Table Of Contents
- WINDOWS
- DISABLE/STOP SERVICES
- HOST SYSTEM FIREWALLS
- PASSWORDS
- HOST FILE
- WHITELIST
- APPLICATION RESTRICTIONS
- IPSEC
- ACTIVE DIRECTORY (AD) - GROUP POLICY OBJECT (GPO)
- STAND ALONE SYSTEM - WITHOUT ACTIVE DIRECTORY (AD)
WINDOWS
DISABLE/STOP SERVICES
Get a list of services and disable or stop:
sc query
sc config "<SERVICE NAME>" start= disabled
sc stop "<SERVICE NAME>"
wmic service where name='<SERVICE NAME>' call ChangeStartmode Disabled
HOST SYSTEM FIREWALLS
Show all rules:
netsh advfirewall firewall show rule name=all
Set firewall on/off:
netsh advfirewall set currentprofile state on
netsh advfirewall set currentprofile firewallpolicy blockinboundalways,allowoutbound
netsh advfirewall set publicprofile state on
netsh advfirewall set privateprofile state on
netsh advfirewall set domainprofile state on
netsh advfirewall set allprofile state on
netsh advfirewall set allprofile state off
Set firewall rules examples:
netsh advfirewall firewall add rule name="Open Port 80" dir=in action=allow protocol=TCP localport=80
netsh advfirewall firewall add rule name="My Application" dir=in action=allow program="C:\MyApp\MyApp.exe" enable=yes
netsh advfirewall firewall add rule name="My Application" dir=in action=allow program="C:\MyApp\MyApp.exe" enable=yes remoteip=157.60.0.1,172.16.0.0/16,LocalSubnet profile=domain
netsh advfirewall firewall add rule name="My Application" dir=in action=allow program="C:\MyApp\MyApp.exe" enable=yes remoteip=157.60.0.1,172.16.0.0/16,LocalSubnet profile=private
netsh advfirewall firewall delete rule name="<RULE NAME>" program="C:\MyApp\MyApp.exe"
netsh advfirewall firewall delete rule name="<RULE NAME>" protocol=udp localport=500
netsh advfirewall firewall set rule group="remote desktop" new enable=Yes profile=domain
netsh advfirewall firewall set rule group="remote desktop" new enable=No profile=public
Set up the logging location:
netsh advfirewall set currentprofile logging filename "C:\<LOCATION>\<FILE NAME>.log"
Windows firewall log location and settings:
more %systemroot%\system32\LogFiles\Firewall\pfirewall.log
netsh advfirewall set allprofile logging maxfilesize 4096
netsh advfirewall set allprofile logging droppedconnections enable
netsh advfirewall set allprofile logging allowedconnections enable
Display firewall logs:
Get-Content $env:systemroot\system32\LogFiles\Firewall\pfirewall.log
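Once dropped connections are being logged, the log is easier to triage when summarised than when read raw. The following is an added example (not from the original page) that parses constructed pfirewall.log lines in the W3C field order Windows Firewall writes and counts inbound DROP events per source IP and destination port; run it with Node.js.

```javascript
// Added example: parse Windows Firewall pfirewall.log lines and summarise drops.
// The field order below is the one Windows writes in the log's "#Fields:" header.
const FIELDS = ["date", "time", "action", "protocol", "srcIp", "dstIp",
  "srcPort", "dstPort", "size", "tcpFlags", "tcpSyn", "tcpAck", "tcpWin",
  "icmpType", "icmpCode", "info", "path"];

// Constructed sample log (not real traffic): one source probing SMB and RDP,
// an SNMP probe from another source, and two allowed outbound connections.
const SAMPLE_LOG = `#Software: Microsoft Windows Firewall
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
2024-01-09 08:00:01 DROP TCP 198.51.100.7 10.0.0.5 51001 445 52 S 1001 0 8192 - - - RECEIVE
2024-01-09 08:00:01 DROP TCP 198.51.100.7 10.0.0.5 51002 3389 52 S 1002 0 8192 - - - RECEIVE
2024-01-09 08:00:02 DROP TCP 198.51.100.7 10.0.0.5 51003 445 52 S 1003 0 8192 - - - RECEIVE
2024-01-09 08:00:03 ALLOW TCP 10.0.0.5 203.0.113.50 49712 443 0 - 0 0 0 - - - SEND
2024-01-09 08:00:04 DROP UDP 203.0.113.9 10.0.0.5 53411 161 78 - - - - - - - RECEIVE
2024-01-09 08:00:05 ALLOW UDP 10.0.0.5 10.0.0.1 52100 53 0 - 0 0 0 - - - SEND`;

// Parse the log text into records, skipping the '#' header lines.
function parseFirewallLog(text) {
  const records = [];
  for (const line of text.split(/\r?\n/)) {
    if (!line || line.startsWith("#")) continue;
    const parts = line.trim().split(/\s+/);
    if (parts.length !== FIELDS.length) continue; // malformed line, skip it
    const rec = {};
    FIELDS.forEach((f, i) => { rec[f] = parts[i]; });
    records.push(rec);
  }
  return records;
}

// Count inbound DROP events per source IP and per protocol/destination port.
function summarizeDrops(records) {
  const bySource = {};
  const byPort = {};
  for (const r of records) {
    if (r.action !== "DROP" || r.path !== "RECEIVE") continue;
    bySource[r.srcIp] = (bySource[r.srcIp] || 0) + 1;
    const key = `${r.protocol}/${r.dstPort}`;
    byPort[key] = (byPort[key] || 0) + 1;
  }
  return { bySource, byPort };
}

console.log(summarizeDrops(parseFirewallLog(SAMPLE_LOG)));
```

To run it against a real log, replace SAMPLE_LOG with the contents of %systemroot%\system32\LogFiles\Firewall\pfirewall.log.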
PASSWORDS
Change password:
net user <USER NAME> * /domain
net user <USER NAME> <NEW PASSWORD>
Change password remotely, authenticating to the remote computer as <ADMIN USER NAME> (omit -p to be prompted for that login password):
pspasswd.exe \\<IP ADDRESS or NAME OF REMOTE COMPUTER> -u <ADMIN USER NAME> -p <ADMIN PASSWORD> <USER NAME> <NEW PASSWORD>
Change password remotely using the current logon credentials:
pspasswd.exe \\<IP ADDRESS or NAME OF REMOTE COMPUTER> <USER NAME> <NEW PASSWORD>
Always supply <NEW PASSWORD>: if it is omitted, pspasswd applies a blank password.
HOST FILE
Flush DNS of malicious domain/IP:
ipconfig /flushdns
Flush NetBios cache of host/IP:
nbtstat -R
Block a malicious domain by adding a hosts file entry that points it to localhost (run from an elevated prompt):
echo 127.0.0.1 <MALICIOUS DOMAIN> >> C:\Windows\System32\drivers\etc\hosts
Check if hosts file is working, by sending ping to 127.0.0.1:
ping <MALICIOUS DOMAIN> -n 1
WHITELIST
Use a Proxy Auto Config (PAC) file to send a bad URL or IP list to a local sinkhole proxy instead of the real destination (IE, Firefox, Chrome):
function FindProxyForURL(url, host) {
    // Send bad DNS names to the proxy
    if (dnsDomainIs(host, ".badsite.com"))
        return "PROXY 127.0.0.1:8080";
    // Send bad IPs to the proxy (isInNet resolves the destination host)
    if (isInNet(host, "222.222.222.222", "255.255.255.0"))
        return "PROXY 127.0.0.1:8080";
    // All other traffic bypasses the proxy
    return "DIRECT";
}
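A PAC file is easy to get subtly wrong (for example, checking the client's own address instead of the destination), so it pays to test the logic before deploying it. The following is an added example, not code from the original page: it reimplements the PAC helper functions that browsers normally provide (dnsDomainIs, isInNet, dnsResolve) on top of a constructed DNS table so the FindProxyForURL above can be exercised offline under Node.js.

```javascript
// Added example: evaluate the PAC logic offline. Browsers supply dnsDomainIs,
// isInNet and dnsResolve themselves; they are reimplemented here for testing.
const FAKE_DNS = {            // hostname -> IPv4, constructed for the example
  "www.badsite.com": "198.51.100.20",
  "cdn.badsite.com": "198.51.100.21",
  "evil.example": "222.222.222.45",
  "www.example.org": "203.0.113.8",
};

function dnsResolve(host) { return FAKE_DNS[host] || null; }

// True when host ends with the given domain suffix (the rule browsers use).
function dnsDomainIs(host, domain) { return host.endsWith(domain); }

// Dotted-quad to unsigned 32-bit integer.
function ipToInt(ip) {
  return ip.split(".").reduce((n, o) => (n << 8) + Number(o), 0) >>> 0;
}

// True when the host's address falls in pattern/mask; hostnames are resolved
// first, and an unresolvable host is treated as not in the net.
function isInNet(host, pattern, mask) {
  const ip = /^\d+\.\d+\.\d+\.\d+$/.test(host) ? host : dnsResolve(host);
  if (!ip) return false;
  const m = ipToInt(mask);
  return (ipToInt(ip) & m) === (ipToInt(pattern) & m);
}

// The PAC logic from the page, with the bad-IP check applied to the
// destination host rather than the client's own address.
function FindProxyForURL(url, host) {
  if (dnsDomainIs(host, ".badsite.com"))
    return "PROXY 127.0.0.1:8080";           // sinkhole proxy on localhost
  if (isInNet(host, "222.222.222.222", "255.255.255.0"))
    return "PROXY 127.0.0.1:8080";
  return "DIRECT";
}

// Run the policy over a set of constructed destinations.
function evaluate(hosts) {
  const out = {};
  for (const h of hosts) out[h] = FindProxyForURL("http://" + h + "/", h);
  return out;
}

console.log(evaluate(Object.keys(FAKE_DNS).concat(["222.222.222.9"])));
```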
APPLICATION RESTRICTIONS
AppLocker (Windows Server 2008 R2, Windows 7 or later):
Using the GUI wizard, configure:
- Executable Rules (.exe, .com)
- DLL Rules (.dll, .ocx)
- Script Rules (.ps1, .bat, .cmd, .vbs, .js)
- Windows Installer Rules (.msi, .msp, .mst)
Steps to deploy AppLocker (the GUI is needed for rules based on digital signatures):
- Step 1: Create a new GPO.
- Step 2: Right-click on it to edit, and then navigate through Computer Configuration, Policies, Windows Settings, Security Settings, Application Control Policies and Applocker. Click Configure Rule Enforcement.
- Step 3: Under Executable Rules, check the Configured box and then make sure Enforce Rules is selected from the drop-down box. Click OK.
- Step 4: In the left pane, click Executable Rules.
- Step 5: Right-click in the right pane and select Create New Rule.
- Step 6: On the Before You Begin screen, click Next.
- Step 7: On the Permissions screen, click Next.
- Step 8: On the Conditions screen, select the Publisher condition and click Next.
- Step 9: Click the Browse button and browse to any executable file on your system. It doesn't matter which.
- Step 10: Drag the slider up to Any Publisher and then click Next.
- Step 11: Click Next on the Exceptions screen.
- Step 12: Name the policy, for example "Only run executables that are signed", and click Create.
- Step 13: If this is your first time creating an AppLocker policy, Windows will prompt you to create the default rules; click Yes.
- Step 14: Ensure Application Identity Service is Running.
net start AppIDSvc
REG add "HKLM\SYSTEM\CurrentControlSet\services\AppIDSvc" /v Start /t REG_DWORD /d 2 /f
- Step 15: Changes require a reboot.
shutdown.exe /r
shutdown.exe /r /m \\<IP ADDRESS OR COMPUTER NAME> /f
Import the AppLocker cmdlets into PowerShell:
Import-Module AppLocker
Gets the file information for all of the executable files and scripts in the directory C:\Windows\System32:
Get-AppLockerFileInformation -Directory C:\Windows\System32\ -Recurse -FileType Exe, Script
Create an AppLocker policy with allow rules for all of the executable files in C:\Windows\System32:
Get-ChildItem C:\Windows\System32\*.exe | Get-AppLockerFileInformation | New-AppLockerPolicy -RuleType Publisher, Hash -User Everyone -RuleNamePrefix System32
Sets the local AppLocker policy to the policy specified in C:\Policy.xml:
Set-AppLockerPolicy -XMLPolicy C:\Policy.xml
Uses the AppLocker policy in C:\Policy.xml to test whether calc.exe and notepad.exe are allowed to run for users who are members of the Everyone group. If you do not specify a group, the Everyone group is used by default:
Test-AppLockerPolicy -XMLPolicy C:\Policy.xml -Path C:\Windows\System32\calc.exe,C:\Windows\System32\notepad.exe -User Everyone
Review how many times a file would have been blocked from running if rules were enforced:
Get-AppLockerFileInformation -EventLog -LogPath "Microsoft-Windows-AppLocker/EXE and DLL" -EventType Audited -Statistics
Create a new AppLocker policy from the audited events in the local Microsoft-Windows-AppLocker/EXE and DLL event log, apply it to domain\<GROUP>, and write it to the domain GPO (the AppLocker policy already in that GPO is overwritten):
Get-AppLockerFileInformation -EventLog -LogPath "Microsoft-Windows-AppLocker/EXE and DLL" -EventType Audited | New-AppLockerPolicy -RuleType Publisher,Hash -User domain\<GROUP> -IgnoreMissingFileInformation | Set-AppLockerPolicy -LDAP "LDAP://<DC>.<DOMAIN>.com/CN={31B2F340-016D-11D2-945F-00C04FB984F9},CN=Policies,CN=System,DC=<DOMAIN>,DC=com"
Test the local AppLocker policy against C:\Windows\System32\*.exe, list the files the user is explicitly denied from running, and write them to a text file:
Get-AppLockerPolicy -Local | Test-AppLockerPolicy -Path C:\Windows\System32\*.exe -User domain\<USER NAME> -Filter Denied | Format-List -Property Path > C:\DeniedFiles.txt
Export the results of the test to a file for analysis:
Get-ChildItem <DirectoryPathtoReview> -Filter <FileExtensionFilter> -Recurse | Convert-Path | Test-AppLockerPolicy -XMLPolicy <PathToExportedPolicyFile> -User <domain\username> -Filter <TypeofRuletoFilterFor> | Export-CSV <PathToExportResultsTo.CSV>
Show the local AppLocker policy XML in a GridView window:
Get-AppLockerPolicy -Local -Xml | Out-GridView
IPSEC
Create an IPSEC Local Security Policy, applied to any connection and any protocol, using a preshared key:
netsh ipsec static add filter filterlist=MyIPsecFilter srcaddr=Any dstaddr=Any protocol=ANY
netsh ipsec static add filteraction name=MyIPsecAction action=negotiate
netsh ipsec static add policy name=MyIPsecPolicy assign=yes
netsh ipsec static add rule name=MyIPsecRule policy=MyIPsecPolicy filterlist=MyIPsecFilter filteraction=MyIPsecAction conntype=all activate=yes psk=<PASSWORD>
Add a rule to allow web browsing on port 80 (HTTP) and 443 (HTTPS) over IPSEC:
netsh ipsec static add filteraction name=Allow action=permit
netsh ipsec static add filter filterlist=WebFilter srcaddr=Any dstaddr=Any protocol=TCP dstport=80
netsh ipsec static add filter filterlist=WebFilter srcaddr=Any dstaddr=Any protocol=TCP dstport=443
netsh ipsec static add rule name=WebAllow policy=MyIPsecPolicy filterlist=WebFilter filteraction=Allow conntype=all activate=yes psk=<PASSWORD>
Show the IPSEC Local Security Policy named "MyIPsecPolicy":
netsh ipsec static show policy name=MyIPsecPolicy
Stop or unassign an IPSEC policy:
netsh ipsec static set policy name=MyIPsecPolicy assign=no
Create an IPSEC connection security rule in the Advanced Firewall that requires preshared-key authentication for all connections, inbound and outbound:
netsh advfirewall consec add rule name="IPSEC" endpoint1=any endpoint2=any action=requireinrequireout auth1=computerpsk auth1psk=<PASSWORD> qmsecmethods=default
Require IPSEC preshared key on all outgoing requests:
netsh advfirewall firewall add rule name="IPSEC_Out" dir=out action=allow enable=yes profile=any localip=any remoteip=any protocol=any interfacetype=any security=authenticate
Create a rule for web browsing:
netsh advfirewall firewall add rule name="Allow Outbound Port 80" dir=out localport=80 protocol=TCP action=allow
Create a rule for DNS:
netsh advfirewall firewall add rule name="Allow Outbound Port 53" dir=out localport=53 protocol=UDP action=allow
Delete the IPSEC firewall rule and the connection security rule created above:
netsh advfirewall firewall delete rule name="IPSEC_Out"
netsh advfirewall consec delete rule name="IPSEC"
ACTIVE DIRECTORY (AD) - GROUP POLICY OBJECT (GPO)
Get and force new policies:
gpupdate /force
gpupdate /sync
Audit Success and Failure for user Bob:
auditpol /set /user:bob /category:"Detailed Tracking" /include /success:enable /failure:enable
Create an Organizational Unit into which suspected or infected users and machines can be moved:
dsadd ou "OU=<QUARANTINE BAD OU>,DC=<DOMAIN>,DC=<EXTENSION>"
Move an Active Directory user object into a new OU:
Move-ADObject 'CN=<USER NAME>,CN=<OLD USER GROUP>,DC=<OLD DOMAIN>,DC=<OLD EXTENSION>' -TargetPath 'OU=<NEW USER GROUP>,DC=<OLD DOMAIN>,DC=<OLD EXTENSION>'
Alternative:
dsmove "CN=<USER NAME>,OU=<OLD USER OU>,DC=<OLD DOMAIN>,DC=<OLD EXTENSION>" -newparent "OU=<NEW USER GROUP>,DC=<OLD DOMAIN>,DC=<OLD EXTENSION>"
STAND ALONE SYSTEM - WITHOUT ACTIVE DIRECTORY (AD)
Disallow running a named .exe (value names under DisallowRun are sequential numbers and the data is the file name; this is enforced by Explorer, not by cmd):
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v DisallowRun /t REG_DWORD /d 1 /f
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun" /v 1 /t REG_SZ /d <BAD FILE NAME>.exe /f
Disable Remote Desktop:
reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /f /v fDenyTSConnections /t REG_DWORD /d 1
Send NTLMv2 response only/refuse LM and NTLM: (Windows 7 default)
reg add HKLM\SYSTEM\CurrentControlSet\Control\Lsa /v lmcompatibilitylevel /t REG_DWORD /d 5 /f
Restrict Anonymous Access:
reg add HKLM\SYSTEM\CurrentControlSet\Control\Lsa /v restrictanonymous /t REG_DWORD /d 1 /f
Do not allow anonymous enumeration of SAM accounts and shares:
reg add HKLM\SYSTEM\CurrentControlSet\Control\Lsa /v restrictanonymoussam /t REG_DWORD /d 1 /f
Disable IPV6:
reg add HKLM\SYSTEM\CurrentControlSet\services\TCPIP6\Parameters /v DisabledComponents /t REG_DWORD /d 255 /f
Disable Sticky Keys:
reg add "HKCU\Control Panel\Accessibility\StickyKeys" /v Flags /t REG_SZ /d 506 /f
Disable Toggle Keys:
reg add "HKCU\Control Panel\Accessibility\ToggleKeys" /v Flags /t REG_SZ /d 58 /f
Disable Filter Keys:
reg add "HKCU\Control Panel\Accessibility\Keyboard Response" /v Flags /t REG_SZ /d 122 /f
Disable On-screen Keyboard:
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\LogonUI /f /v ShowTabletKeyboard /t REG_DWORD /d 0
Disable Administrative Shares - Workstations:
reg add HKLM\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters /f /v AutoShareWks /t REG_DWORD /d 0
Disable Administrative Shares - Servers:
reg add HKLM\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters /f /v AutoShareServer /t REG_DWORD /d 0
Stop storing LM hashes, the weak hashes used in pass-the-hash and cracking attacks (requires a password reset and reboot to purge old hashes):
reg add HKLM\SYSTEM\CurrentControlSet\Control\Lsa /f /v NoLMHash /t REG_DWORD /d 1
To Disable Registry Editor: (High Risk)
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableRegistryTools /t REG_DWORD /d 1 /f
Disable IE Password Cache:
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v DisablePasswordCaching /t REG_DWORD /d 1 /f
Disable CMD prompt:
reg add HKCU\Software\Policies\Microsoft\Windows\System /v DisableCMD /t REG_DWORD /d 1 /f
Enable Restricted Admin mode for RDP so admin credentials are not cached on the remote host (a value of 0 enables the mode):
reg add HKLM\System\CurrentControlSet\Control\Lsa /v DisableRestrictedAdmin /t REG_DWORD /d 0 /f
Do not process the run once list:
reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v DisableLocalMachineRunOnce /t REG_DWORD /d 1 /f
Require User Account Control (UAC) permission:
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 1 /f
Reset a user's password and force a change at next logon (the new password is read into a SecureString first):
$newpwd = Read-Host "Enter the new password" -AsSecureString
Set-ADAccountPassword <USER> -NewPassword $newpwd -Reset -PassThru | Set-ADUser -ChangePasswordAtLogon $True
Force a password change at next logon for all enabled users in a group (this filters on the department attribute, not on OU membership):
Get-ADUser -Filter "department -eq '<OUGROUP>' -and enabled -eq 'True'" | Set-ADUser -ChangePasswordAtLogon $True
Enable firewall logging (legacy netsh firewall context, superseded by netsh advfirewall above):
netsh firewall set logging droppedpackets=enable connections=enable