Windows Security Hardening and Auditing - Nuclei Templates v10.1.0 🎉

We're thrilled to introduce Nuclei Templates release v10.1.0! In this update, we are focusing on Windows Security Hardening and Auditing. Our latest release expands your toolkit with new Windows security templates, designed to automate and enhance the security auditing of Windows systems. Here, we'll explore how to use these templates effectively, customize them for your specific security needs, and share results on the PDCP Cloud for review.

Windows operating systems, widely utilized in both enterprise and personal environments, are often targeted by attackers due to their prevalence. Recognizing the critical need for rigorous security measures, this release aims to simplify Windows security reviews much like we did with Kubernetes in our previous releases.

For those particularly interested in using the Windows Audit templates, feel free to skip to the end of the blog.

Windows Security Auditing, a vital practice for ensuring a robust security posture, involves reviewing and monitoring Windows systems to detect and mitigate potential vulnerabilities.

Key Activities in Windows Security Auditing include:

  • Security Policy Enforcement: This check involves ensuring that security policies, such as account lockout policies and password policies, are properly configured according to best practices.
  • User Access Control: Reviewing user permissions and access controls to ensure that users have the minimum necessary privileges.
  • Service Configuration: Ensuring that Windows services are configured securely, including disabling or restricting services that are not required.
  • Network Security Settings: Examining network configurations to prevent unauthorized access and protect against network-based attacks.
  • Operating System Updates: Checking that Windows Update is enabled and properly configured to ensure that the system receives all critical security updates.
  • Logging and Monitoring: Making sure that event logging and monitoring are enabled to track security events and potential breaches.

The templates we've added carry out comprehensive checks to assess the security configurations and compliance of Windows systems. These templates use PowerShell to interact with the Windows Management Instrumentation (WMI) API, offering flexibility to customize security checks or automate specific tasks. Our templates provide extensive control over Windows resources, aiding in thorough security audits.

What are Code Protocol Templates?

Nuclei enables users to execute external code on the host operating system, expanding the tool's capabilities beyond standard protocol-based testing. This functionality allows for interaction with the underlying OS, executing custom scripts or commands to manage system configurations, file operations, and more. Such control enhances the ability to tailor security assessments to specific needs. Users can explore Code Protocol templates in our documentation for further customization.

Because these templates can execute potentially harmful commands on hosts, users must first sign the templates using their keys. These signed templates are not included in default scans for safety reasons. To use these templates, sign them with the -sign flag. After signing, run the templates with the -code flag.

Example #1:

In this example, we create a Nuclei template that identifies whether the SMB v1 protocol is enabled on a Windows system, a critical weakness that exposes the system to numerous network attacks, including the notorious WannaCry ransomware.

  • We've set self-contained: true because this Nuclei template operates independently of any specific host, using local Windows configurations to fetch and analyze SMB protocol data.
  • The initial code block specifies using PowerShell as the engine for executing the command to check the SMB v1 status. Here's the command included in the source section: (Get-SmbServerConfiguration).EnableSMB1Protocol. This PowerShell command retrieves the current SMB v1 protocol configuration.
  • The template includes a pre-condition to ensure it only runs on Windows systems. This is crucial as running this check on non-Windows systems would not yield meaningful results.
  • After executing the PowerShell command, we use a matcher to verify if the returned result includes the word "True," indicating that SMB v1 is enabled.
  • If SMB v1 is enabled, this presents a critical security risk due to the vulnerabilities associated with this outdated protocol.

```yaml
id: smb-v1-enabled

info:
  name: SMB v1 Protocol Enabled
  author: princechaddha
  severity: critical
  description: Detects if SMB v1 protocol is enabled, which is vulnerable to numerous exploits.
  impact: |
    SMB v1 is vulnerable to multiple attacks, including the infamous WannaCry ransomware.
  remediation: |
    Disable SMB v1 protocol to enhance the security of your system.
  tags: windows,smb,network,protocol,code,windows-audit

self-contained: true

code:
  - pre-condition: |
      IsWindows();
    engine:
      - powershell
      - powershell.exe
    args:
      - -ExecutionPolicy
      - Bypass
    pattern: "*.ps1"
    source: |
      (Get-SmbServerConfiguration).EnableSMB1Protocol

    matchers:
      - type: word
        words:
          - "True"
```

Example #2:

This Nuclei template checks if Windows Firewall is disabled on any network profile, a significant security concern. By running a PowerShell command, the template assesses the firewall status across all profiles to ensure protection against external threats. If the firewall is found to be disabled, it provides a critical alert to enable the Windows Firewall to safeguard the system from potential attacks.

```yaml
id: windows-firewall-disabled

info:
  name: Windows Firewall Disabled
  author: princechaddha
  severity: high
  description: Checks if Windows Firewall is disabled on any network profile.
  impact: |
    Disabling the firewall may leave the system vulnerable to external attacks.
  remediation: |
    Ensure that the Windows Firewall is enabled for all network profiles.
  tags: windows,firewall,code,windows-audit

self-contained: true

code:
  - pre-condition: |
      IsWindows();
    engine:
      - powershell
      - powershell.exe
    args:
      - -ExecutionPolicy
      - Bypass
    pattern: "*.ps1"
    source: |
      Get-NetFirewallProfile | Where-Object { $_.Enabled -eq "False" }

    matchers:
      - type: word
        words:
          - "False"
```

Example #3:

This Nuclei template assesses whether LSA (Local Security Authority) protection is disabled or not configured on Windows systems. By querying the system registry via PowerShell, it checks the RunAsPPL key to determine the status of LSA protection, which is crucial for preventing credential dumping attacks. If LSA protection is found to be off, the template alerts users to enable it, thereby enhancing the system's defense against unauthorized access to sensitive credentials.

```yaml
id: windows-lsa-protection-not-enabled

info:
  name: LSA Protection Not Enabled or Not Configured
  author: princechaddha
  severity: high
  description: |
    Checks if LSA (Local Security Authority) protection is disabled or not configured.
  impact: |
    Disabling or not configuring LSA protection can allow attackers to perform credential dumping.
  remediation: |
    Enable LSA protection to prevent malicious actors from dumping credentials from the system.
  tags: windows,lsa,code,windows-audit

self-contained: true

code:
  - pre-condition: |
      IsWindows();
    engine:
      - powershell
      - powershell.exe
    args:
      - -ExecutionPolicy
      - Bypass
    pattern: "*.ps1"
    source: |
      ($null -eq (Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' -Name 'RunAsPPL' -ErrorAction SilentlyContinue).RunAsPPL) -or ((Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' -Name 'RunAsPPL' -ErrorAction SilentlyContinue).RunAsPPL -eq 0)

    matchers:
      - type: word
        words:
          - "True"
```

Check out all the other windows audit templates by visiting the Nuclei Templates GitHub repository.
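The three templates above each match on a bare "True" or "False" in whatever PowerShell prints. That works on a healthy host, but if a cmdlet fails (for instance Get-SmbServerConfiguration run without elevation), the output is an error message that contains neither word, and the check silently passes. The script below is an added example, not a template from the nuclei-templates repository: it bundles the three checks from Examples 1 to 3 into one PowerShell script that emits an explicit PASS, FAIL or UNKNOWN token per check, so a word matcher on "FAIL" cannot be satisfied or defeated by unrelated text. It assumes Windows 8 / Server 2012 or later (SmbShare and NetSecurity modules present) and an elevated session for the SMB query; the function names are my own.

```powershell
# Added example (not from the nuclei-templates repository): Examples 1-3 as one script
# with an unambiguous result token per check. Assumes Windows 8 / Server 2012 or later
# and an elevated session for Get-SmbServerConfiguration.

function Test-Smb1ServerEnabled {
    # Returns $true/$false, or $null when the cmdlet fails (not elevated, module missing).
    try { return [bool]((Get-SmbServerConfiguration -ErrorAction Stop).EnableSMB1Protocol) }
    catch { return $null }
}

function Get-DisabledFirewallProfiles {
    # Enabled is a GpoBoolean (True / False / NotConfigured); the string compares to the enum name.
    try {
        $names = @(Get-NetFirewallProfile -ErrorAction Stop |
                   Where-Object { $_.Enabled -eq 'False' } |
                   ForEach-Object { $_.Name })
        return ,$names   # unary comma keeps an empty or single-element array intact
    } catch { return $null }
}

function Test-LsaProtectionMissing {
    # RunAsPPL absent or 0 means LSASS runs unprotected; 1 or 2 means it runs as a
    # protected process (the two differ only in whether a UEFI lock variable is used).
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    $val = (Get-ItemProperty -Path $key -Name 'RunAsPPL' -ErrorAction SilentlyContinue).RunAsPPL
    return (($null -eq $val) -or ($val -eq 0))
}

function Invoke-WindowsAuditChecks {
    $lines = @()

    $smb1 = Test-Smb1ServerEnabled
    if ($null -eq $smb1) { $lines += 'UNKNOWN: SMBv1 state could not be read (run elevated?)' }
    elseif ($smb1)       { $lines += 'FAIL: SMBv1 server protocol is enabled' }
    else                 { $lines += 'PASS: SMBv1 server protocol is disabled' }

    $off = Get-DisabledFirewallProfiles
    if ($null -eq $off)       { $lines += 'UNKNOWN: firewall profiles could not be read' }
    elseif ($off.Count -gt 0) { $lines += "FAIL: Windows Firewall disabled on profile(s): $($off -join ', ')" }
    else                      { $lines += 'PASS: Windows Firewall enabled on all profiles' }

    if (Test-LsaProtectionMissing) { $lines += 'FAIL: LSA protection (RunAsPPL) not enabled or not configured' }
    else                           { $lines += 'PASS: LSA protection (RunAsPPL) enabled' }

    return ,$lines
}

# One token per line. In a code template, a matcher of type: word with words: ["FAIL"]
# flags any failing check, and "UNKNOWN" lines show up as something to investigate
# rather than disappearing into a false pass.
Invoke-WindowsAuditChecks
```

Pasted into a template's source: block as in the examples above, the matcher becomes `words: ["FAIL"]`; the UNKNOWN path is the important addition, because an audit that cannot read a setting should say so instead of reporting the setting as safe.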

Custom Templates for Specific Use Cases

We can create custom Windows security checks tailored to your environment. This flexibility allows security teams, system administrators, and IT professionals to address unique security concerns within their Windows networks. Here are some scenarios where creating custom Nuclei Windows templates could be particularly useful:

  • Custom Security Policy Checks: Templates could ensure that group policies are enforced according to organizational security standards.
  • Specific Compliance Audits: For industries with stringent regulatory requirements, custom templates can verify that systems comply with regulations like HIPAA or GDPR by checking security settings and access controls.
  • Integration with SIEM Systems: Custom templates can be designed to extract and format security logs for integration with Security Information and Event Management (SIEM) systems for enhanced monitoring.
  • Advanced Persistent Threat (APT) Detection: Tailor templates to look for signs of APT activities, such as unusual outbound connections or modifications to critical system files.
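As an added example of the first scenario (not a template from the nuclei-templates repository), the script below audits the local account and lockout policy, which the page lists under "Security Policy Enforcement". It parses the output of the built-in `net accounts` command, which works without elevation, into a hashtable and compares the fields against thresholds. The thresholds (14-character minimum, lockout after at most 10 failures, 90-day maximum age) are illustrative assumptions rather than a published baseline, the function names are my own, and the parser assumes the English field labels that `net accounts` prints on an English-locale system.

```powershell
# Added example (not from the nuclei-templates repository): a custom policy check built
# from `net accounts` output. Thresholds below are assumptions; adjust to your own policy.

function Get-LocalAccountPolicy {
    # Accepts captured text for offline testing; defaults to the live command.
    param([string[]]$NetAccountsOutput = (net accounts))
    # Lines look like "Lockout threshold:                Never"; split on the first colon.
    $policy = @{}
    foreach ($line in $NetAccountsOutput) {
        if ($line -match '^(?<key>[^:]+):\s*(?<value>.+?)\s*$') {
            $policy[$Matches.key.Trim()] = $Matches.value
        }
    }
    return $policy
}

function Get-PolicyValue([hashtable]$Policy, [string]$Key) {
    # Missing label usually means a non-English locale; fail loudly instead of reading 0.
    if (-not $Policy.ContainsKey($Key)) { throw "policy field '$Key' not found in net accounts output" }
    return $Policy[$Key]
}

function Test-LocalAccountPolicy {
    param(
        [hashtable]$Policy,
        [int]$MinPasswordLength   = 14,  # assumed threshold
        [int]$MaxLockoutThreshold = 10,  # assumed threshold; "Never" means lockout is off
        [int]$MaxPasswordAgeDays  = 90   # assumed threshold; "Unlimited" means never expires
    )
    try {
        $fail = @()

        $len = [int](Get-PolicyValue $Policy 'Minimum password length')
        if ($len -lt $MinPasswordLength) { $fail += "FAIL: minimum password length is $len (< $MinPasswordLength)" }

        $lock = Get-PolicyValue $Policy 'Lockout threshold'
        if ($lock -eq 'Never') { $fail += 'FAIL: account lockout is disabled (threshold Never)' }
        elseif ([int]$lock -gt $MaxLockoutThreshold) { $fail += "FAIL: lockout threshold is $lock (> $MaxLockoutThreshold)" }

        $age = Get-PolicyValue $Policy 'Maximum password age (days)'
        if ($age -eq 'Unlimited') { $fail += 'FAIL: passwords never expire (maximum age Unlimited)' }
        elseif ([int]$age -gt $MaxPasswordAgeDays) { $fail += "FAIL: maximum password age is $age days (> $MaxPasswordAgeDays)" }

        if ($fail.Count -eq 0) { return ,@('PASS: local account policy meets the configured thresholds') }
        return ,$fail
    } catch {
        return ,@("UNKNOWN: $($_.Exception.Message)")
    }
}

# Live run on the audited host; a template matcher of type: word on "FAIL" flags any finding.
Test-LocalAccountPolicy -Policy (Get-LocalAccountPolicy)
```

To turn this into a template, put the script in the source: block of a code template like the ones above with a word matcher on "FAIL", then sign it with -sign and run it with -code as described earlier. For offline testing, pass captured `net accounts` text to Get-LocalAccountPolicy through -NetAccountsOutput.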

Running Windows Security Templates

To use these templates effectively, ensure your environment is configured properly. You need to have PowerShell set up with the appropriate execution policies.

To ensure these templates function correctly, you must be using the latest version of nuclei, which is v3.3.7 as of this writing.

Once configured, execute the following command to check the setup before running the full profile:

```console
PS C:\Users\Administrator\Desktop> nuclei -id smb-v1-enabled -code -duc

                     __     _
   ____  __  _______/ /__  (_)
  / __ \/ / / / ___/ / _ \/ /
 / / / / /_/ / /__/ /  __/ /
/_/ /_/\__,_/\___/_/\___/_/   v3.3.7

                projectdiscovery.io

[INF] Current nuclei version: v3.3.7 (outdated)
[INF] Current nuclei-templates version: v10.1.0 (latest)
[WRN] Scan results upload to cloud is disabled.
[INF] New templates added in latest release: 68
[INF] Templates loaded for current scan: 1
[INF] Executing 1 signed templates from projectdiscovery
[smb-v1-enabled] [code] [critical]
PS C:\Users\Administrator\Desktop>
```

Now we can execute all the templates using the following command, or by using the scan profile (`-profile windows-audit`).

Uploading Results to ProjectDiscovery

After running your scans, it's beneficial for teams to save the results for reporting or remediation. You can upload these results to the PDCP Cloud using the -dashboard flag.

To do this:

  1. Visit PDCP Cloud and log into your account.
  2. Click on your profile picture and select 'API Key'.
  3. Copy your API key and type in your terminal:

```console
nuclei -auth <your-api-key>
```

Now you're ready to run the templates and upload the results:

Logging into the PDCP Cloud will then display a new scan entry with all the results.

Conclusion

The Nuclei templates for Windows provide significant flexibility, allowing users to create checks that suit their specific operational and security needs. This approach not only helps in identifying and mitigating security issues but also in maintaining continuous oversight of the overall security posture of Windows environments.


You can also join our Discord server. It's a great place to connect with fellow contributors and stay updated with the latest developments. Thank you, once again!

By leveraging Nuclei and actively engaging with the open-source community, or by becoming a part of the ProjectDiscovery Cloud Platform, companies can enhance their security measures, proactively address emerging threats, and establish a more secure digital landscape. Security represents a shared endeavor, and by collaborating, we can consistently adapt and confront the ever-evolving challenges posed by cyber threats.