C:\> sc query
C:\> sc config "<SERVICE_NAME>" start= disabled
C:\> sc stop "<SERVICE_NAME>"
C:\> wmic service where name='<SERVICE_NAME>' call ChangeStartmode Disabled
(sc requires the space after "start="; without it the command fails.)
Host Firewall
View all rules:
C:\> netsh advfirewall firewall show rule name=all
Enable or disable the firewall:
C:\> netsh advfirewall set currentprofile state on
C:\> netsh advfirewall set currentprofile firewallpolicy blockinboundalways,allowoutbound
C:\> netsh advfirewall set publicprofile state on
C:\> netsh advfirewall set privateprofile state on
C:\> netsh advfirewall set domainprofile state on
C:\> netsh advfirewall set allprofiles state on
C:\> netsh advfirewall set allprofiles state off
Creating and Using a Proxy Auto Config (PAC) File for Suspicious URLs and IPs:
function FindProxyForURL(url, host) {
    // Send bad DNS names to the proxy. dnsDomainIs() is a suffix match:
    // "evil.badsite.com" matches ".badsite.com", the bare "badsite.com" does not.
    if (dnsDomainIs(host, ".badsite.com"))
        return "PROXY 127.0.0.1:8080";
    // Send bad IPs to the proxy. isInNet() resolves host if it is not already an
    // address, then masks it; this matches 222.222.222.0/24.
    if (isInNet(host, "222.222.222.222", "255.255.255.0"))
        return "PROXY 127.0.0.1:8080";
    // All other traffic bypasses the proxy.
    return "DIRECT";
}
(The PROXY directive takes host:port, not a URL.)
Application Restrictions
Using AppLocker - for Server 2008 R2, Windows 7, or higher (rules can be created on any edition, but not every client edition enforces them; Windows 7 Professional, for example, does not):
Rules for executable files (.exe, .com)
DLL rules (.dll, .ocx)
Script rules (.ps1, .bat, .cmd, .vbs, .js)
Installation program rules (.msi, .msp, .mst)
Working Steps with AppLocker (Requires GUI):
Step 1: Create a new GPO.
Step 2: Right-click on it to edit, then navigate through Computer Configuration > Policies > Windows Settings > Security Settings > Application Control Policies > AppLocker. Click "Configure Rule Enforcement".
Step 3: Under "Executable Rules", check the "Configured" box and ensure "Enforce Rules" is selected from the drop-down box. Click "OK".
Step 4: In the left pane, click "Executable Rules".
Step 5: Right-click in the right pane and select "Create New Rule".
Step 6: On the "Before You Begin" screen, click "Next".
Step 7: On the "Permissions" screen, click "Next".
Step 8: On the "Conditions" screen, select the "Publisher" condition and click "Next".
Step 9: Click the "Browse" button and navigate to any executable file on your system. It doesn’t matter which one.
Step 10: Drag the slider up to "Any Publisher" and then click "Next".
Step 11: Click "Next" on the "Exceptions" screen.
Step 12: Name the policy, for example, "only run executables that are signed" and click "Create".
Step 13: If this is your first time creating an AppLocker policy, Windows will prompt you to create the default rules; click "Yes". The default rules allow everything under the Windows and Program Files folders and everything for Administrators; without them an enforced policy blocks Windows itself.
Step 14: Ensure the "Application Identity" service (AppIDSvc) is running and set to start automatically. AppLocker rules are not enforced while it is stopped.
Enable logging of dropped packets and successful connections (the "netsh firewall" context is deprecated in favour of advfirewall but still accepted):
C:\> netsh firewall set logging droppedpackets=enable connections=enable
Same setting in the advfirewall context (the log is written to %systemroot%\system32\LogFiles\Firewall\pfirewall.log by default):
C:\> netsh advfirewall set allprofiles logging droppedconnections enable
C:\> netsh advfirewall set allprofiles logging allowedconnections enable
Bash Script for Linux
Service Information, List, Start, and Stop services in Ubuntu, and List All Services:
# Service Information:
service --status-all
ps -ef
ps aux
# List, Start, and Stop services in Ubuntu (SysV init scripts):
/etc/init.d/apache2 start
/etc/init.d/apache2 restart
/etc/init.d/apache2 stop    # (stops only until reboot; use "update-rc.d apache2 disable" to keep it from starting at boot)
service mysql start
service mysql restart
service mysql stop          # (stops only until reboot)
# List All Boot Up services (Upstart, Ubuntu releases before 15.04):
ls /etc/init/*.conf
# Check Boot Up service status (Upstart):
status ssh
Example Firewall (iptables) Commands:
# Save All Existing iptables Rules:
iptables-save > firewall.out
# Edit File Containing Rules:
vi firewall.out
# Reload iptables Rules:
iptables-restore < firewall.out
# Example iptables Commands to Limit IPs and Ports:
iptables -A INPUT -s 10.10.10.10 -j DROP
iptables -A INPUT -s 10.10.10.0/24 -j DROP
iptables -A INPUT -p tcp --dport ssh -s 10.10.10.10 -j DROP
iptables -A INPUT -p tcp --dport ssh -j DROP
# Block All Connections (default policies; accept loopback, established sessions and your own management address BEFORE setting these, or a remote SSH session is cut off):
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP
# Logging All Denied Rules in iptables (rate-limited; -I INPUT 5 inserts at position 5 and fails with "Index of insertion too big" if INPUT holds fewer than 4 rules, so adjust the index so the LOG rule sits just before the final DROP):
iptables -I INPUT 5 -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 7
Example Password Commands:
# Change Password:
passwd              # (For current user)
passwd bob          # (For user bob)
sudo passwd root    # (For root)
Example Host File Commands:
# Add Malicious Domain and Redirect to localhost (writing /etc/hosts needs root; with sudo, use: echo "..." | sudo tee -a /etc/hosts):
echo "127.0.0.1 <MALICIOUS DOMAIN>" >> /etc/hosts
# Check the Hosts File by Pinging (the reply should come from 127.0.0.1):
ping -c 1 <MALICIOUS DOMAIN>
# Restart DNS cache in Ubuntu:
/etc/init.d/dns-clean start
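The following is an added example, not part of the original cheat sheet: a small bash helper that sinkholes a domain in a hosts file without creating duplicate lines, adds both the IPv4 (127.0.0.1) and IPv6 (::1) loopback entries so an AAAA lookup does not escape the sinkhole, and verifies that no other line in the file still maps the domain elsewhere. The hosts file path is a parameter so the functions can be exercised on a scratch copy; the domain names and addresses in the usage comments are constructed samples.

```bash
#!/bin/bash
# Added example (not from the original cheat sheet): sinkhole a domain in a hosts
# file idempotently and verify the result. FILE is normally /etc/hosts, but any
# path works, which keeps the helper testable on a temporary copy.
set -eu

# hosts_has FILE DOMAIN: exit 0 if DOMAIN appears as a whole hostname field on a
# non-comment line (so "badsite.com" does not match "notbadsite.com").
hosts_has() {
    local file="$1" domain="$2"
    awk -v d="$domain" '
        /^[[:space:]]*#/ { next }
        {
            for (i = 2; i <= NF; i++) {
                if ($i == "#") break          # rest of the line is a comment
                if ($i == d) found = 1
            }
        }
        END { exit (found ? 0 : 1) }' "$file"
}

# hosts_sinkhole FILE DOMAIN: append loopback entries for DOMAIN unless one is
# already present. Prints "added" or "exists". Appending to /etc/hosts itself
# needs root (run via sudo, or pipe through "sudo tee -a").
hosts_sinkhole() {
    local file="$1" domain="$2"
    if hosts_has "$file" "$domain"; then
        echo exists
        return 0
    fi
    printf '127.0.0.1 %s\n::1 %s\n' "$domain" "$domain" >> "$file"
    echo added
}

# hosts_check FILE DOMAIN: exit 0 only if DOMAIN is present and every
# non-comment line naming it points at loopback, i.e. the sinkhole is in
# effect and no later line overrides it with a real address.
hosts_check() {
    local file="$1" domain="$2"
    hosts_has "$file" "$domain" || return 1
    awk -v d="$domain" '
        /^[[:space:]]*#/ { next }
        {
            for (i = 2; i <= NF; i++) {
                if ($i == "#") break
                if ($i == d && $1 !~ /^127\./ && $1 != "::1") bad = 1
            }
        }
        END { exit (bad ? 1 : 0) }' "$file"
}

# Usage (constructed sample domain):
#   hosts_sinkhole /etc/hosts badsite.com && hosts_check /etc/hosts badsite.com
#   ping -c 1 badsite.com      # reply should now come from 127.0.0.1
```

The whole-field match matters: a substring grep for the domain would report a sinkhole as present when only a look-alike name is listed, and the final check catches the common failure where a later, hand-edited line re-points the domain at a real address.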
Example IPSEC Commands:
# Allow Firewall for IPSEC Traffic (ESP and AH payloads, IKE on UDP 500, NAT-T on UDP 4500):
iptables -A INPUT -p esp -j ACCEPT
iptables -A INPUT -p ah -j ACCEPT
iptables -A INPUT -p udp --dport 500 -j ACCEPT
iptables -A INPUT -p udp --dport 4500 -j ACCEPT
# IPSEC Traffic Pass Setup using Racoon:
# Step 1: Install Racoon on <HOST1 IP ADDRESS> and <HOST2 IP ADDRESS> to enable IPSEC tunneling in Ubuntu.
apt-get install racoon
# Steps 2, 3, 4, and 5 (the racoon configuration itself) are not reproduced here; see the original text.
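The iptables commands above and the IPsec pass-through rules in this section are easiest to get right when the whole ruleset is written as one iptables-restore file and loaded atomically, rather than typed rule by rule with the default policies switched to DROP part-way through. The following is an added example, not from the original cheat sheet: a bash function that emits such a ruleset, ordered so that loopback, established sessions and the management network are accepted before the rate-limited LOG rule and the DROP policy, which is what keeps an administrator's own SSH session alive when the rules are applied remotely. The admin network 10.10.10.0/24 and the choice to accept IPsec on the same host are assumptions for the example; review the output before loading it with iptables-restore.

```bash
#!/bin/bash
# Added example (not from the original cheat sheet): build a default-deny
# iptables ruleset in iptables-restore format. Assumed values: admin network
# 10.10.10.0/24, SSH on port 22, IPsec terminated on this host.
set -eu

# build_ruleset ADMIN_NET [SSH_PORT]
# Prints a complete filter-table ruleset to stdout. Rule order matters: the
# accepts for loopback, established/related traffic and the admin network come
# first, the catch-all LOG rule last, and the chain policy then drops the rest.
build_ruleset() {
    local admin_net="$1" ssh_port="${2:-22}"
    cat <<EOF
*filter
# Default policies: drop everything not explicitly accepted.
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# Loopback and replies to connections this host started.
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# Drop packets the connection tracker cannot classify (stray TCP flags etc.).
-A INPUT -m conntrack --ctstate INVALID -j DROP
# Management access: SSH only from the admin network.
-A INPUT -p tcp --dport ${ssh_port} -s ${admin_net} -j ACCEPT
# IPsec: ESP, AH, IKE (UDP 500) and NAT-T (UDP 4500).
-A INPUT -p esp -j ACCEPT
-A INPUT -p ah -j ACCEPT
-A INPUT -p udp --dport 500 -j ACCEPT
-A INPUT -p udp --dport 4500 -j ACCEPT
# Rate-limited log of everything that falls through; the INPUT policy drops it.
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 7
COMMIT
EOF
}

# rule_index RULESET PATTERN: 1-based line number of the first rule matching
# PATTERN (empty if none). Used to confirm the admin ACCEPT precedes the LOG rule.
rule_index() {
    printf '%s\n' "$1" | grep -n -- "$2" | head -n1 | cut -d: -f1
}

# Usage: write the ruleset to a file, syntax-check it, then load it atomically
# (both iptables-restore calls need root):
#   build_ruleset 10.10.10.0/24 > firewall.out
#   iptables-restore --test < firewall.out
#   iptables-restore < firewall.out
if [ "${1:-}" = "--print" ]; then
    build_ruleset "${2:-10.10.10.0/24}"
fi
```

Loading the file with iptables-restore replaces the table in one step, so the host is never left with a DROP policy and no accept rules, which is the lock-out risk of issuing the cheat sheet's "-P INPUT DROP" interactively. The ruleset is not persistent across reboots on its own; it has to be reloaded at boot (for example by iptables-persistent) or it is lost.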