Built off the open source project Osquery
Description: This query checks whether NetBIOS is enabled. Part 1 of 2 for stopping Responder.
What The Data Shows: This query shows Windows machines that have NetBIOS enabled. NetBIOS can be abused and poisoned so that victims communicate with malicious machines on the network. NetBIOS should be disabled to reduce the chance of attackers obtaining NTLMv2 hashes with Responder or similar tools.
SQL:
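-- Counts interface keys whose NetbiosOptions value is 2 (NetBIOS over TCP/IP disabled).
-- Reports DISABLED only when exactly two such interfaces are found; any other count reports ENABLED.
SELECT
  CASE COUNT(*)
    WHEN 2 THEN 'DISABLED'
    ELSE 'ENABLED'
  END AS "NetBIOS Status"
FROM registry
WHERE key LIKE 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NetBT\Parameters\Interfaces\Tcpip_{%'
  AND data = 2
  AND name = 'NetbiosOptions';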
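Added example (not part of the original page or of osquery): because the query above reports DISABLED only when exactly two interfaces have NetbiosOptions = 2, this Python script runs a count-independent variant and a per-interface listing against a constructed in-memory stand-in for the registry table. The interface GUIDs, row values, function names and the two SQL variants are assumptions made for the illustration.

```python
import sqlite3

# LIKE pattern from the page's query; backslashes are literal in SQLite LIKE.
KEY_PATTERN = (r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NetBT"
               r"\Parameters\Interfaces\Tcpip_{%")

# Host is DISABLED only if every interface found has NetbiosOptions = 2,
# however many interfaces there are. In osqueryi, replace ? with the pattern.
STATUS_SQL = """
SELECT CASE WHEN COUNT(*) > 0 AND SUM(data = '2') = COUNT(*)
            THEN 'DISABLED' ELSE 'ENABLED' END AS "NetBIOS Status"
FROM registry
WHERE key LIKE ? AND name = 'NetbiosOptions';
"""

# Interfaces still needing remediation (any value other than 2).
EXPOSED_SQL = """
SELECT key, data FROM registry
WHERE key LIKE ? AND name = 'NetbiosOptions' AND data <> '2'
ORDER BY key;
"""


def make_registry(rows):
    """Constructed stand-in for osquery's registry table (key, name, data)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE registry (key TEXT, name TEXT, data TEXT)")
    db.executemany("INSERT INTO registry VALUES (?, ?, ?)", rows)
    return db


def netbios_status(rows):
    return make_registry(rows).execute(STATUS_SQL, (KEY_PATTERN,)).fetchone()[0]


def exposed_interfaces(rows):
    return make_registry(rows).execute(EXPOSED_SQL, (KEY_PATTERN,)).fetchall()


def iface(guid, value):
    """Build one constructed NetbiosOptions row for a made-up interface GUID."""
    return (KEY_PATTERN[:-2] + "{" + guid + "}", "NetbiosOptions", value)


# Constructed sample: three interfaces, one left at the DHCP default (0).
SAMPLE = [iface("AAAAAAAA-0000-0000-0000-000000000001", "2"),
          iface("AAAAAAAA-0000-0000-0000-000000000002", "2"),
          iface("AAAAAAAA-0000-0000-0000-000000000003", "0")]
```

On the constructed sample, `netbios_status(SAMPLE)` returns ENABLED and `exposed_interfaces(SAMPLE)` returns the one interface still set to 0, which is the row to remediate.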