<?xml version="1.0" encoding="utf-8"?>
<CyberPatriotResource>
<ResourceID>Windows8_r2_hs</ResourceID>
<Tier/>
<Branding>CyberPatriot</Branding>
<Title>CP-IX High School Round 2 Windows 8</Title>
<TeamKey>CyberPatriot9</TeamKey>
<!-- Score upload and scoreboard endpoints are plain http to raw IP addresses; nothing in this
     file pins or authenticates those endpoints, so the integrity of uploaded results in transit
     rests entirely on the network path. -->
<ScoringUrl>http://54.243.182.228/ccs/upload</ScoringUrl>
<ScoreboardUrl>http://54.243.195.23</ScoreboardUrl>
<HideScoreboard>false</HideScoreboard>
<ReadmeUrl>http://www.uscyberpatriot.org/Pages/Readme/readme_hs_tvadjak3cg.aspx</ReadmeUrl>
<SupportUrl>https://fedgov.webex.com/fedgov/onstage/g.php?PRID=5632977f96b90348071a216c69912878</SupportUrl>
<!-- Clock sources, primary first. The primary is the scoreboard host; every fallback is a
     third-party public page fetched over http (presumably scraped for the current UTC time). -->
<TimeServers>
<Primary>http://54.243.195.23/message.php</Primary>
<Secondary>http://time.is/UTC</Secondary>
<Secondary>http://nist.time.gov/</Secondary>
<Secondary>http://www.zulutime.net/</Secondary>
<Secondary>http://time1.ucla.edu/home.php</Secondary>
<Secondary>http://viv.ebay.com/ws/eBayISAPI.dll?EbayTime</Secondary>
<Secondary>http://worldtime.io/current/utc_netherlands/8554</Secondary>
<Secondary>http://www.timeanddate.com/worldclock/timezone/utc</Secondary>
<Secondary>http://www.thetimenow.com/utc/coordinated_universal_time</Secondary>
<Secondary>http://www.worldtimeserver.com/current_time_in_UTC.aspx</Secondary>
</TimeServers>
<!-- NOTE(review): Before/After read as the competition window and Uptime/InvalidTeam as hh:mm
     durations; the element name suggests the image is rendered unusable outside these bounds or
     on an invalid client/team, but the enforcing logic lives in the client, not here - confirm. -->
<DestructImage>
<Before>2016-11-20 05:00</Before>
<After>2016-12-13 06:00</After>
<Uptime>07:00</Uptime>
<Playtime/>
<InvalidClient>true</InvalidClient>
<InvalidTeam>00:30</InvalidTeam>
</DestructImage>
<!-- Same trigger shape as DestructImage, at an earlier uptime (06:30 vs 07:00), plus NoConnection. -->
<DisableFeedback>
<Before>2016-11-20 05:00</Before>
<After>2016-12-13 06:00</After>
<Uptime>06:30</Uptime>
<Playtime/>
<NoConnection>true</NoConnection>
<InvalidClient>true</InvalidClient>
<InvalidTeam>true</InvalidTeam>
</DisableFeedback>
<WarnAfter>05:30</WarnAfter>
<StopImageAfter>06:00</StopImageAfter>
<StopTeamAfter/>
<!-- Timing knobs; units are not stated here (StartupTime/IntervalTime look like seconds,
     UploadTimeout could be seconds or hours - confirm against the client). -->
<StartupTime>60</StartupTime>
<IntervalTime>60</IntervalTime>
<UploadTimeout>24</UploadTimeout>
<!-- Execute entries are command lines run on the named scoring event. They use absolute paths
     under InstallPath rather than PATH lookup, which is the right choice for a config that can
     launch processes. -->
<OnPointsGained>
<Execute>C:\CyberPatriot\sox.exe C:\CyberPatriot\gain.wav -d -q</Execute>
<Execute>C:\CyberPatriot\Notify.exe You Gained Points</Execute>
</OnPointsGained>
<OnPointsLost>
<Execute>C:\CyberPatriot\sox.exe C:\CyberPatriot\alarm.wav -d -q</Execute>
<Execute>C:\CyberPatriot\Notify.exe You Lost Points</Execute>
</OnPointsLost>
<OnInvalidTeam>
<Execute>C:\CyberPatriot\sox.exe C:\CyberPatriot\alarm.wav -d -q</Execute>
<Execute>C:\CyberPatriot\Notify.exe WARNING: Invalid Unique Identifier</Execute>
</OnInvalidTeam>
<AutoDisplayPoints>true</AutoDisplayPoints>
<InstallPath>C:\CyberPatriot</InstallPath>
<!-- Report/config file names, relative to InstallPath (extensions presumably added by the client). -->
<TeamConfig>ScoringConfig</TeamConfig>
<HtmlReport>ScoringReport</HtmlReport>
<HtmlReportTemplate>ScoringReportTemplate</HtmlReportTemplate>
<XmlReport>ScoringData/ScoringReport</XmlReport>
<RedShirt>tempfile</RedShirt>
<!-- Fingerprint of the image/client this resource is valid for: ClientHash is 64 hex digits
     (SHA-256 sized) for the client executable at ClientPath, alongside product, disk-id and
     install-date values. The InvalidClient settings above are what presumably fires on a
     mismatch; the comparison itself is done by the client and is not visible here. -->
<ValidClient>
<ResourcePath>C:\CyberPatriot\ScoringResource.dat</ResourcePath>
<ClientPath>C:\CyberPatriot\CCSClient.exe</ClientPath>
<ClientHash>5AA01BD7F0B02F599176A71A01FE7E1F9E8DE834C2C8EB13D9527AC10B7ACFA3</ClientHash>
<ProductID>Windows 8/8.1 Enterprise 32-bit</ProductID>
<DiskID>52ADBB20</DiskID>
<InstallDate>2013-Dec-06 22:07:13</InstallDate>
</ValidClient>
<Check>
<CheckID>FOR_Q1</CheckID>
<Description>1194BD08DD351DA0ED6B0AD1665318CD43E174114D3A20BC899362A2EAC68648E26666AECE8A794F668FB4DC591F8A07B85BC7E96224D1F72468811BA3D2E289</Description>
<Points>8</Points>
<Test>
<Type>file</Type>
<Name>T1</Name>
<FilePath>C:\Users\leonardo\Desktop\Forensics Question 1.txt</FilePath>
</Test>
<PassIf>
<T1>
<Condition>Exists</Condition>
<Equals>true</Equals>
</T1>
<T1>
<Condition>Contains</Condition>
<Equals>(?i)ANSWER:[^\n]*Windows\s+update</Equals>
</T1>
</PassIf>
</Check>
<Check>
<CheckID>FOR_Q2</CheckID>
<Description>CF41217935CF32C6C319E74B1EF36B0E497274C062D5A693A004902D1FC0C28600CB183BC1ECD4084B2DC16FE08C5C59588D898C39B68E56FC78811763F0C3C8</Description>
<Points>8</Points>
<Test>
<Type>file</Type>
<Name>T1</Name>
<FilePath>C:\Users\leonardo\Desktop\Forensics Question 2.txt</FilePath>
</Test>
<PassIf>
<T1>
<Condition>Exists</Condition>
<Equals>true</Equals>
</T1>
<T1>
<Condition>Contains</Condition>
<Equals>(?i)ANSWER:\s*31337</Equals>
</T1>
<T1>
<Condition>Contains</Condition>
<NotEquals>(?i)ANSWER:\s*54321</NotEquals>
</T1>
<T1>
<Condition>Contains</Condition>
<NotEquals>(?i)ANSWER:\s*2</NotEquals>
</T1>
</PassIf>
</Check>
<Check>
<CheckID>USR_BEBOP</CheckID>
<Description>6F651797674F743D882C7E957BC2F656B5006AE222995586D54BD48174109DA65AD658E0D9E2B8E374EF7DDE8BCB446B37110708DC6CBA8A632CC0B60D907818</Description>
<Points>2</Points>
<Test>
<Name>T1</Name>
<Type>user</Type>
<UserName>bebop</UserName>
</Test>
<PassIf>
<T1>
<Condition>Exists</Condition>
<Equals>false</Equals>
</T1>
</PassIf>
<PassIf>
<T1>
<Condition>Exists</Condition>
<Equals>true</Equals>
</T1>
<T1>
<Condition>Enabled</Condition>
<Equals>false</Equals>
</T1>
</PassIf>
</Check>
<Check>
<CheckID>USR_ROCKSTEADY</CheckID>
<Description>FDE7584EB34B868C14449DFE68FB13C23805843E67DDFC24441705543518DE0B0B7B4DEFC7D362EF765E5A6919CE2501B71AB933F2595846A61419C3CD20628C67608D2BCF</Description>
<Points>2</Points>
<Test>
<Name>T1</Name>
<Type>user</Type>
<UserName>rocksteady</UserName>
</Test>
<PassIf>
<T1>
<Condition>Exists</Condition>
<Equals>false</Equals>
</T1>
</PassIf>
<PassIf>
<T1>
<Condition>Exists</Condition>
<Equals>true</Equals>
</T1>
<T1>
<Condition>Enabled</Condition>
<Equals>false</Equals>
</T1>
</PassIf>
</Check>
<Check>
<CheckID>USR_RAY</CheckID>
<Description>505A61369AF5FDAE3574C0EECCC8B7D7AB9C26387E0B3B4C259077A13B9CE9BF16E700C17B2D45E049FBAFB36633A19DCB736DFE7F39E30F144E3C</Description>
<Points>2</Points>
<Test>
<Name>T1</Name>
<Type>user</Type>
<UserName>ray</UserName>
</Test>
<PassIf>
<T1>
<Condition>Exists</Condition>
<Equals>true</Equals>
</T1>
<T1>
<Condition>Password</Condition>
<NotEquals/>
</T1>
</PassIf>
</Check>
<Check>
<CheckID>USR_SLASH</CheckID>
<Description>0048EA19E53702DCD7DF7B34EE065D9936DD1823442F9CCBFC3206714E857766E9CD96DF2B54DC0604BA6B8DC651E212A3F1A90617EDBD07769D48679D5CA074</Description>
<Points>2</Points>
<Test>
<Name>T1</Name>
<Type>user</Type>
<UserName>slash</UserName>
</Test>
<PassIf>
<T1>
<Condition>Exists</Condition>
<Equals>true</Equals>
</T1>
<T1>
<Condition>LockedOut</Condition>
<Equals>false</Equals>
</T1>
</PassIf>
</Check>
<!-- NOTE(review): CheckID USR_SLASH is already used by the preceding check (user "slash"); this
     check tests user "screwloose", so the id is a copy-paste duplicate. If the report or
     scoreboard keys results on CheckID the two outcomes will collide - give this check its own
     unique id. Description values are opaque hex blobs throughout this file and are left as-is. -->
<Check>
<CheckID>USR_SLASH</CheckID>
<Description>914D608782981089C4BD2F93A1633A0C80D3EB00E4239EBC205EB9A414ECE3427E41F445FBB3ACFB8F3DFEA95BC428458205644D1120317B78AB132EEFEB2957D372D65484</Description>
<Points>2</Points>
<Test>
<Name>T1</Name>
<Type>user</Type>
<UserName>screwloose</UserName>
</Test>
<!-- Awards the points while the account exists and is not locked out. -->
<PassIf>
<T1>
<Condition>Exists</Condition>
<Equals>true</Equals>
</T1>
<T1>
<Condition>LockedOut</Condition>
<Equals>false</Equals>
</T1>
</PassIf>
</Check>
<Check>
<CheckID>USR_SPLNTR</CheckID>
<Description>01FC97E9629445C1AFCE1BFB7AF7EAF8FB98A9099507481EF7FE27BEC0340E377012850652783404B8615F2935298E6519190CD3F24EB484D1C8AD85ED1A1595031D75135D6577</Description>
<Points>2</Points>
<Test>
<Name>T1</Name>
<Type>user</Type>
<UserName>splinter</UserName>
</Test>
<PassIf>
<T1>
<Condition>Exists</Condition>
<Equals>true</Equals>
</T1>
<T1>
<Condition>Admin</Condition>
<Equals>false</Equals>
</T1>
</PassIf>
</Check>
<Check>
<CheckID>USR_JAGWAR</CheckID>
<Description>543958D8544932E0C446C44BADCEDDAAD318D338BA22238AC116D55B064051537A892B07D38E41EA6C5FD41C089A22A6CD618C32B8B0CDBF97DDF7D07A46DCDC0C3D16A721EC82</Description>
<Points>2</Points>
<Test>
<Name>T1</Name>
<Type>user</Type>
<UserName>jagwar</UserName>
</Test>
<PassIf>
<T1>
<Condition>Exists</Condition>
<Equals>true</Equals>
</T1>
<T1>
<Condition>Admin</Condition>
<Equals>false</Equals>
</T1>
</PassIf>
</Check>
<Check>
<CheckID>ACT_HIST</CheckID>
<Description>263FDFCBCC009E6AEFF20110A8C22E91614581108B71B01F9C5ADA943D504DBC4A57BB6FD202E1A993B5C284066BA96DCEFCF41BD61E6BB5946CA1AF6B3C7FB048F346B851C51A3B116D599822AD59</Description>
<Points>3</Points>
<Test>
<Name>T1</Name>
<Type>password_policy</Type>
</Test>
<PassIf>
<T1>
<Condition>Exists</Condition>
<Equals>true</Equals>
</T1>
<T1>
<Condition>PasswordHistLen</Condition>
<GreaterThan>2</GreaterThan>
</T1>
</PassIf>
</Check>
<Check>
<CheckID>POL_ALOGF</CheckID>
<Description>40442865BEF02747C966E2605A219DFB5D2033CEB63F79C8002B1B30230E9BA0AB0213C68EB21D4667E189FCDFDBA4C607475CDA77D14531C4A8F4F9D052A7B6F693B3</Description>
<Points>4</Points>
<Test>
<Name>T1</Name>
<Type>audit_policy</Type>
</Test>
<PassIf>
<T1>
<Condition>Exists</Condition>
<Equals>true</Equals>
</T1>
<T1>
<Condition>AccountLogon</Condition>
<Equals>Failure</Equals>
</T1>
</PassIf>
</Check>
<Check>
<CheckID>POL_AC_LBPU</CheckID>
<Description>07F11FBB667D8C330552151C4FA0C05A2EB9B1D731DF23E491ECCEAEA36619EC19495F37D92AB5428C84F74393B9441F53D168EE628B36B825CFA19C5DCD881154701E50F124C82963AFCF049BECCE380C1DC4BF8EB31405733F8238BC790C</Description>
<Points>4</Points>
<Test>
<Name>T1</Name>
<Type>registry</Type>
<Key>HKEY_LOCAL_MACHINE</Key>
<KeyPath>SYSTEM\CurrentControlSet\Control\Lsa</KeyPath>
<KeyName>LimitBlankPasswordUse</KeyName>
</Test>
<PassIf>
<T1>
<Condition>Exists</Condition>
<Equals>true</Equals>
</T1>
<T1>
<Condition>Value</Condition>
<Equals>1</Equals>
</T1>
</PassIf>
</Check>
<Check>
<CheckID>POL_MNC_SIG</CheckID>
<Description>AA9EB938B8E5AB50212C41ABF5232CC8ABE424585C758F6DE46E714DD07A7E36F278474BA08E893F0C95A5DBF2F5483CFF9BBA66043E2EA2B5D8C45DA734569CE9CB336BE4B4035A645F1E0433CA3CB9756F8F69DA2065616C19FA68C6E16008FA40A89D6B</Description>
<Points>5</Points>
<Test>
<Name>T1</Name>
<Type>registry</Type>
<Key>HKEY_LOCAL_MACHINE</Key>
<KeyPath>System\CurrentControlSet\Services\LanmanWorkstation\Parameters</KeyPath>
<KeyName>EnableSecuritySignature</KeyName>
</Test>
<Test>
<Name>T2</Name>
<Type>registry</Type>
<Key>HKEY_LOCAL_MACHINE</Key>
<KeyPath>System\CurrentControlSet\Services\LanmanWorkstation\Parameters</KeyPath>
<KeyName>RequireSecuritySignature</KeyName>
</Test>
<PassIf>
<T1>
<Condition>Value</Condition>
<Equals>1</Equals>
</T1>
</PassIf>
<PassIf>
<T2>
<Condition>Value</Condition>
<Equals>1</Equals>
</T2>
</PassIf>
</Check>
<Check>
<CheckID>POL_IL_DLUN</CheckID>
<Description>0DED4115C2C500047BDF3FBD83AE4DF00DA5294CEB9642605838AF4B431CE79B5D565DCF525EEA67DD6233BEB9A820ECA7ECCACADA1B8AC9829D2944DBF0125B0C0AC9F85DF167FF326E44</Description>
<Points>4</Points>
<Test>
<Name>T1</Name>
<Type>registry</Type>
<Key>HKEY_LOCAL_MACHINE</Key>
<KeyPath>SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System</KeyPath>
<KeyName>DontDisplayLastUserName</KeyName>
</Test>
<PassIf>
<T1>
<Condition>Exists</Condition>
<Equals>true</Equals>
</T1>
<T1>
<Condition>Value</Condition>
<Equals>1</Equals>
</T1>
</PassIf>
</Check>
<Check>
<CheckID>POL_UAC_FAT</CheckID>
<Description>25465463AF3878BD3366BA51051EC181FA442BBB7F5BB6CE74657A06F0DF5A5350F759A31F51B73FD3B9F655B361DD8E4226F5981C1FC666C2899E06C0617525640BF43CAA69CC95F5794B61E356B447D00F04453EE66E4FE64A78A83F9C8C1AD2E9</Description>
<Points>5</Points>
<Test>
<Name>T1</Name>
<Type>registry</Type>
<Key>HKEY_LOCAL_MACHINE</Key>
<KeyPath>SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System</KeyPath>
<KeyName>FilterAdministratorToken</KeyName>
</Test>
<PassIf>
<T1>
<Condition>Exists</Condition>
<Equals>true</Equals>
</T1>
<T1>
<Condition>Value</Condition>
<Equals>1</Equals>
</T1>
</PassIf>
</Check>
<Check>
<CheckID>DEF_FWALL</CheckID>
<Description>E686D051EC2FCC3272C952FEADE2CE6EF5E2F3535A4F307C184F370E4CB2EE5A51A5F6B51FD58E036DFFB35ACDF2AFE26C85BD9FF1FA99E0D2F223E96809FD0551334DAE69AEE7C0</Description>
<Points>5</Points>
<Test>
<Name>T1</Name>
<Type>firewall</Type>
</Test>
<Test>
<Name>T2</Name>
<Type>registry</Type>
<Key>HKEY_LOCAL_MACHINE</Key>
<KeyPath>SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile</KeyPath>
<KeyName>EnableFirewall</KeyName>
</Test>
<Test>
<Name>T3</Name>
<Type>registry</Type>
<Key>HKEY_LOCAL_MACHINE</Key>
<KeyPath>SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile</KeyPath>
<KeyName>EnableFirewall</KeyName>
</Test>
<Test>
<Name>T4</Name>
<Type>registry</Type>
<Key>HKEY_LOCAL_MACHINE</Key>
<KeyPath>SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile</KeyPath>
<KeyName>EnableFirewall</KeyName>
</Test>
<PassIf>
<T1>
<Condition>Exists</Condition>
<Equals>true</Equals>
</T1>
<T1>
<Condition>Enabled</Condition>
<Equals>true</Equals>
</T1>
</PassIf>
<PassIf>
<T2>
<Condition>Exists</Condition>
<Equals>true</Equals>
</T2>
<T3>
<Condition>Exists</Condition>
<Equals>true</Equals>
</T3>
<T4>
<Condition>Exists</Condition>
<Equals>true</Equals>
</T4>
<T2>
<Condition>Value</Condition>
<Equals>1</Equals>
</T2>
<T3>
<Condition>Value</Condition>
<Equals>1</Equals>
</T3>
<T4>
<Condition>Value</Condition>
<Equals>1</Equals>
</T4>
</PassIf>
</Check>
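<!-- WebClient service (WebDAV redirector) must be stopped and not set to auto-start, or be
     absent entirely. T1 inspects the service, T2 its Start value in the Services hive.
     PassIf 1: service exists and is not Running, and Start is greater than 2.
     PassIf 2: neither the service nor its registry key exists. -->
<Check>
<CheckID>SRV_WBCLT</CheckID>
<Description>D43FF1A535429F5235E9B8A3403AF9C0765111B70C67276D4CE39D3709A8E85269C7A6809715754030CE357B16CC080C4DC551FF75DE1E035E1E6596A6ABE855473F6AFA268404B5CE5F54D46F544D59740278</Description>
<Points>3</Points>
<Test>
<Name>T1</Name>
<Type>service</Type>
<ServiceName>WebClient</ServiceName>
</Test>
<Test>
<Name>T2</Name>
<Type>registry</Type>
<Key>HKEY_LOCAL_MACHINE</Key>
<KeyPath>SYSTEM\CurrentControlSet\Services\WebClient</KeyPath>
<KeyName>Start</KeyName>
</Test>
<PassIf>
<T1>
<Condition>Exists</Condition>
<Equals>true</Equals>
</T1>
<T1>
<Condition>State</Condition>
<NotEquals>Running</NotEquals>
</T1>
<T2>
<Condition>Exists</Condition>
<Equals>true</Equals>
</T2>
<!-- Fixed: this condition was "Equals", a name used nowhere else in the file as a Condition.
     Every other registry value test, including the otherwise identical SRV_W3PUB check, uses
     "Value" with the GreaterThan comparison; with the wrong name the Start test could never
     match and this PassIf branch was unreachable. -->
<T2>
<Condition>Value</Condition>
<GreaterThan>2</GreaterThan>
</T2>
</PassIf>
<PassIf>
<T1>
<Condition>Exists</Condition>
<Equals>false</Equals>
</T1>
<T2>
<Condition>Exists</Condition>
<Equals>false</Equals>
</T2>
</PassIf>
</Check>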
<Check>
<CheckID>SRV_W3PUB</CheckID>
<Description>023DF1DC6D3E201A749EA291EC872C93B84A77473B761A16B7FCE244515818495C1AAE8DCE5ECFB171F967084A9DF057AD0D9BB875EF1855FE5227AF91B4D3EDD4EF44A639E82C2879353ADD336AFCF8298C3222E8D98C396EE065F7DFCA3DF22236C1</Description>
<Points>3</Points>
<Test>
<Name>T1</Name>
<Type>service</Type>
<ServiceName>W3SVC</ServiceName>
</Test>
<Test>
<Name>T2</Name>
<Type>registry</Type>
<Key>HKEY_LOCAL_MACHINE</Key>
<KeyPath>SYSTEM\CurrentControlSet\Services\W3SVC</KeyPath>
<KeyName>Start</KeyName>
</Test>
<PassIf>
<T1>
<Condition>Exists</Condition>
<Equals>true</Equals>
</T1>
<T1>
<Condition>State</Condition>
<NotEquals>Running</NotEquals>
</T1>
<T2>
<Condition>Exists</Condition>
<Equals>true</Equals>
</T2>
<T2>
<Condition>Value</Condition>
<GreaterThan>2</GreaterThan>
</T2>
</PassIf>
<PassIf>
<T1>
<Condition>Exists</Condition>
<Equals>false</Equals>
</T1>
<T2>
<Condition>Exists</Condition>
<Equals>false</Equals>
</T2>
</PassIf>
</Check>
<Check>
<CheckID>OUP_WIN8</CheckID>
<Description>2448788BD75BA299E72651131034E668B73AA7E4B4FDD5C2B87BF9F287E3FD7E1B079A4BDDA0FBE0541ABF9D4F818E0D8234BBAD68B200FFDE6A6F3F3EAC180E46C3F59DF6E0ACA7327A0FE5E57E2FEC63</Description>
<Points>2</Points>
<Test>
<Type>file</Type>
<Name>T1</Name>
<FilePath>C:\Windows\System32\gdi32.dll</FilePath>
</Test>
<Test>
<Type>file</Type>
<Name>T2</Name>
<FilePath>C:\Windows\System32\crypt32.dll</FilePath>
</Test>
<Test>
<Type>file</Type>
<Name>T3</Name>
<FilePath>C:\Windows\System32\shell32.dll</FilePath>
</Test>
<Test>
<Type>file</Type>
<Name>T4</Name>
<FilePath>C:\Windows\System32\ntdll.dll</FilePath>
</Test>
<Test>
<Type>file</Type>
<Name>T5</Name>
<FilePath>C:\Windows\System32\ntoskrnl.exe</FilePath>
</Test>
<PassIf>
<T1>
<Condition>Exists</Condition>
<Equals>true</Equals>
</T1>
<T1>
<Condition>FileVersionRevision</Condition>
<GreaterThan>16384</GreaterThan>
</T1>
<T2>
<Condition>Exists</Condition>
<Equals>true</Equals>
</T2>
<T2>
<Condition>FileVersionRevision</Condition>
<GreaterThan>16384</GreaterThan>
</T2>
<T3>
<Condition>Exists</Condition>
<Equals>true</Equals>
</T3>
<T3>
<Condition>FileVersionRevision</Condition>
<GreaterThan>16384</GreaterThan>
</T3>
<T4>
<Condition>Exists</Condition>
<Equals>true</Equals>
</T4>
<T4>
<Condition>FileVersionRevision</Condition>
<GreaterThan>16384</GreaterThan>
</T4>
<T5>
<Condition>Exists</Condition>
<Equals>true</Equals>
</T5>
<T5>
<Condition>FileVersionRevision</Condition>
<GreaterThan>16384</GreaterThan>
</T5>
</PassIf>
</Check>
<Check>
<CheckID>AUP_ADODC</CheckID>
<Description>D569C50328FB1A75A2586FC1C9058BA082863632356C9C617977AC0E1F7D34CF230ED3F8423A44934D906E58F305FDBB1962D4B5A4331D3BA9CCF69DB158FC2BC65FD0AE</Description>
<Points>3</Points>
<Test>
<Type>file</Type>
<Name>T1</Name>
<FilePath>C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe</FilePath>
</Test>
<PassIf>
<T1>
<Condition>Exists</Condition>
<Equals>true</Equals>
</T1>
<T1>
<Condition>FileVersionMajor</Condition>
<GreaterThan>15</GreaterThan>
</T1>
</PassIf>
<PassIf>
<T1>
<Condition>Exists</Condition>
<Equals>true</Equals>
</T1>
<T1>
<Condition>FileVersionMajor</Condition>
<Equals>15</Equals>
</T1>
<T1>
<Condition>FileVersionMinor</Condition>
<GreaterThan>7</GreaterThan>
</T1>
</PassIf>
</Check>
<Check>
<CheckID>FIL_BitComet</CheckID>
<Description>B58691C60357121528F3E74C787BDBA251730A51091019450B6E6D97FF41E720FB9B784EB33FCA9AD957F0606279DE58656BCB2DF23B9DBDC6BE0FF18F6E24632D9BE670A5</Description>
<Points>5</Points>
<Test>
<Name>T1</Name>
<Type>file</Type>
<FilePath>C:\Program Files\BitComet\BitComet.exe</FilePath>
</Test>
<Test>
<Name>T2</Name>
<Type>file</Type>
<FilePath>C:\Program Files</FilePath>
</Test>
<PassIf>
<T1>
<Condition>Exists</Condition>
<Equals>false</Equals>
</T1>
<T2>
<Condition>Exists</Condition>
<Equals>true</Equals>
</T2>
</PassIf>
</Check>
<Check>
<CheckID>FIL_SpeedBit</CheckID>
<Description>758E543E4020795DC1B5A585A73D40E7E4CD759A322BF238444BA4395EE260837AF3948EB30C1BE3760FD81CC82E67938F1CA378F8AE257F423E8975CCC2182EB75C6BD7D10ADD02E98F67140BC1AB81F82BE52D2FF9</Description>
<Points>5</Points>
<Test>
<Name>T1</Name>
<Type>file</Type>
<FilePath>C:\Program Files\SPEEDbit Video Downloader\Converter.exe</FilePath>
</Test>
<Test>
<Name>T2</Name>
<Type>file</Type>
<FilePath>C:\Program Files</FilePath>
</Test>
<PassIf>
<T1>
<Condition>Exists</Condition>
<Equals>false</Equals>
</T1>
<T2>
<Condition>Exists</Condition>
<Equals>true</Equals>
</T2>
</PassIf>
</Check>
<Check>
<CheckID>MAL_NCAT</CheckID>
<Description>74BF642E3E608D0DE305A0807F35E89EC1DE7AE9286CD7E349939D9F11603C3C7A4B34E5A674D4CBE6B2AFF780491EAD8F574EA0C38F3D40CC485E</Description>
<Points>7</Points>
<Test>
<Name>T1</Name>
<Type>file</Type>
<FilePath>C:\Windows\nc.exe</FilePath>
</Test>
<Test>
<Name>T2</Name>
<Type>file</Type>
<FilePath>C:\Windows</FilePath>
</Test>
<Test>
<Name>T3</Name>
<Type>process</Type>
<ProcessName>\Windows\nc.exe</ProcessName>
</Test>
<PassIf>
<T1>
<Condition>Exists</Condition>
<Equals>false</Equals>
</T1>
<T2>
<Condition>Exists</Condition>
<Equals>true</Equals>
</T2>
<T3>
<Condition>Exists</Condition>
<Equals>false</Equals>
</T3>
</PassIf>
</Check>
<Check>
<CheckID>APP_RAUTH</CheckID>
<Description>9C39B31AB52806CE1D34EECEE0B9CA26ADCEAA528C752FCBF23C69CB1B5EAB6D49722862BACDD5673C4BFF788BCDA67168CECE0188BBFC0C5D0488FB0743A86AC062C9B14197240C91D82021</Description>
<Points>6</Points>
<Test>
<Name>T1</Name>
<Type>registry</Type>
<Key>HKEY_LOCAL_MACHINE</Key>
<KeyPath>System\CurrentControlSet\Control\Terminal Server</KeyPath>
<KeyName>fDenyTSConnections</KeyName>
</Test>
<Test>
<Name>T2</Name>
<Type>registry</Type>
<Key>HKEY_LOCAL_MACHINE</Key>
<KeyPath>SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services</KeyPath>
<KeyName>fDenyTSConnections</KeyName>
</Test>
<Test>
<Name>T3</Name>
<Type>registry</Type>
<Key>HKEY_LOCAL_MACHINE</Key>
<KeyPath>System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp</KeyPath>
<KeyName>UserAuthentication</KeyName>
</Test>
<Test>
<Name>T4</Name>
<Type>registry</Type>
<Key>HKEY_LOCAL_MACHINE</Key>
<KeyPath>SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services</KeyPath>
<KeyName>UserAuthentication</KeyName>
</Test>
<PassIf>
<T1>
<Condition>Exists</Condition>
<Equals>true</Equals>
</T1>
<T1>
<Condition>Value</Condition>
<Equals>0</Equals>
</T1>
<T3>
<Condition>Exists</Condition>
<Equals>true</Equals>
</T3>
<T3>
<Condition>Value</Condition>
<Equals>1</Equals>
</T3>
</PassIf>
<PassIf>
<T1>
<Condition>Exists</Condition>
<Equals>true</Equals>
</T1>
<T1>
<Condition>Value</Condition>
<Equals>0</Equals>
</T1>
<T4>
<Condition>Exists</Condition>
<Equals>true</Equals>
</T4>
<T4>
<Condition>Value</Condition>
<Equals>1</Equals>
</T4>
</PassIf>
<PassIf>
<T2>
<Condition>Exists</Condition>
<Equals>true</Equals>
</T2>
<T2>
<Condition>Value</Condition>
<Equals>0</Equals>
</T2>
<T3>
<Condition>Exists</Condition>
<Equals>true</Equals>
</T3>
<T3>
<Condition>Value</Condition>
<Equals>1</Equals>
</T3>
</PassIf>
<PassIf>
<T2>
<Condition>Exists</Condition>
<Equals>true</Equals>
</T2>
<T2>
<Condition>Value</Condition>
<Equals>0</Equals>
</T2>
<T4>
<Condition>Exists</Condition>
<Equals>true</Equals>
</T4>
<T4>
<Condition>Value</Condition>
<Equals>1</Equals>
</T4>
</PassIf>
</Check>
<!-- Remote Desktop must stay enabled (fDenyTSConnections = 0 in either the live Terminal Server
     key, T1, or the policy key, T2) and the policy value fEncryptRPCTraffic must be 1 (T4).
     NOTE(review): test names jump from T2 to T4 with no T3. Harmless if names are only labels,
     but it diverges from the sibling APP_RAUTH check, where T3/T4 are the UserAuthentication
     keys; renaming this test to T3 would keep the two checks parallel. -->
<Check>
<CheckID>APP_RSRPC</CheckID>
<Description>3A218A816E818272711215C9C5C6EFCF4061358350DB6F1DD58EE50FE1189831ED36413B761C9DC8B5F9E4863831759CD70CD804E68E1C4BC98B61790F17E3CFC0AF</Description>
<Points>6</Points>
<Test>
<Name>T1</Name>
<Type>registry</Type>
<Key>HKEY_LOCAL_MACHINE</Key>
<KeyPath>System\CurrentControlSet\Control\Terminal Server</KeyPath>
<KeyName>fDenyTSConnections</KeyName>
</Test>
<Test>
<Name>T2</Name>
<Type>registry</Type>
<Key>HKEY_LOCAL_MACHINE</Key>
<KeyPath>SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services</KeyPath>
<KeyName>fDenyTSConnections</KeyName>
</Test>
<Test>
<Name>T4</Name>
<Type>registry</Type>
<Key>HKEY_LOCAL_MACHINE</Key>
<KeyPath>SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services</KeyPath>
<KeyName>fEncryptRPCTraffic</KeyName>
</Test>
<!-- Branch 1: live key says RDP allowed, policy says encrypt RPC traffic. -->
<PassIf>
<T1>
<Condition>Exists</Condition>
<Equals>true</Equals>
</T1>
<T1>
<Condition>Value</Condition>
<Equals>0</Equals>
</T1>
<T4>
<Condition>Exists</Condition>
<Equals>true</Equals>
</T4>
<T4>
<Condition>Value</Condition>
<Equals>1</Equals>
</T4>
</PassIf>
<!-- Branch 2: same, but RDP-allowed is read from the policy key instead. -->
<PassIf>
<T2>
<Condition>Exists</Condition>
<Equals>true</Equals>
</T2>
<T2>
<Condition>Value</Condition>
<Equals>0</Equals>
</T2>
<T4>
<Condition>Exists</Condition>
<Equals>true</Equals>
</T4>
<T4>
<Condition>Value</Condition>
<Equals>1</Equals>
</T4>
</PassIf>
</Check>
<Penalty>
<CheckID>PEN_USRA</CheckID>
<Description>446142DC0DB4DF7D8732C3C8816CFA900E131A4B18184BADF6CB229C93D12C2396D7DBE4079C13929821ED1C875852A414E194AC1EDA5CC181381D74F43E840F7FBD9F903F28C4F687CBFB02E1CE</Description>
<Points>5</Points>
<Test>
<Name>T1</Name>
<Type>user</Type>
<UserName>leonardo</UserName>
</Test>
<Test>
<Name>T2</Name>
<Type>user</Type>
<UserName>michelangelo</UserName>
</Test>
<Test>
<Name>T3</Name>
<Type>user</Type>
<UserName>donatello</UserName>
</Test>
<Test>
<Name>T4</Name>
<Type>user</Type>
<UserName>raphael</UserName>
</Test>
<PassIf>
<T1>
<Condition>Exists</Condition>
<Equals>true</Equals>
</T1>
<T1>
<Condition>Admin</Condition>
<Equals>false</Equals>
</T1>
</PassIf>
<PassIf>
<T1>
<Condition>Exists</Condition>
<Equals>false</Equals>
</T1>
</PassIf>
<PassIf>
<T2>
<Condition>Exists</Condition>
<Equals>true</Equals>
</T2>
<T2>
<Condition>Admin</Condition>
<Equals>false</Equals>
</T2>
</PassIf>
<PassIf>
<T2>
<Condition>Exists</Condition>
<Equals>false</Equals>
</T2>
</PassIf>
<PassIf>
<T3>
<Condition>Exists</Condition>
<Equals>true</Equals>
</T3>
<T3>
<Condition>Admin</Condition>
<Equals>false</Equals>
</T3>
</PassIf>
<PassIf>
<T3>
<Condition>Exists</Condition>
<Equals>false</Equals>
</T3>
</PassIf>
<PassIf>
<T4>
<Condition>Exists</Condition>
<Equals>true</Equals>
</T4>
<T4>
<Condition>Admin</Condition>
<Equals>false</Equals>
</T4>
</PassIf>
<PassIf>
<T4>
<Condition>Exists</Condition>
<Equals>false</Equals>
</T4>
</PassIf>
</Penalty>
<Penalty>
<CheckID>PEN_LOCK</CheckID>
<Description>FFA7DFE129501A49FB7C796BB9DD8B0F5AF2205CC623081DC02FDC75D896B1A7238EC22EDE532CF44DA1CB42E31D99FC16FB345404B5C5808E55286709CBC43AC155942AF833811130B98D4F351C74749DA4B664</Description>
<Points>2</Points>
<Test>
<Name>T1</Name>
<Type>account_lockout_policy</Type>
</Test>
<PassIf>
<T1>
<Condition>Exists</Condition>
<Equals>true</Equals>
</T1>
<T1>
<Condition>LockoutThreshold</Condition>
<GreaterThan>0</GreaterThan>
</T1>
<T1>
<Condition>LockoutThreshold</Condition>
<LessThan>3</LessThan>
</T1>
</PassIf>
</Penalty>
<!-- Penalty for disabling Remote Desktop: fires when fDenyTSConnections is missing or any value
     other than 0. Together with APP_RAUTH/APP_RSRPC this scenario expects RDP to be kept on and
     hardened, not removed.
     NOTE(review): CheckID "PRDSK" lacks the PEN_ prefix every other Penalty in this file uses;
     consider a PEN_-prefixed id for consistency. -->
<Penalty>
<CheckID>PRDSK</CheckID>
<Description>A3D5755C9BF51D2BAF83F0F3DCEB2906C667C4384B1D6BAD15B29EDE08CDA4C11EAE646DB0F7F437EE0658316E02C5EFB3629DFDAA23A3636CC6D3E6C63A</Description>
<Points>5</Points>
<Test>
<Name>T1</Name>
<Type>registry</Type>
<Key>HKEY_LOCAL_MACHINE</Key>
<KeyPath>System\CurrentControlSet\Control\Terminal Server</KeyPath>
<KeyName>fDenyTSConnections</KeyName>
</Test>
<!-- Branch 1: value removed entirely. -->
<PassIf>
<T1>
<Condition>Exists</Condition>
<Equals>false</Equals>
</T1>
</PassIf>
<!-- Branch 2: value present but not 0. -->
<PassIf>
<T1>
<Condition>Exists</Condition>
<Equals>true</Equals>
</T1>
<T1>
<Condition>Value</Condition>
<NotEquals>0</NotEquals>
</T1>
</PassIf>
</Penalty>
<Penalty>
<CheckID>PEN_FFOX</CheckID>
<Description>62211ED97C3D9C748456C1757F542B68AF33F11C7ADCAD7E6DA0DCDC36B64A9204B3471293EB741884AFB4FF8C85E74A01B0B896DC15314824C8D480F8493DAA9A28B1CB22714147BE67029F77B038CC62D53B6B</Description>
<Points>5</Points>
<Test>
<Name>T1</Name>
<Type>file</Type>
<FilePath>C:\Program Files\Mozilla Firefox\firefox.exe</FilePath>
</Test>
<PassIf>
<T1>
<Condition>Exists</Condition>
<Equals>false</Equals>
</T1>
</PassIf>
</Penalty>
<Penalty>
<CheckID>PEN_ARODC</CheckID>
<Description>127E2AE760408864797717AF3B156CF967503F673278DD33299EC576145CAAEAA874703CC4A562923ED5A10200E82A2B55FA62977A8432F76C10D5A4E365334AFF2637737438FCA794E64C7B18D15E98A87B69EE9285662C2C021D90</Description>
<Points>5</Points>
<Test>
<Name>T1</Name>
<Type>file</Type>
<FilePath>C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe</FilePath>
</Test>
<PassIf>
<T1>
<Condition>Exists</Condition>
<Equals>false</Equals>
</T1>
</PassIf>
</Penalty>
<!-- NOTE(review): these path and key lists are not referenced by any Check or Penalty above;
     they appear to be the full set of filesystem and registry locations the client reads each
     cycle, mixing real check targets with unrelated ones - presumably so that observing the
     client's activity does not reveal which locations are scored. Confirm against the client. -->
<AllFiles>
<FilePath>C:\</FilePath>
<FilePath>C:\mytrojan.exe</FilePath>
<FilePath>C:\rootkit.exe</FilePath>
<FilePath>C:\Windows\</FilePath>
<FilePath>C:\Windows\mytrojan.exe</FilePath>
<FilePath>C:\Windows\en-US\</FilePath>
<FilePath>C:\Windows\Media\</FilePath>
<FilePath>C:\Windows\Microsoft.NET\Framework</FilePath>
<FilePath>C:\Windows\PolicyDefinitions\</FilePath>
<FilePath>C:\Windows\Prefetch\</FilePath>
<FilePath>C:\Windows\servicing\</FilePath>
<FilePath>C:\Windows\System32\rootkit.exe</FilePath>
<FilePath>C:\Windows\System32\GroupPolicy\Machine\</FilePath>
</AllFiles>
<!-- Registry paths are given here as one full string (hive included), unlike the Check tests
     above which split Key/KeyPath/KeyName; entries ending in a backslash name a key, the rest a value. -->
<AllQueries>
<Key>HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\</Key>
<Key>HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\ComputerName\ComputerName\ComputerName</Key>
<Key>HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\</Key>
<Key>HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\auditbasedirectories</Key>
<Key>HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\auditbaseobjects</Key>
<Key>HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters\</Key>
<Key>HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters\MaxPacketSize</Key>
<Key>HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters\MaxTokenSize</Key>
<Key>HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\FileSystem\NtfsDisableEncryption</Key>
<Key>HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Power\HibernateEnabled</Key>
<Key>HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SNMP\Parameters\ExtensionAgents</Key>
<Key>HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Winlogon\Notifications\Components\TermSrv\</Key>
<Key>HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Winlogon\Notifications\Components\TermSrv\ServiceName</Key>
<Key>HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\.NETFramework\Performance\Library</Key>
<Key>HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\Browser\Parameters\ServiceDll</Key>
<Key>HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\KeyIso\Security\Security</Key>
<Key>HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\Lsa\Performance\Library</Key>
<Key>HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SNMPTRAP\Start</Key>
<Key>HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\</Key>
<Key>HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tcpip\CurrentVersion\</Key>
<Key>HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Build</Key>
<Key>HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\CleanupTime</Key>
</AllQueries>
</CyberPatriotResource>