microsoft
/
AttackSurfaceAnalyzer
зеркало из https://github.com/microsoft/AttackSurfaceAnalyzer.git
1
0
Форкнуть 0
Код Задачи Пакеты Проекты Релизы Вики Активность
AttackSurfaceAnalyzer/analyses.json

395 строки
8.4 KiB
JSON
Исходник Постоянная ссылка Ответственный История

{
"rules": [
{
"Name": "Privileged ports",
"Description": "Flag when privileged ports are opened.",
"Flag": "WARNING",
"ResultType": "PORT",
"Clauses": [
{
"Field": "port",
"Operation": "LT",
"Data": [
"1024"
]
}
]
},
{
"Name": "Privileged users",
"Description": "Flag when privileged users are modified.",
"Flag": "WARNING",
"ResultType": "USER",
"Clauses": [
{
"Field": "Privileged",
"Operation": "EQ",
"Data": [
"True"
]
}
]
},
{
"Name": "Hidden users",
"Description": "Flag when hidden user accounts are modified.",
"Flag": "WARNING",
"ResultType": "USER",
"Clauses": [
{
"Field": "Hidden",
"Operation": "EQ",
"Data": [
"True"
]
}
]
},
{
"Name": "Unsigned binaries",
"Description": "Flag when unsigned/incorrectly signed binaries are added.",
"Flag": "WARNING",
"platforms": [
"WINDOWS"
],
"changeTypes": [
"CREATED",
"MODIFIED"
],
"ResultType": "FILE",
"Clauses": [
{
"Field": "IsExecutable",
"Operation": "EQ",
"Data": [
"True"
]
},
{
"Field": "SignatureStatus",
"Operation": "NEQ",
"Data": [
"Valid"
]
}
]
},
{
"Name": "SetUid",
"Description": "Flag UID is set on a file.",
"Flag": "WARNING",
"platforms": [
"LINUX",
"MACOS"
],
"changeTypes": [
"CREATED",
"MODIFIED"
],
"ResultType": "FILE",
"Clauses": [
{
"Field": "SetUid",
"Operation": "EQ",
"Data": [
"True"
]
}
]
},
{
"Name": "SetGid",
"Description": "Flag GID is set on a file.",
"Flag": "WARNING",
"platforms": [
"LINUX",
"MACOS"
],
"changeTypes": [
"CREATED",
"MODIFIED"
],
"ResultType": "FILE",
"Clauses": [
{
"Field": "SetGid",
"Operation": "EQ",
"Data": [
"True"
]
}
]
},
{
"Name": "Missing ASLR",
"Description": "Flag when executables are created without ASLR.",
"Flag": "WARNING",
"platforms": [
"WINDOWS"
],
"changeTypes": [
"CREATED",
"MODIFIED"
],
"ResultType": "FILE",
"Clauses": [
{
"Field": "IsExecutable",
"Operation": "EQ",
"Data": [
"True"
]
},
{
"Field": "Characteristics",
"Operation": "DOES_NOT_CONTAIN",
"Data": [
"IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE",
"IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA"
]
}
]
},
{
"Name": "Missing DEP",
"Description": "Flag when executables are created without DEP.",
"Flag": "WARNING",
"platforms": [
"WINDOWS"
],
"changeTypes": [
"CREATED",
"MODIFIED"
],
"ResultType": "FILE",
"Clauses": [
{
"Field": "IsExecutable",
"Operation": "EQ",
"Data": [
"True"
]
},
{
"Field": "Characteristics",
"Operation": "DOES_NOT_CONTAIN",
"Data": [
"IMAGE_DLLCHARACTERISTICS_NX_COMPAT"
]
}
]
},
{
"Name": "Missing Signed Enforcement",
"Description": "Flag when executables are signed binaries are created without Force Integrity Flag.",
"Flag": "DEBUG",
"platforms": [
"WINDOWS"
],
"changeTypes": [
"CREATED",
"MODIFIED"
],
"ResultType": "FILE",
"Clauses": [
{
"Field": "IsExecutable",
"Operation": "EQ",
"Data": [
"True"
]
},
{
"Field": "SignatureStatus",
"Operation": "EQ",
"Data": [
"Valid"
]
},
{
"Field": "Characteristics",
"Operation": "DOES_NOT_CONTAIN",
"Data": [
"IMAGE_DLLCHARACTERISTICS_FORCE_INTEGRITY"
]
}
]
},
{
"Name": "Certificates",
"Description": "Flag when certificates are placed on disk.",
"Flag": "INFORMATION",
"ResultType": "FILE",
"Clauses": [
{
"Field": "Path",
"Operation": "ENDS_WITH",
"Data": [
".cer",
".der",
".crt"
]
}
]
},
{
"Name": "UPNP Ports",
"Description": "Universal Plug n' Play.",
"Flag": "INFORMATION",
"ResultType": "PORT",
"Clauses": [
{
"Field": "port",
"Operation": "EQ",
"Data": [
"1900"
]
}
]
},
{
"Name": "Keystore Files",
"Description": "Java keystore files contain encryption keys and certificates.",
"Flag": "INFORMATION",
"ResultType": "FILE",
"Clauses": [
{
"Field": "Path",
"Operation": "ENDS_WITH",
"Data": [
".keystore"
]
}
]
},
{
"Name": "Firewall Settings Modified",
"Description": "Flag when OS X firewall settings are modified.",
"Flag": "INFORMATION",
"platforms": [
"MACOS"
],
"ResultType": "FILE",
"Clauses": [
{
"Field": "Path",
"Operation": "EQ",
"Data": [
"/Library/Preferences/com.apple.alf.plist"
]
}
]
},
{
"Name": "COM Objects Modified",
"Description": "Flags when a COM Object has been Added, Removed or Modified.",
"Flag": "INFORMATION",
"platforms": [
"WINDOWS"
],
"ResultType": "REGISTRY",
"Clauses": [
{
"Field": "KEY",
"Operation": "CONTAINS",
"Data": [
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID"
]
}
]
},
{
"Name": "Weak Permissions on UID Binaries",
"Description": "Flags if a binary is Executable by everyone but has SETUID.",
"Flag": "WARNING",
"platforms": [
"LINUX",
"MACOS"
],
"ResultType": "FILE",
"Clauses": [
{
"Field": "IsExecutable",
"Operation": "EQ",
"Data": [ "True" ]
},
{
"Field": "SetUid",
"Operation": "EQ",
"Data": [ "True" ]
},
{
"Field": "Permissions",
"Operation": "CONTAINS",
"DictData": [
{
"Key": "Other",
"Value": "Execute"
}
]
}
]
},
{
"Name": "Weak Permissions on GID Binaries",
"Description": "Flags if a binary is Executable by everyone but has SETGID.",
"Flag": "WARNING",
"platforms": [
"LINUX",
"MACOS"
],
"ResultType": "FILE",
"Clauses": [
{
"Field": "IsExecutable",
"Operation": "EQ",
"Data": [ "True" ]
},
{
"Field": "SetGid",
"Operation": "EQ",
"Data": [ "True" ]
},
{
"Field": "Permissions",
"Operation": "CONTAINS",
"DictData": [
{
"Key": "Other",
"Value": "Execute"
}
]
}
]
},
{
"Name": "SIP Violation",
"Description": "Flags if System Integrity Protection prevented an action.",
"Flag": "WARNING",
"platforms": [
"MACOS"
],
"ResultType": "LOG",
"Clauses": [
{
"Field": "Summary",
"Operation": "CONTAINS",
"Data": [ "sandbox" ]
}
]
}
],
"meta": {
"defaultLevels": {
"PORT": "INFORMATION",
"FILE": "DEBUG",
"SERVICE": "INFORMATION",
"CERTIFICATE": "INFORMATION",
"USER": "INFORMATION",
"REGISTRY": "DEBUG",
"FIREWALL": "INFORMATION",
"COM": "INFORMATION",
"LOG": "DEBUG"
}
}
}
Ссылка в новой задаче Показать git blame Копировать постоянную ссылку