Cyber Patriot 18 CP-18 Round 2 Server 2022 Answer Key

Summary

• Total Checks: 167
• Positive Checks: 26
• Penalties: 140
• Maximum Possible Points: 100

Forensics Questions

Question 1

File Path: C:\Users\benjamin\Desktop\Forensics Question 1.txt

Content:

A user reported a file will be accessable via the authorized SMB share that
may leak credentials. Management has asked you to find and remove this file
before creating the authorized SMB share.
What is the leaked password of the user "mross" according to this file?
( EXAMPLE: Password123! )
ANSWER: <Type Answer Here>

Question 2

File Path: C:\Users\benjamin\Desktop\Forensics Question 2.txt

Content:

During a recent audit, it was discovered that there is an open SMB share on
this machine. However, none should have been created just yet.
What user is responsible for creating the unauthorized SMB share?
( EXAMPLE: Guest )
ANSWER: <Type Answer Here>

Question 3

File Path: C:\Users\benjamin\Desktop\Forensics Question 3.txt

Content:

Management captured wireshark traffic of an attempted FTP brute force attack.
The pcap file is located on your desktop.
What is the username and password of the user that successfully logged in
during the attack?
( EXAMPLE: anonymous )
( EXAMPLE: Password123! )
ANSWER: <Type Answer Here>
ANSWER: <Type Answer Here>

Category: Account policy (F) (ACT)

✅ A secure minimum password length is required +2

Specific Conditions:

• Password Policy has Exists equal to true
• Password Policy has MinPasswordLen greater than 9

ID: MINL

✅ A secure lockout threshold exists +2

Specific Conditions:

• Account Lockout Policy has Exists equal to true
• Account Lockout Policy has LockoutThreshold greater than 4
• Account Lockout Policy has LockoutThreshold less than 51

ID: THR

Category: Application security (F) (APP)

✅ Exec SMB share permissions have been correctly configured +5

Specific Conditions:

• HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Shares\Security\EXEC has Exists equal to true
• HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Shares\Security\EXEC matches pattern FF011F0001050000000000051500000073A8A7EE22E82BB11DC0FF17
• HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Shares\Security\EXEC matches pattern FF011F0001020000000000052000000020020000
• HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Shares\Security\EXEC does not match pattern FF011F00010100000000000100000000
• HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Shares\Security\EXEC does not match pattern A9001200010100000000000100000000
• HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Shares\Security\EXEC does not match pattern BF011300010100000000000100000000

ID: SMB_EXEC_PERM

✅ SMB 1.x removed or disabled +5

Specific Conditions:

• Service mrxsmb10 has Exists equal to false

• OR

• HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\mrxsmb10\Start has Exists equal to false

• OR

• HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters\SMB1 has Exists equal to true
• HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters\SMB1 has Value equal to 0

• OR

• OR

• OR

• OR

• C:\Windows\Sysnative\Drivers\mrxsmb10.sys has Exists equal to false

ID: SMB_NOV1

Category: Application update (F) (AUP)

✅ Notepad++ has been updated +3

Specific Conditions:

• C:\Program Files\Notepad++\notepad++.exe has Exists equal to true
• C:\Program Files\Notepad++\notepad++.exe has FileVersionMajor greater than 8

• OR

• C:\Program Files\Notepad++\notepad++.exe has Exists equal to true
• C:\Program Files\Notepad++\notepad++.exe has FileVersionMajor equal to 8
• C:\Program Files\Notepad++\notepad++.exe has FileVersionMinor greater than 5

• OR

• C:\Program Files (x86)\Notepad++\notepad++.exe has Exists equal to true
• C:\Program Files (x86)\Notepad++\notepad++.exe has FileVersionMajor greater than 8

• OR

• C:\Program Files (x86)\Notepad++\notepad++.exe has Exists equal to true
• C:\Program Files (x86)\Notepad++\notepad++.exe has FileVersionMajor equal to 8
• C:\Program Files (x86)\Notepad++\notepad++.exe has FileVersionMinor greater than 5

ID: NTPP

✅ Wireshark has been updated +3

Specific Conditions:

• C:\Program Files\Wireshark\Wireshark.exe has Exists equal to true
• C:\Program Files\Wireshark\Wireshark.exe has FileVersionMajor greater than 4

• OR

• C:\Program Files\Wireshark\Wireshark.exe has Exists equal to true
• C:\Program Files\Wireshark\Wireshark.exe has FileVersionMajor equal to 4
• C:\Program Files\Wireshark\Wireshark.exe has FileVersionMinor greater than 5

• OR

• C:\Program Files (x86)\Wireshark\Wireshark.exe has Exists equal to true
• C:\Program Files (x86)\Wireshark\Wireshark.exe has FileVersionMajor greater than 4

• OR

• C:\Program Files (x86)\Wireshark\Wireshark.exe has Exists equal to true
• C:\Program Files (x86)\Wireshark\Wireshark.exe has FileVersionMajor equal to 4
• C:\Program Files (x86)\Wireshark\Wireshark.exe has FileVersionMinor greater than 5

ID: WRSHRK

Category: Prohibited file (F) (FIL)

✅ Removed plain text file with passwords in it +4

Specific Conditions:

• C:\Exec\staff.csv has Exists equal to false

• OR

• C:\Exec\staff.csv has Exists equal to true
• Data of C:\Exec\staff.csv does not match pattern T00GooD4Harvard!
• Data of C:\Exec\staff.csv does not match pattern ugotlittup
• Data of C:\Exec\staff.csv does not match pattern HGrD48hwZ6
• Data of C:\Exec\staff.csv does not match pattern LZNg3yfiHU

• OR

• C:\Exec\Merger Press Release.pdf has Exists equal to true

• OR

• C:\Exec\Merger Press Release.pdf has Exists equal to true

ID: PWRD

Category: Forensic Question (F) (FOR)

✅ Forensics Question 1 correct +7

Specific Conditions:

• C:\Users\benjamin\Desktop\Forensics Question 1.txt has Exists equal to true
• Data of C:\Users\benjamin\Desktop\Forensics Question 1.txt matches pattern ANSWER: T00GooD4Harvard!

ID: Q1

✅ Forensics Question 2 correct +7

Specific Conditions:

• C:\Users\benjamin\Desktop\Forensics Question 2.txt has Exists equal to true
• Data of C:\Users\benjamin\Desktop\Forensics Question 2.txt matches pattern ANSWER: jpearson

ID: Q2

✅ Forensics Question 3 correct +7

Specific Conditions:

• C:\Users\benjamin\Desktop\Forensics Question 3.txt has Exists equal to true
• Data of C:\Users\benjamin\Desktop\Forensics Question 3.txt matches pattern ANSWER: dscott
• Data of C:\Users\benjamin\Desktop\Forensics Question 3.txt matches pattern ANSWER: harvey123

ID: Q3

Category: Malware (F) (MAL)

✅ Removed netcat backdoor +5

Specific Conditions:

• C:\Windows\Sysnative\exportfile.exe has Exists equal to false

• OR

• C:\Windows\ has Exists equal to true

• OR

• Process \Windows\System32\exportfile.exe does not exists

ID: NCAT

Category: Operating system update (F) (OUP)

✅ Windows automatically checks for updates +3

Specific Conditions:

• HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU\NoAutoUpdate has Exists equal to false

• OR

• HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU\NoAutoUpdate has Exists equal to true
• HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU\NoAutoUpdate has Value not equal to 1

ID: AUTO_10

Category: Penalty (F) (PEN)

➖ WARNING: VirtualBox is unsupported 0

Specific Conditions:

• HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion has Exists equal to true
• HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion matches pattern VirtualBox

• OR

• HKEY_LOCAL_MACHINE\HARDWARE\ACPI\RSDT\VBOX__\None has Exists equal to true

ID: VBX

❌ Account lockout threshold less than 5 is deprecated -3

Specific Conditions:

• Account Lockout Policy has Exists equal to true
• Account Lockout Policy has LockoutThreshold greater than 0
• Account Lockout Policy has LockoutThreshold less than 5

ID: LOCK

❌ Remote Desktop is disabled -5

Specific Conditions:

• HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Terminal Server\fDenyTSConnections has Exists equal to false

• OR

• HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Terminal Server\fDenyTSConnections has Exists equal to true
• HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Terminal Server\fDenyTSConnections has Value not equal to 0

ID: RDSK

❌ SMB client service (v2/v3) disabled -5

Specific Conditions:

• HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\mrxsmb20\Start has Exists equal to true
• HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\mrxsmb20\Start has Value equal to 4

• OR

• HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\mrxsmb20\Start has Exists equal to false

ID: SRV_SMBC

❌ Google Chrome is not installed at the default location -5

Specific Conditions:

• C:\Program Files\Google\Chrome\Application\chrome.exe has Exists not equal to true

• OR

• C:\Program Files (x86)\Google\Chrome\Application\chrome.exe has Exists not equal to true

ID: SFT_GCHR

❌ Notepad++ is not installed at the default location -5

Specific Conditions:

• C:\Program Files\Notepad++\notepad++.exe has Exists not equal to true

• OR

• C:\Program Files (X86)\Notepad++\notepad++.exe has Exists not equal to true

ID: SFT_NPP

❌ 7-Zip is not installed at the default location -5

Specific Conditions:

• C:\Program Files\7-Zip\7z.exe has Exists not equal to true

• OR

• C:\Program Files (x86)\7-Zip\7z.exe has Exists not equal to true

ID: SFT_7ZIP

❌ Wireshark is not installed at the default location -5

Specific Conditions:

• C:\Program Files\Wireshark\Wireshark.exe has Exists not equal to true

• OR

• C:\Program Files (x86)\Wireshark\Wireshark.exe has Exists not equal to true

ID: SFT_WRSH

❌ Critical business file(s) deleted from SMB share -5

Specific Conditions:

• C:\Exec\Merger press release.pdf has Exists equal to false

ID: FIL_SMB

❌ Removed one or more authorized administrators -5

Specific Conditions:

• benjamin has Admin equal to false

• OR

• benjamin has Exists equal to false

• OR

• edarby has Admin equal to false

• OR

• edarby has Exists equal to false

• OR

• jpearson has Admin equal to false

• OR

• jpearson has Exists equal to false

• OR

• hspecter has Admin equal to false

• OR

• hspecter has Exists equal to false

• OR

• llitt has Admin equal to false

• OR

• llitt has Exists equal to false

ID: USRA

❌ Removed one or more authorized users -5

Specific Conditions:

• dscott has Exists equal to false

• OR

• nnesbitt has Exists equal to false

• OR

• pporter has Exists equal to false

• OR

• kbennett has Exists equal to false

• OR

• mross has Exists equal to false

• OR

• rzane has Exists equal to false

• OR

• dpaulsen has Exists equal to false

• OR

• shuntley has Exists equal to false

• OR

• jpomaville has Exists equal to false

• OR

• sbandaru has Exists equal to false

• OR

• sthomas has Exists equal to false

ID: USRS

❌ Removed one or more authorized user directories -5

Specific Conditions:

• C:\Users\benjamin has Exists equal to false

• OR

• C:\Users\edarby has Exists equal to false

• OR

• C:\Users\jpearson has Exists equal to false

• OR

• C:\Users\hspecter has Exists equal to false

• OR

• C:\Users\llitt has Exists equal to false

• OR

• C:\Users\dscott has Exists equal to false

• OR

• C:\Users\nnesbitt has Exists equal to false

• OR

• C:\Users\pporter has Exists equal to false

• OR

• C:\Users\kbennett has Exists equal to false

• OR

• C:\Users\mross has Exists equal to false

• OR

• C:\Users\rzane has Exists equal to false

• OR

• C:\Users\dpaulsen has Exists equal to false

• OR

• C:\Users\shuntley has Exists equal to false

• OR

• C:\Users\jpomaville has Exists equal to false

• OR

• C:\Users\sbandaru has Exists equal to false

• OR

• C:\Users\sthomas has Exists equal to false

ID: USRD

Category: Local policy (F) (POL)

✅ Everyone may not access this computer from the network +3

Specific Conditions:

• User Rights object Everyone has Exists equal to true
• User Rights object Everyone has SeNetworkLogonRight not equal to true

ID: SE_NLR

✅ Limit local use of blank passwords to console only [enabled] +3

Specific Conditions:

• HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\LimitBlankPasswordUse has Exists equal to true
• HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\LimitBlankPasswordUse has Value equal to 1

ID: AC_LBPU

✅ Microsoft network server: Digitally sign communications (always) [enabled] +3

Specific Conditions:

• HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\RequireSecuritySignature has Value equal to 1

ID: MNS_RSIG

✅ Audit File Share [Success] +2

Specific Conditions:

• Audit Policy has Exists equal to true
• Audit Policy has ObjectAccess.FileShare equal to Success

ID: AU_FSS

❌ Performed an unspecified action on the registry -2

Specific Conditions:

• HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{1C2AC1DC-4358-4B6C-9733-AF21156576F0}\Name has Exists equal to false
• HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{1C2AC1DC-4358-4B6C-9733-AF21156576F0}\Name has Value equal to 1

ID: CXCCF

❌ Performed an unspecified action on the registry -2

Specific Conditions:

• HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Power\PowerSettings\e73a048d-bf27-4f12-9731-8b2076e8891f\637ea02f-bbcb-4015-8e2c-a1c7b9c0b546\DefaultPowerSchemeValues\381b4222-f694-41f0-9685-ff5bb260df2e\ACSettingIndex has Exists equal to false
• HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Power\PowerSettings\e73a048d-bf27-4f12-9731-8b2076e8891f\637ea02f-bbcb-4015-8e2c-a1c7b9c0b546\DefaultPowerSchemeValues\381b4222-f694-41f0-9685-ff5bb260df2e\ACSettingIndex has Value equal to 1

ID: JQKYF

❌ Performed an unspecified action on the registry -2

Specific Conditions:

• HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CaretTracking\{DE66E1FD-06EE-4677-813A-D791EE9DBB06}\12.0.0.0\paneClassDC\UsePreXPCaretTranslation has Exists equal to false
• HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CaretTracking\{DE66E1FD-06EE-4677-813A-D791EE9DBB06}\12.0.0.0\paneClassDC\UsePreXPCaretTranslation has Value equal to 1

ID: FZKAL

❌ Performed an unspecified action on the registry -2

Specific Conditions:

• HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\RestrictedInterfaces\IfIso\FirewallRules\Microsoft.Windows.NarratorQuickStart_8wekyb3d8bbwe_S-1-5-21-4003965043-2972444706-402636829-1000_In_emptyRemoteName_All has Exists equal to false
• HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\RestrictedInterfaces\IfIso\FirewallRules\Microsoft.Windows.NarratorQuickStart_8wekyb3d8bbwe_S-1-5-21-4003965043-2972444706-402636829-1000_In_emptyRemoteName_All has Value equal to 1

ID: LVPVB

❌ Performed an unspecified action on the registry -2

Specific Conditions:

• HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Time Zones\New Zealand Standard Time\Dynamic DST\LastEntry has Exists equal to false
• HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Time Zones\New Zealand Standard Time\Dynamic DST\LastEntry has Value equal to 1

ID: QERBA

❌ Performed an unspecified action on the registry -2

Specific Conditions:

• HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4d36e96a-e325-11ce-bfc1-08002be10318}\Configuration\Variables\UseBusDeviceDesc\KeyRoot has Exists equal to false
• HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4d36e96a-e325-11ce-bfc1-08002be10318}\Configuration\Variables\UseBusDeviceDesc\KeyRoot has Value equal to 1

ID: UICDG

❌ Performed an unspecified action on the registry -2

Specific Conditions:

• HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\WMI\Autologger\EventLog-System\{aa3aa23b-bb6d-425a-b58c-1d7e37f5d02a}\MatchAllKeyword has Exists equal to false
• HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\WMI\Autologger\EventLog-System\{aa3aa23b-bb6d-425a-b58c-1d7e37f5d02a}\MatchAllKeyword has Value equal to 1

ID: FHYKR

❌ Performed an unspecified action on the registry -2

Specific Conditions:

• HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\DeviceClasses\{86841137-ed8e-4d97-9975-f2ed56b4430e}\##?#HDAUDIO#FUNC_01&VEN_15AD&DEV_1975&SUBSYS_15AD1975&REV_1001#5&217be3d6&0&0001#{86841137-ed8e-4d97-9975-f2ed56b4430e}\DeviceInstance has Exists equal to false
• HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\DeviceClasses\{86841137-ed8e-4d97-9975-f2ed56b4430e}\##?#HDAUDIO#FUNC_01&VEN_15AD&DEV_1975&SUBSYS_15AD1975&REV_1001#5&217be3d6&0&0001#{86841137-ed8e-4d97-9975-f2ed56b4430e}\DeviceInstance has Value equal to 1

ID: DSWPX

❌ Performed an unspecified action on the registry -2

Specific Conditions:

• HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NetBIOS\Group has Exists equal to false
• HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NetBIOS\Group has Value equal to 1

ID: RZTRS

❌ Performed an unspecified action on the registry -2

Specific Conditions:

• HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\SO\SCRIPTING\SCRIPTPROMPT\ALLOW\HKeyRoot has Exists equal to false
• HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\SO\SCRIPTING\SCRIPTPROMPT\ALLOW\HKeyRoot has Value equal to 1

ID: CJXUI

❌ Performed an unspecified action on the registry -2

Specific Conditions:

• HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4d36e97d-e325-11ce-bfc1-08002be10318}\0123\InfPath has Exists equal to false
• HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4d36e97d-e325-11ce-bfc1-08002be10318}\0123\InfPath has Value equal to 1

ID: FOVCE

❌ Performed an unspecified action on the registry -2

Specific Conditions:

• HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DoSvc\TriggerInfo\0\DataType0 has Exists equal to false
• HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DoSvc\TriggerInfo\0\DataType0 has Value equal to 1

ID: OTZQI

❌ Performed an unspecified action on the registry -2

Specific Conditions:

• HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderTypes\{631958a6-ad0f-4035-a745-28ac066dc6ed}\TopViews\{2c0bc161-7181-49ba-8337-10584d53d8d0}\PrimaryProperty has Exists equal to false
• HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderTypes\{631958a6-ad0f-4035-a745-28ac066dc6ed}\TopViews\{2c0bc161-7181-49ba-8337-10584d53d8d0}\PrimaryProperty has Value equal to 1

ID: JLKLV

❌ Performed an unspecified action on the registry -3

Specific Conditions:

• HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\StillImage\Events\EmailImage\GUID has Exists equal to false
• HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\StillImage\Events\EmailImage\GUID has Value equal to 1

ID: TFULU

❌ Performed an unspecified action on the registry -3

Specific Conditions:

• HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_SAFE_BINDTOOBJECT\HelpPane.exe has Exists equal to false
• HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_SAFE_BINDTOOBJECT\HelpPane.exe has Value equal to 1

ID: RHSQU

❌ Performed an unspecified action on the registry -3

Specific Conditions:

• HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\WMI\Autologger\Diagtrack-Listener\{207CF9D5-B3E5-5F45-9A58-C1308F9ABDDA}\MatchAnyKeyword has Exists equal to false
• HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\WMI\Autologger\Diagtrack-Listener\{207CF9D5-B3E5-5F45-9A58-C1308F9ABDDA}\MatchAnyKeyword has Value equal to 1

ID: EBNWL

❌ Performed an unspecified action on the registry -3

Specific Conditions:

• HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\DeviceContainers\{00000000-0000-0000-FFFF-FFFFFFFFFFFF}\BaseContainers\{00000000-0000-0000-FFFF-FFFFFFFFFFFF}\ACPI\PNP0A05\39 has Exists equal to false
• HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\DeviceContainers\{00000000-0000-0000-FFFF-FFFFFFFFFFFF}\BaseContainers\{00000000-0000-0000-FFFF-FFFFFFFFFFFF}\ACPI\PNP0A05\39 has Value equal to 1

ID: ZVRDD

❌ Performed an unspecified action on the registry -3

Specific Conditions:

• HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Time Zones\Turks And Caicos Standard Time\MUI_Std has Exists equal to false
• HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Time Zones\Turks And Caicos Standard Time\MUI_Std has Value equal to 1

ID: EVYGZ

❌ Performed an unspecified action on the registry -3

Specific Conditions:

• HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\QWAVEdrv\Security\Security has Exists equal to false
• HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\QWAVEdrv\Security\Security has Value equal to 1

ID: FOFDN

❌ Performed an unspecified action on the registry -3

Specific Conditions:

• HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\AdvancedOptions\ACCESSIBILITY\CARETBROWSING\CheckedValue has Exists equal to false
• HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\AdvancedOptions\ACCESSIBILITY\CARETBROWSING\CheckedValue has Value equal to 1

ID: EBEHA

❌ Performed an unspecified action on the registry -3

Specific Conditions:

• HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\UALSVC\ObjectName has Exists equal to false
• HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\UALSVC\ObjectName has Value equal to 1

ID: QHQSQ

❌ Performed an unspecified action on the registry -3

Specific Conditions:

• HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\smphost\DependOnService has Exists equal to false
• HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\smphost\DependOnService has Value equal to 1

ID: NJBXY

❌ Performed an unspecified action on the registry -3

Specific Conditions:

• HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\VisualEffects\AnimateMinMax\None has Exists equal to false
• HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\VisualEffects\AnimateMinMax\None has Value equal to 1

ID: OIWMI

❌ Performed an unspecified action on the registry -3

Specific Conditions:

• HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\bindflt\Parameters\WppRecorder_TraceGuid has Exists equal to false
• HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\bindflt\Parameters\WppRecorder_TraceGuid has Value equal to 1

ID: XNZOA

❌ Performed an unspecified action on the registry -3

Specific Conditions:

• HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Power\PowerSettings\54533251-82be-4824-96c1-47b60b740d00\4bdaf4e9-d103-46d7-a5f0-6280121616ef\DefaultPowerSchemeValues\None has Exists equal to false
• HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Power\PowerSettings\54533251-82be-4824-96c1-47b60b740d00\4bdaf4e9-d103-46d7-a5f0-6280121616ef\DefaultPowerSchemeValues\None has Value equal to 1

ID: NSRPX

❌ Performed an unspecified action on the registry -3

Specific Conditions:

• HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Power\PowerSettings\238c9fa8-0aad-41ed-83f4-97be242c8f20\25dfa149-5dd1-4736-b5ab-e8a37b5b8187\DefaultPowerSchemeValues\a1841308-3541-4fab-bc81-f71556f20b4a\ACSettingIndex has Exists equal to false
• HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Power\PowerSettings\238c9fa8-0aad-41ed-83f4-97be242c8f20\25dfa149-5dd1-4736-b5ab-e8a37b5b8187\DefaultPowerSchemeValues\a1841308-3541-4fab-bc81-f71556f20b4a\ACSettingIndex has Value equal to 1

ID: JHRGB

❌ Performed an unspecified action on the registry -3

Specific Conditions:

• HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\VolumeCaches\Content Indexer Cleaner\None has Exists equal to false
• HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\VolumeCaches\Content Indexer Cleaner\None has Value equal to 1

ID: GRGGH

❌ Performed an unspecified action on the registry -4

Specific Conditions:

• HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CoreUI\Navigation\Timeouts\BeginHide has Exists equal to false
• HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CoreUI\Navigation\Timeouts\BeginHide has Value equal to 1

ID: SQXML

❌ Performed an unspecified action on the registry -4

Specific Conditions:

• HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CompositeBus\Start has Exists equal to false
• HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CompositeBus\Start has Value equal to 1

ID: OFDLN

❌ Performed an unspecified action on the registry -4

Specific Conditions:

• HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4d36e972-e325-11ce-bfc1-08002be10318}\0010\Ndi\None has Exists equal to false
• HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4d36e972-e325-11ce-bfc1-08002be10318}\0010\Ndi\None has Value equal to 1

ID: MCZDD

❌ Performed an unspecified action on the registry -4

Specific Conditions:

• HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Power\PowerSettings\54533251-82be-4824-96c1-47b60b740d00\1facfc65-a930-4bc5-9f38-504ec097bbc0\DefaultPowerSchemeValues\381b4222-f694-41f0-9685-ff5bb260df2e\DCSettingIndex has Exists equal to false
• HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Power\PowerSettings\54533251-82be-4824-96c1-47b60b740d00\1facfc65-a930-4bc5-9f38-504ec097bbc0\DefaultPowerSchemeValues\381b4222-f694-41f0-9685-ff5bb260df2e\DCSettingIndex has Value equal to 1

ID: SOIOO

❌ Performed an unspecified action on the registry -4

Specific Conditions:

• HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System\Microsoft-Windows-WMPNSS-Service\ProviderGuid has Exists equal to false
• HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System\Microsoft-Windows-WMPNSS-Service\ProviderGuid has Value equal to 1

ID: MMMGP

❌ Performed an unspecified action on the registry -4

Specific Conditions:

• HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SecurityHealthService\Security\None has Exists equal to false
• HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SecurityHealthService\Security\None has Value equal to 1

ID: TMGHZ

❌ Performed an unspecified action on the registry -4

Specific Conditions:

• HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\NetDiagFx\Microsoft\HostDLLs\WPPTrace\HelperClasses\dhcp_wpp\Providers\{CC3DF8E3-4111-48D0-9B21-7631021F7CA6}\Level has Exists equal to false
• HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\NetDiagFx\Microsoft\HostDLLs\WPPTrace\HelperClasses\dhcp_wpp\Providers\{CC3DF8E3-4111-48D0-9B21-7631021F7CA6}\Level has Value equal to 1

ID: HNXKB

❌ Performed an unspecified action on the registry -4

Specific Conditions:

• HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Wdf\Schema\UmdfImpersonationLevel\Map\Delegation has Exists equal to false
• HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Wdf\Schema\UmdfImpersonationLevel\Map\Delegation has Value equal to 1

ID: QCEIY

❌ Performed an unspecified action on the registry -4

Specific Conditions:

• HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Perflib\_V2Providers\{f3991d9d-fc17-4f37-b12f-8984a43e1aeb}\{c0c9c676-ac38-40d4-a23c-69f05d12a306}\Last Counter has Exists equal to false
• HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Perflib\_V2Providers\{f3991d9d-fc17-4f37-b12f-8984a43e1aeb}\{c0c9c676-ac38-40d4-a23c-69f05d12a306}\Last Counter has Value equal to 1

ID: HOEKV

❌ Performed an unspecified action on the registry -5

Specific Conditions:

• HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SystemEventsBroker\Parameters\EventPolicyTable\SebSmartCardFieldEntryNotification\None has Exists equal to false
• HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SystemEventsBroker\Parameters\EventPolicyTable\SebSmartCardFieldEntryNotification\None has Value equal to 1

ID: KDJJA

❌ Performed an unspecified action on the registry -5

Specific Conditions:

• HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4d36e97d-e325-11ce-bfc1-08002be10318}\0124\ResourcePickerExceptions has Exists equal to false
• HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4d36e97d-e325-11ce-bfc1-08002be10318}\0124\ResourcePickerExceptions has Value equal to 1

ID: BMPTF

❌ Performed an unspecified action on the registry -5

Specific Conditions:

• HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard Layouts\00030437\None has Exists equal to false
• HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard Layouts\00030437\None has Value equal to 1

ID: QBMUY

❌ Performed an unspecified action on the registry -5

Specific Conditions:

• HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DcomLaunch\FailureActions has Exists equal to false
• HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DcomLaunch\FailureActions has Value equal to 1

ID: GSMRN

❌ Performed an unspecified action on the registry -5

Specific Conditions:

• HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\NetDiagFx\Microsoft\HostDLLs\WPPTrace\HelperClasses\WirelessDisplay\Providers\{db6f6ddb-ac77-4e88-8253-819df9bbf140}\Name has Exists equal to false
• HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\NetDiagFx\Microsoft\HostDLLs\WPPTrace\HelperClasses\WirelessDisplay\Providers\{db6f6ddb-ac77-4e88-8253-819df9bbf140}\Name has Value equal to 1

ID: EYNYC

❌ Performed an unspecified action on the registry -5

Specific Conditions:

• HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderTypes\{7d49d726-3c21-4f05-99aa-fdc2c9474656}\Modifiers\SearchResults has Exists equal to false
• HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderTypes\{7d49d726-3c21-4f05-99aa-fdc2c9474656}\Modifiers\SearchResults has Value equal to 1

ID: LUCER

❌ Performed an unspecified action on the registry -5

Specific Conditions:

• HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\NetDiagFx\Microsoft\HostDLLs\Wireless LAN Helper Class\HelperClasses\AutoConfig Helper Class\RRMap\{ABCED36C-0543-4d71-B276-EA2DBA1AB9E1}\{69847C11-A993-41b7-AC2C-FB926C906339} has Exists equal to false
• HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\NetDiagFx\Microsoft\HostDLLs\Wireless LAN Helper Class\HelperClasses\AutoConfig Helper Class\RRMap\{ABCED36C-0543-4d71-B276-EA2DBA1AB9E1}\{69847C11-A993-41b7-AC2C-FB926C906339} has Value equal to 1

ID: HBTKK

❌ Performed an unspecified action on the registry -5

Specific Conditions:

• HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderTypes\{24ccb8a6-c45a-477d-b940-3382b9225668}\CanonicalName has Exists equal to false
• HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderTypes\{24ccb8a6-c45a-477d-b940-3382b9225668}\CanonicalName has Value equal to 1

ID: PQWFA

❌ Performed an unspecified action on the registry -5

Specific Conditions:

• HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Power\PowerSettings\54533251-82be-4824-96c1-47b60b740d00\f565999f-3fb0-411a-a226-3f0198dec130\DefaultPowerSchemeValues\8c5e7fda-e8bf-4a96-9a85-a6e23a8c635c\None has Exists equal to false
• HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Power\PowerSettings\54533251-82be-4824-96c1-47b60b740d00\f565999f-3fb0-411a-a226-3f0198dec130\DefaultPowerSchemeValues\8c5e7fda-e8bf-4a96-9a85-a6e23a8c635c\None has Value equal to 1

ID: QHYWI

❌ Performed an unspecified action on the registry -5

Specific Conditions:

• HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\WMI\Security\cb2ff72d-d4e4-585d-33f9-f3a395c40be7 has Exists equal to false
• HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\WMI\Security\cb2ff72d-d4e4-585d-33f9-f3a395c40be7 has Value equal to 1

ID: MWGYI

❌ Performed an unspecified action on the registry -5

Specific Conditions:

• HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\CommandStore\shell\Windows.DisconnectNetworkDrive\command\DelegateExecute has Exists equal to false
• HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\CommandStore\shell\Windows.DisconnectNetworkDrive\command\DelegateExecute has Value equal to 1

ID: GEVNA

❌ Performed an unspecified action on the registry -6

Specific Conditions:

• HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\WMI\Autologger\EventLog-System\{66a5c15c-4f8e-4044-bf6e-71d896038977}\LoggerName has Exists equal to false
• HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\WMI\Autologger\EventLog-System\{66a5c15c-4f8e-4044-bf6e-71d896038977}\LoggerName has Value equal to 1

ID: XTNRC

❌ Performed an unspecified action on the registry -6

Specific Conditions:

• HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\WMI\Autologger\EventLog-Application\{db00dfb6-29f9-4a9c-9b3b-1f4f9e7d9770}\Enabled has Exists equal to false
• HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\WMI\Autologger\EventLog-Application\{db00dfb6-29f9-4a9c-9b3b-1f4f9e7d9770}\Enabled has Value equal to 1

ID: SLRPW

❌ Performed an unspecified action on the registry -6

Specific Conditions:

• HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\NetDiagFx\Config\RC\{3564f41a-6610-4c46-8df2-9b490f2f4169} has Exists equal to false
• HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\NetDiagFx\Config\RC\{3564f41a-6610-4c46-8df2-9b490f2f4169} has Value equal to 1

ID: ZSGDC

❌ Performed an unspecified action on the registry -6

Specific Conditions:

• HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DeviceInstall\TriggerInfo\None has Exists equal to false
• HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DeviceInstall\TriggerInfo\None has Value equal to 1

ID: HHYLY

❌ Performed an unspecified action on the registry -6

Specific Conditions:

• HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Cryptography\Configuration\Local\Default\00010002\TLS_DHE_RSA_WITH_AES_128_GCM_SHA256\Flags has Exists equal to false
• HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Cryptography\Configuration\Local\Default\00010002\TLS_DHE_RSA_WITH_AES_128_GCM_SHA256\Flags has Value equal to 1

ID: KUHVS

❌ Performed an unspecified action on the registry -6

Specific Conditions:

• HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CDPUserSvc_6a527\ImagePath has Exists equal to false
• HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CDPUserSvc_6a527\ImagePath has Value equal to 1

ID: LQECI

❌ Performed an unspecified action on the registry -6

Specific Conditions:

• HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\MediaCategories\{65e8773e-8f56-11d0-a3b9-00a0c9223196}\Name has Exists equal to false
• HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\MediaCategories\{65e8773e-8f56-11d0-a3b9-00a0c9223196}\Name has Value equal to 1

ID: NGXHU

❌ Performed an unspecified action on the registry -6

Specific Conditions:

• HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4d36e97d-e325-11ce-bfc1-08002be10318}\0038\DriverDate has Exists equal to false
• HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4d36e97d-e325-11ce-bfc1-08002be10318}\0038\DriverDate has Value equal to 1

ID: ZLCFN

❌ Performed an unspecified action on the registry -6

Specific Conditions:

• HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\NetDiagFx\Microsoft\HostDLLs\WPPTrace\HelperClasses\wireless_dbg\Dependencies\nid_wpp has Exists equal to false
• HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\NetDiagFx\Microsoft\HostDLLs\WPPTrace\HelperClasses\wireless_dbg\Dependencies\nid_wpp has Value equal to 1

ID: DIDXS

❌ Performed an unspecified action on the registry -6

Specific Conditions:

• HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\WMI\Autologger\EventLog-Application\{89300202-3cec-4981-9171-19f59559e0f2}\Status has Exists equal to false
• HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\WMI\Autologger\EventLog-Application\{89300202-3cec-4981-9171-19f59559e0f2}\Status has Value equal to 1

ID: TLPJQ

❌ Performed an unspecified action on the registry -6

Specific Conditions:

• HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\VAN\{1B02C1F5-555B-4802-96A7-ADDDCCBCA38A}\None has Exists equal to false
• HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\VAN\{1B02C1F5-555B-4802-96A7-ADDDCCBCA38A}\None has Value equal to 1

ID: MVQSG

❌ Performed an unspecified action on the registry -6

Specific Conditions:

• HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4d36e97d-e325-11ce-bfc1-08002be10318}\0036\DriverDateData has Exists equal to false
• HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4d36e97d-e325-11ce-bfc1-08002be10318}\0036\DriverDateData has Value equal to 1

ID: OUOVI

❌ Performed an unspecified action on the registry -6

Specific Conditions:

• HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartMenu\StartPanel\PinnedItems\Devices\Type has Exists equal to false
• HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartMenu\StartPanel\PinnedItems\Devices\Type has Value equal to 1

ID: LMUMA

❌ Performed an unspecified action on the registry -6

Specific Conditions:

• HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\UnitedVideo\CONTROL\VIDEO\{9189F203-8AF5-11EC-942E-806E6F6E6963}\0000\DefaultSettings.Flags has Exists equal to false
• HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\UnitedVideo\CONTROL\VIDEO\{9189F203-8AF5-11EC-942E-806E6F6E6963}\0000\DefaultSettings.Flags has Value equal to 1

ID: IQQZJ

❌ Performed an unspecified action on the registry -6

Specific Conditions:

• HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TrustedInstaller\Start has Exists equal to false
• HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TrustedInstaller\Start has Value equal to 1

ID: ODPXZ

❌ Performed an unspecified action on the registry -6

Specific Conditions:

• HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\DeviceClasses\{0ecef634-6ef0-472a-8085-5ad023ecbccd}\##?#SWD#PRINTENUM#{CECFA109-1C57-4FA9-9356-AC955F6019F4}#{0ecef634-6ef0-472a-8085-5ad023ecbccd}\None has Exists equal to false
• HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\DeviceClasses\{0ecef634-6ef0-472a-8085-5ad023ecbccd}\##?#SWD#PRINTENUM#{CECFA109-1C57-4FA9-9356-AC955F6019F4}#{0ecef634-6ef0-472a-8085-5ad023ecbccd}\None has Value equal to 1

ID: PDEOH

Category: Penalty (F) (SCR)

❌ Removed multiple authorized user directories -2

Specific Conditions:

• C:\Users\benjamin has Exists equal to false

• OR

• C:\Users\edarby has Exists equal to false

• OR

• C:\Users\jpearson has Exists equal to false

• OR

• C:\Users\hspecter has Exists equal to false

• OR

• C:\Users\llitt has Exists equal to false

• OR

• C:\Users\dscott has Exists equal to false

• OR

• C:\Users\nnesbitt has Exists equal to false

• OR

• C:\Users\pporter has Exists equal to false

• OR

• C:\Users\kbennett has Exists equal to false

• OR

• C:\Users\mross has Exists equal to false

• OR

• C:\Users\rzane has Exists equal to false

• OR

• C:\Users\dpaulsen has Exists equal to false

• OR

• C:\Users\shuntley has Exists equal to false

• OR

• C:\Users\jpomaville has Exists equal to false

• OR

• C:\Users\sbandaru has Exists equal to false

• OR

• C:\Users\sthomas has Exists equal to false

ID: SCRD

❌ Removed multiple authorized users -3

Specific Conditions:

• dscott has Exists equal to false

• OR

• nnesbitt has Exists equal to false

• OR

• pporter has Exists equal to false

• OR

• kbennett has Exists equal to false

• OR

• mross has Exists equal to false

• OR

• rzane has Exists equal to false

• OR

• dpaulsen has Exists equal to false

• OR

• shuntley has Exists equal to false

• OR

• jpomaville has Exists equal to false

• OR

• sbandaru has Exists equal to false

• OR

• sthomas has Exists equal to false

• OR

• benjamin has Exists equal to false

• OR

• edarby has Exists equal to false

• OR

• jpearson has Exists equal to false

• OR

• hspecter has Exists equal to false

• OR

• llitt has Exists equal to false

ID: SCRU

Category: Unwanted software (F) (SFT)

✅ Removed TightVNC Server +5

Specific Conditions:

• C:\Program Files\TightVNC\tvnserver.exe has Exists equal to false

• OR

• C:\Program Files\ has Exists equal to true

• OR

• Process \tvnserver.exe does not exists

ID: TIVNC

❌ Performed an unspecified action on the filesystem -2

Specific Conditions:

• C:\Windows\PolicyDefinitions\wlansvc.admx has Exists equal to true

• OR

• C:\Windows\PolicyDefinitions has Exists equal to false

ID: JLDW

❌ Performed an unspecified action on the filesystem -2

Specific Conditions:

• C:\Windows\PolicyDefinitions\Winsrv.admx has Exists equal to true

• OR

• C:\Windows\PolicyDefinitions has Exists equal to false

ID: SSED

❌ Performed an unspecified action on the filesystem -2

Specific Conditions:

• C:\Windows\PolicyDefinitions\StartMenu.admx has Exists equal to true

• OR

• C:\Windows\PolicyDefinitions has Exists equal to false

ID: DENF

❌ Performed an unspecified action on the filesystem -2

Specific Conditions:

• C:\Windows\PolicyDefinitions\Radar.admx has Exists equal to true

• OR

• C:\Windows\PolicyDefinitions has Exists equal to false

ID: OKCO

❌ Performed an unspecified action on the filesystem -2

Specific Conditions:

• C:\Windows\PolicyDefinitions\Speech.admx has Exists equal to true

• OR

• C:\Windows\PolicyDefinitions has Exists equal to false

ID: MKWA

❌ Performed an unspecified action on the filesystem -2

Specific Conditions:

• C:\Windows\PolicyDefinitions\DeviceGuard.admx has Exists equal to true

• OR

• C:\Windows\PolicyDefinitions has Exists equal to false

ID: QZUN

❌ Performed an unspecified action on the filesystem -2

Specific Conditions:

• C:\Windows\Media\notify.wav has Exists equal to true

• OR

• C:\Windows\Media has Exists equal to false

ID: BLQF

❌ Performed an unspecified action on the filesystem -2

Specific Conditions:

• C:\Windows\PolicyDefinitions\Reliability.admx has Exists equal to true

• OR

• C:\Windows\PolicyDefinitions has Exists equal to false

ID: MPGI

❌ Performed an unspecified action on the filesystem -2

Specific Conditions:

• C:\Windows\PolicyDefinitions\MMCSnapins.admx has Exists equal to true

• OR

• C:\Windows\PolicyDefinitions has Exists equal to false

ID: XEFN

❌ Performed an unspecified action on the filesystem -2

Specific Conditions:

• C:\Windows\Media\Windows User Account Control.wav has Exists equal to true

• OR

• C:\Windows\Media has Exists equal to false

ID: YVRS

❌ Performed an unspecified action on the filesystem -2

Specific Conditions:

• C:\ProgramData\Microsoft\Windows\Start Menu\Programs\desktop.ini has Exists equal to true

• OR

• C:\ProgramData\Microsoft\Windows\Start Menu\Programs has Exists equal to false

ID: SCEA

❌ Performed an unspecified action on the filesystem -3

Specific Conditions:

• C:\Windows\Media\Ring01.wav has Exists equal to true

• OR

• C:\Windows\Media has Exists equal to false

ID: OFXQ

❌ Performed an unspecified action on the filesystem -3

Specific Conditions:

• C:\Windows\PolicyDefinitions\WindowsUpdate.admx has Exists equal to true

• OR

• C:\Windows\PolicyDefinitions has Exists equal to false

ID: TVFH

❌ Performed an unspecified action on the filesystem -3

Specific Conditions:

• C:\Windows\PolicyDefinitions\CEIPEnable.admx has Exists equal to true

• OR

• C:\Windows\PolicyDefinitions has Exists equal to false

ID: QYDZ

❌ Performed an unspecified action on the filesystem -3

Specific Conditions:

• C:\Windows\PolicyDefinitions\DeliveryOptimization.admx has Exists equal to true

• OR

• C:\Windows\PolicyDefinitions has Exists equal to false

ID: ZRKV

❌ Performed an unspecified action on the filesystem -3

Specific Conditions:

• C:\Windows\Media\Windows Feed Discovered.wav has Exists equal to true

• OR

• C:\Windows\Media has Exists equal to false

ID: DXRN

❌ Performed an unspecified action on the filesystem -3

Specific Conditions:

• C:\Windows\PolicyDefinitions\RPC.admx has Exists equal to true

• OR

• C:\Windows\PolicyDefinitions has Exists equal to false

ID: RZSF

❌ Performed an unspecified action on the filesystem -3

Specific Conditions:

• C:\Windows\PolicyDefinitions\fthsvc.admx has Exists equal to true

• OR

• C:\Windows\PolicyDefinitions has Exists equal to false

ID: JQVK

❌ Performed an unspecified action on the filesystem -3

Specific Conditions:

• C:\Windows\Media\Alarm09.wav has Exists equal to true

• OR

• C:\Windows\Media has Exists equal to false

ID: QZCO

❌ Performed an unspecified action on the filesystem -3

Specific Conditions:

• C:\Windows\PolicyDefinitions\SoundRec.admx has Exists equal to true

• OR

• C:\Windows\PolicyDefinitions has Exists equal to false

ID: ZLMN

❌ Performed an unspecified action on the filesystem -3

Specific Conditions:

• C:\Windows\PolicyDefinitions\NetworkConnections.admx has Exists equal to true

• OR

• C:\Windows\PolicyDefinitions has Exists equal to false

ID: KGBB

❌ Performed an unspecified action on the filesystem -3

Specific Conditions:

• C:\Windows\PolicyDefinitions\MobilePCMobilityCenter.admx has Exists equal to true

• OR

• C:\Windows\PolicyDefinitions has Exists equal to false

ID: XZRW

❌ Performed an unspecified action on the filesystem -3

Specific Conditions:

• C:\Windows\PolicyDefinitions\CredentialProviders.admx has Exists equal to true

• OR

• C:\Windows\PolicyDefinitions has Exists equal to false

ID: WYBG

❌ Performed an unspecified action on the filesystem -3

Specific Conditions:

• C:\Windows\Media\Focus2_48000Hz.raw has Exists equal to true

• OR

• C:\Windows\Media has Exists equal to false

ID: GKFH

❌ Performed an unspecified action on the filesystem -3

Specific Conditions:

• C:\Windows\PolicyDefinitions\WindowsConnectNow.admx has Exists equal to true

• OR

• C:\Windows\PolicyDefinitions has Exists equal to false

ID: UJII

❌ Performed an unspecified action on the filesystem -3

Specific Conditions:

• C:\Windows\Media\tada.wav has Exists equal to true

• OR

• C:\Windows\Media has Exists equal to false

ID: NXWB

❌ Performed an unspecified action on the filesystem -3

Specific Conditions:

• C:\Windows\PolicyDefinitions\EnhancedStorage.admx has Exists equal to true

• OR

• C:\Windows\PolicyDefinitions has Exists equal to false

ID: VFOK

❌ Performed an unspecified action on the filesystem -3

Specific Conditions:

• C:\Windows\PolicyDefinitions\SharedFolders.admx has Exists equal to true

• OR

• C:\Windows\PolicyDefinitions has Exists equal to false

ID: JJWB

❌ Performed an unspecified action on the filesystem -4

Specific Conditions:

• C:\Windows\PolicyDefinitions\DiskQuota.admx has Exists equal to true

• OR

• C:\Windows\PolicyDefinitions has Exists equal to false

ID: PYJH

❌ Performed an unspecified action on the filesystem -4

Specific Conditions:

• C:\Windows\Media\Windows Balloon.wav has Exists equal to true

• OR

• C:\Windows\Media has Exists equal to false

ID: EMWB

❌ Performed an unspecified action on the filesystem -4

Specific Conditions:

• C:\Windows\Media\Windows Unlock.wav has Exists equal to true

• OR

• C:\Windows\Media has Exists equal to false

ID: BLUA

❌ Performed an unspecified action on the filesystem -4

Specific Conditions:

• C:\Windows\PolicyDefinitions\EncryptFilesonMove.admx has Exists equal to true

• OR

• C:\Windows\PolicyDefinitions has Exists equal to false

ID: IWAW

❌ Performed an unspecified action on the filesystem -4

Specific Conditions:

• C:\Windows\Media\Windows Battery Critical.wav has Exists equal to true

• OR

• C:\Windows\Media has Exists equal to false

ID: WNUO

❌ Performed an unspecified action on the filesystem -4

Specific Conditions:

• C:\Windows\PolicyDefinitions\DnsClient.admx has Exists equal to true

• OR

• C:\Windows\PolicyDefinitions has Exists equal to false

ID: KMKE

❌ Performed an unspecified action on the filesystem -4

Specific Conditions:

• C:\Windows\Media\flourish.mid has Exists equal to true

• OR

• C:\Windows\Media has Exists equal to false

ID: JXQM

❌ Performed an unspecified action on the filesystem -4

Specific Conditions:

• C:\Windows\PolicyDefinitions\EdgeUI.admx has Exists equal to true

• OR

• C:\Windows\PolicyDefinitions has Exists equal to false

ID: MIFC

❌ Performed an unspecified action on the filesystem -4

Specific Conditions:

• C:\Windows\PolicyDefinitions\WindowsSandbox.admx has Exists equal to true

• OR

• C:\Windows\PolicyDefinitions has Exists equal to false

ID: WOPC

❌ Performed an unspecified action on the filesystem -4

Specific Conditions:

• C:\Windows\Media\trojan.dll has Exists equal to true

• OR

• C:\Windows\Media has Exists equal to false

ID: PNZL

❌ Performed an unspecified action on the filesystem -4

Specific Conditions:

• C:\Windows\PolicyDefinitions\AllowBuildPreview.admx has Exists equal to true

• OR

• C:\Windows\PolicyDefinitions has Exists equal to false

ID: DTKZ

❌ Performed an unspecified action on the filesystem -4

Specific Conditions:

• C:\Program Files\Windows Media Player\wmpnetwk.exe has Exists equal to true

• OR

• C:\Program Files\Windows Media Player has Exists equal to false

ID: BQMX

❌ Performed an unspecified action on the filesystem -4

Specific Conditions:

• C:\Windows\PolicyDefinitions\WindowsProducts.admx has Exists equal to true

• OR

• C:\Windows\PolicyDefinitions has Exists equal to false

ID: ZZNJ

❌ Performed an unspecified action on the filesystem -5

Specific Conditions:

• C:\Windows\PolicyDefinitions\TabletShell.admx has Exists equal to true

• OR

• C:\Windows\PolicyDefinitions has Exists equal to false

ID: DOGP

❌ Performed an unspecified action on the filesystem -5

Specific Conditions:

• C:\Windows\Media\Ring06.wav has Exists equal to true

• OR

• C:\Windows\Media has Exists equal to false

ID: CTQU

❌ Performed an unspecified action on the filesystem -5

Specific Conditions:

• C:\Windows\mytrojan.dll has Exists equal to true

• OR

• C:\Windows has Exists equal to false

ID: USKD

❌ Performed an unspecified action on the filesystem -5

Specific Conditions:

• C:\Program Files\Windows NT\Accessories\IrisProtocol.dll has Exists equal to true

• OR

• C:\Program Files\Windows NT\Accessories has Exists equal to false

ID: JPRN

❌ Performed an unspecified action on the filesystem -5

Specific Conditions:

• C:\Windows\PolicyDefinitions\LanmanWorkstation.admx has Exists equal to true

• OR

• C:\Windows\PolicyDefinitions has Exists equal to false

ID: XFQZ

❌ Performed an unspecified action on the filesystem -5

Specific Conditions:

• C:\Program Files\Windows Defender\ProtectionManagement_Uninstall.mof has Exists equal to true

• OR

• C:\Program Files\Windows Defender has Exists equal to false

ID: VMJV

❌ Performed an unspecified action on the filesystem -5

Specific Conditions:

• C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Server Manager.lnk has Exists equal to true

• OR

• C:\ProgramData\Microsoft\Windows\Start Menu\Programs has Exists equal to false

ID: IAAQ

❌ Performed an unspecified action on the filesystem -5

Specific Conditions:

• C:\Windows\System32\GroupPolicy\User\ has Exists equal to true

• OR

• C:\Windows\System32\GroupPolicy\User has Exists equal to false

ID: EZUS

❌ Performed an unspecified action on the filesystem -5

Specific Conditions:

• C:\Windows\PolicyDefinitions\WindowsMediaDRM.admx has Exists equal to true

• OR

• C:\Windows\PolicyDefinitions has Exists equal to false

ID: BBHV

❌ Performed an unspecified action on the filesystem -5

Specific Conditions:

• C:\Windows\PolicyDefinitions\WPN.admx has Exists equal to true

• OR

• C:\Windows\PolicyDefinitions has Exists equal to false

ID: DADW

❌ Performed an unspecified action on the filesystem -5

Specific Conditions:

• C:\Windows\Media\Windows Proximity Connection.wav has Exists equal to true

• OR

• C:\Windows\Media has Exists equal to false

ID: VNKA

❌ Performed an unspecified action on the filesystem -5

Specific Conditions:

• C:\Windows\PolicyDefinitions\WindowsInkWorkspace.admx has Exists equal to true

• OR

• C:\Windows\PolicyDefinitions has Exists equal to false

ID: GYAT

❌ Performed an unspecified action on the filesystem -6

Specific Conditions:

• C:\Windows\PolicyDefinitions\EAIME.admx has Exists equal to true

• OR

• C:\Windows\PolicyDefinitions has Exists equal to false

ID: GFBF

❌ Performed an unspecified action on the filesystem -6

Specific Conditions:

• C:\Windows\PolicyDefinitions\AppXRuntime.admx has Exists equal to true

• OR

• C:\Windows\PolicyDefinitions has Exists equal to false

ID: FCQY

❌ Performed an unspecified action on the filesystem -6

Specific Conditions:

• C:\Windows\Media\Windows Menu Command.wav has Exists equal to true

• OR

• C:\Windows\Media has Exists equal to false

ID: BWDP

❌ Performed an unspecified action on the filesystem -6

Specific Conditions:

• C:\Program Files\Windows Media Player\WMPNSSUI.dll has Exists equal to true

• OR

• C:\Program Files\Windows Media Player has Exists equal to false

ID: TXXT

❌ Performed an unspecified action on the filesystem -6

Specific Conditions:

• C:\Windows\PolicyDefinitions\InkWatson.admx has Exists equal to true

• OR

• C:\Windows\PolicyDefinitions has Exists equal to false

ID: UAUE

❌ Performed an unspecified action on the filesystem -6

Specific Conditions:

• C:\Windows\Media\Alarm05.wav has Exists equal to true

• OR

• C:\Windows\Media has Exists equal to false

ID: KGDP

❌ Performed an unspecified action on the filesystem -6

Specific Conditions:

• C:\Windows\Media\Windows Error.wav has Exists equal to true

• OR

• C:\Windows\Media has Exists equal to false

ID: NPQG

❌ Performed an unspecified action on the filesystem -6

Specific Conditions:

• C:\Windows\PolicyDefinitions\FileHistory.admx has Exists equal to true

• OR

• C:\Windows\PolicyDefinitions has Exists equal to false

ID: XYXO

❌ Performed an unspecified action on the filesystem -6

Specific Conditions:

• C:\Program Files\Windows Defender\MpEvMsg.dll has Exists equal to true

• OR

• C:\Program Files\Windows Defender has Exists equal to false

ID: ANAC

❌ Performed an unspecified action on the filesystem -6

Specific Conditions:

• C:\Windows\PolicyDefinitions\WinLogon.admx has Exists equal to true

• OR

• C:\Windows\PolicyDefinitions has Exists equal to false

ID: FRAI

❌ Performed an unspecified action on the filesystem -6

Specific Conditions:

• C:\Windows\PolicyDefinitions\PeerToPeerCaching.admx has Exists equal to true

• OR

• C:\Windows\PolicyDefinitions has Exists equal to false

ID: DQEA

Category: Uncategorized operating system setting (F) (SYS)

✅ File sharing disabled for hidden share Private$ +4

Specific Conditions:

• HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\LanmanServer\Shares\Private$ has Exists equal to false

ID: SHHDN

✅ Created Executive SMB Share +4

Specific Conditions:

• HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\LanmanServer\Shares\EXEC has Exists equal to true

• OR

• C:\EXEC has Exists equal to true

ID: SMB_EXEC

Category: User auditing (F) (USR)

✅ Created group Exec SMB Users +4

Specific Conditions:

• Group Exec SMB Users has Exists equal to true

ID: SMB_GRP1

✅ Added users to group Exec SMB Users +4

Specific Conditions:

• Group Exec SMB Users has Exists equal to true
• Group Exec SMB Users has Member equal to jpearson
• Group Exec SMB Users has Member equal to edarby
• Group Exec SMB Users has Member equal to dpaulsen

ID: SMB_GRP2

✅ Removed unauthorized user ttanner +3

Specific Conditions:

• ttanner has Exists equal to false

• OR

• ttanner has Exists equal to true
• ttanner has Enabled equal to false

ID: TTAN

✅ Removed unauthorized user tgianopolous +3

Specific Conditions:

• tgianopolous has Exists equal to false

• OR

• tgianopolous has Exists equal to true
• tgianopolous has Enabled equal to false

ID: TGIA

✅ User kbennett is not an administrator +3

Specific Conditions:

• kbennett has Exists equal to true
• kbennett has Admin equal to false

ID: KBEN

✅ User rzane is not an administrator +3

Specific Conditions:

• rzane has Exists equal to true
• rzane has Admin equal to false

ID: RZAN

✅ Changed insecure password for user dscott +3

Specific Conditions:

• dscott has Exists equal to true
• dscott has Password not equal to harvey123

ID: DSCO