@1mm0rt41PC
Last active February 10, 2023 16:40
# Expected hardening state, as a JSON document: check title -> 'Hive' -> registry key path
# -> value name -> '<Type>:<value>'. Only the part after ':' is compared by the loop further
# down; the type prefix (spelled DWord/Dword inconsistently here) is informational only.
# Key paths are written 'HKLM\...' / 'HKCU\...' with JSON-escaped backslashes and are mapped
# to PowerShell provider paths ('HKLM:\...') before they are read.
$tests = @'
{
"RDP server configuration": {
"Hive": {
"HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows NT\\Terminal Services": {
"KeepAliveInterval": "DWord:1",
"DeleteTempDirsOnExit": "DWord:1",
"SecurityLayer": "DWord:2",
"UserAuthentication": "DWord:1",
"MaxIdleTime": "DWord:900000",
"MaxDisconnectionTime": "DWord:900000",
"RemoteAppLogoffTimeLimit": "DWord:300000",
"fEncryptRPCTraffic": "DWord:1",
"MinEncryptionLevel": "DWord:3",
"AllowEncryptionOracle": "DWord:0"
},
"HKLM\\System\\CurrentControlSet\\Control\\Lsa": {
"DisableDomainCreds": "DWord:1"
}
}
},
"Network security: Restrict NTLM outgoing authentication for machine account (Coercing)": {
"Hive": {
"HKLM\\System\\CurrentControlSet\\Control\\Lsa\\MSV1_0": {
"RestrictSendingNTLMTraffic": "DWord:2"
}
}
},
"Network security: Send NTLMv2 response only. Refuse LM & NTLM": {
"Hive": {
"HKLM\\System\\CurrentControlSet\\Control\\Lsa": {
"LmCompatibilityLevel": "DWord:5"
},
"HKLM\\System\\CurrentControlSet\\Control\\Lsa\\MSV1_0": {
"NTLMMinClientSec": "DWord:537395200",
"NTLMMinServerSec": "DWord:537395200"
},
"HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\Kerberos\\Parameters": {
"SupportedEncryptionTypes": "DWord:24"
}
}
},
"Encryption & sign communications": {
"Hive": {
"HKLM\\System\\CurrentControlSet\\Services\\Netlogon\\Parameters": {
"RequireSignOrSeal": "DWord:1",
"SealSecureChannel": "DWord:1",
"SignSecureChannel": "DWord:1"
}
}
},
"LDAP client configuration": {
"Hive": {
"HKLM\\System\\CurrentControlSet\\Services\\LDAP": {
"LDAPClientIntegrity": "DWord:2"
}
}
},
"LDAP server configuration": {
"Hive": {
"HKLM\\System\\CurrentControlSet\\Services\\NTDS\\Parameters": {
"LDAPServerIntegrity": "DWord:2",
"LdapEnforceChannelBinding": "DWord:2"
}
}
},
"SMB client configuration": {
"Hive": {
"HKLM\\System\\CurrentControlSet\\Services\\LanmanWorkstation\\Parameters": {
"EnableSecuritySignature": "DWord:1",
"RequireSecuritySignature": "DWord:1",
"EnablePlainTextPassword": "DWord:0"
}
}
},
"LAPS": {
"Hive": {
"HKLM\\Software\\Policies\\Microsoft Services\\AdmPwd": {
"AdmPwdEnabled": "Dword:1",
"PwdExpirationProtectionEnabled": "Dword:1",
"PasswordComplexity": "Dword:4",
"PasswordLength": "Dword:16",
"PasswordAgeDays": "Dword:30"
},
"HKLM\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\GPExtensions\\{D76B9641-3288-4f75-942D-087DE603E3EA}": {
"ExtensionDebugLevel": "Dword:2"
}
}
},
"Machine Password Rotation": {
"Hive": {
"HKLM\\System\\CurrentControlSet\\Services\\Netlogon\\Parameters": {
"DisablePasswordChange": "DWord:0",
"MaximumPasswordAge": "DWord:30"
}
}
},
"UAC configuration": {
"Hive": {
"HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\System": {
"FilterAdministratorToken": "DWord:1",
"LocalAccountTokenFilterPolicy": "DWord:0"
}
}
},
"Auto lock session after 15min": {
"Hive": {
"HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\System": {
"InactivityTimeoutSecs": "DWord:900"
}
}
},
"LSASS Protection (Mimikatz)": {
"Hive": {
"HKLM\\SYSTEM\\CurrentControlSet\\Control\\SecurityProviders\\WDigest": {
"UseLogonCredential": "DWord:0",
"Negotiate": "DWord:0"
},
"HKLM\\SYSTEM\\CurrentControlSet\\Control\\LSA": {
"RunAsPPL": "DWord:1",
"DisableRestrictedAdmin": "DWord:0",
"DisableRestrictedAdminOutboundCreds": "DWord:1"
}
}
},
"Deny anonymous SMB (Block CobaltStrike)": {
"Hive": {
"HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows\\LanmanWorkstation": {
"AllowInsecureGuestAuth": "DWord:0"
}
}
},
"WIFI-Protection - AirStrike": {
"Hive": {
"HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows\\System": {
"DontDisplayNetworkSelectionUI": "DWord:1"
},
"HKLM\\Software\\Microsoft\\PolicyManager\\default\\WiFi\\AllowAutoConnectToWiFiSenseHotspots": {
"value": "DWord:0"
}
}
},
"SMB server - FileServer configuration": {
"Hive": {
"HKLM\\SYSTEM\\CurrentControlSet\\Services\\LanmanServer\\Parameters": {
"SMB1": "Dword:0",
"EnableSecuritySignature": "Dword:1",
"RequireSecuritySignature": "Dword:1",
"AutoShareWks": "Dword:0",
"AutoShareServer": "Dword:0",
"AutoDisconnect": "Dword:60",
"RestrictNullSessAccess": "Dword:1"
},
"HKLM\\System\\CurrentControlSet\\Services\\Rdr\\Parameters": {
"EnableSecuritySignature": "DWord:1",
"RequireSecuritySignature": "DWord:1"
}
}
},
"Bitlocker": {
"Hive": {
"HKLM\\Software\\Policies\\Microsoft\\FVE": {
"ActiveDirectoryBackup": "DWord:1",
"OSActiveDirectoryBackup": "DWord:1",
"FDVActiveDirectoryBackup": "DWord:1",
"RDVActiveDirectoryBackup": "DWord:1",
"OSRecovery": "DWord:1",
"RequireActiveDirectoryBackup": "DWord:1",
"ActiveDirectoryInfoToStore": "DWord:1",
"EncryptionMethodWithXtsOs": "DWord:7",
"EncryptionMethodWithXtsFdv": "DWord:7",
"EncryptionMethodWithXtsRdv": "DWord:7",
"EncryptionMethodNoDiffuser": "DWord:4",
"EncryptionMethod": "DWord:2"
},
"HKLM\\SYSTEM\\CurrentControlSet\\Control\\BitLockerStatus": {
"BootStatus": "Dword:1"
}
}
},
"LLMNR": {
"Hive": {
"HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows NT\\DNSClient": {
"EnableMulticast": "Dword:0"
}
}
},
"NetBios": {
"Hive": {
"HKLM\\SYSTEM\\CurrentControlSet\\Services\\Netbt\\Parameters": {
"NodeType": "Dword:2"
}
}
},
"mDNS": {
"Hive": {
"HKLM\\SYSTEM\\CurrentControlSet\\Services\\Dnscache\\Parameters": {
"EnableMDNS": "DWord:0"
}
}
},
"WPAD": {
"Hive": {
"HKLM\\SYSTEM\\CurrentControlSet\\Services\\WinHttpAutoProxySvc": {
"Start": "Dword:4"
},
"HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Wpad": {
"WpadOverride": "Dword:1"
},
"HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Wpad": {
"WpadOverride": "Dword:1"
},
"HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings": {
"AutoDetect": "Dword:0"
},
"HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings": {
"AutoDetect": "Dword:0"
}
}
}
}
'@ | ConvertFrom-Json
# ESC character used to build the ANSI colour sequences of the OK / VULN status cells.
$e = [char]27
# Column widths of the report table: check or key name, live value, expected value, status.
$colSize = 114, 13, 10, 7
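#######################################
# For every check in $tests, print a table that compares each expected registry
# value with the live value on this machine.
# Columns (widths from $colSize): key name | live value | expected value | status.
# Output is written with Write-Host only; nothing is returned to the pipeline and
# the script's exit code does not reflect the results.
# Get-Member lists properties alphabetically, so checks and keys are reported in
# alphabetical order, not in the order they appear in $tests.
#######################################
$tests | Get-Member -MemberType NoteProperty | ForEach-Object {
  $title = $_.Name
  # '+----+---+---+---+' frame line, one '-' run per column of $colSize.
  $header = (($colSize | ForEach-Object { '+'.PadRight($_ + 1, '-') }) -join '') + '+'
  Write-Host $header
  # Header cells are padded to the same widths as the data rows so the column
  # separators line up with the frame (the original header used fixed-width
  # labels that did not match $colSize).
  Write-Host (("| $title").PadRight($colSize[0] + 1, ' ') +
              '| VALUE'.PadRight($colSize[1] + 1, ' ') +
              '| EXPECTED'.PadRight($colSize[2] + 1, ' ') +
              '| ETA'.PadRight($colSize[3] + 1, ' ') + '|')
  Write-Host $header
  $tests."$title".Hive | Get-Member -MemberType NoteProperty | ForEach-Object {
    $hive = $_.Name
    # Map the JSON-style 'HKLM\...' / 'HKCU\...' prefix onto a provider path
    # ('HKLM:\...'). The anchored replace keeps exactly one backslash after the
    # drive; the earlier .Replace('HKLM','HKLM:\') produced 'HKLM:\\...', which the
    # registry provider seems to tolerate but is not a canonical path.
    # NOTE(review): 'HKCU:' is the hive of the account running the script; under an
    # elevated prompt that is the administrator's profile, not the interactive user's.
    $hiveps = $hive -replace '^(HKLM|HKCU)\\', '$1:\'
    Write-Host (("| > $hive ").PadRight($colSize[0] + 1, '=') +
                '|' + ('=' * $colSize[1]) +
                '|' + ('=' * $colSize[2]) +
                '|' + ('=' * $colSize[3]) + '|')
    $tests."$title".Hive."$hive" | Get-Member -MemberType NoteProperty | ForEach-Object {
      $key = $_.Name
      # 'DWord:1' -> '1'. Only the value is compared; the type prefix is dropped,
      # so a REG_SZ '1' would also be reported OK against an expected 'DWord:1'.
      $expected = ($tests."$title".Hive."$hive"."$key").Split(':')[1]
      try {
        $val = Get-ItemPropertyValue -Path $hiveps -Name $key -ErrorAction Stop
      } catch {
        # Key or value missing: reported as VULN below. For keys whose OS default
        # already equals the expected value this over-reports.
        # NOTE(review): confirm the "absent == vulnerable" assumption per key.
        $val = 'NOT DEFINED'
      }
      $row = ("| $key ").PadRight($colSize[0] + 1, ' ') +
             ("| $val").PadRight($colSize[1] + 1, ' ') +
             ("| $expected").PadRight($colSize[2] + 1, ' ')
      # ${e} (braced) keeps the variable reference unambiguous in front of the '[' of
      # the ANSI sequence; 42 = green background, 41 = red background, 0 = reset.
      if ($val -eq $expected) {
        $status = "${e}[42mOK${e}[0m"
      } else {
        $status = "${e}[41mVULN${e}[0m"
      }
      Write-Host "$row| $status |"
    }
  }
  Write-Host $header
  Write-Host " "
}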