Cyber Patriot 18 CP-18 Introductory Round / Round 2 Windows 11 Answer Key

Summary

• Total Checks: 158
• Positive Checks: 20
• Penalties: 137
• Maximum Possible Points: 100

Forensics Questions

Question 1

File Path: C:\Users\benjamin\Desktop\Forensics Question 1.txt

Content:

An external network scan identified an unauthorized web server running on this
machine and management has asked you to investigate it. The typical file path
for the web server files is C:\inetpub\wwwroot\, however, that directory is
empty.
What is the absolute file path of the configured root directory for the web
server?
( HINT: You can use inetmgr to view the web server configuration. )
( EXAMPLE: C:\Windows\System32\ )
ANSWER: <Type Answer Here>

Question 2

File Path: C:\Users\benjamin\Desktop\Forensics Question 2.txt

Content:

Remote Desktop access is determined by the local or domain security policy
called "Allow log on through Remote Desktop Services." This setting defines
which groups or users are permitted to connect using Remote Desktop Protocol.
By default, this policy usually includes two groups: Administrators and Remote
Desktop Users. However, additional groups or individual accounts can be added
manually through Group Policy or local security settings.
To find out who actually has RDP access, it is not enough to just look at the
Remote Desktop Users group. You must enumerate all users and nested groups
within the above permission to see who effectively can log in via RDP.
Based on the above information, please list all user accounts that can log in
via Remote Desktop Protocol (RDP) on this machine.
( HINT: The Administrators group does NOT currently have the permission. )
( HINT: You will NOT gain any points for removing anyone's RDP permission
as RDP is not a critical service and should be disabled. )
( EXAMPLE: Guest )
ANSWER: <Type Answer Here>
ANSWER: <Type Answer Here>
ANSWER: <Type Answer Here>
ANSWER: <Type Answer Here>
ANSWER: <Type Answer Here>

Category: Account policy (F) (ACT)

✅ Passwords are not stored using reversible encryption +4

Specific Conditions:

• HKEY_LOCAL_MACHINE\SAM\SAM\Domains\Account\F has Exists equal to true
• HKEY_LOCAL_MACHINE\SAM\SAM\Domains\Account\F matches pattern ^(..){76}0.

ID: REV

✅ A secure account lockout duration exists +4

Specific Conditions:

• Account Lockout Policy has Exists equal to true
• Account Lockout Policy has LockoutThreshold greater than 4
• Account Lockout Policy has LockoutThreshold less than 51
• Account Lockout Policy has LockoutDuration greater than 240

ID: DUR

Category: Application update (F) (AUP)

✅ 7-Zip has been updated +5

Specific Conditions:

• C:\Program Files\7-Zip\7z.exe has Exists equal to true
• C:\Program Files\7-Zip\7z.exe has FileVersionMajor greater than 25

• OR

• C:\Program Files\7-Zip\7z.exe has Exists equal to true
• C:\Program Files\7-Zip\7z.exe has FileVersionMajor equal to 25
• C:\Program Files\7-Zip\7z.exe has FileVersionMinor greater than 0

• OR

• C:\Program Files\7-Zip\7z.exe has Exists equal to true
• C:\Program Files\7-Zip\7z.exe has FileVersionMajor equal to 23
• C:\Program Files\7-Zip\7z.exe has FileVersionMinor greater than 0

• OR

• C:\Program Files\7-Zip\7z.exe has Exists equal to true
• C:\Program Files\7-Zip\7z.exe has FileVersionMajor equal to 19

• OR

• C:\Program Files\7-Zip\7z.exe has Exists equal to true
• C:\Program Files\7-Zip\7z.exe has FileVersionMajor equal to 16
• C:\Program Files\7-Zip\7z.exe has FileVersionMinor greater than 3

• OR

• C:\Program Files\7-Zip\7z.exe has Exists equal to true
• C:\Program Files\7-Zip\7z.exe has FileVersionMajor equal to 9
• C:\Program Files\7-Zip\7z.exe has FileVersionMinor greater than 19

• OR

• C:\Program Files (x86)\7-Zip\7z.exe has Exists equal to true
• C:\Program Files (x86)\7-Zip\7z.exe has FileVersionMajor greater than 25

• OR

• C:\Program Files (x86)\7-Zip\7z.exe has Exists equal to true
• C:\Program Files (x86)\7-Zip\7z.exe has FileVersionMajor equal to 25
• C:\Program Files (x86)\7-Zip\7z.exe has FileVersionMinor greater than 0

• OR

• C:\Program Files (x86)\7-Zip\7z.exe has Exists equal to true
• C:\Program Files (x86)\7-Zip\7z.exe has FileVersionMajor equal to 23
• C:\Program Files (x86)\7-Zip\7z.exe has FileVersionMinor greater than 0

• OR

• C:\Program Files (x86)\7-Zip\7z.exe has Exists equal to true
• C:\Program Files (x86)\7-Zip\7z.exe has FileVersionMajor equal to 19

• OR

• C:\Program Files (x86)\7-Zip\7z.exe has Exists equal to true
• C:\Program Files (x86)\7-Zip\7z.exe has FileVersionMajor equal to 16
• C:\Program Files (x86)\7-Zip\7z.exe has FileVersionMinor greater than 3

• OR

• C:\Program Files (x86)\7-Zip\7z.exe has Exists equal to true
• C:\Program Files (x86)\7-Zip\7z.exe has FileVersionMajor equal to 9
• C:\Program Files (x86)\7-Zip\7z.exe has FileVersionMinor greater than 19

ID: 7ZIP

✅ LibreOffice has been updated +5

Specific Conditions:

• C:\Program Files\LibreOffice\program\swriter.exe has Exists equal to true
• C:\Program Files\LibreOffice\program\swriter.exe has FileVersionMajor equal to 25
• C:\Program Files\LibreOffice\program\swriter.exe has FileVersionMinor greater than 2

• OR

• C:\Program Files\LibreOffice\program\swriter.exe has Exists equal to true
• C:\Program Files\LibreOffice\program\swriter.exe has FileVersionMajor greater than 25

• OR

• C:\Program Files (x86)\LibreOffice\program\swriter.exe has Exists equal to true
• C:\Program Files (x86)\LibreOffice\program\swriter.exe has FileVersionMajor equal to 25
• C:\Program Files (x86)\LibreOffice\program\swriter.exe has FileVersionMinor greater than 2

• OR

• C:\Program Files (x86)\LibreOffice\program\swriter.exe has Exists equal to true
• C:\Program Files (x86)\LibreOffice\program\swriter.exe has FileVersionMajor greater than 25

• OR

• C:\Program Files\LibreOffice\program\scalc.exe has Exists equal to true
• C:\Program Files\LibreOffice\program\scalc.exe has FileVersionMajor equal to 25
• C:\Program Files\LibreOffice\program\scalc.exe has FileVersionMinor greater than 2

• OR

• C:\Program Files\LibreOffice\program\scalc.exe has Exists equal to true
• C:\Program Files\LibreOffice\program\scalc.exe has FileVersionMajor greater than 25

• OR

• C:\Program Files (x86)\LibreOffice\program\scalc.exe has Exists equal to true
• C:\Program Files (x86)\LibreOffice\program\scalc.exe has FileVersionMajor equal to 25
• C:\Program Files (x86)\LibreOffice\program\scalc.exe has FileVersionMinor greater than 2

• OR

• C:\Program Files (x86)\LibreOffice\program\scalc.exe has Exists equal to true
• C:\Program Files (x86)\LibreOffice\program\scalc.exe has FileVersionMajor greater than 25

• OR

• C:\Program Files\LibreOffice\program\simpress.exe has Exists equal to true
• C:\Program Files\LibreOffice\program\simpress.exe has FileVersionMajor equal to 25
• C:\Program Files\LibreOffice\program\simpress.exe has FileVersionMinor greater than 2

• OR

• C:\Program Files\LibreOffice\program\simpress.exe has Exists equal to true
• C:\Program Files\LibreOffice\program\simpress.exe has FileVersionMajor greater than 25

• OR

• C:\Program Files (x86)\LibreOffice\program\simpress.exe has Exists equal to true
• C:\Program Files (x86)\LibreOffice\program\simpress.exe has FileVersionMajor equal to 25
• C:\Program Files (x86)\LibreOffice\program\simpress.exe has FileVersionMinor greater than 2

• OR

• C:\Program Files (x86)\LibreOffice\program\simpress.exe has Exists equal to true
• C:\Program Files (x86)\LibreOffice\program\simpress.exe has FileVersionMajor greater than 25

ID: LOFF

Category: Defensive countermeasure (F) (DEF)

✅ Firewall protection has been enabled +5

Specific Conditions:

• Firewall has Exists equal to true
• Firewall has Enabled equal to true

• OR

• HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\EnableFirewall has Exists equal to true
• HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\EnableFirewall has Value equal to 1

• OR

• HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile\EnableFirewall has Exists equal to true
• HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile\EnableFirewall has Value equal to 1

• OR

• HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile\EnableFirewall has Exists equal to true
• HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile\EnableFirewall has Value equal to 1

ID: FWALL

Category: Prohibited file (F) (FIL)

✅ Removed prohibited MP3 files +4

Specific Conditions:

• C:\Users\sthomas\Music\01-05- Vertigo Delight.mp3 has Exists equal to false

• OR

• C:\Users\sthomas\Music\01-02- Fall Festival.mp3 has Exists equal to false

• OR

• C:\Users\sthomas\Desktop\ has Exists equal to true

ID: MP3

Category: Forensic Question (F) (FOR)

✅ Forensics Question 1 correct +10

Specific Conditions:

• C:\Users\benjamin\Desktop\Forensics Question 1.txt has Exists equal to true
• Data of C:\Users\benjamin\Desktop\Forensics Question 1.txt matches pattern ANSWER: C:\Users\llitt\Documents\Personal\

ID: Q1

✅ Forensics Question 2 correct +10

Specific Conditions:

• C:\Users\benjamin\Desktop\Forensics Question 2.txt has Exists equal to true
• Data of C:\Users\benjamin\Desktop\Forensics Question 2.txt matches pattern ANSWER: benjamin
• Data of C:\Users\benjamin\Desktop\Forensics Question 2.txt matches pattern ANSWER: jpearson
• Data of C:\Users\benjamin\Desktop\Forensics Question 2.txt matches pattern ANSWER: kbennett
• Data of C:\Users\benjamin\Desktop\Forensics Question 2.txt matches pattern ANSWER: jquelling
• Data of C:\Users\benjamin\Desktop\Forensics Question 2.txt matches pattern ANSWER: dscott

ID: Q2

Category: Malware (F) (MAL)

✅ Removed Tini backdoor +6

Specific Conditions:

• C:\tini.exe has Exists equal to false

• OR

• C:\Windows\ has Exists equal to true

• OR

• Process \tini.exe does not exists

ID: TINI

Category: Penalty (F) (PEN)

➖ WARNING: VirtualBox is unsupported 0

Specific Conditions:

• HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion has Exists equal to true
• HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion matches pattern VirtualBox

• OR

• HKEY_LOCAL_MACHINE\HARDWARE\ACPI\RSDT\VBOX__\None has Exists equal to true

ID: VBX

❌ Account lockout threshold less than 5 is deprecated -3

Specific Conditions:

• Account Lockout Policy has Exists equal to true
• Account Lockout Policy has LockoutThreshold greater than 0
• Account Lockout Policy has LockoutThreshold less than 5

ID: LOCK

❌ Google Chrome is not installed at the default location -5

Specific Conditions:

• C:\Program Files\Google\Chrome\Application\chrome.exe has Exists not equal to true

• OR

• C:\Program Files (x86)\Google\Chrome\Application\chrome.exe has Exists not equal to true

ID: SFT_GCHR

❌ Notepad++ is not installed at the default location -5

Specific Conditions:

• C:\Program Files\Notepad++\notepad++.exe has Exists not equal to true

• OR

• C:\Program Files (X86)\Notepad++\notepad++.exe has Exists not equal to true

ID: SFT_NPP

❌ 7-Zip is not installed at the default location -5

Specific Conditions:

• C:\Program Files\7-Zip\7z.exe has Exists not equal to true

• OR

• C:\Program Files (x86)\7-Zip\7z.exe has Exists not equal to true

ID: SFT_7ZIP

❌ Removed one or more authorized administrators -5

Specific Conditions:

• benjamin has Admin equal to false

• OR

• benjamin has Exists equal to false

• OR

• edarby has Admin equal to false

• OR

• edarby has Exists equal to false

• OR

• jpearson has Admin equal to false

• OR

• jpearson has Exists equal to false

• OR

• hspecter has Admin equal to false

• OR

• hspecter has Exists equal to false

• OR

• llitt has Admin equal to false

• OR

• llitt has Exists equal to false

ID: USRA

❌ Removed one or more authorized users -5

Specific Conditions:

• dscott has Exists equal to false

• OR

• nnesbitt has Exists equal to false

• OR

• pporter has Exists equal to false

• OR

• kbennett has Exists equal to false

• OR

• mross has Exists equal to false

• OR

• rzane has Exists equal to false

• OR

• dpaulsen has Exists equal to false

• OR

• shuntley has Exists equal to false

• OR

• jpomaville has Exists equal to false

• OR

• sbandaru has Exists equal to false

• OR

• sthomas has Exists equal to false

ID: USRS

❌ Removed one or more authorized user directories -5

Specific Conditions:

• C:\Users\benjamin has Exists equal to false

• OR

• C:\Users\edarby has Exists equal to false

• OR

• C:\Users\jpearson has Exists equal to false

• OR

• C:\Users\hspecter has Exists equal to false

• OR

• C:\Users\llitt has Exists equal to false

• OR

• C:\Users\dscott has Exists equal to false

• OR

• C:\Users\nnesbitt has Exists equal to false

• OR

• C:\Users\pporter has Exists equal to false

• OR

• C:\Users\kbennett has Exists equal to false

• OR

• C:\Users\mross has Exists equal to false

• OR

• C:\Users\rzane has Exists equal to false

• OR

• C:\Users\dpaulsen has Exists equal to false

• OR

• C:\Users\shuntley has Exists equal to false

• OR

• C:\Users\jpomaville has Exists equal to false

• OR

• C:\Users\sbandaru has Exists equal to false

• OR

• C:\Users\sthomas has Exists equal to false

ID: USRD

Category: Local policy (F) (POL)

✅ Do not require CTRL+ALT+DEL [disabled] +5

Specific Conditions:

• HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCAD has Exists equal to true
• HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCAD has Value equal to 0

• OR

• HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\DisableCAD has Exists equal to true
• HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\DisableCAD has Value equal to 0

ID: IL_CAD

❌ Performed an unspecified action on the registry -2

Specific Conditions:

• HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard Layouts\0001045c\Layout File has Exists equal to false
• HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard Layouts\0001045c\Layout File has Value equal to 1

ID: GAZZR

❌ Performed an unspecified action on the registry -2

Specific Conditions:

• HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4d36e97d-e325-11ce-bfc1-08002be10318}\0035\None has Exists equal to false
• HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4d36e97d-e325-11ce-bfc1-08002be10318}\0035\None has Value equal to 1

ID: KQGUS

❌ Performed an unspecified action on the registry -2

Specific Conditions:

• HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\WMI\Autologger\Diagtrack-Listener\{2B1488D0-4158-4F7B-B43A-7A0725E370D9}\EnableLevel has Exists equal to false
• HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\WMI\Autologger\Diagtrack-Listener\{2B1488D0-4158-4F7B-B43A-7A0725E370D9}\EnableLevel has Value equal to 1

ID: PVVDF

❌ Performed an unspecified action on the registry -2

Specific Conditions:

• HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\WMI\Autologger\EventLog-Application\{dcbe5aaa-16e2-457c-9337-366950045f0a}\None has Exists equal to false
• HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\WMI\Autologger\EventLog-Application\{dcbe5aaa-16e2-457c-9337-366950045f0a}\None has Value equal to 1

ID: GCQBY

❌ Performed an unspecified action on the registry -2

Specific Conditions:

• HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{08B0e5c0-4FCB-11CF-AAA5-00401C608501}\Compatibility Flags has Exists equal to false
• HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{08B0e5c0-4FCB-11CF-AAA5-00401C608501}\Compatibility Flags has Value equal to 1

ID: WLBEM

❌ Performed an unspecified action on the registry -2

Specific Conditions:

• HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Time Zones\Turks And Caicos Standard Time\Display has Exists equal to false
• HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Time Zones\Turks And Caicos Standard Time\Display has Value equal to 1

ID: UMZEQ

❌ Performed an unspecified action on the registry -2

Specific Conditions:

• HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RDMANDK\DriverMajorVersion has Exists equal to false
• HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RDMANDK\DriverMajorVersion has Value equal to 1

ID: WFJET

❌ Performed an unspecified action on the registry -2

Specific Conditions:

• HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\GraphicsDrivers\AdditionalModeLists\COMPONENT\1440x576ix50Hz_4x3\None has Exists equal to false
• HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\GraphicsDrivers\AdditionalModeLists\COMPONENT\1440x576ix50Hz_4x3\None has Value equal to 1

ID: ZOXED

❌ Performed an unspecified action on the registry -3

Specific Conditions:

• HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\FeatureManagement\Overrides\4\3029224078\RolloutState has Exists equal to false
• HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\FeatureManagement\Overrides\4\3029224078\RolloutState has Value equal to 1

ID: TXUYV

❌ Performed an unspecified action on the registry -3

Specific Conditions:

• HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Nls\Locale\0000082c has Exists equal to false
• HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Nls\Locale\0000082c has Value equal to 1

ID: ARNZQ

❌ Performed an unspecified action on the registry -3

Specific Conditions:

• HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\1208 has Exists equal to false
• HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\1208 has Value equal to 1

ID: NICRY

❌ Performed an unspecified action on the registry -3

Specific Conditions:

• HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderTypes\{20338b7b-531c-4aad-8011-f5b3db2123ec}\TopViews\{9ef125c2-d179-4d37-b37d-3c52e4735abf}\Order has Exists equal to false
• HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderTypes\{20338b7b-531c-4aad-8011-f5b3db2123ec}\TopViews\{9ef125c2-d179-4d37-b37d-3c52e4735abf}\Order has Value equal to 1

ID: BCIAA

❌ Performed an unspecified action on the registry -3

Specific Conditions:

• HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Power\PowerSettings\238c9fa8-0aad-41ed-83f4-97be242c8f20\25dfa149-5dd1-4736-b5ab-e8a37b5b8187\DefaultPowerSchemeValues\None has Exists equal to false
• HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Power\PowerSettings\238c9fa8-0aad-41ed-83f4-97be242c8f20\25dfa149-5dd1-4736-b5ab-e8a37b5b8187\DefaultPowerSchemeValues\None has Value equal to 1

ID: EMHCA

❌ Performed an unspecified action on the registry -3

Specific Conditions:

• HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{268c95a1-edfe-11d3-95c3-0010dc4050a5}\Class has Exists equal to false
• HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{268c95a1-edfe-11d3-95c3-0010dc4050a5}\Class has Value equal to 1

ID: HYIJE

❌ Performed an unspecified action on the registry -3

Specific Conditions:

• HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SspiCache\credssp.dll\Comment has Exists equal to false
• HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SspiCache\credssp.dll\Comment has Value equal to 1

ID: UICUM

❌ Performed an unspecified action on the registry -3

Specific Conditions:

• HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NtVdm64\ACMSETUP301\None has Exists equal to false
• HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NtVdm64\ACMSETUP301\None has Value equal to 1

ID: LHVEJ

❌ Performed an unspecified action on the registry -3

Specific Conditions:

• HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\WMI\Autologger\LwtNetLog\{315a8872-923e-4ea2-9889-33cd4754bf64}\Enabled has Exists equal to false
• HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\WMI\Autologger\LwtNetLog\{315a8872-923e-4ea2-9889-33cd4754bf64}\Enabled has Value equal to 1

ID: JPEXO

❌ Performed an unspecified action on the registry -3

Specific Conditions:

• HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\Logging\LogDroppedPackets has Exists equal to false
• HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\Logging\LogDroppedPackets has Value equal to 1

ID: AAFMG

❌ Performed an unspecified action on the registry -3

Specific Conditions:

• HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\WMI\Autologger\EventLog-System\{8507cd07-f18b-54f0-b871-23c43a5bf118}\EnableProperty has Exists equal to false
• HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\WMI\Autologger\EventLog-System\{8507cd07-f18b-54f0-b871-23c43a5bf118}\EnableProperty has Value equal to 1

ID: STMNG

❌ Performed an unspecified action on the registry -3

Specific Conditions:

• HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Cryptography\Configuration\Local\Default\00010002\TLS_DHE_RSA_WITH_AES_256_CBC_SHA\Providers has Exists equal to false
• HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Cryptography\Configuration\Local\Default\00010002\TLS_DHE_RSA_WITH_AES_256_CBC_SHA\Providers has Value equal to 1

ID: BKTQL

❌ Performed an unspecified action on the registry -3

Specific Conditions:

• HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NetTcpPortSharing\ImagePath has Exists equal to false
• HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NetTcpPortSharing\ImagePath has Value equal to 1

ID: YVRMJ

❌ Performed an unspecified action on the registry -3

Specific Conditions:

• HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Time Zones\US Eastern Standard Time\TZI has Exists equal to false
• HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Time Zones\US Eastern Standard Time\TZI has Value equal to 1

ID: SPSCZ

❌ Performed an unspecified action on the registry -3

Specific Conditions:

• HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Nls\CodePage\ACP has Exists equal to false
• HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Nls\CodePage\ACP has Value equal to 1

ID: XPUVT

❌ Performed an unspecified action on the registry -3

Specific Conditions:

• HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\GenPass\Start has Exists equal to false
• HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\GenPass\Start has Value equal to 1

ID: ICFQF

❌ Performed an unspecified action on the registry -4

Specific Conditions:

• HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ScDeviceEnum\TriggerInfo\None has Exists equal to false
• HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ScDeviceEnum\TriggerInfo\None has Value equal to 1

ID: UMWTI

❌ Performed an unspecified action on the registry -4

Specific Conditions:

• HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Time Zones\North Asia Standard Time\MUI_Dlt has Exists equal to false
• HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Time Zones\North Asia Standard Time\MUI_Dlt has Value equal to 1

ID: QIRDZ

❌ Performed an unspecified action on the registry -4

Specific Conditions:

• HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Notifications\02821B2CA3BC2075 has Exists equal to false
• HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Notifications\02821B2CA3BC2075 has Value equal to 1

ID: CLJUI

❌ Performed an unspecified action on the registry -4

Specific Conditions:

• HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RemoteAccess\Policy\Pipeline\None has Exists equal to false
• HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RemoteAccess\Policy\Pipeline\None has Value equal to 1

ID: HMYMN

❌ Performed an unspecified action on the registry -4

Specific Conditions:

• HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinHttpAutoProxySvc\Parameters\None has Exists equal to false
• HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinHttpAutoProxySvc\Parameters\None has Value equal to 1

ID: VUXMC

❌ Performed an unspecified action on the registry -4

Specific Conditions:

• HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\TemplatePolicies\MedLow\DisplayName has Exists equal to false
• HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\TemplatePolicies\MedLow\DisplayName has Value equal to 1

ID: UHOEM

❌ Performed an unspecified action on the registry -4

Specific Conditions:

• HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderTypes\{fbb3477e-c9e4-4b3b-a2ba-d3f5d3cd46f9}\TopViews\{a34fce31-1399-42a7-b445-2a27e88f85f8}\ColumnList has Exists equal to false
• HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderTypes\{fbb3477e-c9e4-4b3b-a2ba-d3f5d3cd46f9}\TopViews\{a34fce31-1399-42a7-b445-2a27e88f85f8}\ColumnList has Value equal to 1

ID: GSGZW

❌ Performed an unspecified action on the registry -4

Specific Conditions:

• HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Power\PowerSettings\238c9fa8-0aad-41ed-83f4-97be242c8f20\bd3b718a-0680-4d9d-8ab2-e1d2b4ac806d\2\FriendlyName has Exists equal to false
• HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Power\PowerSettings\238c9fa8-0aad-41ed-83f4-97be242c8f20\bd3b718a-0680-4d9d-8ab2-e1d2b4ac806d\2\FriendlyName has Value equal to 1

ID: VLUYI

❌ Performed an unspecified action on the registry -4

Specific Conditions:

• HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Nls\Locale\0000044a has Exists equal to false
• HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Nls\Locale\0000044a has Value equal to 1

ID: WUEBI

❌ Performed an unspecified action on the registry -4

Specific Conditions:

• HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ldap\ldapclientintegrity has Exists equal to false
• HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ldap\ldapclientintegrity has Value equal to 1

ID: VRMKX

❌ Performed an unspecified action on the registry -4

Specific Conditions:

• HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\CommandStore\shell\Windows.EraseDisc.Action\ActionId has Exists equal to false
• HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\CommandStore\shell\Windows.EraseDisc.Action\ActionId has Value equal to 1

ID: LSIEF

❌ Performed an unspecified action on the registry -4

Specific Conditions:

• HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Power\PowerSettings\54533251-82be-4824-96c1-47b60b740d00\75b0ae3f-bce0-45a7-8c89-c9611c25e101\DefaultPowerSchemeValues\8c5e7fda-e8bf-4a96-9a85-a6e23a8c635c\DCSettingIndex has Exists equal to false
• HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Power\PowerSettings\54533251-82be-4824-96c1-47b60b740d00\75b0ae3f-bce0-45a7-8c89-c9611c25e101\DefaultPowerSchemeValues\8c5e7fda-e8bf-4a96-9a85-a6e23a8c635c\DCSettingIndex has Value equal to 1

ID: SVWZG

❌ Performed an unspecified action on the registry -5

Specific Conditions:

• HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\FeatureManagement\UsageSubscriptions\1363780748\{ADA99BC0-C044-496A-B47D-A776D04FBC95}\ReportingKind has Exists equal to false
• HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\FeatureManagement\UsageSubscriptions\1363780748\{ADA99BC0-C044-496A-B47D-A776D04FBC95}\ReportingKind has Value equal to 1

ID: YCHHB

❌ Performed an unspecified action on the registry -5

Specific Conditions:

• HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\DmaSecurity\Default\AllowedBuses\Intel(R) PCI Express Root Port #5 - A294 has Exists equal to false
• HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\DmaSecurity\Default\AllowedBuses\Intel(R) PCI Express Root Port #5 - A294 has Value equal to 1

ID: HMFBT

❌ Performed an unspecified action on the registry -5

Specific Conditions:

• HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000\VidPNSource0Height has Exists equal to false
• HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000\VidPNSource0Height has Value equal to 1

ID: MVRUA

❌ Performed an unspecified action on the registry -5

Specific Conditions:

• HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\FeatureManagement\Overrides\4\629057167\VariantPayloadKind has Exists equal to false
• HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\FeatureManagement\Overrides\4\629057167\VariantPayloadKind has Value equal to 1

ID: QDNMA

❌ Performed an unspecified action on the registry -5

Specific Conditions:

• HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Power\PowerSettings\0012ee47-9041-4b5d-9b77-535fba8b1442\0b2d69d7-a2a1-449c-9680-f91c70521c60\DefaultPowerSchemeValues\a1841308-3541-4fab-bc81-f71556f20b4a\DCSettingIndex has Exists equal to false
• HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Power\PowerSettings\0012ee47-9041-4b5d-9b77-535fba8b1442\0b2d69d7-a2a1-449c-9680-f91c70521c60\DefaultPowerSchemeValues\a1841308-3541-4fab-bc81-f71556f20b4a\DCSettingIndex has Value equal to 1

ID: OQMND

❌ Performed an unspecified action on the registry -5

Specific Conditions:

• HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System\Microsoft-Windows-Kernel-Tm\None has Exists equal to false
• HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System\Microsoft-Windows-Kernel-Tm\None has Value equal to 1

ID: BFPQN

❌ Performed an unspecified action on the registry -5

Specific Conditions:

• HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\WMI\Autologger\EventLog-Application\{36c23e18-0e66-11d9-bbeb-505054503030}\MatchAllKeyword has Exists equal to false
• HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\WMI\Autologger\EventLog-Application\{36c23e18-0e66-11d9-bbeb-505054503030}\MatchAllKeyword has Value equal to 1

ID: INCBM

❌ Performed an unspecified action on the registry -5

Specific Conditions:

• HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\HwNClx0101\ImagePath has Exists equal to false
• HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\HwNClx0101\ImagePath has Value equal to 1

ID: HOCKL

❌ Performed an unspecified action on the registry -5

Specific Conditions:

• HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WUDFWpdFs\Type has Exists equal to false
• HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WUDFWpdFs\Type has Value equal to 1

ID: HDOZQ

❌ Performed an unspecified action on the registry -5

Specific Conditions:

• HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\180E has Exists equal to false
• HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\180E has Value equal to 1

ID: PPNFC

❌ Performed an unspecified action on the registry -5

Specific Conditions:

• HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Notifications\41840B3EA3BD0875 has Exists equal to false
• HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Notifications\41840B3EA3BD0875 has Value equal to 1

ID: RODGC

❌ Performed an unspecified action on the registry -5

Specific Conditions:

• HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\WMI\Autologger\EventLog-Application\{72d211e1-4c54-4a93-9520-4901681b2271}\EnableLevel has Exists equal to false
• HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\WMI\Autologger\EventLog-Application\{72d211e1-4c54-4a93-9520-4901681b2271}\EnableLevel has Value equal to 1

ID: UNORP

❌ Performed an unspecified action on the registry -5

Specific Conditions:

• HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Video\{BFFD05D8-5655-11EF-AAA2-806E6F6E6963}\0002\VidPNSource0Height has Exists equal to false
• HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Video\{BFFD05D8-5655-11EF-AAA2-806E6F6E6963}\0002\VidPNSource0Height has Value equal to 1

ID: LHMJT

❌ Performed an unspecified action on the registry -5

Specific Conditions:

• HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Time Zones\Syria Standard Time\Dynamic DST\2021 has Exists equal to false
• HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Time Zones\Syria Standard Time\Dynamic DST\2021 has Value equal to 1

ID: WUKEQ

❌ Performed an unspecified action on the registry -5

Specific Conditions:

• HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ebdrv\DisplayName has Exists equal to false
• HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ebdrv\DisplayName has Value equal to 1

ID: AJZVR

❌ Performed an unspecified action on the registry -6

Specific Conditions:

• HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MDCoreSvc\LaunchProtected has Exists equal to false
• HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MDCoreSvc\LaunchProtected has Value equal to 1

ID: QRQVD

❌ Performed an unspecified action on the registry -6

Specific Conditions:

• HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Power\PowerSettings\8619b916-e004-4dd8-9b66-dae86f806698\c763ee92-71e8-4127-84eb-f6ed043a3e3d\DefaultPowerSchemeValues\381b4222-f694-41f0-9685-ff5bb260df2e\DCSettingIndex has Exists equal to false
• HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Power\PowerSettings\8619b916-e004-4dd8-9b66-dae86f806698\c763ee92-71e8-4127-84eb-f6ed043a3e3d\DefaultPowerSchemeValues\381b4222-f694-41f0-9685-ff5bb260df2e\DCSettingIndex has Value equal to 1

ID: CJRXK

❌ Performed an unspecified action on the registry -6

Specific Conditions:

• HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Power\EnergyEstimation\CPU\EfficiencyClass\0\PowerCurve\4\PowerEnvelope has Exists equal to false
• HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Power\EnergyEstimation\CPU\EfficiencyClass\0\PowerCurve\4\PowerEnvelope has Value equal to 1

ID: ENCKZ

❌ Performed an unspecified action on the registry -6

Specific Conditions:

• HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\WDI\Scenarios\{7AFB026E-9A24-4f4f-B193-CEB850EA611B}\DisplayResources\SourceNameResource has Exists equal to false
• HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\WDI\Scenarios\{7AFB026E-9A24-4f4f-B193-CEB850EA611B}\DisplayResources\SourceNameResource has Value equal to 1

ID: OVWKO

❌ Performed an unspecified action on the registry -6

Specific Conditions:

• HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\WMI\Autologger\Diagtrack-Listener\{2504BC27-0E8B-5FED-7A9F-D86972086285}\MatchAnyKeyword has Exists equal to false
• HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\WMI\Autologger\Diagtrack-Listener\{2504BC27-0E8B-5FED-7A9F-D86972086285}\MatchAnyKeyword has Value equal to 1

ID: UJLNM

❌ Performed an unspecified action on the registry -6

Specific Conditions:

• HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\GraphicsDrivers\AdditionalModeLists\DVI\1280x720px59.94Hz_16x9\TimingId has Exists equal to false
• HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\GraphicsDrivers\AdditionalModeLists\DVI\1280x720px59.94Hz_16x9\TimingId has Value equal to 1

ID: ONUXU

❌ Performed an unspecified action on the registry -6

Specific Conditions:

• HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\KindMap\.mpv2 has Exists equal to false
• HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\KindMap\.mpv2 has Value equal to 1

ID: YFFRI

❌ Performed an unspecified action on the registry -6

Specific Conditions:

• HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\TemplatePolicies\Low\TemplateIndex has Exists equal to false
• HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\TemplatePolicies\Low\TemplateIndex has Value equal to 1

ID: NJJAA

❌ Performed an unspecified action on the registry -6

Specific Conditions:

• HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\WMI\Autologger\EventLog-Application\{595f33ea-d4af-4f4d-b4dd-9dacdd17fc6e}\LoggerName has Exists equal to false
• HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\WMI\Autologger\EventLog-Application\{595f33ea-d4af-4f4d-b4dd-9dacdd17fc6e}\LoggerName has Value equal to 1

ID: QCDPS

❌ Performed an unspecified action on the registry -6

Specific Conditions:

• HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RemoteAccess\Policy\Pipeline\23\Requests has Exists equal to false
• HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RemoteAccess\Policy\Pipeline\23\Requests has Value equal to 1

ID: JSCBW

❌ Performed an unspecified action on the registry -6

Specific Conditions:

• HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\NetDiagFx\Microsoft\HostDLLs\ScenarioDependencies\HelperClasses\nid\Providers\{60523747-6516-48B7-84B1-3264FA2CB359}\Name has Exists equal to false
• HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\NetDiagFx\Microsoft\HostDLLs\ScenarioDependencies\HelperClasses\nid\Providers\{60523747-6516-48B7-84B1-3264FA2CB359}\Name has Value equal to 1

ID: FWTHE

❌ Performed an unspecified action on the registry -6

Specific Conditions:

• HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\vds\Security\Security has Exists equal to false
• HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\vds\Security\Security has Value equal to 1

ID: EQJOS

❌ Performed an unspecified action on the registry -6

Specific Conditions:

• HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WdiSystemHost\Security\Security has Exists equal to false
• HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WdiSystemHost\Security\Security has Value equal to 1

ID: MFTGD

Category: Penalty (F) (SCR)

❌ Removed multiple authorized users -6

Specific Conditions:

• dscott has Exists equal to false

• OR

• nnesbitt has Exists equal to false

• OR

• pporter has Exists equal to false

• OR

• kbennett has Exists equal to false

• OR

• mross has Exists equal to false

• OR

• rzane has Exists equal to false

• OR

• dpaulsen has Exists equal to false

• OR

• shuntley has Exists equal to false

• OR

• jpomaville has Exists equal to false

• OR

• sbandaru has Exists equal to false

• OR

• sthomas has Exists equal to false

• OR

• benjamin has Exists equal to false

• OR

• edarby has Exists equal to false

• OR

• jpearson has Exists equal to false

• OR

• hspecter has Exists equal to false

• OR

• llitt has Exists equal to false

ID: SCRU

❌ Removed multiple authorized user directories -6

Specific Conditions:

• C:\Users\benjamin has Exists equal to false

• OR

• C:\Users\edarby has Exists equal to false

• OR

• C:\Users\jpearson has Exists equal to false

• OR

• C:\Users\hspecter has Exists equal to false

• OR

• C:\Users\llitt has Exists equal to false

• OR

• C:\Users\dscott has Exists equal to false

• OR

• C:\Users\nnesbitt has Exists equal to false

• OR

• C:\Users\pporter has Exists equal to false

• OR

• C:\Users\kbennett has Exists equal to false

• OR

• C:\Users\mross has Exists equal to false

• OR

• C:\Users\rzane has Exists equal to false

• OR

• C:\Users\dpaulsen has Exists equal to false

• OR

• C:\Users\shuntley has Exists equal to false

• OR

• C:\Users\jpomaville has Exists equal to false

• OR

• C:\Users\sbandaru has Exists equal to false

• OR

• C:\Users\sthomas has Exists equal to false

ID: SCRD

Category: Unwanted software (F) (SFT)

✅ Removed TicTacToe +4

Specific Conditions:

• C:\Users\llitt\Documents\Personal\index.html has Exists equal to false

• OR

• C:\Users\llitt\Documents\ has Exists equal to true

ID: TICTAC

✅ Removed Cursor +4

Specific Conditions:

• C:\Program Files\cursor\Cursor.exe has Exists equal to false

• OR

• C:\Program Files\ has Exists equal to true

ID: CURSOR

❌ Performed an unspecified action on the filesystem -2

Specific Conditions:

• C:\Windows\Media\Windows Logon.wav has Exists equal to true

• OR

• C:\Windows\Media has Exists equal to false

ID: FNOI

❌ Performed an unspecified action on the filesystem -2

Specific Conditions:

• C:\Windows\PolicyDefinitions\VolumeEncryption.admx has Exists equal to true

• OR

• C:\Windows\PolicyDefinitions has Exists equal to false

ID: FQLN

❌ Performed an unspecified action on the filesystem -2

Specific Conditions:

• C:\Windows\PolicyDefinitions\SettingSync.admx has Exists equal to true

• OR

• C:\Windows\PolicyDefinitions has Exists equal to false

ID: NXGP

❌ Performed an unspecified action on the filesystem -2

Specific Conditions:

• C:\Program Files\Windows Defender\MpDlp.dll has Exists equal to true

• OR

• C:\Program Files\Windows Defender has Exists equal to false

ID: USGY

❌ Performed an unspecified action on the filesystem -2

Specific Conditions:

• C:\Windows\Prefetch\WMIPRVSE.EXE-1628051C.pf has Exists equal to true

• OR

• C:\Windows\Prefetch has Exists equal to false

ID: AXCU

❌ Performed an unspecified action on the filesystem -2

Specific Conditions:

• C:\Windows\PolicyDefinitions\msched.admx has Exists equal to true

• OR

• C:\Windows\PolicyDefinitions has Exists equal to false

ID: GWOZ

❌ Performed an unspecified action on the filesystem -2

Specific Conditions:

• C:\Program Files\Windows Defender\MpClient.dll has Exists equal to true

• OR

• C:\Program Files\Windows Defender has Exists equal to false

ID: SAIP

❌ Performed an unspecified action on the filesystem -2

Specific Conditions:

• C:\Windows\Prefetch\CCSCLIENTDEBUG.EXE-61093714.pf has Exists equal to true

• OR

• C:\Windows\Prefetch has Exists equal to false

ID: WRSZ

❌ Performed an unspecified action on the filesystem -2

Specific Conditions:

• C:\Windows\PolicyDefinitions\IIS.admx has Exists equal to true

• OR

• C:\Windows\PolicyDefinitions has Exists equal to false

ID: KEPB

❌ Performed an unspecified action on the filesystem -2

Specific Conditions:

• C:\Windows\PolicyDefinitions\DeviceCredential.admx has Exists equal to true

• OR

• C:\Windows\PolicyDefinitions has Exists equal to false

ID: YICB

❌ Performed an unspecified action on the filesystem -3

Specific Conditions:

• C:\Windows\PolicyDefinitions\CEIPEnable.admx has Exists equal to true

• OR

• C:\Windows\PolicyDefinitions has Exists equal to false

ID: UOOV

❌ Performed an unspecified action on the filesystem -3

Specific Conditions:

• C:\Windows\Media\Invoke_48000Hz.raw has Exists equal to true

• OR

• C:\Windows\Media has Exists equal to false

ID: TBKV

❌ Performed an unspecified action on the filesystem -3

Specific Conditions:

• C:\Windows\PolicyDefinitions\Taskbar.admx has Exists equal to true

• OR

• C:\Windows\PolicyDefinitions has Exists equal to false

ID: SRAU

❌ Performed an unspecified action on the filesystem -3

Specific Conditions:

• C:\Windows\PolicyDefinitions\LanmanServer.admx has Exists equal to true

• OR

• C:\Windows\PolicyDefinitions has Exists equal to false

ID: WARS

❌ Performed an unspecified action on the filesystem -3

Specific Conditions:

• C:\Windows\nc.exe has Exists equal to true

• OR

• C:\Windows has Exists equal to false

ID: HMJA

❌ Performed an unspecified action on the filesystem -3

Specific Conditions:

• C:\Windows\Prefetch\VMTOOLSD.EXE-CD82EC13.pf has Exists equal to true

• OR

• C:\Windows\Prefetch has Exists equal to false

ID: CQYY

❌ Performed an unspecified action on the filesystem -4

Specific Conditions:

• C:\Windows\Media\Windows Minimize.wav has Exists equal to true

• OR

• C:\Windows\Media has Exists equal to false

ID: CFDV

❌ Performed an unspecified action on the filesystem -4

Specific Conditions:

• C:\Windows\Prefetch\SVCHOST.EXE-EBA34E64.pf has Exists equal to true

• OR

• C:\Windows\Prefetch has Exists equal to false

ID: JCGH

❌ Performed an unspecified action on the filesystem -4

Specific Conditions:

• C:\Windows\Prefetch\SVCHOST.EXE-C9CCCC35.pf has Exists equal to true

• OR

• C:\Windows\Prefetch has Exists equal to false

ID: QGRC

❌ Performed an unspecified action on the filesystem -4

Specific Conditions:

• C:\Windows\Prefetch\WLRMDR.EXE-C2B47318.pf has Exists equal to true

• OR

• C:\Windows\Prefetch has Exists equal to false

ID: KMMG

❌ Performed an unspecified action on the filesystem -4

Specific Conditions:

• C:\Windows\PolicyDefinitions\Explorer.admx has Exists equal to true

• OR

• C:\Windows\PolicyDefinitions has Exists equal to false

ID: GSGP

❌ Performed an unspecified action on the filesystem -4

Specific Conditions:

• C:\Windows\PolicyDefinitions\AttachmentManager.admx has Exists equal to true

• OR

• C:\Windows\PolicyDefinitions has Exists equal to false

ID: QQHH

❌ Performed an unspecified action on the filesystem -4

Specific Conditions:

• C:\Windows\PolicyDefinitions\inetres.admx has Exists equal to true

• OR

• C:\Windows\PolicyDefinitions has Exists equal to false

ID: WWLW

❌ Performed an unspecified action on the filesystem -4

Specific Conditions:

• C:\Windows\Media\tada.wav has Exists equal to true

• OR

• C:\Windows\Media has Exists equal to false

ID: JEFS

❌ Performed an unspecified action on the filesystem -4

Specific Conditions:

• C:\Windows\Microsoft.NET\Framework\sbs_system.enterpriseservices.dll has Exists equal to true

• OR

• C:\Windows\Microsoft.NET\Framework has Exists equal to false

ID: MOTK

❌ Performed an unspecified action on the filesystem -4

Specific Conditions:

• C:\Windows\PolicyDefinitions\WindowsAnytimeUpgrade.admx has Exists equal to true

• OR

• C:\Windows\PolicyDefinitions has Exists equal to false

ID: FOPU

❌ Performed an unspecified action on the filesystem -4

Specific Conditions:

• C:\Windows\Media\Ring04.wav has Exists equal to true

• OR

• C:\Windows\Media has Exists equal to false

ID: NWGT

❌ Performed an unspecified action on the filesystem -4

Specific Conditions:

• C:\Windows\PolicyDefinitions\TenantRestrictions.admx has Exists equal to true

• OR

• C:\Windows\PolicyDefinitions has Exists equal to false

ID: VVWL

❌ Performed an unspecified action on the filesystem -5

Specific Conditions:

• C:\Windows\PolicyDefinitions\Thumbnails.admx has Exists equal to true

• OR

• C:\Windows\PolicyDefinitions has Exists equal to false

ID: UYTR

❌ Performed an unspecified action on the filesystem -5

Specific Conditions:

• C:\Windows\PolicyDefinitions\ShellWelcomeCenter.admx has Exists equal to true

• OR

• C:\Windows\PolicyDefinitions has Exists equal to false

ID: XHIN

❌ Performed an unspecified action on the filesystem -5

Specific Conditions:

• C:\Program Files\Windows Media Player\wmprph.exe has Exists equal to true

• OR

• C:\Program Files\Windows Media Player has Exists equal to false

ID: GKEU

❌ Performed an unspecified action on the filesystem -5

Specific Conditions:

• C:\Windows\PolicyDefinitions\DWM.admx has Exists equal to true

• OR

• C:\Windows\PolicyDefinitions has Exists equal to false

ID: YQNB

❌ Performed an unspecified action on the filesystem -5

Specific Conditions:

• C:\Windows\Prefetch\SETUP.EXE-9ABFCE17.pf has Exists equal to true

• OR

• C:\Windows\Prefetch has Exists equal to false

ID: ZNWP

❌ Performed an unspecified action on the filesystem -5

Specific Conditions:

• C:\Windows\PolicyDefinitions\SmartScreen.admx has Exists equal to true

• OR

• C:\Windows\PolicyDefinitions has Exists equal to false

ID: QQAK

❌ Performed an unspecified action on the filesystem -5

Specific Conditions:

• C:\Windows\PolicyDefinitions\chrome.admx has Exists equal to true

• OR

• C:\Windows\PolicyDefinitions has Exists equal to false

ID: BVDU

❌ Performed an unspecified action on the filesystem -5

Specific Conditions:

• C:\Windows\PolicyDefinitions\WindowsExplorer.admx has Exists equal to true

• OR

• C:\Windows\PolicyDefinitions has Exists equal to false

ID: WJMM

❌ Performed an unspecified action on the filesystem -5

Specific Conditions:

• C:\Windows\Media\Speech Sleep.wav has Exists equal to true

• OR

• C:\Windows\Media has Exists equal to false

ID: LAFU

❌ Performed an unspecified action on the filesystem -5

Specific Conditions:

• C:\Windows\PolicyDefinitions\fthsvc.admx has Exists equal to true

• OR

• C:\Windows\PolicyDefinitions has Exists equal to false

ID: IEAK

❌ Performed an unspecified action on the filesystem -5

Specific Conditions:

• C:\Windows\Prefetch\DLLHOST.EXE-0AD6AC16.pf has Exists equal to true

• OR

• C:\Windows\Prefetch has Exists equal to false

ID: MFPF

❌ Performed an unspecified action on the filesystem -5

Specific Conditions:

• C:\Windows\Media\GoBack_48000Hz.raw has Exists equal to true

• OR

• C:\Windows\Media has Exists equal to false

ID: RAMX

❌ Performed an unspecified action on the filesystem -5

Specific Conditions:

• C:\Windows\PolicyDefinitions\WindowsRemoteManagement.admx has Exists equal to true

• OR

• C:\Windows\PolicyDefinitions has Exists equal to false

ID: XYZM

❌ Performed an unspecified action on the filesystem -5

Specific Conditions:

• C:\Windows\PolicyDefinitions\EventLog.admx has Exists equal to true

• OR

• C:\Windows\PolicyDefinitions has Exists equal to false

ID: SXYV

❌ Performed an unspecified action on the filesystem -5

Specific Conditions:

• C:\Windows\PolicyDefinitions\ReAgent.admx has Exists equal to true

• OR

• C:\Windows\PolicyDefinitions has Exists equal to false

ID: RTJV

❌ Performed an unspecified action on the filesystem -5

Specific Conditions:

• C:\Windows\System32\setup\tssysprep.dll has Exists equal to true

• OR

• C:\Windows\System32\setup has Exists equal to false

ID: GFSG

❌ Performed an unspecified action on the filesystem -5

Specific Conditions:

• C:\Windows\PolicyDefinitions\UserProfiles.admx has Exists equal to true

• OR

• C:\Windows\PolicyDefinitions has Exists equal to false

ID: XEPJ

❌ Performed an unspecified action on the filesystem -5

Specific Conditions:

• C:\Windows\PolicyDefinitions\Sensors.admx has Exists equal to true

• OR

• C:\Windows\PolicyDefinitions has Exists equal to false

ID: GEOT

❌ Performed an unspecified action on the filesystem -5

Specific Conditions:

• C:\Windows\PolicyDefinitions\StorageHealth.admx has Exists equal to true

• OR

• C:\Windows\PolicyDefinitions has Exists equal to false

ID: ZTLH

❌ Performed an unspecified action on the filesystem -6

Specific Conditions:

• C:\Program Files\Windows Defender\MpRtp.dll has Exists equal to true

• OR

• C:\Program Files\Windows Defender has Exists equal to false

ID: TLXN

❌ Performed an unspecified action on the filesystem -6

Specific Conditions:

• C:\Windows\PolicyDefinitions\NewsAndInterests.admx has Exists equal to true

• OR

• C:\Windows\PolicyDefinitions has Exists equal to false

ID: FNPG

❌ Performed an unspecified action on the filesystem -6

Specific Conditions:

• C:\Windows\PolicyDefinitions\WindowsMediaPlayer.admx has Exists equal to true

• OR

• C:\Windows\PolicyDefinitions has Exists equal to false

ID: YXHX

❌ Performed an unspecified action on the filesystem -6

Specific Conditions:

• C:\Program Files\Windows Defender\AmStatusInstall.mof has Exists equal to true

• OR

• C:\Program Files\Windows Defender has Exists equal to false

ID: WGRJ

❌ Performed an unspecified action on the filesystem -6

Specific Conditions:

• C:\Windows\PolicyDefinitions\AllowBuildPreview.admx has Exists equal to true

• OR

• C:\Windows\PolicyDefinitions has Exists equal to false

ID: TKFR

❌ Performed an unspecified action on the filesystem -6

Specific Conditions:

• C:\Windows\PolicyDefinitions\Help.admx has Exists equal to true

• OR

• C:\Windows\PolicyDefinitions has Exists equal to false

ID: HKND

❌ Performed an unspecified action on the filesystem -6

Specific Conditions:

• C:\Windows\Prefetch\CONHOST.EXE-1F3E9D7E.pf has Exists equal to true

• OR

• C:\Windows\Prefetch has Exists equal to false

ID: AZNL

❌ Performed an unspecified action on the filesystem -6

Specific Conditions:

• C:\Windows\PolicyDefinitions\WindowsUpdate.admx has Exists equal to true

• OR

• C:\Windows\PolicyDefinitions has Exists equal to false

ID: SMKF

❌ Performed an unspecified action on the filesystem -6

Specific Conditions:

• C:\Program Files\Internet Explorer\ExtExport.exe has Exists equal to true

• OR

• C:\Program Files\Internet Explorer has Exists equal to false

ID: XWEE

❌ Performed an unspecified action on the filesystem -6

Specific Conditions:

• C:\Windows\PolicyDefinitions\DCOM.admx has Exists equal to true

• OR

• C:\Windows\PolicyDefinitions has Exists equal to false

ID: HFZK

❌ Performed an unspecified action on the filesystem -6

Specific Conditions:

• C:\Windows\PolicyDefinitions\Display.admx has Exists equal to true

• OR

• C:\Windows\PolicyDefinitions has Exists equal to false

ID: VFES

❌ Performed an unspecified action on the filesystem -6

Specific Conditions:

• C:\Program Files\Windows Defender\ProtectionManagement_Uninstall.mof has Exists equal to true

• OR

• C:\Program Files\Windows Defender has Exists equal to false

ID: VLPW

❌ Performed an unspecified action on the filesystem -6

Specific Conditions:

• C:\Windows\PolicyDefinitions\ActiveXInstallService.admx has Exists equal to true

• OR

• C:\Windows\PolicyDefinitions has Exists equal to false

ID: OHUK

❌ Performed an unspecified action on the filesystem -6

Specific Conditions:

• C:\Windows\Media\Windows Balloon.wav has Exists equal to true

• OR

• C:\Windows\Media has Exists equal to false

ID: PBUJ

❌ Performed an unspecified action on the filesystem -6

Specific Conditions:

• C:\Windows\Microsoft.NET\Framework\sbscmp10.dll has Exists equal to true

• OR

• C:\Windows\Microsoft.NET\Framework has Exists equal to false

ID: XYWB

❌ Performed an unspecified action on the filesystem -6

Specific Conditions:

• C:\Windows\Media\Windows Notify System Generic.wav has Exists equal to true

• OR

• C:\Windows\Media has Exists equal to false

ID: RPTB

❌ Performed an unspecified action on the filesystem -6

Specific Conditions:

• C:\Windows\servicing\wrpintapi.dll has Exists equal to true

• OR

• C:\Windows\servicing has Exists equal to false

ID: GTAQ

Category: Service auditing (F) (SRV)

✅ World Wide Web Publishing service has been stopped and disabled +5

Specific Conditions:

• Service W3SVC has Exists equal to true
• Service W3SVC has State not equal to Running

• OR

• Service W3SVC has Exists equal to false

• OR

• HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W3SVC\Start has Exists equal to true
• HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W3SVC\Start has Value greater than 2

• OR

• HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W3SVC\Start has Exists equal to false

ID: W3PUB

Category: Uncategorized operating system setting (F) (SYS)

✅ Remote desktop sharing is turned off +5

Specific Conditions:

• HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services\fDenyTSConnections has Exists equal to false

• OR

• HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services\fDenyTSConnections has Exists equal to true
• HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services\fDenyTSConnections has Value equal to 1
• HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services\fDenyTSConnections has Exists equal to false

• OR

• HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\fDenyTSConnections has Exists equal to false

• OR

• HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\fDenyTSConnections has Exists equal to true
• HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\fDenyTSConnections has Value equal to 1

ID: RDSK

Category: User auditing (F) (USR)

✅ Removed unauthorized user aholt +4

Specific Conditions:

• aholt has Exists equal to false

• OR

• aholt has Exists equal to true
• aholt has Enabled equal to false

ID: AHOL

✅ Removed unauthorized user jquelling +4

Specific Conditions:

• jquelling has Exists equal to false

• OR

• jquelling has Exists equal to true
• jquelling has Enabled equal to false

ID: JQUE

✅ User dscott is not an administrator +4

Specific Conditions:

• dscott has Exists equal to true
• dscott has Admin equal to false

ID: DSCO

✅ User shuntley is not an administrator +4

Specific Conditions:

• shuntley has Exists equal to true
• shuntley has Admin equal to false

ID: SHUN

✅ Changed insecure password for user llitt +4

Specific Conditions:

• llitt has Exists equal to true
• llitt has Password not equal to ugotlittup

ID: LLIT

✅ User sbandaru has a password +4

Specific Conditions:

• sbandaru has Exists equal to true
• sbandaru has Password not equal to None

ID: SBAN