Protect Defend

Protection and Defense Windows

Disabling or Stopping Services

List of stopped or disabled services:

C:\> sc query
C:\> sc config "<SERVICE_NAME>" start= disabled
C:\> sc stop "<SERVICE_NAME>"
C:\> wmic service where name='<SERVICE_NAME>' call ChangeStartmode Disabled

Host Firewall

View all rules:

C:\> netsh advfirewall firewall show rule name=all

Enable or disable the firewall:

C:\> netsh advfirewall set currentprofile state on
C:\> netsh advfirewall set currentprofile firewallpolicy blockinboundalways,allowoutbound
C:\> netsh advfirewall set publicprofile state on
C:\> netsh advfirewall set privateprofile state on
C:\> netsh advfirewall set domainprofile state on
C:\> netsh advfirewall set allprofile state on
C:\> netsh advfirewall set allprof ile state off

Setting a New Rule for the Firewall:

C:\> netsh advfirewall firewall add rule name="Open Port 80" dir=in action=allow protocol=TCP localport=80

C:\> netsh advfirewall firewall add rule name="My Application" dir=in action=allow program="C:\MyApp\MyApp.exe" enable=yes

C:\> netsh advfirewall firewall add rule name="My Application" dir=in action=allow program="C:\MyApp\MyApp.exe" enable=yes remoteip=157.60.0.1,172.16.0.0/16,LocalSubnet profile=domain

C:\> netsh advfirewall firewall add rule name="My Application" dir=in action=allow program="C:\MyApp\MyApp.exe" enable=yes remoteip=157.60.0.1,172.16.0.0/16,LocalSubnet profile=private

C:\> netsh advfirewall firewall delete rule name=rule name program="C:\MyApp\MyApp.exe"

C:\> netsh advfirewall firewall delete rule name=rule name protocol=udp localport=500

C:\> netsh advfirewall firewall set rule group="remote desktop" new enable=Yes profile=domain

C:\> netsh advfirewall firewall set rule group="remote desktop" new enable=No profile=public

Setting the Location of Reports:

C:\> netsh advfirewall set currentprofile logging C:\<LOCATION>\<FILE_NAME>

Setting and Changing the Location of Firewall Reports:

C:\> more %systemroot%\system32\LogFiles\Firewall\pfirewall.log

C:\> netsh advfirewall set allprofile logging maxfilesize 4096

C:\> netsh advfirewall set allprofile logging droppedconnections enable

C:\> netsh advfirewall set allprofile logging allowedconnections enable

Viewing Firewall Reports:

PS C:\> Get-Content $env:systemroot\system32\LogFiles\Firewall\pfirewall.log

Passwords

Changing the Password:

C:\> net user <USER_NAME> * /domain
C:\> net user <USER_NAME> <NEW_PASSWORD>

Changing Password Remotely: Source: Technet Microsoft

C:\> pspasswd.exe \\<IP_ADDRESS_or_NAME_OF_REMOTE_COMPUTER> -u <REMOTE_USER_NAME> -p <NEW_PASSWORD>

PS C:\> pspasswd.exe \\<IP_ADDRESS_or_NAME_OF_REMOTE_COMPUTER>

Host Files

Resetting DNS:

C:\> ipconfig /flushdns

Resetting NetBios Cache:

C:\> nbtstat -R

Adding Malicious Domain and Redirecting it to Localhost:

C:\> echo 127.0.0.1 <MALICIOUS_DOMAIN> >> C:\Windows\System32\drivers\etc\hosts

Checking Host Files by Pinging 127.0.0.1:

C:\> ping <MALICIOUS_DOMAIN> -n 1

Whitelist

Creating and Using a Proxy Auto Config (PAC) File for Suspicious URLs and IPs:

function FindProxyForURL(url, host) {
    // Send bad DNS name to the proxy
    if (dnsDomainIs(host, ".badsite.com"))
        return "PROXY http://127.0.0.1:8080";
    // Send bad IPs to the proxy
    if (isInNet(myIpAddress(), "222.222.222.222", "255.255.255.0"))
        return "PROXY http://127.0.0.1:8080";
    // All other traffic bypass proxy
    return "DIRECT";
}

Application Restrictions

Using Applocker - for Server 2008 R2, Windows 7, or higher:
- Rules for executable files (.exe, .com)
- DLL rules (.dll, .ocx)
- Script rules (.ps1, .bat, .cmd, .vbs, .js)
- Installation program rules (.msi, .msp, .mst)

Working Steps with Applocker (Requires GUI):

Step 1: Create a new GPO.

Step 2: Right-click on it to edit, then navigate through Computer Configuration > Policies > Windows Settings > Security Settings > Application Control Policies > Applocker. Click "Configure Rule Enforcement".

Step 3: Under "Executable Rules", check the "Configured" box and ensure "Enforce Rules" is selected from the drop-down box. Click "OK".

Step 4: In the left pane, click "Executable Rules".

Step 5: Right-click in the right pane and select "Create New Rule".

Step 6: On the "Before You Begin" screen, click "Next".

Step 7: On the "Permissions" screen, click "Next".

Step 8: On the "Conditions" screen, select the "Publisher" condition and click "Next".

Step 9: Click the "Browse" button and navigate to any executable file on your system. It doesn’t matter which one.

Step 10: Drag the slider up to "Any Publisher" and then click "Next".

Step 11: Click "Next" on the "Exceptions" screen.

Step 12: Name the policy, for example, "only run executables that are signed" and click "Create".

Step 13: If this is your first time creating an Applocker policy, Windows will prompt you to create a default rule, click "Yes".

Step 14: Ensure "Application Identity Service" is Running.

C:\> net start AppIDSvc
C:\> REG add "HKLM\SYSTEM\CurrentControlSet\services\AppIDSvc" /v Start /t REG_DWORD /d 2 /f

Step 15: Changes require a reboot.

C:\> shutdown.exe /r
C:\> shutdown.exe /r /m \\<IP ADDRESS OR COMPUTER NAME> /f

Using the Applocker Module in PowerShell:

Import the Applocker Module:

PS C:\> import-module Applocker

Display Information about Files and Executables in the Path C:\Windows\System32:

PS C:\> Get-ApplockerFileInformation -Directory C:\Windows\System32\ -Recurse -FileType Exe, Script

Create an Applocker Policy for All Executable Files in the Path C:\Windows\System32:

PS C:\> Get-ApplockerFileInformation -Directory C:\Windows\System32\ -Recurse -FileType Exe, Script

Create an Applocker Policy to Allow All Executable Files in the Path C:\Windows\System32:

PS C:\> Get-Childitem C:\Windows\System32\*,exe | Get-ApplockerFileInformation | New-ApplockerPolicy -RuleType Publisher, Hash -User Everyone -RuleNamePrefix System32

Change Existing Policies Using the File C:\Policy.xml:

PS C:\> Set-AppLockerPolicy -XMLPolicy C:\Policy.xml

Use Applocker Policies to Allow Running notepad and calc for Users Who are Members of the 'everyone' Group:

PS C:\> Test-AppLockerPolicy -XMLPolicy C:\Policy.xml -Path C:\Windows\System32\calc.exe, C:\Windows\System32\notepad.exe -User Everyone

Create a Restriction for the Number of Executions:

PS C:\> Get-ApplockerFileInformation -EventLog -Logname "Microsoft-Windows-Applocker\EXE and DLL" -EventType Audited -Statistics

Create a Policy for Applocker from Audited Events for exe and dll Files:

PS C:\> Get-ApplockerFileInformation -EventLog -LogPath "Microsoft-Windows-AppLocker/EXE and DLL" -EventType Audited | New-ApplockerPolicy -RuleType Publisher, Hash -User domain\<GROUP> -IgnoreMissingFileInformation | Set-ApplockerPolicy -LDAP "LDAP://<DC>,<DOMAIN>.com/CN={31B2F340-016D-11D2-945F-00C04FB984F9},CN=Policies,CN=System,DC=<DOMAIN>,DC=com"

Extracting All Applocker Policies:

PS C:\> Get-AppLockerPolicy -Local | Test-AppLockerPolicy -Path C:\Windows\System32\*.exe -User domain\<USER NAME> -Filter Denied | Format-List -Property Path > C:\DeniedFiles.txt

Review and Test the Extracted Applocker Policy File:

PS C:\> Get-Childitem <DirectoryPathToReview> -Filter <FileExtensionFilter> -Recurse | Convert-Path | Test-ApplockerPolicy -XMLPolicy <PathToExportedPolicyFile> -User <domain\username> -Filter <TypeOfRuleToFilterFor> | Export-CSV <PathToExportResultsTo.CSV>

Display a GridView List for All Rules:

PS C:\> Get-AppLockerPolicy -Local -Xml | Out-GridView

IPSEC Commands

Create a Local Security Policy for Applocker for Any Type of Connection and Protocol Using a Preshared Key:

C:\> netsh ipsec static add filter filterlist=MyIPsecFilter srcaddr=Any dstaddr=Any protocol=ANY
C:\> netsh ipsec static add filteraction name=MyIPsecAction action=negotiate
C:\> netsh ipsec static add policy name=MyIPsecPolicy assign=yes
C:\> netsh ipsec static add rule name=MyIPsecRule policy=MyIPsecPolicy filterlist=MyIPsecFilter filteraction=MyIPsecAction conntype=all activate=yes psk=<PASSWORD>

Add a Rule for Allowing Ports 80 and 443 in IPSEC:

C:\> netsh ipsec static add filteraction name=Allow action=permit
C:\> netsh ipsec static add filter filterlist=WebFilter srcaddr=Any dstaddr=Any protocol=TCP dstport=80
C:\> netsh ipsec static add filter filterlist=WebFilter srcaddr=Any dstaddr=Any protocol=TCP dstport=443
C:\> netsh ipsec static add rule name=WebAllow policy=MyIPsecPolicy filterlist=WebFilter filteraction=Allow conntype=all activate=yes psk=<PASSWORD>

Display All Local Security Policies in IPSEC Named "MyIPsecPolicy":

C:\> netsh ipsec static show policy name=MyIPsecPolicy

Stop or Disable Policies in IPSEC:

C:\> netsh ipsec static set policy name=MyIPsecPolicy

Create a New Policy, Rule, and Preshared Key for Any Type of Connection:

C:\> netsh advfirewall consec add rule name="IPSEC" endpoint1=any endpoint2=any action=requireinrequireout qmsecmethods=default

Require a Preshared Key for All Outgoing Requests in IPSEC:

C:\> netsh advfirewall firewall add rule name="IPSEC_Out" dir=out action=allow enable=yes profile=any localip=any remoteip=any protocol=any interfacetype=any security=authenticate

Create a Rule for Web Browsing:

C:\> netsh advfirewall firewall add rule name="Allow Outbound Port 80" dir=out localport=80 protocol=TCP action=allow

Create a Rule for DNS:

C:\> netsh advfirewall firewall add rule name="Allow Outbound Port 53" dir=out localport=53 protocol=UDP action=allow

Delete Rule in IPSEC:

C:\> netsh advfirewall firewall delete rule name="IPSEC_RULE"

ACTIVE DIRECTORY (AD) and GROUP POLICY OBJECT (GPO)

Retrieve and Apply New Policies:

C:\> gpupdate /force
C:\> gpupdate /sync

Audit Success and Failure for User Bob:

C:\> auditpol /set /user:bob /category:"Detailed Tracking" /include /success:enable /failure:enable

Create an Organization Unit to Transfer Suspect Users and Computers:

C:\> dsadd OU <QUARANTINE BAD OU>

Transfer active directory users to a new group "NEW GROUP":

PS C:\> Move-ADObject 'CN=<USER NAME>,CN=<OLD USER GROUP>,DC=<OLD DOMAIN>,DC=<OLD EXTENSION>' -TargetPath 'OU=<NEW USER GROUP>,DC=<OLD DOMAIN>,DC=<OLD EXTENSION>'

Similar Method:

C:\> dsmove "CN=<USER NAME>,OU=<OLD USER OU>,DC=<OLD DOMAIN>,DC=<OLD EXTENSION>" -newparent OU=<NEW USER GROUP>,DC=<OLD DOMAIN>,DC=<OLD EXTENSION>

System Without ACTIVE DIRECTORY (AD)

Prevent .exe file:

C:\> reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v DisallowRun /t REG_DWORD /d "00000001" /f
C:\> reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun" /v badfile.exe /t REG_SZ /d <BAD FILE NAME>.exe /f

Disable Remote Desktop:

C:\> reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /f /v fDenyTSConnections /t REG_DWORD /d 1

Only send NTLMv2 responses to LM & NTLM: (default in Windows 7)

C:\> reg add HKLM\SYSTEM\CurrentControlSet\Control\Lsa\ /v lmcompatibilitylevel /t REG_DWORD /d 5 /f

Limit anonymous access:

C:\> reg add HKLM\SYSTEM\CurrentControlSet\Control\Lsa /v restrictanonymous /t REG_DWORD /d 1 /f

Do not allow anonymous access to SAM accounts and shares:

C:\> reg add HKLM\SYSTEM\CurrentControlSet\Control\Lsa /v restrictanonymoussam /t REG_DWORD /d 1 /f

Disable IPV6:

C:\> reg add HKLM\SYSTEM\CurrentControlSet\services\TCPIP6\Parameters /v DisabledComponents /t REG_DWORD /d 255 /f

Disable sticky keys:

C:\> reg add "HKCU\Control Panel\Accessibility\StickyKeys" /v Flags /t REG_SZ /d 506 /f

Disable toggle keys:

C:\> reg add "HKCU\Control Panel\Accessibility\ToggleKeys" /v Flags /t REG_SZ /d 58 /f

Disable filter keys:

C:\> reg add "HKCU\Control Panel\Accessibility\Keyboard Response" /v Flags /t REG_SZ /d 122 /f

Disable On-screen Keyboard:

C:\> reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\LogonUI /f /v ShowTabletKeyboard /t REG_DWORD /d 0

Disable Administrative Shares - Workstations:

C:\> reg add HKLM\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters /f /v AutoShareWks /t REG_DWORD /d 0

Disable Administrative Shares - Servers:

C:\> reg add HKLM\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters /f /v AutoShareServer /t REG_DWORD /d 0

Delete hashes related to the Pass the Hash attack (requires reboot and password change for old hashes):

C:\> reg add HKLM\SYSTEM\CurrentControlSet\Control\Lsa /f /v NoLMHash /t REG_DWORD /d 1

Disable Registry Editing: (High Risk)

C:\> reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableRegistryTools /t REG_DWORD /d 1 /f

Disable IE Password Cache:

C:\> reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings /v DisablePasswordCaching /t REG_DWORD /d 1 /f

Disable CMD prompt:

C:\> reg add HKCU\Software\Policies\Microsoft\Windows\System /v DisableCMD /t REG_DWORD /d 1 /f

Disable caching of admin credentials in the host using rdp:

C:\> reg add HKLM\System\CurrentControlSet\Control\Lsa /v DisableRestrictedAdmin /t REG_DWORD /d 0 /f

Do not process files that have only been run once:

C:\> reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v DisableLocalMachineRunOnce /t REG_DWORD /d 1
C:\> reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v DisableLocalMachineRunOnce /t REG_DWORD /d 1

Require User Access Control (UAC):

C:\> reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 1 /f

Change the password after logging in again:

PS C:\> Set-ADAccountPassword <USER> -NewPassword $newpwd -Reset -PassThru | Set-ADuser -ChangePasswordAtLogon $True

PowerShell Script for Windows

Change the password on the next login for the OU Group:

PS C:\> Get-ADuser -filter "department -eq '<OU GROUP>' -AND enabled -eq 'True'" | Set-ADuser -ChangePasswordAtLogon $True

Enable logging in the firewall:

PS C:\> netsh firewall set logging droppedpackets=enable connections=enable

Bash Script for Linux

Service Information, List, Start, and Stop services in Ubuntu, and List All Services:

Service Information:
service --status-all
ps -ef
ps -aux
# List, Start, and Stop services in Ubuntu:
/etc/init.d/apache2 start
/etc/init.d/apache2 restart
/etc/init.d/apache2 stop # (stops only until reboot)
service mysql start
service mysql restart
service mysql stop # (stops only until reboot)
# List All Boot Up services:
ls /etc/init/*.conf
# Check Boot Up service status:
status ssh

Example Firewall (iptables) Commands:

Save All Existing iptables Rules:
iptables-save > firewall.out
# Edit File Containing Rules:
vi firewall.out
# Reload iptables Rules:
iptables-restore < firewall.out
# Example iptables Commands to Limit IPs and Ports:
iptables -A INPUT -s 10.10.10.10 -j DROP
iptables -A INPUT -s 10.10.10.0/24 -j DROP
iptables -A INPUT -p tcp --dport ssh -s 10.10.10.10 -j DROP
iptables -A INPUT -p tcp --dport ssh -j DROP
# Block All Connections:
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP
# Logging All Denied Rules in iptables:
iptables -I INPUT 5 -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 7

Example Password Commands:

Change Password:
passwd # (For current user)
passwd bob # (For user Bob)
sudo su passwd # (For root)

Example Host File Commands:

Add Malicious Domain and Redirect to localhost:
echo "127.0.0.1 <MALICIOUS DOMAIN>" >> /etc/hosts
# Check Host Files by Pinging 127.0.0.1:
ping -c 1 <MALICIOUS DOMAIN>
# Restart DNS cache in Ubuntu:
/etc/init.d/dns-clean start

Example IPSEC Commands:

Allow Firewall for IPSEC Traffic:
iptables -A INPUT -p esp -j ACCEPT
iptables -A INPUT -p ah -j ACCEPT
iptables -A INPUT -p udp --dport 500 -j ACCEPT
iptables -A INPUT -p udp --dport 4500 -j ACCEPT
# IPSEC Traffic Pass Setup using Racoon:
# Step 1: Install Racoon on <HOST1 IP ADDRESS> and <HOST2 IP ADDRESS> to enable IPSEC tunneling in Ubuntu.
apt-get install racoon
# Steps 2, 3, 4, and 5 need further manual configurations as per original text.

PreviousIdentify Scope NextDetect Visibility

Last updated 9 months ago