PowerShell for Endpoint Security. These commands will close up some endpoint issues that are defined in Microsoft's Secure Score and other Windows security products. You can download them all using BCWHSendpoint 1.0.
PowerShell - BCWHSendpoint 1.0
The install and use of the BCWHSendpoint is pretty straight forward.
Open Windows PowerShell with Administrative access and copy and paste the commands below.
Each function is listed below with more information.
BCWHSendpoint 1.0 Installation
How-To install and use BCWHSendpoint 1.0
|
Install-PackageProvider -Name NuGet -RequiredVersion 2.8.5.201 -Force;
Import-PackageProvider -Name NuGet -RequiredVersion 2.8.5.201;
Install-Module -Name BCWHSendpoint -RequiredVersion 1.0 -Force;
Import-Module -Name BCWHSendpoint -RequiredVersion 1.0;
The module can be found at PowerShell Gallery
Microsoft Secure Score
Microsoft has 190 security controls covering 4 categories (Identity, Data, Device & Apps) totaling 1094 points.
When these commands are enabled you will gain 171 points towards your device secure score for 15.63% increase in endpoint device security.
To enable all modules: BCWHSallOn
To revert all modules: BCWHSallOff
1) Block outdated ActiveX controls for Internet Explorer
Set
Set-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext" -Name 'VersionCheckEnabled' -Value 1;
BCWHSendpoint 1.0: BCWHSmod1On
Revert
Set-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext" -Name 'VersionCheckEnabled' -Value 0;
BCWHSendpoint 1.0: BCWHSmod1Off
This action will increase your organizations Microsoft Secure Score by: 5 points or 0.46%.
2) Disable 'Autoplay for non-volume devices'
Set
Set-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" -Name 'NoAutoplayfornonVolume' -Value 1;
New-Item -Path "HKLM:\Software\Policies\Microsoft\Windows" -Name 'Explorer' -Force;
New-ItemProperty -Path "HKLM:\Software\Policies\Microsoft\Windows\Explorer" -Name 'NoAutoplayfornonVolume' -Value 1;
BCWHSendpoint 1.0: BCWHSmod2On
Revert
Set-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" -Name 'NoAutoplayfornonVolume' -Value 0;
Set-ItemProperty -Path "HKLM:\Software\Policies\Microsoft\Windows\Explorer" -Name 'NoAutoplayfornonVolume' -Value 0;
BCWHSendpoint 1.0: BCWHSmod2Off
This action will increase your organizations Microsoft Secure Score by: 5 points or 0.46%.
3) Disable 'Autoplay' for all drives
Set
Set-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" -Name 'NoDriveTypeAutoRun' -Value 255;
BCWHSendpoint 1.0: BCWHSmod3On
Revert
Set-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" -Name 'NoDriveTypeAutoRun' -Value 0;
BCWHSendpoint 1.0: BCWHSmod3Off
This action will increase your organizations Microsoft Secure Score by: 8 points or 0.73%.
4) Disable 'Continue running background apps when Google Chrome is closed'
Set
New-Item -Path "HKLM:\Software\Policies" -Name 'Google' -Force;
New-Item -Path "HKLM:\Software\Policies\Google" -Name 'Chrome' -Force;
New-ItemProperty -Path "HKLM:\Software\Policies\Google\Chrome" -Name 'BackgroundModeEnabled' -Value 0;
BCWHSendpoint 1.0: BCWHSmod4On
Revert
Set-ItemProperty -Path "HKLM:\Software\Policies\Google\Chrome" -Name 'BackgroundModeEnabled' -Value 1;
BCWHSendpoint 1.0: BCWHSmod4Off
This action will increase your organizations Microsoft Secure Score by: 5 points or 0.46%.
5) Disable 'Enumerate administrator accounts on elevation'
Set
New-Item -Path "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies" -Name 'CredUI' -Force;
New-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CredUI" -Name 'EnumerateAdministrators' -Value 0;
BCWHSendpoint 1.0: BCWHSmod5On
Revert
Set-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CredUI" -Name 'EnumerateAdministrators' -Value 1;
BCWHSendpoint 1.0: BCWHSmod5Off
This action will increase your organizations Microsoft Secure Score by: 8 points or 0.73%.
6) Disable Anonymous enumeration of shares
Set
Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\Lsa" -Name 'RestrictAnonymous' -Value 1;
BCWHSendpoint 1.0: BCWHSmod6On
Revert
Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\Lsa" -Name 'RestrictAnonymous' -Value 0;
BCWHSendpoint 1.0: BCWHSmod6Off
This action will increase your organizations Microsoft Secure Score by: 8 points or 0.73%.
7) Disable IP Source routing
Set
Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\" -Name 'DisableIPSourceRouting' -Value 2;
BCWHSendpoint 1.0: BCWHSmod7On
Revert
Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\" -Name 'DisableIPSourceRouting' -Value 0;
BCWHSendpoint 1.0: BCWHSmod7Off
This action will increase your organizations Microsoft Secure Score by: 5 points or 0.46%.
8) Disable JavaScript/Flash on Adobe Reader DC
Set
New-Item -Path "HKLM:\SOFTWARE\Policies\Adobe\" -Name 'Acrobat Reader' -Force;
New-Item -Path "HKLM:\SOFTWARE\Policies\Adobe\Acrobat Reader" -Name 'DC' -Force;
New-Item -Path "HKLM:\SOFTWARE\Policies\Adobe\Acrobat Reader\DC" -Name 'FeatureLockDown' -Force;
New-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Adobe\Acrobat Reader\DC\FeatureLockDown" -Name 'bDisableJavaScript' -Value 1;
New-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Adobe\Acrobat Reader\DC\FeatureLockDown" -Name 'bEnableFlash' -Value 1;
BCWHSendpoint 1.0: BCWHSmod8On
Revert
Set-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Adobe\Acrobat Reader\DC\FeatureLockDown" -Name 'bDisableJavaScript' -Value 0;
Set-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Adobe\Acrobat Reader\DC\FeatureLockDown" -Name 'bEnableFlash' -Value 0;
BCWHSendpoint 1.0: BCWHSmod8Off
This action will increase your organizations Microsoft Secure Score by: 10 points or 0.92%.
9) Disable Microsoft Defender Firewall notifications when programs are blocked for Domain/Public/Private profile
Set
New-Item -Path "HKLM:\Software\Policies\Microsoft" -Name 'WindowsFirewall' -Force;
New-Item -Path "HKLM:\Software\Policies\Microsoft\WindowsFirewall" -Name 'DomainProfile' -Force;
New-Item -Path "HKLM:\Software\Policies\Microsoft\WindowsFirewall" -Name 'PrivateProfile' -Force;
New-Item -Path "HKLM:\Software\Policies\Microsoft\WindowsFirewall" -Name 'PublicProfile' -Force;
New-ItemProperty -Path "HKLM:\Software\Policies\Microsoft\WindowsFirewall\DomainProfile" -Name 'DisableNotifications' -Value 1;
New-ItemProperty -Path "HKLM:\Software\Policies\Microsoft\WindowsFirewall\PrivateProfile" -Name 'DisableNotifications' -Value 1;
New-ItemProperty -Path "HKLM:\Software\Policies\Microsoft\WindowsFirewall\PublicProfile" -Name 'DisableNotifications' -Value 1;
BCWHSendpoint 1.0: BCWHSmod9On
Revert
Set-ItemProperty -Path "HKLM:\Software\Policies\Microsoft\WindowsFirewall\DomainProfile" -Name 'DisableNotifications' -Value 0;
Set-ItemProperty -Path "HKLM:\Software\Policies\Microsoft\WindowsFirewall\PrivateProfile" -Name 'DisableNotifications' -Value 0;
Set-ItemProperty -Path "HKLM:\Software\Policies\Microsoft\WindowsFirewall\PublicProfile" -Name 'DisableNotifications' -Value 0;
BCWHSendpoint 1.0: BCWHSmod9Off
This action will increase your organizations Microsoft Secure Score by: 6 points or 0.54%.
10) Disable running or installing downloaded software with invalid signature
Set
New-Item -Path "HKLM:\SOFTWARE\Policies\Microsoft\" -Name 'Internet Explorer' -Force;
New-Item -Path "HKLM:\SOFTWARE\Policies\Microsoft\Internet Explorer" -Name 'Download' -Force;
Set-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Microsoft\Internet Explorer\Download\" -Name 'RunInvalidSignatures' -Value 0;
BCWHSendpoint 1.0: BCWHSmod10On
Revert
Set-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Microsoft\Internet Explorer\Download\" -Name 'RunInvalidSignatures' -Value 1;
BCWHSendpoint 1.0: BCWHSmod10Off
This action will increase your organizations Microsoft Secure Score by: 5 points or 0.46%.
11) Enable 'Apply UAC restrictions to local accounts on network logons'
Set
Set-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" -Name 'LocalAccountTokenFilterPolicy' -Value 0;
BCWHSendpoint 1.0: BCWHSmod11On
Revert
Set-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" -Name 'LocalAccountTokenFilterPolicy' -Value 1;
BCWHSendpoint 1.0: BCWHSmod11Off
This action will increase your organizations Microsoft Secure Score by: 5 points or 0.46%.
12) Enable 'Block third party cookies'
Set
New-ItemProperty -Path "HKLM:\Software\Policies\Google\Chrome" -Name 'BlockThirdPartyCookies' -Value 1;
BCWHSendpoint 1.0: BCWHSmod12On
Revert
Set-ItemProperty -Path "HKLM:\Software\Policies\Google\Chrome" -Name 'BlockThirdPartyCookies' -Value 0;
BCWHSendpoint 1.0: BCWHSmod12Off
This action will increase your organizations Microsoft Secure Score by: 2 points or 0.18%.
13) Enable 'Microsoft network client: Digitally sign communications (always)'
Set
Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters" -Name 'RequireSecuritySignature' -Value 1;
BCWHSendpoint 1.0: BCWHSmod13On
Revert
Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters" -Name 'RequireSecuritySignature' -Value 0;
BCWHSendpoint 1.0: BCWHSmod13Off
This action will increase your organizations Microsoft Secure Score by: 5 points or 0.46%.
14) Enable Microsoft Defender Antivirus Email Scanning
Set
Set-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Scan" -Name 'DisableEmailScanning' -Value 0;
BCWHSendpoint 1.0: BCWHSmod14On
Revert
Set-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Scan" -Name 'DisableEmailScanning' -Value 1
BCWHSendpoint 1.0: BCWHSmod14Off
This action will increase your organizations Microsoft Secure Score by: 9 points or 0.82%.
15) Enable scanning of removable drives during a full scan
Set
New-Item -Path "HKLM:\Software\Policies\Microsoft\Windows Defender" -Name 'Scan' -Force;
New-ItemProperty -Path "HKLM:\Software\Policies\Microsoft\Windows Defender\Scan" -Name 'DisableRemovableDriveScanning' -Value 0;
BCWHSendpoint 1.0: BCWHSmod15On
Revert
Set-ItemProperty -Path "HKLM:\Software\Policies\Microsoft\Windows Defender\Scan" -Name 'DisableRemovableDriveScanning' -Value 1;
BCWHSendpoint 1.0: BCWHSmod15Off
This action will increase your organizations Microsoft Secure Score by: 8 points or 0.73%.
16) Hide Option & Enable Automatic Updates
Set
Set-ItemProperty -Path "HKLM:\SOFTWARE\policies\Microsoft\cloud\office\16.0\common\officeupdate" -Name 'enableautomaticupdates' -Value 1;
New-Item -Path "HKLM:\SOFTWARE\policies\Microsoft" -Name 'Office' -Force;
New-Item -Path "HKLM:\SOFTWARE\policies\Microsoft\Office" -Name '16.0' -Force;
New-Item -Path "HKLM:\SOFTWARE\policies\Microsoft\Office\16.0" -Name 'Common' -Force;
New-Item -Path "HKLM:\SOFTWARE\policies\Microsoft\Office\16.0\Common" -Name 'Officeupdate' -Force;
New-ItemProperty -Path "HKLM:\SOFTWARE\policies\Microsoft\Office\16.0\Common\Officeupdate" -Name 'hideenabledisableupdates' -Value 1;
New-ItemProperty -Path "HKLM:\SOFTWARE\policies\Microsoft\Office\16.0\Common\Officeupdate" -Name 'enableautomaticupdates' -Value 1;
BCWHSendpoint 1.0: BCWHSmod16On
Revert
Set-ItemProperty -Path "HKLM:\SOFTWARE\policies\Microsoft\cloud\office\16.0\common\officeupdate" -Name 'enableautomaticupdates' -Value 0;
Set-ItemProperty -Path "HKLM:\SOFTWARE\policies\Microsoft\Office\16.0\Common\Officeupdate" -Name 'hideenabledisableupdates' -Value 0; Set-ItemProperty -Path "HKLM:\SOFTWARE\policies\Microsoft\Office\16.0\Common\Officeupdate" -Name 'enableautomaticupdates' -Value 0;
BCWHSendpoint 1.0: BCWHSmod16Off
This action will increase your organizations Microsoft Secure Score by: 10 points or 0.92%.
17) Prohibit use of Internet Connection Sharing on your DNS domain network
Set
Set-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows\Network Connections" -Name 'NC_ShowSharedAccessUI' -Value 0;
BCWHSendpoint 1.0: BCWHSmod17On
Revert
Set-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows\Network Connections" -Name 'NC_ShowSharedAccessUI' -Value 1;
BCWHSendpoint 1.0: BCWHSmod17Off
This action will increase your organizations Microsoft Secure Score by: 5 points or 0.46%.
18) Set 'Account lockout duration' to 15 minutes or more
Set
net accounts /lockoutduration:15
BCWHSendpoint 1.0: BCWHSmod18On
BCWHSendpoint 1.0: BCWHSmod18Off
This action will increase your organizations Microsoft Secure Score by: 6 points or 0.54%.
19) Set 'Account lockout threshold' to 1-10 invalid login attempts
Set
net accounts /lockoutthreshold:10
BCWHSendpoint 1.0: BCWHSmod19On
BCWHSendpoint 1.0: BCWHSmod19Off
This action will increase your organizations Microsoft Secure Score by: 6 points or 0.54%.
20) Set 'Enforce Password History' to '24 or more password(s)'
Set
net accounts /uniquepw:24
BCWHSendpoint 1.0: BCWHSmod20On
BCWHSendpoint 1.0: BCWHSmod20Off
This action will increase your organizations Microsoft Secure Score by: 5 points or 0.46%.
21) Set 'Interactive logon: Machine inactivity limit' to '1-900 seconds'
Set
New-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\" -Name 'InactivityTimeoutSecs' -PropertyType DWORD -Value 0x00000384 -Force
BCWHSendpoint 1.0: BCWHSmod21On
BCWHSendpoint 1.0: BCWHSmod21Off
This action will increase your organizations Microsoft Secure Score by: 5 points or 0.46%.
22) set 'Minimum Password Age' to '1 or more day(s)'
Set
net accounts /minpwage:1
BCWHSendpoint 1.0: BCWHSmod22On
BCWHSendpoint 1.0: BCWHSmod22Off
This action will increase your organizations Microsoft Secure Score by: 5 points or 0.46%.
23) Set 'Reset account lockout counter after' to 15 minutes or more
Set
net accounts /lockoutwindow:15
BCWHSendpoint 1.0: BCWHSmod23On
BCWHSendpoint 1.0: BCWHSmod23Off
This action will increase your organizations Microsoft Secure Score by: 6 points or 0.54%.
24) Set default behavior for 'AutoRun' to 'Enabled: Do not execute any autorun commands'
Set
Set-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" -Name 'NoAutorun' -Value 1;
BCWHSendpoint 1.0: BCWHSmod24On
Revert
Set-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" -Name 'NoAutorun' -Value 0;
BCWHSendpoint 1.0: BCWHSmod24Off
This action will increase your organizations Microsoft Secure Score by: 8 points or 0.73%.
25) Set IPV6 source routing to highest protection
Set
Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters\" -Name 'DisableIPSourceRouting' -Value 2;
BCWHSendpoint 1.0: BCWHSmod25On
Revert
Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters\" -Name 'DisableIPSourceRouting' -Value 0;
BCWHSendpoint 1.0: BCWHSmod25Off
This action will increase your organizations Microsoft Secure Score by: 5 points or 0.46%.
26) Set LAN Manager authentication level to 'Send NTLMv2 response only. Refuse LM & NTLM'
Set
Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\" -Name 'LmCompatibilityLevel' -Value 5;
BCWHSendpoint 1.0: BCWHSmod26On
Revert
Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\" -Name 'LmCompatibilityLevel' -Value 3;
BCWHSendpoint 1.0: BCWHSmod26Off
This action will increase your organizations Microsoft Secure Score by: 8 points or 0.73%.
27) Set User Account Control (UAC) to automatically deny elevation requests
Set
Set-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\" -Name 'ConsentPromptBehaviorUser' -Value 0;
BCWHSendpoint 1.0: BCWHSmod27On
Revert
Set-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\" -Name 'ConsentPromptBehaviorUser' -Value 3;
BCWHSendpoint 1.0: BCWHSmod27Off
This action will increase your organizations Microsoft Secure Score by: 8 points or 0.73%.
Windows Incident Response
PowerShell for Incident Response. These commands are a good start and will help you Threat Hunt and with Incident Response.
PowerShell - BCWHSendpointIR 1.0
The install and use of the BCWHSendpointIR is pretty straight forward.
Open Windows PowerShell with Administrative access and copy and paste the commands below.
Each function is listed below with more information.
How-To install and use BCWHSendpointIR 1.0
|
BCWHSendpointIR 1.0 Installation
Install-PackageProvider -Name NuGet -RequiredVersion 2.8.5.201 -Force;
Import-PackageProvider -Name NuGet -RequiredVersion 2.8.5.201;
Install-Module -Name BCWHSendpointIR -RequiredVersion 1.0 -Force;
Import-Module -Name BCWHSendpointIR -RequiredVersion 1.0;
The module can be found at PowerShell Gallery
1) Check BitLocker Status
manage-bde -status
Turns on or turns off BitLocker, specifies unlock mechanisms, updates recovery methods, and unlocks BitLocker-protected data drives.
BCWHSendpointIR 1.0: BCWHScheckIRBLStatus
2) Check BitLocker Volume
Get-BitLockerVolume
Gets information about volumes that BitLocker can protect.
BCWHSendpointIR 1.0: BCWHScheckIRBLVolume
3) Check for malicious process
Get-Process | Sort-Object -Descending WS
Get-Process cmdlet can be used to get currently executing processes.
BCWHSendpointIR 1.0: BCWHScheckIRProcess
4) List Application Event Log Data
Get-EventLog -logName "Application" -newest 500 | Select MachineName,TimeGenerated,EntryType,Source,Message
The "Windows Logs" section contains (of note) the Application logs
BCWHSendpointIR 1.0: BCWHScheckIRAppLogs
5) List Logged In Users
Get-CimInstance –ClassName Win32_ComputerSystem
Gets the CIM instances of a class from a CIM server.
BCWHSendpointIR 1.0: BCWHScheckIRUsers
6) List of Recently Installed Software (Events)
Get-WinEvent -ProviderName msiinstaller | where id -eq 1033 | select timecreated,message | FL *
Gets events from event logs and event tracing log files on local and remote computers.
BCWHSendpointIR 1.0: BCWHScheckIRSoftware
7) List performance data
Get-Counter
The Get-Counter cmdlet gets performance counter data directly from the performance monitoring instrumentation in the Windows family of operating systems. Get-Counter gets performance data from a local computer or remote computers.
BCWHSendpointIR 1.0: BCWHScheckIRCounter
8) List Scheduled Tasks
Get-ScheduledTask
The Get-ScheduledTask cmdlet gets the task definition object of a scheduled task that is registered on a computer.
BCWHSendpointIR 1.0: BCWHScheckIRTasks
9) List Security Event Log Data
Get-EventLog -logName "Security" -newest 500 | Select MachineName,TimeGenerated,EntryType,Source,Message
The "Windows Logs" section contains (of note) the Security logs
BCWHSendpointIR 1.0: BCWHScheckIRSecurityLogs
10) List Services
Get-Service | Select-Object Name, DisplayName, Status, StartType
The Get-Service cmdlet gets objects that represent the services on a computer, including running and stopped services. By default, when Get-Service is run without parameters, all the local computer's services are returned.
BCWHSendpointIR 1.0: BCWHScheckIRServices
11) List System Event Log Data
Get-EventLog -logName "System" -newest 500 | Select MachineName,TimeGenerated,EntryType,Source,Message
The "Windows Logs" section contains (of note) the System logs
BCWHSendpointIR 1.0: BCWHScheckIRSystemLogs
12) List Users (Administrators)
Get-LocalGroupMember Administrators
The Get-LocalGroupMember cmdlet gets members from a local group.
BCWHSendpointIR 1.0: BCWHScheckIRListUsers
13) Network Activity
Get-NetTCPConnection | Select-Object creationtime, localaddress, localport, RemoteAddress, Remoteport
The Get-NetTCPConnection cmdlet gets current TCP connections. Use this cmdlet to view TCP connection properties such as local or remote IP address, local or remote port, and connection state.
BCWHSendpointIR 1.0: BCWHScheckIRNetwork
14) Terminate malicious process
Get-Process "process" | Stop-Process
Stop-Process can be used to terminate processes based on process name or process ID (PID).
|