
Check if NetBIOS is Enabled - Stopping Responder

Description: This query looks to see if NetBIOS is enabled. Part 1 of 2 for stopping Responder.

What The Data Shows: This query shows Windows machines that have NetBIOS enabled. NetBIOS can be abused and poisoned so victims can communicate with malicious machines on the network. NetBIOS should be disabled to reduce the chance of attackers obtaining NTLMv2 hashes with Responder or similar tools.

SQL:


SELECT
CASE COUNT(*)
WHEN 2 THEN "DISABLED"
ELSE "ENABLED"
END "NetBIOS Status"
FROM registry
WHERE key LIKE "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NetBT\Parameters\Interfaces\Tcpip_{%"
AND data = 2
AND name="NetbiosOptions";

 

3 Comments
jnelson
Carbon Black Employee
Status changed to: Under Review

@ksnihur while your query runs fine, would you consider changing it so that it would give a definitive result? Here is an example:

SELECT
    CASE COUNT(*)
        WHEN 2 THEN "DISABLED"
        ELSE "ENABLED"
    END "NetBIOS Status"
FROM registry
WHERE key LIKE "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NetBT\Parameters\Interfaces\Tcpip_{%"
    AND data = 2
    AND name="NetbiosOptions";
ksnihur
Contributor II

@jnelson, changed as requested.

jnelson
Carbon Black Employee
Status changed to: Approved
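
The query in the post reports DISABLED only when exactly two interface keys carry NetbiosOptions = 2, so a host with one adapter, or with three or more, is reported as ENABLED even when every adapter has NetBIOS turned off. The variant below is an added example, not part of the original submission or of Carbon Black's query set: it compares the number of interfaces set to 2 against the total number of interfaces that have a NetbiosOptions value. It assumes the osquery registry table returns the DWORD in the data column as text; the output column names other than "NetBIOS Status" are illustrative.

```sql
-- Added example: NetBIOS verdict that does not depend on the adapter count.
-- NetbiosOptions values: 0 = use the DHCP-supplied setting,
--                        1 = NetBIOS over TCP/IP enabled,
--                        2 = NetBIOS over TCP/IP disabled.
WITH netbt AS (
    SELECT
        key,
        CAST(data AS INTEGER) AS netbios_options  -- data is text in osquery (assumption stated above)
    FROM registry
    WHERE key LIKE 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NetBT\Parameters\Interfaces\Tcpip_{%'
      AND name = 'NetbiosOptions'
)
SELECT
    COUNT(*) AS interfaces_total,
    -- Interfaces explicitly set to "disabled"
    COALESCE(SUM(CASE WHEN netbios_options = 2 THEN 1 ELSE 0 END), 0) AS interfaces_disabled,
    -- Interfaces left at 0 (DHCP default) or 1 (enabled): these still need remediation
    COALESCE(SUM(CASE WHEN netbios_options <> 2 THEN 1 ELSE 0 END), 0) AS interfaces_not_disabled,
    CASE
        -- No matching values at all: report it instead of guessing
        WHEN COUNT(*) = 0 THEN 'NO INTERFACES FOUND'
        -- Every interface is set to 2
        WHEN COUNT(*) = SUM(CASE WHEN netbios_options = 2 THEN 1 ELSE 0 END) THEN 'DISABLED'
        -- At least one interface is 0 or 1
        ELSE 'ENABLED'
    END AS "NetBIOS Status"
FROM netbt;
```

A value of 0 is counted as not disabled because the effective setting then depends on what the DHCP server hands out.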