SpecterOps · rvazarkar · Mar 28, 2025 · Mar 26, 2025 · Mar 26, 2025 · Mar 26, 2025
diff --git a/src/CommonLib/OutputTypes/Computer.cs b/src/CommonLib/OutputTypes/Computer.cs
@@ -60,9 +60,6 @@ public override string ToString() {
 
     public class SmbInfo {
         public bool? SigningEnabled;
-        public string OsVersion;
-        public string OsBuild;
-        public string DnsComputerName { get; internal set; }
     }
 
     public class DCRegistryData {

diff --git a/src/CommonLib/OutputTypes/RegistryData.cs b/src/CommonLib/OutputTypes/RegistryData.cs
@@ -9,6 +9,9 @@ public class RegistryData {
     public uint? NtlmMinServerSec { get; set; } = null;
     public uint? NtlmMinClientSec { get; set; } = null;
     public uint? LmCompatibilityLevel { get; set; } = null;
-    public uint? UseMachine { get; set; } = null;
+    public uint? UseMachineId { get; set; } = null;
+    public uint? RequireSecuritySignature { get; set; } = null;
+    public uint? EnableSecuritySignature { get; set; } = null;
+    public string[]? ClientAllowedNTLMServers { get; set; } = null;
 }
 #nullable disable
diff --git a/src/CommonLib/Processors/CAEnrollmentProcessor.cs b/src/CommonLib/Processors/CAEnrollmentProcessor.cs
@@ -165,7 +165,7 @@ private async Task<APIResult<CAEnrollmentEndpoint>> GetNtlmEndpoint(Uri url, boo
                         return APIResult<CAEnrollmentEndpoint>.Success(output);
                     }
 
-                    Console.WriteLine($"WebException occurred: {ex}");
+                    _logger.LogError($"WebException occurred: {ex}");
 
                     return APIResult<CAEnrollmentEndpoint>
                         .Failure(

diff --git a/src/CommonLib/Processors/RegistryProcessor.cs b/src/CommonLib/Processors/RegistryProcessor.cs
@@ -26,18 +26,25 @@ public RegistryProcessor(ILogger log, string domain) {
         ];
 
         _queries = [
-            RegistryQuery.ForKey(RegistryHive.LocalMachine, @"System\CurrentControlSet\Control\Lsa\MSV1_0")
+            RegistryQuery.ForKey(RegistryHive.LocalMachine, @"SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0")
                 .WithValues([
-                    "NtlmMinClientSec",
-                    "NtlmMinServerSec",
-                    "RestrictReceivingNTLMTraffic",
-                    "RestrictSendingNTLMTraffic",
+                    "ClientAllowedNTLMServers",     // Network security: Restrict NTLM: Add remote server exceptions for NTLM authentication
+                    "NtlmMinClientSec",             // Network security: Minimum session security for NTLM SSP based (including secure RPC) clients
+                    "NtlmMinServerSec",             // Network security: Minimum session security for NTLM SSP based (including secure RPC) servers
+                    "RestrictReceivingNTLMTraffic", // Network security: Restrict NTLM: Incoming NTLM traffic
+                    "RestrictSendingNTLMTraffic",   // Network security: Restrict NTLM: Outgoing NTLM traffic to remote servers
                 ]),
 
-            RegistryQuery.ForKey(RegistryHive.LocalMachine, @"System\CurrentControlSet\Control\Lsa\")
+            RegistryQuery.ForKey(RegistryHive.LocalMachine, @"SYSTEM\CurrentControlSet\Control\Lsa\")
                 .WithValues([
-                    "LMCompatibilityLevel",
-                    "UseMachineId"
+                    "LMCompatibilityLevel",         // Network security: LAN Manager authentication level
+                    "UseMachineId"                  // Network security: Allow Local System to use computer identity for NTLM
+                ]),
+
+            RegistryQuery.ForKey(RegistryHive.LocalMachine, @"SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters")
+                .WithValues([
+                    "EnableSecuritySignature",      // Microsoft network client: Digitally sign communications (if server agrees) 
+                    "RequireSecuritySignature",     // Microsoft network client: Digitally sign communications (always)
                 ])
         ];
     }
@@ -57,6 +64,9 @@ public async Task<APIResult<RegistryData>> ReadRegistrySettings(string targetMac
 
                 var name = key.ValueName;
                 switch (name) {
+                    case "ClientAllowedNTLMServers":
+                        output.ClientAllowedNTLMServers = (string[])key.Value;
+                        break;
                     case "NtlmMinClientSec":
                         output.NtlmMinClientSec = Convert.ToUInt32(key.Value);
                         break;
@@ -73,7 +83,13 @@ public async Task<APIResult<RegistryData>> ReadRegistrySettings(string targetMac
                         output.LmCompatibilityLevel = Convert.ToUInt32(key.Value);
                         break;
                     case "UseMachineId":
-                        output.UseMachine = Convert.ToUInt32(key.Value);
+                        output.UseMachineId = Convert.ToUInt32(key.Value);
+                        break;
+                    case "RequireSecuritySignature":
+                        output.RequireSecuritySignature = Convert.ToUInt32(key.Value);
+                        break;
+                    case "EnableSecuritySignature":
+                        output.EnableSecuritySignature = Convert.ToUInt32(key.Value);
                         break;
                 }
             }