vulnerability_unrestricted_paths
SCHEMA
| Column | Type | Description |
|---|---|---|
| analysis | string | JSON object representing the analysis |
| data | string | Data content of registry value |
| key | string | Name of the key |
| mtime | long | Time of the most recent registry write |
| name | string | Name of the registry value entry |
| path | string | Full path to the value |
| type | string | Type of the registry value |
-- vulnerability_unrestricted_paths INFO
SELECT
    -- Device ID DETAILS
    meta_hostname, meta_ip_address,
    -- Query Details
    query_name, analysis, data, key, mtime, name, path, type,
    -- Decoration
    meta_boot_time, meta_eid, meta_endpoint_type, meta_ip_mask, meta_mac_address,
    meta_os_name, meta_os_platform, meta_os_type, meta_os_version, meta_public_ip,
    meta_query_pack_version, meta_username,
    -- Generic
    calendar_time, counter, epoch, host_identifier, numerics, osquery_action, unix_time,
    -- Data Lake
    customer_id, endpoint_id, upload_size
FROM xdr_data
WHERE query_name = 'vulnerability_unrestricted_paths'
RESULTS
| meta_hostname | meta_ip_address | query_name | analysis | data | key | mtime | name | path | type | meta_boot_time | meta_eid | meta_endpoint_type | meta_ip_mask | meta_mac_address | meta_os_name | meta_os_platform | meta_os_type | meta_os_version | meta_public_ip | meta_query_pack_version | meta_username | calendar_time | counter | epoch | host_identifier | osquery_action | unix_time | customer_id | endpoint_id | upload_size |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Victim3-EDR | 192.168.100.143 | vulnerability_unrestricted_paths | {"srp_path_rules_missing":1} | 0 | HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\262144 | 1602029563 | Paths | HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\262144\Paths | subkey | 1601905066 | 07343bcf-3fb4-34bb-58a0-75ea91b4d569 | computer | 255.255.255.0 | 00:50:56:2a:3a:13 | Microsoft Windows 7 Ultimate | windows | client | 6.1.7601 | 73.69.54.187 | 1.1.12 | test | 2020-10-07T00:12:43Z | 13 | 1601805653 | Victim3-EDR | False | 2020-10-07T00:12:43Z | b288d41b-53bb-64ae-5a67-1bc1507d5198 | 7043b3fc-f34b-43bb-850a-57ae194b5d96 | 963 |
| Victim1-EDR | 192.168.100.164 | vulnerability_unrestricted_paths | {"srp_path_rules_missing":1} | 0 | HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\262144 | 1602030864 | Paths | HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\262144\Paths | subkey | 1601905070 | 3d5d8411-6066-04f4-4872-ec787ed9b973 | computer | 255.255.255.0 | 00:50:56:25:94:3c | Microsoft Windows 7 Ultimate | windows | client | 6.1.7601 | 73.69.54.187 | 1.1.12 | test | 2020-10-07T00:34:24Z | 13 | 1601805150 | Victim1-EDR | False | 2020-10-07T00:34:24Z | b288d41b-53bb-64ae-5a67-1bc1507d5198 | d3d54811-0666-404f-8427-ce87e79d9b37 | 963 |
| Victim3-EDR | 192.168.100.143 | vulnerability_unrestricted_paths | {"srp_path_rules_missing":1} | 0 | HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\262144 | 1602033143 | Paths | HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\262144\Paths | subkey | 1601905066 | 07343bcf-3fb4-34bb-58a0-75ea91b4d569 | computer | 255.255.255.0 | 00:50:56:2a:3a:13 | Microsoft Windows 7 Ultimate | windows | client | 6.1.7601 | 73.69.54.187 | 1.1.12 | test | 2020-10-07T01:12:23Z | 14 | 1601805653 | Victim3-EDR | False | 2020-10-07T01:12:23Z | b288d41b-53bb-64ae-5a67-1bc1507d5198 | 7043b3fc-f34b-43bb-850a-57ae194b5d96 | 963 |
| Victim1-EDR | 192.168.100.164 | vulnerability_unrestricted_paths | {"srp_path_rules_missing":1} | 0 | HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\262144 | 1602034396 | Paths | HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\262144\Paths | subkey | 1601905070 | 3d5d8411-6066-04f4-4872-ec787ed9b973 | computer | 255.255.255.0 | 00:50:56:25:94:3c | Microsoft Windows 7 Ultimate | windows | client | 6.1.7601 | 73.69.54.187 | 1.1.12 | test | 2020-10-07T01:33:16Z | 14 | 1601805150 | Victim1-EDR | False | 2020-10-07T01:33:16Z | b288d41b-53bb-64ae-5a67-1bc1507d5198 | d3d54811-0666-404f-8427-ce87e79d9b37 | 963 |
| Victim1-EDR | 192.168.100.164 | vulnerability_unrestricted_paths | {"srp_path_rules_missing":1} | 0 | HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\262144 | 1602309884 | Paths | HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\262144\Paths | subkey | 1601905070 | 3d5d8411-6066-04f4-4872-ec787ed9b973 | computer | 255.255.255.0 | 00:50:56:25:94:3c | Microsoft Windows 7 Ultimate | windows | client | 6.1.7601 | 73.69.54.187 | 1.1.12 | test | 2020-10-10T06:04:44Z | 92 | 1601805150 | Victim1-EDR | False | 2020-10-10T06:04:44Z | b288d41b-53bb-64ae-5a67-1bc1507d5198 | d3d54811-0666-404f-8427-ce87e79d9b37 | 963 |
| Victim1-EDR | 192.168.100.164 | vulnerability_unrestricted_paths | {"srp_path_rules_missing":1} | 0 | HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\262144 | 1602313416 | Paths | HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\262144\Paths | subkey | 1601905070 | 3d5d8411-6066-04f4-4872-ec787ed9b973 | computer | 255.255.255.0 | 00:50:56:25:94:3c | Microsoft Windows 7 Ultimate | windows | client | 6.1.7601 | 73.69.54.187 | 1.1.12 | test | 2020-10-10T07:03:36Z | 93 | 1601805150 | Victim1-EDR | False | 2020-10-10T07:03:36Z | b288d41b-53bb-64ae-5a67-1bc1507d5198 | d3d54811-0666-404f-8427-ce87e79d9b37 | 963 |
| Victim3-EDR | 192.168.100.143 | vulnerability_unrestricted_paths | {"srp_path_rules_missing":1} | 0 | HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\262144 | 1602370082 | Paths | HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\262144\Paths | subkey | 1601905066 | 07343bcf-3fb4-34bb-58a0-75ea91b4d569 | computer | 255.255.255.0 | 00:50:56:2a:3a:13 | Microsoft Windows 7 Ultimate | windows | client | 6.1.7601 | 73.69.54.187 | 1.1.12 | test | 2020-10-10T22:48:02Z | 13 | 1602320453 | Victim3-EDR | False | 2020-10-10T22:48:02Z | b288d41b-53bb-64ae-5a67-1bc1507d5198 | 7043b3fc-f34b-43bb-850a-57ae194b5d96 | 963 |
| Victim1-EDR | 192.168.100.164 | vulnerability_unrestricted_paths | {"srp_path_rules_missing":1} | 0 | HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\262144 | 1602369926 | Paths | HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\262144\Paths | subkey | 1601905070 | 3d5d8411-6066-04f4-4872-ec787ed9b973 | computer | 255.255.255.0 | 00:50:56:25:94:3c | Microsoft Windows 7 Ultimate | windows | client | 6.1.7601 | 73.69.54.187 | 1.1.12 | test | 2020-10-10T22:45:26Z | 13 | 1602319950 | Victim1-EDR | False | 2020-10-10T22:45:26Z | b288d41b-53bb-64ae-5a67-1bc1507d5198 | d3d54811-0666-404f-8427-ce87e79d9b37 | 963 |
| Victim3-EDR | 192.168.100.143 | vulnerability_unrestricted_paths | {"srp_path_rules_missing":1} | 0 | HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\262144 | 1602373655 | Paths | HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\262144\Paths | subkey | 1601905066 | 07343bcf-3fb4-34bb-58a0-75ea91b4d569 | computer | 255.255.255.0 | 00:50:56:2a:3a:13 | Microsoft Windows 7 Ultimate | windows | client | 6.1.7601 | 73.69.54.187 | 1.1.12 | test | 2020-10-10T23:47:35Z | 14 | 1602320453 | Victim3-EDR | False | 2020-10-10T23:47:35Z | b288d41b-53bb-64ae-5a67-1bc1507d5198 | 7043b3fc-f34b-43bb-850a-57ae194b5d96 | 963 |
| DESKTOP-RB61UC8 | 192.168.1.173 | vulnerability_unrestricted_paths | {"srp_path_rules_missing":1} | 0 | HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\262144 | 1602362472 | Paths | HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\262144\Paths | subkey | 1601472787 | eface84e-4db6-344f-a89d-90801856834f | computer | 255.255.255.0 | 5c:ea:1d:c1:aa:55 | Microsoft Windows 10 Pro | windows | client | 10.0.19041 | 73.69.54.187 | 1.1.12 | Admin | 2020-10-10T20:41:12Z | 20 | 1602286841 | DESKTOP-RB61UC8 | False | 2020-10-10T20:41:12Z | b288d41b-53bb-64ae-5a67-1bc1507d5198 | feca8ee4-d46b-43f4-8ad9-0908816538f4 | 967 |
| Victim4-Win10 | 192.168.100.162 | vulnerability_unrestricted_paths | {"srp_path_rules_missing":1} | 0 | HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\262144 | 1602364061 | Paths | HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\262144\Paths | subkey | 1601910645 | 2fd10d5e-3267-4476-aa1c-182846a3eac0 | computer | 255.255.255.0 | 00:50:56:3c:c7:00 | Microsoft Windows 10 Pro | windows | client | 10.0.18363 | 73.69.54.187 | 1.1.12 | Admin | 2020-10-10T21:07:41Z | 10 | 1602321709 | Victim4-Win10 | False | 2020-10-10T21:07:41Z | b288d41b-53bb-64ae-5a67-1bc1507d5198 | f21dd0e5-2376-4467-aac1-8182643aae0c | 965 |