419076 | Paths  | HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Paths | subkey |       1601910607 | 099242c2-3595-94e0-891c-51a7ee2659c8 | computer             | 255.255.255.0  | 00:0c:29:56:e8:01  | Microsoft Windows 10 Pro     | windows            | client         | 10.0.18363        | 73.69.54.187     | 1.1.12                    | Admin           | 2020-10-11T12:24:36Z |         1 | 1602413479 | Victim5-Win10     | False            | 2020-10-11T12:24:36Z | b288d41b-53bb-64ae-5a67-1bc1507d5198 | 9029242c-5359-490e-98c1-157aee62958c |           952 |
| Victim3-EDR     | 192.168.100.143   | vulnerability_disallowed_paths | {"srp_path_rules_missing":1} |      0 | HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0 | 1602397550 | Paths  | HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Paths | subkey |       1601905066 | 07343bcf-3fb4-34bb-58a0-75ea91b4d569 | computer             | 255.255.255.0  | 00:50:56:2a:3a:13  | Microsoft Windows 7 Ultimate | windows            | client         | 6.1.7601          | 73.69.54.187     | 1.1.12                    | test            | 2020-10-11T06:25:50Z |        20 | 1602320453 | Victim3-EDR       | False            | 2020-10-11T06:25:50Z | b288d41b-53bb-64ae-5a67-1bc1507d5198 | 7043b3fc-f34b-43bb-850a-57ae194b5d96 |           951 |
| Victim1-EDR     | 192.168.100.164   | vulnerability_disallowed_paths | {"srp_path_rules_missing":1} |      0 | HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0 | 1602397075 | Paths  | HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Paths | subkey |       1601905070 | 3d5d8411-6066-04f4-4872-ec787ed9b973 | computer             | 255.255.255.0  | 00:50:56:25:94:3c  | Microsoft Windows 7 Ultimate | windows            | client         | 6.1.7601          | 73.69.54.187     | 1.1.12                    | test            | 2020-10-11T06:17:55Z |        21 | 1602319950 | Victim1-EDR       | False            | 2020-10-11T06:17:55Z | b288d41b-53bb-64ae-5a67-1bc1507d5198 | d3d54811-0666-404f-8427-ce87e79d9b37 |           951 |
| Victim1-EDR     | 192.168.100.164   | vulnerability_disallowed_paths | {"srp_path_rules_missing":1} |      0 | HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0 | 1602400500 | Paths  | HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Paths | subkey |       1601905070 | 3d5d8411-6066-04f4-4872-ec787ed9b973 | computer             | 255.255.255.0  | 00:50:56:25:94:3c  | Microsoft Windows 7 Ultimate | windows            | client         | 6.1.7601          | 73.69.54.187     | 1.1.12                    | test            | 2020-10-11T07:15:00Z |        22 | 1602319950 | Victim1-EDR       | False            | 2020-10-11T07:15:00Z | b288d41b-53bb-64ae-5a67-1bc1507d5198 | d3d54811-0666-404f-8427-ce87e79d9b37 |           951 |
| Victim3-EDR     | 192.168.100.143   | vulnerability_disallowed_paths | {"srp_path_rules_missing":1} |      0 | HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0 | 1602401224 | Paths  | HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Paths | subkey |       1601905066 | 07343bcf-3fb4-34bb-58a0-75ea91b4d569 | computer             | 255.255.255.0  | 00:50:56:2a:3a:13  | Microsoft Windows 7 Ultimate | windows            | client         | 6.1.7601          | 73.69.54.187     | 1.1.12                    | test            | 2020-10-11T07:27:04Z |        21 | 1602320453 | Victim3-EDR       | False            | 2020-10-11T07:27:04Z | b288d41b-53bb-64ae-5a67-1bc1507d5198 | 7043b3fc-f34b-43bb-850a-57ae194b5d96 |           951 |
| Victim3-EDR     | 192.168.100.143   | vulnerability_disallowed_paths | {"srp_path_rules_missing":1} |      0 | HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0 | 1602036963 | Paths  | HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Paths | subkey |       1601905066 | 07343bcf-3fb4-34bb-58a0-75ea91b4d569 | computer             | 255.255.255.0  | 00:50:56:2a:3a:13  | Microsoft Windows 7 Ultimate | windows            | client         | 6.1.7601          | 73.69.54.187     | 1.1.12                    | test            | 2020-10-07T02:16:03Z |        15 | 1601805653 | Victim3-EDR       | False            | 2020-10-07T02:16:03Z | b288d41b-53bb-64ae-5a67-1bc1507d5198 | 7043b3fc-f34b-43bb-850a-57ae194b5d96 |           951 |
| Victim1-EDR     | 192.168.100.164   | vulnerability_disallowed_paths | {"srp_path_rules_missing":1} |      0 | HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0 | 1602037616 | Paths  | HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Paths | subkey |       1601905070 | 3d5d8411-6066-04f4-4872-ec787ed9b973 | computer             | 255.255.255.0  | 00:50:56:25:94:3c  | Microsoft Windows 7 Ultimate | windows            | client         | 6.1.7601          | 73.69.54.187     | 1.1.12                    | test            | 2020-10-07T02:26:56Z |        15 | 1601805150 | Victim1-EDR       | False            | 2020-10-07T02:26:56Z | b288d41b-53bb-64ae-5a67-1bc1507d5198 | d3d54811-0666-404f-8427-ce87e79d9b37 |           951 |
| Victim3-EDR     | 192.168.100.143   | vulnerability_disallowed_paths | {"srp_path_rules_missing":1} |      0 | HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0 | 1602040636 | Paths  | HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Paths | subkey |       1601905066 | 07343bcf-3fb4-34bb-58a0-75ea91b4d569 | computer             | 255.255.255.0  | 00:50:56:2a:3a:13  | Microsoft Windows 7 Ultimate | windows            | client         | 6.1.7601          | 73.69.54.187     | 1.1.12                    | test            | 2020-10-07T03:17:16Z |        16 | 1601805653 | Victim3-EDR       | False            | 2020-10-07T03:17:16Z | b288d41b-53bb-64ae-5a67-1bc1507d5198 | 7043b3fc-f34b-43bb-850a-57ae194b5d96 |           951 |
| Victim1-EDR     | 192.168.100.164   | vulnerability_disallowed_paths | {"srp_path_rules_missing":1} |      0 | HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0 | 1602041040 | Paths  | HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Paths | subkey |       1601905070 | 3d5d8411-6066-04f4-4872-ec787ed9b973 | computer             | 255.255.255.0  | 00:50:56:25:94:3c  | Microsoft Windows 7 Ultimate | windows            | client         | 6.1.7601          | 73.69.54.187     | 1.1.12                    | test            | 2020-10-07T03:24:00Z |        16 | 1601805150 | Victim1-EDR       | False            | 2020-10-07T03:24:00Z | b288d41b-53bb-64ae-5a67-1bc1507d5198 | d3d54811-0666-404f-8427-ce87e79d9b37 |           951 |
| Victim1-EDR     | 192.168.100.164   | vulnerability_disallowed_paths | {"srp_path_rules_missing":1} |      0 | HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0 | 1602058158 | Paths  | HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Paths | subkey |       1601905070 | 3d5d8411-6066-04f4-4872-ec787ed9b973 | computer             | 255.255.255.0  | 00:50:56:25:94:3c  | Microsoft Windows 7 Ultimate | windows            | client         | 6.1.7601          | 73.69.54.187     | 1.1.12                    | test            | 2020-10-07T08:09:18Z |        21 | 1601805150 | Victim1-EDR       | False            | 2020-10-07T08:09:18Z | b288d41b-53bb-64ae-5a67-1bc1507d5198 | d3d54811-0666-404f-8427-ce87e79d9b37 |           951 |

Karl_Ackerman
Unfiltered HTML