
Black Cat White Hat Security

Windows Endpoint Protection

PowerShell for endpoint security. These commands close a number of endpoint findings defined in Microsoft Secure Score and other Windows security products. You can download them all as the BCWHSendpoint 1.0 module.

PowerShell - BCWHSendpoint 1.0

Installing and using BCWHSendpoint is straightforward. Open Windows PowerShell with administrative access and copy and paste the commands below. Each function is listed below with more information.

BCWHSendpoint 1.0 Installation

How to install and use BCWHSendpoint 1.0

Install-PackageProvider -Name NuGet -RequiredVersion 2.8.5.201 -Force;
Import-PackageProvider -Name NuGet -RequiredVersion 2.8.5.201;
 
Install-Module -Name BCWHSendpoint -RequiredVersion 1.0 -Force;
Import-Module -Name BCWHSendpoint -RequiredVersion 1.0;

The module can be found on the PowerShell Gallery.

Microsoft Secure Score

Microsoft Secure Score has 190 security controls covering 4 categories (Identity, Data, Device & Apps) totalling 1094 points.
When all of these commands are enabled you gain 171 points towards your device Secure Score, a 15.63% increase in endpoint device security.
 
To enable all modules: BCWHSallOn
 
To revert all modules: BCWHSallOff

1) Block outdated ActiveX controls for Internet Explorer

Set
Set-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext" -Name 'VersionCheckEnabled' -Value 1;

 
BCWHSendpoint 1.0: BCWHSmod1On
 
Revert
Set-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext" -Name 'VersionCheckEnabled' -Value 0;

BCWHSendpoint 1.0: BCWHSmod1Off
 

This action will increase your organization's Microsoft Secure Score by: 5 points or 0.46%.

2) Disable 'Autoplay for non-volume devices'

Set
Set-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" -Name 'NoAutoplayfornonVolume' -Value 1;
New-Item -Path "HKLM:\Software\Policies\Microsoft\Windows" -Name 'Explorer' -Force;
New-ItemProperty -Path "HKLM:\Software\Policies\Microsoft\Windows\Explorer" -Name 'NoAutoplayfornonVolume' -Value 1;

 
BCWHSendpoint 1.0: BCWHSmod2On
 
Revert
Set-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" -Name 'NoAutoplayfornonVolume' -Value 0;
Set-ItemProperty -Path "HKLM:\Software\Policies\Microsoft\Windows\Explorer" -Name 'NoAutoplayfornonVolume' -Value 0;

BCWHSendpoint 1.0: BCWHSmod2Off
 

This action will increase your organization's Microsoft Secure Score by: 5 points or 0.46%.

3) Disable 'Autoplay' for all drives

Set
Set-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" -Name 'NoDriveTypeAutoRun' -Value 255;

 
BCWHSendpoint 1.0: BCWHSmod3On
 
Revert
Set-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" -Name 'NoDriveTypeAutoRun' -Value 0;

BCWHSendpoint 1.0: BCWHSmod3Off
 

This action will increase your organization's Microsoft Secure Score by: 8 points or 0.73%.

4) Disable 'Continue running background apps when Google Chrome is closed'

Set
New-Item -Path "HKLM:\Software\Policies" -Name 'Google' -Force;
New-Item -Path "HKLM:\Software\Policies\Google" -Name 'Chrome' -Force;
New-ItemProperty -Path "HKLM:\Software\Policies\Google\Chrome" -Name 'BackgroundModeEnabled' -Value 0;

 
BCWHSendpoint 1.0: BCWHSmod4On
 
Revert
Set-ItemProperty -Path "HKLM:\Software\Policies\Google\Chrome" -Name 'BackgroundModeEnabled' -Value 1;

BCWHSendpoint 1.0: BCWHSmod4Off
 

This action will increase your organization's Microsoft Secure Score by: 5 points or 0.46%.

5) Disable 'Enumerate administrator accounts on elevation'

Set
New-Item -Path "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies" -Name 'CredUI' -Force;
New-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CredUI" -Name 'EnumerateAdministrators' -Value 0;

 
BCWHSendpoint 1.0: BCWHSmod5On
 
Revert
Set-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CredUI" -Name 'EnumerateAdministrators' -Value 1;

BCWHSendpoint 1.0: BCWHSmod5Off
 

This action will increase your organization's Microsoft Secure Score by: 8 points or 0.73%.

6) Disable Anonymous enumeration of shares

Set
Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\Lsa" -Name 'RestrictAnonymous' -Value 1;

 
BCWHSendpoint 1.0: BCWHSmod6On
 
Revert
Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\Lsa" -Name 'RestrictAnonymous' -Value 0;

BCWHSendpoint 1.0: BCWHSmod6Off
 

This action will increase your organization's Microsoft Secure Score by: 8 points or 0.73%.

7) Disable IP Source routing

Set
Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\" -Name 'DisableIPSourceRouting' -Value 2;

 
BCWHSendpoint 1.0: BCWHSmod7On
 
Revert
Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\" -Name 'DisableIPSourceRouting' -Value 0;

BCWHSendpoint 1.0: BCWHSmod7Off
 

This action will increase your organization's Microsoft Secure Score by: 5 points or 0.46%.

8) Disable JavaScript/Flash on Adobe Reader DC

Set
New-Item -Path "HKLM:\SOFTWARE\Policies\Adobe\" -Name 'Acrobat Reader' -Force;
New-Item -Path "HKLM:\SOFTWARE\Policies\Adobe\Acrobat Reader" -Name 'DC' -Force;
New-Item -Path "HKLM:\SOFTWARE\Policies\Adobe\Acrobat Reader\DC" -Name 'FeatureLockDown' -Force;
New-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Adobe\Acrobat Reader\DC\FeatureLockDown" -Name 'bDisableJavaScript' -Value 1;
New-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Adobe\Acrobat Reader\DC\FeatureLockDown" -Name 'bEnableFlash' -Value 0;   # 0 disables Flash content in the FeatureLockDown preferences

 
BCWHSendpoint 1.0: BCWHSmod8On
 
Revert
Set-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Adobe\Acrobat Reader\DC\FeatureLockDown" -Name 'bDisableJavaScript' -Value 0;
Set-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Adobe\Acrobat Reader\DC\FeatureLockDown" -Name 'bEnableFlash' -Value 1;

BCWHSendpoint 1.0: BCWHSmod8Off
 

This action will increase your organization's Microsoft Secure Score by: 10 points or 0.92%.

9) Disable Microsoft Defender Firewall notifications when programs are blocked for Domain/Public/Private profile

Set
New-Item -Path "HKLM:\Software\Policies\Microsoft" -Name 'WindowsFirewall' -Force;
New-Item -Path "HKLM:\Software\Policies\Microsoft\WindowsFirewall" -Name 'DomainProfile' -Force;
New-Item -Path "HKLM:\Software\Policies\Microsoft\WindowsFirewall" -Name 'PrivateProfile' -Force;
New-Item -Path "HKLM:\Software\Policies\Microsoft\WindowsFirewall" -Name 'PublicProfile' -Force;
New-ItemProperty -Path "HKLM:\Software\Policies\Microsoft\WindowsFirewall\DomainProfile" -Name 'DisableNotifications' -Value 1;
New-ItemProperty -Path "HKLM:\Software\Policies\Microsoft\WindowsFirewall\PrivateProfile" -Name 'DisableNotifications' -Value 1;
New-ItemProperty -Path "HKLM:\Software\Policies\Microsoft\WindowsFirewall\PublicProfile" -Name 'DisableNotifications' -Value 1;

 
BCWHSendpoint 1.0: BCWHSmod9On
 
Revert
Set-ItemProperty -Path "HKLM:\Software\Policies\Microsoft\WindowsFirewall\DomainProfile" -Name 'DisableNotifications' -Value 0;
Set-ItemProperty -Path "HKLM:\Software\Policies\Microsoft\WindowsFirewall\PrivateProfile" -Name 'DisableNotifications' -Value 0;
Set-ItemProperty -Path "HKLM:\Software\Policies\Microsoft\WindowsFirewall\PublicProfile" -Name 'DisableNotifications' -Value 0;

BCWHSendpoint 1.0: BCWHSmod9Off
 

This action will increase your organization's Microsoft Secure Score by: 6 points or 0.54%.

10) Disable running or installing downloaded software with invalid signature

Set
New-Item -Path "HKLM:\SOFTWARE\Policies\Microsoft\" -Name 'Internet Explorer' -Force;
New-Item -Path "HKLM:\SOFTWARE\Policies\Microsoft\Internet Explorer" -Name 'Download' -Force;
Set-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Microsoft\Internet Explorer\Download\" -Name 'RunInvalidSignatures' -Value 0;

 
BCWHSendpoint 1.0: BCWHSmod10On
 
Revert
Set-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Microsoft\Internet Explorer\Download\" -Name 'RunInvalidSignatures' -Value 1;

BCWHSendpoint 1.0: BCWHSmod10Off
 

This action will increase your organization's Microsoft Secure Score by: 5 points or 0.46%.

11) Enable 'Apply UAC restrictions to local accounts on network logons'

Set
Set-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" -Name 'LocalAccountTokenFilterPolicy' -Value 0;

 
BCWHSendpoint 1.0: BCWHSmod11On
 
Revert
Set-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" -Name 'LocalAccountTokenFilterPolicy' -Value 1;

BCWHSendpoint 1.0: BCWHSmod11Off
 

This action will increase your organization's Microsoft Secure Score by: 5 points or 0.46%.

12) Enable 'Block third party cookies'

Set
New-ItemProperty -Path "HKLM:\Software\Policies\Google\Chrome" -Name 'BlockThirdPartyCookies' -Value 1;

 
BCWHSendpoint 1.0: BCWHSmod12On
 
Revert
Set-ItemProperty -Path "HKLM:\Software\Policies\Google\Chrome" -Name 'BlockThirdPartyCookies' -Value 0;

BCWHSendpoint 1.0: BCWHSmod12Off
 

This action will increase your organization's Microsoft Secure Score by: 2 points or 0.18%.

13) Enable 'Microsoft network client: Digitally sign communications (always)'

Set
Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters" -Name 'RequireSecuritySignature' -Value 1;

 
BCWHSendpoint 1.0: BCWHSmod13On
 
Revert
Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters" -Name 'RequireSecuritySignature' -Value 0;

BCWHSendpoint 1.0: BCWHSmod13Off
 

This action will increase your organization's Microsoft Secure Score by: 5 points or 0.46%.

14) Enable Microsoft Defender Antivirus Email Scanning

Set
Set-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Scan" -Name 'DisableEmailScanning' -Value 0;

 
BCWHSendpoint 1.0: BCWHSmod14On
 
Revert
Set-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Scan" -Name 'DisableEmailScanning' -Value 1;

BCWHSendpoint 1.0: BCWHSmod14Off
 

This action will increase your organization's Microsoft Secure Score by: 9 points or 0.82%.

15) Enable scanning of removable drives during a full scan

Set
New-Item -Path "HKLM:\Software\Policies\Microsoft\Windows Defender" -Name 'Scan' -Force;
New-ItemProperty -Path "HKLM:\Software\Policies\Microsoft\Windows Defender\Scan" -Name 'DisableRemovableDriveScanning' -Value 0;

 
BCWHSendpoint 1.0: BCWHSmod15On
 
Revert
Set-ItemProperty -Path "HKLM:\Software\Policies\Microsoft\Windows Defender\Scan" -Name 'DisableRemovableDriveScanning' -Value 1;

BCWHSendpoint 1.0: BCWHSmod15Off
 

This action will increase your organization's Microsoft Secure Score by: 8 points or 0.73%.

16) Hide Option & Enable Automatic Updates

Set
New-Item -Path "HKLM:\SOFTWARE\policies\Microsoft\cloud\office\16.0\common\officeupdate" -Force;   # Set-ItemProperty fails if the key does not exist yet
Set-ItemProperty -Path "HKLM:\SOFTWARE\policies\Microsoft\cloud\office\16.0\common\officeupdate" -Name 'enableautomaticupdates' -Value 1;
New-Item -Path "HKLM:\SOFTWARE\policies\Microsoft" -Name 'Office' -Force;
New-Item -Path "HKLM:\SOFTWARE\policies\Microsoft\Office" -Name '16.0' -Force;
New-Item -Path "HKLM:\SOFTWARE\policies\Microsoft\Office\16.0" -Name 'Common' -Force;
New-Item -Path "HKLM:\SOFTWARE\policies\Microsoft\Office\16.0\Common" -Name 'Officeupdate' -Force;
New-ItemProperty -Path "HKLM:\SOFTWARE\policies\Microsoft\Office\16.0\Common\Officeupdate" -Name 'hideenabledisableupdates' -Value 1;
New-ItemProperty -Path "HKLM:\SOFTWARE\policies\Microsoft\Office\16.0\Common\Officeupdate" -Name 'enableautomaticupdates' -Value 1;

 
BCWHSendpoint 1.0: BCWHSmod16On
 
Revert
Set-ItemProperty -Path "HKLM:\SOFTWARE\policies\Microsoft\cloud\office\16.0\common\officeupdate" -Name 'enableautomaticupdates' -Value 0;
Set-ItemProperty -Path "HKLM:\SOFTWARE\policies\Microsoft\Office\16.0\Common\Officeupdate" -Name 'hideenabledisableupdates' -Value 0;
Set-ItemProperty -Path "HKLM:\SOFTWARE\policies\Microsoft\Office\16.0\Common\Officeupdate" -Name 'enableautomaticupdates' -Value 0;

BCWHSendpoint 1.0: BCWHSmod16Off
 

This action will increase your organization's Microsoft Secure Score by: 10 points or 0.92%.

17) Prohibit use of Internet Connection Sharing on your DNS domain network

Set
Set-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows\Network Connections" -Name 'NC_ShowSharedAccessUI' -Value 0;

 
BCWHSendpoint 1.0: BCWHSmod17On
 
Revert
Set-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows\Network Connections" -Name 'NC_ShowSharedAccessUI' -Value 1;

BCWHSendpoint 1.0: BCWHSmod17Off
 

This action will increase your organization's Microsoft Secure Score by: 5 points or 0.46%.

18) Set 'Account lockout duration' to 15 minutes or more

Set
net accounts /lockoutduration:15
 
BCWHSendpoint 1.0: BCWHSmod18On
 
BCWHSendpoint 1.0: BCWHSmod18Off
 

This action will increase your organization's Microsoft Secure Score by: 6 points or 0.54%.

19) Set 'Account lockout threshold' to 1-10 invalid login attempts

Set
net accounts /lockoutthreshold:10
 
BCWHSendpoint 1.0: BCWHSmod19On
 
BCWHSendpoint 1.0: BCWHSmod19Off
 

This action will increase your organization's Microsoft Secure Score by: 6 points or 0.54%.

20) Set 'Enforce Password History' to '24 or more password(s)'

Set
net accounts /uniquepw:24
 
BCWHSendpoint 1.0: BCWHSmod20On
 
BCWHSendpoint 1.0: BCWHSmod20Off
 

This action will increase your organization's Microsoft Secure Score by: 5 points or 0.46%.

21) Set 'Interactive logon: Machine inactivity limit' to '1-900 seconds'

Set
New-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\" -Name 'InactivityTimeoutSecs' -PropertyType DWORD -Value 0x00000384 -Force
 
BCWHSendpoint 1.0: BCWHSmod21On
 
BCWHSendpoint 1.0: BCWHSmod21Off
 

This action will increase your organization's Microsoft Secure Score by: 5 points or 0.46%.

22) Set 'Minimum Password Age' to '1 or more day(s)'

Set
net accounts /minpwage:1
 
BCWHSendpoint 1.0: BCWHSmod22On
 
BCWHSendpoint 1.0: BCWHSmod22Off
 

This action will increase your organization's Microsoft Secure Score by: 5 points or 0.46%.

23) Set 'Reset account lockout counter after' to 15 minutes or more

Set
net accounts /lockoutwindow:15
 
BCWHSendpoint 1.0: BCWHSmod23On
 
BCWHSendpoint 1.0: BCWHSmod23Off
 

This action will increase your organization's Microsoft Secure Score by: 6 points or 0.54%.

24) Set default behavior for 'AutoRun' to 'Enabled: Do not execute any autorun commands'

Set
Set-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" -Name 'NoAutorun' -Value 1;

 
BCWHSendpoint 1.0: BCWHSmod24On
 
Revert
Set-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" -Name 'NoAutorun' -Value 0;

BCWHSendpoint 1.0: BCWHSmod24Off
 

This action will increase your organization's Microsoft Secure Score by: 8 points or 0.73%.

25) Set IPV6 source routing to highest protection

Set
Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters\" -Name 'DisableIPSourceRouting' -Value 2;

 
BCWHSendpoint 1.0: BCWHSmod25On
 
Revert
Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters\" -Name 'DisableIPSourceRouting' -Value 0;

BCWHSendpoint 1.0: BCWHSmod25Off
 

This action will increase your organization's Microsoft Secure Score by: 5 points or 0.46%.

26) Set LAN Manager authentication level to 'Send NTLMv2 response only. Refuse LM & NTLM'

Set
Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\" -Name 'LmCompatibilityLevel' -Value 5;

 
BCWHSendpoint 1.0: BCWHSmod26On
 
Revert
Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\" -Name 'LmCompatibilityLevel' -Value 3;

BCWHSendpoint 1.0: BCWHSmod26Off
 

This action will increase your organization's Microsoft Secure Score by: 8 points or 0.73%.

27) Set User Account Control (UAC) to automatically deny elevation requests

Set
Set-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\" -Name 'ConsentPromptBehaviorUser' -Value 0;

 
BCWHSendpoint 1.0: BCWHSmod27On
 
Revert
Set-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\" -Name 'ConsentPromptBehaviorUser' -Value 3;

BCWHSendpoint 1.0: BCWHSmod27Off
 

This action will increase your organization's Microsoft Secure Score by: 8 points or 0.73%.
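Before applying the "Set" commands above, a practitioner usually wants to know which of the registry-backed items are already in place. The audit function below is an added example, not part of the BCWHSendpoint module; it reads a subset of the items above (same paths, value names and hardened values as listed) and reports compliance without writing anything. The function name and the table layout are assumptions; extend the table with the remaining items in the same form.

```powershell
# Added example (not part of BCWHSendpoint): audit-only check of the registry items above.
function Test-BCWHSEndpointBaseline {
    [CmdletBinding()]
    param()

    # Subset of the items listed on this page (item number, path, value name, hardened value).
    $checks = @(
        @{ Item = 1;  Name = 'Block outdated ActiveX';        Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext';      Value = 'VersionCheckEnabled';           Expected = 1 }
        @{ Item = 3;  Name = 'Disable Autoplay (all drives)'; Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'; Value = 'NoDriveTypeAutoRun';            Expected = 255 }
        @{ Item = 5;  Name = 'Hide admins on elevation';      Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CredUI';   Value = 'EnumerateAdministrators';       Expected = 0 }
        @{ Item = 6;  Name = 'Restrict anonymous enumeration'; Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa';                       Value = 'RestrictAnonymous';             Expected = 1 }
        @{ Item = 7;  Name = 'Disable IPv4 source routing';   Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters';          Value = 'DisableIPSourceRouting';        Expected = 2 }
        @{ Item = 11; Name = 'UAC token filter';              Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System';   Value = 'LocalAccountTokenFilterPolicy'; Expected = 0 }
        @{ Item = 13; Name = 'SMB client signing';            Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters'; Value = 'RequireSecuritySignature';   Expected = 1 }
        @{ Item = 21; Name = 'Inactivity limit (900 s)';      Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System';   Value = 'InactivityTimeoutSecs';         Expected = 900 }
        @{ Item = 24; Name = 'No autorun commands';           Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'; Value = 'NoAutorun';                     Expected = 1 }
        @{ Item = 25; Name = 'Disable IPv6 source routing';   Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters';         Value = 'DisableIPSourceRouting';        Expected = 2 }
        @{ Item = 26; Name = 'NTLMv2 only (level 5)';         Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa';                        Value = 'LmCompatibilityLevel';          Expected = 5 }
        @{ Item = 27; Name = 'UAC deny standard users';       Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System';   Value = 'ConsentPromptBehaviorUser';     Expected = 0 }
    )

    foreach ($c in $checks) {
        # Get-ItemProperty throws when the key or the value is missing; treat that as "not set",
        # which is also non-compliant (an absent policy value leaves the Windows default in force).
        $actual = $null
        try {
            $actual = (Get-ItemProperty -Path $c.Path -Name $c.Value -ErrorAction Stop).($c.Value)
        } catch { }

        $shown = if ($null -eq $actual) { 'not set' } else { $actual }
        [pscustomobject]@{
            Item      = $c.Item
            Setting   = $c.Name
            ValueName = $c.Value
            Expected  = $c.Expected
            Actual    = $shown
            Compliant = ($actual -eq $c.Expected)
        }
    }
}

# Usage: show only the items that still need attention.
Test-BCWHSEndpointBaseline | Where-Object { -not $_.Compliant } | Format-Table -AutoSize
```

Run it once before BCWHSallOn to record the starting state and once after to confirm every row reads Compliant; the items driven by net accounts (18, 19, 20, 22, 23) are not registry values and are verified with net accounts alone.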

Windows Incident Response

PowerShell for incident response. These commands are a good starting point for threat hunting and incident response on a Windows endpoint.

PowerShell - BCWHSendpointIR 1.0

Installing and using BCWHSendpointIR is straightforward. Open Windows PowerShell with administrative access and copy and paste the commands below. Each function is listed below with more information.

BCWHSendpointIR 1.0 Installation

Install-PackageProvider -Name NuGet -RequiredVersion 2.8.5.201 -Force;
Import-PackageProvider -Name NuGet -RequiredVersion 2.8.5.201;
 
Install-Module -Name BCWHSendpointIR -RequiredVersion 1.0 -Force;
Import-Module -Name BCWHSendpointIR -RequiredVersion 1.0;

The module can be found on the PowerShell Gallery.

1) Check BitLocker Status

manage-bde -status
 
Turns on or turns off BitLocker, specifies unlock mechanisms, updates recovery methods, and unlocks BitLocker-protected data drives.
 
BCWHSendpointIR 1.0: BCWHScheckIRBLStatus
 

2) Check BitLocker Volume

Get-BitLockerVolume
 
Gets information about volumes that BitLocker can protect.
 
BCWHSendpointIR 1.0: BCWHScheckIRBLVolume
 

3) Check for malicious process

Get-Process | Sort-Object -Descending WS
 
The Get-Process cmdlet returns the currently executing processes; sorting by working set (WS) puts the most memory-hungry processes first.
 
BCWHSendpointIR 1.0: BCWHScheckIRProcess
 

4) List Application Event Log Data

Get-EventLog -logName "Application" -newest 500 | Select MachineName,TimeGenerated,EntryType,Source,Message
 
The Application log is one of the logs under the "Windows Logs" section of Event Viewer.
 
BCWHSendpointIR 1.0: BCWHScheckIRAppLogs
 

5) List Logged In Users

Get-CimInstance -ClassName Win32_ComputerSystem | Select-Object Name, UserName
 
Gets the CIM instance of the Win32_ComputerSystem class; its UserName property holds the account of the interactively logged-on user.
 
BCWHSendpointIR 1.0: BCWHScheckIRUsers
 

6) List of Recently Installed Software (Events)

Get-WinEvent -ProviderName msiinstaller | where id -eq 1033 | select timecreated,message | FL *
 
Gets events from event logs and event tracing log files on local and remote computers.
 
BCWHSendpointIR 1.0: BCWHScheckIRSoftware
 

7) List performance data

Get-Counter
 
The Get-Counter cmdlet gets performance counter data directly from the performance monitoring instrumentation in the Windows family of operating systems. Get-Counter gets performance data from a local computer or remote computers.
 
BCWHSendpointIR 1.0: BCWHScheckIRCounter
 

8) List Scheduled Tasks

Get-ScheduledTask
 
The Get-ScheduledTask cmdlet gets the task definition object of a scheduled task that is registered on a computer.
 
BCWHSendpointIR 1.0: BCWHScheckIRTasks
 

9) List Security Event Log Data

Get-EventLog -logName "Security" -newest 500 | Select MachineName,TimeGenerated,EntryType,Source,Message
 
The Security log is one of the logs under the "Windows Logs" section of Event Viewer.
 
BCWHSendpointIR 1.0: BCWHScheckIRSecurityLogs
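Reading 500 raw Security events is a slow way to spot a credential-guessing burst, which is exactly what the account-lockout settings in the endpoint section are meant to contain. The function below is an added example, not part of the BCWHSendpointIR module: it pulls failed-logon events (ID 4625) with a server-side filter and groups them by target account, source address and logon type. The function name and the thresholds are assumptions.

```powershell
# Added example (not part of BCWHSendpointIR): summarise failed logons from the Security log.
function Get-BCWHSFailedLogonSummary {
    [CmdletBinding()]
    param(
        [int]$MaxEvents = 500,
        [int]$MinCount  = 3     # report only account/source pairs seen at least this often
    )

    # FilterHashtable is applied by the event log service itself, so this is far cheaper
    # than Get-EventLog ... | Where-Object over the whole log.
    $events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625 } `
                           -MaxEvents $MaxEvents -ErrorAction SilentlyContinue

    $rows = foreach ($e in $events) {
        # Read the named EventData fields from the event XML rather than relying on the
        # positional Properties array, whose layout differs between event versions.
        $xml  = [xml]$e.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

        [pscustomobject]@{
            TimeCreated = $e.TimeCreated
            Account     = "$($data['TargetDomainName'])\$($data['TargetUserName'])"
            Source      = $data['IpAddress']
            LogonType   = $data['LogonType']      # 2 interactive, 3 network, 10 RDP
            SubStatus   = $data['SubStatus']      # 0xC000006A bad password, 0xC0000064 unknown user
        }
    }

    $rows | Group-Object Account, Source, LogonType |
        Where-Object Count -ge $MinCount |
        ForEach-Object {
            $sorted = $_.Group | Sort-Object TimeCreated
            [pscustomobject]@{
                Count     = $_.Count
                Account   = $sorted[0].Account
                Source    = $sorted[0].Source
                LogonType = $sorted[0].LogonType
                First     = $sorted[0].TimeCreated
                Last      = $sorted[-1].TimeCreated
            }
        } | Sort-Object Count -Descending
}

Get-BCWHSFailedLogonSummary | Format-Table -AutoSize
```

Many unknown-user failures (SubStatus 0xC0000064) from one source look like a user-name sweep, while bad-password failures against one real account should be compared with the lockout threshold set in item 19.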
 

10) List Services

Get-Service | Select-Object Name, DisplayName, Status, StartType
 
The Get-Service cmdlet gets objects that represent the services on a computer, including running and stopped services. By default, when Get-Service is run without parameters, all the local computer's services are returned.
 
BCWHSendpointIR 1.0: BCWHScheckIRServices
 

11) List System Event Log Data

Get-EventLog -logName "System" -newest 500 | Select MachineName,TimeGenerated,EntryType,Source,Message
 
The System log is one of the logs under the "Windows Logs" section of Event Viewer.
 
BCWHSendpointIR 1.0: BCWHScheckIRSystemLogs
 

12) List Users (Administrators)

Get-LocalGroupMember Administrators
 
The Get-LocalGroupMember cmdlet gets members from a local group.
 
BCWHSendpointIR 1.0: BCWHScheckIRListUsers
 

13) Network Activity

Get-NetTCPConnection | Select-Object creationtime, localaddress, localport, RemoteAddress, Remoteport
 
The Get-NetTCPConnection cmdlet gets current TCP connections. Use this cmdlet to view TCP connection properties such as local or remote IP address, local or remote port, and connection state.
 
BCWHSendpointIR 1.0: BCWHScheckIRNetwork
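A list of addresses and ports is only useful once each connection is tied to the process that owns it. The function below is an added example, not part of the BCWHSendpointIR module: it joins Get-NetTCPConnection to Win32_Process so every outbound connection is shown with its image path and the account that started the process. The function name and the default state filter are assumptions.

```powershell
# Added example (not part of BCWHSendpointIR): TCP connections with their owning process.
function Get-BCWHSConnectionOwner {
    [CmdletBinding()]
    param([string[]]$State = @('Established', 'SynSent'))

    # Win32_Process exposes ExecutablePath and an owner lookup; index by PID once so the
    # join below is a hashtable lookup rather than a scan per connection.
    $procs = @{}
    foreach ($p in Get-CimInstance -ClassName Win32_Process) {
        $owner = $null
        try { $owner = (Invoke-CimMethod -InputObject $p -MethodName GetOwner).User } catch { }
        $procs[[int]$p.ProcessId] = [pscustomobject]@{
            Name    = $p.Name
            Path    = $p.ExecutablePath
            Owner   = $owner
            Created = $p.CreationDate
        }
    }

    Get-NetTCPConnection -State $State |
        Where-Object { $_.RemoteAddress -notin @('127.0.0.1', '::1', '0.0.0.0', '::') } |
        ForEach-Object {
            $o = $procs[[int]$_.OwningProcess]   # null for a process that exited since the snapshot
            [pscustomobject]@{
                Created = $_.CreationTime
                Local   = "$($_.LocalAddress):$($_.LocalPort)"
                Remote  = "$($_.RemoteAddress):$($_.RemotePort)"
                State   = $_.State
                PID     = $_.OwningProcess
                Process = $o.Name
                Path    = $o.Path
                User    = $o.Owner
                Started = $o.Created
            }
        } | Sort-Object Process, Remote
}

Get-BCWHSConnectionOwner | Format-Table -AutoSize
```

A connection whose Path is empty, sits under a user profile or temp directory, or belongs to a process started well after boot by an unexpected account is the row to take to steps 3 and 14.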
 

14) Terminate malicious process

Get-Process -Name "process" | Stop-Process   # replace "process" with the name identified in step 3
 
Stop-Process can be used to terminate processes based on process name or process ID (PID).
 

© 2024 Black Cat White Hat Security ℠* All rights reserved.