
Eternal Blue - Disable SMBv1

Fixed based on a recommendation by @ben_bass 

Description: This query looks to see if SMBv1 is enabled in the Windows Registry. Eternal Blue used a vulnerability in SMBv1.

What The Data Shows: This data shows if machines have SMBv1 enabled so users can reduce the attack surface.

SQL: 

-- With no GROUP BY, COUNT(*) always yields exactly one row: cnt is 0 when the
-- SMB1 value is absent or set to 0, and the other columns come from the matched row.
SELECT name, type,
  CASE cnt
    WHEN 0 THEN "DISABLED"
    ELSE "ENABLED"
  END "SMBv1 Status",
  datetime(mtime, "unixepoch", "localtime") AS last_registry_write
FROM (SELECT *, COUNT(*) AS cnt
      FROM registry
      WHERE path = 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters\SMB1' AND data != 0);

> Requirement: Please test all submissions using Live Query or Osquery before posting.


3 Comments
mjomha
Contributor

Great query; people would be surprised at how many environments have SMBv1 enabled on all their servers when it’s not needed.

jnelson
Carbon Black Employee
Status changed to: Approved
 
ben_bass
New Contributor

This query looks to see if the SMB1 key is there, but not the value of the key. We have ours explicitly set to 0, yet with this query we are coming back as "ENABLED".

I suggest updating the query to something like this:


SELECT name, type,
  CASE cnt
    WHEN 0 THEN "DISABLED"
    ELSE "ENABLED"
  END "SMBv1 Status",
  datetime(mtime, "unixepoch", "localtime") AS last_registry_write
FROM (SELECT *, COUNT(*) AS cnt
      FROM registry
      WHERE path = 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters\SMB1' AND data != 0);
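An added variant (not the original poster's or ben_bass's query) that separates the three states this thread is about: both posted versions report DISABLED when the SMB1 value simply does not exist, which on older Windows means SMBv1 is still on by default. The LEFT JOIN against a one-row subquery keeps a row even when the value is missing; column names are those of osquery's registry table.

```sql
-- Added example, not the query from the original post.
-- Reports one row per endpoint whether or not the SMB1 value exists, so
-- "absent" is shown on its own instead of being folded into DISABLED
-- (absent = OS default: enabled on legacy Windows; on current Windows 10/11
-- SMBv1 is an optional feature that is normally not installed at all).
SELECT
  'HKLM\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters\SMB1' AS checked_path,
  CASE
    WHEN r.data IS NULL THEN 'NOT SET (OS default applies)'
    WHEN CAST(r.data AS INTEGER) = 0 THEN 'DISABLED'
    ELSE 'ENABLED'
  END AS "SMBv1 Status",
  r.data AS raw_value,
  r.type AS value_type,
  datetime(r.mtime, 'unixepoch', 'localtime') AS last_registry_write
FROM (SELECT 1 AS one) AS anchor
LEFT JOIN (
  SELECT name, type, data, mtime
  FROM registry
  WHERE path = 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters\SMB1'
) AS r ON 1 = 1;
```

Endpoints reporting NOT SET still need a follow-up check of the installed SMB1 feature rather than being treated as safe.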