Audit and Remediation: How does the EternalBlue Hardening query determine if SMB is checked via registry or feature?

Environment

  • Carbon Black Cloud: All Versions
    • Audit and Remediation

Question

How does Live Query decide which method, the registry value or the Windows feature setting, it uses to check whether SMB1 is enabled?

Answer

  • The method is selected from the operating system version (the major and minor fields of the os_version table).
    • Windows 8 and above will check the feature setting
    • Windows 7 and below will check the registry value
  • The selection is made by the CASE expression at the bottom of the query:
SELECT CASE
    WHEN (
        (os.major == 10)
        OR (os.major == 6 AND os.minor == 3)
    ) THEN 'FEATURE'

    WHEN ((os.major == 6)) AND (os.minor == 3)
    THEN 'FEATURE'

    WHEN (
        (os.major == 6)
        AND (os.minor == 0 OR os.minor == 1)
    ) THEN 'REGISTRY'

    ELSE 'UNDETERMINED'
END "fetch_method"
FROM os_version AS os
WHERE os.platform = 'windows'
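As an added illustration that is not part of this article or of Carbon Black's own query, the following Python replays that CASE expression branch by branch and pairs each outcome with the check it would go on to run. The two follow-up osquery statements, the SMB1Protocol feature name and the LanmanServer\Parameters\SMB1 registry value are assumptions taken from osquery's table schema and Microsoft's SMB1 guidance rather than from the article. Walking the branches also makes one property of the CASE visible: a 6.2 build (Windows 8 / Server 2012) matches none of them and falls through to UNDETERMINED, so no follow-up check is issued for it.

```python
"""Added example (not from the Carbon Black article): replays the fetch_method
CASE expression from the Live Query in plain Python and shows what each branch
would go on to query. The follow-up osquery statements, the SMB1Protocol feature
name and the LanmanServer\\Parameters\\SMB1 registry value are assumptions drawn
from osquery's schema and Microsoft's SMB1 documentation, not from the article."""

from typing import Optional


def fetch_method(major: int, minor: int) -> str:
    """Mirror the CASE expression branch by branch, using os_version.major/minor."""
    # WHEN ((os.major == 10) OR (os.major == 6 AND os.minor == 3)) THEN 'FEATURE'
    if major == 10 or (major == 6 and minor == 3):
        return "FEATURE"
    # WHEN ((os.major == 6)) AND (os.minor == 3) THEN 'FEATURE'  (already covered above)
    if major == 6 and minor == 3:
        return "FEATURE"
    # WHEN ((os.major == 6) AND (os.minor == 0 OR os.minor == 1)) THEN 'REGISTRY'
    if major == 6 and minor in (0, 1):
        return "REGISTRY"
    # ELSE 'UNDETERMINED'  (note: 6.2, i.e. Windows 8, lands here)
    return "UNDETERMINED"


# Assumed follow-up queries, one per fetch method (table and column names from
# the osquery schema; the article itself does not show this part of the query).
FOLLOW_UP_QUERY = {
    "FEATURE": (
        "SELECT name, state, statename FROM windows_optional_features "
        "WHERE name = 'SMB1Protocol';"
    ),
    "REGISTRY": (
        "SELECT key, name, data FROM registry "
        "WHERE key = 'HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services"
        "\\LanmanServer\\Parameters' AND name = 'SMB1';"
    ),
}


def plan_check(os_row: dict) -> dict:
    """Given one os_version row (as a dict), return the method and the next query."""
    if os_row.get("platform") != "windows":
        return {"fetch_method": None, "query": None}
    method = fetch_method(int(os_row["major"]), int(os_row["minor"]))
    return {"fetch_method": method, "query": FOLLOW_UP_QUERY.get(method)}


def smb1_enabled(method: str, rows: list) -> Optional[bool]:
    """Interpret the follow-up result rows.

    FEATURE : windows_optional_features.state 1 = Enabled, 2 = Disabled, 3 = Absent.
    REGISTRY: the SMB1 DWORD is absent by default on Windows 7 (SMB1 on); data 0 = off.
    Returns None when the method is UNDETERMINED or the rows are not interpretable.
    """
    if method == "FEATURE":
        for row in rows:
            if row.get("name") == "SMB1Protocol":
                return int(row.get("state", 0)) == 1
        return None
    if method == "REGISTRY":
        if not rows:
            return True  # value missing -> protocol enabled by default
        return str(rows[0].get("data")) != "0"
    return None


if __name__ == "__main__":
    # Constructed sample rows standing in for Live Query os_version results.
    samples = [
        {"platform": "windows", "major": 10, "minor": 0},  # Windows 10
        {"platform": "windows", "major": 6, "minor": 1},   # Windows 7
        {"platform": "windows", "major": 6, "minor": 2},   # Windows 8
    ]
    for s in samples:
        print(s["major"], s["minor"], "->", plan_check(s)["fetch_method"])
```

The redundant second branch is kept on purpose so the Python reads one-to-one against the SQL; the interpretation in smb1_enabled is where a defender decides what "enabled" means for each source, and the absent-registry-value case is the one most often mis-scored.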

Creation Date: 12-20-2021